Computer Forensics for the Defense: a juror interviews Larry E. Daniel
Photograph: Larry E. Daniel, Computer Forensics Expert
The Juror Inquires: Larry, I understand you are willing to testify as a computer forensics expert for the defense, is that correct?
Larry E. Daniel: I actually specialize in criminal defense, even though I do all types of cases.
The Juror Inquires: You must be rare. I can think of very few trials in which the defense brought on computer experts. Do you have many colleagues?
Larry E. Daniel: I am one of very few computer forensic experts that will work for the defense. And even fewer are those of us that will handle sex crime cases. I actually do more murder cases than anything else at the moment. However, I do have some other criminal cases such as child porn, rape, and other criminal offenses that I am currently working on.
The Juror Inquires: Why are most computer forensics experts "on the prosecution's side?"
Larry E. Daniel: Historically, computer forensics has been a law enforcement job. So most private computer forensics people came out of law enforcement. Ex-law enforcement people will not do criminal defense work, as a rule. They tend to focus on civil litigation cases and domestic cases. It has been a fairly recent development for more people to enter the field, and they are mostly working civil cases or domestic cases. Criminal work is very difficult from a defense standpoint, and it can take a toll on you as well.
When I went to CEIC back in 2006, there were over 400 attendees. I was the only defense expert there. It makes you a bit of a pariah doing defense work.
The Juror Inquires: What case have you found most interesting? Why? What process did you follow? What "clues" did you find?
Larry E. Daniel: I can't talk about specific cases due to confidentiality rules. The process I follow is different from most computer forensics people, as far as I can tell. I start at the beginning, by reading all of the documents in the case, including witness statements, police reports, autopsy reports, interviews, search warrants, etc. That is before I begin to even think about the computer or cell phone evidence. Then I read all the forensic reports, including those not pertaining to computers or cell phones.
Once I have done all of that, I will consult with the attorney on the case regarding the warrants or other discovery. Then I will begin my analysis of the computer and cell phone evidence. I work from forensic copies of the hard drives supplied by law enforcement.
I begin by duplicating their work to verify the results they got. Then I will do a deeper analysis to make sure that facts were not left uncovered in the case, good or bad. That is my job: to inform the attorney of the facts. I am a neutral expert, even though I am contracted by the defense in most cases.
Even when I work on the other side in civil or domestic cases, my job is still to only report the facts that can be directly supported by the computer or other digital evidence.
The key is to be more thorough and more attentive to details than the other side to make sure everything gets put into the proper context.
The Juror Inquires: You've said most criminals aren't smart enough to know how to cover their tracks on an electronic device, like a computer. Have you ever encountered someone who DID try to cover their tracks? What happened?
Larry E. Daniel: It is not uncommon for people to try and cover their tracks in a minimal way, such as clearing their Internet history or deleting files. But to a forensics expert, they might as well not bother.
To actually defeat a forensics expert's examination requires considerable knowledge, not just of computers, but of forensics. You have to know what to get rid of and how to do it in a way that makes it truly unrecoverable. Outside of completely forensically wiping your hard drive, or using full encryption, that is very hard to do. Almost impossible actually. We will find something.
Wiping your hard drive is not very practical if you want to use your computer. So that is a very rare instance. I have never encountered it.
The Juror Inquires: What sorts of "dueling experts" testimony over computer use issues can jurors expect to encounter these days? Is there anything a computer savvy juror should watch out for from either the prosecution or the defense?
Larry E. Daniel: The biggest problem for jurors, in my opinion, is less the experts than it is the attorneys. If you read the computer forensics testimony in the Scott Peterson case, you will get an idea of just how terrible this kind of testimony can be. In that case, even the judge got involved in asking the expert questions. It was so confusing and the expert's explanations so poor that they might as well have not done it. I think it actually served to help the prosecution simply because the jury was so overwhelmed by the confusion of it all that they may have assumed it to be of value. "If I can't understand it, then maybe it is just too technical, so the expert must be right" is how I might have characterized the possible jury take on it.
However, many computer forensics experts cannot seem to figure out how to explain technical concepts in everyday language that will make the point clear for the jury and the court. Computer forensics testimony needs to be understandable or it is worthless. That is true for any forensics expert. Properly framing your answers to make them understandable helps our system of justice by making sure the person gets a fair day in court. Anything less is a travesty.
The Juror Inquires: If you could sit with jurors during deliberations, what questions would you like to ask them about your own testimony?
Larry E. Daniel: How did that guy get so good looking and smart too?! Just kidding. If I had the luxury of asking jurors about my own testimony, I would always want to know what I may have said that could have been said better or in a more understandable way. To me, the art of communication is using language that everyone who hears me can understand. If I am not doing that, then I am failing my client. And that is the last thing I want to do.
About Larry E. Daniel: Larry E. Daniel of Guardian Digital Forensics has six years of experience in computer forensics and has provided computer forensics and criminal defense expert witness testimony in cases ranging from capital murder to exploitation of a child. Some of the more well-known cases Larry has consulted on are the Michelle Theer, Mark Bowling, and Jerry Lynn Stuart capital cases. Larry is a member of the American College of Forensic Examiners, the IEEE, and the International Institute of Computer Forensics Professionals. Larry will be speaking at the National Association of Criminal Defense Lawyers conference in April of 2009, as well as other locations during the year.
Visit Larry’s blog at http://exforensis.blogspot.com/ and listen to his new talk show on BlogTalkRadio, starting with his interview of cadaver-dog expert, Mike Craig (Sunday, Feb. 8, 4:00 pm ET and any time after that online).





