What can computer and mobile forensics do for you?

Nearly every lawyer has heard the term “computer forensics” at some point. However, many lawyers do not understand what computer forensics is and when they may need a computer forensics expert for their case. Not every case with computer-related evidence requires an expert, and not every case that requires an expert requires a computer forensic analyst. This blog post explores some of the areas where computer forensic examiners may be useful to your case, and may give you some ideas about when you need to consult with a forensic examiner.

First, there is a difference between e-discovery and computer forensics. E-discovery, or electronic -discovery, generally involves the processing of large amounts of electronically stored data. E-discovery typically occurs in large civil cases dealing with corporations, where there may be tens of thousands of pages of electronic documents disclosed by one side. E-discovery techniques allow law firms to use automated tools to process those documents and pull out the pages that may be the most useful. There are law firms that specialize in e-discovery as well as consulting agencies that employee specialized software for e-discovery.

Computer forensics is the application of forensically sound techniques to recover and preserve digital evidence from a particular device (such as a computer or cell phone). Essentially, this the process of taking a computer and investigating the contents of a hard drive to determine such things as who accessed it, when, what the users viewed or downloaded, what the user did while at the computer, etc. In a case involving a cell phone, the examination includes call history, text message, application data, location data, and much more.

There are many situations when a lawyer may want to consult with a computer or mobile forensics expert. Some cases are obvious, such as criminal cases involving computer crime (financial crime, pornographic files stored on a computer, etc.). Other cases are not so clear. Below are some examples of situations where computer forensics can assist in a civil or criminal case.

Civil Wrongful Death

In a wrongful death case, the family members of the plaintiff may want to see what the deceased was doing on his computer or cell phone. There could be evidence in those devices that shows what the deceased was doing right before the event that led to litigation. There may also be evidence of communications which demonstrate the deceased’s relationship with his family members, which can be relevant to the topic of damages. A computer forensics expert can analyze the computer, cell phone, or tablet, and find exactly what the deceased was doing in the hours, days, or weeks leading up to his death.

 Auto Collision

In an auto collision case, a plaintiff may want to know if the defendant accessed her cell phone in the moments before the crash. Maybe the defendant took her eyes off the road to read or send a text message. Perhaps the defendant answered a phone call just moments before running that stop sign. Often, these records can be obtained from the cell phone service provider (such as Verizon, AT&T, T-Mobile, etc.), but they can also be obtained directly from the cell phone. A forensic analysis, however, could reveal additional information, such as when the devices was powered on or when the defendant accessed a particular application, or even when the defendant sent a message through an application (instead of sending a text message using the phone’s built-in text feature).

 Employment Law

Unfortunately, it is not uncommon for employees to leave on bad terms. When this happens, there is a risk that the employee will steal electronic corporate documents. Even when an employee leaves on good terms, some employers may have an interest in ensuring that their proprietary or confidential information remains uncompromised. If a computer forensics examiner is immediately involved, he can use techniques to discover what the employee was doing on the computer, what the employee was looking at, what devices (USB drives, hard drives, etc.) were connected to the computer, and if documents may have been altered, deleted, or copied.

Medical Malpractice

With more doctors and hospitals moving to electronic medical records, there is a risk of records alteration after a plaintiff files a medical malpractice lawsuit. Besides the risk of altering data, there are problems with how the data is displayed and sent to different departments within a hospital, leading to critical information not getting to the correct department on time. Electronic medical records typically have an “audit trail” which shows when and where the data was entered, and when data is altered. A computer forensic examiner can review the audit trail and other digital documents to determine when alterations have been made to a record, and what data was present at the time of the suspected malpractice.

Criminal Law – Electronic Harassment

More and more defendants are being charged with harassment after “evidence” is submitted to the court to show that the defendant used electronic means to contact the alleged victim. However, these electronic messages are extremely easy to forge. It is surprisingly easy for an alleged victim who wants to get a defendant in trouble to falsify electronic messages that look authentic to give to police as substantiation for their allegations. Computer forensics techniques can determine the true sender of electronic communications and flush out the false emails, text messages, Facebook messages, and tweets.

Criminal Law – Illegal Files

This may be one of the most well-known areas of computer forensics, and one that has been in the court systems the longest – finding illegal files on computers. In these situations, law enforcement has typically already conducted a search of the computer to find the illegal files. The defense then hires their own expert to examine the computer and the forensic work conducted by law enforcement. The defense computer forensic examiner looks for evidence of how the files got onto the system, who put them there, and when. There is evidence on a computer that can show when the computer was used and sometimes even who was using it. This kind of information is essential for the defense in an illegal files case. An independent computer forensics expert often has more time to perform a thorough examination of the computer, which can lead to the discovery of exculpatory evidence.

 Civil Business Disputes

In civil business disputes, there are many issues involving digital evidence. One party may try to hide emails or documents from the other side. A forensic examination of the party’s computer will reveal those documents. A forensic examination can also reveal changes made to crucial documents, such as changes to financial records. Finally, a forensic examiner may be able to find evidence of destruction of digital documents, which can lead to favorable jury instructions at trial.

Family Law

Few areas of law are more contentious than family law cases, where parties often submit hard copies of texts, emails, and other “evidence” of online activity and communications to the Court, without challenge by opposing counsel. As discussed previously, it is quite easy to falsify e-communications or create “evidence” that could have significant bearing in a family law case. It is important to establish the authenticity of your client’s digital evidence, and challenge that evidence presented by opposing counsel, if it has not been authenticated by a digital forensics expert. A forensic expert can explain these issues to the judge and even demonstrate how easy it is to create fake digital “evidence.”


Computer and mobile forensics are quickly becoming an essential part of the practice of law. A lawyer involved in litigation that could have digital evidence concerns should contact a forensic examiner early to learn how to preserve critical evidence and ensure its admissibility. If you handle any cases with digital evidence, familiarize yourself with the possible issues so you can spot them and hire a forensic examiner before it is too late.