Skip to main content

Checks & Balances in DF/IR





June 1, 2025


Checks & Balances in DF/IR


"Freedom is not secured by the fulfilling of one’s desires, but by the removal of desire where it is not appropriate."


-Epictetus

Discourses




AUTHOR’S NOTE:  As some of you may have seen, I was away for the first of the month, so I posted a place-holder for this article.  My apologies… I was out seeing some of our beautiful country.


One of the benefits to writing, speaking & posting regularly is that I have the built-in opportunity to network with other DF/IR professionals.  I’m also fortunate that I can combine these activities with things that are of value to me professionally and to my employer.  What inevitably comes from these networking opportunities are conversations on a litany of topics that affect our practice areas.  The DF/IR market, employment trends, law enforcement challenges, private sector challenges, new case law, recent testimony, testing of tools and discovery of artifacts, best practices and a host of other topics are discussed when you network with like-minded professionals.  That said, I hear a lot of the same comments from others in conversation, particularly in the realm of litigation support digital forensics - “I’m not interested in working defense cases.


I find this comment interesting, and I hear it a lot.  To be clear, it comes mostly from former law enforcement examiners or those who are looking to move out of law enforcement into the next phase of their career.  Being former law enforcement (and a current law enforcement instructor) myself, I think I understand the underlying sentiments of this comment.  It’s not simply speculation or an educated guess on my part either.  It comes from many conversations had with law enforcement-minded analysts around the country and from my own experience having worked criminal cases from the prosecution side, both in and outside of law enforcement.  


From what I can garner from this experience and conversations with those who express this, the sentiment is rooted in the fact that law enforcement and like-minded examiners don’t want to do anything to “help the bad guys get off”.  Again, a curious sentiment, especially given the fact that only a handful of examiners nationwide are also practicing attorneys.  I’m not exactly sure how working cases for a criminal defendant is “helping them get off”.  We all provide facts to our prosecuting or defense attorney.  Those facts are rooted firmly in the evidence.  Sometimes, we have to use our experience and knowledge to formulate an opinion based upon the evidence, but in our line of forensic science, this is also not a very frequent occurrence.  More often, we are asked to interpret the evidence for the stakeholders and finders-of-fact in the case, not to offer any opinion about what the evidence shows.  




There is value in working the case from more than one angle.  I’m exposed to a wide range of criminal cases nationwide.  Naturally, my LE background has that as a strong skillset, which is why both defense and prosecuting attorneys seek out practitioners with similar backgrounds.  Criminal is not 100% of my caseload, but as a senior member of a litigation support team with a strong background in criminal work, it’s a natural fit.  These cases are also not 100% defense, but the majority of them are advising the defense.  I say all that to lay the groundwork for this observation:  Not all police work is created equal.  Not all investigators are altruistic, seeking the truth, and looking at their evidence from a dispassionate perspective.  This is not a knock against anyone in law enforcement, in fact, it’s human nature.  I’ll provide an example from my personal experience…


I work a fair number of nationwide cases involving *INSERT 3-LETTER FEDERAL AGENCY HERE*.  This agency is highly-regarded nationwide and they have special units for various aspects of digital forensics from device analysis to cellular records mapping.  Many of the reports I review, cases I work, and much of the evidence I examine is as you would expect - very thorough & competent often enough to help prove guilt beyond a reasonable doubt.  But I also work a fair number of cases investigated by this agency that are lacking in detail, context and completeness.  The work appears designed to push for a plea bargain, even if the analysis in the case is incomplete or inadequate.  Furthermore, this agency (and the prosecutors with whom they work) often obfuscates evidence from the defense, not revealing all pieces until and unless the defense hires their own expert to review, assess and consult upon the evidence and the agency’s findings.  To add insult to injury, the LE agency will sometimes alter their findings after it is discovered that the defense attorney hired their own expert and after having already provided a version of their findings to the defense attorney.  This is inexcusable, but it also causes me to approach every case involving this agency with a very cautious eye.  This is a learned reaction garnered over time and dozens of interactions.  As I said, much of the work is just fine.  But there’s enough of a significant percentage that is lacking in solid, unadulterated evidence that the pattern leads one to approach these cases cautiously.  This is also human nature.


The purpose of an independent analysis by the defense is not to poke holes in a case that don’t already exist.  The purpose is not to throw smoke and mirrors at the case to ensure the judge or jury’s heads are spinning in ten different directions.  The purpose is to check the work that’s been done as thorough, complete, contextual to all of the pertinent facts, and to sometimes pose hard questions that have yet to be answered.  None of us want more pedophiles, murders or rapists on the street.  We only want to see the RIGHT pedophiles, murderers or rapists get put away for the crime.  That’s the definition and purpose of the justice system.  


If you read the first sentence of the previous paragraph again, I’d encourage you to give it some solid thought.  If holes exist in a case, they should be cited, particularly if they are substantive enough to allow room for some mitigation and/or reasonable doubt.  If no holes exist in a case, I can guarantee you I’ll advise the defense attorney that.  This means the ownness is on the law enforcement investigator to ensure there are no such holes in the case, and if there are, to ensure they are communicated effectively to all of the stakeholders.  I’ve done the job, I’ve worked cases with holes that I didn’t know were there and I’ve worked cases with no viable holes.  Holes lead to mitigation, or in some instances, reasonable doubt.  There are also legal holes, but those are upon the attorneys to research and cite as appropriate.  If they are not reasonable in light of the evidence, that’s also our job to advise the attorney.  Speculation and random facts that are not overly relevant to the case are not evidence.  


One of the other jabs that gets poked at “defense examiners” is that we get paid to do our job.  I’m frequently puzzled by this notion.  As I stated in my talk a Techno Security East last year, none of us are working for free.  I’d also estimate about 90% of our defense cases are indigent or court-appointed cases, which are generally billed at far less than any retained case.  Furthermore, in theory, the prosecution has all of the time and resources it needs to investigate and prosecute a case.  I know of no single area of practice that is more hog-tied by time and resources than indigent defense.  I’d also speculate that law enforcement compatriots in well-funded tax base localities such as New York, California, Massachusetts, etc. Are compensated to a degree that is comparable to a large percentage of the private sector, with outstanding benefits to boot!


All that to say, none of us are working for free.  The notion that one mission is any more or less valuable than the other is without merit.  Justice, truth and integrity of the profession are the mission, no matter which “side” of the case is being worked.


What’s the point to all of this?  The check-and-balance that is provided by more than one analyst working the case with added qualifications, training, expertise and insight is invaluable to the process.  I love it when someone proves me wrong.  It makes me better the next time around.  I completely understand that “getting in wrong” in law enforcement can sometimes mean a bad guy goes free.  I also know that bad guys who go free generally don’t stay free for very long.  And an innocent person sitting in prison is a failure.


Some Additional Food for Thought


If you’re in LE and will be matriculating out of your position at some point, consider that you are in a unique position to work litigation support digital forensic analysis by way of your training and experience.  When we take the dataset of qualified examiners in the US, then pare that dataset down to those with litigation support experience, then further pare it down to those who have expert testimony experience, we’ve narrowed down the pool to a pretty small subset of qualified forensic examiners who can continue to add to the community after retirement or leaving LE.  But you’ll likely have to work defense cases.  In fact, the ability and willingness to work defense cases makes you an outstanding candidate on the private sector job market.




One more thing that I’ve experienced that is worth noting – You may need a defense examiner one day.  It’s no secret that some places in the US are less than cop-friendly.  Elected prosecutors in some jurisdictions got to their elected position by promising to indict cops for any number of perceived offenses, and every case deals with digital data in the modern era.  The department DF guy won’t be your examiner, so you’ll have to hire or have someone appointed to assist you.  Consider a local case from several years ago where a police lieutenant was charged with rape, sodomy, abduction and several other offenses because a police dispatcher, with whom he was having an affair, decided this was the best way to avoid getting fired for engaging in the affair.  The lieutenant was fired and indicted when the criminal complaint was filed.  Phones belonging to both parties were analyzed, by both the law enforcement agency and by the expert hired by the defense attorney (me).  We were able to determine that the dispatcher fabricated text messages, which skewed the general theory of the case that the relationship was not consensual.  All charges were dropped before trial ever took place.


Is that a one-off example?  If you’re in law enforcement and you’re reading this, I think you know the answer to that question.


The Final Check & Balance


When I was a rookie cop, like most rookie cops, I was very righteous in my approach to the world.  I was the “good guy”, the one who protected the innocent and brought those to justice who deserved it by their own actions.  As careers progress and perspective increases, I’ve come to realize there is nothing “unrighteous” about working cases for criminal defendants.  Those that do still strive to protect the innocent and work to bring those to justice who deserve it.  Ultimately, we don’t have a dog in the proverbial fight, but the role is no less important than anyone else who is involved in the criminal justice system.  Our job – that of the law enforcement AND the appointed/retained examiner advising the defense attorney – is to ensure that all of the facts are properly analyzed, brought forth and made part of the record.  The goals are the same, regardless of which “side” of the case you’re working.



About the Author:

Patrick Siewert served 15 years in full-time law enforcement and investigated hundreds of high-tech crimes to precedent-setting results, Patrick is a graduate of SCERS & BCERT and is a court-certified expert witness in digital forensics, mobile forensics and historical cell site location analysis. He has published dozens of articles and is cited in numerous academic papers. He was the Founder & Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia (USA) and currently serves as Director of Digital Forensics and E-Discovery for a Nationwide (US) provider of DF/IR and e-disco litigation support services, while keeping in touch with the public safety community as a Law Enforcement Instructor in multiple disciplines.

Email:  Patrick@ProDigital4n6.com

Patrick Siewert on LinkedIn:  https://www.linkedin.com/in/patrick-siewert-92513445/  

Patrick Siewert on X/Twitter : @RVA4n6

Patrick Siewert on Substack :  rva4n6.substack.com 

Pro Digital (old) blog site :  https://prodigital4n6.blogspot.com/ 



Labels

Labels:
Location: Virginia, USA

Popular posts from this blog

  January 1, 2025 What Is “The Philosophy of DF/IR” ? “If it is not right, do not do it, if it is not true, do not say it.” -Marcus Aurelius Welcome to the newest Digital Forensics/Incident Response blog (for now)!   I created this space for several reasons.   First, I have a passion for writing about our industry and the nuances that reside within it and come about because of our practice of forensic data analysis.   The intersection of data, evidence and the law is a fascinating thread on which to pull and the more we pull on it, the more we unravel the tapestry of our practice and work to hone and refine how we conduct our work.   Second, I have been inspired lately by the likes of Brett Shavers (DFIR Training) and others to continue writing.   For those of you who are not already familiar, I wrote a DF blog for my company, Pro Digital Forensic Consulting, before the company and I were acquired by a Nationwide Digital Forensic services provider.   ...
Read more

Effective Advanced Communication in DF/IR

  January 12, 2025 Effective Advanced Communication in DF/IR “Nothing important comes into being overnight; even grapes or figs need time to ripen.” -Epictetus As my bio and LinkedIn page relay, I teach a lot.   One of those teaching roles is as an Adjunct Professor in the Department of Forensic Science teaching an Intro to Digital Forensics course at Virginia Commonwealth University , which also happens to be my Alma Mater.   I teach one semester per year, which, when combined with a list of other responsibilities, is quite enough. For those of you who teach, you know that most semesters start off with excitement and energy and by the time the 15 or 16-week course starts to wind down, it can be a bit of a grind.   Even teaching once a week for 3 hours is grueling at times, especially with regard to assignments, grading, testing, etc… Oh, and FT work too!   Teaching at VCU is also one of the most rewarding roles I fill.   Not only does it help keep me up-to...
Read more

Due Diligence In The Search For & Practice of Digital Forensics

  May 1, 2025 Due Diligence In The Search For & Practice of Digital Forensics " If someone is able to show me that what I think or do is not right, I will happily change, for I seek the truth, by which no one was ever truly harmed. It is the person who continues in his self-deception and ignorance who is harmed. " -Marcus Aurelius Meditations There’s been a lot of chatter lately about the qualifications, credentials, experience, education and credibility of digital forensic practitioners.   If you don’t know what I’m talking about, I suggest searching on LinkedIn or other related platforms.   Notably, a longtime practitioner in the Midwest has recently been placed under investigation by the FBI for essentially perjuring himself with regard to many of these listed characteristics, a definite bellwether for bad tidings and a position I don’t think anyone reading this post would want to be in.   But the developments with regard to this practitioner, among others, br...
Read more