Drawing The Line On Computer Forensic Expert And Lay Testimony (Part I)

Finding error in failing to provide pretrial notice about computer forensic expert testimony; however, trial court erred in excluding testimony as a sanction, in United States v. Ganier, 468 F.3d 920 (6th Cir. 2006)

Distinguishing lay and expert testimony can be a challenging feat, as other courts have recognized. See, e.g., United States v. Hilario-Hilario, 529 F.3d 65, 72 (1st Cir. 2008) (“There is no bright-line rule to separate lay opinion from expert witness testimony; circuits, and indeed decisions within a circuit, are often in some tension.”) This same challenge can arise in considering computer forensic testimony. For example, can lay testimony be used to present results by “running commercially-available software, obtaining results, and reciting them”? The circuit noted that whether testimony about “computer-related” issues is expert testimony “is a relatively new question.” The Sixth Circuit addressed this issue and answered the question in the negative.

In Ganier, the defendant, who was Chief Executive Officer, Chairman of the Board, a shareholder, and a founder of Education Networks of America, Inc., was being investigated concerning allegations of improprieties and favoritism in being awarded contracts from the State of Tennessee. After federal investigators sought emails from the defendant’s company, the defendant implemented a “retention” policy in which employee emails would be automatically deleted six months after creation. The defendant also deleted files from his laptop computer relevant to the investigation and also deleted similar files from employee’s computers. The government planned to call a forensic computer specialist at trial. The specialist used forensic software to determine what searches were run on the three computers in which relevant documents were allegedly deleted by the defendant, in relation to search terms relevant to the grand jury investigation. This report was completed the day before trial. The defendant filed a motion to exclude the report and related testimony, for failure to receive pretrial disclosure concerning expert testimony. The trial court granted the motion. The government appealed and the trial was stayed pending resolution of the appeal.

On appeal, the government argued that there was no violation of the rule governing pretrial disclosure of expert testimony. See Fed. R. Crim. P. 16(a)(1)(G) (“At the defendant’s request, the government must give to the defendant a written summary of any testimony that the government intends to use under Rules 702, 703, or 705 of the Federal Rules of Evidence during its case-in-chief at trial.”). The government contended that the computer forensic specialist was merely providing lay testimony after running a commercial software program and generating reports “display[ing] a heading, a string of words and symbols, date and time, and a list of words” based on “three different types of searches performed with particular search terms at particular times.” Ganier, 468 F.3d at 926. As an example, one part of the forensic report provided the following information:

Registry - Al Ganier Desktop
Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU
Last Written Time 12/09/02 08:34:57

000REG_ SZal...
005REG_SZroadmap to revenue...

Ganier, 468 F.3d at 926 n.4.

The Sixth Circuit disagreed concluding that interpreting the results of the software tests required the witness “to apply knowledge and familiarity with computers and the particular forensic software well beyond that of the average layperson. This constitutes ‘scientific, technical, or other specialized knowledge’ within the scope of Rule 702.” Ganier, 468 F.3d at 926. As the circuit explained:

“The average layperson today may be able to interpret the outputs of popular software programs as easily as he or she interprets everyday vernacular, but the interpretation [IRS special agent and forensic computer specialist] Drueck needed to apply to make sense of the software reports is more similar to the specialized knowledge police officers use to interpret slang and code words used by drug dealers…. Thus, the district court did not err by concluding that Drueck’s proposed testimony could be offered only pursuant to Rule 702. Accordingly, the government violated Federal Rule of Criminal Procedure 16(a)(1)(G) by not providing a written summary of the testimony to Ganier.”
Ganier, 468 F.3d at 926 (citing United States v. Peoples, 250 F.3d 630, 640-41 (8th Cir. 2001) (concluding that a police officer should not have been allowed to testify as to the meaning of code words on recorded conversations because she had not been qualified as an expert)).

Since the circuit agreed with the trial court that the government failed to provide pretrial discovery of the expert testimony, the court turned to the appropriate sanction. The trial court ruled that the witness testimony should be excluded. The circuit noted that the trial court should have considered the “least severe sanction necessary”. The trial court failed to make a record on considering this issue. There was no suggestion that the prosecutor acted in bad faith or that any prejudice could have been cured by a continuance or other sanction. The case was therefore remanded to determine the appropriate remedy.

There are many who may quarrel with the Sixth Circuit conclusion that the use of computer forensic software tool constituted expert testimony. Given the increase in electronic evidence, forensic tools have become more common. Certainly, the mere use of many of these tools should not require an expert to testify at trial. The lesson from the case is that there are certain computer forensic functions that may readily be admitted through lay testimony and at some point the function may be sufficiently specialized that only an expert may be used to admit the testimony. The Ganier case serves as a warning to be sensitive to the pretrial disclosure issue if computer forensic expert testimony is contemplated at trial.

Federal Rules of Evidence