
Dr Allan Watt is an internationally recognised digital forensics expert with over 25 years’ experience in the field. His combined experience as a former soldier, police officer, and full-time academic fed into his current role as a consultant in digital forensics. Between 2014 and 2016, he was appointed as an expert committee member to the INTERPOL Global Cyber Security Panel, one of only seven in the world. He details his career journey to CAT WOODS.

Born in New Zealand, Watt moved to Sydney in 2008 and worked for many years as a lecturer in cyber-terrorism, computer forensics and cyber security, largely to a post-graduate student body made up of military, police and intelligence experts. He is now based in the NSW Southern Highlands.

To date, he’s been engaged in more than 1500 investigations and provided evidence in cases ranging from intellectual property (IP) theft and civil litigation (email fabrications, for example) to data recovery, employee investigations and child protection.

A rare silver lining of COVID-19 was the move to having court proceedings online, enabling Watt to take part without having to travel.

“I prefer to be instructed by lawyers since they know what they’re looking for,” he says. “If clients approach me, I suggest they seek a lawyer.

“The other benefit is that legal professionals have privilege over reports, so they can’t subpoena stuff directly from me.”

As Watt notes, whenever we interact with a device, we leave artifacts. These artifacts, or digital footprints, are typically invisible to us as users. They’re usually hard to access or to modify, for better or worse.

The role of a digital forensic investigator is to seek these artifacts and preserve them, along with as much context (time, date, user identification) as possible, in order to use that information as part of a police investigation and/or legal proceedings.

Any device that stores data – and most do – has the capacity to provide artifacts of evidence.

Watt notes that while television shows like NCIS and CSI would lead us to believe all cases are major criminal affairs involving murder and mayhem, digital forensics far more commonly plays a role in cases of all types, as we increasingly depend on digital devices to communicate, record and witness events daily.

Increasingly, digital forensic specialists are called upon to aid in investigating intellectual property theft or misuse of trademark, defamation, corruption or fraud, employee misconduct or trade of illegal images, video or other multimedia content.

“A lot of lawyers are getting savvier and understand it. Earlier, some of the judges couldn’t even turn a computer on,” says Dr Watt.

He recalls a case in which the barrister he was working for listened at length to Watt’s explanation of the evidence, only to ask “what’s an operating system? What’s a network?”

The court case was a shambles when it became quickly and painfully evident to the judge that the barrister couldn’t understand the digital evidence that formed a key component of the case.

In most cases, a client engages their lawyer as a first step, then their lawyer assesses the need for a digital forensic investigator to be employed as part of a team. The earlier, the better. Just as physical footprints and movement around or within a physical crime scene can sully evidence, destroying or corrupting it, the same is possible in the digital realm. The first role of a digital forensic investigator is to preserve the artifacts in order to then measure, record and analyse them.

It’s a two-way street when it comes to the collaborative nature of legal counsel and forensic investigators. Sometimes, counsel will request specific information from devices according to a date and time, or specific types of data. It may be that the investigator finds information or notices a trend or activity in assessing the artifacts that they think is notable and raises this with counsel as a prospective lead, too.

It is imperative that experts handle digital evidence so that its integrity is indisputable in court proceedings. If evidence or artifacts have been handled in a way that has corrupted files, or devices and data have been accessed without the necessary warrants and legal rights, the evidence can be ruled inadmissible.

“I’ve got better at giving evidence over the years, though the other lawyer in proceedings wants to win and will try to trip you up or make you look incompetent,” Watt says.

“I’ve been doing this for 21 years full-time, and not many [digital forensics experts] do this full-time.”

He explains that his lengthy CV and expertise, including degrees and an invitation to speak at an FBI counter-terrorism conference, often lead to cases being dropped or settled “rather than trying to argue the evidence isn’t significant or valid.”