Guide to Computer Forensics

and Investigations
Fourth Edition

Chapter 15
Expert Testimony in High-Tech
Investigations
 Objectives

• Explain guidelines for giving testimony as a

technical/scientific or expert witness
• Describe guidelines for testifying in court
• Explain guidelines for testifying in depositions and
hearings
• Describe procedures for preparing forensics
evidence for testimony
Preparing for Testimony
 Preparing for Testimony

• Technical or scientific witness

– Provides facts found in investigation
– Does not offer conclusions
– Prepares testimony
• Expert witness
– Has opinions based on observations
– Opinions make the witness an expert
– Works for the attorney
 Preparing for Testimony (continued)

• Confirm your findings with documentation

– Corroborate them with other peers
– Social networking and professional organizations will
help to locate peers
• Check opposing experts
– Internet
– Deposition banks
– Curriculum vitae, strengths, and weaknesses
 Preparing for Testimony (continued)

• When preparing your testimony consider the

following questions:
– What is my story of the case?
– What can I say with confidence?
– What is the client’s overall theory of the case?
– How does my opinion support the case?
– What is the scope of the case? Have I gone too far?
– Have I identified the client’s needs for how my
testimony fits into the overall theory of the case?
Documenting and Preparing Evidence

• Document your steps

– To prove them repeatable
• Preserve evidence and document it
• Do not use formal checklist
– Do not include checklist in final report
– Opposing attorneys can challenge them
• Collect evidence and document employed tools
• Maintain chain of custody
Documenting and Preparing Evidence
(continued)

• Collect the right amount of information

– Collect only what was asked for
• Note the date and time of your forensic workstation
when starting your analysis
– Check your clock with time.gov
• Keep only successful output
– Do not keep previous runs
• Search for keywords using well-defined parameters
Documenting and Preparing Evidence
(continued)

• Keep your notes simple

• List only relevant evidence on your report
• Define any procedures you use to conduct your
analysis as scientific
– And conforming to your profession’s standards
• Monitor, preserve, and validate your work
• Validate your evidence using hash algorithms
 Reviewing Your Role as a Consulting
Expert or an Expert Witness
• Do not record conversations or telephone calls
• Federal information requirements
– Four years of experience
– Ten years of any published writings
– Previous compensations
• Learn about all other people involved and basic points
in dispute
• Brief your attorney on your findings and opinion of the
court’s expert
• Find out if you are the first expert asked
 Creating and Maintaining Your CV

• Curriculum vitae (CV)

– Lists your professional experience and education
– Supports your role as an expert
• Show you continuously enhance your skills
• Detail specific accomplishments
• List basic and advanced skills
• Include a testimony log
– Do not include books you have read, because you
may not agree with everything in those books
 Preparing Technical Definitions

• Prepare definitions of technical concepts

• Use your own words and language
• Some terms
– Computer forensics
– Hash algorithms
– Image and bit-stream backups
– File slack and unallocated space
– File timestamps
– Computer log files
 Preparing Technical Definitions
(continued)

• Some terms (continued)

– Folder or directory
– Hardware
– Software
– Operating system
 Preparing to Deal with the News
Media

• Some legal actions generate interest from the news

media
• Reasons to avoid contact with news media
– Your comments could harm the case and create a
record that can be used against you
– You have no control over the context of the
information a journalist publishes
– You can’t rely on a journalist’s promises of
confidentiality
Testifying in Court
 Testifying in Court

• Procedures during a trial

– Your attorney presents you as a competent expert
– Opposing attorney might attempt to discredit you
– Your attorney leads you through the evidence
– Opposing attorney cross-examines you
 Understanding the Trial Process

• Typical order of trial

– Motion in limine (pretrial motion to exclude evidence)
– Empaneling the jury
– Opening statements
– Plaintiff
– Defendant
– Rebuttal
– Closing arguments
– Jury instructions
 Providing Qualifications for Your
Testimony

• Demonstrates you are an expert witness

– This qualification is called voir dire
• Attorney asks the court to accept you as an expert
on computer forensics
• Opposing attorney might try to disqualify you
– Depends on your CV and experience
 Example Voir Dire

• See page 547

General Guidelines on
Testifying
 Delivery and Presentation

• Be conscious of the jury, judge, and attorneys

• If asked something you cannot answer, say:
– That is beyond the scope of my expertise
– I was not requested to investigate that
• Be professional and polite
• Avoid overstating opinions
• Guidelines on delivery and presentation:
– Always acknowledge the jury and direct your
testimony to them
 Delivery and Presentation

• Movement
– Turn towards the questioner when asked
– Turn back to the jury when answering
• Place microphone six to eight inches from you
• Use simple, direct language to help the jury
understand you
• Avoid humor
• Build repetition into your explanations
 Delivery and Presentation

• Use chronological order to describe events

• If you’re using technical terms, identify and define
these terms for the jury
• Cite the source of the evidence the opinion is
based on
• Make sure the chair’s height is comfortable, and
turn the chair so that it faces the jury
 Delivery and Presentation

• Dress in a manner that conforms to the

community’s dress code
• Don’t memorize your testimony
• For direct examination
– State your opinions
– Identify evidence to support your opinions
– Relate the method used to arrive to that opinion
– Restate your opinion
 Preparing Testimony

• Prepare your testimony with the attorney who hired

you
– How is data (or evidence) stored on a hard drive?
– What is an image or a bit-stream copy of a drive?
– How is deleted data recovered from a drive?
– What are Windows temporary files and how do they
relate to data or evidence?
– What are system or network log files?
 Using Graphics

• Graphical exhibits illustrate and clarify your findings

• Your exhibits must be clear and easy to understand
• Graphics should be big, bold, and simple
• The goal of using graphics is to provide information
the jury needs to know
• Review all graphics with your attorney before trial
• Make sure the jury can see your graphics, and face
the jury during your presentation
 Avoiding Testimony Problems

• Recognize when conflict-of-interest issues apply to

your case
• Avoid agreeing to review a case unless you’re
under contract with that person
• Avoid conversations with opposing attorneys
• You should receive payment before testifying
• Don’t talk to anyone during court recess
• Make sure you conduct any conferences with your
attorney in a private setting
 Understanding Prosecutorial
Misconduct

• If you have found exculpatory evidence, you have

an obligation to ensure that the evidence isn’t
concealed
• Initially, you should report the evidence to the
prosecutor handling the case
– Be sure you document the communication
• If this information isn’t disclosed to the defense
attorney in a reasonable time
– You can report it to the prosecutor’s supervisor or the
judge
 Testifying During Direct Examination

• Techniques
– Work with your attorney to get the right language
– Be wary of your inclination to be helpful
– Review the examination plan your attorney has
prepared
– Provide a clear overview of your findings
– Use a systematic easy-to-follow plan for describing
your methods
– Practice testifying
– Use your own words when answering questions
 Testifying During Direct Examination
(continued)

• Techniques (continued)
– Present your background and qualifications
– Avoid vagueness
– When you’re using graphics in a presentation, keep
in mind that you’re instructing the jury in what you
did to collect evidence
 Testifying During Cross-examination

• Use your own words

• Keep in mind that certain words have additional
meanings
• Opposing attorneys sometimes use the trick of
interrupting you
• Be aware of leading questions
• Never guess when you do not have an answer
 Testifying During Cross-examination
(continued)
• Be prepared for challenging, pre-constructed
questions
– Did you use more than one tool?
• Rapid-fire questions
• Sometimes opposing attorneys declare that you
aren’t answering the questions
• Keep eye contact with the jury
• Sometimes opposing attorneys ask several
questions inside one question
 Testifying During Cross-examination
(continued)

• Attorneys make speeches and phrase them as

questions
• Attorneys might put words in your mouth
• Be patient
• Most jurisdictions now allow the judge and jurors to
ask questions
• Avoid feeling stressed and losing control
• Never have unrealistically high self-expectations
when testifying; everyone makes mistakes
Preparing for a Deposition
 Preparing for a Deposition

• Deposition differs from trial testimony

– There is no jury or judge
• Opposing attorney previews your testimony at trial
• Discovery deposition
– Part of the discovery process for a trial (Links Ch 15b,
15c)
• Testimony preservation deposition
– Requested by your client
– Preserve your testimony in case of schedule conflicts
or health problems
 Guidelines for Testifying at
Depositions

• Some recommendations
– Stay calm, relaxed, and confident
– Maintain a professional demeanor
– Use name of attorneys when answering
– Keep eye contact with attorneys
– Try to keep your hands on top of the table
– Be professional and polite
– Use facts when describing your opinion
– Being deposed in a discovery deposition is an
unnatural process
 Guidelines for Testifying at
Depositions (continued)

• If you prepared a written report, the opposing

attorney might attempt to use it against you
• If your attorney objects to a question from the
opposing attorney
– Pause and think of what direction your attorney
might want you to go in your answer
• Be prepared at the end of a deposition to spell any
specialized or technical words you used
 Recognizing Deposition Problems

• Discuss any problem before the deposition

– Identify any negative aspect
• Be prepared to defend yourself
• Avoid
– Omitting information
– Having the attorney box you into a corner
– Contradictions
• Be professional and polite when giving opinions
about opposite experts
 Recognizing Deposition Problems

• To respond to difficult questions that could

jeopardize your client’s case
– Pause before answering
• Keep in mind that you can correct any minor errors
you make during your examination
• Discovery deposition testimony often doesn’t make
it to the jury
– It might be presented to the jury, usually as part of
an attempt to discredit the witness
 Guidelines for Testifying at Hearings

• Testifying at a hearing is generally comparable to

testifying at a trial
• A hearing can be before an administrative agency
or a legislative body or in a court
• Often administrative or legislative hearings are
related to events that resulted in litigation
• A judicial hearing is held in court to determine the
admissibility of certain evidence before trial
– No jury is present
Preparing Forensics Evidence
for Testimony
 Preparing Forensics Evidence for
Testimony

• Use ProDiscover Basic to extract e-mail folders

– And FTK Demo to extract and analyze e-mail
metadata and messages
– See Figures 15-1 and 15-2
Preparing Forensics Evidence for
Testimony (continued)
Preparing Forensics Evidence for
Testimony (continued)
 Preparing Explanations of Your
Evidence-Collection Methods

• To prepare for court testimony

– You should prepare answers for questions on what
steps you took to extract e-mail metadata and
messages
• You might also be asked to explain specific
features of the computer, OS, and applications
(such as Outlook)
– And explain how these applications and computer
forensics tools work