Guide to Computer Forensics and Investigations, Second Edition Chapter 14 Becoming an Expert Witness and Reporting Results of Investigations

Guide to Computer Guide to Computer Forensics and Forensics and Investigations, Investigations, Second EditionSecond Edition

Chapter 14Becoming an Expert Witness and

Reporting Results of Investigations

Guide to Computer Forensics and Investigations, 2e 2

ObjectivesObjectives

• Understand the importance of reports

• Understand guidelines for writing reports

• Generate report findings with forensic software tools


Objectives (continued)Objectives (continued)

• Prepare for testimony

• Prepare for testifying in court

• Prepare for depositions


Understanding the Importance of Understanding the Importance of ReportsReports

• Communicate the results of your investigation– Including expert opinion

• Courts require expert witness to submit written reports

• Keep copy of your reports

• Deposition banks– Examples of expert witness’ previous testimonies


Limiting the Report to SpecificsLimiting the Report to Specifics

• Submit reports electronically– PDF format

• Do not file a report directly

• All reports to client should start with the job mission or goal– Find information on a specific subject– Recover certain significant documents– Recover certain types of files


Types of ReportsTypes of Reports

• Identify your audience– Education paragraphs

• Examination plan– What questions to expect when testifying– Prepared by the attorney– Multiple source for questions– Do not include things you do not want the jury to see


Types of Reports (continued)Types of Reports (continued)



• Verbal report– Less structured– Attorneys cannot be forced to release verbal reports– Preliminary report

• Tests that have not been concluded

• Interrogatories

• Document production

• Depositions



• Written report– Affidavit or declaration– Limit what you write and pay attention to details– Use natural language style

• Describe yourself in the first person

• Word usage

– High-risk documents– Spoliation– Include same information as in verbal reports


Guidelines for Writing ReportsGuidelines for Writing Reports

• Hypothetical questions based on factual evidence– Less favored today– Guide and support your opinion– Can be abused and complex

• Opinions based on knowledge and experience

• Exclude from hypothetical questions– Facts that can change, cannot be used, or are not

relevant to your opinion


Report StructureReport Structure

• Abstract

• Summary

• Table of contents

• Body of report

• Conclusion


Report Structure (continued)Report Structure (continued)

• Reference

• Glossary

• Acknowledgments

• Appendixes


Writing Reports ClearlyWriting Reports Clearly

• Consider:– Communicative quality– Ideas and organization– Grammar and vocabulary– Punctuation and spelling

• Lay out ideas in logical order

• Build arguments piece by piece

• Group related ideas and sentences into paragraphs


Writing Reports Clearly (continued)Writing Reports Clearly (continued)

• Group paragraphs into sections

• Avoid jargon, slang, and colloquial terms

• Define technical terms– Consider your audience

• Writing style– Avoid repetition and vague language– Be precise and specific– Avoid presenting too many details and personal

observations


Designing the Layout and Presentation Designing the Layout and Presentation of Reportsof Reports

• Decimal numbering structure– Divides material into sections– Readers can scan heading– Readers see how parts relate to each other

• Legal-sequential numbering– Used in pleadings– Roman numerals represent major aspects– Arabic numbers are supporting information


Designing the Layout and Presentation Designing the Layout and Presentation of Reports (continued)of Reports (continued)

• Include signposts– Draw reader’s attention to a point

• Provide supporting material– Figures, tables, data, and equations

• Use consistent formatting

• Explain methods– How you studied the problem

• Include data collection


Designing the Layout and Presentation Designing the Layout and Presentation of Reports (continued)of Reports (continued)

• Include calculations

• Provide for uncertainty and error analysis– Protect your credibility

• Explain results and conclusion

• Provide references– Cite references by author and year– Harvard system

• Include appendices


Generating Report Findings with Generating Report Findings with Forensic Software ToolsForensic Software Tools

• Forensics tools generate report when performing analysis

• Report formats– Plaintext– Word processor– HTML format


Using FTK Demo VersionUsing FTK Demo Version

• Create a new case

• Add evidence to the case

• Analyze evidence with FTK– Look for image files– Locate encrypted files– Search for specific keywords

• Indexed search

• Live search


Using FTK Demo Version (continued)Using FTK Demo Version (continued)





• Create bookmarks

• Generate a report from your bookmarks

• Review your findings– Locate specific keywords

• Analyze additional material– Spreadsheets, documents

• Write a narrative report– Use any text editor









• Use FTK Report Wizard to integrate:– Evidence– Report from bookmarks– Narrative report

• FTK Report Wizard produces a final HTML report


Preparing for TestimonyPreparing for Testimony

• Technical or scientific witness– Provides facts found in investigation– Do not offer conclusions– Prepare testimony

• Expert witness– Has opinions based on observations– Opinions make the witness an expert– Works for the attorney


Preparing for Testimony (continued)Preparing for Testimony (continued)

• Confirm your findings with documentation– Corroborate them with other peers

• Detect conflict of interest

• Avoid conflicting out practice– Prevents another attorney from using you


Documenting and Preparing EvidenceDocumenting and Preparing Evidence

• Document your steps– To prove them repeatable

• Preserve evidence and document it

• Do not use formal checklist– Do not include checklist in final report– Opposing attorneys can challenge them

• Collect evidence and document employed tools

• Maintain chain of custody


Documenting and Preparing Evidence Documenting and Preparing Evidence (continued)(continued)

• Check opposing experts– Internet– Deposition banks– Curriculum vitae, strengths, and weaknesses

• Collect the right amount of information– Collect only what was asked for


Processing EvidenceProcessing Evidence

• Monitor, preserve, and validate your work

• Keep only successful output– Do not keep previous runs

• Validate your evidence using hash algorithms

• Search for keywords using well-defined parameters

• Keep your notes simple– List only relevant evidence on your report


Serving as a Consulting Expert or an Serving as a Consulting Expert or an Expert WitnessExpert Witness

• Do not record conversations or telephone calls

• Federal information requirements– 4 years of experience– 10 years of any published writings– Previous compensations

• Learn about all other people involved and basic points in dispute

• Define analysis procedures

• Find out if you are the first expert asked


Creating and Maintaining Your CVCreating and Maintaining Your CV

• Purpose of a CV– Tells your professional life– Qualify your testimony

• Show you continuously enhance your skills

• Detail specific accomplishments

• List basic and advance skills

• Include a testimony log– Do not include books you have read


Preparing Technical DefinitionsPreparing Technical Definitions

• Definitions of technical material

• Use your own words and language

• Some terms– Computer forensics– Hash algorithms– Image and bit-stream backups– File slack and unallocated space– File data and time stamps– Computer log files


Testifying in CourtTestifying in Court

• Procedures during a trial– Your attorney presents you as a competent expert– Opposing attorney might attempt to discredit you– Your attorney leads you through the evidence– Opposing attorney cross-examines you


Understanding the Trial ProcessUnderstanding the Trial Process

• Typical order of trial– Motion in limine– Empanelling of the jury– Opening statements– Plaintiff– Defendant– Rebuttal– Closing arguments– Jury instructions


Qualifying Your Testimony Qualifying Your Testimony and Voir Direand Voir Dire

• Demonstrates you are an expert witness– This qualification is called voir dire

• Court-appointed expert witnesses– Neutral in their initial positions

• Brief your attorney on your findings about a court’s expert

• Opposing attorney might try to disqualify you– Depends on your CV and experience


Testifying in GeneralTestifying in General

• Be conscious of the jury, judge, and attorneys

• If asked something you cannot answer– That is beyond the scope of my expertise– I was not requested to investigate that

• Be professional and polite

• Be aware of leading questions

• Avoid overreaching opinions


Testifying in General (continued)Testifying in General (continued)

• Build repetition into your explanations

• Place microphone 6 to 8 inches from you

• Use chronological order to describe events

• Movement– Turn towards the questioner when asked– Turn back to the jury when answering

• Cite source of the evidence you used to construct an opinion


Presenting Your EvidencePresenting Your Evidence

• Steps:– State your opinions– Identify evidence to support your opinions– Relate the method used to arrive to that opinion– Restate your opinion– Never carry on with a lengthy build-up

• Consider your audience

• Do not talk with anybody during court recess


Avoiding Testimony ProblemsAvoiding Testimony Problems

• Be an impartial expert witness

• Be clear about your opinion and knowledge boundaries– Do not lie about your expertise

• Always build a business case

• Build a case outline and summary for the attorney

• Coordinate your testimony with your attorney


Testifying During Direct ExaminationTestifying During Direct Examination

• Techniques:– State your background and qualifications– Provide a clear overview of your findings– Use a systematic, easy-to-follow plan for describing

your methods– Balance language– Practice testifying– Be fair– Avoid vagueness


Testifying During Cross-examinationTestifying During Cross-examination

• Recommendations and practices:– Never guess when you do not have an answer– Use your own words– Be prepared for challenging pre-constructed

questions• Did you use more than one tool?

– Some questions can cause conflicting answers– Rapid-fire questions– Keep eye contact with the jury


Testifying During Cross-examination Testifying During Cross-examination (continued)(continued)

• Recommendations and practices (continued):– Nested questions– Attorneys make speeches and phrase them as

questions– Attorneys might put words in your mouth– Be patient– Keep a vigorous demeanor and use energetic

speech– Avoid feeling stressed and losing control


Preparing for a DepositionPreparing for a Deposition

• There is no jury or judge

• Opposing attorney previews your testimony at trial

• Discovery deposition– Part of the discovery process for a trial

• Testimony preservation deposition– Requested by your client– Preserve your testimony in case of schedule

conflicts or health problems


Guidelines for Testifying at a Guidelines for Testifying at a DepositionDeposition

• Some recommendations:– Stay calm, relaxed, and confident– Use name of attorneys when answering– Keep eye contact with attorneys– Try to keep your hands on top of the table– Be professional and polite– Use facts when describing your opinion– Ask opposing attorney questions


Recognizing Deposition ProblemsRecognizing Deposition Problems

• Discuss any problem before the deposition– Identify any negative aspect

• Be prepared to defend yourself

• Avoid:– Omitting information– Having the attorney box you into a corner– Contradictions

• Be professional and polite when giving opinions about opposite experts


Public Release: Dealing with Public Release: Dealing with ReportersReporters

• Avoid contact with press– Especially during a case

• Refer press to your attorney

• Consult with your attorney on how to deal with a journalist

• Plan to record any interview– Important if you are misquoted or quoted out of

context


SummarySummary

• Technical witness or expert witness

• Prepare your testimony– Coordinate with your attorney

• Always monitor, preserve, and validate your work when processing evidence

• Qualification (voir dire) phase

• There is no jury or judge in a deposition


Summary (continued)Summary (continued)

• Know if you should act as a consultant expert or an expert witness

• Your reports should ask questions you were hired to answer

• Use a well-defined report structure

• Clarity of writing is critical to a report

• Project objectivity

Documents

Guide to Computer Forensics and Investigations, Second Edition Chapter 14 Becoming an Expert Witness and Reporting Results of Investigations