sak 4801 introduction to computer forensics chapter 10 becoming an expert witness mohd taufik...

SAK 4801 INTRODUCTION TO COMPUTER FORENSICSChapter 10 Becoming an Expert Witness Mohd Taufik Abdullah

Department of Computer ScienceFaculty of Computer Science and Information Technology

University Putra of Malaysia

Room No: 2.28

Portions of the material courtesy Nelson et. al., and EC-Council

2 Chapter 10 Become an Expert Witness SAK4801 Introduction to Computer Forensics

Learning ObjectivesAt the end of this chapter, you will be

able to:• Understand the expert witness• Explain the role of expert witness• Understand the technical witness• Differentiate the technical witness with expert

witness• Understand the qualification of expert witness• Testifying as an expert witness


Chapter 10 Outline

10. Becoming an Expert Witness 10.1. Introduction 10.2. Role of an expert witness 10.3. Preparing for testimony 10.4. Testifying in court 10.5. Voir Dire 10.6. Testifying in general 10.7. Testifying during direct examination 10.8. Testifying during direct examination 10.9. Deposition

10.1 Introduction


A cybercrime investigation and building of the case file is aimed toward one end result: obtaining a conviction of the cyber criminal in a court of law.

No matter how good the evidence you obtain—log files showing unauthorized access to the network, hard disks seized from the suspect’s computer containing clear-cut indications of the criminal activity, network records tracking the intruder back through Internet servers to his or her computer—none of this evidence can stand alone.

Under most judicial systems, physical and intangible evidence must be supported by testimony.

Someone must testify as to when, where, and how the evidence was obtained and verify that it is the same when it is presented in court as it was when it was collected.


10.1.1 Who Is an Expert? According to Dan Poynter (An expert witness

since 1974), “If something can break, bend, crack, fold, spindle, mutilate, smolder, disintegrate, radiate, malfunction, embarrass, leach, be abused or used incorrectly, infect or explode, there is someone who can explain how and why it happened. This person is an EXPERT”


10.1.2 Who Is an Expert Witness? In a cybercrime case, police investigators and IT

personnel may be required to take the witness stand.Two types of witnesses can be called to testify in criminal actions:

Evidentiary witnesses Expert witnesses

An expert witness is a person who Investigates Evaluates Educates, and Testifies in court

An expert witness can be a Consulting expert or strategy advisor Court’s expert Testifying expert


10.1.3 Evidentiary Witness Versus Expert Witness? (Cont.) An evidentiary witness is someone who has

direct knowledge of the case. For example, a network administrator

might be called to testify as to what he or she observed during an attack on the network, or an investigator might be called to testify as to the evidence that he or she observed on a computer that was seized pursuant to a search warrant.

An evidentiary witness can only testify as to facts (what he or she saw, heard, or did) but cannot give authoritative opinions or draw conclusions.


An expert witness is different from an evidentiary witness in that he or she can give opinions and draw conclusions about facts in the case.

The expert witness may have no direct involvement in the case but has special technical knowledge or expertise that qualifies him or her to give professional opinions on technical matters.

Expert witnesses sometimes prepare reports that outline their opinions and give reasons for each opinion.

10.1.3 Evidentiary Witness Versus Expert Witness? (Cont.)

10.2 Role of an Expert Witness


Assist the court in understanding intricate evidence

Express an opinion in court Attend the entire trial in court Aid lawyers to get to the truth and not

obscure it Qualified to exhibit their expertise


10.2.1 Technical Testimony Versus Expert Testimony A Technical testimony is an individual

who Does the actual fieldwork Submits only the results of his

findings Does not offer a view in court

An Expert testimony is an individual who Has absolute field knowledge Offers a view in court


10.2.2 Rules Pertaining to an Expert Witness’ Qualification According to federal rules, to be

present as an expert witness in a court, following information must be furnished Four years of previous testimony

(indicates experience) Ten years of any published

literature Previous payment received when

giving testimony


10.2.3 Rules Pertaining to an Expert Witness’ Qualification Curriculum Vitae shows the capability of

an expert witness It is essential to regularly update your

curriculum vitae The following things must be kept in

mind while preparing a CV: Certifications/credentials/

accomplishments Recent work as an expert witness or

testimony log Expertise List of books written, if any Any training undergone Referrals and contacts


10.2.4 Technical Definitions Use lucid language and easily

understandable words Some examples of technical

definitions: Computer Forensics SHA-1, MD5, and CRC32 hash

functions Image and bit-stream backup File slack and free space File time and date stamps Computer log files.

10.3 Preparing for Testimony


Testimony in court is provided by witnesses, which are people who have firsthand knowledge of a crime or incident, or whom offer evidence during a trial, tribunal, or hearing.

When evidence is technical in nature and difficult for laypeople to understand, experts may be required to testify to explain the nature of the evidence and what it means to the case.

Basic points to be kept in mind while preparing for testimony Deeply go through the documentation Establish early communication with the attorney Ascertain the basic concepts of the case before

beginning with the examining and processing of evidence

Substantiate the findings with the documentation, and by collaborating with other computer forensic

professionals


10.3.1 Evidence Preparation and Documentation Every important aspect in the case

must be documented during investigations

Safeguard the integrity of all gathered evidence

Catalog and index for easier understanding

Use your professional experience and request peer reviews to support your findings


10.3.2 Evidence Processing Steps Examine, preserve and authenticate the

documentation prepared Different checklists must be created for different

evidence analysis Avoid personal comments or ideas in these notations Make simple and precise notes of the investigation Use SHA-1 for evidence validation

MD5 or CRC32 can be used if SHA-1 is absent An MD5 or SHA-1 hash check before and after

evidence examination would ensure the integrity of the evidence

Use well-defined search parameters while searching for key results Helps in narrowing the search Avoids false hits

While writing the report, list only the evidence findings that are relevant to the case

10.4 Testifying in Court


Familiarize with the usual procedures followed during a trial

The attorney introduces the expert witness with high regards

The opposing counsel may try to discredit the expert witness

The attorney would lead the expert witness through the evidence

Later it is followed by the cross examination with the opposing counsel


10.4.1 The Order of Trial Proceedings Motion in Limine

(motion in beginning) Written list of objections to particular testimonies Allows judge to examine whether certain evidence

should be admitted in the absence of the jury Opening Statement

Offers an outline of the case Plaintiff and defendant

The attorney and the opposing counsel presents the case


10.4.1 The Order of Trial Proceedings (Cont.) Rebuttal session

Cross examination by both plaintiff and defendant Jury orders

Proposed by the counsel Approved and read by the judge to the jury

Closing arguments Statements that organize the evidence and the

law

10.5 Voir dire


French words meaning “to speak the truth” Process of qualifying a witness as

an expert in their particular field. The opposing counsel may attempt to

degrade or disqualify the expert witness.

The opposing counsel may accept the expert witness without any formal qualification. The expert witness is well qualified

or has been an expert witness on several occasions.

The attorney will try to avoid this situation and impress the jury through the qualification process.

10.6 Testifying in General


10.6.1 General Ethics While Testifying Ethics to be followed while presenting as an

expert witness to any court or an attorney: Be professional, polite and sincere in

testimony Always pay tribute to the jury Be enthusiastic during testimony Keep the jury interested in speech Be aware and prepare for the possible

rebuttal questions especially from the opposing counsel

Avoid overextending opinions Develop repetitions into details and

descriptions for the jury Augment your image with the jury by

following a formal dress code


10.6.2 Evidence Presentation Identify evidence to defend opinion Associate the method used to arrive at

the opinion Reaffirm your opinion Never

exaggerate opinions Be prepared to defend your opinion

Recall definitions Gather information about the opposing

attorney and expert


10.6.3 Importance of Graphics in a Testimony Make graphical demonstrations such

as charts To illustrate and elucidate your

findings. Make sure the graphics are seen by

the jury Face the jury while exhibiting these

graphics Make it a habit of using charts and

tables for courtroom testimony Use clear and easily understandable

graphical demonstrations


10.6.4 Helping Your Attorney Prepare a list of questions that are vital.

Enables the attorney to get the expert’s testimony into the trial

Provides a practice in the testimony for the direct examination

Also helps the attorney review and improve on how he or she wants to try the case

Develop a script and work with the attorney to get the perfect language. Communicates the message to the

jury.


10.6.5 Avoiding Testimony Problems Offer clear opinions Outline your boundaries of knowledge and

ethics Create a case outline and summary for your

attorney Enables reviewing of your case plan Offers a clear overview of your level of

knowledge used in the case Make the best effort to coordinate testimony

with other experts, who are retained by your attorney for the same case

Meet with the paralegal to communicate necessary information to your attorney Paralegal is a person with special training in

either a specific or general area of law

10.7 Testifying During Direct Examination


Direct examination is an important part of a testimony during a trial

It offers a clear overview of all the findings

Create an easy to follow and systematic plan for describing evidence collection methods

Be lucid while describing complicated concepts

Determine the speech to the education level of the jury

10.8 Testifying During Cross Examination


The opposing counsel has the opportunity to ask questions about the expert witness’ testimony and evidence. This phase of the trial is cross-examination

Do not offer guesses when asked something irrelevant to the case

Use own words and phrases when answering the opposing counsel

Speak slowly as the best offense to problematic questions is to be patient with answers

Turn towards the jury slowly while giving your response Allows you to maintain control over

the opposing counsel.

10.9 Deposition


Deposition differs from a trial as Both attorneys are present No jury or judge Opposing counsel asks questions

Purpose of a Deposition Enables opposing counsel to

preview your testimony at trial Your attorney fixes a location for

the deposition.


10.9.1 Guidelines to Testify at a Deposition Convey a calm, relaxed, confident and

professional appearance during a deposition

Do not get influenced by the opposing counsel’s tone or expression or tactics

Use the opposing counsel’s name while responding him/her and reply confidently

Have continuous eye contact with the opposing counsel

Keep your hands on the table and hold out your elbows which makes you appear more open and friendly


10.9.2 Dealing With Reporters Avoid contact with media during a case Do not give opinions about the trial to

media but simply refer the attorney Avoid conversing with the media

because It is unpredictable what the journalist

might publish. The comments might harm the case Creates a record for future

testimony, which can be used against you

Record your interviews, if any, with the media


Summary An expert witness can express his opinion and

attend the entire trial in court Convey a calm, relaxed, confident and

professional appearance during a testimony Follow certain ethics while giving your testimony Project your voice and make your speech

interesting for the jury and audience to listen Use graphics to make your testimony more

appealing Avoid expressing an opinion to the media

End of Chapter 10

sak 4801 introduction to computer forensics chapter 10 becoming an expert witness mohd taufik...

Documents