From Log Files to Litigation Making Electronic Evidence Count.


1 From Log Files to Litigation Making Electronic Evidence Count

2 Introduction
Presented at TASK, November 29, 2006 Forensicom Ltd.
- Who is Larry Gagnon?
- What is this all about?
- Why is this information important to me?

3 Agenda
- Electronic evidence collection with a focus on admissibility
- Search tips
- Note-taking & documentation
- Continuity of evidence
- Analysis basics
- Effective reporting
- Testimony & sneaky lawyer tricks

4 Overview
- Data forensics is a process which must be managed
- Evidence must be able to stand up to cross-examination
- The admissibility of evidence is crucial
- Preparation, process and practice

5 Searching for Evidence

6 Searching for Evidence
- Identify various sources of potential electronic evidence
- Desktop, mail server, firewall…
- Might include PDAs, thumb drives, cell phones, etc.
- Can a company seize and examine an employee’s cell phone?

7 Searching for Evidence
- Must be able to state specifically where the evidence came from.
- More than “It was in Bob’s office”
- Extensive searches require scene control and exhibits logging
- Prepare and document a method that fits your needs.
- Practice your selected method

8 Searching for Evidence
Before you search:
- Limit physical access
- Fully document the area to be searched
- Photographs can be taken
- Make a hand-drawn diagram of the area
- Note the location and condition of things observed
- You never know what may be important

9 Searching for Evidence
- Number the room, letter the walls, number the furniture, letter the compartments. (POST-IT notes)
- Include numbering in your diagram
- Example: Room 1, Wall N, Furniture 2, Drawer B, Floppy Disk 1 becomes 1-N-2-B-1

10 Taking Notes
- Notes form part of disclosure and are subject to cross-examination.
- DRAFT notes, scribblings, etc. can also be cross-examined.
- Notes are for refreshing your memory
- Each case gets its own notebook.

11 Taking Notes
- Notes are to be legible (can’t use codes, foreign language or shorthand).
- You are required to provide full, frank and fair disclosure.
- Consider what should stay out of your notes.

12 Taking Notes
- Each entry should be time stamped
- Entries should be chronological
- Notes are made at or near the time of the incident.
- Use 24 hour clock to avoid confusion
- Do not erase, alter or change them
- Use strikethrough on an incorrect entry
- When are my notes good enough?

13 Continuity of Evidence

14 Continuity of Evidence
- Continuity is the documentation of the life cycle of an evidence item.
- An unbroken chain of events that accounts for the evidence at all times

15 Continuity of Evidence
- Who handled it?
- What did they do with it?
- When did this occur?
- Where was it taken or stored?
- Did anyone alter/handle/tamper with the evidence?

16 Continuity of Evidence
- Many different documents that can be used for tracking evidence.
- Numbered bags, tamper-proof seals etc.
- Never alter the original evidence item by writing on it.
- See example forms

17 Continuity of Evidence
- Continuity forms

18 Analysis of Evidence
- The integrity of the evidence must be preserved
- No “quick peeks”
- Never work on the original media
- Use a hash function to verify the integrity of the original before and after you image it.
- Use hashing to verify the integrity of your working copies.
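
The hashing steps on slide 18, written out as an added example that is not part of the original presentation. It assumes SHA-256 as the hash function, uses `shutil.copyfile` as a stand-in for a real imaging tool, and the file names and record fields are hypothetical; the exhibit label reuses the numbering example from slide 9.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_and_verify(original, image, examiner, exhibit_id):
    """Hash the original before and after imaging; return a log record."""
    before = sha256_file(original)
    shutil.copyfile(original, image)  # assumption: stand-in for an imaging tool
    after = sha256_file(original)
    image_hash = sha256_file(image)
    return {
        "exhibit": exhibit_id,
        "examiner": examiner,
        "time_utc": datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sha256": before,
        "original_unchanged": before == after,
        "image_matches": image_hash == before,
    }


def verify_working_copy(working_copy, record):
    """True only if the working copy still matches the recorded hash."""
    return sha256_file(working_copy) == record["sha256"]


def demo():
    """Run the procedure on a constructed sample file in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        names = ("ex.bin", "ex.img", "work.img")  # hypothetical file names
        original, image, working = (Path(tmp) / n for n in names)
        original.write_bytes(b"constructed sample evidence\n" * 1000)
        record = image_and_verify(original, image, "examiner-placeholder", "1-N-2-B-1")
        shutil.copyfile(image, working)
        intact = verify_working_copy(working, record)
        # Simulate an accidental one-byte write to the working copy.
        working.write_bytes(working.read_bytes() + b"\x00")
        return record, intact, verify_working_copy(working, record)
```

`demo()` returns the log record, the result for the untouched working copy, and the result after the simulated write, which no longer matches the recorded hash.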

19 Analysis of Evidence
- Use more than one tool
- Use ONLY PROPERLY LICENCED tools
- Test and verify your tools before putting them into production.
- Maintain documentation on your test process and subsequent results.
- Ultimately your process and results must be repeatable if required by the court.

20 Effective Reporting
- There is no “standard” report
- Know the purpose for the report
- Always consider that your report could end up in court, no matter how informal the case.
- Keep it absolutely professional, clear and concise.

21 Effective Reporting
Civil & Internal HR cases
- Only include relevant information
- Use summary pages for executive summary, findings and opinions
- Put the technical stuff in appendices
- Attach a sworn affidavit
- No speculation or unrelated information

22 Effective Reporting
Criminal Cases
- An unbiased review of all the evidence
- Case summary up front
- Technical info at the back
- No opinions unless requested by Crown
- NO TECHNICAL TALK
- Use a glossary

23 Testifying in court

24 Testifying in Court
- Maintain composure
- Answer the question
- Don’t be argumentative
- Speak to the judge / jury
- Do not use high level tech talk
- Do not offer “extra”
- Don’t speculate, guess or agree just to accommodate a question

25 Sneaky Lawyer Tricks
An excerpt from court transcripts:
Q. When he went, had you gone and had she, if she wanted to and were able, for the time being excluding all the restraints on her not to go, gone also, would he have brought you, meaning you and she, with him to the station?

26 Sneaky Lawyer Tricks
- They are paid money to make you and your work look bad.
- They take courses on how to ask confusing and difficult questions
- There are numerous time-tested and effective questioning tactics that you will encounter in court.

27 Sneaky Lawyer Tricks
- Diminishing your qualifications to testify on the matter.
- Drawing “I don’t know” answers frequently
- Re-phrasing and repeating questions
- Paraphrasing your responses. “Is it fair to say…?”
- Challenging your memory, “Earlier on you said…”

28 Sneaky Lawyer Tricks
- Lulled into sense of agreeability
- Answers that require speculation
- Time and distance estimation
- “Did you examine ALL of the evidence?”
- Repeated confirmation of negative responses
- Making statements and not asking questions

29 Sneaky Lawyer Tricks
- Weakening or minimizing your opinion.
- Cutting you off mid-answer.
- Leading you down the garden path
- “Is it Possible?”

30 Summary
- Importance of scene control & documentation
- What goes into notes and what doesn’t
- Integrity of your process and continuity of evidence items must be proven
- Consider the purpose and scope of your report
- Lawyers can be scary

31 More information
- http://www.canlii.org/ca/sta/c-5/
- http://www.oba.org/en/pdf_newsletter/E-DiscoveryGuidelines.pdf
- http://www.thesedonaconference.org/content/miscFiles/7_05TSP.pdf
- larry.gagnon@forensicom.ca

