SAK 4801 INTRODUCTION TO COMPUTER FORENSICS Chapter 10 Becoming an Expert Witness Mohd Taufik Abdullah Department of Computer Science Faculty of Computer Science and Information Technology University Putra of Malaysia Room No: 2.28 Portions of the material courtesy Nelson et. al., and EC-Council

Learning Objectives At the end of this chapter, you will be able to: Understand the expert witness Explain the role of expert witness Understand the technical witness Differentiate the technical witness with expert witness Understand the qualification of expert witness Testifying as an expert witness

Chapter 10 Outline 10. Becoming an Expert Witness 10.1. Introduction 10.2. Role of an expert witness 10.3. Preparing for testimony 10.4. Testifying in court 10.5. Voir Dire 10.6. Testifying in general 10.7. Testifying during direct examination 10.8. Testifying during direct examination 10.9. Deposition

10.1 Introduction

A cybercrime investigation and building of the case file is aimed toward one end result: obtaining a conviction of the cyber criminal in a court of law. No matter how good the evidence you obtain—log files showing unauthorized access to the network, hard disks seized from the suspect’s computer containing clear-cut indications of the criminal activity, network records tracking the intruder back through Internet servers to his or her computer—none of this evidence can stand alone. Under most judicial systems, physical and intangible evidence must be supported by testimony. Someone must testify as to when, where, and how the evidence was obtained and verify that it is the same when it is presented in court as it was when it was collected.

10.1.1 Who Is an Expert? According to Dan Poynter (An expert witness since 1974),  “If something can break, bend, crack, fold, spindle, mutilate, smolder, disintegrate, radiate, malfunction, embarrass, leach, be abused or used incorrectly, infect or explode, there is someone who can explain how and why it happened. This person is an EXPERT”

10.1.2 Who Is an Expert Witness? In a cybercrime case, police investigators and IT personnel may be required to take the witness stand.Two types of witnesses can be called to testify in criminal actions: Evidentiary witnesses Expert witnesses An expert witness is a person who  Investigates  Evaluates  Educates, and  Testifies in court An expert witness can be a Consulting expert or strategy advisor Court’s expert Testifying expert

10.1.3 Evidentiary Witness Versus Expert Witness? (Cont.) An evidentiary witness is someone who has direct knowledge of the case. For example, a network administrator might be called to testify as to what he or she observed during an attack on the network, or an investigator might be called to testify as to the evidence that he or she observed on a computer that was seized pursuant to a search warrant. An evidentiary witness can only testify as to facts (what he or she saw, heard, or did) but cannot give authoritative opinions or draw conclusions.

10.1.3 Evidentiary Witness Versus Expert Witness? (Cont.) An expert witness is different from an evidentiary witness in that he or she can give opinions and draw conclusions about facts in the case. The expert witness may have no direct involvement in the case but has special technical knowledge or expertise that qualifies him or her to give professional opinions on technical matters. Expert witnesses sometimes prepare reports that outline their opinions and give reasons for each opinion.

10.2 Role of an Expert Witness

Assist the court in understanding intricate evidence Express an opinion in court Attend the entire trial in court Aid lawyers to get to the truth and not obscure it Qualified to exhibit their expertise

10.2.1 Technical Testimony Versus Expert Testimony A Technical testimony is an individual who  Does the actual fieldwork  Submits only the results of his findings  Does not offer a view in court  An Expert testimony is an individual who  Has absolute field knowledge  Offers a view in court

10.2.2 Rules Pertaining to an Expert Witness’ Qualification According to federal rules, to be present as an expert witness in a court, following information must be furnished Four years of previous testimony (indicates experience) Ten years of any published literature Previous payment received when giving testimony

10.2.3 Rules Pertaining to an Expert Witness’ Qualification Curriculum Vitae shows the capability of an expert witness It is essential to regularly update your curriculum vitae The following things must be kept in mind while preparing a CV: Certifications/credentials/accomplishments Recent work as an expert witness or testimony log Expertise List of books written, if any Any training undergone Referrals and contacts

10.2.4 Technical Definitions Use lucid language and easily understandable words Some examples of technical definitions: Computer Forensics SHA-1, MD5, and CRC32 hash functions Image and bit-stream backup File slack and free space File time and date stamps Computer log files.

10.3 Preparing for Testimony

Testimony in court is provided by witnesses, which are people who have firsthand knowledge of a crime or incident, or whom offer evidence during a trial, tribunal, or hearing. When evidence is technical in nature and difficult for laypeople to understand, experts may be required to testify to explain the nature of the evidence and what it means to the case. Basic points to be kept in mind while preparing for testimony  Deeply go through the documentation  Establish early communication with the attorney  Ascertain the basic concepts of the case before beginning with the examining and processing of evidence  Substantiate the findings with the documentation, and by collaborating with other computer forensic professionals

10.3.1 Evidence Preparation and Documentation Every important aspect in the case must be documented during investigations Safeguard the integrity of all gathered evidence Catalog and index for easier understanding Use your professional experience and request peer reviews to support your findings

10.3.2 Evidence Processing Steps Examine, preserve and authenticate the documentation prepared Different checklists must be created for different evidence analysis Avoid personal comments or ideas in these notations Make simple and precise notes of the investigation Use SHA-1 for evidence validation MD5 or CRC32 can be used if SHA-1 is absent An MD5 or SHA-1 hash check before and after evidence examination would ensure the integrity of the evidence Use well-defined search parameters while searching for key results Helps in narrowing the search Avoids false hits While writing the report, list only the evidence findings that are relevant to the case

10.4 Testifying in Court

Familiarize with the usual procedures followed during a trial The attorney introduces the expert witness with high regards The opposing counsel may try to discredit the expert witness The attorney would lead the expert witness through the evidence Later it is followed by the cross examination with the opposing counsel

10.4.1 The Order of Trial Proceedings Motion in Limine  (motion in beginning) Written list of objections to particular testimonies Allows judge to examine whether certain evidence should be admitted in the absence of the jury Opening Statement Offers an outline of the case Plaintiff and defendant The attorney and the opposing counsel presents the case

10.4.1 The Order of Trial Proceedings (Cont.) Rebuttal session Cross examination by both plaintiff and defendant Jury orders Proposed by the counsel Approved and read by the judge to the jury Closing arguments Statements that organize the evidence and the law

10.5 Voir dire

French words meaning “to speak the truth” Process of qualifying a witness as an expert in their particular field. The opposing counsel may attempt to degrade or disqualify the expert witness. The opposing counsel may accept the expert witness without any formal qualification. The expert witness is well qualified or has been an expert witness on several occasions. The attorney will try to avoid this situation and impress the jury through the qualification process.

10.6 Testifying in General

10.6.1 General Ethics While Testifying Ethics to be followed while presenting as an expert witness to any court or an attorney: Be professional, polite and sincere in testimony Always pay tribute to the jury Be enthusiastic during testimony Keep the jury interested in speech Be aware and prepare for the possible rebuttal questions especially from the opposing counsel Avoid overextending opinions Develop repetitions into details and descriptions for the jury Augment your image with the jury by following a formal dress code

10.6.2 Evidence Presentation Identify evidence to defend opinion Associate the method used to arrive at the opinion Reaffirm your opinion Never exaggerate opinions Be prepared to defend your opinion Recall definitions Gather information about the opposing attorney and expert

10.6.3 Importance of Graphics in a Testimony Make graphical demonstrations such as charts To illustrate and elucidate your findings. Make sure the graphics are seen by the jury Face the jury while exhibiting these graphics Make it a habit of using charts and tables for courtroom testimony Use clear and easily understandable graphical demonstrations

10.6.4 Helping Your Attorney Prepare a list of questions that are vital. Enables the attorney to get the expert’s testimony into the trial Provides a practice in the testimony for the direct examination Also helps the attorney review and improve on how he or she wants to try the case Develop a script and work with the attorney to get the perfect language. Communicates the message to the jury.

10.6.5 Avoiding Testimony Problems Offer clear opinions Outline your boundaries of knowledge and ethics Create a case outline and summary for your attorney Enables reviewing of your case plan Offers a clear overview of your level of knowledge used in the case  Make the best effort to coordinate testimony with other experts, who are retained by your attorney for the same case Meet with the paralegal to communicate necessary information to your attorney Paralegal is a person with special training in either a specific or general area of law

10.7 Testifying During Direct Examination

Direct examination is an important part of a testimony during a trial It offers a clear overview of all the findings Create an easy to follow and systematic plan for describing evidence collection methods Be lucid while describing complicated concepts Determine the speech to the education level of the jury

10.8 Testifying During Cross Examination

The opposing counsel has the opportunity to ask questions about the expert witness’ testimony and evidence. This phase of the trial is cross-examination Do not offer guesses when asked something irrelevant to the case Use own words and phrases when answering the opposing counsel Speak slowly as the best offense to problematic questions is to be patient with answers Turn towards the jury slowly while giving your response Allows you to maintain control over the opposing counsel.

10.9 Deposition

Deposition differs from a trial as Both attorneys are present No jury or judge Opposing counsel asks questions Purpose of a Deposition Enables opposing counsel to preview your testimony at trial Your attorney fixes a location for the deposition.

10.9.1 Guidelines to Testify at a Deposition Convey a calm, relaxed, confident and professional appearance during a deposition Do not get influenced by the opposing counsel’s tone or expression or tactics Use the opposing counsel’s name while responding him/her and reply confidently Have continuous eye contact with the opposing counsel Keep your hands on the table and hold out your elbows which makes you appear more open and friendly

10.9.2 Dealing With Reporters Avoid contact with media during a case Do not give opinions about the trial to media but simply refer the attorney Avoid conversing with the media because It is unpredictable what the journalist might publish. The comments might harm the case Creates a record for future testimony, which can be used against you Record your interviews, if any, with the media

Summary An expert witness can express his opinion and attend the entire trial in court Convey a calm, relaxed, confident and professional appearance during a testimony Follow certain ethics while giving your testimony Project your voice and make your speech interesting for the jury and audience to listen Use graphics to make your testimony more appealing Avoid expressing an opinion to the media

End of Chapter 10