cos413day24

COS/PSA 413
Day 24
Agenda
• Student evaluations
• Lab 12 Graded
– 1 A, 7 B’s, 1 F and 1 non-submit
• Assignment 4 Due
– Must return the evidence disc
• Assignment 5 posted
– Due December 16
• Lab 13 tomorrow in OMS
– Either 14-2 or 14-3, same project on different images; I will tell you which one
of the images to use tomorrow
– Due December 14
– You will be working in teams for this assignment and I expect that there will be
equal participation. In your report indicate which team member performed each
task. 10% penalty in the grade if this isn’t a team effort.
• Today we will be discussing becoming an Expert Witness
Game Plan for last 3 weeks
• Dec 6
– Becoming an Expert Witness
– Assignment 4 Due
• Dec 7
– Lab 13 OMS
• Dec 9
– Becoming an expert witness (continued)
• Dec 13
– Final Comprehensive Lab 14
• Dec 14
– Lab 14 continued
– Lab 13 due
• Dec 16
– Assignment 5 Due
– Exam 4
• Dec 22
– 1-3 PM
– Capstones due
– Capstone presentations
Learning Objectives
• Compare Technical and Scientific Testimony
• Prepare for Testimony
• Documenting and preparing evidence
• Testify in Court
• Testify during Cross-Examination
• Prepare for a Deposition
• Form an Expert Opinion
Comparing Technical and Scientific Testimony
Technical Witness – A person who has performed
the actual field work, but does not offer an opinion
in court, only the results of their findings.
Expert Witness – A person who has knowledge in a
field and can offer an opinion in addition to the
facts being presented.
Preparing for Testimony
• Technical or scientific witness
– Provides facts found in investigation
– Do not offer conclusions
– Prepare testimony
• Expert witness
– Has opinions based on observations
– Opinions make the witness an expert
– Works for the attorney
Preparing for Testimony
Deposition Banks – Libraries kept by various law
firms of depositions given in the past.
Curriculum Vitae (CV) – An extensive resume of
your professional history that includes not only
where you have worked, but what cases you have
worked on, what testimony you have given, what
training you have received and from whom, along
with details of your other skills.
Creating and Maintaining Your CV
• Purpose of a CV
– Tells your professional life
– Qualify your testimony
• Show you continuously enhance your skills
• Detail specific accomplishments
• List basic and advanced skills
• Include a testimony log
– Do not include books you have read
Preparing For Testimony
When presenting yourself to a federal court as an
expert witness, federal rules require that you
provide the following information:
- Four years of previous testimony you may have
provided, which indicates that you have experience
at trial.
- Ten years of any published writings.
- Previous compensation you may have received
when giving testimony.
Preparing for Testimony (continued)
• Confirm your findings with documentation
– Corroborate them with other peers
• Detect conflict of interest
• Avoid “conflicting out” practice
– Prevents another attorney from using you
Preparing Technical Definitions
• Definitions of technical material
• Use your own words and language
• Some terms
– Computer forensics
– Hash algorithms
– Image and bit-stream backups
– File slack and unallocated space
– File data and time stamps
– Computer log files
Documenting and Preparing Evidence
• Document your steps
– To prove them repeatable
• Preserve evidence and document it
• Do not use formal checklist
– Do not include checklist in final report
– Opposing attorneys can challenge them
• Collect evidence and document employed tools
• Maintain chain of custody
Documenting and Preparing Evidence
(continued)
• Check opposing experts
– Internet
– Deposition banks
– Curriculum vitae, strengths, and weaknesses
• Collect the right amount of information
– Collect only what was asked for
Processing Evidence
• Monitor, preserve, and validate your work
• Keep only successful output
– Do not keep previous runs
• Validate your evidence using hash algorithms
• Search for keywords using well-defined
parameters
• Keep your notes simple
– List only relevant evidence on your report
Testifying in Court
Consider the following questions when preparing
your testimony:
• What is my story of the case?
• What can I say with confidence?
• What is the client’s (attorney) overall theory of
the case?
• How does my opinion support the case?
• What is the scope of the case? Have I gone
too far?
• Have I identified the client’s desires?
Testifying in Court
Questions you should prepare for:
• How is data (or evidence) stored on a hard disk
drive?
• What is an image or a bit-stream copy of a disk
drive?
• How is deleted data recovered from a disk drive?
• What are Windows temporary files and how do
they relate to data or evidence?
• What are system or network log files?
Testifying in Court
Testifying During Direct Examination
• Independent Recollection – Things that you know
about this case and others without being prompted.
• Customary practice – Things that are traditionally
done in similar cases.
• Documentation of the Case – The actual written
records that you have maintained.
Testifying in Court
• Procedures during a trial
– Your attorney presents you as a competent
expert
– Opposing attorney might attempt to discredit
you
– Your attorney leads you through the evidence
– Opposing attorney cross-examines you
Understanding the Trial Process
• Typical order of trial
– Motion in limine
– Empanelling of the jury
– Opening statements
– Plaintiff
– Defendant
– Rebuttal
– Closing arguments
– Jury instructions
Qualifying Your Testimony
and Voir Dire
• Demonstrates you are an expert witness
– This qualification is called voir dire
• Court-appointed expert witnesses
– Neutral in their initial positions
• Brief your attorney on your findings about a
court’s expert
• Opposing attorney might try to disqualify you
– Depends on your CV and experience
Testifying in General
• Be conscious of the jury, judge, and
attorneys
• If asked something you cannot answer
– “That is beyond the scope of my expertise”
– “I was not requested to investigate that”
• Be professional and polite
• Be aware of leading questions
• Avoid overreaching opinions
Testifying in General (continued)
• Build repetition into your explanations
• Place microphone 6 to 8 inches from you
• Use chronological order to describe events
• Movement
– Turn towards the questioner when asked
– Turn back to the jury when answering
• Cite source of the evidence you used to
construct an opinion
Presenting Your Evidence
• Steps:
– State your opinions
– Identify evidence to support your opinions
– Relate the method used to arrive at that opinion
– Restate your opinion
– Never carry on with a lengthy build-up
• Consider your audience
• Do not talk with anybody during court
recess
Avoiding Testimony Problems
• Be an impartial expert witness
• Be clear about your opinion and knowledge
boundaries
– Do not lie about your expertise
• Always build a business case
• Build a case outline and summary for the
attorney
• Coordinate your testimony with your
attorney
Testifying During Direct Examination
• Techniques:
– State your background and qualifications
– Provide a clear overview of your findings
– Use a systematic, easy-to-follow plan for
describing your methods
– Balance language
– Practice testifying
– Be fair
– Avoid vagueness
Testifying during Cross-Examination
The following are other questions opposing
attorneys often ask:
• What is your standing in the profession of
computer forensics?
• What are the tools used and what are their known
problems or weak features?
• Are the tools you used reliable? Are they
consistent? Do they produce the same results?
Testifying during Cross-Examination
The following are other questions opposing
attorneys often ask:
(continued)
• Are the tools safe to use on the original evidence?
• Have you been called upon as a consultant on
how to use the tools by other professionals?
• Do you keep up with the latest technologies
applied to computer forensics (journals, papers read
or published)?
Testifying during Cross-Examination
In many instances, the opposing counsel gives you
rapid-fire questions meant to throw you off. For
example, they may ask the following questions:
• Does the vendor certify your tools?
• Are there other tools available that do the same
thing?
• How do these tools compare to each other?
Testifying during Cross-Examination
At all costs, you want to avoid losing control, which
you can do in any of the following ways:
• Being argumentative when being badgered by the
opposing attorney; being nervous about testifying.
• Having an unresponsive attorney not objecting to
the opposing attorney’s questions.
• Having poor listening skills and negative body
language.
• Being too talkative when answering questions.
Testifying during Cross-Examination
Continued...
• Being too technical for the jury.
• Acting surprised and unprepared when presented
with unknown or new information.
• Making a mistake and not correcting it
immediately and getting back on track.
Testifying During Cross-examination
• Recommendations and practices:
– Never guess when you do not have an answer
– Use your own words
– Be prepared for challenging pre-constructed
questions
• Did you use more than one tool?
– Some questions can cause conflicting answers
– Rapid-fire questions
– Keep eye contact with the jury
Testifying During Cross-examination
(continued)
• Recommendations and practices
(continued):
– Nested questions
– Attorneys make speeches and phrase them as
questions
– Attorneys might put words in your mouth
– Be patient
– Keep a vigorous demeanor and use energetic
speech
– Avoid feeling stressed and losing control
Preparing for a Deposition
• There is no jury or judge
• Opposing attorney previews your testimony at
trial
• Discovery deposition
– Part of the discovery process for a trial
• Testimony preservation deposition
– Requested by your client
– Preserve your testimony in case of schedule
conflicts or health problems
Preparing for a Deposition
Guidelines for Testifying at a Deposition
• Be professional and polite.
• Use facts when describing your opinion.
• Understand that being deposed in a discovery
deposition is an unnatural process; it is intended to
get you to make mistakes.
Guidelines for Testifying at a Deposition
• Some recommendations:
– Stay calm, relaxed, and confident
– Use name of attorneys when answering
– Keep eye contact with attorneys
– Try to keep your hands on top of the table
– Be professional and polite
– Use facts when describing your opinion
– Ask opposing attorney questions
Recognizing Deposition Problems
• Discuss any problem before the deposition
– Identify any negative aspect
• Be prepared to defend yourself
• Avoid:
– Omitting information
– Having the attorney box you into a corner
– Contradictions
• Be professional and polite when giving
opinions about opposing experts
Preparing for a Deposition
You should avoid talking to the news media for the
following reasons:
• Your comments could harm the case.
• It creates a record for future testimony that can be
used against you.
• Your lack of media training could easily expose
you to embarrassing situations.
• You have no control over the context of the
information the journalist will publish.
Public Release: Dealing with Reporters
• Avoid contact with press
– Especially during a case
• Refer press to your attorney
• Consult with your attorney on how to deal
with a journalist
• Plan to record any interview
– Important if you are misquoted or quoted out of
context
Preparing for a Deposition
(continued)
• You cannot rely on a journalist’s promises of
confidentiality. Their interests do not coincide with
yours or your client’s. Be on guard at all times; your
comments may be interpreted in a manner that
taints your impartiality in a case and future cases.
Questions from journalists can become too big of a
distraction from your work on the case. Even after
the case is resolved, avoid discussing the details
with the press.
Chapter Summary
- When cases go to trial you as a forensics expert
play one of two roles; you are either called as a
technical witness or as an expert witness. As a
technical or scientific witness, you are only
providing the facts as you have found them in
your investigation. However, as an expert, you
have opinions about what you observe. In fact, it
is your opinion that makes you an expert.
Chapter Summary
- If you are called as a technical witness in a
computer forensics case, you need to
thoroughly prepare for your testimony. Establish
communication early on with your attorney.
When preparing to testify for any litigation,
substantiate your findings with your own
documentation and by collaborating with other
computer forensics professionals.
Chapter Summary
- As you process evidence, be sure to always
monitor, preserve, and validate your work. Doing
so helps to ensure that it can be presented in
court. Then submit to your attorney all evidence
you collected and analyzed. When writing your
report, only list evidence findings that are
relevant to the case.
Chapter Summary
- When you are called to testify in court, your
attorney demonstrates to the court that you are
competent as an expert or technical witness.
Your attorney then leads you through the
evidence followed by the opposing counsel
cross-examining you. After your attorney has
established your credentials and you have
presented your evidence, the opposing attorney
has an opportunity to ask questions about your
testimony and evidence, a process called cross-examination.
Chapter Summary
- Know whether you are being called as a
scientific or technical witness or an expert witness (or
both), and whether you are being retained as a
consulting expert or as an expert witness. Also
be familiar with the contents of your curriculum
vitae (CV).
- A deposition differs from a trial because there is
no jury or judge. Both attorneys are present and
the opposing counsel asks you questions. There
are two types of deposition: discovery and
testimony preservation.