Guide to Computer Forensics and Investigations, Second Edition Chapter 14 Becoming an Expert Witness and Reporting Results of Investigations.


1 Guide to Computer Forensics and Investigations, Second Edition Chapter 14 Becoming an Expert Witness and Reporting Results of Investigations

2 Objectives
- Understand the importance of reports
- Understand guidelines for writing reports
- Generate report findings with forensic software tools

3 Objectives (continued)
- Prepare for testimony
- Prepare for testifying in court
- Prepare for depositions

4 Understanding the Importance of Reports
- Communicate the results of your investigation
  – Including expert opinion
- Courts require expert witnesses to submit written reports
- Keep a copy of your reports
- Deposition banks
  – Examples of expert witnesses’ previous testimonies

5 Limiting the Report to Specifics
- Submit reports electronically
  – PDF format
- Do not file a report directly
- All reports to client should start with the job mission or goal
  – Find information on a specific subject
  – Recover certain significant documents
  – Recover certain types of files

6 Types of Reports
- Identify your audience
  – Education paragraphs
- Examination plan
  – What questions to expect when testifying
  – Prepared by the attorney
  – Multiple sources for questions
  – Do not include things you do not want the jury to see

7 Types of Reports (continued)

8 Types of Reports (continued)
- Verbal report
  – Less structured
  – Attorneys cannot be forced to release verbal reports
  – Preliminary report
    - Tests that have not been concluded
    - Interrogatories
    - Document production
    - Depositions

9 Types of Reports (continued)
- Written report
  – Affidavit or declaration
  – Limit what you write and pay attention to details
  – Use natural language style
    - Describe yourself in the first person
    - Word usage
  – High-risk documents
  – Spoliation
  – Include same information as in verbal reports

10 Guidelines for Writing Reports
- Hypothetical questions based on factual evidence
  – Less favored today
  – Guide and support your opinion
  – Can be abused and complex
- Opinions based on knowledge and experience
- Exclude from hypothetical questions
  – Facts that can change, cannot be used, or are not relevant to your opinion

11 Report Structure
- Abstract
- Summary
- Table of contents
- Body of report
- Conclusion

12 Report Structure (continued)
- Reference
- Glossary
- Acknowledgments
- Appendixes

13 Writing Reports Clearly
- Consider:
  – Communicative quality
  – Ideas and organization
  – Grammar and vocabulary
  – Punctuation and spelling
- Lay out ideas in logical order
- Build arguments piece by piece
- Group related ideas and sentences into paragraphs

14 Writing Reports Clearly (continued)
- Group paragraphs into sections
- Avoid jargon, slang, and colloquial terms
- Define technical terms
  – Consider your audience
- Writing style
  – Avoid repetition and vague language
  – Be precise and specific
  – Avoid presenting too many details and personal observations

15 Designing the Layout and Presentation of Reports
- Decimal numbering structure
  – Divides material into sections
  – Readers can scan headings
  – Readers see how parts relate to each other
- Legal-sequential numbering
  – Used in pleadings
  – Roman numerals represent major aspects
  – Arabic numbers are supporting information

16 Designing the Layout and Presentation of Reports (continued)
- Include signposts
  – Draw reader’s attention to a point
- Provide supporting material
  – Figures, tables, data, and equations
- Use consistent formatting
- Explain methods
  – How you studied the problem
- Include data collection

17 Designing the Layout and Presentation of Reports (continued)
- Include calculations
- Provide for uncertainty and error analysis
  – Protect your credibility
- Explain results and conclusion
- Provide references
  – Cite references by author and year
  – Harvard system
- Include appendices

18 Generating Report Findings with Forensic Software Tools
- Forensics tools generate reports when performing analysis
- Report formats
  – Plaintext
  – Word processor
  – HTML format

19 Using FTK Demo Version
- Create a new case
- Add evidence to the case
- Analyze evidence with FTK
  – Look for image files
  – Locate encrypted files
  – Search for specific keywords
    - Indexed search
    - Live search

20 Using FTK Demo Version (continued)

21 Using FTK Demo Version (continued)

22 Using FTK Demo Version (continued)
- Create bookmarks
- Generate a report from your bookmarks
- Review your findings
  – Locate specific keywords
- Analyze additional material
  – Spreadsheets, documents
- Write a narrative report
  – Use any text editor

23 Using FTK Demo Version (continued)

24 Using FTK Demo Version (continued)

25 Using FTK Demo Version (continued)

26 Using FTK Demo Version (continued)
- Use FTK Report Wizard to integrate:
  – Evidence
  – Report from bookmarks
  – Narrative report
- FTK Report Wizard produces a final HTML report

27 Preparing for Testimony
- Technical or scientific witness
  – Provides facts found in investigation
  – Do not offer conclusions
  – Prepare testimony
- Expert witness
  – Has opinions based on observations
  – Opinions make the witness an expert
  – Works for the attorney

28 Preparing for Testimony (continued)
- Confirm your findings with documentation
  – Corroborate them with other peers
- Detect conflict of interest
- Avoid conflicting out practice
  – Prevents another attorney from using you

29 Documenting and Preparing Evidence
- Document your steps
  – To prove them repeatable
- Preserve evidence and document it
- Do not use formal checklist
  – Do not include checklist in final report
  – Opposing attorneys can challenge them
- Collect evidence and document employed tools
- Maintain chain of custody

30 Documenting and Preparing Evidence (continued)
- Check opposing experts
  – Internet
  – Deposition banks
  – Curriculum vitae, strengths, and weaknesses
- Collect the right amount of information
  – Collect only what was asked for

31 Processing Evidence
- Monitor, preserve, and validate your work
- Keep only successful output
  – Do not keep previous runs
- Validate your evidence using hash algorithms
- Search for keywords using well-defined parameters
- Keep your notes simple
  – List only relevant evidence on your report

32 Serving as a Consulting Expert or an Expert Witness
- Do not record conversations or telephone calls
- Federal information requirements
  – 4 years of experience
  – 10 years of any published writings
  – Previous compensations
- Learn about all other people involved and basic points in dispute
- Define analysis procedures
- Find out if you are the first expert asked

33 Creating and Maintaining Your CV
- Purpose of a CV
  – Tells your professional life
  – Qualify your testimony
- Show you continuously enhance your skills
- Detail specific accomplishments
- List basic and advanced skills
- Include a testimony log
  – Do not include books you have read

34 Preparing Technical Definitions
- Definitions of technical material
- Use your own words and language
- Some terms
  – Computer forensics
  – Hash algorithms
  – Image and bit-stream backups
  – File slack and unallocated space
  – File data and time stamps
  – Computer log files

35 Testifying in Court
- Procedures during a trial
  – Your attorney presents you as a competent expert
  – Opposing attorney might attempt to discredit you
  – Your attorney leads you through the evidence
  – Opposing attorney cross-examines you

36 Understanding the Trial Process
- Typical order of trial
  – Motion in limine
  – Empanelling of the jury
  – Opening statements
  – Plaintiff
  – Defendant
  – Rebuttal
  – Closing arguments
  – Jury instructions

37 Qualifying Your Testimony and Voir Dire
- Demonstrates you are an expert witness
  – This qualification is called voir dire
- Court-appointed expert witnesses
  – Neutral in their initial positions
- Brief your attorney on your findings about a court’s expert
- Opposing attorney might try to disqualify you
  – Depends on your CV and experience

38 Testifying in General
- Be conscious of the jury, judge, and attorneys
- If asked something you cannot answer
  – That is beyond the scope of my expertise
  – I was not requested to investigate that
- Be professional and polite
- Be aware of leading questions
- Avoid overreaching opinions

39 Testifying in General (continued)
- Build repetition into your explanations
- Place microphone 6 to 8 inches from you
- Use chronological order to describe events
- Movement
  – Turn towards the questioner when asked
  – Turn back to the jury when answering
- Cite source of the evidence you used to construct an opinion

40 Presenting Your Evidence
- Steps:
  – State your opinions
  – Identify evidence to support your opinions
  – Relate the method used to arrive at that opinion
  – Restate your opinion
  – Never carry on with a lengthy build-up
- Consider your audience
- Do not talk with anybody during court recess

41 Avoiding Testimony Problems
- Be an impartial expert witness
- Be clear about your opinion and knowledge boundaries
  – Do not lie about your expertise
- Always build a business case
- Build a case outline and summary for the attorney
- Coordinate your testimony with your attorney

42 Testifying During Direct Examination
- Techniques:
  – State your background and qualifications
  – Provide a clear overview of your findings
  – Use a systematic, easy-to-follow plan for describing your methods
  – Balance language
  – Practice testifying
  – Be fair
  – Avoid vagueness

43 Testifying During Cross-examination
- Recommendations and practices:
  – Never guess when you do not have an answer
  – Use your own words
  – Be prepared for challenging pre-constructed questions
    - Did you use more than one tool?
  – Some questions can cause conflicting answers
  – Rapid-fire questions
  – Keep eye contact with the jury

44 Testifying During Cross-examination (continued)
- Recommendations and practices (continued):
  – Nested questions
  – Attorneys make speeches and phrase them as questions
  – Attorneys might put words in your mouth
  – Be patient
  – Keep a vigorous demeanor and use energetic speech
  – Avoid feeling stressed and losing control

45 Preparing for a Deposition
- There is no jury or judge
- Opposing attorney previews your testimony at trial
- Discovery deposition
  – Part of the discovery process for a trial
- Testimony preservation deposition
  – Requested by your client
  – Preserve your testimony in case of schedule conflicts or health problems

46 Guidelines for Testifying at a Deposition
- Some recommendations:
  – Stay calm, relaxed, and confident
  – Use name of attorneys when answering
  – Keep eye contact with attorneys
  – Try to keep your hands on top of the table
  – Be professional and polite
  – Use facts when describing your opinion
  – Ask opposing attorney questions

47 Recognizing Deposition Problems
- Discuss any problem before the deposition
  – Identify any negative aspect
- Be prepared to defend yourself
- Avoid:
  – Omitting information
  – Having the attorney box you into a corner
  – Contradictions
- Be professional and polite when giving opinions about opposing experts

48 Public Release: Dealing with Reporters
- Avoid contact with press
  – Especially during a case
- Refer press to your attorney
- Consult with your attorney on how to deal with a journalist
- Plan to record any interview
  – Important if you are misquoted or quoted out of context

49 Summary
- Technical witness or expert witness
- Prepare your testimony
  – Coordinate with your attorney
- Always monitor, preserve, and validate your work when processing evidence
- Qualification (voir dire) phase
- There is no jury or judge in a deposition

50 Summary (continued)
- Know if you should act as a consultant expert or an expert witness
- Your reports should ask questions you were hired to answer
- Use a well-defined report structure
- Clarity of writing is critical to a report
- Project objectivity

