Guide to Computer Forensics and Investigations Fourth EditionObjectivesPreparing for TestimonyPreparing for Testimony (continued)Slide 5Documenting and Preparing EvidenceDocumenting and Preparing Evidence (continued)Slide 8Reviewing Your Role as a Consulting Expert or an Expert WitnessCreating and Maintaining Your CVPreparing Technical DefinitionsPreparing Technical Definitions (continued)Preparing to Deal with the News MediaTestifying in CourtUnderstanding the Trial ProcessProviding Qualifications for Your TestimonyGeneral Guidelines on TestifyingGeneral Guidelines on Testifying (continued)Slide 19Slide 20Slide 21Slide 22Slide 23Slide 24Testifying During Direct ExaminationTestifying During Direct Examination (continued)Testifying During Cross-examinationTestifying During Cross-examination (continued)Slide 29Preparing for a DepositionGuidelines for Testifying at DepositionsGuidelines for Testifying at Depositions (continued)Slide 33Slide 34Guidelines for Testifying at HearingsPreparing Forensics Evidence for TestimonyPreparing Forensics Evidence for Testimony (continued)Slide 38Preparing Explanations of Your Evidence-Collection MethodsSummarySummary (continued)Slide 42Guide to Computer Forensics and InvestigationsFourth EditionChapter 15Expert Testimony in High-Tech InvestigationsGuide to Computer Forensics and Investigations 2Objectives•Explain guidelines for giving testimony as a technical/scientific or expert witness•Describe guidelines for testifying in court•Explain guidelines for testifying in depositions and hearings•Describe procedures for preparing forensics evidence for testimonyGuide to Computer Forensics and Investigations 3Preparing for Testimony•Technical or scientific witness–Provides facts found in investigation–Does not offer conclusions–Prepares testimony•Expert witness–Has opinions based on observations–Opinions make the witness an expert–Works for the attorneyGuide to Computer Forensics and Investigations 4Preparing for Testimony (continued)•Confirm your findings with documentation–Corroborate them with other peers•Check opposing experts–Internet–Deposition banks–Curriculum vitae, strengths, and weaknessesGuide to Computer Forensics and Investigations 5Preparing for Testimony (continued)•When preparing your testimony consider the following questions:–What is my story of the case?–What can I say with confidence?–What is the client’s overall theory of the case?–How does my opinion support the case?–What is the scope of the case? Have I gone too far?–Have I identified the client’s needs for how my testimony fits into the overall theory of the case?Guide to Computer Forensics and Investigations 6Documenting and Preparing Evidence•Document your steps–To prove them repeatable•Preserve evidence and document it•Do not use formal checklist–Do not include checklist in final report–Opposing attorneys can challenge them•Collect evidence and document employed tools•Maintain chain of custodyGuide to Computer Forensics and Investigations 7Documenting and Preparing Evidence (continued)•Collect the right amount of information–Collect only what was asked for•Note the date and time of your forensic workstation when starting your analysis•Keep only successful output–Do not keep previous runs•Search for keywords using well-defined parametersGuide to Computer Forensics and Investigations 8Documenting and Preparing Evidence (continued)•Keep your notes simple•List only relevant evidence on your report•Define any procedures you use to conduct your analysis as scientific–And conforming to your profession’s standards•Monitor, preserve, and validate your work•Validate your evidence using hash algorithmsGuide to Computer Forensics and Investigations 9Reviewing Your Role as a Consulting Expert or an Expert Witness•Do not record conversations or telephone calls•Federal information requirements–Four years of experience–Ten years of any published writings–Previous compensations•Learn about all other people involved and basic points in dispute•Brief your attorney on your findings and opinion of the court’s expert•Find out if you are the first expert askedGuide to Computer Forensics and Investigations 10Creating and Maintaining Your CV•Curriculum vitae (CV)–Lists your professional experience–Qualify your testimony•Show you continuously enhance your skills•Detail specific accomplishments•List basic and advanced skills•Include a testimony log–Do not include books you have readGuide to Computer Forensics and Investigations 11Preparing Technical Definitions•Prepare definitions of technical concepts•Use your own words and language•Some terms–Computer forensics–Hash algorithms–Image and bit-stream backups–File slack and unallocated space–File timestamps–Computer log filesGuide to Computer Forensics and Investigations 12Preparing Technical Definitions (continued)•Some terms (continued)–Folder or directory–Hardware–Software–Operating systemGuide to Computer Forensics and Investigations 13Preparing to Deal with the News Media•Some legal actions generate interest from the news media•Reasons to avoid contact with news media–Your comments could harm the case and create a record that can be used against you–You have no control over the context of the information a journalist publishes–You can’t rely on a journalist’s promises of confidentialityGuide to Computer Forensics and Investigations 14Testifying in Court•Procedures during a trial–Your attorney presents you as a competent expert–Opposing attorney might attempt to discredit you–Your attorney leads you through the evidence–Opposing attorney cross-examines youGuide to Computer Forensics and Investigations 15Understanding the Trial Process•Typical order of trial–Motion in limine–Empaneling the jury–Opening statements–Plaintiff–Defendant–Rebuttal–Closing arguments–Jury instructionsGuide to Computer Forensics and Investigations 16Providing Qualifications for Your Testimony•Demonstrates you are an expert witness–This qualification is called voir dire•Attorney asks the court to accept you as an expert on computer forensics•Opposing attorney might try to disqualify you–Depends on your CV and experienceGuide to Computer Forensics and Investigations 17General Guidelines on Testifying•Be conscious of the jury, judge, and attorneys•If asked something