Chapter 15: Expert Testimony in Digital Investigations

15.1: Preparing for Testimony

  • When cases go to trial or a hearing involving testimony, you as a forensics examiner can play one of two roles:

    • Fact Witness

      • You provide only the facts you have found in your investigation—any evidence that meets the relevance standard and is more probative than prejudicial.

      • When you give technical or scientific testimony, you present this evidence and explain what it is and how it was obtained.

      • You don’t offer conclusions, only the facts and ordinary inferences based on that evidence.

    • Expert Witness

      • You have opinions about what you have found or observed.

      • You form these opinions from experience and deductive reasoning based on facts found during an investigation.

      • In fact, it’s your opinion that makes you an expert witness.

  • As part of your preparation, you might want to review your own documentation and confirm your findings by corroborating them with other digital forensics professionals.

  • Learn to take advantage of your professional network and request peer reviews to help support your findings.

  • You might also want to use the Internet to research opposing experts and try to find their strengths and weaknesses in previous testimony.

  • Review their curriculum vitae, if possible, and see how they present themselves. To do otherwise is to go into battle without trying to know your opponent.

  • Review the following questions when preparing your testimony:

    • What’s the client’s overall theory of the case?

    • What’s my story of the case (the central facts relevant to my testimony)?

    • What can I say with confidence?

    • How does my opinion fit into the theory of the case?

    • What’s the scope of the case? Have I gone too far?

    • Have I identified the client’s needs for how my testimony fits into the overall theory of the case?

Documenting and Preparing Evidence

  • If you need a checklist to analyze evidence, create it only for a specific case.

    • Don’t create a formal checklist of your procedures that’s applied to all your cases or include such a checklist in your report.

  • As a standard practice, collect evidence and record the tools you used in designated file folders or evidence containers.

    • This method helps organize your evidence and tools. Follow a system to record where items are kept for each case and how documentation is stored.

  • Remember that the chain of custody of evidence supports the integrity of your evidence; do whatever you can to prevent contamination of the evidence.

    • You should also document any lapse or gap in evidence preservation or custody.

  • When collecting evidence, be careful not to get too little or too much information.

    • For litigation, you’re responsible for collecting only what’s asked for, no more.

  • Make sure you note the date and time of your forensic workstation when starting your analysis.

  • Keep only successful output when running analysis tools; don’t keep previous runs, such as those missing necessary switch or output settings.

  • When searching for keyword results, rerun searches with well-defined keywords and search parameters.

    • You might even want to state how they relate to the case, such as being business or personal names.

  • When taking notes of your findings, keep them simple and specific to the investigation.

    • You should avoid any personal comments so that you don’t have to explain them to opposing counsel.

  • When writing your report, list only the evidence that’s relevant to the case; do not include unrelated findings.

  • Define any procedures you use to conduct your analysis as scientific and conforming to your profession’s standards.
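One way to record the workstation date and time at the start of analysis, the tools used, an integrity check of the evidence file, and any gap in custody. This is an added example, not part of the original notes; the field names, the tool list passed in, and the sample custody log are constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone

def hash_evidence(path, chunk_size=1 << 20):
    """Compute MD5 and SHA-1 of an evidence file in one streaming pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def start_analysis_record(case_id, evidence_path, acquisition_sha1, tools):
    """Build the note written when analysis starts (hypothetical field names)."""
    now = datetime.now(timezone.utc)  # workstation clock, recorded explicitly
    hashes = hash_evidence(evidence_path)
    return {
        "case_id": case_id,
        "workstation_time_utc": now.isoformat(timespec="seconds"),
        "workstation_time_local": now.astimezone().isoformat(timespec="seconds"),
        "evidence": evidence_path,
        "hashes": hashes,
        # False means the working copy differs from what was acquired.
        "matches_acquisition": hashes["sha1"] == acquisition_sha1.lower(),
        "tools": list(tools),
    }

def custody_gaps(entries):
    """Return hand-offs where the item was released before the next receipt,
    or where a release was never recorded: lapses that must be documented."""
    ordered = sorted(entries, key=lambda e: e["received"])
    gaps = []
    for prev, nxt in zip(ordered, ordered[1:]):
        if prev["released"] is None or prev["released"] < nxt["received"]:
            gaps.append((prev["custodian"], nxt["custodian"],
                         prev["released"], nxt["received"]))
    return gaps

# Constructed sample custody log (not from a real case).
CUSTODY_LOG = [
    {"custodian": "Officer A", "received": datetime(2024, 3, 1, 9, 0),
     "released": datetime(2024, 3, 1, 17, 0)},
    {"custodian": "Evidence room", "received": datetime(2024, 3, 1, 17, 0),
     "released": datetime(2024, 3, 4, 8, 30)},
    {"custodian": "Examiner B", "received": datetime(2024, 3, 4, 10, 15),
     "released": None},  # still held by the examiner
]

if __name__ == "__main__":
    print(custody_gaps(CUSTODY_LOG))
```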

Reviewing Your Role as a Consulting Expert or an Expert Witness

  • Consulting Expert: An expert who has been retained or consulted by a party in anticipation of litigation or trial but who will not testify at trial. A testifying expert, on the other hand, may be used at trial to present evidence.

  • If your role changes from consulting expert to expert witness later, however, your previous work as a consulting expert is subject to discovery by opposing counsel.

Creating and Maintaining Your CV

  • Your curriculum vitae (CV) lists your education, training, and professional experience and is used to qualify your testimony.

  • For forensics examiners, keeping this document updated and complete is crucial to supporting your role as an expert and showing that you’re constantly enhancing your skills through training, teaching, and experience.

  • Your CV should describe tasks you’ve performed that define specific accomplishments and your basic and advanced skills.

  • Be sure to include coursework sponsored by government agencies or organizations that train government agency personnel and courses sponsored or approved by professional associations, such as bar associations.

  • Make sure your CV reflects your professional background.

  • If your CV is more than three months old, you probably need to update it to reflect new cases and additional training.

Preparing Technical Definitions

  • The following are examples of definitions to prepare ahead of time for your testimony:

    • Digital forensics or computer forensics

    • CRC-32, MD5, and SHA-1 hashing algorithms

    • Image files and bit-stream copies

    • File slack and unallocated (free) space

    • File timestamps

    • Computer log files

    • Folder or directory

    • Hardware

    • Software

    • Operating system

Preparing to Deal with the News Media

  • Some legal actions generate interest from the news media, but you should avoid contact with news media, especially during a case, for the following reasons:

    • Your comments could harm the case and create a record that can be used against you.

    • You have no control over the context of the information a journalist publishes.

    • You can’t rely on a journalist’s promises of confidentiality.

    • Journalists have been known to be aggressive in getting information, and their interests do not coincide with yours or your client’s.

    • Be on guard at all times because your comments could be interpreted in a manner that taints your impartiality in this case and future cases.

    • Even after the case is resolved, avoid discussing details with the press.


15.2: Testifying in Court

Understanding the Trial Process

  • Motion in limine: A pretrial motion to exclude or limit the use of certain evidence because its potential to prejudice the jury would exceed its probative value.

  • Impaneling the jury: This process includes voir dire of venireman (questioning potential jurors to see whether they’re qualified), strikes (rejecting potential jurors), and seating of jurors.

  • Opening statements: Both attorneys provide an overview of the case, with the plaintiff’s attorney going first.

  • Plaintiff: The plaintiff’s attorney presents the case.

  • Defense: The defense’s attorney presents the case.

  • Rebuttal: Rebuttal from both the plaintiff’s and defense’s attorneys is an optional phase of the trial.

  • Closing arguments: Statements that organize the evidence and state the applicable law. The plaintiff’s attorney goes first and gets a rebuttal opportunity at the end, which should be limited to issues raised by the defense’s attorney.

  • Jury instructions: The attorneys propose instructions to the jury on how to consider the evidence, and then the judge approves or disapproves; if the instructions are approved, the judge reads them to the jury.

Providing Qualifications for Your Testimony

  • During the qualification phase of your testimony, your attorney asks questions to elicit the qualifications that make you an expert witness. This qualification phase is called voir dire.

  • Your attorney guides you through your CV. The amount of detail in this examination depends on several factors, but they all relate to how much advantage the attorney sees in your qualifications.

  • After your attorney has completed this examination, he or she asks the court to accept you as an expert on digital forensics.

  • Opposing counsel might object and is allowed to examine you, too; usually, cross-examination happens only if the opposing attorney thinks there’s something to gain from it.

General Guidelines on Testifying

  • Your delivery is an important part of how you answer questions and affects the impact you have on the jury.

  • Always acknowledge the jury and direct your testimony to them, using an enthusiastic, sincere tone to keep the jury interested in what you have to say. When an attorney or the judge asks you a question, turn toward the questioner, and then turn back to the jury to give the answer.

  • If a microphone is present, place it 6 to 8 inches from you, and remember to speak loudly and clearly so that the jury can hear and understand you.

  • Use simple, direct language to help the jury understand you.

  • Avoid humor. What one person thinks is funny, another won’t.

  • Build repetition into your explanations and descriptions for the jury.

  • Use chronological order to describe events when testifying, and use hand gestures to help the audience understand what you’re emphasizing.

  • If you’re using technical terms, identify and define these terms for the jury, using analogies and graphics as appropriate. List any important technical elements, showing how you verified and validated each element.

  • When giving an opinion, cite the source of the evidence the opinion is based on. Then express your opinion and explain your methodology—how you arrived at your opinion.

  • If the witness chair is adjustable, make sure the height is comfortable, and turn the chair so that it faces the jury.

  • To enhance your image with the jury, dress in a manner conforming to the community’s dress code for business professionals, or dress like the attorneys in the case.

  • Don’t memorize your testimony; you should strive for a natural, extemporaneous tone. Also, make sure you have alternative ways to describe or explain key facts.

  • For direct examinations, state your opinion, identify evidence to support your opinion, explain the method you used to arrive at your opinion from your analysis, and then restate your opinion.

Testifying During Direct Examination

  • When preparing your testimony for direct examination, keep some guidelines and techniques in mind.

  • You should work with your attorney to get the right language that communicates your message to the jury effectively.

  • Also, your attorney might advise you to be wary of your inclination to be helpful. This trait is natural, but it can hurt your testimony.

  • You shouldn’t volunteer any information or be overly friendly (or hostile) to the opposing attorney.

  • Review the examination plan your attorney has prepared to see whether you can make any suggestions for improvement; this plan is structured to ensure that questions elicit relevant evidence during direct examination.

  • Independent recollection: Information you know about this case and others without being prompted.

  • Customary practice: Procedures that are traditionally followed in similar cases.

  • Documentation of the case: The written records you have maintained.

Testifying During Cross-Examination

  • Keep in mind that certain words have additional meanings that an opposing attorney can exploit.

  • Be aware of leading questions from the opposing attorney, too.

  • Opposing attorneys often ask the following questions:

    • Did you use more than one tool to verify the evidence?

    • What tools did you use, and what are their known problems or weaknesses?

    • Are the tools you used reliable? Are they consistent, and do they produce the same results?

    • Have other professionals called on you as a consultant on how to use tools?

    • Do you keep up with the latest technologies used in digital forensics, such as by reading journal articles?

  • Your response to cross-examination tactics should challenge the opposing attorney to be more sensible, a response that often plays well with juries.

  • The more patient you are during cross-examination, the better you’ll weather any possible attacks. If the opposing attorney becomes assertive or upset with your testimony, be as professional and courteous as possible.

  • If he continues to lose control, staying calm and professional strengthens your image by comparison.

  • You should avoid showing that you have lost control, such as by the following behaviors:

    • Being argumentative when being badgered by the opposing attorney or being nervous about testifying.

    • Having poor listening skills or defensive body language, such as crossing your arms.

    • Being too talkative or talking too fast when answering questions.

    • Being too technical for an ordinary juror to understand your testimony.

    • Acting surprised and unprepared to respond when presented with unknown or new information.

  • Never have unrealistically high self-expectations when testifying; everyone makes mistakes.


15.3: Preparing for a Deposition or Hearing

  • Deposition: A witness's sworn out-of-court testimony.

    • The purpose of the deposition is for the opposing attorney to preview your testimony before trial.

  • Discovery Deposition: A part of the discovery process for trial.

    • The opposing attorney who requested the deposition often conducts the equivalent of a direct examination and a cross-examination.

    • Your attorney usually asks only questions needed to clarify a point that could be subject to misinterpretation in your direct testimony.

  • Testimony Preservation Deposition: It is usually requested by your client to preserve your testimony in case of schedule conflicts or health problems.

    • These depositions are often video recorded in addition to the written transcript, and your testimony is entered by playing the video recording for the jury.

Guidelines for Testifying at Depositions

  • General Rules to follow during depositions:

    • Be professional and polite.

    • Use facts when describing your opinion.

    • Understand that being deposed in a discovery deposition is an unnatural process; it’s intended to get you to make mistakes.

  • The following guidelines can also help you avoid problems during depositions:

    • Avoid omitting information in your testimony; omissions can cause major problems.

    • To respond to difficult questions that could jeopardize your client’s case, pause before answering, allowing your attorney to object before you answer.

    • To avoid having the opposing attorney box you into a corner or lead you to contradict previous statements, answer only the questions you’re asked, using short answers that are narrow in scope when possible.

    • Realize that excessively detailed questions from opposing counsel are an attempt to get you to contradict yourself.

    • When asked whether you know about an opposing fact or expert witness, your response should be as professional as possible.

    • Keep in mind that you can correct any minor errors you make during your examination by referring back to the error and correcting it.

    • Discovery deposition testimony generally doesn’t make it to the jury, except for the purpose of showing previous inconsistent testimony by the witness.

Guidelines for Testifying at Hearings

  • A hearing can be before an administrative agency or a legislative body or in a court.

  • An administrative or legislative hearing generally addresses the agency’s or committee’s subject matter and seeks evidence in your testimony on a subject for which it’s contemplating making a rule or legislation.

  • A presiding officer or committee chairperson is present, and the format of questioning depends on the agency’s or committee’s rules and the purpose of the hearing.

  • Often administrative or legislative hearings are related to events that previously resulted in litigation.

  • Testifying at administrative hearings isn’t as common as testifying in depositions or at trials.

  • A judicial hearing is held in court to determine the admissibility of certain evidence before trial.

  • No jury is present, but evidentiary suppression hearings are usually held early in the case to determine whether a criminal case moves forward or is dismissed.
