Chapter 16. Winning a Case Before You Go to Court

In This Chapter

  • Dealing with imperfect evidence

  • Dueling with opposing experts

Your ability to be responsive, adaptive, and resourceful is an invaluable asset because surprising things tend to happen that help or harm the case. For example, as e-evidence is found revealing more of the truth, the charges may change, defendants may countersue, or plaintiffs may lose their ability to think rationally. (If you doubt the last item, search YouTube for incriminating videos.)

In addition, clients may have no clue as to why something's important or not from a forensics point of view. Perhaps a reality show about e-evidence would help... Putting reality into perspective for them is part of the job. Plaintiffs who crave punishing e-evidence, for example, need help seeing the potentially high cost of their line of attack — no CSI script-writers can ensure the outcomes they want. Doing certain tasks discussed in this chapter is beneficial to you and the case in court.

This chapter helps you understand how to move the scales of justice (along with your career) in the direction of a win. We describe how to deal — or duel — with opposing expert witnesses. Topics covered relate mostly to private or smaller cases where you work for either the plaintiff or the defense. Huge cases (international industrial espionage or fraud, for example) are beyond the scope of this chapter, but who knows — you may catapult into this type of case later in your career.

Working Around Wrong Moves

By the time you're engaged as an investigator or expert witness to testify, it may already be too late to authenticate some of the evidence if do-it-yourselfers (DIYs) went to work on it. Convincing a client to wait for a computer forensics investigator who can testify about the methodology and any positive findings on a target computer or device may be impossible for a lawyer to do. Contamination probably happened before the call to a lawyer. When victimized people or companies decide to fight back against harm, the first step they take is usually the wrong one. But e-evidence might reside in other locations that the DIYs had not thought about, so it may still be uncontaminated. All messages have at least one sender and one receiver, and files are backed up. Get everyone with knowledge of the people or technology involved together to identify alternative sources. Talking to them individually takes more time, but do it if you can't arrange a brainstorming session.

Warning

Litigants may want you to overlook their DIY work ("We just looked around but didn't change anything") and pretend that it hasn't happened. Be prepared with a clear answer so that you don't commit perjury. You can also add these tasks to your list of don'ts: installing spyware, wiretapping, and other illegal tactics to capture or grab messages or files.

Being resourceful comes in handy when handling less-than-pristine e-evidence. This is a very tricky point to make regarding imperfect e-evidence. If perfect procedure has not been followed, it doesn't necessarily mean the e-evidence is useless. Depending on the case, lack of perfect e-evidence handling may only reduce the weight of that evidence. For example, in a criminal case, if prosecution has made some mistake with the evidence, it may reduce the sentence, but it doesn't get the entire case tossed out. The jury may still hear the evidence, and with help from an expert witness, decide how much value to attach to it. That value might be influential enough when it's corroborated by other evidence or used to corroborate. Of course, if the imperfect e-evidence is the sole piece of exculpatory evidence, then its weight is zero.

Special handling is needed when using imperfect e-evidence. You must admit to it upfront and put a positive spin on it. That is, show why or how the e-evidence is still material. You want to get out in front of that issue or you give the opposing side a sledgehammer to bring down on you for trying to sneak one past the jury. Getting caught in court can make you want to slither out of the witness box.

Tip

If the case involves responding to e-discovery requests and producing materials, be familiar with the issues covered in Chapter 2.

Responding to Opposing Experts

You most likely have a counterpart — the opposing computer forensics investigator and expert witness. In criminal cases, your counterpart works for the DA's office or law enforcement. You may need to interact with the person face-to-face at a forensics lab, over the phone, or in court. These other experts tend to be quite helpful and accommodating. In civil cases, you're less likely to have contact outside the courtroom, if the case moves that far along. Relationships with experts on civil cases tend to be more competitive.

Dealing with counterparts

Follow these guidelines when you interact with an opposing expert:

  • Be cordial.

    Nothing can be gained by antagonizing or bullying your opponent. You're both working for the justice system and are bound by rules of ethics. At the same time, your opponent is attempting to weaken the value of your work and opinions — but you're doing the same to him.

  • Remember that you're not perfect, at least not all the time.

    The downside of all types of evidence is that it can implicate the wrong person or indicate a crime that didn't happen, particularly if e-evidence has been planted to frame someone. The risk always exists that your interpretation is wrong.

  • Don't reject the expert's opinion or set out to demolish it.

    Examine and research it just like you research your own. You have to justify your opinion of the other expert's opinion. Be prepared to respond intelligently.

Responding to an expert's report is a methodical process. Read the charges to refresh your memory before tackling the report.

Formatting your response

As part of your examination and review of materials and documents provided by the opposing side, you prepare responses to statements made in affidavits. Responding to each material statement, charge, or allegation is necessary. Ignoring any critical issue makes you look like you're avoiding e-evidence that harms your case. And you know the risks of loopholes from Chapter 5.

Structure your report with these sections. Each statement, or item, is numbered for easy reference in the report — and later still in court. Here's the scenario: You represent the defendant, Rog Rabbit, who's charged by his former employer, A1 Company, with stealing confidential or intellectual property (IP) files before leaving to work at a competitor. Rog's new employer is also named in the lawsuit, but they have their own legal team.

Note

Everything you write, you may need to defend in court.

  • Section A: Introduction.

    Outline the key issues of the case. You usually take this information from the affidavit.

    • State the plaintiff's theory of the case: You want to include what the plaintiff, A1 Company, believes happened. A theory is that the defendant stole proprietary files from the company by copying them from the company laptop to CDs to use at a competitor. Then those files were deleted from the server to try to hide the theft.

    • State the basis for plaintiff's theory: Explain why the evidence supports the plaintiff's theory. For example, evidence was found indicating that files had been copied from the server, and company files couldn't be found there.

    • State your purpose in one or two sentences. For example: The purpose of my investigation is to determine if there is evidence to indicate that [list the plaintiff's charge].

  • Section B: Materials Available for Review.

    List the materials given to you for review as well as the materials you referenced to form your opinion. Include any Web sites you visited, software products listed in the affidavit, and technical reviews of software. Include the full URL and the date you accessed it. If you reviewed reference books or manuals, list them in full, including the publisher and date.

  • Section C: Background.

    Explain the facts of the case straight from the affidavit. For example, you would include the date the defendant stopped working at the company. Then the company retained Computer Forensics R Us who created a forensics image.

  • Section D: Analysis.

    List each material that was provided to you and that you reviewed, taken from the list in Section B. Use each material reviewed as a heading (for example, Responses to Statements Contained in the Affidavit of Person-Z). Under the heading, write your statements in a numbered list.

    You're laying a foundation for your interpretations and conclusions, just like a bricklayer does — one brick at a time. Respond with precision, facts, and legitimate or respected references. Don't use wikis or blogs as legitimate references unless you can defend their recognized authority in court.

  • Section E: Findings.

    Start this section with a statement that has some flexibility followed by your conclusions, which you would number.

    Within the bounds of reasonable computer forensics certainty and subject to change if additional information becomes available, it is my professional opinion that:

    You build your defense with the following:

    • State defense's theory of the case: Counteract the plaintiff's theory with your own. For example, suggest that the defendant was performing his standard job responsibilities by backing up the files as he had done for the past four years. Also suggest that the plaintiff cannot find its own files and is blaming a former employee and his new employer.

    • State the basis for defendant's theory: Back up your theory with your reasoning. For example, the defendant could have copied the files while backing up the files to another location — in this case, the server. Not being able to find files doesn't mean that the files were deleted.

    • List the key e-evidentiary issues: Outline the key points you're making in your report. For example, the defendant's laptop had been investigated in-house for two weeks to look for the missing files. Afterward, the laptop was imaged by a professional forensic imaging company's expert.

  • Section F: Attachments.

    If you have any attachments, list them here. Don't forget to actually include them with the report.

At the end of your response, remember to sign your name.

Warning

When responding, don't "blast" anyone, especially the opposing expert, even when the expert knew that, for evidentiary purposes, the forensics image was a dud. You would just look unprofessional.

Responding to affidavits

We show you sample responses to statements made in an affidavit. The affidavit is of Ken Kanine, who is A1 Company's director of information technology (IT).

Items listed in the affidavit that you're responding to are:

  • Item 3: Each team has its own network drive space that can be password-protected to limit access of that space to members of that team. Thus, for example, only members of the "Big Dogs" team can access documents in the "Big Dogs" directory.

  • Item 7: A1 Company doesn't have an electronic document management program. A1 Company relies on its employees to back up, preserve, and maintain copies of the electronic documents they create.

  • Item 8: When A1 Company provided Rog Rabbit with a laptop, the company specifically directed him to back up files on a weekly basis to his personal drive space.

  • Item 10: Rog Rabbit submitted his resignation on May 1, 2008 and left the company on May 3, 2008.

  • Item 11: On May 3, 2008, the company took possession of Rog Rabbit's laptop, and A1 Company's IT department made backup copies of his laptop and his e-mail.

  • Item 12: On May 17, 2008, IT personnel began to examine his laptop.

  • Item 15: Documents that Mr. Rabbit copied to CDs contain A1 Company's confidential and proprietary data. A competitor can use that data to compete against A1 and profit from its value.

  • Item 19: The IT staff tried to recover the deleted files from Mr. Rabbit's laptop using a program called "Recover-Software version 5.5," which identified about 1,800 files as having been deleted from the laptop, and that the IT personnel weren't able to recover any of those files with "Recover-Software version 5.5."

You might respond to each of these statements from the affidavit of Ken Kanine in this way:

  1. In Item 3, Ken Kanine states that each member of a team has his own network drive space that is password-protected to limit access to the members of a specific team, such as the Big Dogs. This item indicates that passwords were shared by everyone on the team and are not confidential.

  2. In Item 7, Ken Kanine states that A1 Company did not have an electronic records-management program. Instead, A1 Company relied on employees to preserve and maintain copies of the electronic documents they created. This item indicates that employees were expected to save copies of their documents.

  3. In Item 8, Ken Kanine states that Rog Rabbit had been specifically instructed to regularly back up all his files to his personal network drive space. This item indicates that one would expect him to have copied files as part of his job responsibility.

  4. In Item 11, Ken Kanine states that IT staff took possession of Rog Rabbit's laptop computer on May 3, 2008. This item does not indicate that the laptop was secured against use by others.

  5. In Item 12, Ken Kanine states that on May 17, 2008, IT personnel began examining Mr. Rabbit's laptop. This item indicates that others besides the defendant had used the laptop. This item does not state the IT personnel were qualified to perform a forensics investigation.

  6. In Item 15, Ken Kanine states that Rog Rabbit had copied to CD some files that contained confidential and proprietary information. Now the response is different because this is an allegation against the defendant.

    Offer alternative interpretations of what the item indicates, such as

    • The copying of files may indicate that backup copies of A1 Company's files were created, in accordance with A1 Company's requirement that employees and managers with company laptops save copies of their documents.

    • It is reasonable that at least some of the A1 Company files that were saved as backup copies would contain confidential and proprietary information.

  7. In Item 19, Ken Kanine states that IT personnel used "Recover-Software version 5.5," which identified about 1,800 files as having been deleted from the laptop, and that the IT personnel weren't able to recover any of those files with "Recover-Software version 5.5."

    Here's how to respond to the claim in this allegation:

    According to the independent test results of the recovery effectiveness <insert URL of technical review> of "Recover-Software version 5.5":

    • "Recover-Software version 5.5" software cannot recover files over a network.

    • Copies of files were saved on the network, so the files would have been found using this software.

Note

Don't chastise or make snide remarks, because you want the focus to be on your evaluation. Putting down other people to make your report look better makes you look juvenile or desperate.

Hardening your testimony

Your report prepares your testimony for trial, if the case isn't settled beforehand. In your report, avoid exposing yourself to any of the following risks, which would surface during a trial:

  • Relying on ignorance: Don't expect an attorney or opposing expert not to know enough to challenge the validity of e-evidence you present.

  • Overqualifying yourself or your expertise: It may not occur to you that it's dangerous to describe yourself as an expert in a general way. Saying that you're a computer expert exposes you to questions later in court that may be beyond the scope of your knowledge or expertise. Being faced with a computer question that you can't answer gives the opposing lawyer the chance to ridicule your abilities and cast doubt on your credibility. Stay "inside the box" by describing yourself, for example, as an expert in the collection, preservation, and examination of electronic evidence from computers and certain types of handheld devices.

  • Failing to understand key legal and forensic words: Be prepared to give definitions of terms such as IP address and forensic image. You need to use and be able to explain every word in your report, including what's reasonable. (Reasonable means "more likely than not.") A reasonable conclusion, for example, is more likely than not to be valid or true. If you're asked why you think your conclusion is reasonable, that phrase needs to be in your response.
