Chapter 10. What to Expect from an Expert

Information in this chapter:

• General expectations
• Where to begin?
• The examination
• Court preparation
• Expert advice
Depending on the type of service you need in a particular case, an expert should be expected to assist you with all of the steps regarding digital evidence. Many attorneys and commercial clients are dealing with digital evidence for the very first time, and there is a significant knowledge gap as to the handling of cases involving digital evidence. It is the expert’s role to bridge this gap by assisting the attorney in identifying and obtaining evidence through discovery, reviewing expert reports and providing an assessment of the case, making sure that any evidence is properly collected and handled in a forensically sound manner, educating the attorney about the specific evidence in the case, and assisting the attorney with trial preparation. This chapter will explain what this process looks like and how it should proceed.
Keywords
Motions, Court Preparation, Expert Advice, Discovery

10.1. General expectations

When you contact a forensic expert, you may have no idea of what you need to do to deal with this type of evidence. And depending on the type of case, the steps that must be taken can vary considerably.
The most basic considerations are obtaining the evidence via motions or orders to access it, deciding what type of evidence to ask for if it is not already clearly spelled out, and reviewing the opposing expert’s work if one is involved in the case.
If you are the plaintiff in a case, it will fall on you to obtain all the evidence you will need to litigate the case. Unless you are already well versed in the many types and forms of evidence and evidence storage, you may be at a loss as to what to ask for and where to get it. An expert can assist you through the process of identifying potential evidence, creating motion language to obtain the evidence, and finally, analyzing the evidence.
If you are representing a client in a criminal case, you will be dealing with search warrants and affidavits that are technical in nature, especially in cases involving Internet stings and file-sharing programs. An expert can and should assist the attorney in reviewing warrant affidavits, assessing the forensics performed by law enforcement experts, and in answering questions for your client about the digital forensics aspect of their case. In many cases, a digital forensics expert can assist you and your client with assessing the merits of a case where digital evidence is the primary evidence in the case.
Engaging a properly experienced expert can also be critical in assisting you with your pre-trial motions by providing assistance with understanding the way evidence was gathered and preserved, analyzing the probable cause in search warrant affidavits, and assisting in the assessment of cost burdens for processing various types of evidence in civil cases.

10.2. Where to begin?

The question of where to begin comes up in every case, and the answer usually depends on the needs of the particular case.
If the case is a civil case, the first step is identifying the evidence and then obtaining and collecting it. The expert should be able to assist with motion language to make sure that the evidence is made available and also be able to outline, if needed, the processes and procedures that will be used to collect the evidence in a forensically sound manner.
For example, the expert can provide a protocol or set of requirements that can be included in production motions to ensure that the evidence is properly collected. This is particularly important when you are using third parties to collect and copy digital evidence, or if the other side is producing the evidence using their own experts or personnel.

10.2.1. Sample protocol for evidence collection by a third or opposing party

The following protocol shall govern the collection, copying, and preservation of evidence to be produced by the plaintiff:
1. All media shall be copied in a forensically sound manner in compliance with accepted best practices for the handling, copying, verification, and preservation of digital evidence.
a. No computer or other device shall be operated, previewed, copied, or otherwise “powered on” without proper write-blocking hardware or software in place to protect the original evidence.
b. All collection, handling, and copying of digital evidence shall be performed by a properly trained forensics examiner with specific experience and training for the type of device that is to be copied; computers and computer storage media shall be handled and copied by trained computer forensics examiners; cell phones and mobile devices shall be handled and copied by trained cell phone forensics examiners.
c. Any type of digital evidence that requires that a representative of plaintiff or defendant, or a third party, assist in the collection and copying of said evidence, such as NetApp shares and snapshots, server file shares, mail stores, backup volumes, and so forth, shall be performed under the supervision of a trained digital forensics examiner.
d. All forensic copies shall be made using a standard forensic collection tool, which may include but is not limited to FTK Imager, EnCase, Helix, Forensic Talon, or Tableau. Any such tool used must have the capability of generating a verification hash for the evidence copied.
e. All forensic copies shall be delivered in a standard encapsulated format such as the Expert Witness (E01) Format, EnCase Logical Format (L01), Access Data’s Logical Format (AD1), or the Linux DD format.
f. Mobile devices such as cell phones and GPS units shall be copied using forensic tools designed for the specific purpose of analyzing such devices in a forensically sound manner. Forensic tools for this can include but are not limited to Paraben’s Device Seizure, Susteen’s SecureView, XRY, Cellebrite, CellDek, or Blackthorn. Any tool to be used for the forensic copying of mobile devices shall be disclosed and approved by the supervising digital forensics examiner prior to collection of any mobile device data.
g. In the event that copies cannot be made in the formats listed above due to technical issues, the supervising digital forensics examiner shall be notified of the reason and shall propose an alternative collection method to be employed.
2. Documentation Requirements
a. A complete chain of custody shall be created and maintained for all evidence collected.
b. An acquisition report shall be created for all evidence collected, by item, and shall include at a minimum the following information:
i. The name and contact information of the person who performed the collection and copying of the evidence.
ii. The qualifications of the person who performed the collection and copying of the evidence.
iii. The acquisition hash values in MD5 and/or SHA1 format for each item of evidence collected.
iv. The specific process used for the collection and copying of each item of evidence, including the manufacturer, name, and version of the tool used for both hardware and software tools.
v. The method used to protect the evidence, including the make and manufacturer of the write-blocking method employed.
vi. The origination of the evidence item including the originating location (server, computer, cell phone), device name and serial or asset tag number, file path(s), manufacturer, make and model of the device, and the corresponding custodian name or owner of the data.
vii. The name and contact information of any person who assisted in the collection or copying of the device.
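The verification step that items 1.d and 2.b.iii of the protocol call for, shown as an added Python example (not code from the book): it streams MD5 and SHA-1 over an image, records them alongside the seven acquisition-report fields, and shows a faithful copy verifying while a copy altered after acquisition fails. The examiner, tool and device values are placeholders, and the evidence file is constructed.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so a multi-GB image never sits in memory

def acquisition_hashes(path):
    """MD5 and SHA-1 of a file in a single streaming pass (protocol item 2.b.iii)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

@dataclass
class AcquisitionRecord:
    """Minimum per-item fields the protocol's section 2.b requires (items i to vii)."""
    examiner: str        # i.   name and contact information of the collector
    qualifications: str  # ii.  collector's qualifications
    hashes: dict         # iii. MD5 / SHA1 acquisition hashes
    tool: str            # iv.  manufacturer, name and version of the tool
    write_blocker: str   # v.   make and manufacturer of the write-blocking method
    origin: dict         # vi.  location, serial/asset tag, path, make/model, custodian
    assistants: list = field(default_factory=list)  # vii. anyone who assisted

def acquire(evidence_path, **details):
    """Hash the original once, at acquisition time, and file it with the required details."""
    return AcquisitionRecord(hashes=acquisition_hashes(evidence_path), **details)

def verify_copy(record, copy_path):
    """Re-hash a delivered copy; both digests must equal the acquisition hashes."""
    return acquisition_hashes(copy_path) == record.hashes

def demo():
    # Constructed sample data: a small file stands in for a forensic image of a drive.
    tmp = tempfile.mkdtemp()
    original = os.path.join(tmp, "original.dd")
    with open(original, "wb") as fh:
        fh.write(b"\x00" * 4096 + b"constructed sample evidence" + b"\xff" * 4096)
    record = acquire(original, examiner="placeholder examiner <name@example.test>",
                     qualifications="placeholder: trained computer forensics examiner",
                     tool="placeholder imaging tool v0.0", write_blocker="placeholder write blocker",
                     origin={"location": "workstation", "serial": "SN-PLACEHOLDER", "custodian": "placeholder"})
    good, bad = os.path.join(tmp, "copy.dd"), os.path.join(tmp, "copy_altered.dd")
    with open(original, "rb") as src:
        data = src.read()
    with open(good, "wb") as fh:
        fh.write(data)                      # faithful copy: verification passes
    with open(bad, "wb") as fh:
        fh.write(data[:-1] + b"\x00")       # one byte changed after acquisition: verification fails
    return verify_copy(record, good), verify_copy(record, bad)
```

A copy that fails this check is exactly the contaminated evidence the protocol is meant to keep out of the case, because the record shows what the original looked like before anyone else touched it.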
The reason such a protocol is critical is that many times, especially in small civil cases, one side may decide to use a non-expert to perform collections. In many cases, the person handling the collection and examination of evidence had no training or experience in forensics, did not use any forensic tools for protecting the evidence or making forensic copies, and modified the evidence during the collection and examination process. Rarely does this come to light until you get to court and the person’s qualifications are revealed to be that they “helped out neighbors and friends with recovering their lost family pictures, removing viruses, and generally fixing their computers.”
When you get contaminated evidence in a case like this, it becomes a much larger job for your expert to sort out what has been done, and verification of the evidence and facts may become impossible.
Once the evidence is collected, the expert may be required to write an affidavit outlining the processes and procedures used and documenting the chain of custody. Alternatively, your expert may be required to prepare an affidavit challenging the methods used and the chain of custody for evidence collected and produced by the opposing side.
In a criminal case, the expert should be able to discuss the case with you and assist with motions and subpoenas for getting either a copy of the evidence, or in the case of an Adam Walsh Act contraband case, motions to get access to a copy of the evidence for analysis.
For example, in a criminal case where there is a serious risk of contamination, to the point where the issue will be raised at trial as part of your defense argument, an expert can assist you in assessing the risk of tampering and in preparing a motion that will allow your expert to make a new forensic copy of the evidence in question for comparison to the forensic evidence provided by law enforcement. However, this will add significant expense to the case due to the additional work that must be performed to make new forensic copies and compare them to the copies made by law enforcement. Not only will you need to justify the additional expense to whoever is paying for the expert’s services, but you will probably meet stiff resistance from the prosecution in getting such a motion approved by a judge.
At this point, you may need an affidavit from your expert to support the motion and/or testimony at a pre-trial hearing by your expert to explain why it is necessary to recopy what the prosecution has already provided.
Different types of evidence will require different language specific to obtaining that evidence. For instance, the subpoena language to get the proper records from a cell phone provider is very different from the language needed to get forensic copies of computers and cell phones in the hands of law enforcement.
For example, to obtain call detail records from a cellular carrier, you will need to specify exactly what you want to get in the subpoena response. In a case involving cell tower locations for a cellular phone, just getting the call detail records is not enough to properly perform an analysis. You will also need to have language in your subpoena to obtain engineering and maintenance information about the cell towers of interest. Motion language for call detail records and cell tower information is covered in Chapter 24.
In the case of cell phones, there are still many police departments and law enforcement agencies that do not have the resources to examine cell phones. If this is true in your case, it is doubly important to get any cell phones properly collected and examined by your expert before they are damaged in some way or returned to the owner.
In any of the cases, the expert should already have or be able to write the technical language needed to obtain evidence and assist you with this process.

10.3. The examination

Once the evidence has been gathered, the expert will perform an examination or analysis of the evidence. Based on information provided by you as the attorney and your client, and the expert’s review of an opposing expert’s forensic report, the expert is expected to perform the following steps:
1. Verify the work of an opposing expert.
2. Perform an independent analysis of the evidence to ensure that all of the facts are accurate and also that the evidence has been completely analyzed if an opposing expert is involved in the case.
3. Once the analysis has been completed, the expert should be able to advise you on the findings and in some cases, the merits of the digital evidence in the case.
4. Assist you with trial preparation based on the analysis of the digital evidence.

10.4. Court preparation

Part of the process is assisting the attorney with court preparation. This involves anticipating what the opposing expert may testify about based on their forensic reports. As part of the process, a series of questions should be developed by the expert to assist the attorney with cross-examination of the opposing expert.
Some examples of such questions include:
1. During your examination of the computer in question, did you check and verify the accuracy of the date and time of the computer’s built-in clock?
2. Is there a possibility that the computer clock was set to an earlier time to cover up the fact that the witness could have planted this evidence on the computer?
3. Did you take any steps to verify that the computer clock was not manipulated in some way by setting to an earlier time and then setting it back to the current time?
4. Can you tell the court whether or not my client had his own personal login for the computer?
5. Can you tell the court if my client’s login was password protected?
6. Can you explain the steps you took to protect the evidence on the hard drive when you made your copy?
The expert may also be required to testify and should be able to provide testimony as to the ownership of the computer, ownership of various files, the handling and collection of the evidence, specifics relating to the software installed on the computer, and dates and times of computer activities.

10.5. Expert advice

Before a case goes to court, the expert may be asked to advise the attorney as to the merits of the case in regard to the digital evidence located or presented. This is mostly true in criminal cases where the expert has had an opportunity to review the digital evidence and form an opinion of the strength of the evidence if presented at trial.
10.1. Merits of the case
Larry had a case where an attorney contacted him late on a Friday afternoon. His client was charged with possession of child pornography, and he was scheduled to attend court the following Monday to either accept a plea bargain or enter a not-guilty plea and to go to trial. The attorney and the client met with Larry that evening and Larry reviewed the discovery in the case, including the computer forensic report compiled by the law enforcement agency.
After reviewing the discovery and asking the client some pointed questions with his attorney present, Larry advised the client that going to court would be a high risk compared to the plea offer he had on the table. While the client maintained that he did not know about the presence of the child pornography located on his computer and external hard drive, he could offer no explanation for how it got there. He said that he did not know of anyone else using his computer and that he was the only one who had ever used his external hard drive, which was stored in his bedroom closet. He could think of no witnesses to anyone seeing someone using his computer. It boiled down to his only being able to state that he didn’t do it, but there was no evidence or witness he could name to contradict the forensic report provided by law enforcement. Other elements of the case added to the problem as he was also charged with secret peeping for installing a hidden camera in his bathroom for him and his girlfriend to record their sexual encounters. He had a plea offer on the table to only serve probation and register as a sex offender for five years. The client decided to take the offered plea. When he attended court the following Monday, the judge told him after he accepted the plea bargain that if he had not done so and lost at trial, the judge would have put him in prison until he was an old man. The client was in his early twenties and based on the sentencing guidelines, if he had lost at trial he could have been sentenced to prison for over 25 years.

Summary

In this chapter we discussed what you as an attorney or client should expect from a digital forensics expert. We looked at motions and discovery and some of the ways an expert can assist in getting discovery in the correct manner. We also looked at what to expect in a computer forensics report and included a sample of the minimum information you should expect to be provided in computer or other digital forensic reports. This chapter also covered trial preparation, some sample questions for court testimony, and how an expert can assist in assessing the merits of a case based on the forensic evidence.