CHAPTER 8 Becoming an Expert Witness

LEARNING OUTCOMES
By the end of this chapter, you should be able to:

1. Understand the role of an expert witness;
2. Know how to prepare for testimony;
3. Illustrate how to testify in court during cross-examination;
4. Know how to prepare for a deposition; and
5. Understand the expert opinion.

INTRODUCTION
Computer crime investigators should approach every case with an eye toward trial.
It is important for investigators to maintain this mindset because the strength of
the case is ultimately determined by the weight of the evidence and the defendant’s
perception of the prosecutors’ ability to present the evidence effectively. Investigators
must understand not only the basic mechanics of testifying but also the “big picture”
of what the case is about and where their testimony will fit into the case as
a whole.

A computer expert witness should not only be capable of analysing evidence and giving
an expert opinion on what that evidence means, but should also be able to explain their
findings in a clear and concise manner, and to clearly, methodically and convincingly
dispute any incorrect information the other side may put forward. Presentation of
digital evidence in a clear and simple format could make the difference between the
success and failure of your case.

Source: http://www.youtube.com/watch?v=bwsD_LCw_k8&feature=related

8.1 Preparing Yourself as an Expert Witness

The key ingredients in presenting yourself as an effective witness are the same
in cyber crime cases as they are in all cases. Bear in mind that there is no one right
or wrong way to testify. Everyone who testifies will have a different style. If your
style of testimony is likely to be credible to a panel of judges, your style of testimony
is just fine. During the conversation with the prosecutor, get advice from the
prosecutor about testifying effectively. Lawyers will focus on different things,
and regardless of how many times you have testified, there is always something that
you can learn about doing it better.

The most basic general rule about testifying is to listen to the questions carefully
and to answer each question to the best of your ability. After a question is asked,
pause for a while to gather your thoughts before answering. This serves two purposes:
1. Merely blurting out an answer is the surest way to get into trouble.
2. It provides the attorneys with an opportunity to object.
If you don’t know how to answer a question or you can’t respond to the question
as asked, just say so.

8.1.1 The Limitation on an Expert Witness

Occasionally, investigators are qualified by a court to testify as experts because
of specialised knowledge that they possess. Courts qualify witnesses to testify as
experts in limited areas, and an investigator should not suggest that they know
more than they actually do. For example, though an investigator may be qualified
to testify as an expert in the use of Forensic Tool Kit to investigate media storage
devices, this qualification would not make the investigator an all-round computer expert.

Most importantly, there are ethics and codes that expert witnesses need to know
and abide by when testifying in court, as shown in Figure 8.1:

Figure 8.1: The list of ethics and codes which expert witnesses need to know
and abide by when testifying in court

(a) Find a crime case through the internet and get the full details about
the expert witness on that case.
(b) Find out the different codes of ethics used by investigators.
8.2 Preparing for Testimony

When preparing for testimony, there are a few steps that need to be considered.
These steps are:
(a) Comparing technical and scientific testimony;
(b) Determining the requirements needed to be an expert witness;
(c) Preparing technical definitions;
(d) Understanding the ethical difficulties in expert testimony;
(e) Knowing the ethical responsibilities owed to you.

8.2.1 Comparing Technical and Scientific Testimony

A comparison between a Technical Witness and an Expert Witness and the requirements
needed is shown in Figure 8.2:

Figure 8.2: A comparison between a Technical Witness and an Expert Witness

8.2.2 Determining the Requirements Needed to be An Expert Witness

When presenting yourself in court as an expert witness, you are required to provide
two (2) main pieces of information. These are shown in Figure 8.3:

Figure 8.3: Two (2) main requirements to be an expert witness

8.2.3 Preparing Technical Definitions

During the preparation of the testimony, you must ensure that the technical
definitions are declared and clarified so that the court will be able to evaluate
the evidence. Some of the technical definitions that might be involved are:

8.2.4 Understanding Ethical Difficulties in Expert Testimony

Some of the ethical difficulties which an expert witness might face during a testimony are:

8.2.5 Knowing the Ethical Responsibilities Owed to You

The points in Figure 8.4 give you an idea of the ethical responsibilities that
will be given to an expert witness during a testimony:

Figure 8.4: Ethical responsibilities that will be given to an expert witness during a testimony

(a) Differentiate between the technical and expert witness.
(b) Find out the ethical responsibilities followed by the forensic investigator.

8.3 Testifying in Court

(a) Computer evidence in court

Presenting evidence in a court of law is the acid test by which the computer crime
investigator is ultimately judged. The brief points shown in Table 8.1
will help the investigator to appear in court to testify.

Table 8.1: The Fourteen (14) Dos & Don’ts for an Investigator to Know Before Appearing in Court

(b) Questions to be considered when preparing your testimony:

(c) Questions you should prepare for:

(d) Reviewing Reports

If the investigator does nothing else to prepare for testimony, the one thing
that the investigator must do is to review his or her report shortly before
testifying. Reviewing the report doesn’t mean just reading it over; it means
reading the report over very closely at least five or six times. One of the
most frustrating things from the vantage point of a prosecutor is watching
defence counsel attack an investigator on the details of the investigator’s report
when the investigator’s knowledge of the report is clearly hazy because he or
she wrote the report a long time ago and did not properly review the report
before trial. In almost all cases, most of the defence attorney’s cross-examination
of the investigator will be based upon the investigator’s report. Investigators
have a huge advantage when testifying; they know almost exactly what most
of the defence attorney’s questions are going to be based upon.

(e) Understanding the big picture

Testifying effectively requires not only following the basic rules just described;
it also involves understanding how your testimony fits into the big
picture of the trial as a whole. This big picture is known as the theory of the
case by the attorneys. For example, in a child pornography case, the defence
attorney’s theory of the case might be that there were many people with access
to the computer, and the government really cannot establish that the defendant
is responsible for the child pornography on the computer. Another defence that
may be used by the defendant is that the images on the computer weren’t of
real children.

To testify effectively, you have to understand the theory of the case that the
prosecutor and defence counsel are relying upon. As an investigator, if you
build up a wide understanding of the case, you will be able to assist the prosecutor
in identifying the testimony you could offer that would be helpful for the trier
of fact to understand the issues that are really in dispute. Moreover, you will be
able to better anticipate the questions that the defence attorney is going to
ask you.

An example might be helpful: if the issue in a case is the defendant’s sanity,
most defence attorneys aren’t going to argue about or object to the protocol that
the cyber investigator followed while searching the defendant’s computer.
If the cyber investigator understands that the theory of the defendant’s case
is that the defendant is insane, the cyber investigator, working with the
prosecutor, could effectively tailor his testimony to address the issue of sanity.
The investigator may testify, for example, about how the defendant organised
his files or how the defendant hid or destroyed certain files. This sort of
high-level understanding of the case should be the ultimate goal of a cyber
crime investigator.

(a) Find out the rules that should be followed to prepare a report.

8.4 Testifying during Cross Examination

Source: http://www.youtube.com/watch?v=q021AHmvJbc

The primary rule in relation to testifying on cross-examination is not to volunteer
information that was not asked for. As a witness, you have to simply
respond to the questions that are asked of you. On cross-examination, defence
counsel will raise closed questions like, “You did not photograph the computer
screen before you started to work on the computer, did you?” There is generally
an irresistible temptation for investigators to make an effort to testify about what
they did. The prosecutor will get a chance on redirect examination to clarify
anything that is important. If you volunteer information, you are simply
going to open up additional areas for opposing counsel to question you about,
possibly areas that opposing counsel would not have looked into otherwise.

Keep in mind that the defence counsel is not your enemy. You should
treat defence counsel’s questions to you as an opportunity to educate the finder
of fact about what you observed and did. If you allow defence counsel to
bait you into squabbling about things in front of the finder of fact, your credibility
will inevitably suffer even if you think that you got the better of the argument.
Do not try to one-up the defence counsel by showing off your technical knowledge.

8.4.1 Direct Examination

On direct examination, you ideally want to develop a rapport with the prosecutor.
Listen very carefully to the prosecutor’s questions and answer them to the best
of your ability. Respond to the prosecutor’s questions fully. In an ideal direct
examination, the prosecutor’s role is almost unnoticeable. In direct examination,
the prosecutor is to ask open-ended questions that allow you to tell your story in a
comfortable and complete manner that is as close to a narrative as possible.

8.4.2 Testifying During Direct Examination

The following are other questions opposing attorneys often ask:

A few additional questions opposing attorneys often ask are:

In a lot of instances, the opposing counsel asks you many questions meant to
throw you off. For example, they may ask the following questions:

You have to avoid losing control, which you can do in any of the following ways:

(a) Find out the importance of cross-examining the investigator.
(b) Differentiate between direct and cross-examinations.

8.5 Preparing for a Deposition

Source: http://www.youtube.com/watch?v=BoIqlCNPhYI

There are guidelines that an expert witness needs to remember when testifying at
a deposition in court. Most of these guidelines apply to trial and hearing testimony
as well. These guidelines are shown in Figure 8.5:

Figure 8.5: Guidelines when testifying at a Deposition, trial and hearing

During depositions there are procedures that need to be followed. These procedures
are shown in Table 8.2:

Table 8.2: Procedure of Depositions

You must avoid talking to the news media for the reasons listed in
Table 8.3:

Table 8.3: List of Reasons for Not Talking to the Media

(a) Find out what should be followed by the investigator when testifying
at the deposition.

8.6 Forming an Expert Opinion

What is expected from an expert? Above all else, evidence is what is expected
from an expert. Nevertheless, the evidence that the expert provides must include
three things, as listed in Figure 8.6:

Figure 8.6: Three (3) important criteria needed when providing evidence

SUMMARY

1. This chapter explains the expert witness and the functions and limitations
of an expert witness.
2. A key ingredient in presenting yourself as an effective witness in cyber
crime cases is to listen to the questions carefully and to answer each question
to the best of your ability.
3. The ethical responsibilities of the forensic investigator, ethical difficulties
in expert testimony, comparing technical and scientific testimony, preparing
technical definitions and how to prepare for testimony have been explained
in this chapter.
4. This chapter explains how to testify about computer evidence in court and
additionally how to testify during cross-examination in court.
5. Finally, you have understood the guidelines for testifying at a deposition and
how to form an expert opinion.

TRUE/FALSE QUESTIONS

1. A computer expert witness should give a professional opinion on what the evidence
means and also be able to explain their findings in a clear manner.
True False

2. Presentation of digital evidence should be in a clear and highly technical format
when submitting to the court.
True False

3. Expert witness should be given by the trained prosecutors.
True False

4. Expert witnesses should present unbiased, specialised, and technical evidence
to a jury.
True False

5. Forensic experts should follow their own personal ethics and the ethics of
their professional organisations.
True False

6. Technical witnesses and expert witnesses play a major role in cybercrime
investigation.
True False

7. Forensic investigation can be done by anyone who possesses the certification.
True False

8. An eyewitness is considered a major part of cyber crime investigation.
True False

9. To maintain the integrity of the evidence, the investigator must carry the evidence
on every appeal in court.
True False

10. Forensic investigators must avoid talking to the media.
True False

MULTIPLE CHOICE QUESTIONS 1

1. Cyber crime investigators are qualified by courts to testify as experts because
of their __________.
A. Certifications they hold.
B. Specialised knowledge and experience.
C. Designation.
D. All of the above.

2. FTK is known as ______.
A. Forensic Technical Knowledge.
B. Forensic Tool Knowledge.
C. Forensic Tool Kit.
D. A & B

3. A person who has performed the actual field work, but does not offer an
opinion in court is known as ________.
A. Technical Witness.
B. Expert Witness.
C. Chain of Custody.
D. Witnesses.

4. A person who has knowledge in a field and can offer an opinion in addition
to the facts being presented is known as __________.
A. Technical Witness.
B. Expert Witness.
C. FTK.
D. MD5.

5. Defence counsel asking closed questions to an investigator is known as ___________.
A. Direct Examination.
B. Cross-examination.
C. Testifying Evidence.
D. None of the above.

MULTIPLE CHOICE QUESTIONS 2

1. When presenting digital evidence to the court it should be ________.
A. Clear and highly technical format.
B. Only technical format.
C. Easily understandable.
D. Clear and concise manner.

2. Technical definitions of a witness should contain __________.
A. CRC32, MD5, and SHA-1.
B. Image and bit-stream backup.
C. Log files.
D. All of the above.

3. In direct examination the prosecutor will ask ________ questions to the examiner.
A. Open-ended
B. Closed
C. Technical
D. A & B

4. Evidence provided by the forensic expert must include one of these __________.
A. Partial
B. Clear
C. Credible
D. None of the above.

5. Authentication of the digital evidence is maintained by the _________ method.
A. Digital Media.
B. Tools acquiring.
C. Forensic.
D. Chain of custody.
