Computer Forensics For Dummies Chapter 15 to 17

Submitted By: Kirti Kohli Suruchi Prasad

1 COMPUTER FORENSICS FOR DUMMIES December 25, 2013

Chapter -15 Holding up your end at pretrial

COMPUTER FORENSICS FOR DUMMIES

December 25, 2013

Depending on where you stand, a pretrial is a good idea because it offers another chance to bring an end to a case before it reaches trial. Pretrial events help identify and weed out non trial cases to spare public and private costs.
The three pretrial procedures used by either side in criminal or civil cases are Motions Pretrial hearings Depositions

Pretrial Motions A motion is a formal request to a judge to make a legal ruling. Both parties try to maneuver into a better position by using motions. In civil cases, after the plaintiff files a complaint, the defendant has two options:
File an answer. File a motion, which is a response to the complaint but doesnt constitute an answer to the complaint.
3 COMPUTER FORENSICS FOR DUMMIES December 25, 2013

There are three types of common pretrial motions that are relevant to computer forensics in civil or criminal cases: Motion to suppress evidence (applies to criminal cases) Motion in limine (applies to civil cases) Motion to dismiss Other motions are : Forensics Depositions Production of evidence
4 COMPUTER FORENSICS FOR DUMMIES December 25, 2013

Handling Pretrial Hearings Pretrial hearings are an opportunity for negotiation in good faith between the parties. Judges can also hear evidence to determine whether the parties involved in the case followed the law and the United States Constitution and that the evidence was collected legally. Pretrial hearings are critical because they determine what jurors will hear or learn from the evidence and witnesses. All the e-evidence you examine can be examined also by the opposing sides computer forensics expert. Giving a Deposition Basically, depositions are sworn question-and-answer conversations. Youre asked questions by the opposing attorney, and the questions and your answers are recorded by an official court reporter. No judge or jury is present, but otherwise your testimony is similar to the way it is in the courtroom. Depositions have these three purposes, to
5 COMPUTER FORENSICS FOR DUMMIES December 25, 2013

Obtain relevant information Avoid surprises at trial Motivate a settlement before trial
Swearing to tell truthful opinions Give your opinion the weight it deserves Know the meaning of every acronym you use Prepare convincing opinions based on a thorough analysis to the best of your ability. Prepare to explain your review of the opinions of the opposing sides computer forensics expert and reasons why you disagree with them Know the weakness of each opinion Be concise.

COMPUTER FORENSICS FOR DUMMIES

December 25, 2013

Bulletproofing your opinions

Dont make assumptions about what the question means or the lawyers motivation for asking it. Dont argue or get defensive. Dont allow your answer to get cut off. Dont act like youre trying to win a marathon. Dont talk when someone else is talking. During the deposition, remember these five dos: Be simple, clear, concise, complete, and jargon free. Wait until the lawyer has finished asking the question so that you know you heard the entire question. Allow yourself a moment to think before you answer. Say I dont recall when you truthfully dont recall or remember. Say I dont know when you truthfully dont know.

COMPUTER FORENSICS FOR DUMMIES

December 25, 2013

Checking your statements

You need to review and correct your testimony in your deposition because It may be entered as testimony. If your mistakes are found and pointed out in front of the jury, your credibility tanks.

COMPUTER FORENSICS FOR DUMMIES

December 25, 2013

Chapter 16 Winning a Case Before You Go to Court

COMPUTER FORENSICS FOR DUMMIES

December 25, 2013

Working Around Wrong Moves

By the time youre engaged as an investigator or expert witness to provide testify, it may already be too late to authenticate some of the evidence if do-ityourselfers (DIYs) went to work on it. Convincing a client to wait for a computer forensics investigator who can testify about the methodology and any positive findings on a target computer or device may be impossible for a lawyer to do. Special handling is needed when using imperfect e-evidence. You must admit to it upfront and put a positive spin on it. That is, show why or how the eevidence is still material. Responding to Opposing Experts You most likely have a counterpart the opposing computer forensics investigator and expert witness. In criminal cases, your counterpart works for the DAs office or law enforcement.
10 COMPUTER FORENSICS FOR DUMMIES December 25, 2013

Dealing with counterparts

Follow these guidelines when you interact with an opposing expert: Be cordial. Remember that youre not perfect, at least not all the time. Dont reject the experts opinion or set out to demolish it Formatting your response

As part of your examination and review of materials and documents provided by the opposing side, you prepare responses to statements made in affidavits. Responding to each material statement, charge, or allegation is necessary. Ignoring any critical issue makes you look like youre avoiding e-evidence that harms your case.
Everything you write, you may need to defend in court

11

COMPUTER FORENSICS FOR DUMMIES

December 25, 2013

Section A: Introduction. Outline the key issues of the case. You usually take this information from the affidavit.
State the plaintiffs theory of the case: You want to include what State the basis for plaintiffs theory: Explain why the evidence supports State your purpose in one or two sentences Section B: Materials Available for Review. List the materials given to you for review as well as the materials you referenced to form your opinion. Include any Web sites you visited, software products listed in the affidavit, and technical reviews of software. Section C: Background. Explain the facts of the case straight from the affidavit. Section D: Analysis. List each material provided to you and that you reviewed from the list in Section B. COMPUTER FORENSICS FOR DUMMIES December 25, 2013 12

Section E: Findings. Start this section with a statement that has some flexibility followed by your conclusions, which you would number. You build your defense with the following State defenses theory of the case: Counteract the plaintiffs theory State the basis for defendants theory: Back up your theory with your List the key e-evidentiary issues Section F: Attachments. If you have any attachments, list them here. Dont forget to actually include them with the report.

13

COMPUTER FORENSICS FOR DUMMIES

December 25, 2013

Hardening your testimony

In your report, avoid exposing yourself to any of the following risks, which would surface during a trial: 1. Relying on ignorance: Dont expect an attorney or opposing expert not to know enough to challenge the validity of e-evidence you present. 2. Over qualifying yourself or your expertise 3. Failing to understand key legal and forensic words

14

COMPUTER FORENSICS FOR DUMMIES

December 25, 2013

Chapter 17 Standing Your Ground in Court

COMPUTER FORENSICS FOR DUMMIES

15

December 25, 2013

Making Good on Deliverables

Lawyers want you to help prove their cases or defend their clients. In a word, they want deliverables, things produced as a result of the investigation that they can use.

16

COMPUTER FORENSICS FOR DUMMIES

December 25, 2013

Understanding Barroom Brawls in the Courtroom

Managing challenging issues:
1. Legal issues: Legal loopholes, or novel situations for which no case law or precedent exists. Basically, legal issues are about whether a crime has been committed. Judges decide questions of law. Evidentiary issues: Disagreements over the e-evidence, such as its authenticity or interpretation Technique or procedural issues: Lapses in the chain of custody, poorly documented e-evidence collection techniques, or an investigators lack of credibility. Advanced law enforcement procedures for handling eevidence, following the chain of custody, and performing proper forensics imaging make these issues rare.
COMPUTER FORENSICS FOR DUMMIES December 25, 2013

2. 3.

17

Sitting on the stand:

The timeframe for when you take the stand and testify depends on which team you represent. The following example outlines the process for giving testimony on the witness stand (plaintiff refers to the prosecuting, or plaintiff, lawyer): 1. Direct examination (also called direct) by plaintiff: The plaintiff calls its first witness (P-Witness #1) to introduce evidence supporting the allegations. 2. Cross-examination (also called cross) by the defense :Youre still P-Witness #1, but youre now questioned by the defense. Questions on cross are limited to the subject matter introduced during direct, which is generally a good thing. Whats different is that the defense lawyer can ask you leading questions. Leading questions are in a form that suggests the answer to the witness. 3. Redirect examination (also called redirect) by plaintiff :Youre questioned again by the plaintiff about issues that were uncovered or that didnt go well during cross. Youre back in friendly territory, so dont expect that someone will try to trick you.

18

COMPUTER FORENSICS FOR DUMMIES

December 25, 2013

4. Re-cross-examination (also called recross) by defense : Recross gives both sides an equal number of times to ask you questions. 5. Case rested by plaintiff : In this defining moment, the court is informed that the plaintiff rests its case. No more witnesses can be called to the stand or evidence introduced by the plaintiff. 6. (Optional) Directed verdict of acquittal : If the plaintiff hasnt proved its case, the defense may make a motion for a directed verdict from the judge. 7. Direct examination by the defense : The defense begins its direct examination with its own witnesses and evidence, with the roles reversed, until all defense witnesses have testified. If youre working for the defense, this step is where you first take the stand. 8. Cross by plaintiff As in Step 2, cross-examination might not take place. If it does, you can expect the tactics discussed in Step 2 to take place. If not, Steps 9 and 10 dont take place, either. 9. Redirect by defense

19

COMPUTER FORENSICS FOR DUMMIES

December 25, 2013

10. Recross by plaintiff 11. Defense rests All testimony ends. Youre done, as are all witnesses. 12. Closing or final arguments : Its last call for the lawyers to influence the jury in this case. Your testimony might be mentioned here. 13. Jury instructions : The judge gives instructions and charges to the jury, explaining the appropriate law and the steps they must take to reach a verdict. Your testimony may be brought up in these instructions. 14. Jury deliberation and verdict Jurors consider the evidence and reach a verdict of guilty or not guilty. In some cases, the jury doesnt reach a verdict. 15. Appeal Either party can appeal the verdict.

20

COMPUTER FORENSICS FOR DUMMIES

December 25, 2013

STAGING A DISASTERRelying on computer technology, wireless connections, or electronics to work precisely the way you need them to at the moment you need them to is outright dumb. You can minimize disastrous moments by following these guidelines: 1. 2. No surprises: Dont surprise the judge or your opponent. No live events: Dont rely on anything live, such as a live Internet connection, No ad libs: Dont expect things to work unless youve rehearsed and tested them yourself No epics: Consider the attention span of jurors. No gaps: Connect the dots for the jury. No-tech backup: Expect problems and plan alternative displays as backups. No forgetting all items you need.

3.
4. 5. 6. 7.

21

COMPUTER FORENSICS FOR DUMMIES

December 25, 2013

Exhibiting like an expert:

Design your exhibits as simply as possible. Consider these other tips: 1. 2. 3. 4. Use terms that nontechnical types can understand, unless precision is necessary. Use analogies to explain complex technical material. Be prepared to explain and define technical material. If youre allowed to, stand up and point to elements on the exhibit to ensure that everyone is looking at the right spot as you describe it. Dont forget that your attention belongs on the jury and not on your displays. Never testify beyond your expertise.

5.

6.

22

COMPUTER FORENSICS FOR DUMMIES

December 25, 2013

Communicating to the Court

Giving testimony about the case The following tactics and techniques can help you perform well during direct and redirect, and make you resistant to cross and recross attacks: 1. Compose a logical and focused testimony outline of the facts in the case. Prepare testimony that the judge and jury will believe. Dont spar with the lawyers. Be as natural and relaxed as you can be. Be aware of your body language, facial expressions, eye movement, and good posture. Watch the jurors to determine their level of understanding. Focus on the right thing. Dont get misled.
COMPUTER FORENSICS FOR DUMMIES December 25, 2013

2. 3. 4. 5. 6. 7. 8.
23

Answering about yourself

Avoid these mistakes: 1. Not being familiar with the facts of the case. 2. Not being prepared to defend your methodology and aware of its limitations. 3. Billing for work you werent authorized to perform by the lawyer or client. 4. Charging too much or too little. 5. Not getting paid until after you testify or being paid based on the outcome. 6. Payment issues are more serious than you might expect. 7. Having a conflict of interest. 8. Being inconsistent or giving a report or testimony that contradicts earlier reports or testimonies 9. Not identifying all the time spent examining the e-evidence 10.Stretching the truth. 11. Speaking to or on the media about a case, which can indicate that youre on the case for fame or other personal gain.
24 COMPUTER FORENSICS FOR DUMMIES December 25, 2013

Getting paid without conflict

All parties need to be careful and precise with this payment issue because The lawyer needs to avoid any action or expense that can lead to disputes between himself and the client over fees. The lawyer and the client need to avoid disputes with the expert witness. The expert witness wants to maintain an unblemished reputation by not stiffing the lawyer or client. Here are some common-sense recommendations for minimizing conflicts and disputes: 1. Use a detailed written fee agreement with the expert together with an engagement letter. 2. Discuss specific provisions for the withdrawal of the expert before the agreement is signed.

25

COMPUTER FORENSICS FOR DUMMIES

December 25, 2013

THANK YOU

26

COMPUTER FORENSICS FOR DUMMIES

December 25, 2013