CHAPTER 17
Litigation and Reports for Court and Exhibits
We’ll Cover
 
•   What type of witness are you?
•   Writing reports for court
•   Creating exhibits
 
Chapter 16 discussed report writing for internal investigations. If your internal investigation makes its way into the legal system, you will have different requirements and duties in both your role and with regard to the report you write. This chapter discusses your involvement as a computer forensic examiner in a legal proceeding.
Note
I am not a lawyer, and the content in this chapter is based on my experience working with lawyers during the last 12 years in support of their lawsuits. This chapter defaults to federal court rules since changes in state courts occur frequently.
Important Legal Terms
Let’s start by introducing you to a few important legal terms.
Litigation refers to the judicial process—that is, it’s what occurs in courtrooms every day. In civil court, individuals and/or companies are referred to as plaintiffs and/or defendants. The plaintiff in a lawsuit is the person and/or company that initiated the lawsuit against the defendant. There is usually only one plaintiff, unless the case is a class action lawsuit. The defendant is the person and/or company that is being sued by the plaintiff. Multiple defendants can be involved if the plaintiffs believe that multiple parties have caused harm. In criminal court, the plaintiff is always the government, whether that be the city, county, state, or country. An individual cannot begin criminal action, at least in the United States.
Outside counsel refers to the law firm that a company hires to represent it in a court of law. Lawyers who work in a company legal department typically do not maintain the credentials they need to work in the courts; lawyers must be admitted to practice in the states they go to court in. So outside law firms are retained to represent the people and/or companies or provide them legal advice.
The discovery phase occurs in litigation between two parties. During discovery, plaintiffs and defendants are allowed to ask each other for documents they believe to be responsive to their claims or defenses. A responsive document is a document that is relevant to the request being made. When plaintiffs and defendants ask for documents from each other, they do so in the form of written requests for production; these identify which types of documents they want. If the document being reviewed matches those criteria and is not excluded under another criterion (such as being privileged), it is responsive.
Admissibility is the process of determining whether a piece of evidence or a statement should be allowed to be entered into the court record. Information and/or evidence can be determined not to be admissible if it is privileged communication, an attorney-client work product, irrelevant to the proceeding, hearsay, or unable to be authenticated.
Privilege refers to the status of a document or communication with regard to the attorney-client privilege. Any e-mail sent between an attorney and her client is considered privileged by default and is exempt from discovery unless a judge rules otherwise.
Work product or attorney-client work product refers to drafts and materials used in the support of a lawyer’s work in a lawsuit. This can include e-mails, documents, and reports that you wrote at the attorney’s direction.
In Actual Practice
No matter what you believe to be admissible, responsive, or otherwise, it is ultimately up to a judge to decide what will be produced and admitted into the court and what will not. This is important to remember because, no matter how technically correct your argument is, the law does not work like programming logic, as some IT people like to think: a human being will apply his or her rational thinking and past case law with regard to the issue to reach a decision.
What Type of Witness Are You?
As a computer forensic examiner, you can serve multiple roles in a legal proceeding. In a civil court, you can be appointed as a fact witness, an expert consultant, or an expert witness. In a criminal court working for the plaintiffs, you will typically be appointed as a fact witness or expert consultant only. Your role determines your involvement with the lawsuit, the scope of any testimony you provide, and the admissibility of any of your work in the case beyond the forensic images you’ve created. Remember that you do not decide the role you will be assigned; the outside law firm will work with your company’s legal department to decide who will be placed in which role. If you are acting as an outside consultant, you can additionally be appointed as a special master or a neutral. This section covers the duties of each role and what will be expected of you.
LINGO
A witness is someone called upon to testify in a court of law or in a deposition. Anyone can be a witness if he or she has information relevant to the case and has first-party knowledge of the information.
As a witness, you have first-party knowledge of the event—that is, you personally witnessed the event to which you will be testifying. If you heard the information from another party, repeating it would be considered hearsay because you did not personally witness it. When acting as a computer forensic examiner, first-party knowledge means that you personally reviewed an image or tested an artifact to prove its meaning. When presenting evidence, you must show that you had first-party knowledge in order to testify to something and have it entered into evidence. As an expert witness, you are allowed to rely on other people’s statements, which otherwise would be considered hearsay evidence, but that is the only exception to the first-party knowledge rule.
Fact Witness
A fact witness is the most common role for a first-time computer forensic examiner. As a fact witness, your job will be to attest to the facts about how you obtained evidence, plus anything you personally experienced that cannot be re-created from the forensic image.
Your Role
You will bear witness to the facts you personally know. Your first-party knowledge is the basis for the court admissibility of the forensic images you create.
Limits of Testimony
As a fact witness, your testimony will be limited to your qualifications in respect to your role in the case (such as creating a forensic image) and the events that occurred around the facts to which you are testifying. For example, you might be called to testify regarding the creation of the forensic image you made. In your testimony, you would be asked what education you’ve received, what forensic training you’ve received, whether you have any certifications, and what experience you have in computer forensics. These questions will explain your qualifications and be used to judge your statements.
Discovery and Admissibility
Your correspondence with attorneys will be considered attorney-client privileged and is therefore not discoverable. You will not have to produce this correspondence, so you can speak candidly in your e-mails with attorneys. Any notes or reports you made involving the investigation will be discoverable, however, if you make reference to them in your testimony. At a minimum, you may be asked to provide the chain-of-custody documents you created.
Expert Consultant
As an expert consultant, you are involved in advising outside law firm attorneys on technical and other details regarding the facts at issue. You act as a consultant to help others understand the technical details of your investigation, but you will not be called on to testify or give a deposition.
Your Role
Your role as an expert consultant is that of an advisor. You will be given access to all materials generated in the lawsuit, even those normally covered under protective orders, so that you can advise the legal team regarding technical issues. How involved you get with the case—from attending hearings to providing questions in depositions—depends on how much assistance your legal team needs.
Limits of Testimony
As an expert consultant, you should not be called on to testify.
Discovery and Admissibility
Expert consultants enjoy full privilege regarding e-mails and documents created while advising the legal team. Those e-mails and documents should be considered work products and are thus inadmissible unless ruled otherwise.
Expert Witness
As an expert witness, you’ll review the evidence, testimony, and facts of the case to form an opinion. You then deliver that opinion in the form of a formal written report and through testimony both in a deposition and at trial.
LINGO
In a deposition, you are asked to give testimony and have it recorded by a court reporter. It will be attended by lawyers from both the plaintiff and defendant who will take turns asking you questions. You cannot ask questions at a deposition, but during a break you can advise your legal team of questions you think they should ask you.
Your Role
As an expert witness, your role is designated by your legal team. They will formally designate you as an expert on a specific topic, such as computer forensics, and the opposing legal team will also know who you are. You will form an opinion based on the evidence in the case, testimony, and facts in your possession and defend that opinion when challenged.
Note
To qualify as an expert, the federal courts and all but six states recognize the Daubert standard, which says that to qualify as an expert, you must show that you have knowledge of the subject based on your experience, education, or training. Having sufficient knowledge in all three of these categories just makes you a great expert witness. During the first part of your testimony, you will be asked questions to determine whether you meet this standard in what is known as voir dire.
Limits of Testimony
You can be questioned on your experience, education, training, past opinions, past testimony, current opinions, and anything else a judge deems relevant. You can also be asked questions regarding discussions with attorneys and your client.
Discovery and Admissibility
As of December 2010, experts’ e-mails and report drafts are no longer automatically discoverable in federal court. However, they still may be discoverable at a local state court. Ask your legal team about the rules regarding the discovery of your e-mails and report drafts before you send them.
In Actual Practice
Don’t rush into being an expert witness. As an expert witness, all your prior testimony as an expert witness is admissible every time you testify, unless it is under seal because of the topics you are discussing. This means that if you go up as an expert witness before you feel ready, find yourself suddenly contradicting yourself, and have a jury instructed to ignore your testimony, this can and will follow you for the rest of your career. Although being an expert witness is the end goal for most computer forensic investigators who want to see their investigation to its conclusion in the legal system, being ready for what comes with it will ensure that you can continue to do the work.
Special Master
A special master is a unique role in that it is not something your legal team can appoint. A special master is appointed by a judge in a case to answer a question for the court. They typically are appointed only when the parties in a lawsuit either can’t agree on a fundamental fact of the case or can’t answer a judge’s question to his or her satisfaction.
Your Role
A special master is an agent of the court, which means that the judge gives the special master the authority to request evidence, request people to attend depositions, and conduct onsite inspections to find the truth for the judge. The special master’s role ends with a report to the judge detailing his or her findings and an answer to the court’s question.
Limits of Testimony
Typically, special masters are not deposed; they deliver their reports directly to the judge.
Discovery and Admissibility
The master’s report is available for both parties to review, but his or her work product is typically only for the judge’s review.
Neutral
A neutral is a third party whom the plaintiff and defendant mutually agree to engage to review evidence. The neutral is different from a special master, because the neutral is not selected by the judge, nor does the neutral have any authority to demand the production of any data.
Your Role
Typically, you’re engaged as a neutral when there is a contested piece of evidence that one party wants to review but does not trust the opposing party to disclose fully. In such situations, rather than allow a “hostile expert” to have full access to the evidence, the evidence will be given to a neutral expert, who will review the data and then report his or her findings. How the neutral reports and what is reported, searched for, and produced is up to the agreement of both parties.
Limits of Testimony
Neutrals typically do not give testimony unless their work is in question.
Discovery and Admissibility
Neutrals are not retained exclusively by either party, so no e-mails or documents created by the neutral should be considered privileged, unless otherwise agreed to.
Writing Reports for Court
Chapter 16 discussed how to write internal reports, but it did not address report writing for the courts. Different courts have different requirements for the report formatting, but the basic information is always the same. This section covers what you must include in a report to the court.
Declarations in Support of Motions
Declarations and affidavits don’t vary much from the descriptions in Chapter 16. Any difference would be based on what your role is and any change in how you start the document. Typically, you will include the name of the lawsuit and what party you are working for. Figure 17-1 shows part of an example declaration. To get a copy of this, go to www.learndfir.com.
Figure 17-1   Declaration of David Cowen
Expert Reports
Expert reports are different from other reports, because they have strict requirements regarding what must be included. You must state the following:
 
•   Who retained you
•   Your educational background
•   Any training you have received
•   Any certifications you hold
•   What experience you have
•   What other cases you’ve testified in as an expert witness
•   What you are paid for your work as an expert witness
•   What you have reviewed in forming your opinion
 
Figure 17-2 shows an example of an expert report.
Figure 17-2   The skeleton of an expert report
Creating Exhibits
Rather than try to embed spreadsheets, images, or other artifacts within the report, you may find it easier to refer to them as exhibits and attach them separately. Your exhibits don’t have to be printed out; they can also be stored on a CD/DVD or other storage device and provided with the report.
LINGO
An exhibit is any supporting document that you include with your report. If including supporting data would make your report unfriendly or unreadable, such as a spreadsheet of copied files, it’s better to supply it as an exhibit to your report.
There are two ways to present exhibit documents. If a document renders (prints) well in the PDF or TIFF format, you can place the printed document at the end of your report with full page separators indicating which exhibit follows. If the exhibit will not render well, name it using the exhibit letter or number that you specify in the report and place the document in the same directory as your report on whatever medium you are handing it over on.
Working with Forensic Artifacts
When you are presenting a forensic artifact as an exhibit, make sure that the exhibit is self-explanatory, is explained in your report, or includes a description within the exhibit itself. If you leave the interpretation of an artifact to the reader, your report and exhibit could be misunderstood or used against you.
LINGO
In legal parlance, native refers to the data as it was found. In the legal world, most documents are converted to PDF or TIFF before they are reviewed or produced. So when you are discussing producing a document, explain that you can produce it in the native format if you can’t save the document as a PDF or TIFF.
We’ve Covered
You’ve made it to the end of the book. In this chapter, you’ve learned about the end of your involvement in a forensic investigation—supporting your findings in a court of law. The best advice I can give you as you take what you’ve learned in this book and apply it to your career is what an attorney told me once: “You are just a part of the overall case, an important part, but just a part.” Don’t lose perspective that your work, although important, is not on its own going to lead to a favorable verdict for your client. Many equally important legal facts, testimony, and damage claims will be introduced, which you have nothing to do with. Keep your reports clean and your testimony to the facts, and I might just see you across the courtroom someday.
What type of witness are you?
 
•   Different types of witnesses can be required.
•   Witness rules and duties vary depending on type.
Writing reports for court
 
•   Affidavits and declarations are required for court.
•   An expert report must meet certain requirements.
Creating exhibits
 
•   You can present exhibits with your report.
•   Exhibits should be clearly explained.
•   You also may need to present artifacts for review.