Chapter 11: Expert Witness Ethics

This is the final step in your digital forensic investigation: you, as the investigator, have received a subpoena to testify in a judicial or administrative hearing. Now, it is time for you to explain your actions and findings to an unbiased third party, that is, the jury. It does not matter how good or strong the evidence you found during your digital forensic investigation is if you cannot testify effectively. You must be able to testify and authenticate the evidence and your actions.

I know some digital forensic investigators who hate to testify. They love the collection of evidence; they love doing the exam and finding the relevant artifacts, but to get them into a judicial/administrative proceeding is very difficult. The first time you walk into a courtroom, it can be an intimidating environment. You may not know the rules, the procedures, and you may be afraid of making mistakes. To overcome those issues, you will need to prepare yourself. 

We'll be covering the following topics in this chapter:

  • Understanding the types of proceedings
  • Beginning the preparation phase
  • Understanding the curriculum vitae
  • Understanding testimony and evidence
  • Understanding the importance of ethical behavior

So, let's jump in and start talking about how to prepare to testify in a judicial/administrative proceeding.

Understanding the types of proceedings

There are a variety of proceedings where you may be called to testify or to present evidence. We will discuss some of the more common proceedings that you may encounter. (The following are US-based proceedings; your jurisdiction may differ.)

  • Grand jury: A grand jury is a panel of citizens empowered to investigate potential criminal conduct and to determine whether the conduct requires criminal charges. A grand jury will have subpoena powers that could include compelling testimony or requesting physical evidence.
  • Arraignment: This is the formal reading of a criminal complaint. The accused is present and informed of the charges.  At this hearing, the accused will plead guilty/not guilty.
  • Detention hearing: This is a proceeding before a judge to determine whether the accused is to be detained/released while the matter is progressing in the criminal justice system.
  • Evidentiary hearing: This is a hearing before a judge to examine the potential evidence that will be presented to the jury. The judge can exclude or limit the evidence that may be offered.
  • Trial: This could be a criminal or civil matter. Here, both sides present evidence to the fact-finder (judge/jury), and you may be called to testify during the case in chief, as well as the sentencing portion.
  • Deposition: This is a sworn testimony that occurs outside of the confines of the court and is commonly used in civil litigation proceedings. Typically, there will not be a judge present, only the attorneys and the witness.

As you can see, there are several occasions where you may be called to testify or to take part. Treat every avenue as if you are taking part in a jury trial. Ultimately, it should not matter in which aspect of the system you will be testifying. You will still need to prepare in the same manner.

There are many moving parts within the courtroom. Let's discuss some participants you may encounter as a digital forensic investigator:

  • Judge: This is the supreme being overseeing the matter. The judge will determine all motions during the trial.
  • Court reporter: A court officer responsible for creating the official record of proceedings.
  • Court clerk: A court officer responsible for administrative issues within the courtroom.
  • Bailiff: A court officer responsible for maintaining order and dignity in the courtroom.
  • Prosecutor: A representative of the sovereign who will present the government's case against the accused.
  • Defense attorney: Represents the accused in the matter being presented in the courtroom.
  • Plaintiff: In civil proceedings, this is the party that is claiming that the actions of the defendant have harmed them.
  • Defendant: The accused in a criminal/civil matter.
  • Jury: A panel of citizens who will determine the guilt/innocence of the defendant.
  • Witnesses: Individuals who have knowledge of the incident in question and can present evidence in the matter.

As a digital forensic investigator, your role may be that of an expert witness. Being called to testify can be stressful; remember that your ability to reduce this stress lies in your preparation. Part of your preparation will be becoming familiar with the process and its participants. The more knowledge you have of your jurisdiction's criminal and civil procedures, the more comfortable you will be as you navigate through the process.

In a criminal matter, the process begins when the accused is arrested, or a warrant is issued. The accused is taken before a judge (after being arrested) and is arraigned. A preliminary hearing is held, where the judge decides whether probable cause exists to go forward with a trial. Alternatively, the matter could go before a grand jury, where they will determine whether an indictment is warranted.

There will be several hearings before the matter is presented at a trial. Once the matter goes to trial, the prosecution representing the sovereign will present their case through the presentation of evidence and witnesses. The defense will be able to cross-examine each witness immediately after the prosecution has conducted its direct examination.

Once the government rests their case, the defense has the option of presenting a case, or if they feel that the government did not present enough evidence to overcome reasonable doubt, then they may rest also.

Once both parties have rested, then the judge will give the jury instructions on how they must proceed in their deliberations. 

Before you get to the proceedings where you may testify, you must be ready. This is not something you can walk into without preparing.

Beginning the preparation phase

As a digital forensic investigator, your role in a judicial/administrative proceeding can be defined in two ways:

  • Witness (also referred to as a lay or fact witness): You will testify about events you observed. You are just presenting facts that you have personal knowledge of, such as where the evidence was found.
  • Expert witness: You can testify to everything a lay/fact witness can, but now you may offer your opinion. You form your opinions based on your training and experience as a digital forensic investigator. It is your ability to provide an opinion that makes you an expert witness.

Your preparation starts with your participation in the investigation. You should treat every investigation as if it will go to trial and you will have to testify. No matter which side you are on in the judicial/administrative proceeding, start communicating with the attorney at the very beginning. Discuss what they need for a successful outcome. You want to learn everything you can about the participants, that is, the suspects, victims, and attorneys of the proceeding. Educate yourself about the points of dispute of the proceeding. 

For example, if the point of dispute is the willful and knowing possession of illicit images, what artifacts show/do not show that the subject willingly and knowingly possessed the illicit images? As you work to answer this question, you have the responsibility to inform the attorney when you find information that proves or disproves the point of contention.

I can almost guarantee there will be an expert witness on the opposition team. You will want to learn about them. You will want to review their curriculum vitae, learn about their experience, their education, and their certifications. If possible, review their prior testimony.

I remember one incident where I was called to testify as an expert witness in a motion hearing. During the hearing, I was on the stand for over 4 hours being questioned by the prosecution, the defense, and the judge. Once my testimony had been completed, the opposition's expert witness was called to the stand. One of the first questions asked by the judge was, "You have heard Mr. Oettinger's testimony, is there anything you disagree with about his opinions on the state of the evidence?" The opposing expert witness thought for a moment and replied, "No." I will say that it was a powerful moment for me. Having another professional in my field validate my findings and opinions during a contested trial is something I strive for.

As you are preparing for your testimony, you are trying to answer the following questions:

  • What is the theory of the case?
  • Does my theory fit within the facts of the case?
  • What facts are central to my testimony?
  • What facts can I confirm or cannot confirm?

I cannot emphasize this enough: review your report and your notes before you take the stand and testify in the proceeding. Practice answering questions. Key to the preparation phase is working with the attorney so that you both have a clear understanding of the state of the evidence and your interpretation of the evidence. Before you can be appointed as an expert witness in a matter, you will have to be approved by the judge.

To begin the review process, you will have to submit a curriculum vitae, which is the next topic. 

Understanding the curriculum vitae

A curriculum vitae (also known as a CV) is a document you create that outlines your education and experience, as well as your certifications and memberships in professional organizations. The court and attorneys who determine your qualifications as an expert witness will use your CV to make that determination. The contents of your CV will contain a synopsis of what makes you an expert; it will highlight all your experiences that make you an expert in your field.

There is no specific format you have to use when creating your CV, but all of them will contain the same content, as it is the history of your professional life.

At the top of the CV will be your name and contact information. This ensures that your name is spelled correctly throughout the proceeding and when added to the witness list.  You will also want to identify the field you are an expert in. If the attorney, judge, or court clerk is dealing with multiple experts in a matter, this helps to identify the area of testimony that you may be asked to speak about. You will also want to include a contact number, email address, and physical address. This allows for all parties to contact you. Also, your CV may be shared with other attorneys in different matters, and they will use that information to solicit you for additional opportunities.

Note

A note about the address used on your CV. You should not include your home address.  You may testify in a matter that could deal with physical violence or the potential for incarceration. It does not matter which side you testify on; someone will likely be unhappy with the results. If you are working for an organization, use the organization's address. If you are working for yourself, I recommend getting a PO Box or a private mailbox.

You will then create a summary of your biography. This will include a synopsis of your career, education, and experience.

Next is the bulk of your CV, where you list your formal education and work history. You can use the following categories to organize the information being presented:

  • Formal education: Degrees, certificates awarded.
  • Employment history: As it relates to the field.
  • Teaching experience: This will cross over with your employment history. Keep it relevant to the field you will testify about in the proceeding.
  • Licensing/professional membership: List the relevant professional organizations you belong to. If the government requires licensure, be sure to include that as well.
  • Publication: If you have authored a book, white paper, an article, or a blog, identify the publisher's name and address, as well as when the item was printed.
  • Awards: If you have received an award for your work in the field, please list it.
  • Previous testimony: You should list the previous cases where you have been appointed as an expert. This does not have to include a summary of the matter; instead, the use of a simple US v Smith (2015) will suffice.

Do not get caught up and overthink the CV by including everything. You will want to keep the content pertinent to the specific matter and what subjects will come into play during your testimony.  You want to stay focused on the field-specific items; whether you graduated high school or worked at a fast-food restaurant during college isn't relevant.  You are only providing the information needed for the judge/attorneys to determine whether your education and experiences qualify you as an expert witness.

When drafting your CV, I cannot emphasize enough that you refrain from adding information that is not true and accurate.  I can understand wanting to pad the document to make it appear you are the best candidate, but if you lie about your CV and continue to lie after being appointed as an expert and testify, you could face severe repercussions when the lie is discovered.

Note

In 2016, the government arrested Chester Kwitowski after he provided false information about his education, experience, and credentials. At the time of his arrest, defense teams had hired him for five additional pending matters. Historically, he also provided expert testimony in state and federal court over 50 times. The prosecutors determined that the educational degrees Kwitowski claimed to have received did not exist, nor was there any record he had completed the professional certifications he claimed. Kwitowski claims to have worked with NASA, but the organization denied any involvement or work history with Kwitowski. Kwitowski also had a criminal history dating back nearly 20 years that included charges of battery, domestic violence, and aggravated battery with a deadly weapon.

At the time of writing this book, in 2020, Kwitowski is pending prosecution for two counts of giving false statements during the prosecution of a capital felony and three counts of perjury.

After you are requested to be an expert in the matter and you have submitted your CV, there may be a hearing to determine your qualifications as an expert. The bailiff will swear you under oath and you will take your seat on the witness stand.  Each counsel will ask you questions in order to assess your qualifications to be an expert in the matter at hand.  In some jurisdictions, the judge may also ask you questions.  The judge will make a ruling to either approve or disapprove you acting as an expert. 

If the judge approves you, then you will work closely with the attorney that requested you and work with them to determine the pros and cons of the matter.  On the day of the trial, the attorney may call you as a witness in the matter and you will have to testify. We will cover this in the next section.

Understanding testimony and evidence

You are at the point in the trial where you are asked to take an oath and promise to tell the truth.  You then take your seat, and the focus of the room is on you.  You may have the judge sitting next to you at an elevated position.  Across from you, you may see two tables. One table will be hosting the prosecution, which could be one or more attorneys.  At the next table will be the defense, which can also comprise more than one attorney and the subject of the trial.  There could also be a jury box that could contain 12 or more citizens whose job is to determine the guilt or innocence of the accused.  Every single one of them is now watching you.  This can be a little stress-inducing.  Take a deep breath and focus on the questions that are being asked of you.

Your testimony will comprise technical details and your expert opinion.  The technical information will include you explaining complex technical issues in simple terms.  This enables the non-technical audience, that is, the judge and the jury, to understand what occurred and how it is being described.

You will want to speak in a slow, deliberate manner.  This ensures your audience, including the jury and the court reporter, can understand the concepts you are relaying.  You also want to add analogies to help explain the complex technical subject.

I remember a trial I was part of a few years back.  I was the defense's expert in a matter that dealt with digital evidence and the possession of illicit images.  While reviewing the reports, there were issues in the method that was used in the seizure of digital evidence.  Based on the information in the reports, the computer systems were not seized in the method that would conform to best practices at that time.  I informed the lead attorney about these issues as he was preparing to cross-examine the lead agent who was responsible for the seizure.  The lead agent did not have a significant amount of experience testifying.  During the cross-examination, the agent was not testifying as effectively as they could have. When the subject of the seizure of the digital evidence was started, the agent admitted to violating the "prime directive" of seizing digital evidence.

I asked myself the same question that is going through your mind: What is the prime directive? My only reference for the prime directive is watching episodes of the TV show Star Trek.  What occurred is that the attorney conflated best practices with the prime directive, which the agent agreed he violated.

Once the trial was complete, I had coffee with the agent, and I asked him why he answered that he violated the prime directive.  He stated that he had just been worn down by the questions of the defense attorney and did not want to appear stupid in front of the jury or his peers.  I can understand that.  Let's now talk about how to prevent that.

If the lawyers ask you a question you do not understand, it is perfectly acceptable to answer "I am not sure what you are asking, could you rephrase the question" or "I do not know."  All are very valid answers.  You may also be asked a question outside your expertise. Answer that question as "that is beyond the scope of my expertise" or "that was not part of the investigation."

Lawyers love to ask exceedingly complex questions; you have the right – if not the duty – to ask for clarification for any question you do not understand. Sometimes, lawyers will ask you a question that requires a narrative answer but want a firm yes or no answer. Your answer should be "that is not a yes or no question, but one that requires a more detailed response."

Your words are not the only thing your audience is using to grade your credibility. Your physical appearance, your tone, and your posture convey your attitude to your audience. If you take the stand in a rumpled suit, tie undone, and shirttail untucked, you will not be as effective as if you are wearing a freshly pressed suit, properly tied tie, and looking and answering questions like a professional. The following are some guidelines to consider when testifying:

  • Do not argue with the attorney: You are an unbiased professional.  You need to answer the questions to the best of your ability.  If you get into an argument with the attorney, it does not help the audience understand the evidence.  In fact, they may discount your testimony because of the appearance of bias.
  • Speak clearly and slowly: If your audience cannot understand what you are saying, you are not as effective as a witness.
  • Avoid slang and acronyms: Remember that you are translating a technical topic for a non-technical audience.
  • Do not be a comedian: Do not make a joke; this is a serious situation.  Someone's freedom could be at stake; it is not the place to be humorous.
  • Listen to the entire question: Do not interrupt the attorney and try to answer what you think the question is.  Only answer the question that was asked.

Remember, you are an unbiased advocate.  Your job is to assist the fact-finder in determining what occurred based on the evidence.

Digital evidence caused some issues with the rules of evidence when it was first used in a judicial proceeding.  You will want to follow all the best practices in the collection of digital evidence to ensure its integrity.  By being able to demonstrate your efforts to ensure the integrity of the digital evidence, you will reduce the likelihood of the judge excluding the digital evidence.

All evidence must be authenticated.  This means there must be a witness to testify about their knowledge of the evidence being presented.  If a photo is being presented as evidence, the photographer must attest that they took the photo. 

With digital evidence, the digital forensic investigator must testify that the evidence being presented is based on an exact and true copy of the original.  Remember, we do not want to conduct our digital forensic examination on the original evidence.  Digital evidence is very fragile, so we need to create an exact and true copy that can be validated using hashing.
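The hash validation described above, as an added example that is not part of the book: the digests recorded at acquisition are compared with digests recomputed over the working copy, so the examiner can testify that the copy is bit-for-bit identical. The function names, file names, chunk size, and the choice of MD5 plus SHA-256 are assumptions made for illustration, and the image data is constructed.

```python
import hashlib
import os
import tempfile

# Assumption: 1 MiB reads, so a multi-gigabyte image is never loaded into memory at once.
CHUNK_SIZE = 1024 * 1024


def hash_image(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hex digest} for the file at path, reading it once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK_SIZE), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_copy(copy_path, recorded):
    """Compare a working copy against the digests recorded at acquisition.

    `recorded` maps algorithm name to the hex digest written in the
    acquisition notes. Every recorded algorithm must match for the copy
    to count as verified; the returned dict can go straight into the report.
    """
    computed = hash_image(copy_path, tuple(recorded))
    mismatched = sorted(
        name
        for name, expected in recorded.items()
        # Notes are often written in upper case or with stray whitespace.
        if computed[name] != expected.strip().lower()
    )
    return {
        "path": copy_path,
        "size_bytes": os.path.getsize(copy_path),
        "computed": computed,
        "mismatched": mismatched,
        "verified": not mismatched,
    }


def demo():
    """Build a constructed 'image', one exact copy and one copy with a single
    flipped bit, then verify both against the digests of the source."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "source.dd")          # hypothetical names
        good_copy = os.path.join(workdir, "copy_good.dd")
        bad_copy = os.path.join(workdir, "copy_altered.dd")

        # Constructed stand-in for a disk image; large enough to span several chunks.
        data = b"constructed sample sector " * 150000
        altered = bytearray(data)
        altered[CHUNK_SIZE + 10] ^= 0x01  # one bit changed in the second chunk

        for path, content in ((source, data), (good_copy, data), (bad_copy, altered)):
            with open(path, "wb") as handle:
                handle.write(content)

        recorded = hash_image(source)  # what would be written in the acquisition notes
        return verify_copy(good_copy, recorded), verify_copy(bad_copy, recorded)


if __name__ == "__main__":
    good, bad = demo()
    for result in (good, bad):
        status = "VERIFIED" if result["verified"] else "MISMATCH " + ",".join(result["mismatched"])
        print(os.path.basename(result["path"]), result["size_bytes"], status)
```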

For the evidence to be admitted in court, it must be reliable and credible, relevant to the facts of the matter, and material to an issue that is being questioned.  If the evidence was collected in a manner the court determines to be illegal, then that evidence is tainted and can be excluded.

When you (or someone in your organization) collects the digital evidence, you want to make sure that the original evidence was preserved in the state that it was found.  If you collected volatile data, explain to the court your reasoning for doing so.  The collection of volatile data will cause changes to the system and alter the original state of the evidence.

As you can see, this process can be overwhelming.  While conducting your digital forensic investigation, you may find yourself in a situation in which you question what the right thing to do is.  This is an ethical dilemma, which leads us to our next topic.

Understanding the importance of ethical behavior

You have the responsibility to conduct due diligence, be truthful, and be objective during your digital forensic investigation.  Your personal and professional ethics determine the baseline of your behavior.  Failure to act ethically during your digital forensic investigation can cause the evidence to be excluded and/or result in you facing professional repercussions.

As a digital forensic investigator, you have specialized knowledge that has the potential for misuse.  Failure to follow up on potential leads you discovered during your forensic examination is an ethical lapse that could have repercussions on you, a third party, or your organization.

What is the definition of ethics? It is the moral principles that govern the behavior of an individual or activity. It is not a distinct standard; it will depend on your culture to determine what is acceptable and what is not. In a professional setting, an organization may declare a professional set of ethics. 

The International Association of Computer Investigative Specialists (IACIS) is an organization I belong to, and because of my membership, I agree to follow their Code of Ethics.

The following Code of Ethics is taken from https://www.iacis.com/wp-content/uploads/2018/02/IACIS-Code-of-Ethics-and-Professional-Conduct-2017-V-1.3.pdf:

IACIS personnel will advise and provide assistance to other IACIS personnel within the scope of their legal authority.

IACIS personnel will be honest and ethical when dealing with each other.

IACIS personnel must respect the rights and authorities of the directors, fellow members, and individuals encountered as a result of their membership in IACIS or in connection with IACIS sponsored or sanctioned activities.

IACIS personnel's actions, when representing or acting on behalf of IACIS, must be free from discrimination, libel, slander or harassment. Each person must be accorded equal opportunity, regardless of age, race, sex, sexual preference, color, creed, religion, national origin, marital status, veteran's status, handicap, or disability.

IACIS personnel may not misrepresent their credentials, employment, education, training and experience, or membership status; nor may they misrepresent the credentials, employment, education, training and experience, or membership status of any other member of IACIS.

IACIS personnel may not issue public statements that appear to represent the position of IACIS without specific written authority from the Board of Directors.

IACIS personnel must not commit any act of professional dishonesty.

IACIS personnel may not knowingly submit, aid, or abet the submission of plagiarized or any non-uniquely authored piece of work during any phase of an IACIS certification process or test. To do so will be considered to have been a dishonest act.

IACIS personnel have an obligation to report acts or suspected acts of dishonesty committed by IACIS personnel. Failure to report acts or suspected acts of dishonesty will be considered to have been a dishonest act.

IACIS personnel's criminal convictions are a serious affront to the ideals of IACIS and, as such, are not tolerated.

IACIS personnel have an obligation to fully and honestly cooperate with any investigation or inquiry conducted at the direction of the IACIS Ethics Committee or members of an IACIS Investigative Team.

Does that code of ethics apply to all digital forensic investigators? No. The ethics of an organization apply specifically to that organization. You can take that framework and use it in your professional and personal environments. You will notice that the only portion dealing with a digital forensic investigation is the one that states that IACIS personnel must not commit any act of professional dishonesty.

That is a broad statement. It is not a clear line in the sand of what is allowed or not allowed. Determine what is ethical as you perform your duties as a digital forensic investigator.

The International Society of Forensic Computer Examiners (ISFCE) has a much more specific code of ethics regarding professional behavior during a digital forensic investigation.

The following Code of Ethics has been taken from https://www.isfce.com/ethics2.htm for your reference:

Demonstrate commitment and diligence in the performance of assigned duties.

Demonstrate integrity in completing professional assignments.

Maintain the utmost objectivity in all forensic examinations and accurately present findings.

Conduct examinations based on established, validated procedures.

Abide by the highest moral and ethical standards and abide by the Code of the ISFCE.

Testify truthfully in all matters before any board, court, or proceeding.

Avoid any action that would knowingly present a conflict of interest.

Comply with all legal orders of the courts.

Thoroughly examine all evidence within the scope of the engagement.

This code of ethics contains definitive language about what is allowed or not allowed by members of their organization who have certified as a Certified Computer Examiner (CCE). Members and non-members alike should use this code of conduct whenever they are conducting a digital forensic examination.

Maintaining a code of ethics in your professional life allows you to keep your objectivity during the investigation. If you cannot be impartial, you should not be a party to the investigation. I recently took part in a motion hearing to determine whether they should appoint me as an expert. After they questioned me about my qualifications, education, and experience, I was asked my opinion about the state of the evidence I have reviewed. On cross-examination, the prosecution told me, "Your duty as an expert is to find things wrong in the evidence." My reply was that as an expert, my job was to see whether I could recreate the examination and achieve the same results and conclusion. If the information I found was detrimental to the theory supported by the defense or the prosecution, I would disclose it no matter which side of the matter I was appointed to represent. With digital forensics, the data is the data; there is not a lot of interpretation about what the data means.

As you gain training and experience, I recommend that you achieve industry-specific certifications. The possession of certifications does not guarantee or make you an exceptional digital forensic investigator. A certification states that you have met the minimum standards of that organization. It does not mean you cannot make a mistake or come to the wrong conclusion. It also ensures that you are keeping current with the changes in the field. What was acceptable 5 years ago may not be acceptable now because of changes in technology or the law. Your training never stops as you pursue a career in this field.

Ethics is doing the right thing when no one is looking. If you compromise your ethics, you can negatively affect your career and investigation. Remember that your goal is to be unbiased and present the facts of the matter to the fact-finder. You are not an advocate for either side of the matter and you now have the knowledge to accomplish that goal.  

Summary

During this chapter, you learned how to prepare to give testimony in an administrative or judicial proceeding.  You can now identify the different proceedings and the participants.  You can also create a CV and differentiate one from a resume.  You also have the skills to ensure that you conduct your digital forensic investigation and exam while maintaining your objectivity and impartiality through the use of a code of ethics.

Thank you for your efforts and for working through my book! I am confident that you can use the skills you've learned here and apply them to a real-world setting.

Questions

  1. An expert witness can offer _______________.

    a. Testimony

    b. Facts

    c. Opinion

    d. Hearsay evidence

  2. Preparation starts ________________.

    a. When you receive a subpoena

    b. When your supervisor tells you to begin

    c. When the judge calls you

    d. When you start the investigation

  3. Which court officer represents the sovereign?

    a. The judge

    b. The prosecutor

    c. The court reporter

    d. The bailiff

  4. In a trial, the fact finder will be who?

    a. The jury

    b. The grand jury

    c. The judge

    d. The attorney

  5. Which of the following should you NOT include on a CV?

    a. Formal education

    b. Teaching experience

    c. Professional memberships

    d. Salary

  6. Which of the following is an appropriate answer to a question you do not understand?

    a. I do not know.

    b. You should try and guess.

    c. Ask to repeat the question.

    d. Look to the judge for help.

  7. Why should you adhere to a code of ethics?

    a. To maintain your impartiality

    b. To make sure the correct side wins

    c. To ensure the accused is found guilty

    d. To keep your certification

The answers can be found at the back of this book. 

Further reading

Refer to the following sources for more information:
