Evidence-Handling Tasks

A system forensics specialist has three basic tasks related to handling evidence:

  • Find evidence: Gathering computer evidence goes beyond normal data recovery. Finding and isolating the evidence that proves or disproves an allegation can be difficult: investigators may need to sift through thousands of active files and fragments of deleted files to find the one that makes a case. System forensics has therefore been described as looking for one needle in a mountain of needles. Examiners usually work in secure laboratories, where they check suspect machines for malware and keep each case's data isolated to avoid cross-contamination.

  • Preserve evidence: Preserving computer evidence is important because data is easily destroyed. The 1s and 0s that make up data can be hidden or wiped in an instant with the push of a button. Forensic examiners should therefore assume that every computer has been rigged to destroy evidence and proceed with care when handling computers and storage media.

  • Prepare evidence: Evidence must be able to withstand judicial scrutiny, so preparing it requires patience and thorough documentation. Failing to document where evidence came from, or failing to show that it has not been changed since it was collected, can ruin a case. Judges have dismissed cases because of such failures.
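The "preserve" and "prepare" tasks above come together in one routine step: make a bit-for-bit image, hash both the source and the image, and write down who acquired what, when, and with which digest. The following is an added example, not code from the page or from any forensic tool; the "device" is a constructed file standing in for a block device, and the case ID, examiner name and record fields are placeholders chosen for the example.

```python
"""Bit-for-bit acquisition with hash verification and a chain-of-custody record.

Added example, not from the original page. The "device" is a constructed
file standing in for a block device; case/examiner names are placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read and write in 1 MiB blocks


def sha256_file(path):
    """Hash a file in chunks so multi-gigabyte images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(src_path, dst_path):
    """Copy every byte of src to dst; return the SHA-256 of the bytes read.

    Hashing while reading means the source is read exactly once, and the
    digest describes precisely the bytes seen at acquisition time.
    """
    h = hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()


def acquire(src_path, dst_path, case_id, examiner):
    """Image the source, re-hash the image from disk, write a custody record."""
    acquired_at = datetime.now(timezone.utc).isoformat(timespec="seconds")
    source_digest = image_device(src_path, dst_path)
    os.chmod(dst_path, 0o444)             # master image is never opened for writing again
    image_digest = sha256_file(dst_path)  # independent read-back of what landed on disk
    record = {
        "case_id": case_id,                # placeholder field names
        "examiner": examiner,
        "source": os.path.abspath(src_path),
        "image": os.path.abspath(dst_path),
        "acquired_at_utc": acquired_at,
        "size_bytes": os.path.getsize(dst_path),
        "sha256_source": source_digest,
        "sha256_image": image_digest,
        "verified": source_digest == image_digest,
    }
    with open(dst_path + ".json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(image_path, custody_record):
    """Re-hash an image and compare with the digest recorded at acquisition."""
    return sha256_file(image_path) == custody_record["sha256_image"]


def demo():
    """Image a constructed 'device', verify it, then show a tampered copy failing."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "sdb")             # stands in for a real block device
        image = os.path.join(tmp, "case0001-sdb.dd")  # placeholder image name
        with open(device, "wb") as f:
            # Constructed content: a live file, a "deleted" fragment and slack padding.
            f.write(b"LIVE:invoice.txt\x00" + b"DELETED:ransom_note" + b"\x00" * 4096)
        record = acquire(device, image, case_id="CASE-0001", examiner="J. Doe")
        results["verified"] = record["verified"]
        results["size_matches"] = record["size_bytes"] == os.path.getsize(device)
        results["reverify_master"] = verify_image(image, record)
        results["digest_len"] = len(record["sha256_image"])

        # Analysis is done on a working copy; flipping one bit there must be caught.
        working = os.path.join(tmp, "working.dd")
        with open(image, "rb") as f:
            data = bytearray(f.read())
        data[0] ^= 0x01
        with open(working, "wb") as f:
            f.write(data)
        results["tampered_copy_verifies"] = verify_image(working, record)
        os.chmod(image, 0o644)  # let the temporary directory clean up
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The JSON record is the documentation the "prepare evidence" task asks for: anyone can later re-hash the master image and show, by comparing against `sha256_image`, that what is presented in court is what was taken from the device. Hashing the source stream and the written image separately also catches a bad write, not just later tampering.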

Evidence-Gathering Measures

Here are principles to use when you gather evidence:

  • Avoid changing the evidence: Photograph equipment in place as you find it before you remove it. Label wires and sockets so that you can put everything back as it was once the computers and other equipment reach your lab. Transport items carefully, and avoid touching the surfaces of hard disks or CDs. Make exact bit-by-bit copies, ideally through a write blocker, record a cryptographic hash of both the original and the copy so you can later show they are identical, and store the copies on a medium such as a write-once CD.

  • Determine when evidence was created: Create timelines of computer usage and file access. This can be difficult, because there are many ways to falsify timestamps, but a timeline can make or break a case.

  • Trust only physical evidence: The 1s and 0s of data are recorded at the physical level of the storage medium. This is what counts in system forensics. Higher-level views, such as what the operating system or an application reports, may be incomplete or altered.

  • Search throughout a device: You need to search at this level of 1s and 0s across a wide range of areas inside a computer, not just the visible file system: unallocated space, file slack, swap and hibernation files, and the fragments of deleted files all belong in the search.

  • Present the evidence well: Forensic examiners must present computer evidence in a logical, compelling, and persuasive manner. A jury must be able to understand it. In addition, the evidence should be solid enough that opposing counsel cannot rebut it.
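A timeline of the kind the second principle asks for is built from file metadata: every file contributes its modified, accessed and changed timestamps as separate events, the events are sorted, and anything that cannot be right is flagged. The block below is an added example, not code from the page. It runs over a constructed directory so the result is reproducible; the event field names and the two flag rules are this example's own choices, and the ctime behaviour it relies on is POSIX-specific.

```python
"""Build a file-activity timeline and flag entries worth a second look.

Added example, not from the original page. Runs over a constructed
directory; field names and flag rules are this example's own choices.
"""
import os
import tempfile
import time
from datetime import datetime, timezone

ONE_DAY = 86400


def iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat(timespec="seconds")


def collect_timeline(root, acquired_at):
    """Walk root and emit one event per timestamp (m = modified, a = accessed,
    c = inode changed), sorted oldest first.

    lstat records symlinks rather than following them, so the walk cannot
    wander outside the evidence tree.
    """
    events = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            rel = os.path.relpath(path, root)
            for kind, ts in (("m", st.st_mtime), ("a", st.st_atime), ("c", st.st_ctime)):
                flags = []
                # A timestamp later than acquisition cannot arise without a
                # wrong clock or deliberate manipulation.
                if ts > acquired_at:
                    flags.append("future-timestamp")
                # On POSIX, utime() rewrites mtime but the kernel bumps ctime
                # to "now". An mtime far older than ctime is therefore worth a
                # question, though not proof: chmod, chown and cp -p produce
                # the same pattern legitimately.
                if kind == "m" and st.st_ctime - st.st_mtime > ONE_DAY:
                    flags.append("mtime-predates-ctime")
                events.append({"time": ts, "when": iso(ts), "kind": kind,
                               "path": rel, "size": st.st_size, "flags": flags})
    events.sort(key=lambda e: (e["time"], e["path"], e["kind"]))
    return events


def demo():
    """Constructed evidence tree: one normal file, one time-stomped file,
    one file dated after acquisition."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "docs"))
        with open(os.path.join(tmp, "docs", "normal.txt"), "w") as f:
            f.write("written during the constructed scenario\n")
        stomped = os.path.join(tmp, "old.txt")
        with open(stomped, "w") as f:
            f.write("mtime forged to 2001\n")
        os.utime(stomped, (978307200, 978307200))  # 2001-01-01T00:00:00Z
        acquired_at = time.time()
        future = os.path.join(tmp, "future.log")
        with open(future, "w") as f:
            f.write("mtime set a year past acquisition\n")
        os.utime(future, (acquired_at + 365 * ONE_DAY,) * 2)
        return acquired_at, collect_timeline(tmp, acquired_at)


if __name__ == "__main__":
    acquired, timeline = demo()
    print("acquired at", iso(acquired))
    for e in timeline:
        print(e["when"], e["kind"], f"{e['size']:>6}", e["path"], ",".join(e["flags"]))
```

The flags are prompts for the examiner, not conclusions: the page's own warning that "there are many ways to falsify data" cuts both ways, and each flagged entry still has to be explained from other evidence (logs, backups, application metadata) before it goes into a report.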

Expert Reports

An expert report is a formal document that details the expert's findings. It is usually filed in a case before trial. If there are depositions, the report will probably be used as the basis for some of the questions you are asked. An expert report is almost always required in civil cases, and may or may not be required in criminal cases. When you do need to write one, it is critical that you do so properly. You should consider several issues.

The first issue is the format of the report. You usually list all items, documents, and evidence you considered, then detail the tests you performed, the analysis you did, and your conclusion. Include your entire curriculum vitae (CV) in an appendix. A CV is an extensive document detailing your experience and qualifications, and it is much more thorough than a résumé: list every publication, award, and credential you have earned, and give fuller detail on your work and educational history.

Another issue is thoroughness. In most jurisdictions, if something is not in your report, you are not allowed to testify about it at trial, so anything you leave out may become a problem later. Be detailed in what you write and document all the analysis you did. For example, if you performed three tests and all three support a specific conclusion, list all three. If you list only one, that is the only test you can testify about.

Finally, back up everything you say. Clearly, you are an expert in forensics or you would not be asked to testify, but remember that opposing counsel's job is to disagree with you, and they may have their own expert who will testify to different conclusions. Support every important claim with well-respected references. That way it is not just your opinion, but your opinion backed by multiple credible sources.
