Laying the Foundation for the Forensic Expert Witness

Following are a series of questions to qualify your expert.
For a witness to be qualified as an expert, he or she must simply be shown to have "knowledge, skill, experience, training, or education" regarding the subject matter involved. Fed. R. Evid. 702. See also People v. Lugashi, 205 C.A.3d 352 (1988); F.D.I.C. v. Carabetta, 739 A.2d 311 (1999).

Direct Examination

[After stating name for the record]

Q:
1. State your occupation.
2. Please tell us how long you have been a computer evidence examiner.
3. Tell us about your educational background.
4. Briefly describe your training.
5. Are you a member of any professional organizations?
6. Which ones?

Overview of Computer Forensics

Q:
1. Can you provide an overview of computer forensics?
2. Briefly tell us how a computer forensic specialist such as yourself conducts a typical investigation.

The Acquisition Process

Q:
1. How is digital information copied from computer media in a proper forensic manner?

The Authentication Process

Q:
1. Please briefly describe how the acquired electronic information is authenticated and verified.
2. What are the odds of two forensic images with different contents having the same hash value?

The Recovery Process

Q:
1. Could you give us a description of how information on a hard drive is stored by the computer?
2. How is the information recorded on the hard disk?
3. Please tell us how information that has been deleted or automatically purged can be recovered.
4. To what extent can this deleted information be retrieved?

Authenticating the EnCase Process Under Rule 901

Q:
1. What specialized software did you use for this investigation?
2. Tell us a little about the EnCase software.
3. How does the investigator use the EnCase software to recover deleted files?
4. Does the same software perform these functions?
5. How is the EnCase process more automated than other tools?

Addressing Daubert Factors

Q:
1. To your knowledge, is the EnCase software generally accepted in the computer forensic investigation community?
2. Has EnCase been tested by any independent third parties?
3. What were the results of the testing of EnCase?
4. Has EnCase been subjected to any publication in the industry that you are aware of at this time?

At this time, Your Honor, I'd like to submit as exhibit __, which are copies of published articles in the industry discussing the EnCase software.

When presenting EnCase-based evidence, it is recommended that the proponent take full advantage of the EnCase process and graphical user interface by presenting screen shots of the EnCase "All Files" and other views to show the full context of the electronic evidence. This technique may also be required to comply with Best Evidence Rule considerations in computer evidence.

Federal Rule of Evidence 1001(3) provides "[if] data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an 'original.'"

When presenting evidence contained within a computer file, a screen shot of the EnCase File View may be the best means to present a visual output which is "shown to reflect the data accurately," and thus constitute an "original" under Rule 1001(3).

When seeking to establish a defendant's state of mind by presenting an electronic audit trail or connecting file date stamps, the ability to display a visual output showing various file attributes and other metadata provides a tremendous advantage to the advocate of such evidence. EnCase software provides the best method to visually display all physical and logical data contained on the target drive, while showing the context of such files by displaying file metadata and other means. When providing testimony, many examiners present evidence through screenshots in a PowerPoint presentation format, or take EnCase software with them into court for a live demonstration.

Please note that for the sake of brevity, many of the foundational portions of the direct exam are incorporated by reference from the above section.

Background

[After stating name for the record]

Q:
1. Sir, what is your current occupation?
2. What was your involvement in the investigation of this case?
3. Tell us how long you have been a computer evidence examiner.
4. Tell us when you first came into contact with the Defendant's computer and computer disks.
5. What did you do with the Defendant's computer equipment and disks after you imaged them?
6. Did you then analyze those forensic images made?
7. Please describe your analysis.

Recovery of Hidden Files with Renamed File Extensions

Q:
1. What are file signature mismatches?
2. What is a file name extension?
3. How does EnCase identify mismatches?
4. What was the result of the file mismatch analysis that you conducted in this case?
5. Look at what has been premarked as exhibit X.
6. Can you identify these exhibits?
[Exhibits are introduced into evidence.]
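As an added illustration (not from the article, and not EnCase's own code), the following Python shows the principle behind file signature mismatch analysis: a file's leading bytes are compared against a table of known headers, and the identified type is then checked against the extension the file was given. The signature table and the sample files are constructed for this example.

```python
"""Constructed demonstration of file-signature (header) analysis.
Illustrative code only; it is not EnCase's implementation."""

# Constructed signature table: (header bytes, offset, extensions that legitimately carry them)
SIGNATURES = [
    (b"\xFF\xD8\xFF", 0, {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", 0, {"png"}),
    (b"GIF87a", 0, {"gif"}),
    (b"GIF89a", 0, {"gif"}),
    (b"%PDF-", 0, {"pdf"}),
    (b"PK\x03\x04", 0, {"zip", "docx", "xlsx"}),
]

# Constructed sample files (name -> content); no real evidence is involved.
SAMPLE_FILES = {
    "vacation.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 16,   # genuine JPEG header
    "budget.txt": b"\xFF\xD8\xFF\xE1" + b"\x00" * 16,     # JPEG header under a .txt name
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3",                 # genuine PDF header
    "archive.dat": b"PK\x03\x04\x14\x00",                 # ZIP header under a .dat name
    "notes.txt": b"Meeting notes for Monday\n",           # plain text, no known header
}


def identify_by_header(data: bytes):
    """Return the set of extensions whose known header matches the leading bytes, or None."""
    for magic, offset, exts in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return exts
    return None


def classify(filename: str, data: bytes) -> str:
    """Label one file the way a signature-analysis pass would: match, mismatch or unknown."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    exts = identify_by_header(data)
    if exts is None:
        return "unknown signature"   # header not in the table (e.g. plain text)
    if ext in exts:
        return "match"               # header agrees with the extension
    return "mismatch"                # known header carried under a foreign extension


def find_mismatches(files: dict) -> list:
    """Return [(name, true_type)] for files whose header contradicts their extension."""
    return [(name, "/".join(sorted(identify_by_header(data))))
            for name, data in files.items() if classify(name, data) == "mismatch"]
```

In a real examination the signature table is far larger, and an "unknown signature" result only means the header is not in the table, not that the file is innocuous.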

Recovery of Deleted Files

Q:
1. Did you examine the images you made of the Defendant's floppy disks?
2. What did you find?
3. How did you identify those deleted files?
4. Please identify these exhibits.

Recovery of Files "Deleted" from Multiple CD-ROM Sessions

Q:
1. Did you examine the images you made of the Defendant's CD-ROM disks?
2. What did you find?
3. Can files on a writable CD be deleted?
4. Look at what have been premarked as ________. Can you identify these exhibits?
[Exhibits are introduced into evidence.]

Evidence from Swap Files

Q:
1. What else did you find in your examination?
2. What is a swap file?
3. What type of data is written to the swap file?
4. What did you do after you identified search hits for the keyword _____ in the swap file area?
5. I'm now handing you what has been previously marked as exhibit___, and ask if you can identify it?
6. If you would, please read the text as it appears on this printout.
[Exhibit is introduced into evidence.]

Evidence Found in File Slack

Q:
1. What else did you find in your examination?
2. What is file slack?
3. What did you do after you identified search hits for the keyword [John Doe] in the area of file slack?
4. Could you determine what kind of document the remnant text in file slack was a part of?
5. I'm now handing you what has been previously marked as exhibit___, and ask if you can identify it?
6. Please read the text as it appears there.
[Exhibits are introduced into evidence.]

[Note: Because oral testimony of the recovery of file slack may seem too abstract and because of best evidence rule considerations, it is recommended that a full screen shot of EnCase from the "File View" menu with highlighted text in file slack be projected to show the full context of the relevant text].

Evidence of Windows Metafiles Recovered from Unallocated Clusters

Q:
1. What else did you find in your examination of the Defendant's computer?
2. What are Windows metafiles?
3. How did you recover the metafiles in this case?
4. What did you do after you located the metafiles and output them to a folder?
5. What did you find?
6. What does the fact that this document existed in the form of a metafile mean to you?
7. I'm now handing you what has been previously marked as exhibit___, and ask if you can identify it?
8. Please read the text as it appears there.

Albert Barsocchini is Assistant General Counsel at Guidance Software Inc., in Emeryville, CA. He can be reached at albert.barsocchini@guidancesoftware.com. This information does not constitute legal advice and is only informational. Attorneys should verify, update, and interpret all cited authorities.

Published in Family Advocate, Volume 29, No. 3, Winter 2007. © 2007 by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.