
Page 1: Digital Forensics

Digital Forensics

Dr. Bhavani Thuraisingham

The University of Texas at Dallas

Expert Witness and Report Writing - I

November 24, 2008

Page 2: Digital Forensics

Outline

- Report Writing for High tech investigations
- Expert Testimony in High tech investigation
- Reference: Chapter 14, 15 of Textbook

Page 3: Digital Forensics

Outline

- Selecting and preparing an Expert Witness
- 10 Mistakes an Expert Witness makes
- Example expert witness
- Example expert witness report

Page 4: Digital Forensics

Selecting and Preparing an Expert Witness

Reference: 1. The initial interview. The first contact with the expert is usually over the telephone. You or your paralegal should at the outset establish the expert's familiarity with the general subject matter. You should also ask about his or her experience with testifying in general, as well as testifying on the subject of the litigation at hand. Finally, you should check for conflicts of interest. Never review the facts of the case or postulate strategies and initial theories before you mention the names of the other parties and attorneys. Since you may not be able to use the expert, you do not want to take the risk that the expert will call opposing counsel and reveal information learned from you.

Page 5: Digital Forensics

Selecting and Preparing an Expert Witness

Reference: 2. The personal meeting. Most professional experts are willing to spend an hour meeting with an attorney before being hired so that the attorney can get a feel for their abilities and expertise. They will bill for this time only if hired. Clients also should be encouraged to attend these meetings.

At this meeting you should question experts thoroughly regarding any history of complaints or claims filed against them.  Better to find out now than at deposition or trial.  You should listen carefully to determine if the expert speaks with spirit and conviction.  You should also discuss the expert's previous testimony on the subject matter of the current litigation.  Has the expert ever taken a position--either in writing or in speaking publicly--that could be viewed as inconsistent with the opinion you expect the expert to give on your client's behalf?

Page 6: Digital Forensics

Selecting and Preparing an Expert Witness

Since there is no way to anticipate all the questions on cross-examination, you will want an expert who can extemporize.  Some attorneys ask an unexpected question at the interview to test whether the expert can think quickly and give a persuasive, consistent answer.  Others pose a complicated hypothetical to see if the expert can follow the facts presented and respond in a meaningful manner.

You must also consider the future availability of the expert.  Ask about the expert's general health, plans to move from the area, or scheduling of extended vacations.

Page 7: Digital Forensics

Selecting and Preparing an Expert Witness

Other general considerations include selecting the right type of expert.  What kind of expert is most likely to persuade the trier of fact in your case?  A retired veteran with impressive credentials?  An academic whiz with teaching and publishing credits?  Or an active practitioner with field experience?  You will want to choose an expert old enough to have significant experience in his or her field but young enough to be receptive to and aware of current developments.  The parties' ages should also be considered.  For example, it may be more effective to use an expert who is a contemporary of an older defendant to testify as to the defendant's breach of a standard of care.

Page 8: Digital Forensics

Selecting and Preparing an Expert Witness

3.  Pleadings.  Make sure pleadings are consistent with the testimony you desire from your expert.  For example, the judge will not permit questions about standard of care if negligence has not been pleaded.

4.  Preparation. Always preview the questions to be asked on direct examination and establish with the expert whether you prefer a quick exchange of question and answer or narrative answers.  If you ask a question for which the expert has not been prepared, you run the risk of flustering your own expert and thus undermining his or her credibility.

Page 9: Digital Forensics

Selecting and Preparing an Expert Witness

5. Deposition. At a deposition, both sides can observe the expert's demeanor, ability to respond to new questions, and ability to think on his or her feet. These observations will help determine whether a party will be amenable to settlement or will want to press forward to trial. Thus, the expert's performance at a deposition is vital to the interests of your client. Your expert should be instructed to dress as a professional, maintain eye contact with the examining attorney, speak firmly, and sit erectly. If you find your expert is volunteering too much, is not being responsive to the questions, or is using body language or voice tone that reveal a lack of confidence, you should not hesitate to ask for a recess.

Page 10: Digital Forensics

10 Mistakes Expert Witness Makes

Reference: http://expertpages.com/news/ten_biggest_mistakes.htm

#1 - Waiving the Reading and Signing of the Deposition Transcript
At the start of most depositions, counsel will agree on stipulations. One of the most common stipulations is that the deponent waives the right to read and sign the deposition transcript. The expert who is interested in accuracy should not agree to this waiver lightly. Experts who agree to waive the reading and signing are agreeing to a document's accuracy with their sworn testimony without even seeing the document.

Lesson: You have a right to read and sign your deposition. You shouldn't let counsel waive that right unless you want to.

Page 11: Digital Forensics

10 Mistakes Expert Witness Makes

#2 - Failing to Take Breaks
Experts routinely fail to ask for and take a break when they need to or when they would benefit by a break in the proceedings.
Lesson: Ask for a break or recess any time you want one, need one, or feel that it will help you collect your thoughts so that you can return reinvigorated.

#3 - Conference with Counsel
Experts often fail to obtain an in-depth meeting with counsel who has retained them.
Lesson: Ask for and obtain a meeting with counsel to review: the types of questions you will be asked, the pertinent legal standards, your file for work product and privileged information, and an update on the current status of the pleadings and litigation.

Page 12: Digital Forensics

10 Mistakes Expert Witness Makes

#4 - Your Curriculum Vitae
Experts often bring a curriculum vitae to the deposition which is not accurate and is not up-to-date.
Lesson: As part of the preparation process, it is crucial for experts to update and fact-check the accuracy of their CVs carefully. Failure to do so can result in needless damage to your credibility that could have been easily avoided through proper preparation.

#5 - Sanitizing Your File
Experts attempt to hide damaging documents and notes by removing them from their file. This is a serious logical and strategic mistake.
Lesson: Any attempt by the expert witness to "sanitize" his/her file is improper. Such an attempt will frequently make the expert look bad in the eyes of the judge or jury. A single act of removal of documents from a file can completely destroy the credibility of an expert witness.

Page 13: Digital Forensics

10 Mistakes Expert Witness Makes

#7 - Billing and Collecting
Experts wait until after the deposition is concluded to bill and attempt to obtain payment for their time and expenses.
Lesson: Most experienced expert witnesses strongly recommend that experts be paid prior to giving a deposition. This is the only way to guarantee collection of your fees. The expert who does not demand payment in advance will run the risk of late payment, no payment, and/or collection problems with counsel.

#8 - Losing Your Temper
Experts are pushed into losing their temper by counsel's questioning. This is always a serious mistake.
Lesson: Do not allow yourself to be goaded by counsel into losing your temper. If you lose your temper, you will give an emotional response to a question. Such an emotional response will not be carefully considered and will come back to haunt you.

Page 14: Digital Forensics

10 Mistakes Expert Witness Makes

#9 - Volunteering Information
Experts seek to help counsel by volunteering information to help "clarify" the issues.
Lesson: Volunteering information can be one of the biggest mistakes an expert makes at deposition. An expert should answer only the questions she is asked and not volunteer information. The volunteering of information will almost always result in new lines of cross-examination. It may also disclose information to which counsel otherwise never would have become privy.

Page 15: Digital Forensics

10 Mistakes Expert Witness Makes

#10 - Videotaped Depositions
Experts act in the same manner for their videotaped deposition as they would for one that is recorded by a stenographer.
Lesson: Experts need to look and sound good for their videotaped deposition. I recommend the following:
- Practice with counsel with a videotape camera
- Dress conservatively
- Look directly in the camera when testifying
- Avoid long pregnant pauses
- Handle exhibits so they can be easily seen
- Use make-up powder (for men, get a close shave)
- Avoid eating, chewing gum, drinking, or chewing on pens and pencils
- Turn off pagers, cell phones, and beepers

Page 16: Digital Forensics

10 Mistakes Expert Witness Makes

Conclusion
The single most important piece of advice for an expert witness is to tell the truth, simply and directly. This cannot be overemphasized. As an expert witness, you have a legal, moral, and ethical obligation to tell the truth. You are testifying under oath. Experts who tell less than the truth run the risk of criminal prosecution for perjury, civil suits for negligence, and revocation or suspension of their professional licenses. Experts who do not tell the truth are discovered and discredited eventually.

Experts who are aware of the above mistakes and take the appropriate action to avoid them are well positioned to succeed during depositions.

Page 17: Digital Forensics

Example Expert Witness: Robert Boyell

Reference: http://www.spectrum.ieee.org/apr08/6089- IEEE Spectrum, April 2008

Boyell, an IEEE senior member, has a bachelor’s degree in electrical engineering, a master’s in applied science, and an MBA. It all testifies to a generalist’s training that he says finally made him “a dinosaur” in … the defense industry.

It turned out, however, to be the perfect background for a forensic expert. “I still use things I learned as a college freshman and sophomore,” he says. “Heat transfer, mechanical advantage, electricity, and magnetism—but applied to real-world problems.”

Page 18: Digital Forensics

Example Expert Witness: Robert Boyell

To make it in this business, you have to know a lot about something and a little about nearly everything else. “Qualifications have become more demanding for experts, as criteria for what’s admissible as evidence have tightened up,” says Marvin Specter, executive director of the National Academy of Forensic Engineers. Some states require that experts have professional licenses.

In 1978, after 20 years developing acoustic tracking and electronic warfare systems in Philadelphia, Baltimore, and New York, Boyell got his first taste of forensic work when an attorney tapped his expertise for a case involving civil radio communications. He turned the gig into a regular sideline, consulting with clients after work and during personal and vacation days. Finally, in 1998, he became a full-time, self-employed consultant.

Page 19: Digital Forensics

Example Expert Witness: Robert Boyell

Forensic experts can earn as much as lawyers. Boyell charges $200 an hour, working anywhere from 20 to 80 hours a week, though only about half the time he spends on his business is billable. There’s marketing, advertising, bookkeeping, professional seminars, and other overhead.

The work is not to everyone’s taste. Even before testifying, a forensic engineer must undergo a rigorous oral examination by the court to ascertain his level of expertise in the pertinent subject matter. Then he gets grilled by lawyers for the opposing side.

“If an adversarial lawyer can’t demolish your technical argument, he will attack your personal credentials,” Boyell says. “You have to be prepared to defend everything in your life that’s been on the public record—even this article. It feels like a combination of defending your thesis and interviewing for a new job. But there’s a real satisfaction in knowing you contributed to the resolution of a contentious matter,” he adds.

Page 20: Digital Forensics

Example Expert Witness: Robert Boyell

However, unlike cases in the television show “CSI,” real‑world cases don’t always end neatly. “It starts as giving advice, then writing reports, and ultimately, you might be deposed or take the stand during a trial. Sometimes that process can take years, and then it’s usually the big-money suits and criminal cases. But that happens in a fraction of the cases. Usually, my report ends the matter.”

An expert must put his client before himself but his professional ethics before even the client. His first duty is to the truth. In one case, Boyell was hired to prove that a hardware defect caused an electrical fire. Not only did he find no evidence of a defect, but he uncovered an errant extension cord that suggested the hardware in question wasn’t even involved.

“If my findings are adverse to what my client wants me to tell them, that’s the end of the job,” he says. “But my real job is to stay objective.”

Page 21: Digital Forensics

Sample Report by a Forensics Expert

Computer Forensics Report
Pat Smith – Acme Industries
Investigator: Chris Simone [email protected]
11/5/06

Investigator Information
The following report was conducted by Chris Simone. My job is to take the evidence presented to me and deliver facts that would seem relevant to the case. The evidence being reviewed has been collected by a previous investigator and verified to be unaltered. Any questions or concerns pertaining to the acquisition of the evidence can be found in his/her report.

Page 22: Digital Forensics

Sample Report by a Forensics Expert

Case Description
Acme Industries’ Pat Smith is being investigated under the fear that he may be offering proprietary company information to a competitor in exchange for a job.

Computer and Forensic Tool Statistics
The computer was removed from its position in ACME Industries at 4/12/04 8:27:03 PM where it was carted out to a nearby secure forensics facility. Once settled at the forensics lab the hard drive was imaged to begin the research and testing. The image of the hard drive was tested using the program EnCase Forensic Edition Version 4.17b by Guidance Software. This program has been proven in the court of law to provide valid and accurate results when scanning and analyzing a system.

Page 23: Digital Forensics

Sample Report by a Forensics Expert

Investigation
The following was the procedure that I took to extract what data I found to be relevant to the case. I created a new case called Case Study. I added to this case the already captured image file (C:\forensicsfile\winlabencase.image) by going to File > Add Device, clicking sessions, and clicking on add evidence file.

With the case loaded I immediately set the time zone by right clicking on the image > Modify Time Zone. From the following screen I selected the time zone that I was working in. This is done to adjust the evidence so that it all correlates in the same time zone.

The next step was to recover any hidden or deleted folders on the system. Doing this step now would allow my searches to be more complete in the future and determine if there were any actions taken to hide or destroy evidence. In order to do this I right clicked on the image > Recover Folders.

Page 24: Digital Forensics

Sample Report by a Forensics Expert

I ran a script next to determine the specifications about the computer because I had not been the one to create the image from the suspect machine. The script comes preloaded into EnCase V4. I went to View > Scripts and selected the Initialize Case script which prompted me to enter information of the investigator and person conducting the examination. Once the information was entered the script asks where I would like the data saved. I chose to add it to the bookmark section under the folder Encase Computer Analysis Report. I also needed to check which information I would want present. I chose to display the Windows version and registration, time zone settings, network information, user information, and last shutdown time. The report generated can be found on the following page. The important information pulled from the report is that the machine is running a FAT16 file system with Windows XP. The total capacity of the partition is only 22MB. Now that this information has been discovered I can begin my investigation.

Page 25: Digital Forensics

Sample Report by a Forensics Expert

Volume
File System: FAT16
Drive Type: Fixed
Sectors per cluster: 1
Bytes per sector: 512
Total Sectors: 45,360
Total Capacity: 23,023,616 bytes (22MB)
Total Clusters: 44,968
Unallocated: 13,872,128 bytes (13.2MB)
Free Clusters: 27,094
Allocated: 9,151,488 bytes (8.7MB)
Volume Name: NO NAME
Volume Offset: 0
OEM Version: MSDOS5.0
Serial Number: 30E0-8F46
Heads: 240
Sectors Per Track: 63
Unused Sectors: 12,292,560
Number of FATs: 2
Sectors Per FAT: 176
Boot Sectors: 8

Device
Evidence Number: Lab5 image
File Path: C:\forensicsfiles\WinLabEnCase.image.E01
Actual Date: 04/12/04 08:27:03PM
Target Date: 04/12/04 08:27:03PM
Total Size: 23,224,320 bytes (22.1MB)
Total Sectors: 45,360
File Integrity: Completely Verified, 0 Errors
EnCase Version: 4.17b
System Version: Windows XP
Acquisition Hash: F70C5FFF082E526A368E2C0A13ABB093
Verify Hash: F70C5FFF082E526A368E2C0A13ABB093
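Before quoting figures like these in a report, a reviewer can check that they are internally consistent. The following added Python example (not part of the report or of EnCase) applies the FAT16 layout identities and the acquisition/verify hash comparison to the numbers in the tables above; the dictionary is a transcription of those tables and the cluster-count thresholds are the standard FAT values.

```python
"""Added example (not part of the report or EnCase): cross-check the
arithmetic of an EnCase-style Volume/Device summary before relying on it.
The figures are the ones the report lists; the rules are ordinary FAT16
layout identities plus the acquisition/verify hash comparison."""

# Values transcribed from the report's Volume and Device tables.
REPORT_VOLUME = {
    "file_system": "FAT16",
    "bytes_per_sector": 512,
    "sectors_per_cluster": 1,
    "total_sectors": 45_360,
    "total_capacity": 23_023_616,
    "total_clusters": 44_968,
    "free_clusters": 27_094,
    "allocated": 9_151_488,
    "unallocated": 13_872_128,
    "boot_sectors": 8,
    "number_of_fats": 2,
    "sectors_per_fat": 176,
    "device_total_size": 23_224_320,
    "acquisition_hash": "F70C5FFF082E526A368E2C0A13ABB093",
    "verify_hash": "F70C5FFF082E526A368E2C0A13ABB093",
}


def fat_type_for(cluster_count: int) -> str:
    """FAT variant implied by the data-area cluster count (Microsoft's
    thresholds: below 4085 clusters is FAT12, below 65525 is FAT16)."""
    if cluster_count < 4085:
        return "FAT12"
    if cluster_count < 65525:
        return "FAT16"
    return "FAT32"


def root_dir_entries(v: dict) -> int:
    """Root-directory entries implied by the sectors left over after the
    reserved area, the FATs and the data clusters (32 bytes per entry)."""
    root_sectors = (v["total_sectors"] - v["boot_sectors"]
                    - v["number_of_fats"] * v["sectors_per_fat"]
                    - v["total_clusters"] * v["sectors_per_cluster"])
    return root_sectors * v["bytes_per_sector"] // 32


def sectors_needed_per_fat(v: dict) -> int:
    """Smallest FAT size (in sectors) that holds one 16-bit entry per
    cluster plus the two reserved entries at the start of the table."""
    fat_bytes = (v["total_clusters"] + 2) * 2
    return -(-fat_bytes // v["bytes_per_sector"])   # ceiling division


def check_volume(v: dict) -> dict:
    """Return {rule: passed} for each consistency rule worth recording."""
    bps = v["bytes_per_sector"]
    cluster_bytes = bps * v["sectors_per_cluster"]
    return {
        # Device size must be sector count times sector size.
        "device_size": v["total_sectors"] * bps == v["device_total_size"],
        # Data area (Total Capacity) is cluster count times cluster size.
        "capacity": v["total_clusters"] * cluster_bytes == v["total_capacity"],
        # Allocated and unallocated space must account for every cluster.
        "allocation_sum": v["allocated"] + v["unallocated"] == v["total_capacity"],
        "free_clusters": v["free_clusters"] * cluster_bytes == v["unallocated"],
        # The cluster count must agree with the reported file system type.
        "fat_type": fat_type_for(v["total_clusters"]) == v["file_system"],
        # Something must remain for the root directory (512 entries is the
        # value Windows uses when formatting FAT16).
        "root_dir": root_dir_entries(v) > 0,
        # Each FAT must be large enough to address every cluster.
        "fat_size": v["sectors_per_fat"] >= sectors_needed_per_fat(v),
        # The hash recomputed at verification must equal the acquisition hash.
        "hash_match": v["acquisition_hash"].upper() == v["verify_hash"].upper(),
    }


if __name__ == "__main__":
    for rule, ok in check_volume(REPORT_VOLUME).items():
        print(f"{'PASS' if ok else 'FAIL'}  {rule}")
    print("root directory entries:", root_dir_entries(REPORT_VOLUME))
    print("sectors needed per FAT:", sectors_needed_per_fat(REPORT_VOLUME))
```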

Page 26: Digital Forensics

Sample Report by a Forensics Expert

Daylight Saving Time settings
Hour | Day of Week | Week of month (5=last) | Month
Daylight start: 2 | Sunday | 1 | 4
Standard start: 2 | Sunday | 5 | 10

Time Zone Settings (minutes)
Time Zone Bias: 300
Daylight Bias: -60
Standard Bias: 0
Time Zone: (GMT-05:00) Eastern Time (US & Canada)
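The Modify Time Zone step in the investigation applies exactly these registry values. As an added example (not from the report or EnCase), the Python below implements the Windows bias and transition-rule semantics for the settings listed above and converts constructed UTC instants around the dates in the case to the machine's local time.

```python
"""Added example (not part of the report or EnCase): convert UTC timestamps
to the suspect machine's local time using the recovered Time Zone Settings.
Windows stores biases in minutes with the convention UTC = local + Bias,
plus DaylightBias while daylight time is in force or StandardBias otherwise."""
import calendar
from datetime import datetime, timedelta

# Transcribed from the report's Daylight Saving Time / Time Zone Settings slide.
EASTERN_2004 = {
    "time_zone_bias": 300,        # (GMT-05:00) Eastern Time (US & Canada)
    "daylight_bias": -60,
    "standard_bias": 0,
    # (hour, weekday, week of month with 5 = last, month)
    "daylight_start": (2, calendar.SUNDAY, 1, 4),   # first Sunday in April, 02:00
    "standard_start": (2, calendar.SUNDAY, 5, 10),  # last Sunday in October, 02:00
}


def nth_weekday(year: int, month: int, weekday: int, week: int) -> int:
    """Day of month of the week-th given weekday; week 5 means the last one,
    the SYSTEMTIME convention Windows uses for transition rules."""
    days_in_month = calendar.monthrange(year, month)[1]
    matches = [d for d in range(1, days_in_month + 1)
               if datetime(year, month, d).weekday() == weekday]
    return matches[week - 1] if week <= len(matches) else matches[-1]


def transition_utc(year: int, rule: tuple, offset_minutes: int) -> datetime:
    """UTC instant of a transition. The rule is expressed in local wall-clock
    time, so it is shifted by the bias in force just before it happens."""
    hour, weekday, week, month = rule
    local = datetime(year, month, nth_weekday(year, month, weekday, week), hour)
    return local + timedelta(minutes=offset_minutes)


def is_dst(utc: datetime, tz: dict = EASTERN_2004) -> bool:
    """True if the UTC instant falls inside daylight time under the rule set."""
    start = transition_utc(utc.year, tz["daylight_start"],
                           tz["time_zone_bias"] + tz["standard_bias"])
    end = transition_utc(utc.year, tz["standard_start"],
                         tz["time_zone_bias"] + tz["daylight_bias"])
    if start <= end:
        return start <= utc < end
    return not (end <= utc < start)   # rule sets whose DST spans the new year


def utc_to_local(utc: datetime, tz: dict = EASTERN_2004):
    """Return (local_time, utc_offset_minutes) as a time-zone-adjusted
    evidence view would display the timestamp."""
    adjust = tz["daylight_bias"] if is_dst(utc, tz) else tz["standard_bias"]
    offset = -(tz["time_zone_bias"] + adjust)
    return utc + timedelta(minutes=offset), offset


def describe(utc_iso: str, tz: dict = EASTERN_2004) -> str:
    """ISO-8601 UTC string in, 'YYYY-MM-DD HH:MM:SS UTC-0500' style out."""
    local, off = utc_to_local(datetime.fromisoformat(utc_iso), tz)
    sign = "-" if off < 0 else "+"
    return f"{local:%Y-%m-%d %H:%M:%S} UTC{sign}{abs(off) // 60:02d}{abs(off) % 60:02d}"


if __name__ == "__main__":
    # Constructed UTC instants near the dates the report discusses, plus the
    # two 2004 transitions, to show the offset switching.
    for stamp in ("2004-03-09T16:38:00", "2004-04-13T00:27:03",
                  "2004-04-04T06:59:00", "2004-04-04T07:00:00",
                  "2004-10-31T05:59:00", "2004-10-31T06:00:00"):
        print(f"{stamp} UTC -> {describe(stamp)}")
```

Applied to the second e-mail's Date header (Fri, 01 Jul 2003 10:04:39 -0500, i.e. 15:04:39 UTC), the recovered rule gives UTC-0400 for that day, whereas the header carries -0500; a disagreement like that between a machine's zone rules and a header it supposedly produced is worth recording in the report.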

Page 27: Digital Forensics

Sample Report by a Forensics Expert

My first task was to compile a list of keywords that I would need to search the file system for. Knowing what words to start searching on could help me eliminate loads of irrelevant data. The list contained the following: ACME Industries (ACME and ACME Industry as different variations as well), Raytheon, Boeing, and promotion. With this list in hand I created a keyword list by clicking on View > Keywords. I right clicked Keywords > Add New Folder. I named the folder PSmith Keywords. Once the folder was created I could right click the PSmith Keywords folder > Insert Keyword List. The list box gets stored with the keywords previously mentioned. The new keywords were then selected and a search was performed by going to Search at the top. The search was done under the following criteria: search each file for keywords, search file slack, and selected keywords only. The table below shows the numerical results of the search.

Page 28: Digital Forensics

Sample Report by a Forensics Expert

Search Summary
Search Text | Hits | First/Last Searched
acme industries | 5 | 11/05/06 04:57:01PM
acme industry | 0 | 11/05/06 04:57:01PM
acme | 67 | 11/05/06 04:57:01PM
raytheon | 253 | 11/05/06 04:57:01PM
boeing | 127 | 11/05/06 04:57:01PM
promotion | 1 | 11/05/06 04:57:01PM

With so many hits for Raytheon and Boeing I concluded that I was on the right track. I started with the smallest and worked my way up. Promotion’s results were just a spam e-mail. The files found under ACME Industries were project files and some e-mail items. At this point I was more interested in evidence relating to some kind of contact between Pat Smith and Raytheon and Boeing. The results from ACME came back with 4 interesting hits. Amidst the e-mail files were 4 temporary files found at:

Page 29: Digital Forensics

Sample Report by a Forensics Expert

Case Study\Lab5 image\Documents and Settings\PSMITH\Local Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK50.TMP
Case Study\Lab5 image\Documents and Settings\PSMITH\Local Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK52.TMP
Case Study\Lab5 image\Documents and Settings\PSMITH\Local Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK54.TMP
Case Study\Lab5 image\Documents and Settings\PSMITH\Local Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK56.TMP

Page 30: Digital Forensics

Sample Report by a Forensics Expert

These files all contained the message: “I’d like to offer you some material from my company in exchange for a position in your company.” – [email protected]. These files grabbed my attention so I made sure to take down the access times (all last accessed on 3/9/04 around 11:38 AM). I took note by bookmarking the four files by selecting them and right clicking > Bookmark Files. I created a new folder called TMP Files (ACME) and the four were imported there for further consideration later. Boeing’s results were next shuffled through but they were mostly HTML files that Pat Smith must have been visiting. The bulk of the hits came from Raytheon. They were a mix of web files including data and content. The web files came from the Raytheon website where the company’s about and contact pages were visited. Also mixed in were a few e-mails to a [email protected]. I selected a few files which I saved to bookmarks in the DBX Files (Raytheon) folder. Two e-mails in particular stood out that contained information that seemed to relate to this case. The following below is where the files can be located.

Page 31: Digital Forensics

Sample Report by a Forensics Expert

Case Study\Lab5 image\Documents and Settings\PSMITH\Local Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK50.TMP
Case Study\Lab5 image\Documents and Settings\PSMITH\Local Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK52.TMP
Case Study\Lab5 image\Documents and Settings\PSMITH\Local Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK54.TMP
Case Study\Lab5 image\Documents and Settings\PSMITH\Local Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK56.TMP

Page 32: Digital Forensics

Sample Report by a Forensics Expert

The e-mails were both from [email protected] to [email protected]. The following are the contents of the two e-mails.

"Pat Smith" <[email protected]>
To: "[email protected]"
Subject: A Proposition
Date: Fri, 23 Jan 2004 12:06:52 -0500

I'd like to offer you some material from my company in exchange for a position in your company.

Pat Smith
[email protected]

Page 33: Digital Forensics

Sample Report by a Forensics Expert

From: "Pat Smith" <[email protected]>
To: "[email protected]"
Subject: My Proposition
Date: Fri, 01 Jul 2003 10:04:39 -0500

It's been a week since I sent you my proposal. Have you had a chance to consider it?

Pat

The first email was the same information found in the temporary files that I had found earlier from the results of the ACME Industries keyword search.

Page 34: Digital Forensics

Sample Report by a Forensics Expert

I was getting closer and closer to the when with just the help of the keyword search. I decided to take a look at the timeline of the operating system, which documents when a file was created, accessed, and modified. It places each entry in a nice calendar view so an investigator can see when there is a surplus of changes. By selecting the case I was working on and going to Timeline I found that there was heavy traffic on 1/23/04, 3/9/04, and 3/15/04. Starting with the earliest date and moving forward I examined the data by honing in on each date; the view gets more detailed by hour and minute the closer you zoom in. The traffic generated on 1/23/04 was mainly searching for a new job through sites like Monster.com, Yahoo Jobs, and searching the Raytheon and Boeing websites. The web files and cookies that were created on this date confirm this; they are found at:

Page 35: Digital Forensics

Sample Report by a Forensics Expert

Case Study\Lab5 image\Documents and Settings\PSMITH\Cookies

The files on 3/9/04 and 3/15/04 are the heaviest in traffic. They include many cookies and website files being created and deleted in temporary file space along with the two e-mails previously stated above being modified and deleted.

There were still a few more tests I could complete on this test case. One was to go through the image Gallery and check the images found on the file system. In order to do this I had to specify which folders contained images. I decided to check the entire case and brought open the Gallery view. There were many images from the Raytheon website as well as images pertaining to finding a new job, adding nothing more than we already know.

Page 36: Digital Forensics

Sample Report by a Forensics Expert

I had found clues on the who, the when, and the where but I was still missing the what and how. My next step was to run a signature analysis to see if any files were still hidden that I may have overlooked because their extensions were modified. Running a signature analysis will take the proper signature that a file should have and see if it matches up against the extension that it actually has. If there is a mismatch it will be labeled as such and EnCase will tell me what extension it should be. Running a signature analysis has me selecting the complete image and doing a Search (the same Search as done prior). The only option that should be selected is Verify File Signatures, and to have the results saved to a bookmark called Signature Mismatch. A few files stuck out from the others:

Page 37: Digital Forensics

Sample Report by a Forensics Expert

Case Study\Lab5 image\Documents and Settings\PSMITH\My Documents\Confidential\Project 238x.pdf
Case Study\Lab5 image\Documents and Settings\PSMITH\My Documents\Confidential\Project 47x.xls
Case Study\Lab5 image\WINDOWS\SYSTEM32\SPOOL\PRINTERS\FP00000.SPL
Case Study\Lab5 image\WINDOWS\SYSTEM32\SPOOL\PRINTERS\FP00001.SPL

The first two files are project files from ACME Industries that were kept in a confidential folder with altered file extensions. The last two files are printing spools that look like they have been altered. The spools correspond to each of the first two files being sent to the IP address of 192.168.1.106. The Project 238x was sent to that address on 3/9/04 and the Project 47x file was sent on 3/15/04 by the user name PSMITH. The IP address is mapped to the HP LaserJet 4000 Series PCL6 at ACME Industries. Both spool files can be found at:

Page 38: Digital Forensics

Sample Report by a Forensics Expert

C:\Windows\system32\spool\Printers

Just to make sure I had covered all pertinent data I ran two more scripts before completion of my investigation. I ran the IE History Parser with keyword search script to make sure that all the websites that I had seen through the cookies and temporary web files were actually visited and to make sure that I had not missed any others. In order to run this script I went to the Scripts menu and added the options of add bookmarks, create web page and tab-delimited files, and search all files. The report did not deliver any new information that had not already been discovered. The last script I ran was to see if there was any information I could obtain from the NTFS INFO2 file. This is the Recycle Bin file that would contain any deleted file information. By running the script NTFS INFO2 Record Finder, selecting to read INFO2 files only, and saving it to the bookmark Recovered NTFS Info2 Records, I came up with only one file deleted from the My Documents folder of PSMITH relating to Boeing. It did not seem to be of any value to this case.
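The signature analysis described on the preceding slides compares each file's leading bytes with the type its extension claims. As an added example, not the report's or EnCase's code, the Python below does that comparison over a constructed set of files modelled on the ones that stood out; the signature table and the sample bytes are assumptions.

```python
"""Added example (not part of the report or EnCase): a minimal file-signature
analysis. Each file's leading bytes are matched against a table of known
magic numbers and files whose extension disagrees with the content are
flagged, which is the condition the report used to find renamed files."""
from pathlib import PureWindowsPath

# Known magic numbers -> (description, extensions that legitimately use it).
# Assumption: a small table is enough to show the mechanism; real tools
# ship hundreds of entries.
SIGNATURES = [
    (b"%PDF-", "PDF document", {"pdf"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document", {"xls", "doc", "ppt"}),
    (b"\xff\xd8\xff", "JPEG image", {"jpg", "jpeg"}),
    (b"GIF87a", "GIF image", {"gif"}),
    (b"GIF89a", "GIF image", {"gif"}),
    (b"PK\x03\x04", "ZIP archive", {"zip", "docx", "xlsx"}),
    (b"MZ", "Windows executable", {"exe", "dll", "scr"}),
]


def identify(header: bytes):
    """Return (description, extensions) for the first matching signature, or None."""
    for magic, description, exts in SIGNATURES:
        if header.startswith(magic):
            return description, exts
    return None


def check_signature(path: str, header: bytes) -> dict:
    """Classify one file as match / mismatch / unknown, in the spirit of the
    Verify File Signatures option the report enabled."""
    ext = PureWindowsPath(path).suffix.lower().lstrip(".")
    found = identify(header)
    if found is None:
        # No table entry: nothing can be said about the extension.
        return {"path": path, "ext": ext, "status": "unknown", "expected": None}
    description, exts = found
    if ext in exts:
        return {"path": path, "ext": ext, "status": "match", "expected": description}
    # Content and extension disagree: report what the bytes say the file is.
    return {"path": path, "ext": ext, "status": "mismatch",
            "expected": f"{description} ({'/'.join(sorted(exts))})"}


def signature_analysis(files: dict) -> dict:
    """Run check_signature over a mapping of path -> first bytes of the file."""
    return {path: check_signature(path, header) for path, header in files.items()}


# Constructed sample corpus (not the actual evidence files): two 'project'
# files whose extensions were swapped, plus controls.
PREFIX = r"Case Study\Lab5 image\Documents and Settings\PSMITH\My Documents\Confidential"
SAMPLE_FILES = {
    PREFIX + r"\Project 238x.pdf": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
    PREFIX + r"\Project 47x.xls": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3",
    PREFIX + r"\notes.txt": b"meeting notes for project 238x",
    PREFIX + r"\logo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    PREFIX + r"\setup.pdf": b"MZ\x90\x00\x03\x00",
}

if __name__ == "__main__":
    for rec in signature_analysis(SAMPLE_FILES).values():
        if rec["status"] != "match":
            print(f'{rec["status"]:8} {rec["path"]}  ->  {rec["expected"]}')
```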

Page 39: Digital Forensics

Sample Report by a Forensics Expert

Conclusion
This report has pointed out pieces of information relating to the case of Pat Smith from ACME Industries and his relations with the companies Raytheon and Boeing. It is now up to the judge reading this report to determine if this information is of any value to the case. It is important to state that there was no evidence present that B. Conrad from Raytheon contacted Pat Smith or that the printed files ever left the office. It is interesting though that the printing spools and project files were altered after printing. The printing spool files are often not touched except by the operating system so it is obvious that they were targeted. Determining any further information on this case is up to a crime scene investigator and falls outside my jurisdiction. My job is to present the