Hacking Exposed


by Aaron Philipp


  The next section should provide a summary of your conclusions, called the results section. This should state what you were directed to do, what evidence you have found, and what subsequent requests were made. Remember that this will be the last part of your report that many people see and understand before you get into the “technical voodoo,” so be sure that you make every point in this section that you plan to reinforce with evidence within the report itself. Here’s an example of the results section:

  After imaging the system of Mr. Suspect, I was instructed by Ms. Supervisor to identify and analyze all e-mails sent between Mr. Suspect and Mr. Ex-employee. Upon my reviewing the recovered e-mails, it is my opinion that Mr. Suspect has been supplying confidential information to Mr. Ex-employee and evidence of this can be found in section X of this report. Upon notification of this, Ms. Supervisor asked that further analysis be done to determine what other Internet-based activities Mr. Suspect had been involved in and what files were recently deleted. It is my opinion that Mr. Suspect is using company resources to distribute materials and send spam e-mails.

  Following that section is the evidence you have recovered from the suspect’s system. You should annotate each piece of evidence, explaining what it is and why you believe it to be of relevance. It is also recommended that you convert your report to a format such as Portable Document Format (PDF) or something similar so that you can be confident that your report will not be inadvertently modified as people review it and pass it to others.

  Figures 14-1 and 14-2 show examples of the information that may be contained in an internal report. The information shown here is from a consultative perspective, but the exact same model can be applied to any internal report.

  Figure 14-1 The report cover page

  Figure 14-2 An example internal report

  DECLARATION

  After you have written your initial report of an investigation and the attorneys decide to proceed with legal action, you will normally be asked to draft a declaration. Declarations are used by attorneys to support motions they present to the court. A motion can be just about any type of action that someone is requesting the court to take, such as motions to compel, temporary restraining orders, motions to dismiss, motions for summary judgment, motions for sanctions, or motions for expedited discovery. Your declaration would provide the technical merit for your attorney’s argument.

  A declaration differs from an internal report in that it is meant to be viewed and understood by a judge and opposing counsel. More so than in an internal report, you must ensure that all of your statements make sense to someone who does not have technical knowledge and that your conclusions are not lost in a maze of technical details. You should also be aware that the opposing counsel will base their arguments partly on the report you create; this means that any evidence you state and support will be examined and possibly attacked. Be prepared to defend any statement you have made, and realize that any evidence you reference could be requested or subpoenaed by the opposing counsel.

  When the opposing counsel subpoenas some evidence, it means that they have gone to the judge and gotten a written order stating that whatever evidence they have referenced must now be produced in whatever manner the judge has granted them. Sometimes this means that an image will be handed over; other times it means that the original system will be produced to the opposing counsel and their expert will re-image the system and try to re-create your findings. If any of your conclusions were based on assumptions or any accidental access to the original evidence—and this can and will happen—and you did not state such in your declaration, the opposing counsel will challenge the evidence itself.

  The same scenario plays both ways; if you are working for the defense and the plaintiff’s expert has produced some evidence that shows signs of accidental or intentional tampering, you would most likely be asked to create a declaration stating this case. You must be careful, though, when moving toward these kinds of motions, as you never know all of what happened during the lifetime of the evidence. Make such a suggestion to the attorneys only when you believe you have ample evidence to support your claims.

  A declaration is also meant to be a factual statement. While you are not getting a notary to witness your signing of the document, as you would with an affidavit, you are still swearing to the fact that the statements you have written are true. This is important, because knowingly making false statements can bring serious repercussions such as perjury charges. Though making false statements in a declaration is probably not something you aspire to do, many attorneys who do not understand the details of the technology you are dealing with may ask you to reinterpret or more forcefully support a conclusion in a way that makes you feel less than comfortable. This is understandable, as the attorneys believe that your new conclusions may just be a point of view and not the actual factual representation that you and the opposing expert would understand. Remember that no matter who is paying you, you’re signing your name on these documents, and you—not the attorneys—are liable for any false statements that are made.

  Construction of a Declaration

  Declarations have a very standard form regarding how they begin and end. It is what goes in the middle that lets you create a unique document. You should be sure to express your opinions in the matter, but remember to be as professional as possible. All declarations should begin with a statement similar to the following (the sections that you should fill in are underlined):

  I, your name here, declare as follows:

  I am a your title with your company, a description of what your company does. Your company has been retained by counsel for the plaintiffs/defense (name of the plaintiff/defendant) in abc v. def, Civil Action No. some number (D. some state) to render an opinion regarding the possibility of what you were asked to do. The following contains my opinion, the opinion that you are planning to defend, based upon my experience in the field and my knowledge of the current case.

  The next section of a declaration is a primer on your background, stating what makes you qualified as an expert to make the opinions and conclusions you are about to state to the court. It should look something like the following, but it will be unique based on how you choose to represent yourself and your experience. The parts you should change or fill in are underlined.

  My educational background is mainly technological/academic in nature, featuring more than some years of direct experience in the areas of what you have done and your job duties relating to this case or your investigation. I currently hold any certificates you might have. I am also an active member of any associations you may be a part of that have some bearing on your ability to be an expert. I have been trained in whatever and whoever has trained you in the areas relevant to the opinion you are making. If you are a consultant, you should name the company you work for and indicate your billing rate here.

  After this, you should begin stating information on what you have been asked to base your opinion and on what you have reviewed in doing so. You should explain in layman’s terms the technical aspects of whatever processes you have undertaken and discuss the evidence you have reviewed. This is important, as you can make opinions and conclusions based only on firsthand knowledge. Making a statement like “I was told by Ms. Jones that he arrived at work at 10 AM” would be considered hearsay. Be sure to ask for and review any documents or records that you will discuss in your declaration. You should also number your paragraphs so attorneys can easily reference them.

  A declaration has no particular minimum or maximum page length requirements. If you can make all of your points and conclusions in one page, and it is understandable to a layman, that’s fine. When you are done stating your opinions, you should end your declaration with a conclusion that covers all your opinions and conclusions about the matter and reaffirms your overall statement and support for the motion. An example of a conclusion is shown here:

  After reviewing and analyzing all of the whatever evidence you reviewed in making your opinions, I am left with the opinion that whatever conclusion you have come to. Discuss the ramifications of what this opinion means to the motion at hand. In my opinion, state your overall conclusion and support for the motion.

  An example of a declaration is shown in Figures 14-3 and 14-4. This declaration takes a more consultative perspective, but the same exact model can be applied to any declaration.

  You do not have the same document modification concerns for a declaration after you have submitted it, since your signature must be in place on a printed document.

  Figure 14-3 Front page of a sample declaration

  Figure 14-4 Last page of a sample declaration

  However, you should carefully review any document that is put in front of you to sign, to make sure that no last-minute revisions were made that are inaccurate or that you cannot stand behind.

  At the end of your declaration, you may want to add a glossary with a section name, such as “Definitions.” Within this section, you should define any technical terms you have not explained in the declaration as well as any specific methodologies you followed. The glossary becomes a powerful tool for you in restricting the interpretability of your statements in that you can limit the scope and impact of particular technical terminology. This is very useful as you deal with opposing attorneys and experts who may be aggressive in trying to rebuke your otherwise factual declaration.

  AFFIDAVIT

  Affidavits are much like declarations, except that the paper affidavit documents require a notarized signature. Affidavits are viewed as “stronger” documents than declarations because of this signature, but the request for an affidavit or a declaration will be based on the court’s needs, whether state or federal, and the type of motion you are supporting. Otherwise, an affidavit can be structured much like a declaration with the same rules applied.

  EXPERT REPORT

  Expert reports are the pinnacle of formal reports to a court. The expert report is your dissertation to the court on the matters at hand and your opinions regarding them. If you are being asked to create an expert report, it is because you have been deemed an expert witness by your attorney; you must readily adhere to the warning mentioned earlier in the chapter regarding such documentation.

  While a declaration and an affidavit are made in support of a motion, an expert report stands alone as a document submitted to the courts. The expert report shows your abilities as an expert to state facts, explain details, and clearly support conclusions and opinions. Remember that as an expert, you have the ability and right to make opinions that are aggregated from the evidence you have reviewed, but you should do so carefully. Opposing counsel will have their own experts, possibly even one of the authors of this book, who will be scrutinizing every word of your report. If you have offered any opinions that are based mainly on speculation, they will be quickly opposed and refuted. Any opinion you can make based on reconstructed evidence and outside support will stand much better against the opposing onslaught.

  It also works the other way, though. As the expert witness, you will review the opposing expert’s opinion and will have the opportunity to respond by providing supplemental and rebuttal reports that address other documents that have been submitted to the court. This includes expert reports, declarations, affidavits, deposition testimony, and any other evidence that has been submitted to the court. Your expert report will also be used against you and the opposing expert when and if you are asked to testify before the courts.

  When testifying, make sure that you make reference to your report and quote it when you can. Going back to your expert report allows you to reiterate your opinions to the judge and stand firm behind previous statements. Many attorneys will simply try to get you to restate your opinion in contrast to your report as a tactic to discredit you. Referring back to your report allows you to defend yourself and your opinions from attack.

  When making any type of conclusion in your report, it is always a good idea to make use of an outside party’s formal papers and reports. This is not considered hearsay, as you have personal knowledge of some published research paper or standard that is available for public use. This is especially true any time you are dealing with some kind of standard, whether it is a network protocol or a function of communication of a standardized service, such as HTTP. Making direct quotations and citing these public works enhances the credibility of your documentation.

  You should also carefully research any public articles or presentations you have made in the past. Any public documents you have created in the past can be used against you if they pertain to the matter at hand. For instance, if at some point in the past you wrote an article about intrusion-detection systems and their inability to provide accurate reporting, you should be wary of making a statement in an expert report later stating that you believe the reports generated from the intrusion-detection system are always valid and factual.

  Construction of an Expert Report

  Expert reports can vary in their construction from expert to expert, but the form put forward here is fairly standard. You should begin the report with a cover page that states that this is your expert report in the following case. Next, the actual report begins. Expert reports are usually separated by sections that are numbered with Roman numerals. The first numbered section in this example is “I. Overview.” The overview should state who you have been retained by, the matter name (the names of the entities suing each other), and what you were retained to do. An example overview follows:

  I. OVERVIEW

  I have been retained by ABC in the matter styled ABC v. DEF to analyze the items seized from DEF during the court-ordered seizure of systems from DEF. This report sets forth my analysis and my expert opinions.

  The next section, entitled “II. Qualifications,” is much like the qualifications section that you would write for a declaration. The following section, though, is unique to expert reports.

  The next section is entitled “III. Prior Expert Witness Experience.” In this section, you must list every case with which you have been involved and for which you have been declared the expert and provided a report. This is a very specific list, as it applies only when, as an expert, you took some action in the suit. So if you were declared the expert in a lawsuit that then settled, you should not include that suit here, since you provided no actual services to the client. Unlike in the security world, where most client engagements are confidential and you cannot reveal the names of your clients, the legal world expects to see each case as soon as it is filed, as the lawsuit becomes public knowledge. While motions may be filed under seal, the overlying case will always be public record. This means that you cannot attempt to show some kind of expert experience without listing a public case that the court and opposing counsel can research and verify. Attempting to mislead or take out of context your role in a case would quickly lead to your removal as an expert in a case.

  This section should resemble something like the following:

  III. PRIOR EXPERT WITNESS EXPERIENCE

  I have previously been designated as a testifying expert witness in the following lawsuits: XYZ v. 123 (Anytown District Court), Bob v. Jane (D. Anystate).

  The next sections are relatively straightforward; you must include a section stating your compensation for the work, if any, and what exactly you have reviewed in preparation for this report. The “Items Reviewed” section is important, because you are basically limiting yourself to these sources as potential evidence that you can quote from and show as support in your report. Make sure that you do not omit any evidence that you reviewed, as that will possibly create an argument without basis, which is an easy argument to refute.

  The next section, “Analysis,” is the bulk of the document, where you refer to your expert knowledge and the evidence you cited in the previous section to make your opinions and conclusions.

  It is important always to be a professional and to be as concise as possible. Remember that a judge will be reading your statements and needs to be able to understand all of the technical points to understand and uphold your point of view.

  The last section is the “Conclusion” section. Much like declarations and affidavits, this is where you restate your conclusions and opinions and state their impacts on the matter at hand. In this section, you should quickly and concisely state your overall opinion and what harm you believe has occurred. Examples of an expert report are shown in Figures 14-5, 14-6, and 14-7.

  Figure 14-5 The cover of an expert report

  Figure 14-6 The first page of an expert report

  Figure 14-7 The last page of an expert report

  CHAPTER 15

  THE JUSTICE SYSTEM

  The global surge in the use of computers and electronic information over the past three decades has driven a proportionate demand for experts in the field of computer forensics. To this point, this book has focused on the best practices for a forensic expert to collect, analyze, and report findings based on electronic evidence. Where an investigation leads to a dispute between two parties, however—for instance, between an entity investigating a network breach and the perpetrator of that breach—the outcome of the dispute will often be decided by the courts. Whether the dispute is litigated in a civil or criminal court, and whether it is decided before a judge or a jury, it is imperative that you understand the role of electronic evidence and the use of computer forensics in the American justice system. This chapter provides a brief overview of our court system and explains how forensic evidence functions within it.

  At bottom, “forensic science”—or “forensics” for short—applies principles from a wide array of sciences to provide answers to legal questions. “Forensic evidence,” then, is simply evidence suitable for use in a court of law. Computer forensics is but one branch of forensic science that applies scientifically proven principles, accepted in the industry, to answer questions in a legal dispute over electronic evidence. The questions presented may range from what was found on a computer or storage device to how it arrived there, who placed it there, or what was done with it thereafter. The success of the forensic expert providing the answers will often depend on the legal admissibility of the physical evidence and the expert’s direct testimony.
