Hacking Exposed


by Aaron Philipp


  Modern computer forensics has exploded beyond its origins in the military and law enforcement and into the private sector. Highly trained and competent industry experts are frequently engaged by clients to investigate violations of criminal and civil law ranging from trade secret misappropriation to “cyber-hacking.” While investigators with the US Department of Defense or branches of federal and state law enforcement agencies are well-educated in proper practices for presenting evidence in a court of law, private computer experts often lack formal training in collecting and presenting forensic evidence.

  The best practices described in other chapters of this book for the preservation, analysis, and presentation of electronic evidence are of paramount concern for the forensic expert who is engaged by a private-sector client. We continue, then, with a basic description of the two distinct court systems—criminal and civil courts—and explain how the forensic consultant provides competent evidence in a trial.

  THE CRIMINAL COURT SYSTEM

  A criminal case generally begins when a complaint is lodged with a prosecutor in a specific state or federal jurisdiction. Each jurisdiction is governed by its own set of substantive laws and procedural rules. Federal crimes are governed in all federal courts by Title 18 of the US Code, as codified by Congress, and by the Federal Rules of Criminal Procedure promulgated by the US Supreme Court. Generally, the federal criminal statutes address conduct that extends beyond state borders or impacts a federally protected interest. State statutes likewise codify crimes that directly impact the persons of that state and are prosecuted under that state’s own rules of procedure. While some states employ procedural rules modeled on the federal rules, other states’ rules differ significantly.

  Fundamental to the criminal justice system, however, is that the attorney who brings formal charges in any criminal case, whether a US attorney or a county prosecutor, represents the government—not the aggrieved party. Thus, while a private citizen can approach law enforcement or government attorneys to request a criminal investigation and formal charges, the decision whether to proceed with “pressing charges” is left to the government’s attorneys. Once a complaint is lodged and prosecution begins, control over the prosecution and the evidence lies with the government. A complainant in a case involving a computer crime risks ceding control over his/her/their own data.

  Importantly, while a private consultant is competent to forensically image and preserve a computer system and restore the original media to its prior uses, law enforcement in a criminal case must often seize the original media to establish the proper chain of custody and testify with first-hand knowledge regarding the preservation and analysis of the electronic evidence. A complaining party can lose control over the “crime scene”—which might include the party’s own equipment, databases, or other critical systems. Though law enforcement today goes to great lengths to cooperate with the private sector, control over the evidence is fundamental to the prosecution’s case. The decision whether to report a case for criminal prosecution or to pursue it privately through the civil courts, then, should not be taken lightly.

  Equally important is that once a criminal case is commenced, the prosecution retains control, as the representative of the government, over whether to drop the charges. That is, even if the complainant and the accused reach an amicable settlement between them, the government is not obligated to halt criminal proceedings and might decide to press forward to a conviction. This independence can interfere with and even deter a private settlement of the dispute because the complainant cannot offer the accused finality without the government’s consent.

  At the heart of any complainant’s decision to refer a case for prosecution, therefore, is its goal in resolving the underlying dispute. Some “crimes” are so damaging or egregious that criminal prosecution is the only appropriate remedy; others are better resolved through civil litigation or other private means. Even where the ultimate goal is to deter future criminal activity, a civil suit can provide that deterrence through publicity that is dictated and controlled by the plaintiff, not the government.

  THE CIVIL JUSTICE SYSTEM

  Civil courts resolve private controversies between individuals or entities. Far and away, civil courts are the better forum for an aggrieved private entity to address wrongs against it. Because civil lawsuits are initiated and controlled by private parties (plaintiffs), litigants keep the freedom to resolve and settle their disputes without governmental intrusion. While specific procedural rules govern “discovery” (the exchange of information about the dispute supplied by the litigants themselves), parties can agree through counsel on the volume, breadth, and format of the exchange to limit expense and reduce business interruption.

  A civil suit proceeds in several phases:

  1. Investigation of the underlying dispute

  2. Commencing suit by filing a complaint or petition in the appropriate court

  3. Discovery

  4. Trial

  A brief description of each phase follows.

  Phase One: Investigation

  Prior to commencing suit, a private party and its counsel are obligated to investigate the core facts underlying a dispute to ensure that a good-faith basis exists for filing a complaint. For a computer forensics expert retained by a potential plaintiff, this phase is crucial to the ultimate success of the lawsuit. The expert should assess the perceived wrong, identify systems that contain potentially relevant data, and preserve those systems in a forensically sound manner while working with the client to ensure that relevant data is not lost or destroyed. An expert should also help the client to identify potential custodians of relevant evidence and offer advice on the best methods to gather data from the opposing party. While an expert may offer opinions during the investigation phase, these opinions are not typically written as formal opinions because they might change as information is discovered over time. It is imperative that a forensic expert remain objective during the investigation phase to provide the client with sound advice on how to proceed. An emphatic, conclusive opinion that later proves to be incorrect can have disastrous consequences for the client and the opposing party.
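  The preservation work described above, in which the expert images systems and later has to show that the evidence is unchanged, rests on a simple discipline: hash the image at acquisition, record who did it and when, and re-hash before every analysis or production. The script below is an added example and is not code from the book or its authors. It uses SHA-256 and a hypothetical JSON-lines custody log format of my own choosing; real laboratories will have their own forms and tooling, and the sample “image” is a few kilobytes of constructed bytes, not real evidence.

```python
"""Hash an evidence image at acquisition, log it, and re-verify it later.

Added example (not from the book). The JSON-lines custody log layout is an
assumption made for illustration; SHA-256 is used for the image digest.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so multi-hundred-GB images never load fully into memory


def hash_file(path, algo="sha256"):
    """Stream a file through a hash and return the hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_acquisition(image_path, examiner, log_path, notes=""):
    """Append an acquisition entry (digest plus who/when) to the custody log."""
    entry = {
        "event": "acquired",
        "image": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "sha256": hash_file(image_path),
        "examiner": examiner,
        "utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "notes": notes,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_image(image_path, log_path, examiner):
    """Re-hash the image, compare against the acquisition digest, log the check.

    Returns True when the image is byte-identical to what was acquired.
    """
    with open(log_path, encoding="utf-8") as log:
        entries = [json.loads(line) for line in log if line.strip()]
    name = os.path.basename(image_path)
    acquired = [e for e in entries if e["event"] == "acquired" and e["image"] == name]
    if not acquired:
        raise ValueError(f"no acquisition record for {name}")
    expected = acquired[0]["sha256"]  # the first acquisition entry is authoritative
    actual = hash_file(image_path)
    ok = actual == expected
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps({
            "event": "verified",
            "image": name,
            "sha256": actual,
            "match": ok,
            "examiner": examiner,
            "utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        }) + "\n")
    return ok


def demo():
    """Constructed walk-through: verify once untouched, then after a one-byte change."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "laptop01.dd")      # hypothetical image name
        log = os.path.join(d, "custody.jsonl")    # hypothetical custody log
        with open(img, "wb") as f:                # constructed sample data, not real evidence
            f.write(b"\x00" * 4096 + b"constructed sample sector data" + b"\xff" * 4096)
        record_acquisition(img, "J. Examiner", log, notes="constructed sample")
        first = verify_image(img, log, "J. Examiner")
        with open(img, "r+b") as f:               # simulate someone altering the original
            f.seek(10)
            f.write(b"X")
        second = verify_image(img, log, "J. Examiner")
        return first, second


if __name__ == "__main__":
    print(demo())  # prints (True, False)
```

  The point of logging the failed check rather than silently re-acquiring is that the log itself becomes the chain-of-custody exhibit: every touch, including the one that revealed a discrepancy, is dated and attributed, which is exactly what opposing counsel will probe at deposition.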

  Phase Two: Commencing Suit

  Once the initial investigation is completed and a party has assessed the merits of its case with its counsel, the attorneys file complaints (or petitions) that set forth the basic facts in the dispute and the legal claims against the defendant. In a trade-secrets case, for instance, the complaint will set forth in sufficient detail a description of the underlying trade secrets, the method of misappropriation of those secrets, and the specific laws violated by the defendant. The complaint will likely ask for monetary damages and, often, for injunctive relief requesting some form of restraint on the defendant’s ability to cause further harm.

  When a complaint is filed, it becomes public information. Documents included with the complaint or attached as evidence supporting a request for injunctive relief become public also—unless a party requests that the information be sealed and demonstrates a compelling need to keep sensitive information from the public.

  After a plaintiff commences suit by filing a complaint and serving the defendant with process, the court becomes the arbiter of the lawsuit and presides over procedural disputes and the discovery process.

  Phase Three: Discovery

  In a case involving computer forensics, the formal “discovery” phase is often the most costly and time-consuming. Depending on the volume of data and the nature of the underlying dispute, an expert may be required to assist in the exchange of electronically stored information (ESI), review an opponent’s computer systems, or direct counsel on the likely location of relevant evidence. That evidence may come in the form of deposition (pretrial) testimony, documents and ESI exchanged between the litigants or secured from third parties, interrogatories and responses, and informal interviews of persons with knowledge of relevant facts. The intent of the discovery phase is to provide the litigants with the building blocks for the prosecution or defense of their case, and it will often take many turns as opposing parties seek to secure information that supports their specific claims or defenses. For instance, a plaintiff alleging a trade-secret violation might request the analysis of a former employee’s personal computer to determine whether the employee took confidential electronic files prior to departing. The expert might also direct counsel to obtain ESI from a third-party service provider such as Yahoo! or Hotmail if the defendant forwarded confidential material to a personal e-mail account. Each factual scenario presents its own unique problems, including claims of privacy by the service provider or the defendant, and can lead to disputes and compromises between the litigants.

  The discovery phase commences either at the filing of the lawsuit or shortly after the defendant answers the lawsuit—depending on the jurisdiction’s procedural rules—and typically ends 30 to 60 days before the scheduled trial date. The timing and scope of discovery may be altered by agreement of the parties or upon request to the court.

  The Federal Rules of Civil Procedure were amended effective December 1, 2006, to provide specifically for the preservation and exchange of ESI between litigants. The changes in the rules are an effort to reflect the change in times: In an electronic world, discovery rules governing the exchange of paper documents no longer fit the bill. The Federal Rules now provide defaults for the preservation and format of ESI production, the methods for requesting production, and safeguards for ensuring that privileged documents are not disclosed inadvertently. Many states have enacted similar procedural rules governing electronic discovery.

  While requests for ESI and its exchange with party opponents are accomplished largely through counsel, a forensic consultant should be familiar with the basic concepts in order to advise a client’s attorney on how best to procure evidence from an opponent in a manner and format that will be helpful to the case. Generally, a party will obtain ESI or identify the relevant computer systems of an opponent through requests for production, depositions, and interrogatories.

  Requests for Production

  A request for production asks the responding party to produce tangible items to the requesting party, typically within 30 days of receipt of the request. Tangible items can be anything from a one-page document to all of the corporate e-mails related to the particular event in question. The production request must relate to the case, and its scope will reflect that. In some cases, however, that scope can be extremely broad, as in antitrust cases where almost any document might be considered relevant; in such cases the data produced can run into the terabytes. The lion’s share of a forensic consultant’s work will occur in relation to requests for production, as attorneys are quickly learning the value of electronic data and the secrets it holds. Two types of documents, however, do not have to be produced: privileged documents and nonrelevant documents.

  Privileged Documents Privilege means that a legal basis exists for withholding a document because of the nature of its creation or of whom it was sent to. For example, documents prepared by or for an attorney in anticipation of litigation, including those reflecting the attorney’s thoughts on the matter at hand, can be considered attorney work product and privileged. Likewise, correspondence between a client and his or her attorney can be considered privileged by virtue of the attorney-client privilege. Finally, and most importantly for the purposes of this chapter, correspondence between you, as the expert, and the attorney can be withheld as privileged under the work product privilege. This protection extends to agents of the attorney, such as nontestifying expert consultants who are involved in the preparation of the case. Be aware that the protection is narrower for a testifying expert: in many jurisdictions, the facts, data, and assumptions the expert considered in forming his or her opinions are discoverable even when the surrounding communications are not, so treat anything you send to counsel as something you may have to explain at deposition. All withheld documents must be tracked in a privilege log, which is provided to the opposing party, and their privileged status may be challenged by that party. If a designation is challenged, the court can review the documents privately, or in camera, and determine whether the privilege applies.

  Nonrelevant Documents Documents can be deemed nonrelevant by an attorney or the court; it is not a designation to be made by an expert. As an expert, you can render an opinion, but the actual act of declaring something nonrelevant is not your place. Responsibility for a production falls directly on an attorney and his or her client, so the ultimate decision must stay with them. A document is declared nonrelevant if the information it contains does not relate to the matter at hand.

  Interrogatories

  An interrogatory is similar to a request for production in that it is a tool used to learn new information. In an interrogatory, however, the requesting party is seeking written answers rather than tangible things. Using this discovery tool, counsel discovers the basis of the cause of action, the names of the relevant witnesses, the names of the designated testifying experts, and any background information deemed to be relevant. Beyond identifying you as a designated testifying expert, interrogatories rarely involve the forensic examiner directly.

  Depositions

  Depositions take place during the discovery phase of a lawsuit, when both parties are seeking evidence that can bolster their cases. A deposition is a formal question-and-answer session in which the lawyers who retained your services and opposing counsel take turns asking you questions. The questions and their answers become part of the official court record and are kept on file in the court. All statements are recorded and transcribed by a certified court reporter. In addition to a court reporter, the lawyers can ask that a videographer attend the deposition. Video is a powerful tool in that it allows the judge and jury to see, in a deponent’s reluctance or slowness in responding, what a written transcript might miss.

  For a period of time after deposition testimony, the deponent (the person whose deposition was taken) can correct the transcript before it is entered into the court record. Deponents can use this opportunity to correct possible errors made by the court reporter, fill in answers that were not known at the time of the deposition, or add information to answers that were originally left incomplete. A deposition can take place at an attorney’s office, your office, opposing counsel’s office, or, on the rare occasion, in a courtroom. The location does not change the fact that you are giving sworn testimony to the court. Transcription begins when you “go on the record” and stops any time counsel from either side requests that you “go off the record.” Statements made off the record are not transcribed, but nothing you say in that room is confidential: it can still be repeated and used against you or your client.

  Depositions begin with the swearing in of the witness to ensure that what is said during the deposition is considered testimony to the court and therefore exposes the witness to a charge of perjury. To commit perjury is to make false statements knowingly under oath, a felony punishable by imprisonment. During the deposition, counsel will take turns asking questions. The attorney who requested the deposition begins and continues questioning until complete. The responding party may then ask questions of his or her own witness, and both parties will then have another chance to ask questions or end the deposition after the first round. The attorney representing you will have the opportunity to object to questions asked by opposing counsel. Be careful not to talk over the attorney’s objections; wait until the objection is complete, and do not answer if counsel instructs you not to (an instruction usually reserved for privileged matters). Opposing counsel will frequently look for ways to draw confidential information out of the witness. It is your attorney’s job to keep that information from being shared because of its privileged nature, but you should always weigh your own statements, as they may contain privileged information. We discuss privilege further later in the chapter in the section “Expert Status.”

  Frequently, local, state, or federal rules set time limits on an individual’s deposition (the Federal Rules of Civil Procedure, for instance, default to one day of seven hours). In practice, however, a deposition can last as little as 10 minutes or as long as five days; it depends on whether the parties agreed to a different length or the court ordered one. A deposition could also last five days and then be put on hold, meaning the attorney can reopen it at a later date because, as of today, he or she does not believe that adequate information is available to ask you all of the relevant questions.

  Phase Four: Trial

  The trial phase is the final phase, wherein the fruits of discovery are brought into the courtroom. At this point, testimony from the experts has already been elicited during depositions. The trial phase can take anywhere from one day to several months, and parties can agree to a trial by jury or by the judge alone. A typical trial consists of four phases: opening statements, the plaintiff’s case, the defendant’s case, and closing arguments. Expert testimony takes place during the presentation of the plaintiff’s and defendant’s cases.

  Trial testimony takes place under oath in the courtroom in front of a judge and possibly a jury. Unlike deposition testimony, however, trial testimony allows for questions from a third party: the judge may at any time ask a question of the witness, often to get clarification on a topic or to probe your bias toward an opinion. There are generally no fixed time limits, and testimony can last anywhere from 10 minutes to five days. As in depositions, both parties will have an opportunity to ask questions.
