It's becoming inevitable in the computer forensics law enforcement world… testifying.
I'm looking for tips, suggestions, from those of you who have testified to forensic evidence in court. How did you prepare for court? What did you wish you knew before testifying? What did you learn from testifying that may help those who have not yet gone through the experience?
I look forward to learn from and use your input!
Watch others in your department in the courtroom. Watch how the different prosecutors work with your department and how the defense attorneys work. If your department is large enough, Mock Court. Let some of your peers grill you.
For a little lite reading
I made sure I had good notes and I brought a copy of it with me. Studied my notes before going to court. Looking over your notes in court is OK since some details of the case is lost due to the time from exam to court date can be months to years later, but knowing it all in memory is better. I looked over the Deputy DA's PowerPoint slides as well. Practiced with the Deputy DA before going to court, so I know what questions he will ask and he will know what my answers will be. This was done for the preliminary hearing and actual trial.
You probably will be asked to explain what computer forensics is, imaging a hard drive, hash value, programs you used to image and examine the HD, what procedures you used to acquire and examine the HD, and other basic things. You will be asked to talk about your education, computer forensics training, computer experience, and other things about you to qualify you as an expert witness. Talk to the attorney and ask him what he will ask you during trial.
Tell the truth, the whole truth, and nothing but the truth when asked, even if it goes against your case (if the truth is always told, then no witness can really be against each other, as the facts are what the facts are). Don't be pressured to say what is not accurate as it is YOU on the stand and YOUR credibility at stake.
csusama008,
may be you should clarify, in what role are you planning to testify. To provide an opinion and act as an expert is one thing, and to provide factual evidence only is another.
When giving evidence as an expert, there are additional requirements that you need to be aware of.
Learn some good analogies that help explain some technical issues or simple laymans explanations of the common evidence locations that are clear & simple enough for a non technical person, lawyer, Judge or more importantly a Jury to understand.
e.g. Hashes being more unique than DNA, a library or filing cabinet analogy for FAT etc etc
As mentioned previously learn your evidence in advance & THINK before you speak, a defence lawyer will try to lead you somewhere they want you to go, If you think quickly enough you can be smart enough in your reply to stop them in their tracks or at least fluster them - (When that happens it's great to see lol !!!).
Cheers Dave
Rehearse! The attorney(s) representing your client (or your side), should help you prepare through a mock examination. If they are good, they'll make you sweat and squirm at anything about which you are unsure or unclear which should give you time to reformulate your response. Don't miss this opportunity to practice your presentation. Being on the stand is as much about the impression that you make as it is about the facts and opinions you present.
Have your presentation (if you are are presenting), done well in advance and go over it, again and again. Think about the questions that you might ask if this was the other side's case. In particular, think about the questions that you don't want to be asked and remove any open doors that would allow the other side to walk in. Unless you have an unlimited amount of time there will always be things about a case or the evidence which are still unknown or unclear at the time of the hearing/trial but uncertainty can be used to question your expertise. Limit yourself, your presentation and your testimony to that which you can reasonably support.
If you are presenting slides or other visual materials which purport to be evidence (as opposed to your presentation or conclusions), don't edit or alter it in a manner which enhances your case at the expense of the complete truth. I was in a case, once, where an expert put up what he alleged was a screen shot of the data contained in unallocated space showing the presence of what he alleged was a fragment of a confidential file. He deliberately obscured the data on either side of the fragment, he said, in order to make the presentation more clear. In reality, the data that he obscured was exculpatory and when we presented the entire cluster not only were his conclusions in doubt, so was his honesty.
Never say more than the minimum that you need to say to answer the question. Any statement that you make, however seemingly, insignificant, can come back to haunt you. If you can answer yes or no, limit yourself to that. If the attorney wants to know more he/she will ask you to clarify your answer. Remember that you aren't there to show off what you know (your expertise will either be stipulated to or you'll face a Daubert challenge which will clarify what you know).
Try to avoid showing negative emotions during a hostile examination. Keeping your cool is the key to handling these types of issues because it keeps control of the testimony in your hands. Adversarial attorneys will try to goad you, bait you or trick you into saying more than what you need to say or losing your composure. Don't take the bait.
There is never a need to answer the question without pausing to think. Take your time to formulate your response. This is not a sign of uncertainty and it is definitely better than spewing out a response that you'll come to regret. If you don't understand the question, ask that it be rephrased or clarified. Often times, this can get you out of a jam.
If you have already answered a question, it is fine to say, "I believe that I already answered that." While getting the cross-examining attorney to rephrase a question can be a good strategy on your part, giving a second answer to a question, where the answer may vary even slightly from the first, can get you into trouble.
Don't be afraid to admit what you can't explain. It is likely that if you can't explain it, the other side can't draw significant conclusions about it (unless you are simply over your head), so now is your time to question their conclusions. If you don't think that the facts warrant the explanation given, say so. You can always say something like "I have found no where in the forensic literature where these conclusions have been supported by these facts." Once in awhile you'll run across an "expert" who attempts to take a button and sew a vest on it. This is your chance to point out that the "expert" may be grasping at straws.
In some cases, you reach the point where discovery is ended and you can present no new evidence. If you honestly think that additional research or testing may allow you to understand better what you are unable to explain at that time, leave open the door to presenting this at a later time. You can say something like "I cannot, yet, explain this to a reasonable degree of forensic scientific certainty but I am continuing to investigate this and may have an answer at a later point in time (assuming that there will be other opportunities to testify). Once discovery is closed, the other side will likely press to have new evidence or conclusions excluded from being heard but if you leave the door open, you may have a shot at introducing clarifying testimony at a later time.
Most of all, stay in control. You are the expert and, presumably, you know more than counsel for your side or the other side. That control remains yours unless you surrender it by saying too much or the wrong thing. Think, think, think before you speak.
Sage advice seanmcl.
Some "Common Sense" advice
(mind you, NOT "right sense", only "common", meaning that it may be not "fair", but it is like things go)
LOOK does count
don't dress too elegant
don't dress shabby
no piercings
no long hair or "savage" beard
you have to convey the impression you are a serious professional, not that of a geek or hacker of some kind
TAKE your time
listen attentively to the questions that are asked you, take a little bit of time to understand them fully and to form mentally an answer, check the semantics used and make sure your answer is the exact, proper answer to the question asked, without any possibility of it being considered "vague" or "deceiving"
SPEAK clearly
try avoiding use of "slang" or regional inflections/accents
whenever you use a "strictly technical" word, add a SHORT explanation of what it means
Be BRIEF
only answer with the least possible amount of words, as directly as possible and do not add any unrequested comment
the only answers to a question worded like
"Would it be correct to state that ……."
are either
Yes, correct.
No, it would not be accurate.
DON'T be intimidated
if a question is asked to you in such a way that it could lead to an ambiguous reply don't be afraid to state that you did not fully understand it
and ask for it to be re-worded more clearly
BE PREPARED
to have your owns words "twisted" by the opponent's lawyer/public prosecutor in order to undermine your credibility by doubting your knowledge or experience - they have nothing against you - it's their "job" - in these cases be firm, calm and detached, simply reply to the raised point flatly, re-stating what you already said or confirming or denying the raised point
jaclaz