Being Your Own Expert Witness

Presenters: Brandon Dunlap, Global CISO at Black & Veatch and Managing Director – Research at Brightfly, Inc.; Herbert Joe, Certified Forensics Consultant, Yonovitz & Joe, LLP; Andrew Neal, TransPerfect


Transcript

Brandon Dunlap: Good morning, good afternoon, and good evening, depending upon where you may be on this spinning rock we call home. Welcome to today’s From the Trenches (ISC)2 webinar, where we have the luxury of being able to get your questions answered by some leading folks out there in the field, in the trenches, as we say. Today’s conversation is going to be about being your own expert witness. Many of us have seen in the news lately, with data breaches and leakage incidents becoming top of the fold there, investigations are taking on more and more importance. This calls, obviously, for a new set of skills to be developed, the ability to work with all levels of law enforcement, attorneys, and paid attorney spokespersons.



So today, we are joined by a great lineup, as always. We have Mr Andrew Neal back on the program. He’s the Director of Forensic Technology and Consulting from TransPerfect. We also have Herbert Joe, a Managing Partner from Yonovitz & Joe, who’s also an attorney and has many, many certifications after his name in this space. So bringing with us some folks who have been down this path before, and can share with us their experiences.

Before we start off, I want to let everybody know about the certified cyber-forensics professional certification from (ISC)2. It covers six separate domains: legal and ethical principles, investigations, forensic science, digital forensics, application forensics, and then hybrid and emerging technologies. This is a fantastic certification for those of you on forensic teams or perhaps even thinking of becoming an expert witness in your space. I think that more information for this is available on the tab to the left there, for your attachments. You can download some additional information on this certification and get your career off to the right path.

Without further ado, let’s dive into the meat of the matter today. As I indicated, many of us are dealing with more and more incidents, and the question becomes: What happens after you’ve effectively closed the incident? In many of these cases, it may go into some degree of local, state, or perhaps even federal law enforcement investigations. And when that happens, often, the real challenges really do begin – how we have preserved evidence, how we present evidence, how we then testify about that evidence, all are critical to the successful outcome of these cases.

What that comes down to also is your own individual expertise and the expertise of those around you and on your team, who have been engaged in that incident since the beginning, and even, to some degree, backing up a little further, perhaps even in the selection, implementation, and utilization of some of the counter-measures and protective technologies that we have, can also be called into question.

So today we’re going to talk a little bit about what it means to be an expert witness, what it takes, some of the challenges inherent in that. But before we do, I want to remind you all that this is going to be interactive. We only have two panelists, we’re going to have more than enough time to get their voices heard, but we want, more importantly, to have your voices heard, so we can get your questions answered. We have a huge number of people signed up for this event, so I know the curiosity is out there, so don’t be shy.

I want to start off though – I’m going to pause here on a slide with just Andrew, Herbert, and my faces, so you can put a face to the voices you’re hearing – but I want to start with Herbert, you telling us a little bit about how we got here, what does the concept of expert witness embody and entail, and what does it mean today?

Herbert Joe: Sure, thanks. I will briefly go over Frye, Daubert, and how that leads up to 702. So it’s important to not only know the law or the legal requirements of the admissibility of expert testimony, but to appreciate that more, let’s see why some experts that are very well qualified are allowed to testify, and why other very well qualified experts are not allowed to testify.

So I’ll try to be very brief with Frye & Daubert. Starting with Frye – one late summer evening in 1921, a wealthy physician was gunned down in his medical office, Dr Robert Brown. One of his colleagues heard the shot and made chase, but could not catch the culprit and could not identify the culprit, and Dr Brown died that night. And unfortunately, that case went cold until the next summer, in 1922. In 1922, James Alphonso Frye was arrested for armed robbery. During his confession of the armed robbery, he also confessed to the murder of Dr Robert Brown. Well, after his confession and before trial, he recanted. Frye said, “No, I didn’t really shoot and kill Dr Brown.”

Well, needless to say, they were going to trial with that admission. Well, at the pre-trial, to determine if Frye’s expert was allowed to testify, that expert, who was a noted physician and attorney, he was working on a new device – it was the systolic blood pressure deception test, which is the precursor to the polygraph machine. Dr Morrison was going to testify on behalf of Frye, and he was explaining that, well, as you tell the truth, there’s really not much thought in answering an easy, truthful question. So if somebody asks me, “What’s your name?” Herbert. “Where do you live?” California. “Do you have kids?” Yes.

So if you’re telling the truth, there’s really not much of a conscious effort or thought to it. Conversely, if you’re telling a lie, then that means you know what the question is, you know what the truth is, you’re going out of your way to supplant the truth with a lie, but in doing so, there is a conscious effort, and that’s manifested by changes in systolic blood pressure. So Dr Morrison was not only going to explain the underlying methodology, but also do a live demonstration on Frye to show that he was telling the truth when he said that he didn’t kill Dr Brown. And you can imagine, the government objected.

Well, the government objected, and the trial court decided not to admit the well renowned legal scholar and medical research scientist. He was convicted, got 16 years. So the issue, on appeal, at the DC Circuit Court of Appeals, is what is the standard of admissibility of new or novel scientific evidence in the federal courtrooms. Because you can’t have one decision of the same facts decided in a federal court in New York and the same facts decided differently in, say, New Mexico.

So the [appellate] judges said, “Well, we know the law very well, but we don’t know all this advancing technology. Who better to decide that type advancing technology than the relevant scientific community?” So that was the law of the land for 70 years. That was how trial courts decided the admissibility of novel or new expert testimony. So if you’re testifying about something that’s generally accepted within your relevant scientific community, then it’ll go in; otherwise, it won’t.

And that was the law of the land for 70 years, until the early 1990s, when Jason Daubert and Eric Schuller were unfortunately born with severe birth defects. They blamed their birth defects on Bendectin. Bendectin is an antiemetic, anti-nausea medicine, manufactured by Merrell Dow and taken by pregnant mothers who are feeling sick. Well, there was a Frye hearing, because Merrell Dow was challenging these experts’ testimonies. They weren’t saying, “We’ll have a battle of the experts at trial.” They were saying, “These experts should not even be allowed to testify.” And even the Supreme Court recognized that all eight of these experts were very well credentialed, but they were going to testify by various in vivo studies, in vitro studies, chemical analyses, a reanalysis of old data, all trying to show a link between Bendectin and birth defects.

Well, Merrell Dow only had one expert, a renowned epidemiologist, Dr [Stephen Lamb]. What he was going to testify to – and he did testify – that he reviewed over 30 different studies involving over 130,000 pregnant women, and he said there is absolutely zero correlation between Bendectin and birth defects.

Well, the trial court said, “Okay, you eight experts, yeah, you’re very well qualified, but every one of your methodologies are not generally accepted within the relevant scientific community.” And actually, then there were some motions for summary judgment, Merrell Dow wins. They appealed that to the Ninth Circuit Court of Appeals in San Francisco. The issue there was the admissibility… were they properly excluded? And the Ninth Circuit Court of Appeals, the whole panel said yes, properly excluded, based on Frye. And that went up to the US Supreme Court in ’92, in 1993. Daubert specifically overruled Frye. So the law of the land in all federal courts, as we all know, since 1993, is Daubert. Daubert took the criteria from the general acceptance to the court’s… now the trial judges were “the gatekeepers”. They had to determine… let the good science in and keep the junk science out. Well, how are they going to do that? Well, the Supreme Court gave guidelines about those, and we’ll talk about those later with questions.

So at any rate, Frye is now the law of the land for all federal courts in 42 states. There are eight Frye states left. So basically the law of the land is that as long as your testimony is relevant and, more importantly, the bigger hurdle, as long as it’s reliable, then you should be allowed to testify. And all of that is codified into Rule 702 of the Federal Rules of Evidence. So that’s pretty much a 90-year summary of everything.

Brandon: [chuckles] You covered 90 years in a very short period of time, Herbert, and I appreciate that background. I think our audience appreciates that too, it’s that how the concept of an expert has kind of evolved over time, and how the courts are responsible for setting that bar as to what constitutes good versus junk science.

So in that context – you’ve been to this a few times yourself. What does it mean in the context of the security professional to be that expert witness?

Andrew Neal: Well, it depends on… that’s my stock response to anything having to do with forensics in terms of questions, is it depends. It depends on the circumstance and why you are being called as an expert. But typically, the security community, the forensics community, when they’re called as an expert, they’re called to discuss and to introduce to the court the technical concepts surrounding a piece of evidence or a piece of material that’s going to be presented in evidence in the proceedings, and typically, my experience has been… I’ve spent much more time in pre-trial hearings, evidentiary hearings, those kinds of things, than I have actually testifying in court, because that’s where a lot of the work is done in these things, is determining if the material you recovered from the server is going to be introduced as evidence of a crime, or if the forensic analysis—

Brandon: Tell me a little bit about what that process is. Tell me a bit about that process there, for the pre-trial stuff. Because I think a lot of people… you know, what gets the [indecipherable], what gets the attention right is when you’re on the stand, the cross-examination, the “You can’t handle the truth” kind of moment… tell us a little bit about that precursor work that has to go into determining whether something is admissible, even your own expert analysis. What is that process like to go through?

Andrew: My experience with it has been… when I’m involved with a case where we’re doing forensics, and that’s primarily where my expertise comes in, in terms of testimony, is we’re doing an analysis of some sort to determine did something occur on a computer, was a website visited, whatever it was. It could be was something tampered with. Whatever it might be. So we do our forensic analysis using the highest possible standards that we can apply to the process. Forensic basically means suitable for use in court, and we make sure that we’re following this process, so that if our evidence or our conclusions are ever questioned, we can show that we used methodologies that are generally accepted in the community, we use tools that are proven to work consistently, if there’s an error rate involved in what we’re doing that we know what that error rate is, and basically that we have followed all the guidelines that are present in the forensic community for achieving a reproducible and defensible result.

So that’s before anything ever goes to a hearing or to trial. And then typically my experience has been – once the legal proceeding starts, they’re sometimes then prepping with your legal team and preparing for the process of getting recognized as an expert and getting your evidence admitted into the proceedings. There’s always some presentation of your credentials, and possibly some interview and… examination and cross-examination by the attorneys, to question you about that, and introduce all that into the record. And at some point, the attorney with whom you are working will say, “We want to admit Andrew as an expert.” And barring any objection, that usually goes forward.

And that typically is, in my experience, a matter of preparation. If you’ve got the right credentials and you can demonstrate that you can speak authoritatively on the subject, the technical subject that’s being addressed, it may get a little uncomfortable with the back-and-forth with the attorneys, but usually it goes through. And then the evidence is what gets examined next.

Brandon: Well, let’s pause on the part about the individual. We spoke earlier – in my intro I talked about forensic certification, you brought up the concept of certification as well. Anybody that looks up Herbert on LinkedIn, you know he’s got more initials after his last name than if you included his entire address for mailing. So Herbert, I want to come to you with that set of credentials. What’s the process like? It sounds like it’s somewhat invasive on the part of the recipient of this questioning to determine the admissibility of an individual as an expert, before you even get to taking into consideration their evidence. Tell us a little bit about what that’s like, to be that person, on the receiving end of that examination.

Herbert: Yeah, obviously, that’s a good point. What I tell people when people ask me, “I’m an expert. Am I qualified to testify in a particular case?” Well, I start off by saying, “Usually, it’s not does the case fit you, but do you fit the case?” What I mean by that is, again, you could be well qualified, but unless your expertise is on a specific matter that addresses a particular issue in that particular case, then no matter how well credentialed you are, it’s [inaudible].

So getting back to your question – how does one qualify? That takes me up to – and I’ll try to be brief about this – Federal Rule 702. Because remember, Frye took us to Daubert, and then Daubert and a couple of other cases called the Daubert Trilogy became all codified in 2010 into Federal Rules of Evidence 702.

Basically, Federal Rules of Evidence 702 says that… and it doesn’t matter if your expertise is purely scientific or if it’s technical or otherwise. It doesn’t matter. If you are an expert witness, then as long as your expertise will assist the [indecipherable], if it will help out the jury understand an issue, then as long as your background… you don’t have to be certified, but obviously, being certified is much better. But as long as you have a wealth of knowledge, skill, experience, training, or education – any of those combinations – then you can testify. You can testify – it doesn’t mean you will. You can testify as long as these three things are in place. So you have the background of yourself – that has to meet a certain criteria. But now, these are the three things that are very important, and in fact, when I am up against another expert, I make sure that not only are they qualified, but they meet these following criteria, because I assure you that the other side will be looking at these as well.

So even if you are very well qualified, number one, well, is your testimony really based on all of the facts or data? Because you can know a whole lot more than anybody else, but unless you use all the facts, then your answer is not going to be reliable. That’s number one. Number two is: okay, now that you have all the facts, Mr Expert, well, what about the principles that you use, or the methodology? How reliable are your principles or methodology? So if you can prove that they are, then okay. And then the third is okay, even if somebody used all the facts, properly, and even if they are using reliable scientific methods, then the third criteria – shouldn’t surprise you – is did you, as an expert, properly apply that reliable scientific foundation to all of the data?

So if you’ve met all of those criteria, then you should be able to testify.

[crosstalk]

Herbert: … the question, because it seemed like I was all over the board there.

Brandon: No, no. Thank you for taking us through the criteria and the codification of this rule. Now, you said earlier that there’s still a few, as you put it, Frye states left. Has 702 swept across and now we have to meet this higher burden? Or are there still holdouts, if you will, to the base criteria being a little lower?

Herbert: Sure, good question. I wouldn’t necessarily say that Frye has a lower standard – it’s just a different standard. But at any rate, keep in mind that Daubert, or specifically Federal Rules of Evidence 702, that applies to every federal courtroom throughout the United States. And 42 states have specifically adopted Daubert as their standard of admissibility for scientific expert testimony. For example – and I’ll go over the remaining eight states – those remaining eight states, specifically the California, Illinois, Maryland, Pennsylvania, New York, New Jersey, and Washington – I think that’s eight.

Those states are still Frye states. So their standard of admissibility is the general acceptance, meaning if you’re testifying in any of those state courts, as long as your methodology is generally accepted within that relevant scientific community, then you should be able or be qualified to testify. Now, do keep in mind that even in those eight states, federal courts could still Daubert or 702.

Brandon: Got you.

Herbert: So for example, I’m in California – California is a Frye state. So if you’re testifying in state court in California, then it’s Frye. But if you’re testifying in federal court in California, then it’s Daubert or 702.

Brandon: Okay. Very important, very interesting distinction. Now, when we start to talk about the method employed… Andrew, I know we’ve had you on in the past, talking exclusively about a lot of mobile forensics and some of the digital forensic aspects. Can you speak to some of the implications, as someone who’s developing perhaps your internal processes around responding to incidents of breaches, and how that development of those processes can have an impact when we get to this admissibility of evidence or yourself as a potential expert.

Andrew: Absolutely. One of the things that’s really important for any scientifically presented evidence is the process and the methodologies that are used. So in spite of the fact that you may be looking at the breach or the incident as a… from a security perspective, from a business continuity perspective, or from a business perspective. In terms of gathering the evidence, you have to look at it from the perspective of scientifically approaching the process. So that includes things like protecting the evidence, that includes things like using known process, that are known to give reliable results that are repeatable. It means following best practices that may have been established in the community. It means a lot of things that, while may seem restrictive, actually give you a clear path to follow in order to get from the beginning of your recognition of the incident to a courtroom setting without making any missteps along the way that allow somebody to attack your process or to attack your evidence.

So it’s kind of a process where early on, when you’re establishing your [cert] procedures, you make sure that you have a process in place that will allow you to get from one end to the other with a defensible data set and analysis and presentation.

Brandon: So again, it sounds to me like… you mentioned best practices… that there has to be… it’s almost like due care. There has to be a generally accepted recognition of how to go about doing something… as we spoke before, Andrew, we start to talk about mobile and such, there are some very new things coming out, with regard to the capturing and analysis done of evidence. Are the courts or the legal system in general, do you feel, able to keep up with that at all, in their determination as to what is admissible?

Andrew: I guess a couple of points here. One – and this is something that I kind of was maybe caught unawares really early in my career – ultimately, the judge – and this is one of the things that Herbert mentioned – the judge decides what’s admissible and what’s not admissible. And sometimes, that is based not necessarily on whether or not you did a good job, it’s based on whether the judge feels that this evidence applies, or that it’s relevant, or that its presentation by you, in this setting, adds something to the proceedings and is useful.

So you may be sitting there, thinking, “Oh yeah, I’ve got a slam-dunk… I can prove this six ways from Sunday.” But it’s not up to you. It’s ultimately up to the judge to decide whether it’s in, whether it gets presented or not. So I’ve had situations where I thought I did a fantastic job. I think it was clear-cut, slam-dunk, “Look, I can show it to you,” graphs, pictures, and everything. And the judge said, “No. We’re not going to go that way.” And I was kind of shocked, but it was an introduction for me into the fact that ultimately it’s the judge that makes that decision.

Now, could the case be appealed, could it go a different direction? Yeah, absolutely. But it’s something to keep in mind, that it’s up to the judge. So your presentation skills may absolutely play into this to a significant degree. I guess that’s the first thing to keep in mind there.

But the other thing about best practices is that in our field, the best practices tend to be general guidelines, not hit… but in a “while standing in this way and holding your left hand in the air”. It tends to be more about process, about quality control, about following a scientifically arrived-at methodology, doing test samples, doing all the things you would do if you were a scientist trying to establish the best way to approach a test or a scientific experiment. It’s that same kind of thing.

So that’s why you’re seeing things like the OSAC. For those of you who may or may not be familiar with that, the Department of Justice, in combination with the Department of Commerce and the National Institutes of Standards and Technology, has recently stood up a group called the OSAC, which is the Organization of Scientific Area Committees, and their job is to develop minimum standards, mandatory minimum standards, for all the forensic sciences. And that includes digital evidence.

So the object here… it’s very early in this process, there’s only been one meeting of this organization so far – it just started within the last year. But the object is to provide the courts, to provide the justice system, to provide the community at large with some well-researched, scientifically-approached minimum standards for competencies, process, avoidance of cognitive bias, all these other things that come into evidence in science. So it’s one of those things that’s being established to try to address the best practices. In the meantime, while that’s working, you can find best practice guides from places like ASTM or from the scientific working groups on digital evidence, on imaging technologies, or some of these other non-vendor, non-certifying bodies that are trying to just develop scientific best practices.

Brandon: Let’s come back to those items in just a moment, because while you were talking—

Herbert: May I speak up on that?

Brandon: Give me just a second, Herbert. I want to come back to those processes and what constitutes a best practice in just a moment. Because I want to touch on something that Andrew said at the beginning, which was around the education of the court, and that the judge has the decision, and that sometimes it comes down to your presentation skills. Because we had a question come in from the audience about: How much of this is really an educational process for either the judge or the rest of the legal system? How much do you rely on things like props, analogies, to kind of bring them forward and to educate them on what you, as an expert, already know? And Herbert, I’d like to take that one to you, and then we can come to the comment that you had at the end of Andrew’s last bit.

Herbert: Sure. It actually overlaps. A couple of things… to answer your question. I’m going to focus just a second on a Frye hearing, or a Frye challenge or a Daubert challenge. If the opposing counsel thinks that you are not qualified for whatever reason, then the focus is not on your conclusion. It’s not “Did you get something right? How accurate was your conclusion?” That’s not the focus of a Frye or a Daubert challenge. It’s the methodology or procedure. They really do not look at your conclusion; they look at the methodology. It’s like, “Okay, we know what you got, but we want to know how you got there. That’s more important.”

So then, like what Andrew was saying, it is the judge’s discretion about whether to allow something in or not. And here’s the standard for that: a judge – shouldn’t surprise you – a trial judge has broad discretion on admitting or excluding evidence, or admitting or excluding expert testimony. So what is at issue – and this is a 1997 Supreme Court case, it was called [Joiner] – but what’s at issue is what is the standard of appellate review when a trial judge incorrectly admits or denies an expert testimony?

So the issue is if a trial judge improperly denied an otherwise qualified expert, or improperly allowed an expert that shouldn’t have testified, what or how does the appellate courts review that? The appellate court says that there’s what’s called a zone of disagreement. Even if the appellate court could say that “We disagree with you, Mr or Mrs Trial Judge, but since you gave a good reason for that, we’re not going to overturn your decision – even if we disagree with it – as long as it was reasonable.” So on the other hand, if the reason why you excluded something or someone, or admitted something or someone, then if it was an abuse of discretion – and that’s actually the standard of review, is abuse of discretion – as long as you didn’t abuse your discretion, we won’t overturn that.

So yes, right or wrong, there’s a lot of latitude for a judge, and that really underscores how important it is when you’re presenting something, you need to not only sound authoritative, you need to be authoritative. In fact, before I testify as an expert witness, I will always have a list of suggested direct examination questions for the attorney that retains me. Because I know what needs to be brought out in, number one, my credentials, and number two, how my expertise objectively analyses the data. So that’s a very important thing for y’all, to have a list of suggested direct examination questions, because you, as an expert, will know more than the attorney that retains you – because that’s why he or she retains you. So have a list of suggested direct examination questions.

Brandon: Great point. Let’s shift gears just a little bit, Herbert, because I want to talk about where this [gratification], shall we say, of expert comes into play, between consulting, rebuttal, and testifying. Can you give us some understanding a little bit there?

Herbert: Sure. There is a factual and legal distinction between a testifying expert, a rebuttal expert, and a consulting expert. For example, my partner and I, we were consulting experts to the defense team in the State of Florida versus George Zimmerman. There, we were consultants, we were the experts as far as the defense team was concerned, to evaluate what the state was doing. So we provided as much information as the defense team needed. So a consulting expert is just that – a consultant. And generally speaking – there are exceptions, but generally speaking – the work product, or the communications are not discoverable as long as you are not testifying.

A rebuttal expert witness is just that: you are an expert to rebut something if it comes up. There are some procedural differences – like I think there’s 90 days… you have to give notice, if you’re a testifying expert, 30 days if you’re a rebuttal… But that’s nothing you really need to worry about. If you’re a rebuttal witness, then you’re just sitting there, waiting for one particular topic to come up. If they bring up that topic, then you can rebut it. If they don’t bring it up, then you can’t testify, because there’s nothing to rebut.

But when somebody thinks of an expert witness, it’s usually a testifying expert witness, and again, 702, Federal Rules of Evidence 702, that’s usually the base guideline of what goes in or what goes out. And keep in mind, that works both ways. Use 702 to know if your qualifications fit into that case, but likewise, there’s so often the battle of experts – make sure that when you look at that other expert, you do the same criteria that I assure you opposing counsels do to you. It’s pretty much the old showdown list of 702.

Brandon: So Andrew, in your background, we had some interesting questions about this concept between a testifying versus consulting expert. Is there a time whereby you look at your incident response process and say, “We might need to bring in somebody who could be that consulting expert in this?” or perhaps bring in an outside individual to be that, say, testifying expert when you start to collect the evidence itself?

Andrew: That’s a really good question. A lot of that is going to have to do with how your team and how your incident response is set up. I know a lot of [cert] programs inside organizations do rely on outside people to be the actual responders from a forensics gather standpoint, and in that case, you would want to make sure that the people on that team that you select could also provide testimony if that was necessary. If you have a totally internal team, then you probably need to be investing as much effort in making sure that their technical chops and their tools and everything are up to speed. Additionally, you need to invest in making sure that they are capable of performing as an expert witness. This is not just…

You do have to be able to get qualified as an expert witness, but you also have to be able to survive what can be a little bit of a brutal process. The opposing counsel is not interested in you having a nice day. What he’s interested in is seeing if he can rattle you and get you to say something that causes them to question either something you said before or something you’re trying to assert as a fact. And it’s not a fair process, it’s not necessarily a fun process, and you’re kind of sitting there all by your lonesome, letting this guy verbally come after you.

And it takes a little bit of confidence, a little bit of a skill set to be able to sit there and stay calm and just answer factually, and stay on track. And that’s as important, in my opinion, if somebody is going to end up on the stand, as the technical aspect. Because I’ve seen brilliant people get up there and just get browbeaten, to the point where they couldn’t put a coherent sentence together.

Brandon: You know, it sounds a little bit like a Senate confirmation hearing, the way you describe it, Andrew. Let’s shift gears a little bit, and for folks who may have to go through this process, what kind of preparation usually comes along with this? We heard Herbert talk about how he helps to kind of coach his counsel on some questions to bring about his expertise in the discussion. But what kind of… you mentioned some of the soft skills. What’s the preparation like around this, and what can people do to make it a more pleasant experience?

Andrew: Well, I’m going to second, first of all, what Herbert said, about write the questions for the attorney. You want to get up there… because you don’t get to sit up there and they say, “Okay, tell us the story.” No, you have to respond directly to questions. So you don’t get to go off on a narrative. You have to have your attorney equipped with the right questions to ask to tell the story or bring the evidence in in the proper way. So you want to make sure that it goes A to B to C to D, and that all those steps are laid out. You want to script that as much as possible.

And there’s two reasons: one, you want to make sure you’re communicating effectively, and the best way to do that is to tell the story of your investigation or to tell the story of your process. And the second thing is if there are any things that you have decided the opposition may try to attack or leverage on, you want to get as much of your version of that… if you’re trying to be very clear on a certain point, or whatever it is, you want to make sure that that comes out in the initial narrative. But other than that, when I’m helping people prep for this kind of thing, there are a couple of things I try to point out. Don’t drink too much coffee, you don’t want to be jittery and jumpy up there. Always take a breath after you’re asked a question – you take a deep breath and you just think about it for a second. Nobody is going to really be in a super hurry here except you. Because you want it to be over. So you just take a deep breath, and as clearly and confidently as you can, answer the question. I also make it a point to make eye contact with the judge, the attorney who’s asking me the question, and the other attorney, during the answer. So you’re trying to appear open, you’re trying to appear confident, and you’re trying to remain calm. And if you get in the habit of taking that breath before you respond, it helps you get in a rhythm where it’s hard for the cross-examination to shake you.

Brandon: That’s some very, very pragmatic and very real-world advice. [indecipherable] hearing you in the background I almost got an “Amen!” from the congregation on that.

[laughter]

Brandon: What would you like to add to Andrew’s commentary there?

Herbert: That is exactly right, because keep in mind, if you’re testifying, the opposing counsel is not there to highlight your credentials or your qualifications. Opposing counsel, like Andrew said, is going to try to trip you up, because your credibility is at stake. So if you’re not credible, even though you did everything correctly, then the jury will weigh that accordingly. But let me just add one other facet to this.

Everything Andrew said is exactly correct. But let’s go back to just in case somebody is challenged in a Frye hearing or a Daubert hearing. That’s a little bit different. That is not in front of the jury, that is just in front of the judge, where one side says, “Yes, my expert is qualified to testify, Your Honor. You should allow him to testify at trial.” And the other side is saying the exact opposite. So number one, the first thing is the proponent of that expert has the burden of proving to the court, by preponderance of the evidence, that he or she is qualified to testify. And that is actually a high burden, because… I’ve been Daubert challenged one time. And that was literally the entire day.

You’re pretty much on the hot seat, explaining… again, the focus is not… you’re only being challenged because they don’t like your results. So then you’re going to be challenged on, “Okay, we know what your results are. We want to know how you got there. We don’t think your methodology or your principles are either generally accepted or they’re reliable.”

So the whole focus in a true Frye hearing or a Daubert challenge is pretty, again, not on the conclusion or the correctness of your conclusion, but your methodology that you use, the principles that you use. And you’re going to… you may be spending hours on the stand, defending… just like what Andrew said, a scientific approach to the evidence. Well, what was your scientific approach? Is this pretty much the industry standard? How long has this been happening? Is this methodology you’re using, did you just prepare this for trial or do other people use this? It’s all these types of questions, to show that your methodology is either generally accepted, if you’re in a Frye jurisdiction, or your methodology is truly reliable in a legal sense if you’re in a Daubert jurisdiction.

I can see how Andrew’s trick about taking that deep breath before answering the question would definitely help. One, it allows you to collect your thoughts, but two, this is a pretty vicious and somewhat antagonistic process, and I think just having that calming moment so that they don’t get you riled, so you don’t make a mistake in your testimony, is going to be critical.

Brandon: Sounds like this is definitely a tricky, tricky path here. We have about 14 minutes left. We’ve had a number of questions coming in, all great stuff. Keep them coming, folks. I want to shift towards more on this personal side… and Andrew, in your experience, what do you think is really the hardest part about becoming one… you know, trial by fire, shall we say, or having done it in the past, and continuing to have to do it, with regards to being an expert witness.

Andrew: Well, early in my career, the hard part was that the first question an attorney asks you is “Have you ever testified before?” And if you’re in a position like me, where I’m a consultant, the first case is usually the hardest one to get. Because nobody wants to put an untried expert witness on the stand to see if they have the personality and the preparation to deal with the pressure. So that’s part of it, right there.

The other part of it is if you’re a computer expert, an information security expert, or forensics expert, whatever it happens to be, chances are your training had very little to do with being cross-examined by somebody who’s in your face and being very unpleasant. You don’t get training in this unless you arrange for that training yourself. It’s not something you get in school, it’s not something that’s part of any of the major technical certifications. I believe they do some of that in the CFC certification, which Herbert has, certified forensic consultant. But it’s something that, if you’re going to be a testifying expert, you probably want to find some way to get some of this role-playing experience so you kind of know what to expect.

The other thing that I would suggest – if this is a route that somebody is going to go – is make sure you understand what the whole process is. As Herbert brought up, a lot of this stuff happens before the actual trial. And in fact, it’s been my experience that as an expert, you spend a lot more time doing affidavits or depositions or evidentiary hearings than you ever spend in a trial. So you’re involved much more at the beginning of the process, and an awful lot of civil cases settle, that are some agreement reached before a resolution is reached by a jury or by a judge.

So your involvement in it may not go all the way through, and in fact probably won’t, in my experience. There’s much more that happens on the front end of that.

So understanding that whole process and what your role is all the way down the line, and what it’s going to take from a technical aspect, is pretty important. We see a lot of places that have great information security programs. They have great programs for detecting intruders, for repairing systems if somebody gets in and does some damage, and all these kinds of things, but they have very little policy and procedure in place for dealing with the legal process that may come next.

Brandon: Um-hmm. No, and I don’t think you would want to discount the amount of potential distraction that this could be as well, with all of this precursor and prep work. Herbert, based on what Andrew was saying there, what do you feel is perhaps the most trying or difficult aspect of becoming an expert witness?

Herbert: Yeah, obviously, good question. A couple of things come to mind. It’s probably intuitive, and y’all apparently all know this, but I don’t think I can emphasize this enough – remember that an expert witness, by definition, is not an advocate like an attorney. An expert witness is unbiased and objective. So to come across credible to a jury, make sure what you’re doing appears as you’re being objective, you’re not fighting for your client, you’re being very objective – that’s very important, to come across as unbiased and objective.

And another thing – and I’m sure y’all know this – but another thing is that there are very few cases that are slam-dunk, smoking gun type of thing. So I always – and I’m sure y’all do this too – I always, whatever the shortcomings in this particular case as far as I’m concerned, I make sure the attorney knows that. Because it’s always better – at least I think so – I’m not really a litigator, but I think it’s always a better idea for you to bring up the shortcomings or the cons in the case, rather than the other side. So just as a practical matter there.

Brandon: Yeah, very good advice. Gentlemen, we’ve only got about eight or nine minutes left. Before we go through and kind of go back and forth between us about maybe some lessons learned and such from this conversation, or highlights, I have one final question that I want to ask from each of you. This one comes from the audience, and it’s a very good one.

As you are well aware, the professional community that comprises (ISC)2, people are making substantial career-based decisions both in seeking a certification, additional certifications beyond the CISSP and others. The question that came in was: in choosing to go down this path as being an expert witness in cases, how has this impacted your career and your reputation? And Andrew, I’d like to start with you on that one.

Andrew: Well, I come from the generation of forensic practitioners that didn’t go to school… or even get out of school and think they would ever end up in forensics. It’s just one of those things that happens. And it was the same thing that occurred in terms of being an expert witness. It was one of those things where I was working on the career, and on making sure I was good at my job and that I was perfecting my craft, and the expert witness part of it came later. So if you have in your mind that you want to be an expert witness, I would go back to the first part – work on your craft, make sure that from a scientific standpoint and from the perspective of being able to defend your processes, and approaching this, as Herbert said, as an objective thing, not “On behalf of my client I’m going to get this guy.” No. It’s “From a scientific perspective, I’m going to analyze this and develop the evidence.” Work on that aspect of it, as much as you do anything else.

Yes, learning how to testify and getting some experience, in terms of mock trials or anything like that is all very important, but it has more to do with making sure that you have this professional skill set, and that’s required for whatever aspects you’re going to be an expert witness on. So that would be my perspective on it.

Brandon: How about you, Herbert?

Herbert: Yeah, I completely agree with that. And the professional skill sets, usually, that includes the various relevant certifications. So if you’re interested in testifying as an expert witness, you’re probably not far away, because if you have the foundation, then it’s more of a kind of a procedural thing to testify as an expert. Because like Andrew said at the beginning, forensic just means the application of science in the courtroom. Y’all are already scientists, so now we’re just going to funnel that into the courtroom.

And again, if there was any take-home message from me, just go down Federal Rules of Evidence 702. Those are all your criteria, if you will, for you in that particular case. And likewise, if there is an opposing expert, same thing. Look what he or she has done on the other side, because if their conclusions are different than yours, and y’all are both in the same area, then the natural tendency to think is, “Hey! Well, they’re wrong!” Well, you can prove that they’re wrong… is go down 702, and just pick out what was deficient in their testimony, and if it’s very deficient, then suggest that the attorney do a Frye or Daubert challenge. But if they’re otherwise qualified, then it’s just a battle of the experts, and that’s where your questions… you can also give a list of suggested cross-examination questions based on what you know about the other expert’s methodology or data.

Brandon: A very interesting point about assisting [indecipherable], it’s really a teamwork effort, you’re not the only one there, though you may be the only one testifying in that case. Good advice.

Gentlemen, it’s been a great conversation. I personally have learned an awful lot from the two of you, and I really appreciate that. Before we conclude today’s event though, I want to go back and forth with each of you. If there’s something in particular that we touched on and maybe didn’t go deep enough with that you’d like to leave people with, perhaps an additional resource that we mentioned, that you want to reinforce, or maybe it’s something we didn’t touch on but you think it’s a critical element of our conversation today, that you’d like to leave the audience members either live or on the archive with. Andrew, I’d like to toss the baton over to you first.

Andrew: Sure. One of the things that some people in our profession, whether it’s forensics or information security or whatever it may be, may be slow to pick up on is that if you’ve been in this community for a while, if you’ve been doing this work for a while, if you have been in the trenches, so to speak, for a good part of your career, then you probably are in a position to contribute to what is considered best practices or the body of knowledge that being an expert or expert testimony would be based on in the first place. So there are places for you to be involved, in your professional community, not just as an expert testifying witness, but as part of the community that decides what a reliable process is, that decides what best practices are.

So I would encourage everybody, if you see yourself as a professional in your field, to get involved in that aspect of it as well, not just the testimony, but in deciding what the standards should be, and in investigating what a new way to present evidence is, or to discover evidence, or to process evidence. So I would encourage involvement at that level, because look to your left, look to your right, one of you is the expert. Might as well be you.

Brandon: [chuckles] Great point. Herbert, what kind of closing thoughts would you like to leave folks with today?

Herbert: Yeah, exactly, those were very good points. Just keep in mind that… again, I just can’t emphasize enough about: just know Federal Rules of Evidence 702. And like Andrew was saying, you, each one of you, make up the relevant scientific community. So you can be active and proactive within that relevant scientific community. And one last thing – this is not splitting hairs here – 702 says, among other things, about the relevant scientific community. But just because if your methodology is not within the generally accepted relevant scientific community… as long as your methodology is employed by a minority of recognized scientists, then that’s okay too. If anything, the take-home message from me is just know 702, be objective, be confident, but also know the weaknesses of your case, and make sure, obviously, the attorney that retained you knows that as well.

Brandon: Great advice from both of you gentlemen. It has truly been a pleasure to have you on today. I think this is just a fantastic topic, one that’s very germane to our profession, especially now, in today’s litigious society. I want to thank you both for the time in both preparing for this, but also time out of your busy day today to join me. Our audience members, please take a moment, let us know how we did. How is this From the Trenches program shaping up for you? And give us your comments, not just a ranking, but let us know what we can do to make these better, or what you really enjoyed or really liked about this one. We take your feedback very seriously, and use it to continually improve these educational opportunities for you.

Well, that’s all the time we have, unfortunately. It’s been a pleasure having our guests on today, and interacting with you out there in the audience. Until next time – I look forward to continuing the conversation. Take care.

End of Transcript
