Digital Forensics - PowerPoint PPT Presentation

1
Digital Forensics
  • Dr. Bhavani Thuraisingham
  • The University of Texas at Dallas
  • Expert Witness and Report Writing
  • October 3, 2011

2
Outline
  • Selecting and preparing an Expert Witness
  • 10 Mistakes an Expert Witness makes
  • Example expert witness
  • Example expert witness report
  • Report Writing for High-tech Investigations
  • Reference: Chapters 14 and 15

3
Selecting and Preparing an Expert Witness
  • Reference
  • 1. The initial interview.  The first contact with
    the expert is usually over the telephone.  You or
    your paralegal should at the outset establish the
    expert's familiarity with the general subject
    matter.   You should also ask about his or her
    experience with testifying in general, as well as
    testifying on the subject of the litigation at
    hand.  Finally, you should check for conflicts of
    interest.  Never review the facts of the case or
    postulate strategies and initial theories before
    you mention the names of the other parties and
    attorneys.  Since you may not be able to use the
    expert, you do not want to take the risk that the
    expert will call opposing counsel and reveal
    information learned from you.

4
Selecting and Preparing an Expert Witness
  • Reference
  • 2.  The personal meeting.  Most professional
    experts are willing to spend an hour meeting with
    an attorney before being hired so that the
    attorney can get a feel for their abilities and
    expertise.  They will bill for this time only if
    hired. Clients also should be encouraged to
    attend these meetings.
  • At this meeting you should question experts
    thoroughly regarding any history of complaints or
    claims filed against them.  Better to find out
    now than at deposition or trial.  You should
    listen carefully to determine if the expert
    speaks with spirit and conviction.  You should
    also discuss the expert's previous testimony on
    the subject matter of the current litigation. 
    Has the expert ever taken a position--either in
    writing or in speaking publicly--that could be
    viewed as inconsistent with the opinion you
    expect the expert to give on your client's behalf?

5
Selecting and Preparing an Expert Witness
  • Since there is no way to anticipate all the
    questions on cross-examination, you will want an
    expert who can extemporize.  Some attorneys ask
    an unexpected question at the interview to test
    whether the expert can think quickly and give a
    persuasive, consistent answer.  Others pose a
    complicated hypothetical to see if the expert can
    follow the facts presented and respond in a
    meaningful manner.
  • You must also consider the future availability of
    the expert.  Ask about the expert's general
    health, plans to move from the area, or
    scheduling of extended vacations.

6
Selecting and Preparing an Expert Witness
  • Other general considerations include selecting
    the right type of expert.  What kind of expert is
    most likely to persuade the trier of fact in your
    case?  A retired veteran with impressive
    credentials?  An academic whiz with teaching and
    publishing credits?  Or an active practitioner
    with field experience?  You will want to choose
    an expert old enough to have significant
    experience in his or her field but young enough
    to be receptive to and aware of current
    developments.  The parties' ages should also be
    considered.  For example, it may be more
    effective to use an expert who is a contemporary
    of an older defendant to testify as to the
    defendant's breach of a standard of care.

7
Selecting and Preparing an Expert Witness
  • 3.  Pleadings.  Make sure pleadings are
    consistent with the testimony you desire from
    your expert.  For example, the judge will not
    permit questions about standard of care if
    negligence has not been pleaded.
  • 4.  Preparation. Always preview the questions to
    be asked on direct examination and establish with
    the expert whether you prefer a quick exchange of
    question and answer or narrative answers.  If you
    ask a question for which the expert has not been
    prepared, you run the risk of flustering your own
    expert and thus undermining his or her
    credibility.

8
Selecting and Preparing an Expert Witness
  • 5.  Deposition.  At a deposition, both sides can
    observe the expert's demeanor, ability to respond
    to new questions, and ability to think on his or
    her feet.  These observations will help determine
    whether a party will be amenable to settlement
    or will want to press forward to trial.  Thus,
    the expert's performance at a deposition is vital
    to the interests of your client.  Your expert
    should be instructed to dress as a professional,
    maintain eye contact with the examining attorney,
    speak firmly, and sit erectly.  If you find your
    expert is volunteering too much, is not being
    responsive to the questions, or is using body
    language or a voice tone that reveals a lack of
    confidence, you should not hesitate to ask for a
    recess.

9
10 Mistakes an Expert Witness Makes
  • Reference:
    http://expertpages.com/news/ten_biggest_mistakes.htm
  • 1 - Waiving the Reading and Signing of the
    Deposition Transcript
  • At the start of most depositions, counsel will
    agree on stipulations. One of the most common
    stipulations is that the deponent waives the right
    to read and sign the deposition transcript.  The
    expert who is interested in accuracy should not
    agree to this waiver lightly.  Experts who agree
    to waive the reading and signing are agreeing to
    a document's accuracy with their short testimony
    without even seeing the document.
  • Lesson: You have a right to read and sign your
    deposition.  You shouldn't let counsel waive that
    right unless you want to.

10
10 Mistakes an Expert Witness Makes
  • 2 - Failing to Take Breaks
  • Experts routinely fail to ask for and take a
    break when they need to or when they would
    benefit from a break in the proceedings.
  • Lesson: Ask for a break or recess any time you
    want one, need one, or feel that it will help you
    collect your thoughts so that you can return
    reinvigorated.
  • 3 - Conference with Counsel
  • Experts often fail to obtain an in-depth meeting
    with the counsel who has retained them.
  • Lesson: Ask for and obtain a meeting with counsel
    to review the types of questions you will be
    asked, the pertinent legal standards, your file
    for work product and privileged information, and
    an update on the current status of the pleadings
    and litigation.

11
10 Mistakes an Expert Witness Makes
  • 4 - Your Curriculum Vitae
  • Experts often bring a curriculum vitae to the
    deposition which is not accurate and is not
    up-to-date.
  • Lesson: As part of the preparation process, it
    is crucial for experts to update and fact-check
    the accuracy of their CVs carefully. Failure to
    do so can result in needless damage to your
    credibility that could have been easily avoided
    through proper preparation.
  • 5 - Sanitizing Your File
  • Experts attempt to hide damaging documents and
    notes by removing them from their file.  This is
    a serious logical and strategic mistake.
  • Lesson: Any attempt by the expert witness to
    "sanitize" his/her file is improper.  Such an
    attempt will frequently make the expert look bad
    in the eyes of the judge or jury.  A single act
    of removal of documents from a file can
    completely destroy the credibility of an expert
    witness.

12
10 Mistakes an Expert Witness Makes
  • 7 - Billing and Collecting
  • Experts wait until after the deposition is
    concluded to bill and attempt to obtain payment
    for their time and expenses.
  • Lesson: Most experienced expert witnesses
    strongly recommend that experts be paid prior to
    giving a deposition.  This is the only way to
    guarantee collection of your fees.  The expert
    who does not demand payment in advance will run
    the risk of late payment, no payment, and/or
    collection problems with counsel.
  • 8 - Losing Your Temper
  • Experts are pushed into losing their temper by
    counsel's questioning.  This is always a serious
    mistake.
  • Lesson: Do not allow yourself to be goaded by
    counsel into losing your temper.  If you lose
    your temper, you will give an emotional response
    to a question. Such an emotional response will
    not be carefully considered and will come back to
    haunt you.

13
10 Mistakes an Expert Witness Makes
  • 9 - Volunteering Information
  • Experts seek to help counsel by volunteering
    information to help "clarify" the issues.
  • Lesson: Volunteering information can be one of
    the biggest mistakes an expert makes at
    deposition.  An expert should answer only the
    questions she is asked and not volunteer
    information.  The volunteering of information
    will almost always result in new lines of
    cross-examination.  It may also disclose
    information to which counsel otherwise never
    would have become privy.

14
10 Mistakes an Expert Witness Makes
  • 10 - Videotaped Depositions
  • Experts act in the same manner for their
    videotaped deposition as they would for one that
    is recorded by a stenographer.
  • Lesson: Experts need to look and sound good for
    their videotaped deposition.  I recommend the
    following:
  • Practice with counsel with a videotape camera
  • Dress conservatively
  • Look directly into the camera when testifying
  • Avoid long pregnant pauses
  • Handle exhibits so they can be easily seen
  • Use make-up powder (for men, get a close shave)
  • Avoid eating, chewing gum, drinking, or chewing
    on pens and pencils
  • Turn off pagers, cell phones, and beepers

15
10 Mistakes an Expert Witness Makes
  • Conclusion
  • The single most important piece of advice for
    an expert witness is to tell the truth, simply and
    directly. This cannot be overemphasized.  As an
    expert witness, you have a legal, moral, and
    ethical obligation to tell the truth.  You are
    testifying under oath.  Experts who tell less
    than the truth run the risk of criminal
    prosecution for perjury, civil suits for
    negligence, and revocation or suspension of their
    professional licenses.  Experts who do not tell
    the truth are discovered and discredited
    eventually.
  • Experts who are aware of the above mistakes and
    take the appropriate action to avoid them are
    well positioned to succeed during depositions.

16
Example Expert Witness: Robert Boyell
  • Reference: http://www.spectrum.ieee.org/apr08/6089
  • IEEE Spectrum, April 2008
  • Boyell, an IEEE senior member, has a bachelor's
    degree in electrical engineering, a master's in
    applied science, and an MBA. It all testifies to
    a generalist's training that he says finally made
    him "a dinosaur in the defense industry."
  • It turned out, however, to be the perfect
    background for a forensic expert. "I still use
    things I learned as a college freshman and
    sophomore," he says. "Heat transfer, mechanical
    advantage, electricity, and magnetism, but
    applied to real-world problems."

17
Example Expert Witness: Robert Boyell
  • "To make it in this business, you have to know a
    lot about something and a little about nearly
    everything else. Qualifications have become more
    demanding for experts, as criteria for what's
    admissible as evidence have tightened up," says
    Marvin Specter, executive director of the
    National Academy of Forensic Engineers. Some
    states require that experts have professional
    licenses.
  • In 1978, after 20 years developing acoustic
    tracking and electronic warfare systems in
    Philadelphia, Baltimore, and New York, Boyell got
    his first taste of forensic work when an
    attorney tapped his expertise for a case
    involving civil radio communications. He turned
    the gig into a regular sideline, consulting with
    clients after work and during personal and
    vacation days. Finally, in 1998, he became a
    full-time, self-employed consultant.

18
Example Expert Witness: Robert Boyell
  • Forensic experts can earn as much as lawyers.
    Boyell charges $200 an hour, working anywhere
    from 20 to 80 hours a week, though only about
    half the time he spends on his business is
    billable. There's marketing, advertising,
    bookkeeping, professional seminars, and other
    overhead.
  • The work is not to everyone's taste. Even before
    testifying, a forensic engineer must undergo a
    rigorous oral examination by the court to
    ascertain his level of expertise in the
    pertinent subject matter. Then he gets grilled
    by lawyers for the opposing side.
  • "If an adversarial lawyer can't demolish your
    technical argument, he will attack your personal
    credentials," Boyell says. "You have to be
    prepared to defend everything in your life
    that's been on the public record, even this
    article. It feels like a combination of
    defending your thesis and interviewing for a new
    job. But there's a real satisfaction in knowing
    you contributed to the resolution of a
    contentious matter," he adds.

19
Example Expert Witness: Robert Boyell
  • However, unlike cases in the television show
    CSI, real-world cases don't always end neatly.
    "It starts as giving advice, then writing
    reports, and ultimately, you might be deposed or
    take the stand during a trial. Sometimes that
    process can take years, and then it's usually the
    big-money suits and criminal cases. But that
    happens in a fraction of the cases. Usually, my
    report ends the matter."
  • An expert must put his client before himself but
    his professional ethics before even the client.
    His first duty is to the truth. In one case,
    Boyell was hired to prove that a hardware defect
    caused an electrical fire. Not only did he find
    no evidence of a defect, but he uncovered an
    errant extension cord that suggested the hardware
    in question wasn't even involved.
  • "If my findings are adverse to what my client
    wants me to tell them, that's the end of the
    job," he says. "But my real job is to stay
    objective."

20
Sample Report by a Forensics Expert
  • Computer Forensics Report
  • Pat Smith, Acme Industries
  • Investigator: Chris Simone
  • christophersimone@gmail.com
  • 11/5/06
  • Investigator Information
  • The following report was conducted by Chris
    Simone. My job is to take the evidence presented
    to me and deliver facts that would seem relevant
    to the case. The evidence being reviewed has
    been collected by a previous investigator and
    verified to be unaltered. Any questions or
    concerns pertaining to the acquisition of the
    evidence can be found in his/her report.

21
Sample Report by a Forensics Expert
  • Case Description
  • Acme Industries' Pat Smith is being investigated
    under the fear that he may be offering
    proprietary company information to a competitor
    in exchange for a job.
  • Computer and Forensic Tool Statistics
  • The computer was removed from its position in
    ACME Industries at 4/12/04 8:27:03 PM, where it
    was carted out to a nearby secure forensics
    facility. Once settled at the forensics lab, the
    hard drive was imaged to begin the research and
    testing. The image of the hard drive was tested
    using the program EnCase Forensic Edition Version
    4.17b by Guidance Software. This program has
    been proven in a court of law to provide valid
    and accurate results when scanning and analyzing
    a system.

22
Sample Report by a Forensics Expert
  • Investigation
  • The following was the procedure that I took to
    extract what data I found to be relevant to the
    case.
  • I created a new case called Case Study. I added
    to this case the already captured image file
    (C:\forensicsfile\winlabencase.image) by going to
    File → Add Device, clicking Sessions, and
    clicking on Add Evidence File.
  • With the case loaded I immediately set the time
    zone by right-clicking on the image → Modify Time
    Zone. From the following screen I selected the
    time zone that I was working in. This is done to
    adjust the evidence so that it all correlates in
    the same time zone.
  • The next step was to recover any hidden or
    deleted folders on the system. Doing this step
    now would allow my searches to be more complete
    in the future and determine if there were any
    actions taken to hide or destroy evidence. In
    order to do this I right-clicked on the image →
    Recover Folders.

23
Sample Report by a Forensics Expert
  • I ran a script next to determine the
    specifications about the computer because I had
    not been the one to create the image from the
    suspect machine. The script comes preloaded into
    EnCase V4. I went to View ? Scripts and selected
    the Initialize Case script which prompted me to
    enter information of the investigator and person
    conducting the examination. Once the information
    was entered the script asks where I would like
    the data saved. I chose to add it to the
    bookmark section under the folder Encase Computer
    Analysis Report. I also needed to check which
    information I would want present. I chose to
    display the Windows version and registration,
    time zone settings, network information, user
    information, and last shutdown time. The report
    generated can be found on the following page.
    The important information pulled from the report
    is that the machine is running a FAT16 file
    system with Windows XP. The total capacity of
    the partition is only 22MB. Now that this
    information has been discovered I can begin my
    investigation.

24
Sample Report by a Forensics Expert
  • Volume
    File System: FAT16
    Drive Type: Fixed
    Sectors per Cluster: 1
    Bytes per Sector: 512
    Total Sectors: 45,360
    Total Capacity: 23,023,616 bytes (22MB)
    Total Clusters: 44,968
    Unallocated: 13,872,128 bytes (13.2MB)
    Free Clusters: 27,094
    Allocated: 9,151,488 bytes (8.7MB)
    Volume Name: NO NAME
    Volume Offset: 0
    OEM Version: MSDOS5.0
    Serial Number: 30E0-8F46
    Heads: 240
    Sectors per Track: 63
    Unused Sectors: 12,292,560
    Number of FATs: 2
    Sectors per FAT: 176
    Boot Sectors: 8
  • Device
    Evidence Number: Lab5 image
    File Path: C:\forensicsfiles\WinLabEnCase.image.E01
    Actual Date: 04/12/04 08:27:03PM
    Target Date: 04/12/04 08:27:03PM
    Total Size: 23,224,320 bytes (22.1MB)
    Total Sectors: 45,360
    File Integrity: Completely Verified, 0 Errors
    EnCase Version: 4.17b
    System Version: Windows XP
    Acquisition Hash: F70C5FFF082E526A368E2C0A13ABB093
    Verify Hash: F70C5FFF082E526A368E2C0A13ABB093

25
Sample Report by a Forensics Expert
  • Daylight Saving Time settings
    Hour | Day of Week | Week of Month (5 = last) | Month
    Daylight start: 2 | Sunday | 1 | 4
    Standard start: 2 | Sunday | 5 | 10
  • Time Zone Settings (minutes)
    Time Zone Bias: 300
    Daylight Bias: -60
    Standard Bias: 0
  • Time Zone: (GMT-05:00) Eastern Time (US & Canada)

26
Sample Report by a Forensics Expert
  • My first task was to compile a list of keywords
    that I would need to search the file system for.
    Knowing what words to start searching on could
    help me eliminate loads of irrelevant data. The
    list contained the following: ACME Industries
    (ACME and ACME Industry as different variations
    as well), Raytheon, Boeing, and promotion. With
    this list in hand I created a keyword list by
    clicking on View → Keywords. I right-clicked
    Keywords → Add New Folder. I named the folder
    PSmith Keywords. Once the folder was created I
    could right-click the PSmith Keywords folder →
    Insert Keyword List. The list box gets stored
    with the keywords previously mentioned. The new
    keywords were then selected and a search was
    performed by going to Search at the top. The
    search was done under the following criteria:
    search each file for keywords, search file slack,
    and selected keywords only. The table below
    shows the numerical results of the search.
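The keyword search above scans raw bytes rather than the file tree, which is what lets it find hits in file slack as well as in allocated files. The following script is an added example written for this page, not the report's or EnCase's code; it runs the report's keyword list over a constructed six-sector image, matching ASCII and UTF-16LE forms case-insensitively, and reports each hit's byte offset and sector.

```python
"""Raw keyword search over a disk image, modelled on the EnCase keyword search
the report describes (search each file, search file slack, selected keywords
only). Added example; not the report's or EnCase's code. Scanning the raw image
bytes is what lets hits in file slack and unallocated clusters surface."""
import re

SECTOR = 512
# The same keyword list the report used; matching is case-insensitive.
KEYWORDS = ["acme industries", "acme industry", "acme",
            "raytheon", "boeing", "promotion"]


def build_patterns(keywords):
    """Compile one regex per keyword matching its ASCII or UTF-16LE encoding.
    Windows keeps many artifacts (registry, index.dat, some mail stores) in
    UTF-16LE, so an ASCII-only search would miss them."""
    patterns = {}
    for kw in keywords:
        ascii_form = re.escape(kw.encode("ascii"))
        utf16_form = re.escape(kw.encode("utf-16-le"))
        # IGNORECASE on a bytes pattern folds ASCII letters; the UTF-16LE form
        # is ASCII letters interleaved with NUL bytes, so the flag covers both.
        patterns[kw] = re.compile(b"(?:" + ascii_form + b")|(?:" + utf16_form + b")",
                                  re.IGNORECASE)
    return patterns


def search_image(image, keywords=KEYWORDS):
    """Return {keyword: [(offset, sector), ...]} over the raw image bytes.
    Keywords are counted independently, so 'acme' also counts every
    'acme industries' hit, just as in the report's Search Summary."""
    patterns = build_patterns(keywords)
    return {kw: [(m.start(), m.start() // SECTOR) for m in pat.finditer(image)]
            for kw, pat in patterns.items()}


def search_summary(results):
    """Rows of (hits, keyword), the shape of the report's Search Summary table."""
    return [(len(hits), kw) for kw, hits in results.items()]


def build_sample_image():
    """Constructed six-sector image (test data, not real evidence):
    sector 0  allocated file content (a saved e-mail draft)
    sector 1  file slack: residue from an earlier file in the same cluster
    sector 3  unallocated cluster holding a deleted UTF-16LE cache entry"""
    img = bytearray(SECTOR * 6)
    draft = (b"From: psmith@acme.com\r\nTo: bconrad@raytheon.com\r\n"
             b"I'd like to offer you some material from my company "
             b"in exchange for a position in your company.\r\n")
    img[0:len(draft)] = draft
    residue = b"ACME Industries project list - do not distribute. Contact: Raytheon"
    img[SECTOR + 100:SECTOR + 100 + len(residue)] = residue
    cache = "Boeing Careers - Job Search".encode("utf-16-le")
    img[3 * SECTOR:3 * SECTOR + len(cache)] = cache
    return bytes(img)


if __name__ == "__main__":
    hits = search_image(build_sample_image())
    for count, kw in search_summary(hits):
        print(f"{count:4d}  {kw:16s} sectors {[s for _, s in hits[kw]]}")
```

Hits in sector 1 fall outside the draft's logical end and would be missed by a per-file search that ignores slack.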

27
Sample Report by a Forensics Expert
  • Search Summary
    Hits | Searched (first and last) | Search Text
    5    | 11/05/06 04:57:01PM | acme industries
    0    | 11/05/06 04:57:01PM | acme industry
    67   | 11/05/06 04:57:01PM | acme
    253  | 11/05/06 04:57:01PM | raytheon
    127  | 11/05/06 04:57:01PM | boeing
    1    | 11/05/06 04:57:01PM | promotion
  • With so many hits for Raytheon and Boeing I
    concluded that I was on the right track. I
    started with the smallest and worked my way up.
    Promotion's results were just a spam e-mail. The
    files found under ACME Industries were project
    files and some e-mail items. At this point I
    was more interested in evidence relating to some
    kind of contact between Pat Smith and Raytheon
    and Boeing. The results from ACME came back with
    4 interesting hits. Amidst the e-mail files were
    4 temporary files found at

28
Sample Report by a Forensics Expert
  • Case Study\Lab5 image\Documents and Settings\PSMITH\Local Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK50.TMP
  • Case Study\Lab5 image\Documents and Settings\PSMITH\Local Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK52.TMP
  • Case Study\Lab5 image\Documents and Settings\PSMITH\Local Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK54.TMP
  • Case Study\Lab5 image\Documents and Settings\PSMITH\Local Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK56.TMP

29
Sample Report by a Forensics Expert
  • These files all contained the message "I'd like
    to offer you some material from my company in
    exchange for a position in your company.
    psmith@acme.com". These files grabbed my
    attention so I made sure to take down the access
    times (all last accessed on 3/9/04 around 11:38
    AM). I took note by bookmarking the four files
    by selecting them and right-clicking → Bookmark
    Files. I created a new folder called TMP Files
    (ACME) and the four were imported there for
    further consideration later. Boeing's results
    were next shuffled through but they were mostly
    HTML files that Pat Smith must have been
    visiting. The bulk of the hits came from
    Raytheon. They were a mix of web files including
    data and content. The web files came from the
    Raytheon website where the company's About and
    Contact pages were visited. Also mixed in were a
    few e-mails to bconrad@raytheon.com. I
    selected a few files which I saved to bookmarks
    in the DBX Files (Raytheon) folder. Two e-mails
    in particular stood out that contained
    information that seemed to relate to this case.
    The following below is where the files can be
    located.

30
Sample Report by a Forensics Expert
  • Case Study\Lab5 image\Documents and Settings\PSMITH\Local Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK50.TMP
  • Case Study\Lab5 image\Documents and Settings\PSMITH\Local Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK52.TMP
  • Case Study\Lab5 image\Documents and Settings\PSMITH\Local Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK54.TMP
  • Case Study\Lab5 image\Documents and Settings\PSMITH\Local Settings\Temporary Internet Files\Content.IE5\WVEXGZIP\WBK56.TMP

31
Sample Report by a Forensics Expert
  • The e-mails were both from psmith@acme.com to
    bconrad@raytheon.com. The following are the
    contents of the two e-mails.
  • From: "Pat Smith" <psmith@acme.com>
  • To: "bconrad@raytheon.com"
  • Subject: A Proposition
  • Date: Fri, 23 Jan 2004 12:06:52 -0500
  • I'd like to offer you some material from my
    company in exchange for a position in your
    company.
  • Pat Smith
  • psmith@acme.com

32
Sample Report by a Forensics Expert
  • From: "Pat Smith" <psmith@acme.com>
  • To: "bconrad@raytheon.com"
  • Subject: My Proposition
  • Date: Fri, 01 Jul 2003 10:04:39 -0500
  • It's been a week since I sent you my proposal.
    Have you had a chance to consider it?
  • Pat
  • The first e-mail was the same information found in
    the temporary files that I had found earlier from
    the results of the ACME Industries keyword
    search.

33
Sample Report by a Forensics Expert
  • I was getting closer and closer to the "when" with
    just the help of the keyword search. I decided to
    take a look at the timeline of the operating
    system, which documents when a file was created,
    accessed, and modified. It places each entry in
    a nice calendar view so an investigator can see
    when there is a surplus of changes. By selecting
    the case I was working on and going to Timeline I
    found that there was heavy traffic on 1/23/04,
    3/9/04, and 3/15/04. Starting with the earliest
    date and moving forward, I examined the data by
    honing in on each date; it gets more detailed
    by hour and minute the closer you zoom in. The
    traffic generated on 1/23/04 was mainly searching
    for a new job through sites like Monster.com and
    Yahoo Jobs, and searching the Raytheon and Boeing
    websites. The web files and cookies that were
    created on this date confirm this; they are found
    at

34
Sample Report by a Forensics Expert
  • Case Study\Lab5 image\Documents and
    Settings\PSMITH\Cookies
  • The files on 3/9/04 and 3/15/04 are the heaviest
    in traffic. They include many cookies and
    website files being created and deleted in
    temporary file space along with the two e-mails
    previously stated above being modified and
    deleted.
  • There were still a few more tests I could
    complete on this test case. One was to go
    through the image Gallery and check the images
    found on the file system. In order to do this I
    had to specify which folders contained images. I
    decided to check the entire case and brought up
    the Gallery view. There were many images from
    the Raytheon website as well as images pertaining
    to finding a new job, adding nothing more than we
    already knew.

35
Sample Report by a Forensics Expert
  • I had found clues on the who, the when, and the
    where but I was still missing the what and how. My
    next step was to run a signature analysis to see
    if any files were still hidden that I may have
    overlooked because their extensions were
    modified. Running a signature analysis takes
    the proper signature that a file should have and
    checks whether it matches up against the extension
    that it actually has. If there is a mismatch it will
    be labeled as such and EnCase will tell me what
    extension it should be. Running a signature
    analysis has me selecting the complete image and
    doing a Search (the same Search as done prior).
    The only option that should be selected is Verify
    File Signatures, with the results saved to
    a bookmark called Signature Mismatch. A few
    files stuck out from the others:

36
Sample Report by a Forensics Expert
  • Case Study\Lab5 image\Documents and Settings\PSMITH\My Documents\Confidential\Project 238x.pdf
  • Case Study\Lab5 image\Documents and Settings\PSMITH\My Documents\Confidential\Project 47x.xls
  • Case Study\Lab5 image\WINDOWS\SYSTEM32\SPOOL\PRINTERS\FP00000.SPL
  • Case Study\Lab5 image\WINDOWS\SYSTEM32\SPOOL\PRINTERS\FP00001.SPL
  • The first two files are project files from ACME
    Industries that were kept in a confidential
    folder with altered file extensions. The last
    two files are printing spools that look like they
    have been altered. The spools correspond to each
    of the first two files being sent to the IP
    address of 192.168.1.106. The Project 238x was
    sent to that address on 3/9/04 and the Project
    47x file was sent on 3/15/04 by the user name
    PSMITH. The IP address is mapped to the HP
    LaserJet 4000 Series PCL6 at ACME Industries.
    Both spool files can be found at
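The signature analysis described on the previous two slides compares what a file's first bytes say it is with what its extension claims. The script below is an added example for this page, not EnCase's code and not the report's; it carries a small assumed signature table, walks a directory, and flags files whose content type contradicts their extension, as happened with the two Confidential project files. The sample tree it builds is constructed test data.

```python
"""File signature analysis, modelled on the EnCase 'Verify File Signatures'
step the report relies on. Added example; not EnCase code and not the report's.
The signature and extension tables are a small assumed subset, enough to show
the technique: identify the type from the leading bytes, compare it with the
type the extension implies, and flag any mismatch with the real type."""
import os
import tempfile

# Leading-byte signatures this example knows, mapped to a type name.
SIGNATURES = {
    b"%PDF-": "pdf",
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "ole2",  # legacy Office container (.xls/.doc/.ppt)
    b"\xFF\xD8\xFF": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",                          # also OOXML (.docx/.xlsx)
}
# Which type names an extension legitimately carries.
EXTENSION_TYPES = {
    "pdf": {"pdf"}, "xls": {"ole2"}, "doc": {"ole2"}, "ppt": {"ole2"},
    "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "gif": {"gif"}, "png": {"png"},
    "zip": {"zip"}, "docx": {"zip"}, "xlsx": {"zip"},
}
MAX_SIG = max(len(sig) for sig in SIGNATURES)


def identify(head):
    """Type named by the longest known signature that prefixes head, or None."""
    best = None
    for sig, kind in SIGNATURES.items():
        if head.startswith(sig) and (best is None or len(sig) > len(best[0])):
            best = (sig, kind)
    return best[1] if best else None


def verify_signature(path):
    """Classify one file: match, mismatch, unknown (bytes fit no known
    signature, e.g. plain text) or no-rule (extension has no expectation)."""
    name = os.path.basename(path)
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    with open(path, "rb") as fh:
        head = fh.read(MAX_SIG)
    actual = identify(head)
    expected = EXTENSION_TYPES.get(ext)
    if actual is None:
        status = "unknown"
    elif expected is None:
        status = "no-rule"
    elif actual in expected:
        status = "match"
    else:
        status = "mismatch"
    return {"name": name, "path": path, "ext": ext, "actual": actual, "status": status}


def scan_tree(root):
    """Verify every file under root; returns {file name: record}."""
    records = {}
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            rec = verify_signature(os.path.join(dirpath, fname))
            records[rec["name"]] = rec
    return records


def signature_mismatches(root):
    """Sorted (name, real type) pairs for files whose bytes contradict their extension."""
    return sorted((r["name"], r["actual"]) for r in scan_tree(root).values()
                  if r["status"] == "mismatch")


def build_sample_tree():
    """Constructed files echoing the report's findings (test data): two project
    files in a Confidential folder with changed extensions, plus honest files."""
    root = tempfile.mkdtemp(prefix="sigdemo_")
    conf = os.path.join(root, "Confidential")
    os.makedirs(conf)
    ole2 = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24
    samples = {
        os.path.join(conf, "Project 238x.pdf"): ole2,                              # spreadsheet renamed .pdf
        os.path.join(conf, "Project 47x.xls"): b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",  # PDF renamed .xls
        os.path.join(root, "readme.pdf"): b"%PDF-1.4\n",
        os.path.join(root, "notes.txt"): b"plain text has no magic number\n",
        os.path.join(root, "photo.jpg"): b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for name, kind in signature_mismatches(build_sample_tree()):
        print(f"Signature Mismatch: {name} is actually {kind}")
```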

37
Sample Report by a Forensics Expert
  • C:\Windows\system32\spool\Printers
  • Just to make sure I had covered all pertinent
    data, I ran two more scripts before completion of
    my investigation. I ran the IE History Parser
    with Keyword Search script to make sure that all
    the websites that I had seen through the cookies
    and temporary web files were actually visited and
    to make sure that I had not missed any others.
    In order to run this script I went to the Scripts
    menu and added the options to add bookmarks,
    create web page and tab-delimited files, and
    search all files. The report did not deliver any
    new information that had not already been
    discovered. The last script I ran was to see if
    there was any information I could obtain from the
    NTFS INFO2 file. This is the Recycle Bin file
    that would contain any deleted file information.
    By running the script NTFS INFO2 Record Finder,
    selecting to read INFO2 files only, and
    saving it to the bookmark Recovered NTFS Info2
    Records, I came up with only one file deleted from
    the My Documents folder of PSMITH relating to
    Boeing. It did not seem to be of any value to
    this case.
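The INFO2 step above recovers, for each recycled file, its original path, deletion time and size. The parser below is an added example for this page, not EnCase's script and not part of the report; its record layout is assumed from the widely documented Windows 2000/XP INFO2 format, and it builds a constructed INFO2 file (test data) containing one live deletion and one entry whose file was restored.

```python
"""Parser for the Windows 2000/XP Recycle Bin index file INFO2. Added example;
not EnCase's 'NTFS INFO2 Record Finder' script. Layout assumed from the widely
documented INFO2 format: a 20-byte header whose dword at offset 12 is the
record size, then fixed 800-byte records:
  0x000  original path, ANSI, NUL-terminated (max 260 bytes)
  0x104  record index (the N in the recycled name D<drive>N.<ext>)
  0x108  drive number (0 = A:, 2 = C:, ...)
  0x10C  deletion time, FILETIME (100 ns units since 1601-01-01 UTC)
  0x114  file size in bytes
  0x118  original path, UTF-16LE, NUL-terminated (max 520 bytes)
When a file is restored or the bin emptied, Windows zeroes the first byte of
the ANSI path but leaves the rest, so the Unicode path is still recoverable."""
import ntpath
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 20
RECORD_SIZE = 800
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_info2(data):
    """Return one dict per record, including zeroed (restored/purged) entries."""
    if len(data) < HEADER_SIZE:
        raise ValueError("INFO2 too short for a header")
    version, _, _, rec_size, _ = struct.unpack_from("<5I", data, 0)
    if rec_size != RECORD_SIZE:
        raise ValueError(f"unsupported INFO2 record size {rec_size} (version {version})")
    records = []
    for off in range(HEADER_SIZE, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        rec = data[off:off + RECORD_SIZE]
        index, drive_no, ft, size = struct.unpack_from("<IIQI", rec, 0x104)
        unicode_path = rec[0x118:0x118 + 520].decode("utf-16-le", "replace").split("\x00", 1)[0]
        ansi_path = rec[:260].split(b"\x00", 1)[0].decode("cp1252", "replace")
        drive = chr(ord("A") + drive_no)
        ext = ntpath.splitext(unicode_path)[1]
        records.append({
            "index": index,
            "drive": drive,
            "path": unicode_path,
            "recycled_name": f"D{drive.lower()}{index}{ext}",  # name inside the RECYCLER folder
            "deleted_at": filetime_to_datetime(ft),
            "size": size,
            # first ANSI byte zeroed => the entry was restored or the bin emptied
            "status": "deleted" if rec[0] != 0 else "restored or purged",
            "ansi_path": ansi_path,
        })
    return records


def build_record(path, index, drive_no, deleted_at, size, zeroed=False):
    """Assemble one 800-byte record (used only to construct test data)."""
    rec = bytearray(RECORD_SIZE)
    ansi = path.encode("cp1252")[:259]
    rec[:len(ansi)] = ansi
    if zeroed:
        rec[0] = 0
    struct.pack_into("<IIQI", rec, 0x104, index, drive_no, datetime_to_filetime(deleted_at), size)
    uni = path.encode("utf-16-le")[:518]
    rec[0x118:0x118 + len(uni)] = uni
    return bytes(rec)


def build_sample_info2():
    """Constructed INFO2 (test data): one live deletion and one restored entry."""
    header = struct.pack("<5I", 5, 0, 0, RECORD_SIZE, 0)
    base = r"C:\Documents and Settings\PSMITH\My Documents"
    live = build_record(base + r"\Boeing careers.htm", 1, 2,
                        datetime(2004, 3, 15, 14, 2, 0, tzinfo=timezone.utc), 4096)
    restored = build_record(base + r"\Project 47x.xls", 2, 2,
                            datetime(2004, 3, 9, 11, 38, 0, tzinfo=timezone.utc), 61440,
                            zeroed=True)
    return header + live + restored


if __name__ == "__main__":
    for r in parse_info2(build_sample_info2()):
        print(f'{r["deleted_at"]:%Y-%m-%d %H:%M} {r["recycled_name"]:8s} '
              f'{r["size"]:7d} {r["status"]:18s} {r["path"]}')
```

Deletion times are stored in UTC; apply the evidence's time zone settings (the report's Eastern Time bias) before comparing them with timestamps shown in local time.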

38
Sample Report by a Forensics Expert
  • Conclusion
  • This report has pointed out pieces of information
    relating to the case of Pat Smith from ACME
    Industries and his relations with the companies
    Raytheon and Boeing. It is now up to the judge
    reading this report to determine if this
    information is of any value to the case. It is
    important to state that there was no evidence
    present that B. Conrad from Raytheon contacted
    Pat Smith or that the printed files ever left the
    officer. It is interesting though that the
    printing spools and project files were altered
    after printing. The printing spool files are
    often not touched except by the operating system
    so it is obvious that they were targeted.
    Determining any further information on this cause
    is up to be conducted by a crime scene
    investigator and falls out of my jurisdiction.
    My job is to present the

39
Report Writing
  • Understanding the Importance of Reports
  • Limiting report to specifics
  • Types of reports
  • Guidelines for writing reports
  • What to include in preliminary reports
  • Report structure
  • Writing reports clearly
  • Designing layout and presentation of reports
  • References
  • Generating report with forensics tools

40
Understanding the importance of reports
  • Reports are the means to communicate effectively
    the findings of the expert witness
  • Therefore reports have to be specific and to the
    point
  • Reports could be verbal reports or most often
    written reports

41
Guidelines for writing reports
  • Preliminary reports may include tentative
    conclusions; these could be interim reports
  • Final reports must have structure:
  • Abstract, Table of Contents, Body of Report,
    Conclusions, References, Glossary,
    Acknowledgements, Appendix
  • Actual references may have to be attached to the
    report.
  • Writing style has to be precise
  • Need to communicate well: grammar and vocabulary
    are crucial; punctuation and spelling have to be
    correct
  • Need to justify all conclusions.

42
Using Forensics Tools
  • Many tools like EnCase have report writing
    capabilities
  • An advantage of using these tools is that they can
    include screenshots directly from the tools
  • Chapter 14 describes the use of both ProDiscover
    and FTK for writing reports

43
Expert Testimony
  • Preparing for Testimony
  • Testifying in Court
  • Preparing for a deposition or hearing
  • Preparing forensic evidence

44
Preparing for Testimony
  • Be very thorough with your report
  • Document the evidence and prepare it in a format
    that can be understood
  • Be prepared to explain every sentence in your
    report and evidence
  • Have a current resume
  • Know all the definitions
  • Need to deal with the news media

45
Testifying in Court
  • Be prepared for intense cross examination
  • Think before you say anything and be prepared to
    justify all your statements
  • Learn about testifying during direct examination
    (questions from your attorney) and testifying
    during cross examination (opposition's attorney)
  • Review the details in Lecture 29
  • More details in Chapter 15

46
Preparing for a Deposition or Hearing
  • Deposition is not testifying in court
  • There is no judge or jury
  • Both attorneys are present and ask questions
  • Hearing is similar to a deposition and can be
    carried out in an administrative agency or
    legislative body or court

47
Using Forensics Tools for Testimony
  • Tools like EnCase can be used to gather
    information needed for testimony
  • Similar to generating reports
  • Chapter 15 describes how ProDiscover and FTK can
    be used to prepare testimony