Articles
Cross Examining the Computer Expert Witness
“Brings a knife to a gunfight”
These words were uttered by Sean Connery in The Untouchables film. A knock at the door and upon opening he is met with a hit man attempting to take him out with a knife. Of course, Sean has a gun and quickly dispatches of the hit man.
It is a phrase, or a derivation thereof, that I like to use with clients. You need to meet your opponent with the same weapons that are being brought to bear against you. Sure, one can get away without their own expert to assist with reviewing reports and testimony and helping with cross examination, but doing so is like walking a slippery slope.
For the attorneys reading this blog post, I know that I’m preaching to the choir. Before cross examining any expert, you need to read and understand their report(s), you need to depose the expert and understand their opinion. Most importantly, though, you need to understand what they are saying. More often than not, when I’m dealing with clients or their counsel, I hear the phrase “I know absolutely nothing about computers”. Well, if you know nothing about computers, why are you trying to interrogate someone about computers?
For the business owners, and ultimate end clients, reading this blog, I can’t stress to you enough that if counsel suggests that you consider hiring an expert that you consider it. Every decision is a business decision weighing the costs with the potential benefit and comparing that with the possible downside if you didn’t move forward. That said, in scrutinizing an opposing expert, or merely just understanding what they are trying to convey you often need to have your own expert. Your expert will help with the cross examination of the opposing expert.
I’ve been involved in cases wherein I didn’t testify but just served as a consultant. In one criminal case, which was rather high profile, I recall just being in the courtroom. I had access to various data on my laptop and a few pads of paper. As my client’s counsel cross examined the computer forensic expert witness, I furiously scribbled notes and questions on pieces of paper and passed them up. Questions were asked and testimony was concentrated, limited or turned around. While I never had the chance to quiz the judge or jury about the importance of the questions I submitted, I did receive compliments from counsel as he felt that those questions helped him keep the expert under control.
Having your own expert to guide you will prevent you from asking questions that you think are correct but in reality are going to allow the expert on the stand to put forth their opinion again.
In a matter involving a former employee leaving for a competing company, I was quizzed numerous times about the use of a wiping application (a wiping application is one that will delete files or other relevant artifacts in such a way that the information is unrecoverable). Somehow through my testimony, opposing counsel on cross examination came to the belief that nothing bad had happened. He asked, “So if I am understanding your testimony, my client did nothing nefarious”. To which I replied, “other than installing this data destruction application one week before he tendered his resignation and then running it multiple times destroying files he had accessed and other data left on his computer, no”. Clearly opposing counsel was unprepared for my testimony and did not understand my opinion nor the facts upon which I based that opinion.
Review the expert’s Curriculm Vitae ahead of time. Do they have any relevant certifications, training or testimony experience regarding computer forensics? Just being in IT often isn’t good enough. I like to analogize the IT world with that of the medical world. In the medical world, there are general practitioners, orthopedists, coroners, oncologists, etc. While doctors in the various fields have some knowledge of the particulars in fields that they do not specialize, they typically only practice where they have the most knowledge. The same holds true for those in the IT world. A programmer has some knowledge on security, but you would not ask them to fortify your firewall. You would also not ask an IT administrator to testify regarding forensic issues.
I witnessed once an individual who was in IT attempt to testify to a matter that involved metadata on documents that he had preserved. I’m sure that most of you reading this understand the importance of preserving documents in such a way that the metadata is not altered. In this case the metadata was altered but the IT person had no idea how that occurred, he was oblivious to the fact. Counsel for my client did a good job of bringing that out but soon enough the judge hearing the case was getting lost as the situation involved an IT person who was not an expert on the topic being questioned by an attorney who would be the first to admit that he was in the same boat. Which brings me to my next point…
Rely on your expert to assist with the cross examination where possible. And when you receive that advice, listen and act on it. Your expert should be able to provide you questions to use in cross examination. More importantly, your expert should be able to provide what will be the likely answers to the questions and provide guidance based on what the actual answer is. Your expert should also be able to provide you analogies so that in asking your questions, you can word them in such a way that the judge and jury will understand the question and hopefully the answer.
Another thing to observe is whether or not the computer forensic expert is stepping out of their realm of expertise or testifying outside of their realm of analysis. In one case in which I testified, the crux of my testimony was in regards to spoliation. The opposing party had withheld USB devices and had deleted data on those USB devices. The opposing party had their own expert. Instead of analyzing my claims of deletion and other devices, they had him instead scrutinize the search we performed on the data and whether or not the results all conformed to the request. Upon hearing the analysis that the opposing expert conducted, counsel for my client immediately requested that the court limit his testimony to just those areas that he had analyzed. The court agreed and immediately there was no rebuttal to my analysis that data was destroyed and devices were left behind.
Another point to make in your questioning, especially in criminal matters, is to interrogate the computer forensics expert witness as to what evidence exists that puts the custodian of the computer at the keyboard during the time of the alleged activity. Is the custodian the only person with physical access to the computer? Is the computer password protected and are there user accounts that can be matched up to the custodian? Was there other activity occurring at the same time that can provide circumstantial evidence indicating that the custodian was the one at the keyboard during the key points in time?
To circle back around for those of you who remember the movie The Untouchables. After Sean Connery chases off the knife wielding hit man he immediately finds himself in the alley face to face with a second hit man, only this one is holding a gun. That hit man, properly armed, was able to take care of the job. You too, properly armed, can perform your job properly when it comes to cross examining a computer forensic expert witness.
By Damon S. Hacker, MBA, CCE, CISA,
President & CEO at Vestige Digital Investigations