Govern whether, when, how, and why proof of a legal case can be placed before a judge or jury.

9.1 What is an expert?

Depending on your state or jurisdiction, the test used to determine whether or not expert testimony will be allowed by the court may be the Frye test (Frye v. United States, 293 F. 1013 (D.C. Cir. 1923))1, Daubert test (Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579 (1993))2, Porter test (State v. Porter, 241 Conn. 57, 698 A.2d 739 (1997))3, cert. denied, 523 U.S. 1058, 118 S. Ct. 1384, 140 L. Ed. 2d 645 (1998) (Sec. 7-2 Connecticut Code of Evidence)4 or other test outlined in that state’s code. Many states have practice manuals and a set of specific statutes that govern experts and expert testimony. Contacting your state bar association is an excellent way to locate this type of information.

The federal system uses Section 700 of the Federal Rules of Evidence, and specifically Rule 702 to define expert witness testimony.

Federal Rules of Evidence: Rule 702. Testimony by Experts:5

If scientific, technical, or other specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue, a witness qualified as an expert by knowledge, skill, experience, training, or education, may testify thereto in the form of an opinion or otherwise, if (1) the testimony is based upon sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case.6

No matter which rule governs your particular case, all experts must first qualify as an expert in any case in the United States where they will be asked to provide expert testimony. However, depending on the court and the judge, this qualification process can be all over the board. Some judges are willing to qualify anyone as a computer forensics expert if they have any computer background at all, since many judges lack the basic understanding of what a computer forensics expert does and what should be a minimum floor for qualification as an expert.

Using experts in court is a battle not only of expertise, but of perception. Experts who look good on paper may not be the best choice if they have limited public speaking experience, do not present themselves professionally, or have trouble explaining complex technical concepts in a simple, easy-to-understand way, which can be a problem when taking the expert to court.

While prior court testimony experience is a big plus, lack of testimony experience is certainly not a reason not to hire an expert.

While the legal definition of an expert is outlined very specifically, the practical side of determining whether someone is an expert in a particular field is equally if not more important than making sure that the expert you engage can qualify in court. Also, it is important to make sure that the expert is the right one for you and your case.

An important step in your initial hiring process is to interview the expert, preferably face to face. In any event, you will want to judge the demeanor of your expert early on, just as a precaution. While an expert might have a great resume, if he is abrasive or condescending or unable to communicate in a nontechnical way, he could become a problem in front of a jury.

Having said that, it is still important that your examiner be able to qualify as an expert in the event that you need the expert to testify in a court of law, bearing in mind that even if she is not required to testify in the initial matter, she may need to testify in the event of an appeal or may have to go through the deposition process.

From a practical standpoint, an expert is someone who not only has technical training and experience in the area that you wish to engage their services, but they should also have references to back up that expertise.

The same holds true for certifications in the field of forensics. Forensic certifications are expensive to pursue and difficult to obtain, and while they add confidence to the credentials of the examiner, they are not required for an examiner to qualify in court or to be engaged to provide expert services.

However, beware of the expert who does not have at least a minimum of experience or training specifically in the area of expertise that you need. The reason for this is that the expert must have specific knowledge of forensic methods and processes. The danger for the unaware is that you can hire someone who has expertise in computers, for instance, but does not have specific training or expertise in dealing with computer or cell phone data as evidence. This lack of expertise in the forensic aspects of technology can become a real problem if your case involves an opposing expert who does have that expertise and can show where your expert has failed to properly protect evidence or even destroyed evidence.

The second part of prequalifying an expert as a practical matter is to understand that having experience and or training in forensic investigations is of particular importance where the case involves complex civil or criminal litigation. These cases go beyond simple data recovery and production and can involve multiple persons, specific types of data such as financial records, proprietary software formats, complex relationships between user accounts, data-hiding techniques, and correlation to external devices.

For example, a marital infidelity examination normally involves locating e-mails, Internet history, chat logs, and perhaps pictures, and may not go beyond simply producing this information to show a connection to a paramour.

A criminal case, on the other hand, will always have an expert on the side of the government who has already performed a forensic investigation into the digital evidence. In these cases, if the defense employs an expert, and they certainly should, the expert must not only be able to duplicate and verify the prosecution examiner’s work, but they must also be able to properly perform their own examination to ensure that the claims being made by the prosecution are in fact valid and have been properly interpreted.

Rules of Evidence

The guidelines that dictate whether a person can be recognized as an expert witness, and the admissibility of evidence, are governed by the laws of the jurisdiction of the court in which the evidence will be introduced. Thus, it is extremely important for investigators to become familiar with the applicable laws. These rules are adopted by statute and are usually codified into a document titled “Rules of Evidence.”

In the United States, Congress adopted the Federal Rules of Evidence (FRE) as a set of standards that determine how evidence is presented and deemed admissible in court. Because state and federal laws are different, many states have also adopted their own sets of rules, some of which are identical to those in the Federal Rules. The FRE contains a considerable number of rules, but those dealing with opinions and expert testimony are explained under Article VII. The rules under this article consist of the following:

Rule 701, Opinion Testimony by Lay Witnesses

Rule 702, Testimony by Experts

Rule 703, Basis of Opinion Testimony by Experts

Rule 704, Opinion on Ultimate Issue

Rule 705, Disclosure of Facts or Data Underlying Expert Opinion

Rule 706, Court Appointed Experts

CyberLaw Review

Lay Witnesses

As private security performs its investigatory functions, it must rely on evidence provided by witnesses. The measure of witness competency will largely be determined by whether the witness is lay or expert. A wise practice is to evaluate lay witnesses in the field, since these very individuals, who are providing crucial information, may be the best foundation on which a case rests. If incompetent in the field, they will clearly be incompetent on the stand.143 By competency, we merely hold that the witness is capable of relating facts and conditions in a reliable and dependable way.

Lay competency is generally defined by Rule 602 of the Federal Rules of Evidence as follows:

The witness has the capacity to actually perceive, record and recollect impressions of fact (physical and mental capacity);

The witness in fact did perceive, record and recollect impressions having a tendency to establish a fact of consequence in the litigation (personal knowledge);

The witness be capable of understanding the obligation to tell the trust (oath or affirmation);

The witness possess the capacity to express himself understandably where necessary with the aid of an interpreter.144

Competency does not require genius but the capacity to perceive, record, and recollect impressions of fact as influenced by a wide assortment of social and biogenic factors.145 All lay witnesses, in order to be effective on the witness stand, need to be evaluated in light of these criteria:

What is their present age?

Do they have any personal habits that would indicate their powers of recollection and thought retention would be influenced by chemical or drug usage?

From an observational point of view, do these individuals appear intellectually ordered?

Would a street person, bag lady, or heroin abuser be a witness who could withstand the competency standard?

Did they have any personal knowledge of the events or is their viewpoint strictly the product of hearsay?146

Certain witnesses—such as children, a spouse, a coconspirator who has been granted immunity, or a person who has been adjudged insane—will trigger credibility concerns.147 Lack of credibility, however, does not disallow a witness from taking the stand.148

Security practitioners should evaluate the levels of sincerity and credibility of any witness they interview during the investigative process. Employing simple human relations skills will often permit the security professional to judge the quality and credibility of any witness. When evaluating a witness, utilize the checklist presented in Figure 6.12.149

The security officer needs to evaluate and weigh not only the physical and real evidence he or she collects but also the testimony from interested as well as disinterested witnesses. Conduct the type of human observation that ferrets out the unreliable in favor of the reliable lay witness. Make human judgments that work for the average person, and avoid witnesses who are disgruntled individuals, abhorrent characters, and courtroom groupies whose sole purpose in life is to meddle in the affairs of others.150

US Federal Rules of Evidence

The Federal Rules of Evidence (FRE) are the guides for investigators and responders in the actual collection and use of evidence in court cases. The FRE is the code of evidence law governing the admission of facts by which parties in the US federal court system may prove their cases, both civil and criminal. The FRE were the product of protracted academic, legislative, and judicial examination before being finally approved in 1975. US states are free to adopt or maintain evidence rules different from the Federal Rules, but a significant majority (47 out of 50) has adopted codes in whole or part based on the FRE.

The FRE primarily serve to govern federal trial courts rather than appellate courts, because they (FRE) govern the initial presentation of evidence in a trial; especially since appellate courts, due to their function and scope address very few questions touching upon the facts of a case. Primarily the purpose of these FRE is to regulate the evidence that the US Federal Court judge and/or jury may use to reach a verdict. The FRE strive to eliminate the historical distrust of jurors, and encourage admitting evidence in close cases. The many types of information presented to a judge or jury are designed to convince them of the truth or falsity of key facts. Strict rules limit what can be properly admitted as evidence, but dozens of exceptions to these rules often mean that lawyers find a way to introduce such testimony or other items into evidence.

At the same time, the FRE centers on a few basic ideas—relevance, efficiency, reliability of evidence, unfair surprise, and overall fairness of the adversary (prosecution/defense) process. The FRE grant trial judges broad discretion to admit evidence in the face of competing arguments from the parties. This ensures that the jury has a broad spectrum of evidence before it, but not so much evidence that is repetitive, inflammatory, or unnecessarily confusing. The FRE define relevance broadly and relax the common-law prohibitions on witnesses’ competence to testify. Hearsay standards are similarly relaxed, as are the standards for authenticating written documents. At the same time, the judge retains power to exclude evidence that has too great a danger for unfair prejudice to a party due to its inflammatory, repetitive, or confusing nature or its propensity to waste the court’s time.

There are 67 individually numbered rules, divided among 11 articles within the FRE:

General Provisions

Judicial Notice

Presumptions in Civil Actions and Proceedings

Relevancy and Its Limits

Privileges

Witnesses

Opinions and Expert Testimony

Hearsay

Authentication and Identification

Contents of Writings, Recordings, and Photographs

Miscellaneous Rules.

The FRE embody some very common concepts, and attorneys frequently refer to those concepts by the rule number. The most important concept—the balancing of relevance against other competing interests—is embodied in Rule 403.

Although relevant, evidence may be excluded if its probative value is substantially outweighed by the danger of unfair prejudice, confusion of the issues, or misleading the jury, or by considerations of undue delay, waste of time, or needless presentation of cumulative evidence.

Background

In my opinion, a digital forensic analyst should be familiar with or understand the Federal Rules of Evidence (FRE; www.law.cornell.edu/rules/fre/index.html) as well as the process model provided by the U.S. Department of Justice in its “Electronic Crime Scene Investigation: A Guide for First Responders” (www.ncjrs.org/pdffiles1/nij/187736.pdf ), Further, industry-accepted models for digital investigations are readily available, such as the Enhanced Digital Investigation Process Model that can guide the investigator through a process that has been found to be suitable for digital investigations (www.dfrws.org/2004/day1/Tushabe_EIDIP.pdf ).

Standards Governing Expert Witness Testimony

The admissibility of expert testimony is governed in federal courts by Rule 702 of the Federal Rules of Evidence (FRE). This rule states:

If scientific, technical, or other specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue, a witness qualified as an expert by knowledge, skill, experience, training, or education, may testify thereto in the form of an opinion or otherwise, if (1) the testimony is based upon sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case.

This threshold for admissibility is designed to allow novel approaches to addressing issues in litigation, yet to preclude testimony based on “junk science.”

Understanding the Daubert and Frye Standards

In 1993, the Supreme Court of the United States made a revolutionary change in the Federal Rules of Evidence. The court overturned the 70-year-old rule of admissibility of expert scientific testimony in Frye v. United States, 293 F. 1013 (D.C. Cir. 1923).

The court indicated that there are at least four factors to consider in Daubert.

In Daubert v. Merrell Dow Pharmaceuticals, 113 S.Ct. 2786 (1993), the older Frye rule stated that expert scientific testimony is to be admitted only when it receives general acceptance from the scientific community.

As with all theories, having a theory publicized is a relevant consideration in determining whether a scientific theory or technique is valid.

Daubert does not require proof of mathematical precision in expert opinions.

Under the Frye test, expert scientific evidence was admissible only if the principles on which it was based had gained “general acceptance” in the scientific community.

Evidence Rules

Rules of evidence govern when, how, and for what purpose, proof of a legal case may be placed before a trier of fact for consideration. Traditionally, the legal system interpreted digital data as hearsay evidence2 because the contents of this data cannot be proven, beyond a reasonable doubt, to be true. In some jurisdictions, such as under the United States (U.S.) Federal Rules of Evidence 803(6), exceptions to the rule of hearsay evidence exist where digital data is admissible in court if it demonstrates “records of regularly conducted activity” as a business record; such as an act, event, condition, opinion, or diagnosis.

Qualifying business records under this exception requires that the electronically stored information (ESI) can be demonstrated as authentic, reliable, and trustworthy. As described in U.S. Federal Rules of Evidence 803(6), the requirements for qualifying business record are achieved by proving:

the record was made at or near the time by—or information was transmitted by—someone with knowledge3;

the record was kept in the course of a regularly conducted activity of a business, organization, occupation, or calling, whether or not for profit;

making the record was a regular practice of that activity;

all these conditions are shown by the testimony of the custodian or another qualified witness, or by a certification that complies with Rule 902(11) or (12) or with a statute permitting certification; and

neither the source of information nor the method or circumstances of preparation indicate a lack of trustworthiness.

As described in the U.S. Federal Rules of Evidence 902(11), the requirements for certifying domestic records of regularly conducted activity are achieved by:

The original or a copy of a domestic record that meets the requirements of Rule 803(6)(A)-(C) as shown by a certification of the custodian or another qualified person that must be signed in a manner that, if falsely made, would subject the signer to criminal penalty under the laws where the certification was signed. Before the trial or hearing, the proponent must give an adverse party reasonable written notice of the intent to offer the record—and must make the record and certification available for inspection—so that the party has a fair opportunity to challenge them.

As described in the U.S. Federal Rules of Evidence 902(12), the requirements for certifying foreign records of regularly conducted activity are achieved by:

The original or a copy of a foreign record that meets the requirements of Rule 803(6)(A)-(C) as shown by a certification of the custodian or another qualified person that must be signed in a manner that, if falsely made, would subject the signer to criminal penalty under the laws where the certification was signed. Before the trial or hearing, the proponent must give an adverse party reasonable written notice of the intent to offer the record—and must make the record and certification available for inspection—so that the party has a fair opportunity to challenge them.

Criteria for what type of data constitutes an admissible business record fall within one of the following categories:

Technology-generated data is information that has been created and is being maintained as a result of programmatic processes or algorithms (eg, log files). This type of data can fall within the rules of hearsay exception only when the data is proven to be authentic as a result of properly functioning programmatic processes or algorithms.

Technology-stored data is information that has been created and is being maintained as a result of user input and interactions (eg, word processor document). This type of data can fall within the rules of hearsay exception only when the individual creating the data is reliable, trustworthy, and has not altered the data it any way.

Business records are commonly challenged on issues of whether data was altered or damaged after its creation (integrity) and the validation and verification of the programmatic processes used (authenticity). As a means of lessening these challenges, Federal Rules of Evidence 1002 describes the need for proving the trustworthiness of digital evidence through the production of the original document. To meet this requirement, organizations must implement a series of safeguards, precautions, and controls to ensure that when digital evidence is admitted into a court of law it can be demonstrably proven as authentic against its original source.

Legal Admissibility

Essentially, admissibility is the determination of whether information that is presented before the trier of fact1 (ie, judge, jury) is worthy to be accepted in court of law as evidence. Generally, in order for digital evidence to be admissible in a court of law it must be proven to have relevance (ie, material, factual) and is not overshadowed by invalidating considerations (ie, unfairly prejudicial, hearsay2).

Within the legal system, there are a set of rules that is used as precedence for governing whether, when, how, and for what purpose digital evidence can be placed before a trier of fact. Traditionally, the legal system viewed digital evidence as being hearsay because its authenticity could not be proven, beyond a reasonable doubt, to be factual. However, exceptions do exist under the Federal Rules of Evidence 803(6) where digital evidence can be admitted into a legal proceeding only if it demonstrates “records of regularly conducted activity” as a business record; such as an act, event, condition, opinion, or diagnosis.

In order for digital evidence to qualify under this exception, organizations have to demonstrate that their business records are authentic, reliable, and trustworthy. As stated in the Federal Rules of Evidence, in order to attain these qualifying properties, organizations must be able to demonstrate that their business records:

was created as a regular practice of that activity;

were created at or near the time by—or from information transmitted by— someone with knowledge;

have been preserved in the course of a regularly conducted activity of a business, organization, occupation, or calling;

are being presented by the custodian, another qualified witness, by a certification that complies with either Rule 902(11) or Rule 902(12), or with a statute granting certification;

do not show that the source of information or method or circumstances of its preparation indicate a lack of trustworthiness.

Furthermore, even if a business record qualifies under these exceptions, organizations must still determine if the business record falls within the context of being either:

Technology-generated data that has been created and is being maintained as a result of programmatic processes or algorithms (eg, log files). These records fall within the rules of hearsay exception on the basis that the data is proven to be authentic as a result of properly functioning programmatic processes or algorithms.

Technology-stored data that has been created and is being maintained as a result of user input and interactions (eg, word processor document). These records fall within the rules of hearsay exception on the basis that author of the data is reliable, trustworthy, and has not altered it.

Even if a business record meets the above criteria for being admissible as digital evidence, there is the potential that it will be challenged during legal proceedings. The basis for these contests is directed at the authenticity of the data and whether it has been altered or damaged either after it was created or as a result of interactions and exchanges with the data.

In an effort to reduce these oppositions the Federal Rules of Evidence 1002 described the need for proving, beyond a reasonable doubt, that the trustworthiness of digital evidence must be demonstrated through the production of the authentic and original business record. Meeting this rule requires that organizations demonstrate their due diligence in preserving the authenticity of the original data source through the implementation of safeguards, precautions, and controls to guarantee that business records can be admitted as digital evidence during legal proceeding.

11.3 Evidence

The rules for admissibility of evidence are governed by the laws of the jurisdiction of the Court or tribunal where the evidence is to be introduced. For this reason, among others, it is essential that all Forensic Laboratory employees connected to a case are fully familiar with these requirements and comply with them.

The rules are typically defined as “the Rules of Evidence” for the jurisdiction. These vary between jurisdictions and types of Court or tribunal.