Computer Forensics Expert Witness Testimonial Gone Bad

If you’re at all involved in computer forensics, I highly recommend that you read this deposition of a RIAA expert witness, in which a defense attorney enjoys some success at attacking the witness’s methods, experience, and claims:

Deposition of RIAA’s Expert Available Online

This really illustrates how well you need to document and understand your processes when you are performing an investigation. There are a few genuinely cringe-worthy moments in there, and I put together a few bullet points on things one should pay close attention to before going into a situation like this…

  • Experience – This guy didn’t really come across as an expert in the field
  • Knowledge of your procedures
  • Knowing the details of how your tools work – This, and the above. Knowing what the tool tells you about your evidence without knowing how it came to that conclusion is not very impressive.
  • Using your tools properly – This fellow used EnCase on the evidence drive, and yet he did not log any data from it or generate any reports. This blows my mind.
  • Knowledge of the network environment the evidence came from – A bit of preparation could have made a lot of the confusion over DHCP lease times and the network topology less of a problem.
  • The importance of network forensics – The hard drive is not an island. It belongs in a system, which belongs on a network, which you presumably have some corroborating evidence on, albeit from a viewpoint across the internet. You need to be able to bring the network forensics results and the results of analyzing the drive(s) together as much as possible, and be very careful about any conclusions you might be jumping to.
  • Being careful with terminology – Again, nailed on wording. The witness claimed he would demonstrate how the computer owned by the defendant was the computer observed by the peer-to-peer tracking program, when he really couldn’t demonstrate the ownership or even the computer.
  • Careful documentation – Notes should be taken in a careful, journal form with signatures and dates, and with the knowledge that they will come out in proceedings like this. Again, the logging and documentation features of the software he used should have been utilized.
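
To make the DHCP lease and terminology points above concrete, here is an added example (not from the original post or the deposition): it maps an externally observed IP address and timestamp to DHCP lease records and declines to name a single interface when clock skew makes the match uncertain. The lease records, the `attribute` function and the 120-second skew tolerance are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed DHCP lease records (ip, mac, start, end), all UTC; not case data.
LEASES = [
    ("192.0.2.23", "02:00:00:aa:bb:01", "2024-01-15T14:00:00", "2024-01-15T16:00:00"),
    ("192.0.2.23", "02:00:00:aa:bb:02", "2024-01-15T16:00:30", "2024-01-15T18:00:30"),
    ("192.0.2.40", "02:00:00:aa:bb:03", "2024-01-15T14:00:00", "2024-01-15T18:00:00"),
]


def _utc(ts):
    """Parse a naive ISO-8601 timestamp and mark it as UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def attribute(ip, observed, skew_seconds=120, leases=LEASES):
    """Map an observed (ip, time) to the lease(s) that could explain it.

    Returns (verdict, macs):
      "unique"    - one lease covers the whole uncertainty window
      "ambiguous" - several leases overlap the window, or one covers only part
      "none"      - no lease for that address overlaps the window
    A MAC identifies a network interface, not an owner or a user.
    """
    t = _utc(observed)
    skew = timedelta(seconds=skew_seconds)
    lo, hi = t - skew, t + skew  # observer and DHCP server clocks may disagree
    overlapping = []
    for lease_ip, mac, start, end in leases:
        s, e = _utc(start), _utc(end)
        if lease_ip == ip and s <= hi and e >= lo:
            overlapping.append((mac, s <= lo and e >= hi))
    macs = sorted({mac for mac, _ in overlapping})
    if not macs:
        return ("none", [])
    if len(overlapping) == 1 and overlapping[0][1]:
        return ("unique", macs)
    return ("ambiguous", macs)


if __name__ == "__main__":
    for when in ("2024-01-15T15:00:00", "2024-01-15T16:00:10", "2024-01-15T19:00:00"):
        print(when, attribute("192.0.2.23", when))
```

An observation that falls within the skew tolerance of a lease boundary comes back as "ambiguous", which is the kind of result that needs corroboration from the drive analysis before any conclusion is drawn.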

There are 2 Comments to "Computer Forensics Expert Witness Testimonial Gone Bad"

  • LonerVamp says:

    Kinda makes you wonder what the market will eventually be like for tech lawyers or even tech advisors to lawyers (kinda like environmental law).

  • admin says:

    It’s interesting that you mention that, because another interesting point about this transcript is that the defense lawyer does a pretty good job of talking about the technology involved.

    In this particular case, the attorneys for the defense actually solicited comments from Slashdot on what should be asked:

    http://ask.slashdot.org/article.pl?sid=06/12/28/0141221

    Cheaper than hiring an expert ;)
