Computer Forensics
A Lecture to the West Yorkshire Branch of the British Computing Society, given
by Jon Vogler, Wednesday 23 October, 2002
You can be an Expert Witness!
You may not know it but there is one primary purpose in you being here and in me talking to you.
It is to consider whether you might, sometime in the future, act as an expert
witness in a Court case involving computers.
Why should you do that?
For four reasons:
-
First, the Courts need the best available expertise to advise and inform them in complicated
cases - and you, because you are professionals and specialists in your own fields,
are the best.
-
Second, it is a personal challenge, for you, to describe yourself as an expert,
stand and deliver your knowledge and opinion publicly and have the confidence to
submit yourself to
cross-examination.
-
Third, it is very well paid!
-
Fourth is really part of the first.
The quality of expert evidence the Courts are receiving, especially in criminal
cases, is currently somewhat poor.
The BCS, as the computing industry's professional body, ought to be providing the
majority of expert evidence in the nation's Courts.
Currently it is not and we need to do something about this.
What are Computer Forensics?
Forensic means to do with the public law courts; it comes from the
same root as the Roman forum.
So computer forensics can deal with any situation where either Civil
or Criminal courts need help or advice or evidence where computers are
involved in a case.
Some forensic practitioners are only analysts; they perform an
analysis, present the results and leave it to someone else to draw
opinions from those results.
However many both do that and also act as expert witnesses.
What is an Expert Witness?
Let me start by
describing the function of an expert witness in the
British legal system and the particular features of expert
evidence concerning computers.
The first ever expert witness in a British Court, and that probably means anywhere
in the world, came from this city.
Anybody know?
It was John Smeaton, the Leeds engineer who was famous for his lighthouses.
In 1782 he gave an opinion to a Court, whether the removal of a sea
wall had resulted in problems with silting in a nearby harbour.
So an expert is just a person who, as a result of his or her knowledge, skill or
experience, is able to assist a Court in examining some matter within his or her
expertise.
So, in principle, every one of you in this room has the necessary qualifications to
act as an expert witness, because you know a great deal about something that the
general populace does not know about.
Which brings me to the first point; an expert must not give an opinion on something
that does not demand expertise.
Example: the Protection of Children Act (and its subsequent amendments) makes it a
serious offence to possess or make or distribute an indecent photograph of a child
under sixteen years of age.
One of the jobs I have been doing in recent years has been providing
reports for the Defence in some of the very large number of cases of that type that
have been brought.
I am allowed to express an opinion on where the picture came from (internet, CDs,
email) and whether the Defendant knew it was there, whether it had been deleted and
so on.
What I am not allowed to do is express an opinion on whether the person in the photo
is under sixteen.
That is for the Court - magistrate or jury to decide, because no special expertise
is needed.
In a recent case the judge told the jury: "Look at your children, your
grandchildren or your nieces and decide from your own experience".
A witness is, of course, a person who gives evidence.
There are two important kinds of evidence: testimony
and exhibits.
Testimony is where a person, after promising to tell the truth, tells the Court what they
saw or did or heard.
Only one class of witnesses - expert witnesses - can also give testimony concerning their
opinion.
These are tasks that, as I say, any of you is qualified to do.
However there are other tasks that you may be asked to perform that you may not yet
be able to do and one of these concerns the analysis of exhibits,
which is the core of forensic computing.
Exhibits
Exhibits are things that can be brought to the Court (or which, occasionally, the Court
itself travels to see) for examination and about whose significance the Court makes up its
own mind: a weapon, a document, an article of clothing, a photograph of a footprint, for
example.
Forensics is the study of particular kinds of exhibits, usually by someone who has
specialised in them: a ballistics expert, a handwriting analyst, a textile chemist or a
police laboratory technician.
Frequently such an analyst will also give expert testimony about
the opinions he or she
has drawn from one or a collection of exhibits.
So it is with computer forensics,
which is concerned with analysing computers and
associated technologies and
presenting the results of that analysis to lawyers, both in and
out of Court, or to magistrates or juries.
The exhibit is often a computer, or a disc or storage tape, or it may be a collection of data
obtained from a computer or storage device.
I knew nothing about how to examine such things when I first started acting as an expert, but I have
learned how and, nowadays, there are far better textbooks and software available
than when I started, so if you have a basic understanding of computers and
software, you will not find it difficult; but it needs working on and you may need
to spend money on good kit.
What you do is determined by certain
principles of evidence that have to be followed by all forensic specialists
and computer analysts are no different.
Alterations to Exhibits
The first rule is that any analysis they do must be done in such a way as not to interfere with
the exhibit; not alter it.
We all know that you can start a PC from a DOS floppy, list directories and then shut it
down again, without altering anything on the computer.
Attempt the same task in Windows and you will find twenty or thirty files have been
altered.
To some files the alteration is only to the last-accessed date, but
that date can be important; can indicate whether or not a user has
seen a file.
Others, the Windows swap file for example, may also have their contents and their last-
modified date altered.
So a computer forensics analyst needs techniques that enable the data on a computer to be
examined, without in any way changing that data.
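The principle above, that the analyst must be able to show the exhibit was not changed by the examination, is usually demonstrated with a before-and-after record of hashes and timestamps. The following is an added example written for this page, not the lecturer's own tooling; it uses only the Python standard library, constructs a small sample "exhibit" in a temporary directory, and then simulates the kind of careless handling described above (a swap-style file rewritten) to show what the comparison reports.

```python
"""Before-and-after integrity check on an exhibit's files (added example, not
from the original lecture). Each file's hash and timestamps are recorded before
examination and again afterwards, so any alteration can be stated to the Court
as a verifiable fact rather than a suspicion. The sample exhibit is constructed."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FileRecord:
    sha256: str
    size: int
    mtime_ns: int   # last-modified
    atime_ns: int   # last-accessed


def sha256_of(path: str) -> str:
    """Hash in chunks so a large exhibit need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, FileRecord]:
    """Record every file under root. os.stat is taken BEFORE the file is opened
    for hashing, because merely reading a file on a writable mount can bump its
    last-accessed time; in real work the drive sits behind a write-blocker."""
    records: Dict[str, FileRecord] = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rel = os.path.relpath(path, root)
            records[rel] = FileRecord(sha256_of(path), st.st_size,
                                      st.st_mtime_ns, st.st_atime_ns)
    return records


def verify(before: Dict[str, FileRecord],
           after: Dict[str, FileRecord]) -> Dict[str, List[str]]:
    """Compare two snapshots: relative path -> kinds of change. An empty dict
    means nothing on the exhibit changed between the two snapshots."""
    changes: Dict[str, List[str]] = {}
    for rel in sorted(set(before) | set(after)):
        b, a = before.get(rel), after.get(rel)
        kinds: List[str] = []
        if b is None:
            kinds.append("appeared")
        elif a is None:
            kinds.append("disappeared")
        else:
            if a.sha256 != b.sha256 or a.size != b.size:
                kinds.append("content")
            if a.mtime_ns != b.mtime_ns:
                kinds.append("mtime")
            if a.atime_ns != b.atime_ns:
                kinds.append("atime")   # the file was opened or copied
        if kinds:
            changes[rel] = kinds
    return changes


def demo() -> Dict[str, List[str]]:
    """Constructed exhibit: two files with a fixed old timestamp. Snapshot it,
    simulate the 'booted it in Windows' moment by rewriting the swap-style
    file, snapshot again, and report what changed."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("letter.txt", b"Dear Sir\n"), ("pagefile.sys", b"\0" * 64)):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
            # 1009843200 = 1 Jan 2002 00:00 UTC (constructed value)
            os.utime(os.path.join(root, name), (1009843200, 1009843200))
        before = snapshot(root)
        with open(os.path.join(root, "pagefile.sys"), "ab") as f:
            f.write(b"\xff" * 16)          # the swap file is rewritten
        after = snapshot(root)
        return verify(before, after)


if __name__ == "__main__":
    for rel, kinds in demo().items():
        print(f"{rel}: {', '.join(kinds)}")
```

On most Linux mounts the report will also show an "atime" change for the untouched letter.txt, because the first snapshot's own read of the file updated its last-accessed time; that is exactly the effect the lecture warns about, and the reason the examination copy is taken from a write-blocked or read-only mounted drive and the whole image is hashed before and after.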
Last week, in the Teesside Crown Court, I showed that, because a
Ministry of Defence Police Constable had booted the Defendant's PC in Windows,
during the period when the PC was in police custody, he had altered the evidence that
the police were to examine.
The Association of Chief Police Officers has produced, and is currently revising,
guidelines for police who seize computers.
The officer in question had either not studied these guidelines or was deliberately
ignoring them.
We never got to the bottom of that because the lawyers had managed to cock matters
up between them and the policeman concerned was currently on holiday in Florida and
could not be cross-examined.
In fact the alterations were fairly minor and did not affect the core evidence, so
it was not worth asking for an adjournment until he was available.
The Defendant has just started an eighteen-month prison sentence.
Learning how to work with lawyers and persuade them to plan ahead and give you time
to do a careful job is another art that the expert witness may take time to
acquire!
Civil Disputes
The diversity of civil disputes makes demands upon the expert's
knowledge of industrial and commercial practice, as well as of
law and computer technology.
Civil disputes are tough because money is at stake and the courtesy,
which is an impressive characteristic of criminal trials,
is the first to go.
Changes to the Civil law have made
the expert's job easier and removed many former ethical
dilemmas.
However to present evidence, derive opinions from it,
and sustain them in the face of aggressive challenge demands an
approach that is different from that used in day-to-day industrial and
commercial decision making.
You become paranoid about facts; that you know where they come from, can go back
and find them, can spell them
right and, in short, never give a cross-examining barrister the chance to say "Well
of course Mr Vogler, if you made an error in spelling 'dhrystone' or 'inoculation'
or 'magneto-optic' you could easily have made an error when you say that my client
introduced a bug into the software with Version 6.1.5".
Living within an adversarial system is quite testing.
Fortunately, following the recent Woolf reforms,
a common request is to act as a joint expert, either appointed by the disputing
parties in agreement (that will be the only thing they will agree on!) or else by
the Court when it decides to knock their heads together.
This is much better.
Instead of upsetting one of the parties you now upset them both!
Separating Fact and Opinion
When you write your boss a position paper you tend to group what you know and what
you think about a topic together; it makes for easier reading.
Not in expert evidence however.
An expert witness must distinguish, in his or her
report to the Court, which may be written or oral or both, between fact and opinion.
So if the Chief Accountant is the only employee who has the password to access the
payroll file on a company's computer, and if I can examine the file where passwords are
held and confirm it, that is a fact.
It is a fact that I can verify myself, by examination of the computer.
If the Chief Executive states, in evidence, that only the Chief Accountant had a key to the
office in which the payroll computer was kept, that is also a Fact.
However it is not one that I can myself verify; although I may be asked to assume it.
Before I can reach an opinion, I need a third kind of fact: what is
generally accepted in the industry.
That, of course, is that password-protected accounts data cannot normally be
accessed by a person who does not have the password.
From these three, different kinds of facts, I may draw an opinion.
However here I have to be careful.
If I say to the Court "In my opinion the Chief Accountant is guilty as charged of giving
himself a 100% pay rise" the Court will object.
Expert witnesses must not give opinions on "the ultimate issue".
There is good reason.
It might be that the Chief Executive is a liar, and suspects that the Chief Accountant is
about to get his job, so wants to discredit him.
My expertise is about computers, not about judging whether individuals are honest, and I
must not wander into that area.
So my opinion ought to be more like: "If the Court accepts the Chief Executive's
statement then the Chief Accountant was the only person who could legitimately access
the payroll file."
Note the "legitimately".
That covers me if it subsequently transpires that the IT Director had altered the file to
discredit the Chief Accountant who had discovered he had been accepting bribes from a
would-be hardware supplier.
Know the Law - but Keep Quiet!
Expert witnesses need to know a certain amount of law.
For example there is a rapid
change taking place in case law (that is law decided by judgements issued in particular
cases, as opposed to statute law which is set by Parliament) concerning the obligations of
computer buyers and sellers.
In ICL v St Albans Council it was held that ICL could not write its contract in such a
way as to protect it from the Council's claim for damages (in this case lost Community
Tax).
Panic throughout the industry; the customer was now on top!
However in Anglo and Winther Brown it was ruled that the customer must
be very specific about any special requirements; he could not buy
package software, then expect
the supplier to suss out that it did not fit his business.
Widespread relief.
Supplier back on top!
(This case was notable in that a BCS Member (the late Steve Larner) was
wholly effective in gaining the judge's trust while his opponent, a
character named Salmon who had written a book on computer law, had his
career destroyed by the Honourable judge's devastating criticisms.)
Then in Watford Electronics v Sanderson CFL the judgement, which had
followed the ICL and St Albans ruling, was overturned on appeal,
partly on the grounds that the two parties were of equal negotiating
strength.
Jubilation.
Supplier firmly on top!
Then last November, in Horace Holman Group v Sherwood International,
the judge awarded the customer over two million quid's worth of
damages, largely for staff costs not saved due to a failure of the
system they had purchased causing a five year delay in getting
their insurance broking business computerised.
Full circle back to gloom and despondency.
Customer back on top again!
Interestingly the Claimant's barrister was the co-author of Salmon's
book, Richard Mawrey QC!
Now it is not an expert witness's job to argue to a Court which of these (apparently
conflicting) judgements applies.
It may, however, win or lose the case if the buyer's expert is able to determine that a
supplier caused the computer's problems because the software was buggy and that it was
buggy because it had been altered, for good reason, but not regression tested thereafter.
Only if the expert understands what constitutes a supplier's duty of care will the barrister
be able to persuade the Judge that that duty was not met and the supplier is liable for its
customer's damage claim.
This can be very rewarding, when the barrister praises you to the skies for discovering the
case-winning point.
It can also be very frustrating when it becomes obvious that the barrister, who arrived
only half an hour before the case started and has not understood your carefully phrased
report, muddles the whole thing up.
Who are you Working For?
Discovering the bug that wins the case is great.
The other day I was asked to examine a Defendant's computer and comment on anything
that would assist him.
The major weakness in the Prosecution's case was that they could not prove it was him,
not his wife, who had used the computer.
I was looking for a document or email that would prove that his wife had been on the
computer at the time in question.
Instead I found some text from a chat-room dialogue, in which the Defendant mentioned
that his wife was currently in another country!
The Prosecution had not discovered this.
What was I to do?
In the Civil courts there has been a substantial change, the CPR or Civil Procedure Rules
produced by Lord Woolf, who is now the Lord Chief Justice.
The CPR says, unequivocally, that the Expert Witness's first duty is to the Court, not to
his client.
If an expert turns up a piece of evidence that harms his client's case he is to report it,
even if the other side has not discovered it.
His client has the option of not disclosing his report to the other side.
His client may, if the piece of evidence is damning, decide to make an offer to settle the
claim, before the other side discovers it themselves.
In the criminal courts, matters are less clear, although following the Auld report they are
going the same way.
It is up to the Prosecution to put the case against a Defendant; it is not clear whether the
Defence is obliged to assist the Prosecution by announcing damning evidence that the
Prosecution has not discovered.
In the criminal law, ethical conflicts are common. If a Defence
expert discovers that his opposite number has missed clear,
incriminating evidence, what should he do?
In my case I was fortunate that I had already written and submitted my report.
When I
found this damaging piece of evidence I did not write another report but, instead, wrote
to the solicitor who was instructing me to tell him what I had found.
I told him that if I was asked about it in Court I would have to give the details.
Later he presented this finding to the Defendant who agreed to plead guilty.
Had he not done so I would have been in a difficult position.
My oath was not just to tell the truth but to tell "the whole truth".
My instructing solicitor pointed out that, in giving evidence, an expert is only expected to
answer the questions put by Counsel.
If Counsel did not ask the question, he told me, I was not required to volunteer information.
I was unconvinced!
However the Auld reforms are doing for the Criminal Law just what Woolf did for Civil
Law: making the expert responsible to the Court before the Client.
I wish Mr Justice Auld would clarify whether that means I would have been obliged to
have volunteered that information, without being asked, had the situation arisen.
The Challenge of Extending Technologies
Advances in hardware and software have given the forensic analyst
powerful tools, which will be described.
However the boundaries
of a computer are no longer inside a metal case but may be
continents away via the internet or a corporate network.
It is
easy for the analyst to discover the pictures you thought you had
deleted from your file system, but how does he or she cope when
they are hidden among thirty thousand other pictures on a forty
gigabyte hard drive?
And who is responsible if those pictures were
uploaded by a user in Russia, onto a server in Ireland owned by a U.S.
conglomerate and downloaded by a French Defendant while on a visit
to England?
Tracing emails, chat sessions, News feeds and web pages is the
new equivalent of Sherlock Holmes examining footprints with his
magnifying glass.
The work is intellectually challenging,
endlessly varied yet frequently repetitive, and needs both an
alert young mind and the range that only ages of experience can
give.
Sherlock Holmes had it easy, because the society in which he worked was
comparatively static.
If he said in 1880: "That footprint can only have been made by a shoe that was manufactured
by Fred Cobbler of Regent Street" he could reckon the same probably applied in
1885.
But what if he had said: "Ah that is the Version 8.4 release 6 shoe, compiled with
the Rational C compiler on Sequent architecture with patches 9126749 and 9376295"?
A single patch can make all the difference, as I found in a case concerning a Sun
workstation used in the pre-press industry (creating plates for printers).
The software, supplied by a world-famous multinational company, was alleged not to
work.
After the parties had argued over it for six months I discovered that the reason
why was that one patch had not been applied.
When I told my client that he had better settle on the best terms he could he
replied "No way.
Our pockets are far deeper than theirs".
Fortunately an out-of-court settlement was achieved, or I would have had the
embarrassing task of giving evidence that directly led to my stubborn client losing!
Giving evidence under cross-examination can be a gruelling
experience.
The only thing that makes it tolerable is when you are absolutely certain of your
facts and that there are no skeletons in your cupboard that you wish to hide.
In one case recently I had argued that the Prosecution evidence was taken from
formerly deleted files that were so corrupt and jumbled they could not be relied
upon.
What I only realised, while I was on the witness stand pointing this out on one
particular file, was that further down the file all the data was repeated, with no
corruption.
Fortunately neither the extremely confused barrister, nor the Military Policeman who was
acting as his expert in this Court Martial, ever scrolled down that far.
One important skill is to be able to speak the Queen's English and avoid use of
words that have more than two syllables.
There is great satisfaction in explaining
complexities to a judge and jury, so that their eyes light up
with understanding when they had expected to be baffled.
Sadly, most computer specialists are particularly bad at this.
The Tests
That brings us to the three examples with which you were to be lured to attend this
talk.
All come from actual cases:
-
You are a systems administrator trying to decide whether files
have been tampered with:
-
What does it imply when the last-modified date of a file is
older than the created date?
-
If a file has a certain last-accessed date, does it mean
that the file was opened on that date?
-
A computer I examined had files on it whose last-modified date
and time was some hours later than the time the police had seized
the computer.
The Scotland Yard detectives assured the Court
they had been driving it back to London and had not operated
the computer.
Were they telling the truth?
-
The girl claimed the boy had sent her an obscene harassing
email.
She gave the police a print which she claimed was printed
straight off her computer.
I noticed it was printed in more
than one typeface.
Had she forged it?
What other evidence of forgery
would you look for?
If you enjoy wrestling with questions like these, you might enjoy
acting as a forensic computer analyst.
Hardware and Software
If you decide to set up on your own, what will you need:
-
A job (and a family) from which you can absent yourself at odd times.
-
A high performance PC that can be dedicated solely to this, so that none of your
other work can cross-contaminate.
Or vice versa; it could be very embarrassing to send someone an email attachment
which, when opened, said "Click on this link to access the latest tools for email
forgery" (or the latest steamiest kinky sex, bondage, spanking, bestiality or snuff movie web site).
It needs removable disc caddies for a couple of slave hard drives and
a very active virus checker.
-
A few software tools of which the most important is EnCase from the
U.S. company Guidance Software.
The bad news is it costs about $2000.
There are British alternatives, from Vogon or DIBS which cost more.
So most U.K. police forces have switched to EnCase now which makes it
easy to work on jobs where they are involved.
Another useful tool is Net Analysis, written by a policeman with Kent
Police, which makes it easy to analyse web activity.
I hope the above has given a flavour of the opportunities, as well as
the legal and human issues that arise in computer
forensics, which lie around what is mainly a technical specialism.
How to get Work
Getting the first few jobs is not always easy.
You need to have a track record to get work and you cannot have a
track record until you have done work!
One approach is to advise established experts of your specialisms and
offer to assist them when they have a case that needs those skills.
The BCS maintains an Expert Witness section as part of its advice
services, which are advertised on its web site: click Advice ->
Professional Advice Register -> Expert Witness Section.
At present there are only seven names on there; we need you there too.
There are two bodies that attempt to raise the standards of expert
evidence: the Academy of Experts and the Expert Witness Institute.
They compete and quarrel disgracefully.
Most of the BCS experts are in the Academy.
The Academy has one excellent feature: very low cost Professional
Indemnity Insurance, which is a must.
An excellent organisation is the UK Register of Expert Witnesses, run
by a very capable individual called Chris Pamphlin of J.S.
Publications.
Their web site is www.jspubs.com.
You can get on their register with no difficulty; which means it is
less prestigious but it is a start.
The prestigious directory, used by most solicitors and barristers
to find experts, is the Law Society Directory, published by Sweet and
Maxwell.
It will only allow you to enter if you can produce references from two
solicitors for whom you have worked.
Then there are lots of directories that will take your money and you
will never know if you got work through them or not!
The University of Leeds runs ULIS, a commercial consultancy which
sometimes has to go outside the University to find specialists.
Send them your details.
Finally you can just circulate your details to local solicitors.
Answers
I have given these examples because they illustrate that computer forensics is not, solely, a
matter of knowing about computers and data and software and how they work.
-
Clearly the file had been created on a different volume and moved onto this volume.
Its last-modified date remained the same; its created date is the date it was
created on this volume.
-
No, because the last accessed date is altered if a file is copied to another
volume,
for example.
-
The files were downloaded from a Far East web site.
They had only just been put on the site so their last-modified dates were still a
few hours later than the time when the police seized the computer.
I only worked this out from a remark by one of the policemen while giving
his evidence.
The Court, which had clearly been troubled by the notion of police malpractice,
heaved an audible sigh of relief.
-
I concluded she had forged it, by printing out different parts of two emails,
pasting them together, then photocopying the result and giving it to the police.
Other evidence was that the "From:" field had two parts, both in <> brackets.
Also that the list of hops in the full header did not match the sender's domain
name.
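The reasoning in these answers can be turned into simple triage checks. What follows is an added example for this page, not code from the talk: it flags the timestamp patterns behind the first three tests (modified earlier than created, and modified or accessed after the time of seizure) and the two header signs from the fourth (a "From:" field with two angle-bracket parts, and a "Received:" chain that never names the claimed sender's domain). The file records, the seizure time and the two messages are all constructed; "created" is assumed to be the Windows-style creation date the lecture refers to, not a Unix ctime.

```python
"""Triage checks for the lecture's four tests (added example, not from the
original talk). All records and messages below are constructed."""
import re
from datetime import datetime, timezone
from email import message_from_string
from typing import Dict, Iterable, List, Tuple

# (name, created, last-modified, last-accessed)
FileTimes = Tuple[str, datetime, datetime, datetime]
UTC = timezone.utc


def timestamp_findings(files: Iterable[FileTimes],
                       seized_at: datetime) -> Dict[str, List[str]]:
    """name -> observations, reasoning the way the lecture's answers do."""
    out: Dict[str, List[str]] = {}
    for name, created, modified, accessed in files:
        notes: List[str] = []
        if modified < created:
            # answer 1: created on another volume, then moved or copied here
            notes.append("modified earlier than created: created on another volume and moved here")
        if modified > seized_at:
            # answer 3: needs explaining; the innocent explanation in the lecture
            # was a web server's timestamp carried over with the download
            notes.append("modified after seizure: handled in custody, or timestamp carried from the source")
        if accessed > seized_at:
            # answer 2: an access date can mean a copy, not a viewing
            notes.append("accessed after seizure: opened or copied while in custody")
        out[name] = notes
    return out


ANGLE_ADDR = re.compile(r"<([^<>]+)>")


def email_findings(raw_message: str) -> List[str]:
    """Signs of a pasted-together header, after the lecture's fourth case."""
    msg = message_from_string(raw_message)
    notes: List[str] = []
    addrs = ANGLE_ADDR.findall(msg.get("From", ""))
    if len(addrs) > 1:
        notes.append("From: contains more than one <...> address part")
    sender_domain = addrs[0].rpartition("@")[2].lower() if addrs else ""
    hops = [h.lower() for h in msg.get_all("Received", [])]
    if sender_domain and not any(sender_domain in h for h in hops):
        notes.append(f"sender domain {sender_domain} not named in any of {len(hops)} Received: hops")
    return notes


# Constructed records: the computer was seized at noon UTC on 1 Feb 2002.
SEIZED_AT = datetime(2002, 2, 1, 12, 0, tzinfo=UTC)
SAMPLE_FILES: List[FileTimes] = [
    ("moved.doc", datetime(2002, 1, 20, 9, 0, tzinfo=UTC),
     datetime(2001, 12, 5, 16, 30, tzinfo=UTC), datetime(2002, 1, 20, 9, 0, tzinfo=UTC)),
    ("download.jpg", datetime(2002, 2, 1, 10, 0, tzinfo=UTC),
     datetime(2002, 2, 1, 17, 0, tzinfo=UTC), datetime(2002, 2, 1, 10, 30, tzinfo=UTC)),
    ("notes.txt", datetime(2002, 1, 10, 8, 0, tzinfo=UTC),
     datetime(2002, 1, 11, 8, 0, tzinfo=UTC), datetime(2002, 1, 12, 8, 0, tzinfo=UTC)),
]

# Constructed messages; domains use the reserved .example suffix.
FORGED_EMAIL = (
    "Received: from mail.freehost.example (mail.freehost.example [192.0.2.10])\n"
    " by mx.college.example with ESMTP; Mon, 1 Apr 2002 10:00:00 +0100\n"
    "Received: from [192.0.2.55] by mail.freehost.example; Mon, 1 Apr 2002 09:59:00 +0100\n"
    "From: Boy <boy@school.example> <boy@freehost.example>\n"
    "To: girl@college.example\n"
    "Subject: hello\n"
    "\n"
    "pasted body\n"
)
GENUINE_EMAIL = FORGED_EMAIL.replace(
    "From: Boy <boy@school.example> <boy@freehost.example>\n",
    "From: Boy <boy@freehost.example>\n")


if __name__ == "__main__":
    for name, notes in timestamp_findings(SAMPLE_FILES, SEIZED_AT).items():
        print(name, notes or ["nothing unusual"])
    print("forged:", email_findings(FORGED_EMAIL))
    print("genuine:", email_findings(GENUINE_EMAIL))
```

Both checks produce observations, not conclusions: a modified time after seizure had an innocent explanation in the lecture's own case, and mail relayed through a third party's server will legitimately carry hops that never mention the sender's domain. They tell the analyst where to look and what question to put to the officer or the complainant; the opinion still has to be built from the three kinds of fact described earlier.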