Evaluation phase

During the evaluation phase, the digital forensic expert needs to match the evidence elements (facts) with the required legal elements to support (or negate) a legal theory. The items to evaluate include the elements that support the indictment, alternative explanations for those elements, and an analysis of what can be said, what cannot, and what further experiments would be needed to say more. This last point matters because the expert must assess whether the counterpart will perform these experiments, and whether performing them or asking for them to be performed entails risk.

The relationship with lawyers is important, as they own both the choice of defense strategy and the relationship with the client. They may ask for the expert’s counsel, but the expert must yield to them. The expert should never tarnish the lawyers’ relationship with the client. If the expert is unable to comply, they need to resign. The lawyers and client pay the expert’s bill, but do not dictate what the expert writes or says. The expert should always write and say only that of which they are personally convinced. The expert may be asked to omit a finding, as long as this omission is not the same as lying.

The relationship with prosecutors and police is also important. Assisting the prosecutors or the police does not entail moral superiority. It is still very important to stick to science and facts. The expert must not let their words or thoughts be shaped by “justice”.

The relationship with the client is also important. The expert assists one of the parties in the proceedings. This is not the same as “helping someone escape the law”. It is part of the due process of applying the law. “Process truth” is not the same as historical truth.

Analyzing Documents in the Evaluation Process

A critical aspect of the evaluation process in legal and forensic contexts is the thorough review of documents and evidence that have already been presented during the proceedings. This involves scrutinizing various forms of written documentation, particularly reports from expert witnesses and investigators.

When reviewing these documents, it’s essential to identify several key issues:

  1. Technical and Factual Errors:
    • Acquisition Errors: These involve mistakes during the collection of evidence, such as errors in the search and seizure process, issues with the chain of custody, problems with seals, inaccurate descriptions of seized or analyzed materials, and flaws in the hashing and cloning procedures. For instance, improper use of write blockers can compromise the integrity of digital evidence.
    • Analysis Errors: These occur during the examination of evidence and might include failures to verify hashing, reliance on proprietary software with potential bugs or vulnerabilities, inadequate descriptions of analytical processes, and other technical mistakes that could lead to incorrect conclusions.
  2. Presentation and Reasoning Flaws:
    • Unclear Reasoning or Methodologies: Look for reasoning that is not well-explained or methodologies that are poorly described, making it difficult to understand the basis of the findings.
    • Suggestive Writing: This refers to writing that may unintentionally bias the reader by implying certain conclusions without sufficient evidence. It is important to distinguish between opinions, hypotheses, and established facts.
    • Unsubstantiated Opinions and Hypotheses: Opinions or hypotheses presented without clear evidence or logical support can mislead the judge or other parties involved in the proceedings. It’s crucial to ensure that any opinions or hypotheses are clearly labeled as such and are backed by appropriate evidence.
    • Lack of Alternative Hypotheses: Failure to explore and present alternative explanations or hypotheses can lead to biased or incomplete conclusions. A thorough analysis should consider and evaluate different possible interpretations of the evidence.
  3. Omissions and Inadequate Explanations: Missing explanations or inadequate descriptions can hinder the judge’s or jury’s understanding of the evidence. It is important to provide clear and detailed explanations that fully convey the significance and context of the findings.

When conducting a technical review, it is essential to apply a methodical approach to ensure all aspects of the evidence are thoroughly examined:

  • Verification of Hashing: Ensure that the integrity of digital evidence was maintained throughout the process by verifying that hashing was correctly performed at each stage.
  • Use of Software Tools: Evaluate the software tools used during the analysis, checking for potential bugs, vulnerabilities, or limitations that could affect the accuracy of the findings.
  • Documentation of Procedures: Assess whether the procedures followed during evidence acquisition and analysis were fully documented and adhered to established standards and protocols.
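
As an added illustration of the hashing check above (not part of the original notes), the following Python example recomputes the hashes of the copy under review and compares them with the values documented at each stage, reporting hashes that are missing or do not match. The stage names, the record layout and the sample image are constructed assumptions.

```python
import hashlib
import os
import tempfile

ALGORITHMS = ("sha1", "sha256")

def hash_image(path, chunk_size=1 << 20):
    """Stream the file once and return {algorithm: hex digest}."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def review_hash_chain(path, records):
    """Compare each stage's recorded hashes with a fresh hash of the copy under review."""
    # records: chronological list of {"stage": str, "hashes": {algorithm: hex}}
    actual = hash_image(path)
    findings = []
    for rec in records:
        for alg in ALGORITHMS:
            recorded = (rec["hashes"].get(alg) or "").strip().lower()
            if not recorded:
                finding = "MISSING"    # stage documented without this hash
            elif recorded != actual[alg]:
                finding = "MISMATCH"   # copy differs from the recorded value
            else:
                finding = "OK"
            findings.append((rec["stage"], alg, finding))
    return findings

def demo():
    """Constructed image and constructed custody records, for illustration only."""
    data = b"constructed disk image contents\n" * 4096
    good = {a: hashlib.new(a, data).hexdigest() for a in ALGORITHMS}
    records = [
        {"stage": "seizure", "hashes": dict(good)},
        {"stage": "lab clone", "hashes": {"sha1": good["sha1"].upper()}},
        {"stage": "analysis", "hashes": {"sha1": good["sha1"], "sha256": "0" * 64}},
    ]
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "image.dd")
        with open(path, "wb") as fh:
            fh.write(data)
        return review_hash_chain(path, records)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A MISSING finding corresponds to a stage where no hash was documented, and a MISMATCH to a recorded value that the reviewed copy does not reproduce.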

Presentation: Writing an Effective Expert Report

When preparing an expert report, clarity should be the foremost priority. The report must be focused, concise, and tailored to the specific points that the expert intends to explain. If the report is written in the national language, it should minimize the use of English terminology, ensuring that all technical terms are clearly explained—either within the text or in footnotes.

  1. Clarity and Relevance:
    • Explain the Importance: Clearly articulate why your statements are relevant to the reader, particularly if the reader is a judge. Judges may not automatically grasp the significance of the details you present, so it is crucial to connect your findings to the broader context of the case.
    • Justify Your Statements: Avoid making definitive statements like “This does not work” without providing a clear explanation. What might be obvious to you as an expert may not be immediately evident to the reader, who might not share your technical background.
  2. Language and Tone:
    • Avoid Suggestions and Innuendo: Stay away from implying conclusions or making suggestive comments. Your language should be straightforward and objective, free from unnecessary complexity.
    • Use Accessible Language: Technical jargon should be minimized or explained, as it can detract from the clarity of your arguments. The goal is not to overwhelm the reader with complexity but to convey your findings in an understandable way.
    • Maintain Objectivity: Ensure that your report remains impartial. Avoid showing any bias toward your client, the aggrieved party, or the victim. Your role as an expert is to present facts with scientific neutrality.
    • Respectful Tone: While it is important to be respectful to the judge, avoid being overly deferential. Refrain from using sarcasm, and if you choose to use irony, do so sparingly and with confidence.
  3. Strength of Arguments:
    • Prioritize Strong Arguments: When presenting your case, lead with your strongest points. Weaker arguments should be used sparingly and only when they contribute to the overall understanding of the case.

Structure of a Report

A well-structured report resembles a scientific paper or academic report, with each section serving a clear purpose. The structure should guide the reader through your analysis methodically, presenting evidence and conclusions in a logical sequence. The report should be constructed like an obstacle course, challenging the judge to consider each point carefully and thoughtfully. Here’s a suggested structure:

  1. Foreword: Begin with a statement that confirms you have reviewed the relevant documents and evidence. Clearly outline the purpose of the report, specifying the questions or issues it aims to address.
  2. Introduction: Provide an overview of the report’s content. This section should explain what will be discussed and how it relates to the central question of the case. The introduction sets the stage for the detailed analysis that follows.
  3. Acquisition Issues: Address any initial observations regarding the evidence acquisition process. For example, if there were missing computed hashes or other issues, discuss the potential implications. This section highlights any flaws that could undermine the integrity of the evidence.
  4. Technical Analysis: Delve into the technical aspects of the evidence. Identify and explain any discrepancies, errors, or inconsistencies in the connection between relevant elements. Refute any erroneous claims made in the adversarial report and point out missing experiments or evidence that could be critical to the analysis.
  5. Conclusions: Summarize the report’s key findings. Emphasize any improper acquisition of evidence, potential contamination, and inaccuracies in the description of events. Offer alternative explanations if applicable. Conclude with a strong, evidence-backed statement that supports the theory or position you advocate.

Throughout the report, ensure that your writing is clear and concise. Technical terms should be explained when necessary, and the structure should guide the reader through the evidence in a way that challenges them to consider each point with due care. By doing so, the report not only conveys the expert’s findings but also compels the judge to engage deeply with the material presented.

Testimony as a witness

Definition

The expert witness is a person who has specialized knowledge in a particular field and is called to testify in court to help the judge or jury understand complex issues. Expert witnesses are typically called by one of the parties in a legal proceeding to provide their opinion on a specific matter.

The process for expert witnesses varies across legal jurisdictions. In some cases, experts are required to submit a report before being called as a witness, while in others (like Italy) they must first testify and then submit their report. Regardless of the jurisdiction, expert witnesses are bound by the duty to provide truthful testimony and are not allowed to claim confidentiality or professional secrecy.

During the direct examination, the expert is typically called by their own side and undergoes friendly questioning. It is important for the expert to be well-prepared and to have a script prepared in collaboration with their side’s lawyer. They should strive to be clear, helpful, and thorough in explaining their findings to the judge. It is also important to be patient and expect the judge to ask their own questions. The expert should remain calm and composed, as they will soon face cross-examination.

During cross-examination, the questioning by the opposing party may be less friendly and even hostile at times. To navigate this phase, the expert should thoroughly review the previous records of the lawyer, prosecutor, or judge involved. They can use their report as a shield and take time to carefully consider their answers. If possible, the expert should provide concise responses such as “yes” or “no”. If a question requires a more complex answer, they should make it difficult to understand. If a question unexpectedly elicits a positive response, the expert should quickly return to being clear and helpful. It is important for the expert to remain composed and not be surprised if their competence is challenged.