Testifying in a Computer Crimes Case
By: Deb Shinder
Note: This article previously appeared on our affiliate site Windows Security. The original article can be found here.
As an IT professional and working network administrator, you may find yourself called upon to testify as a victim or witness (i.e., a representative of a company whose network is victimized) in a computer-related crime. Another possibility is that you might someday want to use your technical expertise to become a professional expert witness in computer-related cases. In this article, we examine the basics of testifying in either capacity in a case involving computer crimes, and how you can move into the lucrative field of computer forensics, on either a full- or part-time basis.
Understanding Computer Crime Concepts
As the incidence of intrusions, attacks, and release of malicious code (viruses, worms, Trojans, etc.) has grown and the real cost to businesses of dealing with these attacks has become more evident, prosecution of computer crime has become more common despite the difficulties involved in identifying and proving the case against an offender who most often does his dirty work from a remote location.
Note: The discussion in this article is based on the U.S. legal system. The process of testifying is similar in most jurisdictions, but different rules and procedures may apply in other countries.
Before testifying in court, it's important to understand basic legal concepts surrounding network attacks and intrusions. In the U.S. (and many other countries), a case can be brought against attackers and intruders under either criminal or civil law. A civil case, called a tort, is a lawsuit brought by a private citizen (or corporation, which is an entity under law) against another person or legal entity, seeking some sort of relief (usually this is money, but sometimes it's in the form of an injunction, which is a court order compelling the other person to do or not do something). A criminal case is an action brought by the government (local, state or federal) on the behalf of society, and seeks to punish the offender. The punishment can be in the form of a fine, jail or imprisonment, or even (in capital cases, which generally only apply to the offense of murder with special circumstances) the death penalty.
The civil and criminal justice systems are completely separate. The same act can be both a crime and a tort, and a hacker could be sued in civil court and prosecuted in criminal court for the same act (the prohibition on double jeopardy applies only to criminal cases). In both civil and criminal cases, rules of evidence apply. These rules are not the same for both types of cases, however. For example, the burden of proof is much higher in a criminal case. To win a civil case, the person bringing the suit (the plaintiff) is only required to prove his/her case by a preponderance of the evidence. That is, there must be more evidence supporting the allegation than there is against it. In a criminal case, the state must prove its case beyond a reasonable doubt, which means it is almost a certainty that the offender committed the crime.
In addition, crimes are prosecuted under different jurisdictions. An act may be a violation of local, state or federal law -- or all three. A person can be prosecuted and acquitted by the state and then prosecuted again under federal law for the same act (this does not constitute double jeopardy, either).
Regardless of what type of case you're testifying in, you are required to take an oath promising to tell the truth, and lying on the witness stand is a criminal offense itself, even if the case in which you're testifying is a civil case.
Testifying as a Witness or Victim
Attorneys present cases in court by introducing evidence. There are two basic types of evidence:
* Physical evidence: things that support the attorney's argument. This could be the "smoking gun," a photograph, or in the case of computer crimes, a firewall log or a computer hard disk holding data.
* Direct evidence: testimony of a person who has direct (first-hand) knowledge of what happened. Hearsay evidence (second-hand testimony from someone who was told something by a person who had direct knowledge) is generally not admissible except in special cases such as dying declarations, in which the person with the first-hand knowledge told the witness the information before dying.
Note that physical evidence must always be accompanied by direct evidence. That is, when a physical object is introduced as evidence, someone must testify as to its relevance to the case. As a network administrator or IT worker, you might be asked to testify that the firewall log introduced into evidence is the one you printed out immediately following an intrusion or attack.
Note: There is a third type of evidence, intangible evidence, which refers to something that cannot be seen or touched.
When you testify as a witness or victim, it's important that your knowledge be first-hand -- not something you heard from someone else. If it's a jury trial, speak to the jury, not just to the attorney posing the question. If you don't understand the question, ask for clarification. If you don't know the answer to a question, say so. Don't just make something up.
Remember that jury members (and the judge, for that matter) are probably not technology experts. Make sure your answers are clear and simple enough for non-techies to understand. Avoid jargon and acronyms, even the ones that seem obvious to you (the average juror doesn't know what DNS is, and may not even know what DSL is). Don't "talk down" to the jury.
The opposing attorney may try to shake you up, make you contradict yourself or cast doubt on your testimony. That's his/her job. Don't take it personally. Even if the attorney shouts at you or derides you, just calmly answer the questions. Remain professional at all times. Not only does this lend more credibility to your testimony, but if you get angry and say things that are inappropriate, you could be found in contempt of court and fined or even jailed.
If no question has been asked (the attorney simply makes a statement, especially a provocative one such as "I don't think you really know how to read a firewall log"), say nothing. Wait for a question. When being questioned by the opposing attorney (in most cases, that'll be the defense attorney), answer only the question that's asked, and no more. Don't volunteer anything. Don't try to "explain" things. Stick to "just the facts." If you think a question is improper, pause long enough to give the prosecutor time to object.
If you are testifying as a witness or victim, you should meet with the prosecutor or a member of the prosecution team prior to giving your testimony. They should not tell you what to say, but they can give you advice on how to say it. If your testimony is used to introduce physical evidence, be sure you know exactly when the evidence left your hands and to whom it was given. This is important in establishing the chain of custody, which is a record of where the evidence was and who had control of it, from the time it was collected until the time it is presented in court.
Remember that when testifying as a witness or victim, you can give only facts, not opinion.
Testifying as an Expert Witness
When testifying as an expert witness, your opinion is what it's all about. An expert witness does not have personal knowledge of the offense, but testifies based on his or her expertise in the subject matter about the facts given by other witnesses and provided by the physical evidence.
If you are testifying as an expert witness, you are actually working for one side or the other. Expert witnesses are hired by either the prosecution or the defense, and are usually paid (often quite well) for their testimony at a per-diem rate. There are many professional expert witnesses who provide testimony in many different cases (and for both prosecution and defense, although not for both sides in the same case).
The most important aspect of testifying as an expert witness is establishing your credentials. The court must accept your qualifications as an expert in order for you to be allowed to testify. The attorney on whose side you're called as an expert will ask you a series of questions designed to show your qualifications as an expert. You might be asked about your formal education in computer science, how many years you've worked in the tech business, specifics about your experience in the technical area the case involves (for example, encryption), books and articles you've published, awards you've received, courses you've taught, and so forth.
The opposing attorney will usually attempt to attack your credentials to get your testimony excluded or to cast doubt on its credibility if it is admitted.
The job of the expert witness is also to help simplify highly technical material so that non-technical people (judge and jury) can understand it and make decisions based on it.
There are books and training courses available for those who want to be expert witnesses in the computer crimes area. New Technologies, Inc. (NTI), which makes computer forensics software, offers training in presenting expert testimony on electronic evidence (see http://www.forensics-intl.com/expert.html). Books such as Expert Witness Handbook by Dan Poynter (http://www.amazon.com/exec/obidos/tg/detail/-/1568600275/qid=1105214011…) offer tips on becoming a successful expert witness.
Some experts don't take the stand and testify, but instead act as consultants to the attorneys on the case. To get hired as an expert witness or consultant, you need to establish a reputation in the field of expertise and then make known your interest in participating in the judicial process. There are a number of services that locate expert witnesses for attorneys (see http://www.ims-expertservices.com/specialties/computer-hardware.htm and http://www.jurispro.com/). You can register as an expert with these services (for a fee).
Summary
More and more laws are being passed that pertain to computers and networks. As an IT professional, you may at some time in your career find yourself called upon to testify in court, either in relation to a criminal offense or civil action involving your own organization's computers or to give your expert opinion in a case in which you have no personal involvement.
The most important thing to remember, in both cases, is to be sure you "know your stuff" inside and out. The judicial process is an adversarial one, which means there are attorneys on both sides attempting to build their own case and tear down the opposition's case. As a witness, you are called by and seen as part of one side or the other, and you must be prepared for questions from the opposing side that will challenge your testimony and perhaps even attempt to cast doubt about your honesty, integrity and expertise.
Your testimony as a victim or eye witness could be instrumental in bringing a computer criminal to justice or recovering damages for your organization. Your testimony as an expert witness could be the deciding factor in a criminal or civil trial and could also result in a lucrative career for you.