Should You Utilize Anti-Malware Detection on Computer Forensic Examinations?

Bitstream Admin

Updated: May 15, 2020

Imagine that you are sitting in a witness chair. You have found several files on a computer that have been entered as evidence in the trial. The opposing attorney approaches you and asks you these questions:

Questions asked by an opposing attorney:


  • “Do you know what a Trojan Virus is?”

  • “Define to the jury what a Trojan Virus is.”

  • “Could a Trojan Virus have placed the files entered as evidence on the examined computer?”

  • “Did you run Malware detection on the seized computer?”

  • “Could Malware allow an outside party to ‘hack’ into a computer?”

  • “Did you run Malware detection on the seized computer?”


This line of questioning can really make a bad day for a digital forensic examiner on the witness stand. It has been used many times before. Regardless of how impossible it may be from the examiner’s perspective that a Trojan Virus placed files on a computer, this line of defense can easily confuse a jury and make the examiner look incompetent. So how can you prepare for this as you complete your examination, before heading to trial?



Conversely, imagine being on the witness stand and being asked the following questions:


  • “Did you run a complete examination of all the files on the defendant’s computer?”

  • “Do you have Malware detection programs to protect your forensic examination computers?”

  • “Was the Malware program operating when you examined my client’s computer?”

  • “Is it true that the Malware program will quarantine infected files as they are discovered when your forensic processes examine the computer image?”

  • “So, then, you did not actually conduct a full examination of the computer….”


These questions are abbreviated for this article. Questioning of expert witnesses at trial can be quite lengthy, designed so that the attorney can find a wedge for advantage and to tire the witness.


So, what does the examiner do? If Malware detection is utilized, then there will be an accusation that a full examination was not conducted. If Malware detection is not utilized, then the defense may argue that a Trojan virus placed the files in question on the examined computer.


A careful digital forensic examiner should consider making the following procedures a regular practice.


  • Create an up-to-date computer forensic examination computer.

  • Have up-to-date Malware detection software installed.

  • Create a restorable image of the computer.

  • You might also consider creating a virtual examination computer to operate your examinations. This will make it very easy to install a new, clean environment to conduct your examinations, each time you begin a new case.

  • Before the beginning of a new examination, restore a clean image to operate from. This will also defeat the ‘cross contamination’ accusations by the opposing attorney.

  • After the evidence has been processed by your forensic examination software, run the Malware detection software. Note any malware discovered, and research the implications of the software. Make any discoveries known to the attorney presenting your case.

  • Discuss with the attorney presenting your case whether a follow-up examination should be conducted to confirm that the evidence found prior to utilizing Malware detection software is the same after malware has been detected (most likely, you will be conducting a follow-up examination).

  • And always … research and prepare for all questions that could scrutinize your examination and expertise.
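As an added example (not code from the original article), the following Python script supports the follow-up step above: it records a SHA-256 manifest of the exported evidence files before the Malware detection software runs, then reports which files the scanner quarantined (missing), cleaned in place (changed), or introduced (added). The directory layout and sample files in `demo()` are constructed for the walk-through.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so large exports are not loaded into memory


def sha256_file(path: Path) -> str:
    """Stream one file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path -> sha256).
    Run this BEFORE the malware scanner touches the export directory."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Re-hash the export directory AFTER the scan and compare it to the manifest.
    missing = quarantined/removed, changed = cleaned or altered, added = new files."""
    current = build_manifest(root)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed walk-through: three sample evidence files, then a simulated scanner
    that quarantines one file and cleans another in place."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_bytes(b"constructed evidence file 1")
        (root / "photo.jpg").write_bytes(b"constructed evidence file 2")
        (root / "setup.exe").write_bytes(b"constructed sample a scanner might flag")
        before = build_manifest(root)                      # manifest taken before the scan
        (root / "setup.exe").unlink()                      # scanner quarantined this file
        (root / "photo.jpg").write_bytes(b"constructed evidence file 2 (cleaned)")  # altered
        return verify_manifest(root, before)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the pre-scan manifest with the case notes; a non-empty `missing` or `changed` list is exactly the discrepancy the attorney needs to know about before trial.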

