Becoming a Better Digital Forensics Witness
Avoid the Absolute

Lawyers love absolute responses such as “never,” “impossible” and “always” because they’re easy targets for attacking a witness’s credibility, even when those attacks are pretty silly.
I was once asked to demonstrate cross-examination at a computer forensics conference. The witness was an expert of renown and an unquestionably capable examiner. He brought his laptop running the forensic software he’d written (like I said, a serious expert). I sparred with the witness long enough to make him defensive (and a bit cocky), then gave him a thumb drive holding two simple text files. I asked him to calculate an MD5 hash for each. He glanced at the contents, saw that each contained my name and address, and quickly calculated identical MD5 hashes for the two. I asked him if, despite their different file names, the contents of the two files were identical. He said they were. I asked him if he was certain and tried to toss a little mud on his methodology to get him puffed up. The expert testified that he was certain the files were identical because they had matching hash values. I then had him explain how hashing was a technology central to his evidence authentication, deduplication, chain of custody, etc. I concluded by asking if he was as certain about the two files being identical as he was about the other opinions he’d expressed. He said he was, adding that it was impossible for the two to be different if they have matching hash values.
The hook was set.
I then asked the expert to pull the contents of the “identical” files into a hex editor, and I gave him the offset addresses of six places in the file where there were differences between them. He was floored to find the differences were real. I then wrote the names of the files on the board: 5h1t and 5h1n0la, and I ended my cross-examination noting that he apparently wasn’t expert enough to tell one from the other.
All I’d done to set him up was append my name and address to tiny files engineered by Chinese researchers (Wang et al., 2004) to demonstrate the feasibility of an MD5 hash collision. Those two files collide in MD5’s internal state after their final block, and MD5 carries forward only that state, so appending the same name and address to each left the digests identical. The testifying expert forgot the difference between a collision being computationally infeasible and impossible. Accidental MD5 collisions are exceedingly rare, but deliberately engineered ones have been practical since 2004. Never having seen a hash collision and knowing the gargantuan odds against stumbling on one by chance, the expert was maneuvered by hubris into making a categorical statement he couldn’t defend and into allowing his credibility to be tied to one point.
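The setup described above, reproduced as an added example that is not from the original article: the two 128-byte blocks are the MD5 colliding pair published by Wang et al. in 2004, as commonly reproduced; the name-and-address suffix is a constructed stand-in, and the function names are my own. The script appends the identical suffix to both blocks, confirms the MD5 digests still match, and then performs the checks a witness should make before calling two files identical: a byte-for-byte comparison (which yields the six offsets a hex editor would show) and a second hash function.

```python
import hashlib

# The two 128-byte messages published by Wang et al. (2004) as an MD5 collision,
# as commonly reproduced. They differ in exactly six bytes.
COLLIDING_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
COLLIDING_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# Constructed stand-in for the name and address the author appended to both files.
SUFFIX = b"\nJ. Q. Examiner\n123 Example Street\nAnytown, TX 00000\n"


def build_files(suffix=SUFFIX):
    """Append the same suffix to both halves of the colliding pair.

    The pair collides in MD5's internal state after its second 64-byte block,
    and MD5 carries forward only that state, so any common suffix keeps the
    digests equal. Returns the two file contents as bytes.
    """
    return COLLIDING_A + suffix, COLLIDING_B + suffix


def differing_offsets(a, b):
    """Byte offsets at which a and b differ (what a hex-editor comparison shows)."""
    offsets = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    # A length difference counts as differing from the shorter file's end onward.
    offsets.extend(range(min(len(a), len(b)), max(len(a), len(b))))
    return offsets


def compare(a, b):
    """The checks to perform before testifying that two files are identical.

    A matching MD5 alone is not proof; a byte comparison and a second,
    unbroken hash function both expose the engineered collision.
    """
    return {
        "md5_equal": hashlib.md5(a).digest() == hashlib.md5(b).digest(),
        "sha256_equal": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "bytes_equal": a == b,
        "differing_offsets": differing_offsets(a, b),
    }


if __name__ == "__main__":
    a, b = build_files()
    report = compare(a, b)
    print("MD5 (5h1t):    ", hashlib.md5(a).hexdigest())
    print("MD5 (5h1n0la): ", hashlib.md5(b).hexdigest())
    print("SHA-256 equal: ", report["sha256_equal"])
    print("Bytes equal:   ", report["bytes_equal"])
    print("Differ at:     ", [hex(o) for o in report["differing_offsets"]])
```

The six differing offsets all lie inside the first 128 bytes; everything after them is the common suffix, which is why the suffix can be anything at all without disturbing the MD5 match. A SHA-256 (or simply a byte-for-byte) comparison would have let the witness answer “the MD5 hashes match, but I have not verified the contents are identical,” which is the defensible statement.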
Expect the Unexpected

As a trial lawyer, my credo was that even adverse witnesses could do my case some good. I began each cross-examination by getting adverse experts to stress the strengths of my case, sometimes to the point of their conceding things beyond their expertise. Medical doctors would corroborate liability facts, and engineering experts would concede my client was permanently disabled. I could do this because opposing counsel were loath to challenge their own witnesses’ expertise, and the witnesses weren’t prepped to expect the unexpected.
Even without pushing witnesses outside their expertise, I knew every expert could concede something about my case even if it were, “You would agree that my client’s computer was powered by electricity, correct?” If they fought me on everything, it underscored their bias and hurt their credibility.
The lesson: The witnesses making concessions were too sure of themselves to say, “I don’t know,” and the combative witnesses were too invested in the outcome to concede the obvious.
Know What’s Out-of-Bounds

In most jury trials, the Court determines that there are matters that may not be disclosed to the jury. These may be a creature of statute, of common law or the consequence of a motion to exclude called a Motion in Limine. You need to know what’s out-of-bounds, and sometimes, counsel will forget to tell you. Always ask about excluded matters before you take the stand! Remember that the fact that certain evidence has been excluded may itself be something you can’t mention on the stand.
Occasionally, counsel for the party who sought to exclude the evidence will ask a question that necessitates mention of the excluded matter. This is called “opening the door,” but don’t be too quick to enter. Let the court and the attorneys see that you are hesitant to respond so as to allow the lawyers an opportunity to seek guidance from the Court. You must carefully balance the Court’s intention to exclude the evidence against the obligation to answer a question that necessitates disclosure. Misjudgment can prompt a mistrial. Accordingly, do all you reasonably can to afford the Court and counsel an opportunity to resolve this before disclosing excluded matter.
Craig Ball
Attorney and Forensic Technologist
Certified Computer Forensic Examiner
www.ballinyourcourt.com