Friday, July 11, 2008

Defendant as Expert?

I was talking to an attorney the other day about an Internet predator case where the defendant testified about the chat logs, etc. in opposition to the prosecution expert.

To me, that is like having a defendant testify as a ballistics expert about the gun he used in a crime.

Independent of the person's level of expertise, I am trying to figure out how a jury would see this as anything other than highly biased, and probably suspect, testimony.

Especially in a case where the issue at hand is protecting children from Internet predators.

Who has more credibility in this instance: The law enforcement officer who is working to protect the children in the community, or the person accused of attempting to violate that very safety by allegedly soliciting a minor over the Internet in a chat room?

These cases are very difficult, even if you use an independent expert.

The odd thing about computer experts versus, say, a ballistics expert is that computers are available to everyone, so a great many people are exposed to computers and develop various levels of expertise, from "I just get my email on the thing", to the self-appointed guru.

And there are a lot of self-appointed gurus out there.

Of course, what that means is debatable, since who gets to measure the true level of expertise of the self-appointed guru?

These days it seems that all a person has to do to qualify as a self-appointed guru is to know enough geek-speak to confound the listener.

Computer user asks the Guru, "My computer is running slow and I keep getting booted off the Internet. Any idea what is wrong with it?"

Guru responds, "That could be anything from the Vundo trojan to a problem with your TCP/IP socket layer. Or maybe your hosts file has been compromised. It could even be a chattering NIC, or your computer may be botted by an attacker to be used in a DoS attack."

Computer user replies, "Huh? Can you explain any of that in English please?"

Guru responds, "Here, let me just fix it." While thinking, "Even if I did explain it, you wouldn't understand it."

This becomes even more problematic when it comes to court testimony and you have to explain to a jury exactly what happened and how it happened in plain everyday terms.

Sadly, this is even the case in my field where people are buying a forensics suite of software and putting themselves out there as self-appointed computer forensics experts.

And this is compounded by the fact that commercial computer forensics suites can make finding some types of information relatively simple. So simple, almost anyone with a middling level of computer expertise can do it.

What these suites cannot do is locate information about things that are not pre-programmed into the scripts used by the software.

Case in point: Evidence erasers.

I testified in a court case earlier this year where an Internet privacy program was installed on the defendant's computer.

The fact that this program was found on the defendant's computer was emphasized early on and throughout the case by the prosecuting attorney, to cast doubt on the intentions of the defendant by suggesting he wanted to cover his tracks and erase evidence from the computer.

In order to clarify the facts about the privacy program, I located the registry entries for the program. (The Windows registry is a database that Windows uses to keep track of things like program settings, user names, etc.)

I then located and installed an exact version copy of the privacy software on a clean computer in my lab and read the registry entries based on a default installation.

Then I went and located the documentation for the privacy program to determine the correct translations of the registry entries.

Many programs store information in the registry in unusual ways. In this case, the automatic wiping schedule for the program was stored as a single-digit integer, in this instance the value 4.

Based on the documentation I located, that meant the program would automatically run once every 12 hours.

Comparing the registry entries from the defendant's computer with the registry entries from the control computer, I was able to determine that all of the entries were set upon installation as default settings.

The program was also set by default to run every time the computer started up.

I also located the log files for the privacy program that showed what was erased and when it was erased.
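One way to carry out the baseline comparison described above (export the program's registry key from the evidence image and from a default install of the same version on a clean lab machine, compare value by value, decode the schedule code, and check the run-at-startup flag), as an added example that is not the post's own code or any vendor's tool. The key path, value names and the .reg exports below are constructed for this example; only the meaning of schedule code 4 (run once every 12 hours) comes from the post, and any other code is treated as unknown until the vendor documentation says otherwise.

```python
"""Baseline comparison of a privacy program's registry settings (added example)."""
import re

# Constructed .reg export from the lab (control) machine, default install.
CONTROL_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExamplePrivacyTool]
"InstallDate"="2007-03-02"
"ScheduleCode"=dword:00000004
"RunAtStartup"=dword:00000001
"WipeFreeSpace"=dword:00000000
'''

# Constructed export of the same key from the evidence image: identical to the defaults.
EVIDENCE_REG = CONTROL_REG

# Constructed export showing what a user-adjusted install would look like instead.
MODIFIED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExamplePrivacyTool]
"InstallDate"="2007-03-02"
"ScheduleCode"=dword:00000001
"RunAtStartup"=dword:00000001
"WipeFreeSpace"=dword:00000000
"LastManualRun"="2008-01-15"
'''

KEY = r"HKEY_CURRENT_USER\Software\ExamplePrivacyTool"  # hypothetical key path

# Schedule-code table: only code 4 is documented in the post; everything else is
# deliberately left undecoded rather than guessed.
SCHEDULE_CODES = {4: "automatically every 12 hours"}

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.+)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.

    Decodes the two value types used here: quoted strings and dword:XXXXXXXX
    (hex). Any other type is kept as its raw text so nothing is silently lost.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        raw = m.group("raw")
        if raw.startswith("dword:"):
            value = int(raw[6:], 16)
        elif raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        else:
            value = raw
        keys[current][m.group("name")] = value
    return keys


def diff_settings(control, evidence, key):
    """Return [(value_name, default, observed)] for every value that differs
    from, is missing from, or was added beyond the control defaults."""
    defaults = control.get(key, {})
    observed = evidence.get(key, {})
    changes = [(n, d, observed.get(n)) for n, d in defaults.items() if observed.get(n) != d]
    changes += [(n, None, observed[n]) for n in observed if n not in defaults]
    return changes


def describe_schedule(code):
    return SCHEDULE_CODES.get(code, f"unknown code {code}: consult the vendor documentation")


def analyze(control_text, evidence_text, key):
    """Summarize whether the evidence key still holds the default settings."""
    changes = diff_settings(parse_reg(control_text), parse_reg(evidence_text), key)
    settings = parse_reg(evidence_text).get(key, {})
    return {
        "all_defaults": not changes,
        "changes": changes,
        "schedule": describe_schedule(settings.get("ScheduleCode")),
        "runs_at_startup": settings.get("RunAtStartup") == 1,
    }


if __name__ == "__main__":
    for label, export in (("evidence", EVIDENCE_REG), ("modified", MODIFIED_REG)):
        print(label, analyze(CONTROL_REG, export, KEY))
```

The control export should come from a fresh install of the exact same version, since defaults can change between releases; a value that appears only in the evidence export (like the constructed `LastManualRun` above) is exactly the kind of entry that would then be checked against the program's own log files.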

Taking all of this to court allowed me to show exactly what was going on with this particular program and that the defendant did not set it up to erase his tracks. In fact, it was installed by his computer support person over a year earlier, had never been adjusted, and had not been manually run by the defendant at any point during the time in question.

I think something a lot of people don't realize about court cases is that they are really about each side telling a story, based on the facts and circumstances of the case, to a jury of twelve people.

Then it is up to the jury to decide who told the story that provides the least amount of reasonable doubt. Or in other words, who was more believable.

How does forensic analysis like the above affect the stories?

On the prosecution side, all they have to do is say that the defendant had a program installed on his computer to wipe out evidence of his actions on the computer. That is enough to establish some doubt about the intentions of the defendant.

On the defense side, telling "the rest of the story," as Paul Harvey would say, sheds light on the actual use of the program and the intentions of the defendant.

The purpose of going through that example is to show that owning some computer forensics software and even attending training is not always enough to provide expert forensics services.

Experts come in all levels of expertise. The better ones not only have the right tools and know how to use them; they also have a significant depth of knowledge about software, hardware, programming, databases, email, the Internet, social networking, file sharing programs, evidence handling, search and seizure laws and court presentation.

The problem for defense attorneys and public defenders is that very few computer forensics experts will do defense work and especially sex crimes defense work.

In my opinion, that is where the expertise of an experienced forensics examiner is most needed. Law enforcement will always have an expert on their side of the table. The defense should as well to balance the scales.

