Digital Forensics and Ethical Hacking

Motivations & Definitions

The CPS define FOUR types of witness

• Ordinary
• Professional Witness
• Expert Witness
• Interpreters

What is a "Witness"? - Ordinary

This is someone who sees an incident take place, e.g., someone witnessing a robbery or road accident. Doctors acting in this capacity do so as members of the public. You can only claim out-of-pocket expenses for court attendance and may be summoned to attend court.​

What is a "Witness"? - Professional Witness

This is someone who gives evidence from knowledge obtained in a professional capacity, and whose evidence is confined to matters of fact (e.g., doctor giving evidence on treatment given to the subject of the proceedings).​

What is a "Witness"? - Expert Witness

This is someone specifically called in by one side or the other to interpret the facts using his/her expertise. Fees are paid where the specialist is engaged to give expert evidence and opinion. ​

What is a "Witness"? - Interpreters

If a suspect has been interviewed through an interpreter and there is an issue about what was said, evidence will have to be given by the interpreter. The only valid witness as to what the defendant said is the interpreter. (Archbold 4-36).​

What is a "Witness Statement"?

• Formal, factual account of an incident or series of events
• Record What the witness saw, heard, or felt
• Forms your evidence
• Must be admissible to be used

See https://www.cps.gov.uk/legal-guidance/witness-expenses-and-allowances

Who Requests a Witness Statement?

Witness statements can be requested by:

• Police
• Coroner
• Employer
• Other official bodies, e.g., H&S Executive

Why Have a Witness Statement?

You have witnessed or know something about:

• A crime
• A civil dispute
• A practice misconduct investigation
• An employment tribunal

How observant are you?

Well?

Click to see this video.

Aims of a Witness Statement

In preparing your statement, you are seeking to convey:

• What you did
• How you did it
• What you found/saw
• The meaning of what you found/saw

What You Aren't Preparing for

You are not preparing to:

• Demonstrate how complicated things can be
• Teach the court how to do your job
• Use more detail than is really needed
• Show what a smart Alec you are

What You Aren't Preparing For But May Have to

• Enter into a technical discussion, especially to rebut an argument
• Be prepared to substantiate any conclusions
• Answer questions on topics which you did not anticipate would arise

Preparing the Evidence

• If your evidence is good and clear, you will likely not need to attend court
• Any exhibits you produce should be relevant
• As far as possible, present your evidence on paper (easily reproduced for Jury bundles)

Resource Details

• If you use any software to prepare evidence, include the version number
• If you use any equipment, include the serial number or other unique identifier

Separating the Detail

• As stated previously, keep technical detail to a minimum in your statement
• Reserve detail to any contemporaneous notes you keep
• You never know what might be important later on!

Establish your Credibility

• Include your qualifications, training and experience
• These are important as you may be asked to give expert evidence

Grouping

• Use a logical order - don't jump around
• Deal with one topic at a time
• If your statement covers multiple events/people/items, keep them separate

Jargon

When using jargon, provide brief and simplified descriptions of what these terms mean

Establish Procedures

• If you use a phrase like, "Following normal procedure...", provide a copy of the documented 'normal procedure'
• If this is not practical, be prepared to answer questions on the procedure

Errors and Issues

• If things go wrong, then explain this in your statement and its impact (if any)
• If your evidence is not as good as it would have been as a result, leave it to the Court or CPS to decide on the value of what you have produced

Criminal Proceedings

• Section 9 of the Criminal Justice Act 1967 allows witness statements to be introduced to court

• Guidance on this is contained in the Criminal Procedure Rules (Part 16)

The list to the right shows what a witness statement MUST contain.

Civil Proceedings

• Section 32.8 of the Civil Procedure Rules covers the witness statement format
• Guidance on this is contained in Practice Direction 32 (Part 17)

Example Statements

On Blackboard, in the folder for this session, you will find example statements:

• A - CIVIL case - Employment tribunal statement (Annotated for guidance)
• B - CRIMINAL case - Paedophile investigation (What required elements are present?)
• C1-C11 - Supplied statements (Use what you have learnt so far to critique in groups, time permitting)

Being a Witness

• Ministry of Justice guidance on being a witness can be found here

• Support available as a witness can be found here and here

Typical Courtroom Layouts

Magistrates' Court

Typical Courtroom Layouts

Crown Court

Typical Courtroom Layouts

Youth Court

Typical Courtroom Layouts

Coroner's Court

Being a Witness (cont'd)

• Essentials - travel plans, availability, etc. can be found here

• Court layouts are explained here

• Who's who, is discussed here

More detail on "Who's Who":

• More Crown court details are discussed here
• More Magistrate's court details are discussed here

Preparing for Court

Exercise

• In pairs, imagine you have been called to give evidence in a case where you witnessed an act of professional misconduct
• Make a list of what preparations you would make before you attend court

Exercise - Preparation should include a review of what you need:

• Ensure that continuity is correct for any exhibits relied upon and produced
• Re-read your notes, exhibits, statement and report (if produced)
• If there are any errors, inform the lawyer calling you immediately
• Ensure any contemporaneous notes you rely upon are available and have been disclosed
• Identify any weaknesses with your evidence and consider a response

Exercise - Preparation should include practical logistics:

• Check when you are needed in court
• Check the status and title of the judge
• Contact telephone numbers (liaison usually with CPS)
• Meeting-point in court
• Get formal clothing ready
• Transport arrangements
• Venue - Magistrate's or Crown court?

Exercise - Personal:

• Don't expect to be called at your allotted time - take some reading material!
• Have your important effects with you, e.g., any medication you may need, reading glasses, etc.
• Be prepared to get very bored waiting for hours to be told you are no longer needed that day or at all!

Appearance

Five main factors influencing the jury's perception of a witness (Tanton, 1979):

• Men aged around 43, short grey/balding projected air of authority
• Women aged around 37, short neat/hair were the most trusted
• Well-dressed implied more reliable
• Briefcase or glasses reinforced trustworthiness
• Juries appreciated neatness, intelligence, self-control and confidence (minor nerves)

Procedure in the Witness Box

Examination-in-Chief

• Questions asked by the lawyer calling you
• Non-hostile questioning
• Sometimes discussed/clarified beforehand
• Take time to answer and make your answer easy to understand
• No leading questions to guide you are allowed
• Be familiar with your own statements/notes/exhibits
• Criminal: Oral testimony
• Civil: Statement + supplementary questions

Cross-examination

• Questions asked by the lawyer for the opposing party
• Can be hostile questioning!
• Great care needed in answering
• Take time to answer and make your answer easy to understand

In the Box

• Keep your answers short and don't offer additional information
• Consider using everyday analogies in any explanations you give
• Assume zero technical knowledge

Uncertainty in the Box

• NEVER dig a hole for yourself by making an assertion about something you are unsure of
• Don't be afraid to say you don't know
• Stick to what you do know

Remember, as the saying goes: Assumption is the mother of all f***-ups!

Expert Upgrade

• The court may accept you as an expert witness
• You must satisfy the court that you have both qualifications and experience to do so
• If you are accepted, your status in the court changes...

The Expert Witness

• As an Expert witness, you are no longer an advocate of the prosecution or defence
• Your role is to help the court, prosecution and defence
• You will be allowed to offer opinion on your own evidence and that of others

With Great Power

• As an Expert witness you are in both, a powerful and exposed position

• Powerful: Allowed a lot more latitude and influence

• Exposed: Everyone expects you to have comprehensive knowledge

Remember

• Don't be afraid of Expert status
• You will almost certainly know a good deal more about your subject than those in court

What is "Continuity"?

In plain English:

• The way the evidence has been handled
• Lifecycle includes:
  • Found
  • Seized
  • Produced
  • Transported
  • Storage
  • Examined
  • Court
  • Disposed/Released

How to Evidence Continuity

Complete and accurate record of:

• Who seized/produced the item
• Where the item was seized/produced
• Where the item was found
• Date and time the item was seized
• Date and time the item was released to someone else
• Integrity of the item (now, exhibit) is intact

Evidence Bags

What's wrong here?

The bag (right) is removed from the property store by a junior member of the team to be returned to the Case Officer

How to Reseal an Exhibit

Ideally:

• Place old bag AND exhibit in a new bag
• Old bag is positioned so details can be read through back of the new bag

Fallback 1:

• Reseal bag with tamper-evident sticker
• Stickers have unique numbers
• Sign/date over sticker

Fallback 2:

• Reseal bag with tamper-evident tape
• Sign/date over tape

Fallback 3:

• Reseal bag with sellotape
• Sign/date over tape

What are "Contemporaneous Notes"?

• A record of:
  • Something you witnessed/experienced
  • A decision you made, with rationale
• MUST be made at the time or at the earliest opportunity thereafter

What Should be Recorded?

Why Keep a Contemporaneous Record?

• Judgement calls are frequent - defend yourself!
• Expect to be challenged!
• Restraints by others that can/do impact on results
• Justification/rationale for your methods
• Often need to revisit your work months later
• Allows work to be repeated/verified by others

What if I Make a Mistake in an Entry?

Paper-based records:

• Don't redact (black out), e.g., "The xxxx ..."
• Strike out and initial, e.g., "The mouse house ..."

Electronic records:

• Add a new entry, e.g.: 28/11/2017 20:19 CORRECTION - The entry dated 26/11/2017 14:23 should read "Exhibit ABC/", not "Exhibit ABC/2"

How do I Preserve the Integrity?

Paper notes:

• Example policies list steps to take

Digital notes:

• Hash the file/entries
• Incapable of post-entry editing (read-only)
• Limited number of specialist applications available, for example:
  • Case Notes
  • Forensic Notes

References

Tanton, R.L. (1979) Jury preconceptions and their effect on expert scientific testimony. ASTM International.

Image References

• https://cdn-wordpress-info.futurelearn.com/info/wp-content/uploads/dcc239b6-010e-4ba6-8ec9-83aaf3436131-768x1085.png