7.8 Presenting Digital Evidence

Preparation is one of the most important aspects of testifying in court (National Center for Forensic Science 2003). Scripting direct examination and rehearsing it with the attorney ahead of time provides an opportunity to identify areas that need further explanation and to anticipate questions that the opposition might raise during cross-examination. Conclusions should be stated early in testimony rather than as a punch line at the end because there is a risk that the opportunity will not arise later. During cross-examination, attorneys often attempt to point out flaws and details that were overlooked by the digital investigator. The most effective response to this type of questioning is to be prepared with clear explanations and supporting evidence.

It is advisable to pause before answering questions to give your attorney time to express objections. When objections are raised, carefully consider why the attorney is objecting before answering the question. If prompted to answer a complex question with simply "Yes" or "No," inform the court that you do not feel that you can adequately address the question with such a simplistic answer but follow the direction of the court. Above all, be honest.

In addition to presenting findings, it is necessary to explain how the evidence was handled and analyzed to demonstrate chain of custody and thoroughness of methods. Also, expect to be asked about underlying technical aspects in a relatively non-technical way, such as how files are deleted and recovered and how tools acquire and preserve digital evidence. Simple diagrams depicting these processes are strongly recommended.

It can be difficult to present digital evidence in even the simplest of cases. In direct examination, the attorney usually needs to refer to digital evidence and display it for the trier of fact (e.g. judge, jury). This presentation can become confusing and counterproductive, particularly if materials are voluminous and not well arranged. For instance, referring to printed pages in a binder is difficult for each person in a jury to follow, particularly when it is necessary to flip forwards and backwards to find exhibits and compare items. Such disorder can be reduced by arranging exhibits in a way that facilitates understanding and by projecting data onto a screen to make it visible to everyone in the court.

Displaying digital evidence with the tools used to examine and analyze it can help clarify details and provide context, taking some of the weight of explaining off the examiner. Some examiners place links to exhibits in their final reports, enabling them to display the reports onscreen and efficiently display relevant evidence when required. However, it is important to become familiar with the computer that will be used during the presentation to ensure a smooth testimony. Visual representations of timelines, locations of computers, and other fundamental features of a case also help provide context and clarity. Also, when presenting technical aspects of digital evidence such as how files are recovered or how logon records are generated, first give a simplified, generalized example and then demonstrate how this applies to the evidence in the case.

The risk of confusion increases when multiple computers are involved and it is not completely clear where each piece of evidence originated. Therefore, make every effort to maintain the context of each exhibit, noting which computer or floppy disk it came from and the associated evidence number. Also, when presenting reconstructions of events based on large amounts of data such as server logs or telephone records, provide simplified visual depictions of the main entities and events rather than just presenting the complex data. It should not be necessary to fumble through pages of notes to determine the associated computer or evidence number. Also, refer to exhibit numbers during testimony rather than saying, "this e-mail" or "that print screen."

Digital investigators are often required to provide all notes related to their work and possibly different versions of an edited/corrected report. Therefore, organize any screenshots or printouts (initialed, dated, and numbered) of important items found during examination. For instance, create a neatly written index of all screenshots and printouts.