You are a computer forensic examiner. If you are called as an expert witness, you will likely be asked to explain your process of collecting evidence. Many jurors will find this process interesting, but tedious as well. Most people are unfamiliar with the processes necessary to acquire and store digital evidence in a manner that preserves the state of the evidence. You will have to educate them.
You must know your own process and your toolset like the back of your hand. It is imperative that you know, and can clearly explain, the steps you take and the tools you use in an investigation. You will be asked to explain each of your steps as you collected and analyzed evidence. If you need to use notes in your testimony, get permission from the judge first. He or she will usually ensure that your notes have already been admitted into evidence and then allow you to look at them to assist in the accuracy of your testimony. Don't just read your notes to the court; your credibility will suffer if you appear to lean too much on your notes.
The opposing counsel will certainly hammer you if you are unsure about your own practices. Don't provide the opportunity.
A good place to start in explaining your own forensic process is by referencing industry best practices. A wealth of information that outlines best practices in most security areas is available online. There are several very good websites that discuss current computer forensic best practices. Look at several of these websites to make sure your processes and tools are consistent with current best practices:
SANS Reading Room http://www.sans.org/rr/
United States Secret Service http://www.ustreas.gov/usss/electronic_evidence.shtml
CERT Coordination Center http://www.cert.org/tech_tips/win-UNIX-system_compromise.html (mostly related to incident response)
Enterprise Systems http://www.esj.com/news/article.asp?EditorialsID=826
Many more useful websites are available for additional best practices information. Take some time to explore several of them. They will help your investigation practices, as well as your ability to be accepted as an expert in court.
The primary source of information for the testimony explaining your forensics process is your evidence documentation. You should have an activity log that shows every action taken with respect to evidence during your investigation. The activity log should commence with evidence acquisition and be current up through the current day.
Complete documentation gives the jury the impression that you have been careful. Although it is possible to win a case without appropriate documentation, it makes your job far more difficult. Make sure you are meticulous in documenting the investigation process. You will need the logs if you are called to appear in court. Organized written information gives judges and juries the impression that you are responsible and meticulous.
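As an added illustration, not part of the original text, here is one way to keep the activity log described above tamper-evident: a small Python hash-chained log in which every entry (timestamp, examiner, action, evidence identifier, evidence hash, tool) commits to the entry before it, plus a check that the evidence still hashes to the value recorded at acquisition. The case id, examiner name, tool names and sample image bytes are all constructed for the demo.

```python
import hashlib
import json
SAMPLE_IMAGE = b"constructed disk image bytes for the demo"  # constructed stand-in for an acquired image
GENESIS = "0" * 64

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class ActivityLog:
    """Append-only activity log: each entry commits to the previous entry's hash,
    so an altered or removed entry breaks the chain on verification."""
    def __init__(self, case_id: str):
        self.case_id, self.entries = case_id, []

    def record(self, when, examiner, action, evidence_id, evidence_hash, tool):
        entry = {
            "case_id": self.case_id, "seq": len(self.entries) + 1,
            "timestamp": when, "examiner": examiner,
            "action": action,  # "acquire", "verify", "analyze", ...
            "evidence_id": evidence_id, "evidence_hash": evidence_hash,
            "tool": tool,  # tool names used below are hypothetical
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        prev = GENESIS
        for i, e in enumerate(self.entries, start=1):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if (e["seq"] != i or e["prev_hash"] != prev
                    or sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]):
                return False
            prev = e["entry_hash"]
        return True

    def evidence_unchanged(self, evidence_id: str, current_hash: str) -> bool:
        # Does the item still hash to the value recorded when it was acquired?
        acq = [e for e in self.entries if e["evidence_id"] == evidence_id and e["action"] == "acquire"]
        return bool(acq) and acq[0]["evidence_hash"] == current_hash

def build_demo_log() -> ActivityLog:
    # Constructed three-step history for one evidence item, acquisition first.
    log, h = ActivityLog("CASE-0001"), sha256_hex(SAMPLE_IMAGE)
    log.record("2024-01-10T09:00Z", "J. Doe", "acquire", "HDD-01", h, "imager (hypothetical)")
    log.record("2024-01-10T09:30Z", "J. Doe", "verify", "HDD-01", h, "sha256sum")
    log.record("2024-01-11T14:00Z", "J. Doe", "analyze", "HDD-01", h, "viewer (hypothetical)")
    return log
```

Re-running `verify_chain()` before testimony shows the log has not been edited since the entries were written; `evidence_unchanged()` ties the item you are describing back to its acquisition hash.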
Be prepared to explain the contents of your forensic toolkit. Include all hardware and software you use during an investigation. For each component, explain why you have it in your toolkit, what function it performs, and how you used it for the current investigation. Corroborating third-party information may be helpful.
For instance, your forensic software tools vendor might maintain information on the reliability of its product. Many commercial products provide online resources that make the use of their product more accepted in a court of law. Showing how your product maintains the chain of evidence gives some jurors the answers they were seeking.
Know exactly what tools you have and which ones you use. Be ready to justify your choice of tools and explain why your choice was sufficient to get the job done.