A Guide to Forensic Testimony. The Art and Practice of Presenting Testimony as an Expert Technical Witness
by Fred Smith and Rebecca Bace

Addison-Wesley 2003. ISBN 0-201-75279-4. LoC KF8961.S63 2003. 509 pages. $49.99. Index, two appendices.

Reviewed by  Robert Bruen   November 11, 2002 

As feared by many in the early days of computers, the legal system has discovered the Internet and the world of digital technology.  The early cases are illustrated by security cases (Morris, Mitnick and LaMacchia), business problems (Lotus) and big cases (Microsoft).  These cases were more the exception than the rule, but they were merely hints of what was to come.  Today digital forensics are a fact of daily life.  Now that business and commerce are almost completely dependent on digital technology for record keeping, communication, analysis, and so forth, the inevitable intrusion of the legal process has happened.  This is not material for headlines, like the political process, but instead is the standard procedure for handling disputes through the impartial third party: Our Legal System.

This intrusion is not necessarily a bad thing, but in any case, it is here to stay.  If your corporate network has been compromised, perhaps resulting in the theft of a trade secret, then the legal system is your next stop.  For the IT professional, this means several new experiences, most of which will be unpleasant.  First, an evidence preservation team may swoop down and block your access to the machines you manage.  Next, you may find yourself testifying in court.  Yes, testifying in court.  For most of the IT players, this is a new and terrifying experience.  The world of lawyers and judges is very different from the comfortable world of SNMP, Apache and patching OS problems.

The explosion of computers in business, and the almost standard operating procedure of seizing computers in any criminal investigation and arrest, have created a need for IT experts to appear in court.  Unfortunately, most IT folks are ill prepared for such an adventure, especially when one considers that often they are invited to participate in the proceedings, rather than appearing by choice (read subpoena).  Lawyers are trained to intimidate, confuse and impeach the credibility of witnesses.  Juries and judges expect a level of expertise and courtroom demeanor that keyboard jocks are simply not used to.  The involvement of IT professionals in the courtroom will explode in the same way that the Internet exploded across the planet, simply because business lives there.

It is therefore a good idea for IT people to learn about that world before learning through experience.  If you have been making presentations on a regular basis, that will help.  If you have been able to explain how to reverse engineer a binary to your mother, that will also help.  However, unless you also went to law school, I recommend strongly that you read this book.  Smith is a lawyer and Bace is already known in the security field.  The book is written to explain what it takes to appear in court as an expert witness.  There are already books on appearing as an expert witness, but not one for IT professionals like this one.  The guide is a wonderful marriage of the two worlds, delivered with a sense of humor, lots of examples and real testimony from the likes of Bill Gates.  The analysis of his testimony is enlightening.  Not only are his mistakes explained, but so are the legal maneuvers behind the questions.

This is a highly recommended book for security professionals and for most IT professionals.  It deals with an area that most of us do not come in contact with very often, but being an expert witness is not a skill one develops overnight.  It is not only better to be prepared in advance, but also to be helped by authors who have a clue about what we do.  Keep in mind that your chances of being called in court go up every day.  It could be as a witness, or perhaps as a defendant, just because you work with IT, and not because you have done anything wrong.  Remember, these guys went to law school, not justice school.  Be prepared.