As a defense expert, you are not under the Brady requirement that the prosecution is under to disclose exculpatory (or, symmetrically, inculpatory) evidence that you may or may not identify. Instead, you have been asked to identify interpretationsĀ of the evidence that would be favorable to your client. Keep in mind that you are be subject to cross-examination that impacts your credibility if you miss “obvious” findings.
As an expert witness you are allowed to not only identify facts from the evidence but also to testify in the form of an opinionĀ if your scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence. Your report should be based on sufficient facts or data, be the product of reliable principles and methods, and you must reliably apply these principles and methods to the facts of the case.
The underlying facts of digital evidence are, to a large extent, rather mundane (e.g. here’s a file on the desktop, this is a URL that was accessed) and extracted automatically by your tools. As an expert witness you should provide meaning to these factual arguments. For example: what events happened that led to this particular set of data being memorialized on the disk image you are analyzing, what person (as opposed to user account) initiated these activities, or what was the timeline of events to an outside clock (as opposed to the date and time stamps you are directly observing in your tools).
In the capstone class DFOR 790, you are putting together the tools you have learned about in the program to generate both a set of facts as well as an opinion on them. Additionally, with the defense report of examination, you have an additional constraint placed on you to consider what you are viewing critically and where an “obvious” interpretation may not be the accurate on