Skip to Main Content
Official Seal - Department of Defense Cyber Crime Center (DC3)

DC3

Department of Defense
Cyber Crime Center

A Federal Cyber Center

DC3 Digital Forensic Examiners Go to Court


FORT GEORGE G. MEADE, Md. (Feb. 11, 2019) DoD Cyber Crime Center (DC3) Digital Forensic Examiner Alyssa Lisiewski provides expert witness testimony during a mock trial at the Ft. George G. Meade, Md., Feb. 11. DC3s Cyber Forensic Laboratory facilitated the training to prepare its digital forensic examiners for providing expert witness testimony in actual courtroom trials. (Photo by Stephen Murphy)

By Stephen Murphy, DC3 Public Affairs

FORT GEORGE G. MEADE, Md. -- Air Force Office of Special Investigations personnel, along with 28 digital forensic examiners from the DoD-Cyber Crime Center (DC3) Cyber Forensics Laboratory (CFL), filed into the courtroom at Ft. George G. Meade, Md., Feb 11.

It wasn’t the trial of the century, and no one was facing prison time. The examiners were actually in store for eight hours of courtroom advocacy training intended to prepare them for success when providing expert witness testimony.

DC3 digital forensic examiners play a key role in supporting DoD investigations and associated litigation by recovering and examining evidence from digital media. They examine many types of digital media from devices including hard drives, cell phones, laptops and cameras. In some cases, devices must first be repaired or unlocked prior to forensic examination.

Their examinations and analyses are critical for many types of cases including, but not limited to child pornography, sexual assault, voyeurism, narcotics, fraud, physical assault, and less frequently, murder. These digital forensic examiners are often called upon to support criminal litigation at courts-martial under the Uniform Code of Military Justice. As important as this part of their job is, relating and explaining their findings and opinions as expert witnesses is just as crucial.

“The future of the accused, the peace of mind and well-being of any victims, the reputation of DC3 and CFL, and the reputation of the examiner who is testifying [are all at stake],” said Ruth Cowell, CFL Chief, Litigation Support. “The examiner must convey professionalism, technical expertise, poise, a willingness to admit when they don’t know the answer, and finally, impartiality.”

The training was divided into four sessions where the examiners were presented with topics covering the roles of trial participants, the basic sequence of a trial, and one of the key challenges they will face – cross examination by opposing attorneys. As expert witnesses, the examiners need to be prepared to engage with opposing attorneys who are actively trying to discredit their work, their findings and the procedures used to reach their conclusions.

Digital forensic examiners must also overcome language barriers when explaining their findings. Attorneys, judges and jurors are not usually well versed in digital forensics. In some cases, the work and findings of the examiners are at risk of being ruled inadmissible if they are not clearly explained to the court. The participating examiners received a hands-on lesson with this during a mock trial that closed out the training.

"If you've never been inside a courtroom, everything is new - the environment, the people, who does what, what will be asked and how you will answer,” said Kimberley Stokes, DC3 Digital Forensics Examiner. “The best part was hearing all the different perspectives and getting a greater understanding of the inner workings of a courtroom. The number of unknowns adds stress to the situation. If you take this training, the amount of unknowns decreases.”

Prior to working on examinations and being eligible to testify as expert witnesses, DC3 examiners must complete certification training by DC3s Cyber Training Academy as a DoD Digital Forensic Examiner. Cowell said that, in addition to this, there are other well-respected forensic certifications specific to mobile devices, Apple Mac devices and specific forensic tools the forensic examiners may earn that are applicable to certain types of digital media.

The likelihood and frequency for forensic examiners to sit on the witness stand is unpredictable and varies from examiner to examiner. Cowell said that, of the trials in which DC3 testimony is requested, roughly two-thirds are resolved via a pre-trial agreement (PTA), so testimony is ultimately not needed. Either way, the forensic examiners must be certified and prepared to take the stand.

“I spoke with an examiner today who has been with DC3/CFL for six years, and has yet to testify,” said Cowell. “Others have testified four or five times in one year. The challenge is that PTAs are typically reached in the days shortly before trial, so that’s likely to be after the examiner has already prepared for trial.”

Based on survey feedback, the training was well received and there were varying suggestions on how to enhance the training to make it even better. One recurring takeaway from the feedback is the desire that the witness training continue in the future.

Cowell said that she would like to see this type of training held annually, with a greater focus on the mock trial exercise and discussion. She also plans to augment training with opportunities for less seasoned examiners to observe local testimony regarding digital evidence.

“This type of training is extremely valuable to the forensic examiner,” said Michael Ricucci, Acting Director, Cyber Forensics Laboratory. “Oftentimes, the examiner is not cognizant of the tactical aspects of presenting a case in court. Leveraging input from career military prosecutors and defense experts, in a learning and non-adversarial environment, allows for a clearer understanding of what all parties are in court for. This is to empirically present the evidence, in a clear and unbiased manner, allowing the judge and jury to come to a fair decision.”