The Personal Computer As Evidence
Expanded Course Outline
One Day CLE-Certified Seminar for Lawyers
(Ask Us About Our Discount for Multiple Attendees from the Same Firm)
SESSION A: 9am to 12 Noon
This Session focuses on the fundamentals of computer forensics analysis: basic structures, what the computer expert looks for behind the scenes, and how the expert can help prepare you for trial and depositions. You will learn the terminology used by computer forensics experts, and what you can expect to gather from computers whose contents become evidence in your cases.
I. The Basics of a DOS/WINDOWS Computer
Concepts and Usage of the Directory and File Structures
How Computer Owners Use the DIR Command, the File Manager, or the Windows Explorer
Understanding File Extensions
What Computer Experts Understand About the Booting Process
Understanding Hardware and Software Booby Traps
Understanding Trace Evidence Possibilities When Suspects Try to Cover Up, Hide, or Destroy What Has Been Done.
Understanding Trace Evidence Possibilities During Internet-Oriented Activities
II. What the Computer Forensics Expert Looks For Behind the Scenes
What File Characteristics (Attributes, Extensions, Content) Can Reveal
What Evidence Lurks in Hidden Files
What Pitfalls Lie in Wait for Imprudent Searches and Accesses
Understanding and Exploring Slack Space
Understanding and Exploring Free (Unallocated) Space
Understanding and Exploring Hidden Disk Drives and Drive Partitions
III. How the Computer Forensics Expert Can Help Prepare You for Trial, Depositions, Computer Seizures, and Internal Investigations
Understanding the relevant technical facts
Analyzing written reports for overstatements and errors
Characterizing the evidence in the best possible technical light
Identifying both the plusses and the minuses of the facts
Assisting with questions and answers during depositions or trials
Suggesting lines of questioning to highlight weaknesses
IV. Decisional Law Concerning Computer Related Evidence
SESSION B: 1pm to 4pm
This Session goes beyond the basics. It explains the proper protocols that should be followed by computer forensics experts when handling computer equipment that may be (or contain) evidence. You will learn what precautions should be (or should have been) taken by computer experts, and you will learn the hardware and software procedures that lead to well-founded expert opinions. You will also learn potential flaws and weaknesses in computer forensics expert presentations, as well as receive tips and techniques for preparing your computer forensics expert to present his/her opinions.
I. Computer Forensics Considerations and Issues for Lawyers
Recognizing, Reconstructing, and Viewing Different Types of File Evidence
What Procedures Does the Computer Expert Use for Mirroring and Analysis?
Hardware and Software Precautions
Verifying That Your (or Their) Computer Expert Has Avoided Booby Traps
Legal and Effective Seizure Protocols: USDOJ, Local, Cautions, Warrants
Analytical Steps for Hardware Assessment
Dealing With Macintosh Computers
II. Understanding Internet Analysis Mechanisms and Possibilities
What the Computer Forensics Investigator Can Find in Browser Cache Files
What the Computer Forensics Investigator Can Find in Browser History Files
Exploring Computer and Web Usage Through Bookmark Analysis
Tracking Newsgroup Usage
Discovering Newsgroup, Email, and Chat Activities in AOL
Understanding How 'the Other Side' Obtains Information About You
Understanding and Using Email-Related Evidence
III. Validation and Verification Tips for Examination and Cross Examination
What Should the Computer Expert Include in Analysis Reports?
What to Consider in Depositions and Trial Testimony
How to Present Computer Evidence to a Lay Jury
Checklist for Proper Handling by the Computer Forensics Expert
Potential Flaws in Computer Evidence Presented
Protocols Used by Law Enforcement Agents
IV. Preparing the Computer Forensics Expert to Present the Evidence at Trial or in a Deposition
Asking and avoiding certain types of questions
Anticipating questions and preparing best responses
Balancing your expert's testimony against the other side's
Shooting holes in the other side's expert testimony