An Australian Commonwealth and
Victorian State perspective of SCADA Forensic Computing’s
Expert Witness
by
Andrew Butler
GradDipSc(InformationAssurance)
A thesis submitted for the degree of
Master of Science (Cyber Security and Forensic Computing)
School of Computer and Information Science
Division of Information Technology, Engineering and the Environment
December 2012
ii
Contents
Contents..........................................................................................................................iii
List of Tables...................................................................................................................vi
Glossary..........................................................................................................................vii
Executive Summary.....................................................................................................viii
Declaration......................................................................................................................ix
Acknowledgments............................................................................................................x
1 Introduction.............................................................................................................1
Overview.......................................................................................................................1
Background....................................................................................................................1
SCADA Systems.......................................................................................................2
Cyber-Crime..............................................................................................................2
Public and Private Resourcing...................................................................................2
Purpose of study............................................................................................................3
Research Question.........................................................................................................3
Significance of this study..............................................................................................3
Summary of thesis chapters...........................................................................................4
Chapter 2 – Literature Review..................................................................................4
Chapter 3 – Court Requirements...............................................................................4
Chapter 4 – Standards................................................................................................4
Chapter 5 – Case Studies - SCADA and Computer Forensic cases..........................4
Chapter 6 - Conclusion and Future Work..................................................................4
2 Literature Review....................................................................................................6
Introduction...................................................................................................................6
The Forensic Process.....................................................................................................6
Investigation..................................................................................................................8
Standards and Guides....................................................................................................9
Standards view of the Expert Witness.........................................................................10
General Courts Requirements......................................................................................10
Heydon’s Expert Witness............................................................................................11
Specialised Knowledge...........................................................................................11
Witness is Expert.....................................................................................................11
Opinion – Expert Knowledge..................................................................................12
Proven Facts............................................................................................................12
Fact Foundations.....................................................................................................12
Scientific Conclusions.............................................................................................12
Victoria’s Expert Witness............................................................................................13
Relevant to area of expertise.......................................................................................13
Conclusion...................................................................................................................14
3 Court Requirements..............................................................................................17
Introduction.................................................................................................................17
Historical Background.................................................................................................18
Issue of bias.................................................................................................................21
Deliberate Partisanship............................................................................................21
Unconscious Partisanship........................................................................................22
Selection bias...........................................................................................................22
Solutions..................................................................................................................22
Australian Federal Courts............................................................................................23
Victorian State Courts.................................................................................................27
Other states..................................................................................................................32
New South Wales State Courts................................................................................32
Queensland..............................................................................................................32
Australian Capital Territory....................................................................................32
South Australia........................................................................................................32
Western Australia....................................................................................................33
Other countries..............................................................................................................33
Canada.....................................................................................................................33
Sweden....................................................................................................................35
United Kingdom......................................................................................................35
USA.........................................................................................................................36
Conclusion...................................................................................................................37
4 Standards................................................................................................................42
Introduction.................................................................................................................42
Analysis.......................................................................................................................43
Primary Standards...................................................................................................44
Support Standards....................................................................................................50
Conclusion...................................................................................................................52
5 Case Studies - SCADA and Computer Forensic cases.......................................57
Introduction.................................................................................................................57
Analysis.......................................................................................................................58
Case Study 1 – Maroochy Water Hacking Incident................................................58
Case Study 2 – Burnley Tunnel Fire Incident.........................................................61
Case study 3 – Attempted Murder - mobile phone forensics..................................65
Conclusion...................................................................................................................67
6 Conclusion and Future Work...............................................................................71
Conclusion...................................................................................................................71
Court Requirements.................................................................................................71
Standards.................................................................................................................72
Case Studies.............................................................................................................74
Future Work.................................................................................................................77
Court Requirements.................................................................................................77
Standards.................................................................................................................77
Case Studies.............................................................................................................77
A text book scenario................................................................................................77
List of Tables
Table 1 - Court requirements of the Expert Witness.......................................................40
Table 2 - Standards for Cyber Incident Response and the Expert Witness.....................56
Table 3 - Case Summary.................................................................................................70
Table 4 - Overall Conclusion..........................................................................................76
Glossary
CNF - Computer and Network Forensics
CSIRT - Computer Security Incident Response Team
ESI - Electronically Stored Information
ICS - Industrial Control Systems
SCADA - Supervisory Control and Data Acquisition system
Executive Summary
This thesis reviews current Standards and Guides for Incident Response to Cyber-crime
and the requirements for the presentation of evidence in a court of law, to ascertain if
they are aligned or if there are gaps from an Australian Commonwealth and Victorian
State perspective. The concept being proposed is that despite the ever increasing
landscape of cyber-crime, the prospect of an incident involving SCADA systems, the
finite resources to investigate it, and the courts’ requirements, the role of expert evidence
and the expert witness may not be as widely known as it needs to be. This study will
examine the role of the forensic computing expert witness from three different, but
related, perspectives. The research will undertake an analysis of the Court requirements
of the expert witness, how well these requirements are represented in Australian
standards, and finally, observe the effectiveness of expert witnesses in Court hearings.
Declaration
This thesis presents work carried out by myself and does not incorporate without
acknowledgment any material previously submitted for a degree or diploma in any
university; to the best of my knowledge it does not contain any materials previously
published or written by another person except where due reference is made in the text;
and all substantive contributions by others to the work presented, including jointly
authored publications, are clearly acknowledged.
Andrew Butler
07-Dec-2012
Acknowledgments
Thank you to my principal supervisor, Dr. Kim-Kwang Raymond Choo, for
encouraging me to undertake this master’s thesis. Your experience, knowledge and
wisdom have been invaluable. Thank you also to the University of South Australia for providing
this opportunity of study, and for facilitating my enrolment and prequalification issues. I
offer my humble gratitude to my employer for funding the last three years of study, for
which I am extremely grateful. And finally to my family, and especially my wife Faye,
who have made significant sacrifices and been an endless source of encouragement and
support throughout this journey. It is possibly worth mentioning that the views and
opinions expressed in this thesis are those of the author alone and not those of my
employer or the university.
1 Introduction
Overview
This thesis aims to explore the concept of an Australian Commonwealth and Victorian
State perspective of a SCADA Forensic Computing’s Expert Witness. To do that it is
necessary to briefly identify and examine the many influences, impacts upon, and
contributions to the presentation of evidence by an expert witness. This will begin with
a definition of cyber-crime, the resources to undertake a response to it, the methods
used to investigate it, applicable standards and guides, the courts’ requirements and
conclude with processes versus expectations of the expert witness. The concept being
proposed is that despite the ever increasing landscape of cyber-crime, the prospect of an
incident involving SCADA systems, the finite resources to investigate it, and the courts’
requirements, the role of expert evidence and the expert witness may not be as widely
known as it needs to be. To help mitigate this, it may be necessary to define the
requirements of the expert witness more clearly and effectively, prior to cyber-incident
response or investigation.
Background
It has been over a decade since the infamous Maroochy Water hacking incident (see
Chapter 5) that brought home the reality of the inadequate security and vulnerability of
Supervisory Control and Data Acquisition (SCADA) systems and Industrial Control
Systems (ICS). Over the last four years there has also been research into the possible
requirements of SCADA Forensic readiness in the event of a cyber-security incident.
During these times there have been several publicly available incident reports and court
transcripts that may suggest the requirements of the forensic process and obligation of
the expert witness need to be more widely propagated to ensure evidence is adequately
Page 1 of 105
presented and admissible in a court of law (Hughes, G 2003; Fabro & Cornelius 2008;
Slay & Sitnikova 2009).
SCADA Systems
Supervisory Control and Data Acquisition (SCADA) systems are industrial computer
systems with long life cycles of 10 to 15 years and are integral to critical infrastructure.
The life cycles of SCADA systems are in contrast with IT environments which have a
typical 3-5 year life. SCADA systems are used within industries which can include
Electricity, Gas, Water, Telecommunications and Transport as well as other industries.
These entities are large scale projects that provide services to hundreds or thousands of
people, which in the event of an incident can result in fatalities and complete loss of
those services for extended periods (TISN 2005; Slay et al. 2009; Victorian Government
2010).
Cyber-Crime
Since the year 2000, when the term ‘electronic crime’ was used to describe offences
involving a computer as a tool of, subject of, or record of a crime, there has been a
subtle move toward using the term ‘cyber-crime’. Cyber-crime appears to help
acknowledge the realization that many of the crimes now involve two or more
computers connected over greater distance via networks, specifically online networks
such as the Internet, and the level of remote control or remote access that is afforded by
that connectivity (Fuller 2011).
A definition of cyber-crime that is provided by the Australian Government is: those
computer offences which, under the Commonwealth Criminal Code Act 1995 (Part 10.7),
involve the unauthorised access to, modification or impairment of electronic
communications. This most probably provides the best definition of electronic crime in
an Australian context and under Australian Law (Australian Government 2009;
Commonwealth of Australia 2011).
Public and Private Resourcing
Up until a decade ago cyber-crime and crimes involving computers were handled and
investigated on the whole by local law enforcement agencies. Forensic computing grew
from a need, rather than necessarily from a scientific discipline, and as such has been
subject to some questioning of the methods used (identification, preservation,
acquisition, and analysis) and the qualifications of claimed experts. Since then there has
been engagement with academic institutions, private enterprises and other government
agencies in the process of identifying formal standards and certification (Meyers
& Rogers 2004).
Law enforcement agencies have the leading role in criminal investigations and
subsequent prosecutions; however, they are not an infinite resource in the overall
response to cyber-crime. The last decade has seen a dramatic increase in the landscape
of cyber-crime, to the point where many law enforcement agencies are likely to be
overwhelmed if constrained to their own resources (Choo 2011a).
An effective response to and prevention of malicious activities requires partnerships
between government agencies, cyber response contractors and businesses. Whether it is
to provide a capability to deal with criminal, civil or disciplinary events, there is a need
for unbiased expert presentation of the forensic computing evidence. With
partnerships between government agencies, contractors and businesses, that capability
should possibly also be a shared one (Choo 2011b).
Purpose of study
The concept being proposed is that despite the ever increasing landscape of cyber-
crime, the prospect of an incident involving SCADA systems, the finite resources to
investigate it, and the Courts’ requirements, the role of expert evidence and the expert
witness is not as widely known as it needs to be.
Research Question
What are the Court’s requirements of an expert witness, how clearly are these
requirements made known in Information Technology Cyber Incident Response
Standards, and how effective are expert evidence and expert witnesses in a Court of Law?
Significance of this study
This study will examine the role of the forensic computing expert witness from three
different, but related, perspectives. The research will undertake an analysis of the Court
requirements of the expert witness, how well these requirements are represented in
Australian standards, and finally, observe the effectiveness of expert witnesses in Court
hearings.
Summary of thesis chapters
Chapter 2 – Literature Review
This chapter will undertake a review of literature relevant to forensic computing and the
expert witness.
Chapter 3 – Court Requirements
This chapter will perform an analysis of the requirements of an expert witness from the
perspective of Australian Federal and State Courts, and courts of some other countries.
Chapter 4 – Standards
This chapter will perform an analysis of Australian and International Standards for
computer and cyber incident response to ascertain their perspective of an expert witness.
Chapter 5 – Case Studies - SCADA and Computer Forensic cases
This chapter will analyze three court cases that involve SCADA and computer forensic
evidence, to ascertain the role and impact of the expert witness and expert evidence.
Chapter 6 - Conclusion and Future Work
This chapter will consolidate the findings of the previous chapters. It will also propose
avenues for future work.
2 Literature Review
Introduction
For an expert witness to provide their opinion there must be forensic evidence that
requires interpretation and presentation. For forensic evidence to exist an investigative
process would need to have been undertaken in response to an incident. An effective
investigative process is not one made up ad-hoc; rather it requires a well-researched and
documented cyber-security incident response capability that is executed by trained and
drilled practitioners. The expert should not only be trained and experienced in the
identification, preservation and analysis of the evidence, but also in what is required of
them for the presentation of the evidence (Grance, Kent & Kim 2004; Kent et al. 2006;
Shinder & Cross 2008).
The Forensic Process
A widely accepted definition of Forensic Computing is that proposed by McKemmish
in 1999, which includes the steps of: Identification; Preservation; Analysis and
Presentation, while applying the Rules of: Minimal Handling; Account for Change;
Comply with Rules of Evidence and Not Exceeding One’s Knowledge. This method
provides the most succinct definition of digital forensics, in that as well as proposing a
method or process, it also includes rules which should be applied to the process. This is
an excellent model in the application of process and rigor to arrive at the presentation
in a court of law; however, it stops a little short of the actual ‘forensic’ step, the
presentation in court, which requires an expert witness (McKemmish 1999).
Through both the expectation of a law enforcement authority’s capability to correctly
handle digital evidence and from the Australian Standard HB171 – Guidelines for the
management of IT evidence, there is a requirement for personnel to be trained,
experienced and qualified. These probably do more to highlight and justify
McKemmish’s definition of ‘forensic computing’, and make it a reality when applying
the ‘do not exceed your knowledge’ rule (McKemmish 1999; Standards Australia 2003;
Chaikin 2007; Casey 2009).
Within the field of forensic computing is the relatively new field of Supervisory Control
and Data Acquisition (SCADA) system Forensics, which has led to research topics such
as SCADA Forensic Readiness. Forensic readiness ensures the necessary processes are
known to be able to identify, collect and analyze electronically stored information from
a SCADA system that would be admissible in a court of law. The presentation of the
SCADA Forensic evidence in a court of law would likely require the testimony of an
expert witness, however the requirements for this do not appear to be accounted for in
SCADA Forensic Readiness research (Slay & Sitnikova 2009).
Digital forensics is the process of gathering evidence of some type of incident or
crime that has involved computer systems and their associated networks. In such
circumstances, the expectation is that there has been some accumulation or retention of
data by the various components of a system which will need to be identified, preserved
and analyzed. This process can be documented and defined, and be used to transform
information into evidence of a crime or cyber incident. However, there remains the
question of who will be the expert presenting the evidence, whether they will be suitably
qualified, and whether the evidence will have been processed in a manner that also
qualifies it as admissible (Yasinsac & Manzano 2001).
In 2004 Rowlingson proposed a ten-step process for forensic readiness, with the
following steps:
1. Define the business scenarios that require digital evidence.
2. Identify available sources and different types of potential evidence.
3. Determine the evidence collection requirement.
4. Establish a capability for securely gathering legally admissible evidence to meet the requirement.
5. Establish a policy for secure storage and handling of potential evidence.
6. Ensure monitoring and auditing is targeted to detect and deter major incidents.
7. Specify the circumstances when escalation to a full formal investigation (which may use digital evidence) is required.
8. Train staff, so that all those involved understand their role in the digital evidence process and the legal sensitivities of evidence.
9. Present an evidence-based case describing the incident and its impact.
10. Ensure legal review to facilitate action in response to the incident.
Utilizing the ten-step process, it is then possible to identify the appropriate
Australian/International standards and guides that may be necessary in constructing an
incident response capability (Rowlingson 2004).
Investigation
A digital forensic investigation is not undertaken ad-hoc; it is usually in response to
some event or incident that has occurred. It may be performed by the local law
enforcement agency in association with crimes such as drugs, child exploitation, or
murder; however, for a business or enterprise it is most likely to be in response to a
computer security incident. A valuable capability to have within an enterprise is a
Computer Security Incident Response Team (CSIRT). The CSIRT should have a policy
and procedures that set out its purpose, its requirements, when it should be activated, the
escalation path within the enterprise, and when and how to engage
external agencies. The CSIRT should contain the appropriate personnel and resources to
be both effective and efficient while completing an investigation (Endorf 2003; Grance,
Kent & Kim 2004; Rowlingson 2004; Standards Australia 2006a).
A computer security incident response and subsequent investigation will generally
progress through the steps of identification, preservation, analysis and then conclude
with the presentation or reporting of the findings. The report needs to clearly describe
the incident and its impact. If possible the following should be covered: who was
involved, can the perpetrator be identified; what happened, what was impacted; why did
the incident occur, was there a vulnerability that was able to be exploited; when did the
incident occur, or was only the effect observed; where did the incident occur, was it
local or remotely executed; and finally, how was it able to occur. The report should be a
presentation of the facts, and any conclusions should be drawn from those facts
(McKemmish 1999; Endorf 2003).
Within the scope of the role of the CSIRT is that the presentation or reporting of the
findings could be used as evidence in criminal or civil court proceedings. The
presentation of the CSIRT findings in a court of law would likely need to be by an
expert witness, which places additional requirements on CSIRT members. The people
who are part of a CSIRT should be specifically selected for their unique skills and
experience, which may require regular exercises so that familiarity with the necessary
processes is maintained to enable timely and efficient execution of an investigation.
Their preparation should also include specific expert witness training and briefing on the
legal processes and requirements.
Standards and Guides
There are several Australian and International Standards and Guides that can be utilized
in constructing an incident management and response capability. Some of these are: HB
171:2003 Handbook Guidelines for the management of IT evidence; NIST SP800-86 -
Guide to Integrating Forensic Techniques into Incident Response; AS/NZS ISO/IEC
15443.1:2006 - Information technology—Security techniques—A framework for IT
security assurance Part 1: Overview and framework; ‘RFC 3227 - Guidelines for
Evidence Collection and Archiving’; AS/NZS ISO/IEC 18044:2006 Information
technology—Security techniques—Information security incident management; and
AS/NZS ISO/IEC 27001:2006 Information technology - Security techniques -
Information security management systems – Requirements. While no individual
publication provides an ultimate guide, collectively they provide a good source of
guidance in setting up an incident management and response capability (Brezinski &
Killalea 2002; Standards Australia 2003; Kent et al. 2006; Standards Australia 2006c,
2006a, 2006b).
Despite these many standards and guides there is very little in regard to defining the role
of the expert witness, or the likely requirements and presentation of evidence in a court
of law. Some, sadly, use the term forensic without linking to the presentation of
evidence in a court of law, or the use of a scientific method, which should be the
primary goal of the application of a forensic process. Some contain statements such as:
Where a follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s) (Standards Australia 2006b).
This falls a little short and does not indicate the possible and likely requirement
for an expert witness to present such evidence in a court of law so as to ensure it
would be admissible (Standards Australia 2006a; Slay & Sitnikova 2009).
Standards view of the Expert Witness
Standards Australia’s (2003) ‘HB171 – Guidelines for the management of IT evidence’
provides guidance on the obligation to provide records, design for evidence, evidence
collection, custody of records, originals and copies, and personnel. The guide has many
parallels with McKemmish’s (1999) framework and contains more information
specific to personnel; however, it is a little ambiguous in its provision for an expert
witness (Standards Australia 2003).
Experts operating in the field of Digital Forensics, Cyber and SCADA security incident
response, should not only be aware of the Laws under which prosecutions may be made
upon the evidence they have collected, but also the legal environment in which they
have conducted the investigation. The Standards Australia (2003)’s ‘HB171 –
Guidelines for the management of IT evidence’ contains a list of Laws under which a
prosecution may be made, but little detail or advice of laws such as the Australian
‘Cybercrime Act 2001 (Cth)’ that should be observed when undertaking cyber security
investigations. An important aspect of undertaking the role of an expert witness is to
ensure evidence does not become discredited during the course of possible cross-
examination ('Cybercrime Act 2001 (Cth)'; McCullagh & McEniery 2002).
General Courts Requirements
The forensic computing expert witness can be at a disadvantage when providing
testimony due to the court’s expectations, rather than its requirements. The court’s
expectations can be defined by the rigor applied in other forensic investigative
disciplines such as motor vehicle incident reconstruction or DNA analysis, where the
methodologies are relatively well understood and explain only a single event. This
is in contrast to forensic computing, where the meaning of a series of events has to
be explained to complete a whole story, and where the methodologies are not as well
understood and may not have had the same scientific rigor applied. The preparation of
the forensic computing expert witness needs to start at the beginning of an investigation,
not just prior to the court presentation (Carney & Rogers 2004; Peisert, Bishop &
Marzullo 2008).
Heydon’s Expert Witness
In the 2001 Supreme Court of New South Wales Court of Appeal common law case of
‘Makita (Australia) Pty Ltd v Sprowles [2001] NSWCA 305’, one of the presiding
magistrates, Heydon JA, was very critical of the presentation by the expert witness. Not
only was the appeal allowed, the previous verdict and judgment set aside and the Statement
of Claim dismissed, it also led to the recording in case law of a lengthy discussion of the
requirements of the expert witness (Makita (Australia) Pty Ltd v Sprowles 2001).
The ‘expert witness’ appeared to have allowed himself to be persuaded to come to a
conclusion that suited the claimant, and resulted in evidence that may not have been as
independent and balanced as it should have been. The end result was that during a
subsequent appeal the evidence of the ‘expert witness’ was criticized by the judiciary,
and led to an overturning of the previous decision. Following is a brief summary of the
points made by Heydon JA.
Specialised Knowledge
Before an expert witness can give evidence, it must be established that the existing
evidence held by the court requires expert or specialised knowledge to interpret it. The
expert providing that specialised knowledge would be expected to demonstrate that it is
applicable, through specific training, study or experience relevant to
the evidence in question (Makita (Australia) Pty Ltd v Sprowles 2001).
Witness is Expert
After the evidence has been accepted and also seen as requiring presentation by an
expert witness, it is necessary to ensure the witness is an expert in the field and subject
matter contained within the evidence. The appropriateness of the expert witness will be
a question of fact, which will likely be questioned in court. It is vital that the training,
study or experience of the expert witness is sufficient to qualify them as expert in the
field or subject matter upon which the evidence is based (Makita (Australia) Pty Ltd v
Sprowles 2001; Hughes, A & Danne 2006).
Opinion – Expert Knowledge
The testimony of the expert witness must be based on their expert or specialised
knowledge. If they are expert in only a sub-section of the evidence being presented, they
must keep their testimony specific to the field in which they are expert. Failure of an
expert witness to confine their testimony to their field of expertise could result in the
risk of providing evidence that is based on speculation or misinformation (Makita
(Australia) Pty Ltd v Sprowles 2001).
Proven Facts
There are two types of opinion that an expert witness could provide to the court
through their testimony: those made through observation of the facts, and those made
on assumed or accepted facts. Both types, observed and assumed, must be proven to be
admissible. An assumed fact must also be proven sound by some other means (Hughes, A & Danne 2006).
Fact Foundations
When an expert witness provides testimony it must be based on facts. The opinion must
have a proper foundation and be based on admissible facts, or state any
assumptions upon which it may be based. Failure of an expert witness to ensure their
testimony is not misinformed or irrelevant, and does not omit vital facts, could lead to a
valueless evidence presentation (Makita (Australia) Pty Ltd v Sprowles 2001; Hughes,
A & Danne 2006).
Scientific Conclusions
The role of the expert witness is to provide the court with an unbiased opinion, based on
their training, study or experience, using scientific criteria to test the accuracy of the
conclusions, to enable the judge or jury to make their own independent judgment
through the application of the same criteria to the facts provided as evidence. The
Court (judge or jury) is not obliged to accept the evidence, even where the
expert opinion is based upon research and argument applicable to the particular
point or issue in question. It is vital the expert presents all their findings or opinions, as
their duty is to the Court, not to either party (Makita (Australia) Pty Ltd v Sprowles
2001).
The above points can be summarized, and are frequently used in common law, as the
following five rules for admissibility of expert evidence: the expertise rule, the common
knowledge rule, the area of expertise rule, the ultimate issue rule and the basis rule. This
is a highly regarded rule set, often cited through the publication by Ian Freckelton
and Hugh Selby titled ‘Expert Evidence’ (Hughes, A & Danne 2006).
Victoria’s Expert Witness
Within the state of Victoria, one of the foremost definitions of an expert witness is
possibly in the ‘Supreme Court (General Civil Procedure) Rules 2005 (Victoria), Form
44A - Expert Witness Code of Conduct’, which states first and foremost that ‘A person
engaged as an expert witness has an overriding duty to assist the Court impartially on
matters relevant to the area of expertise of the witness.’ The fundamental concepts here
are that the expert witness is required to be impartial and that their primary duty is to assist
the court. See Appendix A for an example of Form 44A, which is required to be
provided to the expert witness as soon as they are engaged to make a report, or no later
than 30 days before a trial (Supreme Court of Victoria 2005).
The Victorian Evidence Act 2008, as well as being uniform in most respects with the
Commonwealth Evidence Act 1995 and the New South Wales Evidence Act 1995,
contains some specific directions for those providing evidence with specialised
knowledge in Sections 13, 37 and 79. These sections pertain to obtaining information or
providing opinion that requires them to have specialised knowledge which is based on
the person’s training, study or experience ('Evidence Act 2008 (Vic)').
Relevant to area of expertise
There is a growing expectation from courts that digital evidence be subject to a
certifiable process, which should be conducted by trained, certificated and accredited
digital forensic practitioners. This is consistent with McKemmish’s requirements of
forensic computing to have processes and rules, and that to undertake the task the
person has the required knowledge (McKemmish 1999; Meyers & Rogers 2005; Simon
& Slay 2007).
There is, however, a danger of applying only half of the methodology defined by
McKemmish. McKemmish defined the process of identification, preservation, analysis
and presentation. However, there are also four rules that should be applied, which
greatly enhance the overall process: Minimal Handling; Account for
Change; Comply with Rules of Evidence; and Not Exceeding One's Knowledge
(McKemmish 1999; Gaertner, Ruibin & Chan Kai Yun 2005).
It may be argued that to ‘Not Exceed One’s Knowledge’ is consistent with the
court's requirement that ‘a person engaged as an expert witness
has an overriding duty to assist the Court impartially on matters relevant to the area of
expertise of the witness.’ The specific points are that the expert witness is to be
impartial and to remain within their area of expertise (Gaertner, Ruibin & Chan Kai Yun
2005; Supreme Court of Victoria 2005).
As the word ‘forensic’ implies, forensic computing is the presentation of evidence in a
Court of Law to support a criminal case. It requires the use of proven scientific methods
to ensure the correct identification, preservation, analysis and presentation of
electronically stored information (ESI) to enable event reconstruction. The forensic
expert evidence is presented to the court by an expert witness (McKemmish 1999;
Digital Forensic Research Workshop 2001).
Conclusion
To explore the concept of an Australian Commonwealth and Victorian State perspective
of a SCADA Forensic Computing’s Expert Witness, it was necessary to identify and
examine the many influences, impacts upon and contributions to the presentation of
evidence by an expert witness. The cyber-crime landscape; law enforcement agency
finite resources; SCADA and computer systems being the tool of a crime, subject of a
crime, record of a crime; private partnerships; and an enterprise’s cyber security
incident response capability, all impact upon the requirements of an expert witness.
Through the definition of cyber-crime, the resources to undertake a response to it, the
methods used to investigate it, applicable standards and guides, and the court's
requirements, it was possible to identify some of the processes pertaining to, and
expectations of, the expert witness. The concept observed is that despite the ever-
increasing landscape of cyber-crime, the prospect of an incident involving SCADA
systems, the finite resources to investigate it, and the court's requirements, the role of the
expert witness is not as widely known as it needs to be. To help mitigate this,
it may be necessary to more clearly and effectively define the requirements of the expert
witness prior to cyber-incident response or investigation.
3 Court Requirements
Introduction
The word forensic can be used to describe the specific task of presentation or reporting
in a court. However it is also commonly used to describe the whole evidence handling
process or method that begins with identification, then collection, analysis and
concludes with the presentation in a Court of Law (Oxford University Press).
If it is accepted that to undertake a process forensically is to undertake it for
presentation in a court of law or tribunal, then it is pertinent to review the requirements of the
courts and the courts' perception of the expert witness.
The courts do not appear to have any specific requirements of forensic computing;
however, there do appear to be clear expectations of the role of expert evidence and its
interpretation for the court by the expert witness.
The following sections will identify the various Australian Federal and State Acts that
set out requirements of the expert witness; they will also review several state Law Reform
Commission reports that provide further insight into the courts' perception of the role of
the expert witness.
The courts have a dependence upon expert witnesses to present expert evidence and
have done so since the 13th century.
They appear to have three common requirements of the expert in regard to their duty to
the court: an overriding duty to assist the court on matters relevant to the expert’s area of
expertise; not to be an advocate for a party; and a paramount duty to the Court and not
to the person retaining them.
Historical Background
The general concept of the expert witness can be traced back in England to as early as
the 13th century through the use of expert juries, and the manner in which civil and
criminal matters were resolved. The method was through use of ‘an inquest of
neighbors’ who may have had knowledge of the persons involved in the case. Their role
was not to adduce as such, but rather to provide the Court with their knowledge and
preconceived opinions, and could be required to make additional inquiries into the
communities (New South Wales Law Reform Commission 2005).
During the 14th century this was seen to evolve into juries composed of people from
specific trades or professions. For example, a case of a person accused of selling bad food
could have a jury of cooks and fishmongers, while a case of disputed pregnancy and
paternity could have an all-female jury. This method was exceedingly
common in the city of London for settling trade disputes, and would utilize people of
particular customs or trades. The use of trade-specific, specialist juries continued over
the following centuries (New South Wales Law Reform Commission 2005).
The use of expert juries continued up until the 18th century, especially in commercial
cases. Commercial cases frequently used merchant juries, a practice
influenced by Lord Mansfield as Chief Justice of the Court of King’s Bench. It could be
argued that Lord Mansfield’s practice of using merchant juries in commercial
matters influenced the concept of expert knowledge, which became statute during the
19th century (New South Wales Law Reform Commission 2005).
The conclusion of the 19th century and beginning of the 20th saw the decline of
expert juries in favour of trial by ordinary jury in City of London civil matters. It was at a
similar time that the greater use of expert witnesses was seen. The decline in the use of
expert juries was such that they were abolished by statute in 1971 (New South Wales Law
Reform Commission 2005).
Another method that existed during the same period, adopted by the
Admiralty Court from the 14th century, was the use of assessors. The role of the
assessor was to assist the Admiralty Court on matters in which they had special skill,
knowledge or experience. The Admiralty Court’s jurisdiction was predominantly in
historical and (then) contemporary maritime procedures in civil law, which required
evidence to be adduced using specialist knowledge. By the 18th century the Admiralty
Court was subsumed into common law (New South Wales Law Reform Commission
2005).
It was during the 19th century that reservations were being raised as to the perceived
influence of assessors in the judicial decision-making process. Some judges treated the
assessors as fellow adjudicators, to the point there was a perception that some judges
could have been abdicating their judicial decision-making responsibilities and acting
purely on the advice of the assessors. This situation was only exacerbated when
assessors provided advice to judges informally both within and outside hearings where
it was not tendered or disclosed and not able to be cross-examined (New South Wales
Law Reform Commission 2005).
As well as the use of expert juries and assessors, the other way specialist knowledge
was adduced in the English courts was through the use of ‘expert witnesses’. As early
as the 14th century, but more frequently through the 16th and 17th centuries, the ‘expert
witness’ was generally a person of specific professional stature such as a surgeon, who
would be required by the court to provide their expert opinion. The following centuries
would see an increase in the number of professions called upon to provide
expert evidence to the court, and this would increase significantly with the dawning of
the industrial revolution (New South Wales Law Reform Commission 2005).
England’s Victorian era, which encompassed the second half of the 19th century, saw a
period of great industrial expansion and change that included an increase in the number
of the sciences called upon to provide expert witnesses. Up until this period the expert
witness was the bastion of the medical profession; now joining those ranks
were chemists, microscopists, geologists, engineers and mechanists. This would in turn
set the scene for change both in scientific professional development and in the Courts and
the Law through the coming 20th century (Kirby 2002; New South Wales Law Reform
Commission 2005).
By the end of the 19th century the industrial revolution was well underway, with the new
industrial society well established, and so too was the courts' dependence on the use of
expert witnesses to understand these new sciences. It was also during this same period
that organizations that represent the sciences, such as the British Association for the
Advancement of Science, were undergoing their own transformation (New South Wales
Law Reform Commission 2005).
In 1862, a report by the British Association for the Advancement of Science proposed
that juries be dispensed with in civil cases of a significant technical character.
It recommended that the Court bench be composed of a judge and up to three assessors
with skills matching the technical character of the case. The
recommendations were not adopted because they were seen to be inconsistent with a
fundamental aspect of the adversarial process, the right to trial by jury in civil cases
(New South Wales Law Reform Commission 2005).
The early 20th century saw industrial society become the norm, and with it the new
complexities of modern life, which included an increase in the number of sciences and
their involvement in cases. This resulted in an increase in the number, complexity and
length of cases involving expert witnesses, which frequently placed the party with lesser
resources at a grave disadvantage. The law and courts came under pressure to be more
scientific, which required significant improvements in the courts' processes and
procedures for engagement of the expert witness (New South Wales Law Reform
Commission 2005).
The latter half of the 20th century saw advances in science possibly unmatched in
the history of mankind. Three that are likely to be the most significant are
nuclear physics, informatics and genomics, which are also inter-related. As an example,
nuclear physics was an enabler for getting the space programme off the ground. The
space programme helped drive the need for miniaturization of data processing and
communication electronics. The subsequent evolution in computer and
telecommunication technologies was unprecedented, and might otherwise have remained relatively
primitive. The constantly evolving computational power enabled the Human
Genome Project to complete within its 15 year fixed schedule and to accelerate during the
later stages (Kirby 2002).
What also occurred at the time that nuclear physics, informatics and genomics came to
fruition is a subtle shift from sciences that could be easily understood by a lay jury to
sciences that were dependent upon expert witnesses for interpretation and presentation to
the court. Unlike the mechanical technologies of the industrial revolution, the new
technologies such as nuclear physics, informatics and genomics can be difficult, and on
many occasions impossible, for even highly intelligent, well-educated lay people to
comprehend. A review of the scientific and technological advances made during the 20th
century suggests their number and complexity will increase rather than diminish
in the future, and in turn their role in court cases will also increase (Kirby 2002).
The role of expert witnesses in Court and the Courts’ dependence upon them is not a
new phenomenon, having existed for many centuries. Expert
witnesses have a specific role in Court of presenting expert evidence, and providing opinion
on it, that would be considered outside the comprehension of the
layman. What has changed over the past centuries, and more so over recent decades,
is the number of cases that involve expert evidence, the increasing number of fields of
scientific evidence, and the number of expert witnesses called upon to present and
provide expert opinion. This has led Courts to consider how best to manage and utilize
the expert witness.
Issue of bias
The most significant issue the Courts appear to have with the use of expert witnesses is
adversarial bias. A common theme that appears to have been identified in law reform
reports in the United Kingdom, New South Wales and Victoria, is the issue of
adversarial bias of expert witnesses. These reports suggested adversarial bias could be
broken down into three distinct types: deliberate partisanship, unconscious partisanship
and selection bias. Each different type of bias requires specific responses to this
problem (New South Wales Law Reform Commission 2005; Victorian Law Reform
Commission 2008b).
Deliberate Partisanship
The deliberate partisanship type of adversarial bias is possibly the more unusual, where the
expert witness knowingly tailors their evidence to suit a certain point or outcome. Apart
from being the more unusual form of adversarial bias, it possibly has the most
significant impact, as anyone else who knowingly provides false evidence to a Court
would be subject to charges of perjury. Deliberate bias of an expert witness is the type
most strongly criticized by judges, influencing their calls to reform the rules for the
conduct of expert witnesses to contain penalties for such conduct (New South Wales
Law Reform Commission 2005; Victorian Law Reform Commission 2008b).
Unconscious Partisanship
The unconscious partisanship type of adversarial bias is more subtle and seen to be
more commonplace than other types. Typically the expert witness has unintentionally
altered the presentation of their evidence to support the cause of the party who engaged
them to present expert evidence. The alteration in the presentation of their evidence is
subtle, such as concealing doubt, overstating a point or downplaying a weaker aspect of
the opinion. This can result in the expert’s opinion being incomplete or not accurately
represented, which rarely serves the interests of the Court in being suitably informed on
a matter (New South Wales Law Reform Commission 2005; Victorian Law Reform
Commission 2008b).
Selection bias
The third type of adversarial bias is selection bias, which is seen not as an issue with
the expert witnesses themselves but as a shortcoming of the selection process, where the
choices of both parties to a dispute result in polarized expert opinions. The parties specifically seek out experts
with extreme views that support their positions, which can result in the Court not
hearing a more moderate or mainstream position. The result is that the Court expends
considerable time and money adducing the extreme opinions of the expert witnesses
rather than mediating the point of fact in question (New South Wales Law Reform
Commission 2005; Victorian Law Reform Commission 2008b).
Solutions
The focus of many law reform reports in regard to expert witnesses is frequently on
reducing the degree of bias. Some of the proposed solutions to reduce expert witness
bias are: having only a single Court-appointed expert; each party engaging their own
expert, with the Court itself also engaging one, resulting in three experts; or ensuring that both parties
have their own experts, who then submit a joint expert report to the Court.
Attempting to specifically eliminate selection bias could be extremely difficult because
each party consciously selects expert witnesses that will bolster their cause. Possibly the
only method would be for the Court to perform the selection and appointment of experts
for each party to a dispute. This model is not one pursued specifically in Australia;
however it can be seen in some countries where forensic expertise is centralized within
one institution. A method that is now available in some Australian Courts is the
appointment of a single Court expert witness (New South Wales Law Reform
Commission 2005; Victorian Law Reform Commission 2008b; Köpsén & Nyström
2012).
Deliberate partisanship is seen to be more readily addressed
through the use of ‘codes of conduct’ and sanctions. In some Australian Courts, during
the engagement of an expert, the parties are required to provide their experts with a
copy of the Court's code of conduct, which includes details of their duty to the Court, the
requirements of their expert report, and consultation with other experts as directed by the
Court. Should the expert be found to be in breach of their duties, they could be subject
to sanctions of the Court (New South Wales Law Reform Commission 2005).
One method to address unconscious partisanship is the use of a ‘code of conduct’ for all
expert witnesses, which includes their duty to the Court, requirements of the format and
content of their expert report, and consultation with other experts as directed by the
Court. The use of sanctions in this scenario is seen to be unfair, especially for experts
that may have unknowingly breached the guidelines, and could be unproductive in
encouraging expert participation in the Court process. The issuing of requirements for
the expert report is expected to ensure the real issues are addressed, that proper format is
used in preparation and presentation of the report, which is more readily able to be
reviewed by the Court and peer reviewed by other experts (New South Wales Law
Reform Commission 2005).
Australian Federal Courts
The Australian Commonwealth’s Evidence Act 1995 applies to all proceedings in
Australian federal courts and courts within the Australian Capital Territory (ACT). In
‘Chapter 3 – Admissibility of evidence’, ‘Part 3.3 – Opinion’ and ‘Exception’, there is
provision for opinions based on specialised knowledge. It is through this provision in
the Act that expert evidence is adduced through the use of expert witnesses
(Commonwealth of Australia 2012).
The Australian Federal Courts have a set of rules that contain a section specifically for
Experts. Federal Court Rules 2011, ‘Part 23 – Experts’, details the court's specific
requirements of the expert witness, and includes ‘Practice Note CM7 - Expert witnesses in
proceedings in the Federal Court of Australia’, which goes on to further detail the specific
requirements of the expert report and its presentation. The Federal Court Rules 2011
require that any party calling upon an expert to provide their opinion to a court give the
expert a copy of the ‘Practice Note CM7’ as part of the preparations (Victorian Law Reform
Commission 2008b; Federal Court of Australia 2011).
The purpose of ‘Practice Note CM7 - Expert witnesses in proceedings in the Federal
Court of Australia’ is not meant to provide a panacea for every eventuality while
performing the duties of an expert witness. Rather it is to help address issues where
there is a perception the expert witness can appear to lack objectivity, or be favouring
the party calling them. Primarily the Practice Note is to provide guidelines in the
preparation and presentation of expert evidence (Federal Court of Australia 2011).
Practice Note CM7 contains three sections: General Duty to the Court; The Form of the
Expert’s Report; and Experts’ Conference. These three sections provide the guidelines
for the expectations of the expert witness, the method of preparing and presenting
the expert’s written report, and the consultation with fellow experts. Following these
guidelines should ensure the expert witness provides the decision-makers with the
independent assessments that assist them to make sound and informed decisions
(Australian Law Reform Commission 2005; Victorian Law Reform Commission 2008b;
Federal Court of Australia 2011).
The first section ‘General Duty to the Court’ helps set the foundation to provide clear
expectations for the role of the expert witness. The very first statement makes it quite
clear what the sole purpose of the expert witness is, with the statement:
An expert witness has an overriding duty to assist the Court on matters relevant to the expert’s area of expertise.
This statement contains two important fundamental aspects of the role of the expert
witness: firstly, their paramount duty is to assist the Court, and secondly, it is only for
matters relevant to their area of expertise.
It is then followed by two additional statements that only consolidate the position:
An expert witness is not an advocate for a party even when giving testimony that is necessarily evaluative rather than inferential.
An expert witness’s paramount duty is to the Court and not to the person retaining the expert.
These three statements appear to leave no doubt that the sole purpose of the expert
witness is to assist the Court, and not the interests of other parties. When the expert
witness is called upon to provide assistance to the Court, it is to be in their field or area
of expertise. Based on this, it is reasonable for the expert witness to expect to be tested
in Court to ensure they are suitably qualified to be providing expert evidence on a point
in question (Federal Court of Australia 2011).
The second section, ‘The Form of the Expert’s Report’, details the requirements of the
written report to be provided to the Court by the expert witness. It directly references
the ‘Federal Court Rules 2011’ and its requirements in section ‘23.13 Contents of an
expert report’. The section provides guidelines for the minimum requirements of the
content to be within the report, and its distribution to the Court and other parties
involved in the case (Commonwealth of Australia 2011; Federal Court of Australia
2011).
The Expert’s Report can be seen to cover four areas: qualification of the expert;
questions being addressed; findings and report; and supplementary material. Both the
‘Federal Court Rules 2011’ and ‘Practice Note CM7 - Expert witnesses in proceedings
in the Federal Court of Australia’ contain the same requirements that need to be
addressed in the Expert’s Report. The four areas help ensure that the right expert has been
selected, that the question being addressed is understood, that the required contents are in the
report, and that the supporting material used in the assessment is disclosed (Commonwealth of
Australia 2011; Federal Court of Australia 2011).
The identification and qualification of the expert preparing the report is fundamental to
the whole process. There are what could be seen to be basic requirements that the expert
sign the report and acknowledge that they have read, understood and complied with the
Practice Note. Demonstration that the expert is qualified to undertake the provision of
the report could be of slightly greater importance. The report must contain details of the
expert's training, study or experience by which the expert has acquired specialised
knowledge. It is vital the expert does have the relevant expertise pertinent to the subject
matter (Commonwealth of Australia 2011; Federal Court of Australia 2011).
Once the qualification of the expert has been established, a statement of the question or
questions that are to be addressed in the expert’s report must be made. The questions
will be provided by the Court or the party that has engaged them, and are to address a
specific point of fact. This may also include documents or other materials that are
required to be considered as part of the report. It is possibly at this time that the expert should
make it known if a particular question or issue falls outside their field of expertise
(Commonwealth of Australia 2011; Federal Court of Australia 2011).
When the appropriate expert has been engaged and the necessary questions have been
made known to them, the Court has specific requirements of what should be contained
within their expert report. The Court requires that the expert’s report separate their
factual findings from their opinions, and also from the reasons for their opinions, so as to
provide the Court with greater clarity and to assist assessment of commonality and differences
when provided with reports from multiple experts (Australian Law Reform Commission
2005; Commonwealth of Australia 2011; Federal Court of Australia 2011).
When the expert is reporting their opinions of the findings, they must also state whether
the opinion is based wholly or substantially upon the expert’s specialised knowledge. It
is vital the opinion is not based on pure speculation; rather it must be based on the
expert’s specialised knowledge. Without there being a direct link between the
specialised knowledge and the opinion being offered of the facts, the report may well
have been made by a layman, which would defeat the purpose of the report (Federal
Court of Australia 2011).
There may be occasion where the expert changes their opinion or where the opinion is
not fully researched; in both circumstances it should be made known to the Court and
noted within the report. If, after reading another expert's report, the expert changes their
opinion, the report would also need to be changed. If the expert's opinion is not fully
reached due to incomplete data or other reasons, this needs to be made known in the
report. In both situations it needs to be communicated to the Court and notes or
amendments made to their reports (Federal Court of Australia 2011).
To conclude the report the expert witness is required to make a specific declaration,
which should contain the following wording:
“[the expert] has made all the inquiries that [the expert] believes are desirable and appropriate and that no matters of significance that [the expert] regards as relevant have, to [the expert’s] knowledge, been withheld from the Court.”
This is an opportunity for the expert witness to verify that they have, to the best of their
knowledge, analysed and documented each of the factual findings or assumptions, that
their opinions of these facts are sound, and they have adequately recorded the reasons
for their opinions without reservation (Federal Court of Australia 2011).
The final area of the expert’s report is the supplementary material that was utilized
during the preparation of the expert report, which can include artifacts such as
photographs, plans, literature, calculations, analyses, measurements, survey reports or
other items of interest. When the expert’s report is made available for distribution,
copies of the supplementary material should also be made available (Federal Court of
Australia 2011).
The third and final section of the 'Practice Note CM7' is the 'Experts' Conference',
which can be expected to occur when there are two or more experts and their expert reports
have been submitted and distributed. The Experts' Conference, which has also come to
be known as 'hot-tubbing', is made under direction from the Court. The Court can
direct that the Experts' Conference produce a single joint expert report that details the
points of common opinion and those where agreement is not able to be reached
(Victorian Law Reform Commission 2008b; Federal Court of Australia 2011).
Compliance with the requirements of the 'Federal Court Rules 2011' and 'Practice Note
CM7 - Expert witnesses in proceedings in the Federal Court of Australia' that expert
witnesses provide expert reports is expected to promote transparency about the basis of
their opinion. With the expert's reports being provided in the required format, it will
greatly assist the Court in its endeavor of ascertaining the trier of fact, and enable the
Court to more readily evaluate the validity of the expert's opinion. This should result in
an efficient use of the Court's time and resources, and effective use of the invaluable
opinion that can be provided through expert witnesses (Australian Law Reform
Commission 2005).
Victorian State Courts
The 2008 Victorian Law Reform Commission, Civil Justice Review Report, contains
over 270 references to the phrase ‘expert witness’, and almost 200 references to ‘expert
evidence’ in its 758 pages. This can help provide a guide to how integral the role of the
expert witness and expert evidence are to the civil justice process. The report contains a
section dedicated to the role of expert witnesses, which primarily seeks to address the
issue of bias, and concludes with recommendations for changes to the Court rules and
code of conduct for the expert witness (Victorian Law Reform Commission 2008a).
Order 44 ‘Expert Witness’ of the Supreme Court (General Civil Procedure) Rules 2005
(Victoria) and Order 44 ‘Expert Witness’ of the Magistrates' Court General Civil
Procedure Rules 2010 govern the use of expert evidence in Victorian courts. Both of
these rules and orders are aligned, providing consistency for the Supreme, County and
Magistrates Courts of Victoria. Both sets of rules also contain ‘Form 44A – Expert
Witness Code of Conduct’, which further aligns the requirements of the expert witness
within Victorian Courts (Magistrates' Court of Victoria; Supreme Court of Victoria
2005; Victorian Law Reform Commission 2008b).
The following analysis is based on both Order 44 and Form 44A used in the Victorian
Supreme Court Rules and the Magistrates Court Rules, which to all intents and purposes are
identical in their content. It will focus on those sections generally applicable to the expert
witness, and not those applicable to specific disciplines such as medical or motor
vehicle assessments which are within the Application section.
Order 44 contains sections titled: Definitions; Report of expert; Other party's report as
evidence; No evidence unless disclosed in report; and Conference between experts.
Intrinsically linked to Order 44 is Form 44A, which together provide the requirements
and expectations of the expert witness, and the format of the expert report.
The Order begins by providing definitions of three key items that are vital for expert
evidence: expert, opinion and the code. 'The expert' is defined as 'a person who has
specialised knowledge based on the person's training, study or experience', which also
needs to be demonstrated in the expert's report, and is likely to be one of the first points to
be cross-examined by an opposing party during Court proceedings. 'Opinion' is defined
as 'including more than one opinion'. The term 'the code' is that defined by the 'expert
witness code of conduct' in Form 44A; the expert must also provide acknowledgement
that they have read and have agreed to be bound by the code (Magistrates' Court of
Victoria; Supreme Court of Victoria 2005).
Form 44A provides further details of the role of the expert witness and their purpose in
the Court, those being:
A person engaged as an expert witness has an overriding duty to assist the Court impartially on matters relevant to the area of expertise of the witness.
and:
An expert witness is not an advocate for a party.
These two statements appear to leave no doubt that the sole purpose of the expert
witness is to assist the Court, and not the interests of any other parties. When the expert
witness is called upon to provide assistance to the Court, it is to only be in their field or
area of expertise. Based on this, it is reasonable for the expert witness to expect to be
tested in Court to ensure they are suitably qualified to be providing expert evidence for
a point in question (Magistrates' Court of Victoria; Supreme Court of Victoria 2005).
The Order and Form 44A both contain requirements of the Expert's Report, the Order
more specifically addressed to the party who is engaging the expert, and Form 44A to
the expert themselves. The Order requires that the expert be provided a copy of the
'code of conduct' as soon as practicable, and in return a copy of the expert's report
should be provided to the Court and each other party no later than 30 days prior to the
fixed date of trial. The obligation for the expert's report rests upon both the engaging party
and the expert to ensure it meets the Court requirements (Magistrates' Court of Victoria;
Supreme Court of Victoria 2005).
The Expert's Report can be seen to be covering four areas: qualification of the
expert; questions being addressed; findings and report; and supplementary material.
Both the Order and Form 44A contain the same requirements that need to be addressed
in the Expert's Report. These four areas help ensure that the right expert has been selected,
that there is some knowledge of the question being addressed, that the required contents of
the report are present, and that the supporting material used in the assessment is disclosed
(Magistrates' Court of Victoria; Supreme Court of Victoria 2005).
The identification and qualification of the expert preparing the report is fundamental to
the whole process. There are basic requirements that the expert sign the report and
acknowledge that they have read, understood and complied with the 'code of conduct'.
Demonstration that the expert is qualified to undertake the provision of the report could
be of slightly greater importance. The report must contain details of the expert's training,
study or experience by which the expert has acquired specialised knowledge. It is vital
the expert does have the relevant expertise pertinent to the subject matter (Magistrates'
Court of Victoria; Supreme Court of Victoria 2005).
Once the qualification of the expert has been established, a statement of the question or
questions that are to be addressed in the expert's report must be made, which is likely to
be in the form of a practice note. The questions or practice note will be provided by the
Court or the party that has engaged them, and the expert is to address a specific point of
fact. This may also include documents or other materials that are required to be
considered as part of the report. It is at this time that the expert should make it known if a
particular question or issue falls outside of their field of expertise (Magistrates' Court of
Victoria; Supreme Court of Victoria 2005).
When the appropriate expert has been engaged and the necessary questions have been
made known to them, the Court has specific requirements of what should be contained
within their expert report. The Court requires that the expert’s report must separate their
factual findings from their opinions and also from the reasons for their opinions, so as to
provide the Court with greater clarity and assessment of commonality and differences
when provided with reports from multiple experts (Magistrates' Court of Victoria;
Supreme Court of Victoria 2005).
There may be occasion where the expert changes their opinion or where the opinion is
not fully researched; in both circumstances it should be made known to the Court and
noted within the report. If, after reading another expert's report, the expert changes their
opinion, the report would also need to be changed. If the expert's opinion is not fully
reached due to incomplete data or other reasons, this needs to be made known in the
report. In both situations it needs to be communicated to the Court and notes or
amendments made to their reports (Magistrates' Court of Victoria; Supreme Court of
Victoria 2005).
To conclude the report the expert witness is required to make a specific declaration,
which is to ensure that they have made all the inquiries that they believe desirable and
appropriate and that no matters of significance that could be regarded as relevant have,
to their knowledge, been withheld from the Court. This is an opportunity for the
expert witness to verify that they have, to the best of their knowledge, analysed and
documented each of the factual findings or assumptions, that their opinions of these
facts are sound, and they have adequately recorded the reasons for their opinions
without reservation (Magistrates' Court of Victoria; Supreme Court of Victoria 2005).
The final area of the Expert's Report is the supplementary material that was utilized
during the preparation of the expert report, which can include artifacts such as
photographs, plans, literature, calculations, analyses, measurements, survey reports or
other items of interest. The supplementary material could also include enquiries, tests or
investigations conducted by other persons on whom the report has relied, so it should
record who conducted them and their qualifications. When the expert report is made
available for distribution, copies of the supplementary material should also be made
available (Magistrates' Court of Victoria; Supreme Court of Victoria 2005).
Order 44 contains a specific requirement of ‘No evidence unless disclosed in report’
that states a party shall not adduce evidence from an expert that is not contained within
the expert’s report that was previously provided to the Court. This does not pertain to
cross-examinations, and could be allowed if granted by the Court or affected parties.
The Court requires that expert evidence is adduced as previously stated in the expert
report, and any variations are only those as directed by the Court (Magistrates' Court of
Victoria; Supreme Court of Victoria 2005).
The final section of the Order or Form 44A is the 'Conference between experts', which
can be expected to occur when there are two or more experts and their expert reports have
been submitted and distributed. The conference, which has also come to be known as
'hot-tubbing', is made under direction from the Court. The Court can direct that the
conference produce a single joint expert report that details the points of common
opinion and those where agreement is not able to be reached (Magistrates' Court of
Victoria; Supreme Court of Victoria 2005).
The requirements contained within Order 44 and Form 44A provide guidelines
specifically to help address the issue of bias of the expert witness and the expert report.
This should ensure the expert's reports are provided in the required format, which will
greatly assist the Courts in their endeavor of ascertaining the trier of fact, and enable the
Courts to more readily evaluate the validity of the expert's opinion. The requirements
demonstrate that the Courts acknowledge that expert witnesses have a role to play in the
court process, and help ensure an efficient use of time and resources for all parties
concerned.
Other states
Most states and territories in Australia have their own Acts and Rules under which their
Civil Courts function. Despite each state having their own Acts and Rules which
include nuances for their jurisdictions, they can be found to have commonalities for
their basic requirements and purpose of the expert witness. The most fundamental is
that the expert is to provide unbiased opinion and their duty is to the Court and no other
party.
New South Wales State Courts
The requirements of the expert witness and expert reports for Courts in New South
Wales are found in the state’s Uniform Civil Procedure Rules 2005. The rules contain a
definition of an expert witness and the requirements of the expert and their report are
located in ‘Schedule 7 - Expert witness code of conduct’ (New South Wales
Government 2006).
Queensland
Queensland Courts utilize the state's 'Uniform Civil Procedure Rules 1999 (Qld)', which
contain requirements of the expert witness and the expert report. The expert witness'
duty is to the Court and overrides that of any other parties that may have engaged
them. The rules provide requirements of the expert report, for its format and content, and
permit the Court to direct experts into conference with the aim of producing a
joint report. The Queensland rules also have provision for a single Court appointed
expert (Victorian Law Reform Commission 2008b).
Australian Capital Territory
The courts of the Australian Capital Territory (ACT) are subject to the Australian
Federal Court Rules, which contain requirements for the expert's report and a practice note
for the expert witness which serves as a code of conduct.
South Australia
In South Australia the requirements of the expert witness and the expert report do not
appear to be as succinctly linked as those of the Federal Court and some other states
such as Victoria. The South Australian Supreme Court Civil Rules 2006 (SA) does
contain requirements for the expert report. However, the requirements of the expert
witness are located in a different document, the Supreme Court Practice Directions,
which operate in conjunction with the Supreme Court Civil Rules. This is different from
that of Victoria, where the expert witness 'code of conduct' is included as a form that is an
integral part of the same rules document (Supreme Court of South Australia).
The South Australian Supreme and District Courts must comply with the Practice
Directions. Practice Direction 5.4 which specifically concerns the ‘Expert Witness’, is
also known as Rule 160, and contains sections for the duty of the expert witness and the
format of the expert report. The requirements of the expert witness and the expert report
are not dissimilar to those found in the ‘code of conduct’ of other states.
The primary duty of the expert witness, as in other state and federal jurisdictions, is to
the Court on matters of which they are expert, and not any party or any other person
retaining them. There is a difference in the expert report: whereas in other states the
expert can acquire specialised knowledge through training, study or experience, in
South Australia this appears to be by qualifications alone, which at best may discount
specialised knowledge obtained through experience. However, the South Australian
Supreme Court case 'R v Evans [2005] SASC 184' suggests that an expert witness can
be qualified through demonstration of sufficient knowledge obtained by training, by study
and experience (Supreme Court of South Australia; R v EVANS 2005).
Western Australia
The code of conduct for the expert witness in Western Australia is not an integral part
of the court rules document. It was found to be Annexure C of the Consolidated Practice
Direction, Civil Jurisdiction. In the Western Australian Supreme Court it appears that
no expert evidence can be adduced without it being granted by the Court. The Court
would appear to retain significant control of whether expert witnesses are to be engaged
and how many experts for a given fact in question (District Court of Western Australia;
Victorian Law Reform Commission 2008b).
Other countries
Canada
Between 2003 and 2007 four Canadian provinces undertook reviews or reforms of their
court rules in regard to expert evidence. Common issues identified were the number of
experts engaged, the provision of expert reports, the expert's duty to the Court, Court
initiated conferences of experts (hot-tubbing), and the possibility of a code of conduct.
Each of the provinces was also able to identify common solutions to many of the issues
(Canadian Bar Association 1996; Alberta Law Reform Institute 2003; Supreme Court of
Nova Scotia 2005; Canadian Bar Association 2007; Osborne 2007).
All provinces were in accord that the number of experts that were previously being
engaged was frequently inappropriate, which led to questioning whether there should be limits
on the number of possible expert witnesses. Most recommended that the Court should
control the number of experts and who would engage the experts based on the specific
issues to be adduced. These ranged from a single Court appointed expert, or a joint expert
for both parties, to limiting experts to an allocated number (Alberta Law Reform Institute 2003;
Osborne 2007).
Some provinces identified the need for expert reports, and for standardization of the
reports. The courts could then more readily assess the opinion being proffered by the expert
witness, and the reports could be utilized in evaluating those opinions in cases of multiple and
conflicting opinions. Setting minimum standards would also assist in accepting reports
from non-professional expert witnesses. They also proposed there should be
requirements on the number of days that expert reports should be made available prior
to trial dates, and the number of days by which responses can be provided (Alberta Law
Reform Institute 2003; Supreme Court of Nova Scotia 2005).
A requirement was identified that expert witnesses should be reminded that their
duty is to the Court and not to any party that may have engaged them in the first
instance. A possible method to bring this to the attention of the expert is to ensure they
are provided with a 'code of conduct' as part of their engagement process. Not all were
in favour of this method, instead advocating it should be the responsibility of associated
professional bodies (Canadian Bar Association 2007; Osborne 2007).
The final issue highlighted was that of Court initiated conferences for expert witnesses,
which in one province was considered to be an 'interesting idea'. There was concern
that there could be problems in arranging conferences pre-trial, and it was questioned whether
this could undermine a party's ability to utilize its expert evidence to its own advantage.
However, there was a positive view that performing expert conferences could save
considerable court time, by experts distilling points of agreement and only presenting
the points of difference to the Court (Canadian Bar Association 1996; Alberta Law
Reform Institute 2003; Osborne 2007).
Sweden
In Sweden all forensic capability is provided by the Swedish National Laboratory of
Forensic Science (SKL). The laboratory is an independent public authority under the
Swedish National Police Board (NPB), making it the formal expert and working in
collaboration with the Swedish judicial system. The forensic experts are responsible for
performing the necessary investigations and providing the statement of witness to the
Court, which helps ensure consistency in the reporting process. The forensic expert
is trained not only in developing and performing the investigative and analytical skills,
but also in the language necessary for statements of witness for the Courts (Swedish
Ministry of Justice 1998; Köpsén & Nyström 2012).
The requirements of expert witnesses in Swedish courts are made through the ‘The
Swedish Code of Judicial Procedure’, specifically ‘Chapter 40 – Experts’. The expert is
someone who is:
‘A public authority or officer or from a person specially authorized to furnish opinions on the issue or may commission one or more persons known for their integrity and their knowledge of the subject to deliver an opinion.’
The experts must provide their opinion in the form of a written report, which must be
submitted to the Court by a date advised by the Court (Swedish Ministry of Justice
1998).
To enter the SKL, one of the public authorities, the training program requires the
applicant to have obtained a minimum degree level of education in the specific field in
which they are to become expert. There is a two year mentored, competence based and
quality assured traineeship that the participant passes through to attain the accreditation
of expert witness in their chosen field. The Swedish expert witness has undergone a
process of studies, traineeship and subsequent experience, through an accredited process
(Köpsén & Nyström 2012).
United Kingdom
In 1996 Lord Woolf completed a review of the civil justice system in England and
Wales which culminated in the adoption of recommendations to Part 35 of the Civil
Procedures Rules 1998 (Eng), and the issuing of Practice Directions to supplement Part
35. Many of Woolf’s recommendations involved the effective use of expert evidence
and the Courts ability to provide directions of and to the experts. During the preliminary
proposal phase of his review, Woolf received substantial resistance from those who
benefited due to what had become a large litigation support industry (Woolf 1996).
Woolf's reforms were to ensure expert witnesses were only engaged when necessary.
When they were engaged it was for specific points of fact, and the expert witness was to
understand their duty was to the Court. Furthermore, when the expert or experts provided
their report to the Court it needed to be in a written form, and if multiple experts had
been engaged they may be required to present a joint report. The most contentious issue
was the recommendation for the use of one expert by both parties (Woolf 1996).
Both the New South Wales Law Reform Commission 'Report 109 – Expert Witnesses'
and the Victorian Law Reform Commission 'Civil Justice Review: Report – Chapter 7 –
Changing the Role of Experts' make reference to the Woolf recommended reforms of
the England and Wales civil justice system. Australia has generally chosen to take a
slightly more tempered approach, which provides for the possibility of a Court appointed
expert but does not mandate it (New South Wales Law Reform Commission
2005; Victorian Law Reform Commission 2008b).
USA
The United States of America federal Court jurisdiction utilizes what is termed a
'gatekeeper' to filter the expert witnesses before they present in Court. This role is
performed by the judge that is presiding over the trial, to ensure all expert evidence
admitted is relevant and reliable. To assist the judge with the decision are the Federal
Rules of Evidence, and specifically Rule 702, which states that:
If scientific, technical, or other specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue, a witness qualified as an expert by knowledge, skill, experience, training, or education, may testify in the form of an opinion or otherwise, if (1) the testimony is based upon sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case.
Rule 702, which was amended in 2000, concludes with three tests that should be applied
to the evidence being provided by the expert witness. The tests help ascertain if the
expert witness testimony is being made using a sound basis and not pure speculation
(Supreme Court Of The United States 2011).
The qualification of the expert is not dissimilar to that found within the ‘Code of
Conduct’ and ‘Practice Directions’ used in Australian Courts. Where it differs is in the
use of the three tests of the expert’s evidence, to ensure it is based on facts, uses sound
methodologies, and that they have been applied correctly to the facts. At present these
aspects must be adduced during the Court hearing.
Conclusion
During this chapter research was undertaken to establish the Court's requirements of the
expert witness. Analysis of the requirements from Courts of various Australian
jurisdictions and from other countries suggests there are clear and established
requirements of expert evidence and the expert witness.
By undertaking research into the historical background of Courts and their use of expert
witnesses, it can be demonstrated that the role or function has been in existence since the
14th century. Over the centuries there has been little change in the Court's requirements
of the expert witness in providing expert opinion on matters that would be beyond the
comprehension of the layman. What has changed is the increase in the number of fields
of expertise that Courts call upon to provide expert opinion.
Up until the 18th century the fields called upon to provide expert opinion were confined
to those in the medical sciences. The 19th century would see the world subjected to
previously unprecedented change through the industrial revolution, which also brought
about an increase in the number of disciplines or fields that would be called upon to
provide expert opinion. Those now joining the ranks of expert witnesses included
chemists, microscopists, geologists, engineers and mechanists. This would set the scene
for further changes that would occur during the 20th century.
The latter half of the 20th century was to be subject to unprecedented advances in
science, possibly not seen before in the history of mankind. Three of the most significant
areas of change were in nuclear physics, informatics and genomics. What occurred at
this time was a subtle shift from sciences that could be easily understood by a lay jury,
to sciences that were solely dependent upon expert witnesses for interpretation and
presentation to the court. There was also an increase in the prevalence of sciences in
court cases. Courts have continued to adapt and assess the most effective methods of
engaging with the expert witness.
An issue that is apparent in the law reform reports both here in Australia, and from other
countries, was that of ‘bias’ of the expert witness. All jurisdictions had the expectation
and requirement that the expert witness’ sole responsibility was to the Court and not to
any other party. This is not a recent phenomenon, as it can be found to be an issue
historically. The recommendation from the law reform reports was for establishing
minimum requirements through publication of an expert witness ‘Code of Conduct’.
Most Court jurisdictions in Australia now have a ‘Code of Conduct’ or ‘Practice
Direction’ for expert witnesses to advise the potential expert of the Court’s
requirements. The ‘Code of Conduct’ is required to be provided to the expert at the time
of engagement. The expert must ‘acknowledge that they have read the code and agree to
be bound by it’.
An example ‘Code of Conduct’ is provided in Appendix A, Form 44A, from the
Supreme Court (General Civil Procedure) Rules 2005 (Victoria). The content of Form
44A is typical of the ‘Code of Conduct’ or ‘Practice Directions’ now used.
In summary the ‘Code of Conduct’ advises the expert witness that their ‘duty is to the
Court and no other parties’, to ‘demonstrate how they are to be qualified to be expert,
by training, studies or experience’, that ‘they should be only providing expert opinion
on evidence of which they are expert’, and that ‘this shall be provided to the Court
through an Expert Report’.
To complement the ‘Code of Conduct’, is the ‘Expert Report’, which can be known as
the ‘Expert Certificate’ in some jurisdictions. As the ‘Code of Conduct’ is the Court
communicating to the expert witness of their requirements, the ‘Expert Report’ is for
the expert to communicate back to the Court. The ‘Expert Report’ is seen to
significantly improve the communications of the expert back to the Courts prior to trial
and hearing, in a format that is able to be more readily processed and assessed by the
Courts.
When the Courts have two or more expert witnesses for a case, they are able to utilize the
expert reports to assess if it would be more beneficial to instruct the experts to
conference together, and provide the Court with a joint report. This is a capability that is
at the Court's discretion, and is sometimes known as 'Hot-Tubbing'.
The ‘Code of Conduct’ does not contain a specific requirement for the minimum
standard qualifications of the expert. The expert must satisfy the Court that they possess
the necessary training, studies or experience, to be providing expert opinion of the
evidence.
Courts in Australia have considerable discretion in regard to the appointment of expert
witnesses, which can vary depending on the jurisdiction and severity of the crime. In
most cases each party is able to engage their own expert witnesses. The Court, however,
may limit the number of experts, appoint its own expert, or appoint a single joint expert.
The recommendations of the Australian law reform reports were that the capability
should exist, however it should not be mandated, so as to provide flexibility, and
assignment of expert witnesses should be as dictated by the case requirements.
The Court requirements have been summarized in Table 1. The table lists the various
aspects that have been identified and whether the Courts of that State or Country have
any specific requirements. As outlined in the table, it appears that there are many
commonalities of the Courts in respect to their requirements of the Expert Witness and
Expert Reports.
Table 1 - Court requirements of the Expert Witness
Issues | Federal | Vic | NSW | QLD | ACT | SA | WA | Canada | Sweden | UK | USA
Expert Witness: Y Y Y Y Y Y Y Y Y Y Y
Duty to the Court and the community: Y Y Y Y Y Y Y Y Y Y
Code of conduct: Y Y Y Y Y Y Y
Expert Report: Y Y Y Y Y Y Y Y Y Y
Qualification of Expert: Y Y Y Y Y Y Y Y Y
Joint Expert: Y Y Y Y Y
Court appointed expert: Y Y Y Y Y Y Y Y
Exchange reports: Y Y Y Y Y Y
Court directed Conferences: Y Y Y Y Y Y Y
Joint Report: Y Y Y Y Y Y Y
Y = known, blank = not known
4 Standards
Introduction
The previous chapter focused on the Courts Requirements of the expert witness and the
expert report. This chapter will investigate the standards and guidelines that are likely to
be applicable to Information Technology evidence and its presentation in court and
more specifically the capability that would be required of a cyber-security incident
response in an industrial control systems environment. The analysis will seek to
ascertain how well the requirements of the courts are represented in the standards and
guidelines.
Before undertaking analysis of the standards and guidelines it is worthwhile stating
several concepts for digital forensic investigations that could be expected to conclude
with presentation in a Court of Law.
The first concept is of performing a task forensically. The dictionary definition of
‘forensically’ is the presentation in a Court of Law. So a task that is performed
forensically results, or concludes, in a presentation in a Court of Law.
The second concept is of minimum requirements, or a basic model for undertaking a
digital forensic investigation. Possibly the method most widely accepted is that
provided by McKemmish in 1999, which contains four steps and four rules to be
applied whilst performing those steps. The steps are Identification, Preservation,
Analysis and Presentation. The rules to be applied are: Minimal handling; Account for
any change; Comply with the Rules of evidence; and Do not exceed your knowledge.
The successful execution of McKemmish's (1999) method requires the application of
the rule set to every step of the process.
The third concept is that the presentation in a Court of Law of digital forensic evidence,
or expert evidence as it is termed in Court, will in most cases require the services of an
expert witness (New South Wales Law Reform Commission 2005).
The fourth concept is that the Courts have specific requirements of the expert witness
and the expert report. Their fundamental requirements of the expert witness are that: the
expert witness should be unbiased; their duty is to the Court and no other parties; they
should be suitably qualified to provide expert opinion either by their training, study or
experience; the opinion proffered is only of that which they are expert; and the report is
in a form prescribed by the Court (Supreme Court of Victoria 2005).
There is possibly a relationship between McKemmish’s rule of ‘do not exceed your
knowledge’ and the Court requirement of ‘the opinion proffered is only of that which
they are expert'. McKemmish is advocating that the forensic process should not be
undertaken by persons who have not been adequately trained, completed the necessary
studies, or gained the required experience. The Court requires that expert opinion should
not be provided unless the person has been adequately trained, completed the necessary
studies, or has the required experience. It appears reasonable to expect that the application of
McKemmish’s rule set to a forensic process would place it in a better stead to be
compliant with the requirements of the Courts (McKemmish 1999; Supreme Court of
Victoria 2005).
All of these concepts should influence how digital forensic investigations are
undertaken and the methods by which reports are prepared and presented.
Many digital investigations which at the outset appear to be a routine system failure
can in some circumstances end up becoming expert evidence used in a Court of Law,
as will be demonstrated later in the Case Studies chapter.
Analysis
The standards and guides to be considered during this analysis are: 'AS/NZS ISO/IEC
27001:2006 Information technology - Security techniques - Information security
management systems – Requirements', 'AS/NZS ISO/IEC 18044:2006 Information
technology—Security techniques—Information security incident management', 'HB
171:2003 Handbook Guidelines for the management of IT evidence', 'NIST SP800-86 -
Guide to Integrating Forensic Techniques into Incident Response’, ‘AS/NZS ISO/IEC
15443.1:2006 - Information technology—Security techniques—A framework for IT
security assurance Part 1: Overview and framework’, and ‘RFC 3227 - Guidelines for
Evidence Collection and Archiving’. These standards and guides were selected by
accessing the associated websites and searching for standards and guides related to
information technology evidence and cyber incident response (Brezinski & Killalea
2002; Standards Australia 2003; Kent et al. 2006; Standards Australia 2006c, 2006a,
2006b).
The above standards and guides do not necessarily purport to offer a comprehensive
methodology for undertaking digital forensic investigations. However, collectively they
may provide a compilation of publicly available best practice guides for performing
digital forensic investigations.
The standards and guides were grouped into Primary Standards and Support Standards.
The Primary Standards were AS27001, AS18044 and HB171, which it was believed
would need to be used collectively. The Support Standards were SP800-86, AS154431
and RFC3227, which are those that could be used individually as required to supplement the
Primary Standards. The primary group is composed of Australian standards and guides;
the support group contains both Australian and International standards and guides.
The purpose of the analysis is not necessarily to highlight deficiencies in the standards
or guides. However, if they are meant to be examples of best practice and to enable
practitioners to be well informed, then any gaps will be highlighted. For experts to
ensure they are familiar with best practice, there should be a reasonable expectation that
the standards and guides are a reliable source of that information.
Primary Standards
Information security management systems – Requirements
The Standards Australia publication ‘AS/NZS ISO/IEC 27001:2006 Information
technology - Security techniques - Information security management systems –
Requirements’, will be referred to as AS27001 for the purpose of this analysis
(Standards Australia 2006b).
The approach suggested by the standard is a risk-based approach to the
requirements of information security management systems.
Standard AS27001 provides an overall framework for the requirements of an
Information Security Management System. However, it appears to be extremely limited
in the area of an Incident Response capability, and contains nothing in the vein of a cyber-
forensic incident response capability. The United States National Institute of Standards
and Technology recommends, through its Special Publication 800-86, that every
organization have the capacity to perform cyber incident response and forensic analysis
(Kent et al. 2006).
Following the recommended methodologies prescribed in the standard would place an
organization in good stead during normal operations. However, there is concern that it
may not offer sufficient advice to ensure an organization is adequately prepared
for a cyber-security incident and has an appropriate response capability.
The standard has a reference to ISO 18044 ‘Information technology—Security
techniques—Information security incident management’ in section ‘3 - Terms and
definitions’, however it has very little guidance for further reference, and does not
contain any reference to HB171 ‘Handbook Guidelines for the management of IT
evidence’. Both of these Australian Standard publications are expected to be suitable
references for defining the requirements to identify, collect, analyze and present
information technology evidence in the event of a cyber-security incident.
AS27001 does utilize information security terms when it defines the loss of
confidentiality, integrity or availability in reference to risk assessments (4.2.1.d.4),
when identifying risks (4.2.1.e.1), and a general definition of information security (3.4),
however, it does not use these terms in describing a cyber-security incident. It would be
beneficial to utilize the same terms throughout the whole document, in setting
requirements, processes and incident response.
AS27001 appears to be very weak in respect to information security incidents, the
collection of evidence and necessary controls. The controls describe performing
evidence collection as a follow-up process, not a process integral to an established cyber
incident response capability. Cross referencing with other Standards that provide
guidance in incident response would significantly enhance this aspect of the standard.
Section '5.2.2 Training, awareness and competence' recommends that all personnel
should be competent to perform the duties that are assigned to them. It goes on to require
that personnel are suitably trained, have completed relevant or required studies, or have
the necessary experience to meet the objectives of the Information Security
Management System. These are vital to undertaking a cyber-forensic investigation and
should be part of the objectives of the Information Security Management System.
Information security incident management
The Standards Australia publication ‘AS/NZS ISO/IEC 18044:2006 Information
technology—Security techniques—Information security incident management’, for the
purpose of this analysis will be referred to as AS18044 (Standards Australia 2006a).
A digital forensic capability is not one of the objectives stated in the standard, yet
further into the Standard it contains a specific section for forensic analysis (section
8.5.5). Possibly the objectives require some amendment to ensure they reflect the
actions and outcomes expressed throughout the remainder of the standard. The section
‘4.1 Objectives’ contains a statement of categorizing the incidents, yet only uses the
terms of confidentiality, integrity and availability as a footnote to that specific
statement. It is not clear if these are objectives or not, especially as these terms are
fundamental in accurately classifying an information security incident.
Section ‘5.2.3 Legal and Regulatory Aspects’ contains what appears to be a very strong
statement that ‘information security incidents need to be typically attributable to an
individual'. This type of statement may lead to a blame culture that is not necessarily
beneficial to an effective incident investigation, to ascertaining root causes, or to remaining
unbiased. Incidents 'could be attributable to an individual'; however, it may not be correct
that they 'need to be attributable to an individual'.
The 'Legal and Regulatory Aspects' section is extensive, mostly covering contractual
obligations; however, it does contain two subheadings that could be applicable to the Law,
Courts and Tribunals. The section contains the sub headings of 'Law Enforcement
Requirements are Addressed’ and ‘Prosecutions, or Internal Disciplinary Procedures,
can be Successful’.
The subheading ‘Law Enforcement Requirements are Addressed’ appears to be
specifically focused on ascertaining the minimum requirements at which incidents
should be documented and how long those documents should be retained for. It does not
appear to make any consideration for a Court’s processes or requirements of evidence,
or a Court initiated discovery process.
The second subheading of ‘Prosecutions, or Internal Disciplinary Procedures, can be
Successful’ attempts to offer a few useful tips to help facilitate successful prosecutions
or internal disciplinary action against ‘attackers’. The tips are to ensure that ‘records are
complete and not been tampered with’, ‘evidence copies are identical to the originals’,
and that the ‘system was operating correctly at the time the evidence was recorded’.
These points would not guarantee that a forensic process has been achieved, nor does the
section mention that the process should be conducted by people who have been trained, studied, or
have the necessary experience. This could be an opportunity to cross-reference or refer
to another Australian Standard publication, such as 'HB 171:2003 Handbook Guidelines
for the management of IT evidence', that could provide more accurate advice.
When describing a cyber-security incident, the standard does not appear to mention or
use the terms such as the loss of confidentiality, integrity or availability as measures.
However ‘page 3’ of its ‘Information Security Incident Report’ requires the recording of
information if there has been a breach of Confidentiality, Integrity, Availability or Non-
Repudiation. There appears to be some inconsistencies in the terminology used in
examples of information security incidents and with that used to report them.
AS18044 contains section ‘8.5.5 Forensic Analysis’, which includes a statement that the
‘proficiency’ of those undertaking the task needs to be recorded. It does not elaborate
any further on why this should be done, or of the possible implications from a forensic
evidentiary perspective. It could bring to the reader's attention that, should the evidence
need to be presented in a Court of Law, there will likely be questions of the person's
training, studies or experience to be undertaking the task.
This standard does not appear to reference Standards Australia’s own publication ‘HB
171:2003 Handbook Guidelines for the management of IT evidence’ which was
published only three years earlier. Neither does it appear to reference AS27001. Yet it
does reference NIST SP 800-3 ‘Establishing a Computer Incident Response Capability’,
which was published in 1991, and now appears to be obsolete.
Handbook Guidelines for the management of IT evidence
Standards Australia’s ‘HB 171:2003 Handbook Guidelines for the management of IT
evidence’ aims to ‘provide guidance on the management of electronic records that may
be used as evidence in judicial or administrative proceedings’, which raises expectations
that the methods provided by the guide should be closely aligned with the requirements
of the Courts. For the remainder of this discussion the handbook will be referred to as
HB171 (Standards Australia 2003).
In the most part HB171 provides a comprehensive guide for the management of IT
evidence, providing details of what IT evidence is, principles of its management and a
model for the IT evidence management lifecycle.
HB171 does contain some reference to the qualifications of those undertaking the
management of IT evidence, however it is dispersed in various and seemingly disparate
sections. In section ‘2.2 The Principles’, and more specifically section ‘2.2.6 Personnel’,
there is a recommendation to ensure those involved in the management of IT evidence
have appropriate training, experience and qualifications to fulfill their role. It is not until
section ‘3.5 Stage 4: Analyse evidence’, and specifically section ‘3.5.2 Personnel
qualifications’, where there is further reference and introduction of the concepts of
ordinary witnesses and expert witnesses, and concludes with reference to Appendix D
‘Expert witness code of conduct’ (Standards Australia 2003).
It could be more helpful if section '2.2.6 Personnel' contained a link or reference to the
'3.5.2 Personnel qualifications' section, to help bring to the reader's attention that there
are specific requirements which, if not anticipated, could influence the effectiveness of the
expert witness' evidence. Section '2.2.6 Personnel' could also benefit from further
explanation of the possible roles for which personnel should be appropriately trained,
experienced and qualified.
Related to the issue of personnel is the assignment of roles for the various stages of the
IT evidence management lifecycle. During the presentation of expert evidence in Court,
there can be occasions where more than one person has contributed to the evidence
itself, potentially requiring the names, training, studies and experience of all those
involved. Having the roles, and those responsible for performing each role, documented can be vital,
and could contribute to the admissibility of the evidence.
A concept that other standards and guides use to classify and ascertain if there has been
a cyber-security incident is to identify if a system’s confidentiality, integrity, or
availability has been compromised. If there has been a compromise then there is a
higher probability that the investigation could escalate to become a disciplinary, civil or
criminal issue. Accurately classifying the type of information security compromise
could impact the methodology utilized in the management of the IT evidence.
It appears that this guide is not referenced in other Standards Australia publications
where it is expected it could have been, such as in AS27001 and AS18044, even though these
were both published and updated after HB171. HB171 does make a reference to The
Internet Society guide 'RFC 3227 Guidelines for Evidence Collection and Archiving' as
advice to frontline first responders to a cyber-incident that may require evidence
collection. It also makes a brief reference to 'ISO PDTR 18044 – Information Security
Incident Handling Guidelines, section 8.2.7 – Forensic Analysis'.
The guide indicates that those crimes where IT evidence is required are either computer
focused crimes or computer assisted crimes. It does not appear to consider crimes where
the IT system is neither the subject nor the tool of a crime, but where it is the record or
evidence of a crime unrelated to the IT system. This could have a bearing upon the
requirements for management of the IT evidence, how it is presented, by whom, and
how they may be qualified to do so.
Other than a note in the opening Preface titled ‘Qualification’, there does not appear to
be any further mention of engagement with Legal and Law enforcement agencies.
Considering this guide contains considerable detail for the management of IT evidence
for the purpose of supporting civil, administrative or criminal proceedings, even
providing a copy of an ‘expert code of conduct’, it is anticipated that engagement with
legal and law enforcement would have been a necessity.
The section '1.5 Why manage IT evidence?' contains the statement:
Thirdly, while there are incidents where IT specialist skills (including forensic skills) will be required, the vast majority of situations are not technically complex and special skills will not be required.
It does not go any further to elaborate on or qualify the statement. The statement is made in
the context of a handbook for the management of IT evidence, and possibly leaves it
unresolved whether appropriate training, studies or experience are required or not. It appears
to be advocating that a situation which is not technically complex, or does not require special
skills, lessens the need for it to be managed to the same standards. The expectation had
been that, regardless of the situation, the same technique or method should be present for
whoever is undertaking the task.
Support Standards
Guide to Integrating Forensic Techniques into Incident Response
In August 2006 the United States National Institute of Standards and Technology
(NIST) released Special Publication (SP) 800-86 entitled 'Guide to Integrating Forensic
Techniques into Incident Response', which contains recommendations from the NIST
Computer Security Division for undertaking such techniques. For the purposes of this
analysis 'NIST SP800-86 - Guide to Integrating Forensic Techniques into Incident
Response' will be referred to as SP800-86 (Kent et al. 2006).
Despite being a United States publication, SP800-86 can provide valuable insight into
the requirements of a digital forensic process. SP800-86 defines a four step digital
forensic process which contains the phases of: Collection, Examination, Analysis and
Reporting. This process is not too dissimilar to that prescribed by McKemmish (see
Martini & Choo 2012 for a comparison between these two processes), however, it does
not appear to apply a rule set as does McKemmish (Martini & Choo 2012).
The guide begins by stating that 'every Organization needs to have the capability to
perform digital forensics and how this is seen to be an integral part of an effective cyber
incident response'. There would now be very few organizations that do not have a
significant dependence upon Information Technology systems which are
integral to their day-to-day operations. An integral function of operating and maintaining an
organization's information technology systems is an effective cyber incident response
capability (Kent et al. 2006).
It does contain a recommendation that roles be identified and that they be assigned to the
appropriate personnel.
The recommendations within this guide are that it be used only as a starting point for
establishing a forensic capability for incident response, and that extensive engagement
with legal, law enforcement and management should be made. This is sound advice, and
is later elaborated upon to provide additional information on legal issues that could
occur or that will need to be addressed; however, it does not appear to mention expert
witness and expert evidence requirements.
A framework for IT security assurance Part 1: Overview and framework
The Standards Australia publication ‘AS/NZS ISO/IEC 15443.1:2006 - Information
technology—Security techniques—A framework for IT security assurance Part 1:
Overview and framework’, for the purpose of this analysis will be referred to as
AS154431 (Standards Australia 2006c).
This standard is very specifically focused on IT security assurance and could be useful
if paired with AS27001, in providing an overview and framework for incident response. It
does make the valuable point that all stakeholders should be identified, which is invaluable
for an incident response capability that could result in a presentation of evidence to a
tribunal or Court of Law. How often the Court is identified as a stakeholder is not
known.
The value of having a capability prior to an event can be difficult in some circumstances
to justify; however, when an event does occur, the capability is invaluable. This
statement is made specifically in regard to IT security assurance. However, it is equally
true of a computer forensic investigative capability that produces evidence that is
admissible in a Court of Law, and able to be presented by personnel who are
appropriately trained, have studied, or possess the necessary experience.
Guidelines for Evidence Collection and Archiving
'RFC 3227 - Guidelines for Evidence Collection and Archiving' was published in
February 2002 by The Internet Society as a guide for 'best current practice' in evidence
collection and archiving. For the purpose of this analysis it will be referred to as
RFC3227 (Brezinski & Killalea 2002).
The guide contains the following statement in its opening Abstract:
If evidence collection is done correctly, it is much more useful in apprehending the attacker, and stands a much greater chance of being admissible in the event of a prosecution.
This appears to be a sound position from which to begin evidence collection, and uses
terms commonly associated with the Court and Law environment, those of admissibility
and prosecution. However, it does suggest that there must be an attacker, which could
indicate possible bias and not an impartial investigation.
The first statement in its guiding principles is:
Adhere to your site’s Security Policy and engage the appropriate Incident Handling and Law Enforcement personnel.
This again appears to be a sound position from which to begin evidence collection. However, it does
not appear to contain any requirement for the person undertaking the process to be
suitably trained, to have undertaken specific studies, or to have appropriate experience. This can
leave the process to be undertaken by persons who could be exceeding their knowledge,
and even though the evidence may be admissible, the expert witness may not
satisfy the Court's requirements to present it.
RFC3227 is referred to in the Australian Standard guide 'HB 171:2003 Handbook Guidelines
for the management of IT evidence'.
Conclusion
The standards and guides considered during this analysis were: 'AS/NZS ISO/IEC
27001:2006 Information technology - Security techniques - Information security
management systems – Requirements', 'AS/NZS ISO/IEC 18044:2006 Information
technology—Security techniques—Information security incident management', 'HB
171:2003 Handbook Guidelines for the management of IT evidence', 'NIST SP800-86 -
Guide to Integrating Forensic Techniques into Incident Response', 'AS/NZS ISO/IEC
15443.1:2006 - Information technology—Security techniques—A framework for IT
security assurance Part 1: Overview and framework', and 'RFC 3227 - Guidelines for
Evidence Collection and Archiving'. These standards and guides were selected by
accessing the associated websites and searching for standards and guides related to
information technology evidence and cyber incident response (Brezinski & Killalea
2002; Standards Australia 2003; Kent et al. 2006; Standards Australia 2006b, 2006a,
2006c).
The standards and guides were grouped into Primary Standards and Support Standards.
The Primary Standards were AS27001, AS18044 and HB171, which would need to be
used collectively. The Support Standards were SP800-86, AS154431 and RFC3227,
which are those that could be used individually as required to supplement the Primary
Standards. The primary group was composed of Australian standards and guides; the
support group contained both Australian and International standards and guides.
These standards and guides did not necessarily purport to offer a comprehensive
methodology for undertaking digital forensic investigations. However, the analysis
appears to indicate there is very little acknowledgement of the requirements of Courts in
relation to the role of expert evidence and expert witnesses. This was disappointing, as
collectively they were expected to provide a compilation of publicly available best
practice guides for performing digital forensic investigations.
There was not an expectation that the standards on their own would provide a
comprehensive methodology for undertaking cyber incident response, along with the
capability to provide computer forensic data which was presentable and admissible in a
Court of Law. However, collectively, it was anticipated that they may provide sufficient
guidance to allow the practitioner to be well informed of the likely requirements of IT
evidence by the Courts. Whether they were able to meet this need appears to be
doubtful.
In isolation each standard or guide appears to offer sound advice in regard to its title and
purpose. Each document is generally quite narrow in its focus, and so is dependent upon
other sources for additional information. They do make use of, and reference to, other
standards, for example they reference the ISO/IEC 13335 family of standards. Thus the
concept of utilizing other sources is apparent.
The standards do not appear to cross reference each other in regard to incident
management and management of IT evidence. If AS27001 was considered to be the
overarching standard, it could have made reference to AS18044 for incident
management. If AS18044 was the next tier down, then it could have made reference to
HB171 for management of IT evidence. More efficient use could be made of the
standards if they cross-referenced each other.
HB171 contained a copy of the Expert Witness Code of Conduct; however, it provided
very little comment on the purpose and implications of the Code for the management
of IT evidence. The other standards did not demonstrate an awareness of the Courts'
expectations or requirements. Yet many of the standards detailed a forensic process, and
noted that evidence could be used in disciplinary, civil or criminal undertakings. Without an
awareness of the Courts' requirements, this could result in inadequately prepared
evidence being inadmissible.
The standards all contained requirements that personnel should be trained, undertake
studies and have the necessary experience to undertake their roles. However, they did
not state the purpose for doing so, or that there could be implications for the evidence
and its presentation in a Court of Law. There was very little warning not to exceed one's
knowledge, and no indication of the impact upon forensic evidence of doing so.
The terms confidentiality, integrity and availability are commonly used to describe and
assess information security. The standards appeared to be inconsistent, and seemed to be
ad-hoc, in their use of the terms. For example, AS27001 uses them in its definitions, and
AS18044 uses them in its 'Information Security Incident Report'; however, neither of
them used the terms in assessing an information security incident.
As well as being inconsistent in the use of terminology to describe information security,
the standards can be seen to be incomplete in their descriptions of cyber-crime types. A
commonly held description is that a computer can be the subject of a crime, the tool of a
crime and also the record of a crime. The standards made some attempt to describe the
‘subject of a crime’ and ‘tool of a crime’; however they fail to mention the ‘record of a
crime’. Being aware that computers can also be the ‘record of a crime’, and in some
instances an unrelated crime, can significantly widen the incident response scope and
also increase the instances where an incident response may be required.
The standards and guides in their current form are inadequate in preparing for and
responding to cyber incidents that can provide admissible computer forensic data, which
can be presented by the appropriate expert witness, and satisfy the Court’s
requirements.
The analysis of standards and guides applicable to cyber security incident handling has
been summarized in Table 2. It provides an indication of whether the standard or guide
contains references to Court requirements, specifically the Expert Witness, unbiased
and expert evidence. The table concludes with an indication of whether the standard or
guide contains references to the information technology security concepts of
Confidentiality, Integrity or Availability.
If an aspect is not applicable to that standard or guide, 'n/a' is indicated.
Y = defined and used, y = definition only, N = no mention, n = mention, not defined or
used
Table 2 - Standards for Cyber Incident Response and the Expert Witness
Columns: Primary Standards (AS27001, AS18044, HB171); Support Standards (SP800-86, AS154431, RFC3227)
Expert Witness: N N Y N n/a N
Expert Evidence: N N N N n/a N
Court Requirements: N N N N n/a N
Unbiased Evidence: N N N N n/a N
Trained, Studied or Experienced: Y y Y y n/a n
Cross Ref. Aust. Stds.: N N y n/a n/a n/a
Evidence Collection: Y Y Y Y n/a Y
Law/Legal: y Y Y Y y Y
Prosecution / Disciplinary Action: N Y Y n/a Y
Forensics: N Y Y Y n/a y
Confidentiality, Integrity and Availability: n n N n/a N
5 Case Studies - SCADA and Computer Forensic cases
Introduction
The purpose of this chapter is to perform an analysis of three court cases that involve
Computers, Supervisory Control and Data Acquisition (SCADA) systems or Industrial
Control Systems (ICS), to ascertain the role of forensic evidence from those systems, the
role of expert witnesses, and their influence upon the outcome of the case.
The analysis will not question the outcome of the trials; rather, it will make
observations on computer forensic evidence and expert witnesses and their use within
the trials. It will utilize the publicly available Court transcripts and other reports of
investigation into the incidents.
The three cases that have been chosen are expected to provide three unique insights into
the use of forensic evidence from crimes, and the role that expert evidence and expert witnesses
played in the trials. The three cases are the 'Maroochy Water Hacking Incident', the
'Burnley Tunnel Fire Incident', and a case of 'Attempted murder – mobile phone
forensics'.
The ‘Maroochy Water Hacking Incident’ was chosen due to it involving computer
hacking, SCADA systems, expert evidence and expert witnesses. The incident has
received considerable attention from academia, governments and industry in regard to
SCADA security and SCADA forensic readiness. However, this appears to be the first
occasion it has been considered from an expert evidence and expert witness perspective.
From a cyber-crime point of view, it is an example of a computer as the subject of a crime
and as the tool of a crime.
The ‘Burnley Tunnel Fire Incident’ was chosen due to it involving SCADA systems,
and forensic or expert evidence. During the incident investigation and subsequent trial,
there was considerable use of data from the computer systems within the tunnel, and
there was some questioning of the time synchronization of the systems which led to
evidence being withdrawn. From a cyber-crime point of view, it was neither the subject
of, nor the tool of a crime; however, it is an example of a computer record of, or witness to,
an unrelated crime.
The ‘Attempted murder – mobile phone forensics’ case was chosen as it involved computer
forensic evidence and expert witnesses. From a cyber-crime point of view, it was
neither the subject of, nor the tool of a crime; however, it is an example of a computer
record of, or witness to, a crime. The digital evidence in this case is possibly slightly
different from the previous two cases, in that the evidence appeared to have been
deliberately recorded on a mobile phone by one of the participants in the crime.
Analysis
Case Study 1 – Maroochy Water Hacking Incident
The Maroochy Shire Council, which in 2008 amalgamated with several other councils
to form the Sunshine Coast Regional Council, is located 100km north of Brisbane in
Queensland, Australia. In the year 2000 when the offences were committed, the
Maroochy Shire Council managed their own sewerage system, which included pumping
stations and treatment plants in the surrounding areas of Buderim, Nambour and Mount
Coolum.
The two Court transcripts that are to be reviewed in this analysis are from the Supreme
Court of Queensland and the High Court of Australia, Brisbane. The first is from the
‘Supreme Court of Queensland, Court of Appeal’ heard on 21-Mar-2002 and the
decision delivered on 10-May-2002, ‘R v Boden [2002] QCA 164’. The second is from
the ‘High Court of Australia’ heard on 25-Jun-2003, ‘Boden v The Queen B55/2002
[2003] HCATrans 828’.
The timeline of this case study is drawn out over three and a half years. The crime was
committed during February to April 2000; the trial was heard during October 2001,
sentencing on the 31-Oct-2001. The appeal to the Supreme Court of Queensland was on
21-Mar-2002 with the decision delivered on 10-May-2002, and the High Court appeal
heard on 25-Jun-2003.
The original trial dealt with two aspects of the crime: the computer as the subject of the
crime; and the computer as the tool of the crime. When the accused was apprehended by
Police, he was found to be in possession of computers and other equipment that were
not his, hence the computer was the subject of a crime. There was also the issue of what
the computers had been used for by the accused while they were in his possession,
hence the computer was the tool of a crime.
The issue of the possession of the computers and other equipment was relatively easily
addressed through identification by the owners. The owners would later appear in the
Court proceedings as witnesses for the prosecution. This task in many respects could
have been undertaken by almost anyone representing the original owners that knew of
the equipment identification process or method.
The issue in regard to the use of the computers and other equipment to commit a crime,
where the computer was the tool used, required specialist knowledge or expert evidence
to be presented. These witnesses would require detailed knowledge of how the system
normally operated, how it had been behaving during the times it was being manipulated
to commit a crime, and how the computers seized during the arrest were involved.
These witnesses would be required to provide expert evidence and expert opinion.
During the original trial there were 13 witnesses called by the prosecution. One is
known to be a Police computer expert, and five known to be employees of Hunter
Watertech. Some of the Hunter Watertech employees are referred to as witnesses, used
in the identification and ownership of equipment seized during the arrest. Others are
referred to as expert witnesses, who are recorded as providing opinion evidence for the
interpretation of data and computer system behavior.
The accused in this case was a previous employee of Hunter Watertech, as were at least
two of the expert witnesses that were called upon by the prosecution. There is no
indication of any bias by these expert witnesses. It could however have placed
significant pressure upon those expert witnesses who were both former colleagues and
supervisors of the accused.
Two weeks prior to the original trial, the accused was provided a CD by the Police
Forensic Unit that contained a copy of their computer forensic examinations. This CD
was viewed by the accused; however, they did not engage the services of their own
computer forensic expert. Although the CD was supplied only approximately two weeks
prior to the trial, there was still an opportunity for the defence to have engaged their own
expert witness and provided an analysis of the evidence; however, they chose not to.
During the appeals it was indicated that there may have been a discrepancy in an aspect
of the Police computer forensic expert witness’ analysis and evidence. Unfortunately
the discrepancies were not adequately explored either prior to, or during the original
trial. There could quite possibly have been a plausible explanation for the discrepancy.
However, without an equivalent forensic analysis by the defence, or any cross-
examination, it would be difficult to ascertain the reason for the discrepancy.
The case called upon several expert witnesses to support the prosecution; however,
there were no expert witnesses for the defence. The original case concluded with the
Judge sentencing on 26 counts of ‘computer hacking’. The two subsequently unsuccessful
appeals by the defendant may suggest that a balanced use of expert witnesses could have
been a more effective use of the Court’s time and resources in the longer term.
The transcript of the High Court application hearing confirms the original case
contained significant technical evidence that required specialist and expert presentation,
which should have required a similar effort by the defence to provide a balanced presentation from
both parties. It could be speculated that if the defence had provided an equally capable
expert witness assessment and cross-examination of the prosecution’s witnesses, it may
have negated the need for the two unsuccessful appeals against the conviction.
This case is an example of what is likely to transpire when there is well organized
expert evidence and expert witnesses to present it, and when there is little or no defence
or cross-examination of it. It was able to show that Courts are able to utilize the services
of expert evidence and expert witnesses. However, without balanced preparation and
representation by both parties, it will likely lead to an unsatisfactory or unexpected
outcome.
The result of the appeal to the Supreme Court of Queensland was a reduction in
recorded convictions from 26 down to 20 counts, for the offence of using a restricted
computer without the consent of its controller. The appeal to the High Court was
unsuccessful.
Case Study 2 – Burnley Tunnel Fire Incident
CityLink is a private toll road in Melbourne, Victoria, Australia, owned and operated by
Transurban. CityLink comprises 22km of roadway which includes the Burnley and
Domain Tunnels. Both tunnels contain fire and evacuation safety systems that are
controlled by a central computer system. The computer system is used to control jet
fans, deluge, smoke extraction and other industrial type machinery which are integrated
into the tunnel’s safety systems.
The dedicated computer systems are critical to the tunnel’s operation, as proven on 3-
Oct-2012, when both tunnels were closed for over 12 hours due to a malfunction of
the computer systems (Carey 2012; Edwards & Stavropoulos 2012; Levy 2012).
To be able to control and monitor industrial machinery such as jet fans and deluge
requires the use of a SCADA system or an ICS. The CityLink tunnels and roadway
utilize an advanced computer system not only to control and monitor the equipment,
but also to detect and record incidents. The data recorded and logged by these systems is
likely to be an invaluable source of information during incident reconstruction and
investigation (Citilog 2003; Dix 2010; Montgomery & Bueker 2010; Transdyn 2011).
Computer systems can be the subject of a crime, the tool of a crime, and can also be the
record of an unrelated crime. There was speculation during the CityLink computer
malfunction on 3-Oct-2012 that it could have been the subject of a crime,
which was later dismissed by Transurban. In the Burnley Tunnel Fire incident the
CityLink computer systems were the record of a crime; they were not the subject of, nor
the tool of, a crime (Levy 2012).
The two Court transcripts that are to be reviewed in this analysis are from the Supreme
Court of Victoria, Melbourne Criminal Division. The first is from a hearing on 15-Jul-
2009 for ‘Ruling No1’ in regard to previous evidence that should be excluded, ‘R v
Kalwig (Ruling No 1) [2009] VSC 213’. The second is from the ‘Sentencing’ on 1-Sep-
2009 as a result of the trial, ‘R v Kalwig [2009] VSC 373’.
Other publicly available material is from the Independent Investigator for the
Coroner, Professor Arnold Dix. The material demonstrates the record of events, and
could have, if events had not been favorable, resulted in the systems becoming the focus
of the investigation.
The crime occurred on 23-Mar-2007; over two years later the trial was undertaken
during July 2009 and sentencing was completed on 1-Sep-2009. It is important to note
here that there was more than two years between the date of the crime and its Court
hearing. It could be expected that this would have been adequate time to process and
prepare the computer forensic evidence that was to be adduced during the trial.
This case study provides two examples of the use of computer forensic evidence, one
which was extremely successful in obtaining the resultant conviction, and a second
which could have been cause for a retrial. The retrial was avoided after considerable
contemplation by the presiding Judge, and the evidence was held to be irrelevant. In
both examples the same computer forensic evidence is utilized, however by different
experts, to achieve different aims.
The Burnley Tunnel Fire incident occurred on 23-Mar-2007 just after 09:54am. It was a
multi vehicle collision, involving cars and trucks, and resulted in the deaths of three
men. The subsequent accident investigation brought about charging one of the truck
drivers with culpable driving. The driver would later be convicted on the lesser offence
of dangerous driving causing death.
Successful use of expert evidence
During the trial two Police experts gave evidence of the vehicles’ trajectories. To form
their opinions, they used data from the CityLink computer systems, which aided the
incident reconstruction. The Judge commented in his sentencing address that the
jury’s verdict was likely to have been formed upon presentation of this evidence. Expert
evidence in the hands of suitably trained, studied or experienced expert witnesses can
provide the basis for a convincing argument (ABC News 2008a).
In this scenario the police were experts in accident reconstruction, who were able to
utilize the computer data in their assessment. Not only were they able to calculate the
speed of the accused’s vehicle, but also the path and speed of every vehicle in the tunnel
at that time. This was, in turn, successfully demonstrated to the Judge and jury in their
expert evidence presentation.
Less successful use of expert evidence
The matter raised in ‘Ruling No 1’ was a discrepancy between the Telstra mobile
telephone system time and the CityLink computer system time. This was a significant
issue because the Crown’s ‘draft opening’ and ‘oral submissions’ contended that the accused had
intentionally answered their mobile phone, distracting them from driving and
contributing to the incident. When the discrepancy became apparent, the Crown was left
in a position where they would attempt to argue the exact opposite.
The discrepancy was a seven-second difference between the Telstra mobile telephone
system and the CityLink computer system. If the times had been synchronized, the call
would have occurred after the impact and incident, and this was not possible because the
phone was in the truck while it was on fire and the driver had already escaped the
vehicle.
The Crown had originally planned to lead evidence from Telstra and CityLink as to the
operation and accuracy of their clocks. This type of evidence would, in all likelihood,
need to be provided by expert witnesses, in presenting evidence of a system’s operation
and accuracy. When it was revealed the two systems were not synchronized, it no
longer supported the Crown’s argument and needed to be brought to the Court’s attention.
Despite the clocks of the two systems being shown to be accurate after the incident,
there was an unaccounted discrepancy at the time of the incident. As the Judge
commented in his Ruling address, ‘one or other of the two clocks must have been
operating inaccurately on the morning in question’. After the Ruling was made, it
negated the need for the evidence to be adduced, and the reason for the seven-second
discrepancy would remain unknown.
The Judge was uncomplimentary of the Crown for their ‘remarkable change of
position’, especially as it was a ‘carefully considered submission, prepared in writing
well in advance of the trial’. It is open to speculation that the Crown did not ensure an
adequate computer forensic investigation was undertaken of the systems, and did not
produce evidence that could be supported by expert witnesses. It could also be possible
that the Crown’s preparations were incomplete or were not thorough enough to uncover
the discrepancy.
A Question of Timing
The scenario that unfolded on 23-Mar-2007 was attributed to the driver of one of the
trucks involved in the incident. On this occasion evidence from the CityLink computer
systems was used in the incident reconstruction, and contained the records, or expert
evidence, of a crime. ‘Ruling No 1’ left an outstanding question of one or the other
system’s clock operating inaccurately. This could have had implications for other aspects
of the trial that relied upon expert evidence from the computer systems.
The Burnley Tunnel Fire received considerable media and public attention, and
led the State Coroner to appoint an Independent Investigator, which was
provided through the services of special expert investigator, Professor Arnold Dix. The
Coroner’s report is still subject to suppression by Court Order; however, Dix has made
reference to some of his observations through his own publications (ABC News 2008a,
2008b).
A section of dialogue from the trial frequently quoted by Dix is the evidence provided
by the CityLink computer operator who was responsible for activating the water deluge
system in response to the incident. The preamble to this is that the operator had initiated
all the necessary computer incident response plans for managing the traffic, and had
reached the point of responding to the ensuing fire. Following is the dialogue between
the Crown, the Operator and the Judge:
Operator: then at 9.56 I activated the deluge system
Crown: Did the deluge come on or did you have to do something more?
Operator: The deluge didn't come on straight away so for a second time I clicked the same zone again, [it] took about 30 seconds for that zone to activate.
Judge: Sorry, you dropped your voice again at the end?
Operator: Sorry, Your Honor. Yes, I had to - I clicked it for a second time. It took about 30 seconds for that zone to activate.
Crown: And did the deluge system eventually activate?
Operator: It did, yes.
In this dialogue there is an indication the CityLink computer system did not function as
expected, and saw a delay of 30 seconds that was not expected (Dix 2010).
Without access to the full trial transcript or the Coroner’s incident investigation report,
it is impossible to ascertain if there could have been a more serious computer system
issue present on the day of the fire. However, it is worthy of consideration that if it was
seen that the computer system was a contributing factor in the deaths, due to it not
responding as designed, it could have become the focus of the investigation.
If the computer system was found to be a contributing factor, there is some question as
to whether it is the subject of a crime, the tool of the crime, or the record of a crime, or
another unexplored category.
The result of the ruling was that no evidence ought to be led regarding the mobile phone
calls. This was due to the prosecution significantly changing their position in regard to
the digital evidence, which led to the evidence being excluded.
Case study 3 – Attempted Murder - mobile phone forensics
There is a single Court transcript to be reviewed in this case study, from the Supreme
Court of Victoria, Melbourne Criminal Division. It is for a hearing on 14-Jun-2012 and
subsequent ruling on 15-Jun-2012, ‘DPP v Waleed Haddara (Ruling No 2) [2012] VSC
277’. It is not a transcript of the whole trial; it is of a ruling for the late admittance of
digital evidence, bringing into question the computer forensic evidence and the expert
witness.
In this scenario the computers are mobile phones, and are believed to have contained
records of a crime. When the crime was allegedly committed, there were voice
recordings and photos created on mobile telephones by an accomplice of the accused,
which were later tendered as supporting evidence. Both the prosecution and defence had
access to the evidence prior to the trial as hand-up briefs for the case.
The timeline of this case is relatively straightforward, with the crime allegedly being
committed on 6-Jun-2010, the trial hearing undertaken during June 2012 and the
Ruling made on 15-Jun-2012.
Of particular interest in this case is the qualification of the expert witness, and the
method used to obtain the forensic evidence. The prosecution’s mobile phone ‘expert
witness’, as they were identified by the defence Counsel, was alleged to be qualified by
being ‘employed by Nokia Corp as an assistant manager of its Hurstville store’. In their
role, one of their duties is to analyze customers’ mobile phones and assist with the
backup or recovery of data.
Even though the expert had not presented their evidence in court, they were responsible
for assisting the Police in the original analysis and extraction of the data from the
mobile phone. The voice recording and photo data obtained from the phone formed part
of the trial hand-up brief, which contained date and time stamp information with copies
of the files.
The key witness had claimed they had made the recordings and taken the photos on
their phone at the scene of the crime. What the defence Counsel were able to discover
prior to the trial was that there were discrepancies in the file time stamps, the evidence
statement of the expert and the statement of the key witness for the prosecution. This
was made known to the prosecution by the defence at the beginning of the trial, and
shortly after referred to in their opening addresses. At that time the prosecution
appeared to have made little effort to address the issue.
It was then almost a week into the trial, when the defence was cross-examining the
prosecution’s key witness, that the issue of the inconsistencies in the time stamps was
raised by the defence. It appears that at this time the prosecution decided they needed to
obtain an explanation and were attempting to contact the Melbourne Nokia shop,
however it had closed and they were then seeking a Nokia expert from Sydney.
At this time the prosecution and their expert witness suggested, (what could possibly
have been pure speculation), that the time stamp issues could have been a result of the
mobile phone operating on a European version of software, and its date and time had
defaulted to Greenwich Mean Time. The Counsel for the defence appeared to be
reasonably confident the hypothesis did not adequately explain the discrepancies.
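Both timing problems raised in these two cases, the unexplained seven-second offset between the Telstra and CityLink clocks in ‘Ruling No 1’ and the ‘defaulted to Greenwich Mean Time’ hypothesis here, are checks a forensic practitioner can make before a timeline is put to a Court. The following is an added example, not from the thesis or from either case; every reading in it is constructed, and the AEST offset and the tolerance allowed for a witness’s recollection are assumptions.

```python
"""Relating timestamps from independent clocks before asserting an event order.

Added example, not part of the thesis and not taken from any of the cases.
All readings below are constructed; the values marked "assumed" are inputs a
practitioner would have to establish from the systems and witnesses themselves.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ClockSource:
    name: str
    offset: timedelta       # add to a reading to obtain reference time (best estimate)
    uncertainty: timedelta  # largest plausible error in that estimate, carried as a bound


@dataclass(frozen=True)
class Event:
    label: str
    source: ClockSource
    reading: datetime       # the value the source clock actually recorded

    def earliest(self) -> datetime:
        return self.reading + self.source.offset - self.source.uncertainty

    def latest(self) -> datetime:
        return self.reading + self.source.offset + self.source.uncertainty


def order(a: Event, b: Event) -> str:
    """'before' or 'after' only when the error bounds cannot overlap; else 'indeterminate'."""
    if a.latest() < b.earliest():
        return "before"
    if a.earliest() > b.latest():
        return "after"
    return "indeterminate"


def scenario_unsynchronised_clocks():
    """The same two records, read under three treatments of a 7 s clock discrepancy."""
    # Constructed readings: a control-system log puts the impact at 09:54:10 on its
    # own clock; the telephone network puts the call as answered at 09:54:15 on its.
    impact_reading = datetime(2007, 3, 23, 9, 54, 10)
    call_reading = datetime(2007, 3, 23, 9, 54, 15)
    telco = ClockSource("telephone network", timedelta(0), timedelta(0))
    call = Event("call answered", telco, call_reading)

    # (1) Both clocks taken on trust: the call is 5 s after the impact.
    trusted = ClockSource("control system", timedelta(0), timedelta(0))
    on_trust = order(call, Event("impact", trusted, impact_reading))

    # (2) A later comparison shows the control-system clock 7 s slow, and that
    #     offset is applied as if exact: the call now precedes the impact.
    corrected = ClockSource("control system", timedelta(seconds=7), timedelta(0))
    as_exact = order(call, Event("impact", corrected, impact_reading))

    # (3) Nothing shows how the clock behaved on the day itself, so the 7 s is
    #     carried as an error bound rather than as a correction.
    bounded = ClockSource("control system", timedelta(seconds=7), timedelta(seconds=7))
    with_bound = order(call, Event("impact", bounded, impact_reading))
    return on_trust, as_exact, with_bound


def zone_default_explains(file_stamp: datetime, witness_local: datetime,
                          zone_offset: timedelta, tolerance: timedelta) -> bool:
    """Does 'the device stamped its files in UTC' account for a file/witness mismatch?

    It does only if shifting the stamp by the whole zone offset lands within the
    tolerance allowed for the witness's recollection of local time.
    """
    return abs(file_stamp + zone_offset - witness_local) <= tolerance


def scenario_timezone_default():
    """Two constructed file stamps checked against a witness account of about 09:15 local."""
    aest = timedelta(hours=10)            # assumed zone: Melbourne in June, no daylight saving
    witness = datetime(2010, 6, 6, 9, 15, 0)
    slack = timedelta(minutes=15)         # assumed tolerance on the witness's recollection
    # Exactly ten hours behind local: a UTC default fully accounts for it.
    consistent = zone_default_explains(datetime(2010, 6, 5, 23, 15, 0), witness, aest, slack)
    # 7 h 20 min behind local: no whole-zone default produces this, so the
    # hypothesis does not explain it and the discrepancy remains open.
    inconsistent = zone_default_explains(datetime(2010, 6, 6, 1, 55, 0), witness, aest, slack)
    return consistent, inconsistent


if __name__ == "__main__":
    print("clock discrepancy, three treatments:", scenario_unsynchronised_clocks())
    print("UTC-default hypothesis, two stamps:", scenario_timezone_default())
```

The third treatment in the first scenario is the one that matches the Judge's observation that one clock or the other was inaccurate on the morning in question: without evidence of the clock's behaviour on the day, the ordering cannot be asserted either way.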
The Judge, in his assessment of the situation, stated that the prosecution’s expert witness
was possibly a witness to the obtaining of the data from the mobile phone for the
Police; however, they were not necessarily an expert. This is a significant change in the
evidence from the witness, as they are now providing evidence of an observation as to a
point of fact, rather than providing expert opinion. This point was also noted by the
Judge.
This case, unlike the Maroochy water case, highlights what can transpire if the forensic
computing is not undertaken by those expert in forensics, and the benefits of utilizing
Counsel that are well versed in computer forensic processes.
This is highlighted by the Judge who points out to the prosecution that it is
inconceivable for a case whose evidence is dependent upon date and time stamping of
digital evidence to not have anticipated that it would be one of the first lines of cross-
examination for the defence.
The result of the ruling was that the prosecution’s evidence from their witness or expert
witness was ruled as being inadmissible.
Conclusion
The three cases that were chosen provided three unique insights into the use of
computer forensic evidence from crimes and the role that expert evidence and expert
witnesses played in the trials. These three cases were the ‘Maroochy Water Hacking
Incident’, the ‘Burnley Tunnel Fire Incident’, and ‘Attempted murder – mobile phone
forensics’.
The ‘Maroochy Water Hacking Incident’ involved computer hacking, Supervisory
Control and Data Acquisition (SCADA) systems, expert evidence and expert witnesses.
The incident has received considerable attention from academia, governments and
industry in regard to SCADA security and SCADA forensic readiness. However, this
appears to be the first occasion it has been considered from an expert evidence and
expert witness perspective. From a cyber-crime perspective, it is an example of a
computer as the subject of crime and as the tool of a crime.
The ‘Burnley Tunnel Fire Incident’ involved Supervisory Control and Data Acquisition
(SCADA) systems, and forensic or expert evidence. During the incident investigation
and subsequent trial, there was considerable use of data from the computer systems
within the tunnel, and there was some questioning of the time synchronization of the
systems which led to evidence being withdrawn. From a cyber-crime point of view, it
was neither the subject of, nor the tool of a crime; however, it is an example of a
computer record of, or witness to, an unrelated crime.
The ‘Attempted murder – mobile phone forensics’ case involved computer forensic
evidence and expert witnesses. From a cyber-crime point of view, it was neither the
subject of, nor the tool of a crime; however, it is an example of a computer record of, or
witness to, a crime. The digital evidence in this case is possibly slightly different from
the previous cases, in that the evidence appeared to have been deliberately recorded on a
mobile phone by one of the participants in the crime.
During each of the case studies, it is possible to observe that the Courts were capable of
receiving and processing expert evidence from expert witnesses of computer forensic
investigations. However, the capabilities of either the prosecution or the defence in
adequately presenting their computer forensic evidence were found to be wanting.
The prosecution for ‘Maroochy Water Hacking Incident’ was well prepared and
presented a very strong case through the use of their expert witnesses. The defence
however, appeared to not have undertaken any preparations, did not call any expert
witnesses, and was not effective in their cross-examinations. This resulted in a
significant imbalance of the use of expert evidence and expert witnesses, and may have
contributed to the subsequent unsuccessful appeals.
During the original trial there were 13 witnesses called by the prosecution. One is
known to be a police computer expert, and five known to be employees of Hunter
Watertech. Some of the Hunter Watertech employees are referred to as witnesses and
are used in the identification and ownership of equipment seized during the arrest. At
least two are referred to as expert witnesses, recorded as providing opinion evidence for
the interpretation of data and computer system behavior. This appears to suggest that
organizations would benefit from being aware of the Court’s requirements of both
witnesses and expert witnesses.
In the ‘Burnley Tunnel Fire Incident’ trial the Crown had originally planned to lead
evidence from Telstra and CityLink as to the operation and accuracy of their clocks.
This type of evidence would, in all likelihood, need to be provided by expert witnesses,
in presenting evidence of a system’s operation and accuracy. When it was revealed the
two systems were not synchronized, it no longer supported the Crown’s argument and
needed to be brought to the Court’s attention.
Despite the clocks of the two systems being shown to be accurate after the incident,
there was an unaccounted discrepancy at the time of the incident. As the Judge
commented in his Ruling address, ‘one or other of the two clocks must have been
operating inaccurately on the morning in question’. After the Ruling was made, it
negated the need for the evidence to be adduced, and the reason for the seven-second
discrepancy would remain unknown.
The Judge was uncomplimentary of the Crown for their ‘remarkable change of
position’, especially as it was a ‘carefully considered submission, prepared in writing
well in advance of the trial’. It is open to speculation that the Crown did not ensure an
adequate computer forensic investigation was undertaken, and did not produce evidence
that could be supported by expert witnesses. It could also be possible that the Crown
preparations were incomplete or were not thorough enough to uncover the discrepancy.
The prosecution’s case in the ‘Attempted murder – mobile phone forensics’ trial was
significantly dependent upon voice recordings and photos from a mobile telephone.
Unfortunately those claiming to be experts undertaking the forensic computing were not
thorough, which resulted in inconsistencies in the date and time stamping of the files.
This fact was not lost on the defence Counsel, who was able to make good use of the
shortcomings.
The Judge, in his assessment of the situation, stated that the prosecution’s expert witness
was a witness to the obtaining of the data from the mobile phone for the Police;
however, they were not necessarily an expert. This was a significant change in the
evidence from the witness: rather than providing expert opinion, they were a witness giving
evidence of an observation as to a point of fact. This point was also noted by the Judge.
This case, unlike the Maroochy water case, highlighted what can transpire if the
forensic computing is not undertaken by those expert in forensics, and the benefits of
utilizing Counsel that are well versed in computer forensic processes. This is
highlighted by the Judge, who pointed out to the prosecution that it is inconceivable for a
case whose evidence is dependent upon date and time stamping of digital evidence to
not have anticipated that it would be one of the first lines of cross-examination for the
defence.
The results of the three case studies have been summarized in Table 3. The table
presents the issues and an indication of how each case fared.
Y = specifically referred to in proceedings, y = inferred in proceedings, N = does not
appear in proceedings, n/a = not applicable, ? = unknown
Table 3 - Case Summary

Issue                                    Maroochy Water  Burnley Tunnel Fire  Phone Expert
Digital Evidence                         Y               Y                    Y
Expert Witness                           Y               y                    Y
Prosecution Expert Witness               Y               y                    Y
Defence Expert Witness                   N               ?                    N
Bias                                     y               ?                    y
Appeals                                  Y               N                    ?
Rulings related to admissibility         N               Y                    Y
Computer Subject of a crime              Y               N                    N
Computer Tool of a crime                 Y               N                    y
Computer Record of the crime             y               N                    Y
Computer Record of an unrelated crime    N               Y                    N
6 Conclusion and Future Work
Conclusion
This thesis proposed the concept that, despite the ever increasing landscape of cyber-
crime, the prospect of an incident involving SCADA systems, the finite resources to
investigate it, and the Court’s requirements, the role of expert evidence and the expert
witness may not be as widely known as it needs to be.
This study undertook to examine the role of the forensic computing expert witness
from three different, but related, perspectives. The research performed an analysis of the
Court requirements of the expert witness, how well these requirements are represented
in Australian standards, and finally, observed the effectiveness of expert witnesses in
Court hearings.
Court Requirements
During this thesis, research was undertaken to establish the Court’s requirements of the
expert witness. Analysis of the requirements from Courts of various Australian
jurisdictions and from other countries suggests there are clear and established
requirements of expert evidence and the expert witness.
An issue that is apparent in the law reform reports both here in Australia, and from other
countries, was that of ‘bias’ of the expert witness. All jurisdictions had the expectation
and requirement that the expert witness’ sole responsibility was to the Court and not to
any other party. This is not a recent phenomenon, as it can be found to be an issue
historically. The recommendation from the law reform reports was for establishing
minimum requirements through publication of an expert witness ‘Code of Conduct’.
Most Court jurisdictions in Australia now have a ‘Code of Conduct’ or ‘Practice
Direction’ for expert witnesses to advise the potential expert of the Court’s
requirements. The ‘Code of Conduct’ is required to be provided to the expert at the time
of engagement. The expert must ‘acknowledge that they have read the code and agree to
be bound by it’.
An example ‘Code of Conduct’ is provided in Appendix A, Form 44A, from the
Supreme Court (General Civil Procedure) Rules 2005 (Victoria). The content of Form
44A is typical of the ‘Code of Conduct’ or ‘Practice Directions’ now used.
In summary the ‘Code of Conduct’ advises the expert witness that their ‘duty is to the
Court and no other parties’, to ‘demonstrate how they are to be qualified to be expert,
by training, studies or experience’, that ‘they should be only providing expert opinion
on evidence of which they are expert’, and that ‘this shall be provided to the Court
through an Expert Report’.
Complementing the ‘Code of Conduct’ is the ‘Expert Report’, which is known as
the ‘Expert Certificate’ in some jurisdictions. Where the ‘Code of Conduct’ is the Court
communicating its requirements to the expert witness, the ‘Expert Report’ is for
the expert to communicate back to the Court. The ‘Expert Report’ is seen to
significantly improve the communication from the expert back to the Courts prior to trial
and hearing, in a format that is able to be more readily processed and assessed by the
Courts.
Standards
The standards and guides considered during this thesis were: ‘AS/NZS ISO/IEC
27001:2006 Information technology - Security techniques - Information security
management systems – Requirement’, ‘AS/NZS ISO/IEC 18044:2006 Information
technology—Security techniques—Information security incident management’, ‘HB
171:2003 Handbook Guidelines for the management of IT evidence’, ‘NIST SP800-86 -
Guide to Integrating Forensic Techniques into Incident Response’, ‘AS/NZS ISO/IEC
15443.1:2006 - Information technology—Security techniques—A framework for IT
security assurance Part 1: Overview and framework’, and ‘RFC 3227 - Guidelines for
Evidence Collection and Archiving’ (Brezinski & Killalea 2002; Standards Australia
2003; Kent et al. 2006; Standards Australia 2006c, 2006b, 2006a).
The standards and guides did not necessarily purport to offer a comprehensive
methodology for undertaking digital forensic investigations. However, the analysis
indicates that there is very little acknowledgement of the requirements of Courts in
relation to the role of expert evidence and expert witnesses. This was disappointing, as
collectively they were expected to provide a compilation of publicly available best
practice guides for performing digital forensic investigations.
There was not an expectation that the standards on their own would provide a
comprehensive methodology for undertaking cyber incident response, along with the
capability to provide computer forensic data which was presentable and admissible in a
Court of Law. However, collectively, it was anticipated that they may provide sufficient
guidance to allow the practitioner to be well informed of the likely requirements of IT
evidence by the Courts.
The standards do not appear to cross-reference one another in regard to incident
management and management of IT evidence. If AS27001 is considered to be the
overarching standard, it could have made reference to AS18044 for incident
management. If AS18044 is the next tier down, it could in turn have made reference to
HB171 for management of IT evidence. More efficient use could be made of the
standards if they cross-referenced each other.
HB171 contained a copy of the Expert Witness Code of Conduct, but provided very
little comment on the purpose and implications of the Code for the management of IT
evidence. The other standards did not demonstrate an awareness of the Court’s
expectations or requirements. Yet many of the standards detailed a forensic process and
noted that the resulting evidence could be used in disciplinary, civil or criminal
proceedings. Without an awareness of the Court’s requirements, this could result in
inadequately prepared evidence that is inadmissible.
The standards all contained requirements that personnel should be trained, undertake
studies and possess the necessary experience to undertake their roles. However, they did
not state the purpose for doing so, or that there could be implications for the evidence
and its presentation in a Court of Law. There was very little warning against exceeding
one’s knowledge, and no indication of the impact upon forensic evidence of doing so.
In their current form, the standards and guides are inadequate for preparing for and
responding to cyber incidents in a way that produces admissible computer forensic data
which can be presented by an appropriate expert witness and satisfies the Courts’
requirements.
Case Studies
The three cases that were chosen provided three unique insights into the use of
computer forensic evidence from crimes and the role that expert evidence and expert
witnesses played in the trials. These three cases were the ‘Maroochy Water Hacking
Incident’, the ‘Burnley Tunnel Fire Incident’, and ‘Attempted murder – mobile phone
forensics’.
The ‘Maroochy Water Hacking Incident’ involved computer hacking, Supervisory
Control and Data Acquisition (SCADA) systems, expert evidence and expert witnesses.
The incident has received considerable attention from academia, governments and
industry in regard to SCADA security and SCADA forensic readiness. However, this
appears to have been the first occasion it had been considered from an expert evidence
and expert witness perspective. From a cyber-crime perspective, it is an example of a
computer as the subject of crime and as the tool of a crime. This case demonstrated a
significant imbalance in the use of expert evidence and expert witnesses between the
prosecution and the defence, and may have contributed to the subsequent unsuccessful
appeals.
The ‘Burnley Tunnel Fire Incident’ involved Supervisory Control and Data Acquisition
(SCADA) systems, and forensic or expert evidence. During the incident investigation
and subsequent trial, there was considerable use of data from the computer systems
within the tunnel, and there was some questioning of the time synchronisation of the
systems, which led to evidence being withdrawn. From a cyber-crime point of view, the
computer was neither the subject nor the tool of a crime; however, it is an example of a
computer as a record of, or witness to, an unrelated crime. This case was open to the
speculation that the prosecution did not ensure an adequate computer forensic
investigation was undertaken, and did not produce evidence that could be supported by
expert witnesses.
The ‘Attempted murder – mobile phone forensics’ case involved computer forensic
evidence and expert witnesses. From a cyber-crime point of view, the computer was
neither the subject nor the tool of a crime; however, it is an example of a computer as a
record of, or witness to, a crime. The digital evidence in this case is possibly slightly
different from the previous cases, in that the evidence appeared to have been deliberately
recorded on a mobile phone by one of the participants in the crime. This case showed a
significant change in the computer forensic evidence given by the witness: from
providing expert opinion to giving witness testimony as an observation on a point of
fact.
In each of the case studies it can be observed that the Courts were capable of receiving
and processing expert evidence from expert witnesses on computer forensic
investigations. However, the capabilities of either the prosecution or the defence in
adequately presenting their computer forensic evidence were found to be wanting, and
thus the expert evidence or expert witnesses were not as effective as the cases required.
The overall findings have been summarised in Table 4, covering the Court
Requirements, Standards and Case Studies.
Table 4 - Overall Conclusion
Issues             Courts   Standards   Case Studies
Expert Witness     Y        n           Y
Evidence           Y        Y           Y
Digital Evidence   Y        y           Y
Expert Evidence    Y        N           Y
Qualifications     Y        y           Y
Bias               Y        N           y
Y = Stated explicitly, y = possible or inferred, N = Not present, n = Present but not used
Future Work
Each chapter of this thesis contains opportunities for future work in the fields of Court
Requirements, Standards and Case Studies.
Court Requirements
With cyber-crime not being limited to, or confined by state, territory or international
boundaries, it could be of value to examine the Court Requirements from a larger
international perspective.
Standards
It could be of value to canvass several organisations whose core business is not forensic
computing, and undertake an analysis of what capabilities exist for incident response
and what standards are utilised to support those activities.
Case Studies
A larger sample of case studies could be reviewed to enable a statistical analysis of the
effectiveness of the expert witness, their engagement, and the impact upon the
outcomes.
A textbook scenario
Review a critical infrastructure operator’s procedures and incident response capability
when responding to a cyber-threat, and assess how it might deal with the after-effects of
a cyber-crime. Analyse the organisation’s policies and procedures to ascertain how it
records and processes its digital evidence, and who would present such evidence in
Court.
References
ABC News 2008a, 'Court watches graphic video of Burnley tunnel crash', ABC News, 1 September 2008.
ABC News 2008b, 'Coroner orders suppression of Burnley Tunnel report', ABC News, 4 April 2008.
Alberta Law Reform Institute 2003, 'Expert Evidence and “Independent” Medical Examinations, Consultation Memorandum No. 12.3', February 2003.
Australian Law Reform Commission 2005, 'Uniform Evidence Law (ALRC Report 102)', 5 December 2005.
Brezinski, D & Killalea, T 2002, 'RFC 3227 - Guidelines for Evidence Collection and Archiving', IETF - http://www.ietf.org/rfc.html, February 2002.
Canadian Bar Association 1996, 'Systems of Civil Justice Task Force Report', August 1996.
Canadian Bar Association 2007, 'Effective And Affordable Civil Justice', June 2007.
Carey, A 2012, 'CityLink tunnels re-opened', The Age, 3 October 2012.
Carney, M & Rogers, M 2004, 'The Trojan Made Me Do It: A First Step in Statistical Based Computer Forensics Event Reconstruction', International Journal of Digital Evidence, vol. 2, no. 4, Spring 2004.
Casey, E 2009, 'Digital forensics: Coming of age', Digital Investigation, vol. 6, no. 1-2, September 2009.
Chaikin, D 2007, 'Network investigations of cyber attacks - the limits of digital evidence', Crime Law Soc Change (2006), vol. 46, no. 4-5, 15 March 2007, p. 18.
Choo, K-KR 2011a, 'The cyber threat landscape: Challenges and future research directions', Computers & Security, vol. 30, no. 8, pp. 719-731.
Choo, K-KR 2011b, 'Cyber threat landscape faced by financial and insurance industry', Trends & Issues in Crime and Criminal Justice, vol. 408, pp. 1-6.
Citilog 2003, 'Snapshot of Citilog Applications in Asia Pacific - Melbourne CityLink, Australia', <http://www.citilog.com/pdfs/Melbourne%20CityLinkLE_Snapshot.pdf>.
Commonwealth of Australia 2011, 'Federal Court Rules 2011', 20 July 2011.
Commonwealth of Australia 2012, 'Evidence Act 1995 (Cth)', Attorney General’s Department, 1 July 2012.
'Cybercrime Act 2001 (Cth)', www.findlaw.com.au, 11 Oct 2001.
Digital Forensic Research Workshop 2001, 'A Road Map for Digital Forensic Research', DFRWS TECHNICAL REPORT, November 6th, 2001.
District Court of Western Australia 2011, 'Consolidated Practice Direction Civil Jurisdiction (WA)', 27 October 2011.
Dix, A 2010, 'The Burnley Incident in a current theoretical perspective', 5th International Conference 'Tunnel Safety and Ventilation', Graz, Austria, 4 May 2010.
Edwards, J & Stavropoulos, P 2012, 'Melbourne back on the move', ABC News.
Endorf, CF 2003, 'Running an IT Investigation in the Corporate Environment', Global Information Assurance Certification Paper, 2003.
'Evidence Act 2008 (Vic)', 22 June 2011.
Fabro, M & Cornelius, E 2008, 'Recommended Practice: Creating Cyber Forensics Plans for Control Systems', DHS, August 2008.
Federal Court of Australia 2011, 'Practice Note CM 7 - Expert witnesses in proceedings in the Federal Court of Australia', 1 August 2011.
Fuller, G 2011, 'Australian crime: Facts & figures 2010', Australian Institute of Criminology, 2011.
Gaertner, M, Ruibin, G & Chan Kai Yun, T 2005, 'Case-Relevance Information Investigation: Binding Computer Intelligence to the Current Computer Forensic Framework', International Journal of Digital Evidence, vol. 4, no. 1, Spring 2005.
Grance, T, Kent, K & Kim, B 2004, 'NIST SP800-61 - Computer Security Incident Handling Guide', NIST, January 2004.
Hughes, A & Danne, A 2006, 'Expert Opinion Evidence in Australia', International Association of Defense Counsel, November 2006.
Hughes, G 2003, 'The cyberspace invaders', The Age.
Kent, K, Chevalier, S, Grance, T & Dang, H 2006, 'NIST SP800-86 - Guide to Integrating Forensic Techniques into Incident Response', NIST, August 2006.
Kirby, M 2002, 'Expert Evidence: Causation, Proof and Presentation', 3 July 2002.
Köpsén, S & Nyström, S 2012, 'Learning in practice for becoming a professional forensic expert', Forensic Science International, vol. 222, no. 1-3, 10 October 2012, pp. 208–215.
Levy, M 2012, 'Tunnels could be closed for afternoon peak', The Age, 3 October 2012.
Magistrates' Court of Victoria 'Magistrates' Court General Civil Procedure Rules 2010', 8 August 2011.
Makita (Australia) Pty Ltd v Sprowles 2001, NSWCA 305.
Martini, B & Choo, K-KR 2012, 'An integrated conceptual digital forensic framework for cloud computing', Digital Investigation, 4 July 2012.
McCullagh, A & McEniery, M 2002, 'Cybercrime Act: some unforeseen consequences', 19 Sep 2002.
McKemmish, R 1999, 'What is Forensic Computing?', Trends and Issues in Crime and Criminal Justice, no. 118, June 1999.
Meyers, M & Rogers, M 2004, 'Computer Forensics: The Need for Standardization and Certification', International Journal of Digital Evidence, vol. 3, no. 2, Fall 2004.
Meyers, M & Rogers, M 2005, 'Digital Forensics - Meeting the Challenges of Scientific Evidence', IFIP International Federation for Information Processing, 2005.
Montgomery, J & Bueker, T 2010, 'Incident Management An immediate reply', Thinking Highways, vol. 5, no. 1.
New South Wales Government 2006, 'Uniform Civil Procedure Rules (Amendment No 12) 2006', Gazette No 175, 8 December 2006.
New South Wales Law Reform Commission 2005, 'Expert Witnesses', Report 109, June 2005.
Osborne, C 2007, 'Civil Justice Reform Project: Summary of Findings and Recommendations', 23 November 2007.
Oxford University Press 'Definition for forensic', Oxford Dictionary.
Peisert, S, Bishop, M & Marzullo, K 2008, 'Computer Forensics In Forensis', ACM SIGOPS Operating Systems Review, vol. 42, no. 3, April 2008, pp. 112-122.
R v EVANS 2005, SASC 184.
Rowlingson, R 2004, 'A Ten Step Process for Forensic Readiness', International Journal of Digital Evidence, vol. 2, no. 3, Winter 2004.
Shinder, L & Cross, M 2008, 'Chapter 17 - Becoming an Expert Witness', Scene of the Cybercrime (Second Edition), 9 June 2008, pp. 693-725.
Simon, M & Slay, J 2007, 'Forensic Computing Training, Certification and Accreditation: An Australian Overview', IFIP International Federation for Information Processing, vol. 237, 2007, pp. 105-112.
Slay, J & Sitnikova, E 2009, 'The Development of a Generic Framework for the Forensic Analysis of SCADA and Process Control Systems', vol. 8, no. 1, 2009, pp. 77-82.
Slay, J, Sitnikova, E, Campbell, P, Daniels, B & May, R 2009, 'Process Control System Security and Forensics: A Risk Management Simulation.', 2009.
Standards Australia 2003, 'HB 171:2003 Handbook Guidelines for the management of IT evidence', Standards Australia.
Standards Australia 2006a, 'AS/NZS ISO/IEC 18044:2006 Information technology—Security techniques—Information security incident management', 2 August 2006.
Standards Australia 2006b, 'AS/NZS ISO/IEC 27001:2006 Information technology - Security techniques - Information security management systems - Requirements', 23-Jun-2006.
Standards Australia 2006c, 'AS/NZS ISO/IEC 15443.1:2006 - Information technology—Security techniques—A framework for IT security assurance Part 1: Overview and framework', 2 August 2006.
Supreme Court of Nova Scotia 2005, 'Civil Procedure Rules Revision Project, Evidence Working Group Final Report', May 19, 2005.
Supreme Court of South Australia 'Supreme Court Practice Directions 2006 (SA)', 1 April 2012.
Supreme Court Of The United States 2011, 'Federal Rules of Evidence', December 1, 2011.
Supreme Court of Victoria 2005, 'Supreme Court (General Civil Procedure) Rules 2005 (Victoria)', 8 August 2011.
Swedish Ministry of Justice 1998, 'The Swedish Code of Judicial Procedure'.
TISN 2005, 'SCADA Security - Advice for CEOs', 12-Jan-2005.
Transdyn 2011, CityLink Automated Tollway Traffic & Facilities Management System, updated 27-May-2011, <http://www.transdyn.com/pdf/citylink-automated-tollway-traffic-management-system.pdf>.
Victorian Government 2010, 'Security of Infrastructure Control Systems for Water and Transport', October 2010.
Victorian Law Reform Commission 2008a, 'Civil Justice Review - Report 14', March 2008.
Victorian Law Reform Commission 2008b, 'Civil Justice Review: Report - Chapter 7: Changing The Role Of Experts', 01 Jan 2008.
Woolf, H 1996, Access to Justice: Final Report to the Lord Chancellor on the Civil Justice System in England and Wales, H.M. Stationery Office.
Yasinsac, A & Manzano, Y 2001, 'Policies to Enhance Computer and Network Forensics', Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, United States Military Academy, West Point, NY, 5-6 June 2001.
Case Reference List
Boden v The Queen B55/2002 [2003] HCATrans 828
DPP v Waleed Haddara (Ruling No 2) [2012] VSC 277
Makita (Australia) Pty Ltd v Sprowles [2001] NSWCA 305
R v Boden [2002] QCA 164
R v Evans [2005] SASC 184
R v Kalwig [2009] VSC 373
R v Kalwig (Ruling No 1) [2009] VSC 213
Legislation Reference List
'Criminal Code Act 1995 (Cth)', Attorney General’s Department, 29 July 2011.
'Cybercrime Act 2001 (Cth)', www.findlaw.com.au, 11 Oct 2001.
'Evidence Act 1995 (Cth)', Attorney General’s Department, 1 July 2012.
'Evidence Act 2008 (Vic)', 22 June 2011.
Appendix A Form 44A
Supreme Court (General Civil Procedure) Rules 2005
S.R. No. 148/2005
FORM 44A
Rule 44.01
EXPERT WITNESS CODE OF CONDUCT
1. A person engaged as an expert witness has an overriding duty to assist the Court impartially on matters relevant to the area of expertise of the witness.
2. An expert witness is not an advocate for a party.
3. Every report prepared by an expert witness for the use of the Court shall state the opinion or opinions of the expert and shall state, specify or provide—
(a) the name and address of the expert;
(b) an acknowledgement that the expert has read this code and agrees to be bound by it;
(c) the qualifications of the expert to prepare the report;
(d) the facts, matters and assumptions on which each opinion expressed in the report is based (a letter of instructions may be annexed);
(e) (i) the reasons for,
(ii) any literature or other materials utilized in support of,
(iii) a summary of—
each such opinion;
(f) (if applicable) that a particular question, issue or matter falls outside the expert's field of expertise;
(g) any examinations, tests or other investigations on which the expert has relied, identifying the person who carried them out and that person's qualifications;
(h) a declaration that the expert has made all the inquiries which the expert believes are desirable and appropriate, and that no matters of significance which the expert regards as relevant have, to the knowledge of the expert, been withheld from the Court;
(i) any qualification of an opinion expressed in the report without which the report is or may be incomplete or inaccurate; and
(j) whether any opinion expressed in the report is not a concluded opinion because of insufficient research or insufficient data or for any other reason.
4. Where an expert witness has provided to a party (or that party's legal representative) a report for the use of the Court, and the expert thereafter changes his or her opinion on a material matter, the expert shall forthwith provide to the party (or that party's legal representative) a supplementary report which shall state, specify or provide the information referred to in paragraphs (a), (d), (e), (g), (h), (i) and (j) of clause 3 of this code and, if applicable, paragraph (f) of that clause.
5. If directed to do so by the Court, an expert witness shall—
(a) confer with any other expert witness; and
(b) provide the Court with a joint report specifying (as the case requires) matters agreed and matters not agreed and the reasons for the experts not agreeing.
6. Each expert witness shall exercise his or her independent judgment in relation to every conference in which the expert participates pursuant to a direction of the Court and in relation to each report thereafter provided, and shall not act on any instruction or request to withhold or avoid agreement.
Authorised by the Chief Parliamentary Counsel
(Supreme Court of Victoria 2005)