Trial Illustration Posters

The Perfect Aid for Testimony About Computer Evidence in Court

It has been said for ages and it is certainly true when computer evidence is presented in trial or during a deposition....."A picture is worth a thousand words".

Many times juries, judges and lawyers have a difficult time understanding complex computer terms and related computer technology issues. When trial illustrations are used, in combination with expert testimony, juries and judges quickly grasp the technical issues. For this reason, NTI has created a series of eight trial illustration posters for use by computer forensics experts in court. The use of these generic computer forensics trial illustrations is demonstrated in NTI's Computer Expert Witness Training Course and each participant of that training class receives a full set of the trial illustration posters in the price of tuition. The posters can also be purchased separately and they are laminated in plastic for durability. The trial illustration posters measure 2 feet by 3 feet so they are large enough for visibility in the court room but they are still small enough for portable. NTI can also create customized trial illustrations with in-house graphics talent for use in specific instances when a visual presentation of technical computer evidence is required.

NTI's Set of Eight Trial Illustration Posters

Poster 1

Bit Stream Backups are essential in the preservation of computer evidence and NTI's SafeBack software is the industry standard for the US DoD, FBI, DEA, etc. However, the concept of making an exact bit stream backup can be difficult for a jury to fully understand. NTI has created a trial illustration poster which is intended for use by expert witnesses who may be required to testify about the making of an "evidence grade" copy of a computer hard disk drive. In this case, Aimee McGinnis is using one of the posters to describe the accuracy of a bit stream backup in combination with her testimony about the process.

Poster 2

Sectors are the most basic building blocks of data storage on computer data storage devices. When physical computer forensic searches are required using low level computer forensic search utilities like NTI's TextSearch Plus sectors become the reference point used to identify where the targeted data was found. In this example Sean Barry is using a trial illustration poster to supplement his testimony about evidence found in a sector on a computer hard disk drive.

Poster 3

Clusters consist of even numbered blocks of sectors and they are the building blocks of computer files. The last cluster assigned to a file is also where File Slack is found. Cluster sizes vary depending upon the operating system involved and in some cases the size of the data storage device involved. In this case Jerry Shallenberger is using a trial illustration poster to assist in his explanation of data associated with a particular cluster on a hard disk drive.

Poster 4

File Dates and Time Stamps are extremely important in computer related investigations. Microsoft-based operating systems automatically record file creation dates and times, last modified dates and times, and access dates. In the case of Windows NT, Windows 2000 and Windows XP access times are also automatically recorded. These dates and times are important in creating timelines of computer usage and in the investigation of conspiracies which involve computer usage. In this example, Scott Stevens is using a trial illustration poster to describe how file dates and times are stored on computer storage devices.

Poster 5

Windows Swap Files are used transparently by Microsoft Windows operating systems and the data stored in the swap file can be a source of valuable leads and evidence in computer related investigations. These unique files essentially act as a scratch pad for use by the operating system and Windows swap files can potentially contain any data that was viewed, read, created or even touched by a Windows-based application. In this example, Andrew Batman is using a trial illustration poster to supplement his testimony concerning evidence found in a Windows swap file.

Poster 6

Ram Slack is a unique source of potential leads and evidence in computer related investigations. Slack potentially is tied to every file (and previously deleted file) on the computer. Most computer users, jury members and judges are unaware of file slack and ram slack as a potential source of computer leads and evidence. In this case, Mike Sanders is using a trial illustration to supplement his testimony concerning evidence found in ram slack.

Poster 7

Deleted files aren't really deleted when it comes to Microsoft based operating systems. When files are deleted, by the computer user, the storage space assigned to the file is released and made available for the overwrite of new files. Sometimes this space is referred to as unallocated storage space but it is interesting to note that the data remains behind for forensic discovery until the space is overwritten. In this example, Wayne Bowers is using a trial illustration poster to supplement his testimony concerning data found in a previously deleted file.

Poster 8

Mathematical Hashing is used in computer forensics to identify changes made to data and it is also used to verify the exact match of identical data sources. Mathematical hashes are frequently used in computer forensics when accuracy is important. Some computer forensics tools automatically incorporate mathematical hashes, e.g., when bit stream backups are made. In this example, Ryan Anderson is using a trial illustration to help explain the use of the RSA MD5 hash when files are compared.