viaForensics » Computer Forensics Glossary Archives – viaForensics

ADP1

ahoog — Thu, 19 Feb 2009 17:38:22 +0000

The Android Developer Phone (ADP or ADP1) is a version of the G1/HTC Dream for developers and engineers. Some differences from the retail version include a slightly different look and feel, root access, unlokced SIM and an special bootloader (to name a few). Here is a nice write up (with pictures) on the ADP1.

IMSI

ahoog — Sun, 15 Feb 2009 20:38:47 +0000

The International Mobile Subscriber Identity (IMSI) is an 18-20 digit number uniquely identifying each SIM card. The information can be used to identify, track or clone a subscriber and is sent as rarely as possible. Instead, a randomly generated Temporary Mobile Subscriber Identity (TMSI) is used whenever possible.

The first 3 digits of the IMSI represent the Mobile Country Code followed by 2-3 digits for the Mobile Network Code. The remaining digits are the Mobile Station Identification Number (MSIN) assigned by the network provider.

SWGDE

ahoog — Sun, 15 Feb 2009 12:46:11 +0000

Scientific Working Group on Digital Evidence (SWGDE) is a government and law enforcement only that “brings together organizations actively engaged in the field of digital and multimedia evidence to foster communication and cooperation as well as ensuring quality and consistency within the forensic community.”

In their Best Practices for Computer Forensics, they have a section on “Forensic Analysis/Examination of Non-Traditional Computer Technologies” which I think is important as it addresses situations that ultimately do arise.

IMEI

ahoog — Sat, 07 Feb 2009 20:53:59 +0000

International Mobile Equipment Identifier (IMEI) is a code uniquely identifying the a GSM cell phone on the network generally displayed on a phone beneath the battery. They can have 15 (14 decimal digits plus a check digit) or 16 (IMEISV) digits and encoded in the number are the origin, model, and serial number of the device. Devices generally report their IMEI number by typing *#06# on the phone.

tableau-parm

ahoog — Tue, 13 Jan 2009 22:06:14 +0000

tableau-parm is a utility which runs on Linux for interaction with Tableau’s forensic write blockers. If you use Tableau’s products and don’t run on Windows, you can use this utility to query information from the write blocker (i.e. hard drive information, HPA, DCO, etc.) and even remove HPA/DCO. The Windows version of the utility by Tableau is called Tableau Disk Monitor. If you use their hardware, ensure the firmware is up to date with Tableau Firmware Update.

Sample Output

Below is sample out from the T35e connected to a WD SATA hard drive:

wintermute:/home/ahoog# tableau-parm /dev/sdd
## Bridge Information ##
chan_index: 0×00
chan_type: SATA
writes_permitted: FALSE
declare_write_blocked: TRUE
declare_write_errors: TRUE
bridge_serial: 000ECC020035C00F
bridge_vendor: Tableau
bridge_model: T35e
firmware_date: Nov 6 2008
firmware_time: 14:22:38

## Drive Information ##
drive_vendor:
drive_model: WDC WD2500JD-55HBB1
drive_serial: WD-WCAL73972498
drive_revision: 08.02D08

## Drive HPA/DCO/Security Information ##
security_in_use: FALSE
security_support: TRUE
hpa_in_use: FALSE
hpa_support: TRUE
dco_in_use: FALSE
dco_support: TRUE
drive_capacity: 488397168
hpa_capacity: 488397168
dco_capacity: 488397168

exifprobe

ahoog — Mon, 05 Jan 2009 18:59:47 +0000

Exifprobe is a utility to read EXIF information from digital image files. I compiles and runs easily on Linux. From the website:

“Exifprobe reads image files produced by digital cameras (including several so-called “raw” file formats) and reports the structure of the files and the auxilliary data and metadata contained within them. In addition to TIFF, JPEG, and EXIF, the program understands several formats which may contain “raw” camera data, including MRW, CIFF/CRW, JP2/JPEG2000, RAF, and X3F, as well as most most TIFF-derived “raw” formats, including DNG, ORF, CR2, NEF, K25/KDC/DCR, and PEF.”

Sample output is available in our exif definition.

EXIF

ahoog — Mon, 05 Jan 2009 18:51:48 +0000

Exchangeable Image File Format (EXIF) is a standard for storing information (or metadata) with an digital image, generally one from a digital camera. EXIF can contain valuable information about an image, in some cases it will even store the GPS coordinates of where the picture was taken.

Concerns over verifiability of EXIF data

While EXIF data can be extremely useful, a forensic analysts must not assume this data is accurate. This information can be easily manipulated or modified. For instance, the time on the camera can be easily changed. Or the GPS device may be inaccurate. Also, there are widely available programs which will allow you to view and update the EXIF information. In the easly iPhone 2.x releases, the GPS data (also known as a geotag, geocode or geolocation) was missing the degree of seconds, making it impossible to point point the exact location.

Sample output

For reference, the following is the EXIF information recovered from a .jpg that was carved from a file system:

FileType = JPEG
FileSize = 145653
JPEG.APP0           = @2:16
JPEG.APP0.Version       = 1.1
JPEG.APP0.Units         = ‘dots/inch’
JPEG.APP0.Xdensity      = 96
JPEG.APP0.Ydensity      = 96
JPEG.APP0.XThumbnail    = 0
JPEG.APP0.YThumbnail    = 0
JPEG.APP1           = @20:10454
JPEG.APP1.Ifd0.Make                        = ‘Canon’
JPEG.APP1.Ifd0.Model                       = ‘Canon PowerShot SD900′
JPEG.APP1.Ifd0.Orientation                 = 1 = ’0,0 is top left’
JPEG.APP1.Ifd0.XResolution                 = 180
JPEG.APP1.Ifd0.YResolution                 = 180
JPEG.APP1.Ifd0.ResolutionUnit              = 2 = ‘pixels per inch’
JPEG.APP1.Ifd0.DateTime                    = ’2008:05:31 09:42:15′
JPEG.APP1.Ifd0.YCbCrPositioning            = 1 = ‘centered’
JPEG.APP1.Ifd0.TAG_0x1001                  = 3648
JPEG.APP1.Ifd0.TAG_0x1002                  = 2736
JPEG.APP1.Ifd0.ExifIFDPointer              = @308
JPEG.APP1.Ifd0.CustomRendered              = 0 = ‘Normal’
JPEG.APP1.Ifd0.ExposureMode                = 0 = ‘Auto’
JPEG.APP1.Ifd0.WhiteBalance                = 0 = ‘Auto’
JPEG.APP1.Ifd0.DigitalZoomRatio            = 1
JPEG.APP1.Ifd0.SceneCaptureType            = 0 = ‘Standard’
JPEG.APP1.Ifd0.Exif.ExposureTime                = 0.00625 sec
JPEG.APP1.Ifd0.Exif.FNumber                     = 8 APEX = ‘f16.0′
JPEG.APP1.Ifd0.Exif.Version                     = ’0220′
JPEG.APP1.Ifd0.Exif.DateTimeOriginal            = ’2008:05:31 09:42:15′
JPEG.APP1.Ifd0.Exif.DateTimeDigitized           = ’2008:05:31 09:42:15′
JPEG.APP1.Ifd0.Exif.ComponentsConfiguration     = 1,2,3,0 = ‘YCbCr’
JPEG.APP1.Ifd0.Exif.CompressedBitsPerPixel      = 5
JPEG.APP1.Ifd0.Exif.ShutterSpeedValue           = 7.3125 APEX = ’0.00629098 sec’JPEG.APP1.Ifd0.Exif.ApertureValue               = 6 APEX = ‘f8.0′
JPEG.APP1.Ifd0.Exif.ExposureBiasValue           = 0 APEX
JPEG.APP1.Ifd0.Exif.MaxApertureValue            = 2.96875 APEX = ‘f2.8′
JPEG.APP1.Ifd0.Exif.MeteringMode                = 5 = ‘Pattern’
JPEG.APP1.Ifd0.Exif.Flash                       = 24 = ‘no flash – auto’
JPEG.APP1.Ifd0.Exif.FocalLength                 = 7.7 mm
JPEG.APP1.Ifd0.Exif.MakerNote                   = @718:2372    # UNDEFINED
JPEG.APP1.Ifd0.Exif.UserComment                 = @3090:264 = ” # CC=’undefined’    # UNDEFINED
JPEG.APP1.Ifd0.Exif.FlashPixVersion             = ’0100′
JPEG.APP1.Ifd0.Exif.ColorSpace                  = 1 = ‘sRGB’
JPEG.APP1.Ifd0.Exif.PixelXDimension             = 3648
JPEG.APP1.Ifd0.Exif.PixelYDimension             = 2736
JPEG.APP1.Ifd0.Exif.FocalPlaneXResolution       = 12710.8
JPEG.APP1.Ifd0.Exif.FocalPlaneYResolution       = 12725.6
JPEG.APP1.Ifd0.Exif.FocalPlaneResolutionUnit    = 2 = ‘pixels per inch’
JPEG.APP1.Ifd0.Exif.SensingMethod               = 2 = ‘One-chip color area sensor’
JPEG.APP1.Ifd0.Exif.FileSource                  = 3 = ‘DSC’
JPEG.APP1.Ifd0.Exif.MakerNote.Offset                    = @718
JPEG.APP1.Ifd0.Exif.MakerNote.Length                    = 2372
JPEG.APP1.Ifd0.Exif.MakerNote.Scheme                    = ‘Plain IFD’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings            = ’45 entries’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.01_MacroMode               = 3026 = ‘undefined’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.02_SelfTimer               = 0 = ‘off’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.03_Quality                 = 0 = ‘unknown’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.04_FlashMode               = 0 = ‘flash did not fire’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.05_ContinuousMode          = 92 = ‘undefined’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.06_Unknown                 = 2
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.07_FocusMode               = 0 = ‘One Shot AF’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.08_Unknown                 = 5
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.09_Unknown                 = 5
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.10_ImageSize               = 0 = ‘Large’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.11_EasyShootMode           = 0 = ‘Full Auto’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.12_DigitalZoom             = 4 = ‘(2 * ZoomedResBase) / ZoomedResValue**’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.13_Contrast                = 65535 = ‘Low’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.14_Saturation              = 1 = ‘High’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.15_Sharpness               = 0 = ‘Normal’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.16_ISO                     = 0/0 = ‘Use Exif ISOSpeedRating’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.17_MeteringMode            = 0 = ‘Default’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.18_FocusType               = 0 = ‘Manual’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.19_AFPositionSelected      = 0 = ‘undefined’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.20_ExposureMode            = 0 = ‘Easy Shooting’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.21_Unknown                 = 15
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.22_LensType                = 3
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.23_FocalLength_long        = 1 units
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.24_FocalLength_short       = 16390 units
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.25_FocalUnits*             = 0 unit per mm
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.26_Unknown                 = 32767
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.27_Unknown                 = 65535
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.28_FlashActivity           = 0x5a3c = ‘undefined’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.29_FlashDetails            = 0x1e14 = ‘external E-TTL,Internal flash**,2nd-curtain sync used,FP sync enabled’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.30_Unknown                 = 1000
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.31_Unknown                 = 95
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.32_FocusMode               = 192 = ‘undefined’
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.33_undefined               = 0xffff/65535
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.34_undefined               = 0/0
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.35_undefined               = 0/0
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.36_ZoomedResValue**        = 0
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.37_ZoomedResBase**         = 0
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.38_undefined               = 0/0
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.39_undefined               = 0xffff/65535
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.40_undefined               = 0/0
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.41_undefined               = 0xe40/3648
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.42_ColorTone**             = 0xe40/3648
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.43_undefined               = 0/0
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.44_undefined               = 0/0
JPEG.APP1.Ifd0.Exif.MakerNote.CameraSettings.45_undefined               = 0xffff/65535
JPEG.APP1.Ifd0.Exif.MakerNote.FocusInfo                 = ’4 entries’
JPEG.APP1.Ifd0.Exif.MakerNote.FocusInfo.00_unknown                = 0
JPEG.APP1.Ifd0.Exif.MakerNote.FocusInfo.01_FocalLength            = 32767
JPEG.APP1.Ifd0.Exif.MakerNote.FocusInfo.02_FocalPlaneXSize        = 32767
JPEG.APP1.Ifd0.Exif.MakerNote.FocusInfo.03_FocalPlaneYSize        = 0
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X0003                = 0,2,7700,294
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo                  = ’33 entries’
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.01_Unknown                      = 00
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.02_ISO                          = 0
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.03_Unknown                      = 00
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.04_Unknown                      = 00
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.05_Unknown                      = 0×4468
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.06_ExposureCompensation**       = 65523
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.07_WhiteBalance                 = 160 = ‘undefined’
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.08_Unknown                      = 0×125293
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.09_SequenceNumber               = 192
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.10_Unknown                      = 0xea234JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.11_Unknown                      = 00
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.12_Unknown                      = 00
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.13_Unknown                      = 00
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.14_AFPositionUsed               = 0 = ‘MF’
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.15_FlashBias                    = 0 = ’0 EV’
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.16_AutoExposureBracketing**     = 0
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.17_AEBracketValue**             = 0
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.18_Unknown                      = 00
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.19_FocusDistanceMax**           = 0 mm
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.20_FocusDistanceMin**           = 0 mm
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.21_ApertureValue**              = 0
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.22_ExposureTime**               = 0
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.23_Undefined                    = 0×11
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.24_BulbDuration**               = 73
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.25_Undefined                    = 00
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.26_Undefined                    = 0xb9185JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.27_AutoRotate**                 = 231
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.28_Undefined                    = 00
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.29_SelfTimer2**                 = 0
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.30_Undefined                    = 00
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.31_Undefined                    = 0xfa250JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.32_Undefined                    = 00
JPEG.APP1.Ifd0.Exif.MakerNote.ShotInfo.33_Undefined                    = 00
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_000000                = 0,0,0,0,0,0
JPEG.APP1.Ifd0.Exif.MakerNote.ImageType                 = ”
JPEG.APP1.Ifd0.Exif.MakerNote.FirmwareVersion           = ‘EG’
JPEG.APP1.Ifd0.Exif.MakerNote.ImageNumber               = 1003599
JPEG.APP1.Ifd0.Exif.MakerNote.OwnerName                 = ‘on 1.00′
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X000D                = 0,0,24313856 … ,2031616 (148)
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X0010                = 25755648
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_000000                = 0,9,0,770,11057 … ,0 (19)
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X0026                = 0,0,0,0,0 … ,41 (48)JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X0013                = 41,16,0,0
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X0018                = 04,00,00,00,00,00,00,00,00,00 … ,00 (256)
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X0019                = 1
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X001C                = 0
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X001D                = 0,0,0,0,0 … ,0 (16)
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X001E                = 16777984
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X001F                = 0,0,0,0,0 … ,0 (69)
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X0022                = 0,0,0,0,0 … ,0 (208)JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X0023                = 0,0
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X0024                = 0,8,0,0,0 … ,0 (78)
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X0025                = 00,00,00,00,00,00,00,00,00,00 … ,00 (14)
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X0027                = 0,4
JPEG.APP1.Ifd0.Exif.MakerNote.TAG_0X0028                = 00,00,00,00,00,00,00,00,00,00 … ,df (16)
JPEG.APP1.Ifd1.Compression                 = 6 = ‘Exif/old JPEG’
JPEG.APP1.Ifd1.XResolution                 = 180
JPEG.APP1.Ifd1.YResolution                 = 180
JPEG.APP1.Ifd1.ResolutionUnit              = 2 = ‘pixels per inch’
JPEG.APP1.Ifd1.JPEGInterchangeFormat       = @3464
JPEG.APP1.Ifd1.JPEGInterchangeFormatLength = 7012
# Start of JPEG baseline DCT compressed primary image [985x739<=3648x2736] length 145653 at offset 0/0
#   End of JPEG primary image data at offset 0x238f4/145652
# Start of JPEG baseline DCT compressed reduced-resolution image [160x120] length 7012 (IFD 1) at offset 0xd88/3464
#   End of JPEG reduced-resolution image data at offset 0x28eb/10475
NumberOfImages = 2
FileFormat = JPEG/APP0/JFIF/APP1/TIFF/EXIF # with MakerNote (Canon [1])

Scalpel

ahoog — Mon, 05 Jan 2009 15:52:56 +0000

Scalpel is an open source file carving utility like foremost but with an emphasis on speed and efficiency. When analyzing a 15GB dd image, scalpel took just under 2 minutes while foremost took nearly 15 minutes. Foremost carved more files however most were invalid (this is anecdotal and may not always be the case!). Here is the full description from the scalpel website:

“Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions. It is useful for both digital forensics investigation and file recovery. Scalpel resulted from a complete rewrite of foremost 0.69 a popular open source file carver, to enhance performance and decrease memory usage.”

See also

Daubert

ahoog — Tue, 23 Dec 2008 17:52:20 +0000

Daubert refers to the legal precedent set by the United States Supreme Court in 1993 which defined the criteria for admissibility of expert witness testimony in the Federal Courts. The Daubert ruling (Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579) superseded the long-standing Frye standard (set in 1923) for expert witness testimony.

Daubert criteria

The criteria set by Daubert is two-pronged:

Relevant: whether or not the expert’s evidence “fits” the facts of the case
Reliable:
- (1) whether the methods upon which the testimony is based are centered upon a testable hypothesis;
- (2) the known or potential rate of error associated with the method;
- (3) whether the method has been subject to peer review; and
- (4) whether the method is generally accepted in the relevant scientific community.

With a ruling that carries such impact on cases, there has understandably been quite a bit of confusion and interpretation of this standard.

Federal Rule of Evidence 702

An important factor underlying the Daubert standard is detailed in the Federal Rules of Evidence, which states:

“Rule 702. Testimony by Experts

If scientific, technical, or other specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue, a witness qualified as an expert by knowledge, skill, experience, training, or education, may testify thereto in the form of an opinion or otherwise, if (1) the testimony is based upon sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case.”

So the expert testimony is warranted if it will assist the trier in the establishment of a fact and if the witness applied reliable principles and method to the facts.

Beyond Scientific Knowledge: Kumho Tire Company, Ltd. v. Carmichael

In a further clarification of the Daubert standard, the United States Supreme Court ruled in 1999 that the standard “applies not only to testimony based on ‘scientific’ knowledge, but also to testimony based on ‘technical’ and ‘other specialized’ knowledge.” In one sense, this closed a loop hold used when an expert witness was classified as “non-scientific” and thus a strict reading of the Daubert standard meant the criteria did not apply.

State by State Adoption of Daubert

The following is a list of States status with regard to accepting the Daubert standard in their State court proceedings.

States which fully apply Daubert:

Connecticut
Delaware
Georgia
Indiana
Kentucky
Louisiana
North Carolina
Ohio
Oklahoma
Oregon
Rhode Island
South Dakota
Tennessee
Vermont
Washington
West Virginia
Wyoming

States which apply Daubert-like standard:

Alabama
Arkansas
Colorado
Hawaii
Idaho
Iowa
Maine
Montana
Nevada
Texas
Utah

States will apply Frye standard:

Alaska
Arizona
California
Florida
Illinois
Kansas
Massachusetts
Maryland
Michigan
Minnesota
Mississippi
Missouri
Nebraska
New Hampshire
New Jersey
New Mexico
New York
Pennsylvania

And finally the following states have developed their own standards:

North Dakota
South Carolina
Virginia
Wisconsin

Federal Rules of Evidence Rule 502

ahoog — Mon, 22 Dec 2008 22:30:27 +0000

The Federal Rules of Evidence Rule 502 (Attorney-Client Privilege and Work Product; Limitations on Waiver) was enacted by Congress and made effective September 19, 2008. This important rules was created to address the dramatically increasing costs of electronic discovery by providing a predictable and consistent standard to govern the waiver of privileged information.

Rising costs of pre-production review

Due to the proliferation of electronic documents, attorneys became justifiably concerned that a single disclosure of attorney-client privilege or work product (in a collection of documents that could easily exceed one million documents) would result in waiver of not only the document(s) produced but in a general subject matter waiver for the current and any future litigation. The results of such a waiver could be devastating and as a result, some felt a record-by-record review of all electronically discovered material was warranted.

Important highlights of FRE Rule 502

Rule 502 protects against inadvertent disclosures provided reasonable steps were taken to prevent the disclosure and reasonable and prompt steps to rectify the error were taken (notably Federal Rule of Civil Procedure 26(b)(5)(B)). It also states that a Federal court order stating that protection was not waived must be respected in all Federal and State courts. This comity is an important detail as any rule lacking such cooperation would require the attorney to still incur the pre-production costs since the materials could be discovered in State proceedings.

Additional links

These additional links are provided for further reference:

Archive of all documents related to Rule 502 on http://www.uscourts.gov
Cornell Law School’s Federal Rules of Evidence (more readable on-screen)