CH15: The Expert Witness
Chapter Overview
Every technical decision made across the previous fourteen chapters eventually lands in front of a judge or jury. The write blocker chosen at the scene, the hashing algorithm selected during imaging, the registry keys parsed in the lab, the memory capture taken before shutdown, the cloud preservation letter sent in week three of the case: each one has an audience of one in the short term and an audience of twelve in the long term. The examiner who collected the evidence is often the same person who has to explain it from a witness stand, defend the methodology under cross-examination, and withstand challenges to their qualifications.
This chapter covers the standards, duties, and courtroom mechanics that govern that role. Federal Rule of Evidence 702, the Daubert framework, and Federal Rule of Civil Procedure 26 are not distant legal theory. They are the rules that decide whether the forensic report you authored survives the trip from lab to admission. The chapter also reconnects the forensic report from Chapter 3 to its ultimate purpose. The report is not a deliverable that ends at the client's inbox. It is the spine of a deposition transcript, the skeleton of an expert report, and the script for direct examination.
You will not become a seasoned expert witness by reading a chapter. Courtroom experience is earned one ruling at a time. What you can build here is the examiner's mental model of the process: who decides what testimony gets heard, what the rules actually require, and how daily habits in the lab either support or sabotage credibility months later on the stand.
Learning Objectives
By the end of this chapter, you will be able to:
- Distinguish a lay (fact) witness from an expert witness under the Federal Rules of Evidence.
- Apply the Daubert admissibility framework to a digital forensics methodology and cite the role of NIST tool validation in supporting reliability.
- Identify the elements of a Federal Rule of Civil Procedure 26(a)(2)(B) expert disclosure and trace each element back to contemporaneous notes and the forensic report.
- Describe the examiner's ethical duties across retention, deposition, direct examination, and cross-examination.
- Recognize common cross-examination tactics and formulate defensible responses grounded in the forensic record.
15.1 Witnesses in the Courtroom
A witness is a person who provides sworn testimony about facts relevant to a legal proceeding. Federal Rules of Evidence (FRE) 701 and 702 divide witnesses into two categories, and the distinction matters because each category operates under different rules.
A lay witness, also called a fact witness, testifies to what they personally perceived. They saw something, heard something, or did something. Under FRE 701, a lay witness may offer opinions only when those opinions are rationally based on their own perception and helpful to understanding their testimony. A lay witness cannot offer opinions grounded in specialized knowledge.
An expert witness testifies to opinions that require training, education, or experience beyond ordinary life. Under FRE 702, a witness qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion if four conditions are met:
- The expert's scientific, technical, or specialized knowledge will help the trier of fact understand the evidence or determine a fact in issue.
- The testimony is based on sufficient facts or data.
- The testimony is the product of reliable principles and methods.
- The expert has reliably applied those principles and methods to the facts of the case.
Digital forensics examiners are almost always qualified as experts. A jury cannot independently understand what a Volume Shadow Copy is, why a SHA-256 hash value matters, or how a prefetch file proves program execution. Without an expert to translate, the evidence is unintelligible.
Some examiners end up functioning as both fact witness and expert witness in the same case. The responding examiner saw the scene, bagged the device, and imaged the drive (fact testimony), then later analyzed the artifacts and formed opinions about user activity (expert testimony). Dual-capacity testimony is permissible but requires care. Opposing counsel will often attempt to exploit the gap, challenging the examiner's objectivity by framing the expert analysis as motivated reasoning from the first responder.
Analyst Perspective
If you know at the scene that you will probably end up testifying as an expert later, document the scene with that future testimony in mind. The photograph you did not take on day one becomes the exhibit you cannot produce on trial day one hundred and eighty.

Figure 15.1: The two witness categories under the Federal Rules of Evidence. Lay witnesses testify to perception under FRE 701; expert witnesses testify to opinions under FRE 702 when the four reliability conditions are met.
15.2 Admissibility Standards for Expert Testimony
Before a jury hears a single word of expert testimony, a judge must decide whether that testimony is admissible. The judge operates as the gatekeeper, screening expert opinions against the governing admissibility standard. In federal court, that standard is anchored in FRE 702 as interpreted by the Supreme Court in a series of cases known collectively as the Daubert trilogy.
Federal Rule of Evidence 702 (December 2023 Amendment)
FRE 702 was amended effective December 1, 2023, to clarify two points that lower courts had been applying inconsistently. First, the proponent of expert testimony (the party calling the expert) must demonstrate by a preponderance of the evidence that the rule's requirements are met. Second, the court must find that the expert's opinion reflects a reliable application of principles and methods to the facts. The amendment did not change the substance of the rule. It tightened judicial enforcement of a rule that had drifted toward a lighter touch.
The Daubert Trilogy
- Daubert v. Merrell Dow Pharmaceuticals, Inc. (1993). The Supreme Court held that FRE 702 superseded the older "general acceptance" standard and assigned trial judges a gatekeeping role. The Court identified non-exhaustive factors a judge may consider when evaluating reliability:
  - Whether the theory or technique can be and has been tested.
  - Whether it has been subjected to peer review and publication.
  - The known or potential error rate.
  - The existence and maintenance of standards controlling the technique's operation.
  - General acceptance within the relevant scientific community.
- General Electric Co. v. Joiner (1997). The Court held that appellate review of a trial court's admissibility decision uses an abuse-of-discretion standard, giving the gatekeeper substantial latitude.
- Kumho Tire Co. v. Carmichael (1999). The Court extended Daubert beyond scientific testimony to all technical and specialized knowledge. This case is what explicitly brings digital forensics methodology under the Daubert framework.
NIST Computer Forensics Tool Testing (CFTT)
The Daubert factors ask whether a technique has been tested, whether error rates are known, and whether standards control its operation. For digital forensics tools, the most direct answer to those questions is the National Institute of Standards and Technology Computer Forensics Tool Testing (CFTT) program.
CFTT was established by NIST in 2000 to develop rigorous, reproducible testing methodologies for forensic software and hardware. The program produces two deliverables that examiners and attorneys should know by name:
- Test methodologies. Public specifications describing how a tool category should be evaluated. Examples include specifications for disk imaging tools, hardware write blockers, software write blockers, mobile device acquisition tools, deleted file recovery tools, and forensic string search tools.
- Tool Test Reports. Published evaluations of specific tool versions against the relevant methodology. Each report documents the test environment, the procedures executed, and the anomalies observed.
CFTT reports are hosted by NIST and by the Department of Homeland Security Science and Technology Directorate. When an examiner states in an expert report that "image acquisition was performed using [tool X, version Y], which has been evaluated under the NIST CFTT disk imaging test methodology," that single sentence addresses three Daubert factors simultaneously. The technique has been tested. The error rate has been characterized. Standards control the tool's operation.
Not every tool an examiner uses will have a current CFTT report. That is not automatically disqualifying, but it shifts the burden. If a tool lacks independent validation, the examiner should be prepared to explain how they validated the tool themselves, reference internal test results, or cite peer-reviewed publications evaluating the tool. The less independent validation exists, the more the examiner must personally own the reliability argument.
Analyst Perspective
Before you use a tool in a case that might go to trial, pull the CFTT methodology for that tool category and read it. You will learn what the testers were looking for, what common failure modes exist, and what your own tool validation routine ought to cover. This habit costs an afternoon and pays for itself the first time opposing counsel asks whether you know how your imager handles bad sectors.

Figure 15.2: The NIST CFTT tool test report addresses multiple Daubert reliability factors simultaneously, making it a central artifact in admissibility arguments about digital forensics tools.
15.3 Qualifying as an Expert
A witness is not an expert by self-declaration. The court must qualify the witness through a process that begins with a written offer of qualifications and often ends with a live examination in front of the judge.
Building the Curriculum Vitae
The expert's curriculum vitae (CV) is the document the court will review first. A defensible forensics CV includes:
- Education. Degrees, institutions, and dates.
- Professional certifications. Active certifications with issuing bodies and expiration status. Common digital forensics certifications include the GIAC Certified Forensic Analyst (GCFA), the EnCase Certified Examiner (EnCE), the Certified Forensic Computer Examiner (CFCE) from the International Association of Computer Investigative Specialists, and the Certified Computer Examiner (CCE) from the International Society of Forensic Computer Examiners.
- Training hours. Specific courses, dates, and continuing education totals. Many certifications require ongoing training to maintain.
- Casework history. Number of examinations performed, types of cases, types of media examined.
- Publications. Articles, book chapters, and white papers in peer-reviewed or industry venues.
- Presentations and teaching. Conference talks, training delivered, academic appointments.
- Prior testimony. Cases in which the examiner has testified, whether at deposition or trial, and whether qualified as an expert.
Voir Dire on Qualifications
Voir dire is a French term meaning "to speak the truth." In the context of expert witnesses, it refers to the preliminary examination of the witness's qualifications before the witness is permitted to offer opinion testimony. Retaining counsel walks the witness through the CV on direct; opposing counsel then gets an opportunity to challenge qualifications.
Common disqualification attempts focus on:
- Expired or never-held certifications claimed on the CV.
- Training that does not match the specific issue in the case (e.g., a general computer forensics examiner testifying about cellular network geolocation).
- Prior testimony that was excluded or that resulted in findings adverse to the examiner's credibility.
- Undisclosed relationships with the retaining party.
Warning
Never embellish a CV. A discrepancy between the CV and a transcript, a certification database, or a LinkedIn profile is the easiest possible cross-examination. Credibility lost in voir dire rarely returns during the substantive testimony that follows.
15.4 The Expert's Duties and Ethics
The expert witness is retained by one party but answers to the court. This duty structure is the central ethical feature of the role and the one students most often miss.
The retaining party pays the expert. The retaining party selects the expert and shares case materials. The retaining party's attorney prepares the expert for direct examination. Despite all of this, the expert's opinions must reflect what the evidence supports, not what the client wants. The moment the expert's opinions bend toward the client's preferred outcome, the expert becomes an advocate, and the testimony becomes impeachable.
Professional bodies codify this obligation. The International Association of Computer Investigative Specialists (IACIS) Code of Ethics, the International Society of Forensic Computer Examiners (ISFCE) Code of Ethical and Professional Responsibility, and the Digital Forensics Certification Board (DFCB) code all articulate the same core duties:
- Conduct examinations with objectivity.
- Testify truthfully.
- Disclose limitations and uncertainty.
- Stay within demonstrated expertise.
- Avoid conflicts of interest and disclose any that arise.
- Protect the confidentiality of case information.
Compensation must be transparent. The expert's report must state the compensation arrangement, and testimony must acknowledge the fee structure when asked. Compensation contingent on case outcome is prohibited for testifying experts in nearly every jurisdiction, because it creates an overt financial interest in the opinion.
Warning
Advocacy drift is the most common credibility killer. The moment an examiner starts arguing the case rather than explaining the findings, cross-examination has already won.

Figure 15.3: The expert witness's duty structure. The retaining party pays and provides materials, but the expert's primary duty runs to the court. Advocacy drift, where opinions bend toward the retaining party's interests, is the central failure mode.
15.5 From Forensic Report to Expert Report
This is the bridge back to Chapter 3. The forensic report authored at the end of examination is not a terminal document. It is the evidentiary spine of everything that follows.
Federal Rule of Civil Procedure 26(a)(2)(B)
In federal civil litigation, a retained testifying expert must produce a written report. FRCP 26(a)(2)(B) specifies six required elements:
- A complete statement of all opinions the witness will express and the basis and reasons for them.
- The facts or data considered in forming the opinions.
- Any exhibits that will be used to summarize or support the opinions.
- The witness's qualifications, including publications authored in the previous ten years.
- A list of all other cases in which the witness testified as an expert at trial or by deposition in the previous four years.
- A statement of the compensation to be paid for the study and testimony.

Figure 15.4: The six required elements of an FRCP 26(a)(2)(B) expert disclosure, each traceable to its source document. A missing or mismatched source is the most common cause of disclosure challenges.
In federal criminal cases, expert disclosure is governed by Federal Rule of Criminal Procedure 16. The rule was substantially amended in 2022 to require a written summary of expert testimony, the bases and reasons for opinions, the witness's qualifications, and a list of prior cases. The two regimes are not identical, but the direction is the same. Courts have moved steadily toward requiring fuller, earlier disclosure of expert analysis.
Consistency Across the Four Documents
An expert witness is judged against four written or spoken records, and any inconsistency among them will be exposed.

Figure 15.5: The consistency chain from field notes to testimony. Any gap or contradiction between these four records becomes a cross-examination target.
- Contemporaneous notes are what the examiner wrote as events occurred: serial numbers, timestamps, tool commands, observations.
- The forensic report is the structured analysis produced at the close of examination. Chapter 3 covered its required sections: case summary, chain of custody, tools used, findings, and appendices.
- The expert report is the FRCP 26 deliverable that takes the forensic report's findings and frames them as sworn opinions with explicit basis and reasoning.
- Sworn testimony is what the expert says at deposition and trial.
An opinion in the expert report that does not appear in the forensic report will be questioned. A finding in the forensic report that contradicts a note from the examination will be exploited. A statement on the stand that goes beyond the expert report may be excluded entirely under FRCP 37(c)(1), which permits sanctions when a party fails to disclose information required by Rule 26(a).
Language Precision Revisited
Chapter 3 emphasized the difference between observation and conclusion in forensic writing. That discipline becomes existential in expert testimony. An examiner who writes "the user opened the file at 10:42 UTC" has made a claim about a person's conduct. An examiner who writes "the file's LastAccess timestamp recorded under the user account shows 10:42 UTC, consistent with the file having been opened by that user" has made a claim about an artifact and described the inference the artifact supports. The first sentence is a cross-examination target. The second sentence is defensible.
15.6 Pre-Trial: Depositions and Discovery
A deposition is sworn, out-of-court testimony taken during the discovery phase of a case. Depositions are recorded, transcribed, and may be used at trial to impeach a witness whose trial testimony contradicts their deposition answers.
For an expert witness, the deposition serves two purposes. For opposing counsel, it is an opportunity to lock down the expert's opinions, surface the bases for those opinions, and find material for cross-examination. For retaining counsel, it is a test of whether the expert can hold the opinions up under hostile questioning before the stakes of trial.
During discovery, the expert must typically produce their full case file. This includes notes, disk images, tool output, chain-of-custody forms, the forensic report, correspondence relevant to the analysis, and any drafts of the expert report where applicable. Work product doctrine and attorney-client privilege protect some communications with counsel, but the scope of those protections for testifying experts is narrower than many students expect. The 2010 amendment to FRCP 26(b)(4) protects draft expert reports and most attorney-expert communications, but the facts and data considered by the expert remain discoverable.
Rebuttal reports are common in cases with opposing experts. One party's expert issues a report; the other party's expert issues a rebuttal; the first expert may issue a sur-rebuttal. The cycle is exhausting and is part of why expert work in civil litigation takes the time it does.
15.7 Direct Examination
Direct examination is the portion of trial testimony conducted by retaining counsel. The expert tells the evidentiary story through a series of open-ended questions designed to walk the jury from qualifications through methodology to conclusions.
Effective direct examination of a digital forensics expert shares several characteristics:
- Plain language. Registry hives become "Windows configuration databases." Hash values become "digital fingerprints." Volume Shadow Copies become "point-in-time snapshots the operating system takes automatically."
- Analogy where technical precision can wait. A write blocker is "a one-way valve." An MD5 collision is "two different documents that happen to produce the same fingerprint, which is why we switched to SHA-256."
- Demonstratives. Printed screenshots, annotated timelines, side-by-side comparisons of hash values. Jurors retain visual content far better than verbal testimony alone.
- Pace. The expert speaks to the jury, not to the lawyer. Pauses after key findings let the point land.
- Precision on the critical terms. "Consistent with" and "supports the inference that" are deliberate word choices. The expert should use them intentionally and be ready to explain why they are not stating an absolute.
The goal of direct examination is not to impress the jury with expertise. The goal is to make the evidence intelligible so the jury can evaluate it.
15.8 Cross-Examination: Holding the Line
Cross-examination is conducted by opposing counsel with a defined objective: to weaken the expert's credibility, to narrow the scope of the expert's conclusions, or to extract admissions that help the opposing party's theory of the case. Students should understand the classic tactics so they are not surprised by them.
Common Cross-Examination Tactics
- Attacks on qualifications. "Isn't it true your EnCE certification expired in 2023?" "Have you ever been excluded as an expert by a federal court?" The defense is accurate credentials and honest answers.
- Attacks on methodology. "You chose to image this drive with a tool that has not been updated in four years. Why?" The defense is thorough validation documentation and CFTT references.
- Attacks on bias. "How much is your firm being paid for your testimony in this case?" The defense is transparent compensation disclosure and steady demeanor.
- Compound questions. A single question that embeds multiple assertions. The witness can ask counsel to break the question into parts.
- Leading questions that mischaracterize prior testimony. The witness can decline to adopt the characterization ("That is not what I said earlier. What I said was...").
- Ultimate-issue traps. Under FRE 704(a), opinions embracing an ultimate issue are generally admissible, but FRE 704(b) bars expert testimony on whether a criminal defendant had the mental state constituting an element of the crime. Opposing counsel may bait an examiner into an ultimate-issue opinion that the rule excludes.
Defensible Responses
- "I don't know" is a complete answer. An expert does not know everything. Inventing an answer to avoid admitting uncertainty is how careers end.
- "That is outside the scope of my examination" is a complete answer. Expert testimony is limited to the analysis performed and the opinions disclosed.
- "I would have to review the document to answer accurately" is a complete answer. When asked about a specific file, log, or prior statement, ask to see it.
- Composure and pacing. Silence after a hostile question is fine. Filling silence with qualifications is how admissions happen.
Warning
The fastest route to exclusion from a case is overreaching on an ultimate-issue question. If opposing counsel asks whether the defendant intended to steal the files, the answer is some version of "intent is a question for the jury. I can testify only to what the artifacts show."

Figure 15.6: A quick-reference matrix of common cross-examination tactics and the defensible responses grounded in the forensic record.
15.9 Putting It Together: A Daubert Challenge in a Trade Secrets Case
Consider a civil trade secrets matter. The plaintiff alleges that a departing engineer copied proprietary source code to a personal external drive on the day of resignation. You were retained by plaintiff's counsel to examine the engineer's corporate laptop. Your forensic report documented registry evidence of USB device connection, shellbag entries reflecting file browsing of the source code repository, and Windows Event Log entries showing a large file copy operation to the connected drive. You authored an expert report under FRCP 26 setting out four opinions, each grounded in specific artifacts.
Opposing counsel files a Daubert motion three weeks before trial. The motion challenges the reliability of your methodology on three grounds. First, that the imaging tool you used lacks current NIST CFTT validation. Second, that your interpretation of shellbag entries relies on an inference opposing counsel characterizes as "speculative." Third, that your testimony about the copy operation assumes the engineer was the logged-in user at the time, a fact they argue is unproven.
Your rebuttal proceeds methodically.
On the imaging tool, you submit documentation that the tool was evaluated under the CFTT disk imaging test methodology in its most recent prior version, that the version you used includes no changes to the imaging subsystem, and that you performed and documented internal validation against a known test image before using the tool on case media. You acknowledge that a current CFTT report for the exact version would be ideal, and you explain why the absence of that specific report does not undermine reliability.
On the shellbag interpretation, you cite the peer-reviewed literature on Windows shellbag forensics, provide the methodology you followed to parse the hive, and explain the specific artifacts that support each inference. You distinguish between what the shellbag data directly establishes (that a folder was viewed in Windows Explorer under a specific user account) and what it supports inferentially (that the user browsed the repository). This language discipline comes straight out of the forensic writing practice from Chapter 3.
On the logged-in user question, you point to the Event Log entries showing the logon session under the engineer's user account, the Security event IDs that correlate to the copy operation's timestamps, and the absence of any session switch or lock event during the relevant interval. You are careful to note what the evidence does not prove: you cannot testify that the engineer, as a physical human being, was sitting at the keyboard. You can testify that the artifacts are consistent with activity under the engineer's account during a continuous active session.
The court holds the Daubert hearing. You testify for two hours. The judge denies the motion. Three weeks later, at trial, opposing counsel revisits each of the three challenges during cross-examination. Your answers are the same ones you gave at the Daubert hearing, which are the same ones you wrote in your expert report, which are the same ones supported by the forensic report, which are traceable back to the notes you wrote during the examination. The consistency chain holds.
Chapter Summary
- A lay witness testifies to personal perception. An expert witness testifies to opinions grounded in specialized knowledge. Digital forensics examiners routinely qualify as experts under Federal Rule of Evidence 702.
- The trial judge acts as the gatekeeper for expert testimony. In federal court, the governing framework is FRE 702 as interpreted by the Daubert trilogy (Daubert, Joiner, Kumho Tire). The 2023 amendment to FRE 702 tightened the proponent's burden to show reliable principles, reliable methods, and reliable application.
- The NIST Computer Forensics Tool Testing (CFTT) program is the single most useful admissibility resource for digital forensics examiners. Its test methodologies and Tool Test Reports address multiple Daubert factors simultaneously. Before using a tool in a case that may go to trial, pull the relevant CFTT methodology and read it.
- The expert's duty runs to the court, not to the retaining party. Objectivity, scope discipline, and transparent compensation are not optional. Professional codes from IACIS, ISFCE, and DFCB articulate the same core obligations.
- The forensic report from Chapter 3 is the spine of the expert report under FRCP 26(a)(2)(B). Opinions, bases, facts, exhibits, qualifications, prior testimony, and compensation must all be disclosed in writing. Federal criminal cases follow FRCrP 16, which has moved toward similar disclosure requirements.
- Contemporaneous notes, the forensic report, the expert report, and sworn testimony form a consistency chain. Any gap between them is a cross-examination target.
- Cross-examination is designed to attack qualifications, methodology, and bias. "I don't know" and "that is outside the scope of my examination" are complete and defensible answers. Ultimate-issue traps under FRE 704(b) are common and avoidable.
This chapter closes the course. The arc that began with securing a scene and establishing chain of custody ends here, with the sworn testimony that converts a forensic examination into admissible evidence. The habits you build in the lab, the precision you apply in your writing, and the honesty you maintain on the stand are the three variables that determine whether any of the technical work from the previous fourteen chapters survives contact with a courtroom.