*/
Colin Smith looks at the issues arising when using digital evidence in court
How often is it now that none of the evidence in a case is digital? That a case has no information from a computer, mobile phone, company server, laptop? Digital evidence is all around us, but why does it often evade the robust challenging it probably deserves?
Any information that has come from digital sources must be treated diligently if the evidence is to prove reliable and strong. This is well known to digital forensic examiners. Being one myself I became very used to being reminded of the principles of forensics early on, which has resulted in me religiously maintaining the forensic standard of my evidence.
Ultimately, it comes to the lawyers, through cross-examination of the forensic professional in the box, to test the evidence to the point at which it can no longer be questioned. After all, this is the meaning of “forensic” investigation, and with nearly all cases containing digital evidence, it should be a basic skill for barristers.
Any digital forensic investigator should be intimate with the ACPO Good Practice Guidelines for Digital Evidence. These guidelines are developed by the Association of Chief Police Officers E-crime working group and are constantly reviewed and updated. They are intended for use by law enforcement officers, but in practice, they have become the de facto standard for all digital forensic investigations, whether conducted in the public or private sector.
Principle 1
No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
Principle 2
In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3
An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4
The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
Principle 1 deals with the changing of data on the original device being examined. This may sound like it is a given, and as far as a forensic professional is concerned, it normally is. We are a fiercely passionate bunch that will potentially become violent towards anyone so much as breathing on our data. However, this does not apply to all in that evidence chain.
On occasions (more than I’d care to mention) I have seen evidence where Police have seized, say, a laptop and have “had a quick look” before it is bagged and tagged. The forensic examiner will spot this almost straight away, the last accessed times associated with the data will show a time AFTER the time of seizure or warrant execution. Most would not offer this information willingly in a forensic report. This will, however, be recorded in the working notes of that examiner. Such a severe impact on the evidence is easily overlooked.
Principle 2 deals with occasions where the evidence is changed due to unavoidable circumstances. With hard drive encryption fast becoming the norm for investigation, it becomes inevitable that the contents of a hard drive will be altered during the investigation process. An examiner at the scene may have to switch a computer on in order to remove the encryption and capture an image of the hard drive. This action should be well documented with concise notes, capable of standing up to scrutiny in the courtroom.
Principle 3 is tested using an independent forensic expert. Here, the initial examiners’ working notes are disclosed and followed meticulously by the expert. If they do not come to the same conclusion, then this should be queried by Counsel. Otherwise it highlights weaknesses in: a) the first investigator’s reliability; and b) the evidence itself.
Equally, the examiners’ working notes remain as unused material and never see the light of a courtroom. A copy of the Police Officers pocket notebook is disclosed and reviewed as standard, why not treat a forensic examiners working notes the same way?
Finally, principle 4 is a safety net for the forensic examiner as the ultimate responsibility falls squarely with the person in charge of the investigation. In reality, there is a duty of care for the forensic experts to make others aware of principle 4. This being said, most forensic issues are typically caused by ignorance rather than an intention to skew the evidence, but this is of course not for the concern of those testing the evidence in court. The intention of principle 4, I believe, is to ensure that investigators turn to forensic professionals for extracting the digital evidence rather than “having a quick look” themselves.
Therefore, it seems reasonable for Counsel to ask the question “Have all the ACPO principles been adhered to in this case?” It fact, it should be a necessity, since the evidence is severely weakened if there is deviation from these principles at any stage in the investigation.
If you are managing a defence case then here you should consider calling upon an expert to review the digital evidence. Your expert should be well equipped to point out where the ACPO principles have been adhered to or breached.
To date most of my court time has been spent explaining technical terms, such as describing what a hard drive is using my trusty ‘Filing Cabinet’ analogy. This is an essential part of the court proceedings, however it should be queried whether this constitutes testing the evidence. On the one hand it is not an easy task to present digital evidence, and phrases such as ‘unallocated clusters’ or ‘MD5 Hash Values’ will often require lengthy explanations. However, being an expert in the field, and the only person in that room who knows what we are talking about, I am certain that digital investigators feel at home in the courtroom.
Surely the role of the expert in court should not be limited to that of a translator of technical speak?
A good question may be “Tell me what is your understanding of the ACPO good practice principles and did you apply them to this case?” The answer to this would take a barrister’s advocacy skills down a much more productive road.
Not that I would question the integrity of any forensic professional at face value, but how can you be sure that they have given the best explanation of what they have done? An independent expert serving the court would be the ideal solution. In most cases experts will concur, but if the digital evidence is the key to winning or successfully defending your case, it is an important consideration.
I may be opening the door on my court experience becoming more challenging, but my time in the box has been relatively easy; in the interests of justice, it probably should not be.
Colin Smith heads up the Digital Forensics team at Monitor Quest and is available as an expert witness in Digital Forensics for all cases.
csmith@monitorquest.com
Ultimately, it comes to the lawyers, through cross-examination of the forensic professional in the box, to test the evidence to the point at which it can no longer be questioned. After all, this is the meaning of “forensic” investigation, and with nearly all cases containing digital evidence, it should be a basic skill for barristers.
Any digital forensic investigator should be intimate with the ACPO Good Practice Guidelines for Digital Evidence. These guidelines are developed by the Association of Chief Police Officers E-crime working group and are constantly reviewed and updated. They are intended for use by law enforcement officers, but in practice, they have become the de facto standard for all digital forensic investigations, whether conducted in the public or private sector.
Principle 1
No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
Principle 2
In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3
An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4
The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
Principle 1 deals with the changing of data on the original device being examined. This may sound like it is a given, and as far as a forensic professional is concerned, it normally is. We are a fiercely passionate bunch that will potentially become violent towards anyone so much as breathing on our data. However, this does not apply to all in that evidence chain.
On occasions (more than I’d care to mention) I have seen evidence where Police have seized, say, a laptop and have “had a quick look” before it is bagged and tagged. The forensic examiner will spot this almost straight away, the last accessed times associated with the data will show a time AFTER the time of seizure or warrant execution. Most would not offer this information willingly in a forensic report. This will, however, be recorded in the working notes of that examiner. Such a severe impact on the evidence is easily overlooked.
Principle 2 deals with occasions where the evidence is changed due to unavoidable circumstances. With hard drive encryption fast becoming the norm for investigation, it becomes inevitable that the contents of a hard drive will be altered during the investigation process. An examiner at the scene may have to switch a computer on in order to remove the encryption and capture an image of the hard drive. This action should be well documented with concise notes, capable of standing up to scrutiny in the courtroom.
Principle 3 is tested using an independent forensic expert. Here, the initial examiners’ working notes are disclosed and followed meticulously by the expert. If they do not come to the same conclusion, then this should be queried by Counsel. Otherwise it highlights weaknesses in: a) the first investigator’s reliability; and b) the evidence itself.
Equally, the examiners’ working notes remain as unused material and never see the light of a courtroom. A copy of the Police Officers pocket notebook is disclosed and reviewed as standard, why not treat a forensic examiners working notes the same way?
Finally, principle 4 is a safety net for the forensic examiner as the ultimate responsibility falls squarely with the person in charge of the investigation. In reality, there is a duty of care for the forensic experts to make others aware of principle 4. This being said, most forensic issues are typically caused by ignorance rather than an intention to skew the evidence, but this is of course not for the concern of those testing the evidence in court. The intention of principle 4, I believe, is to ensure that investigators turn to forensic professionals for extracting the digital evidence rather than “having a quick look” themselves.
Therefore, it seems reasonable for Counsel to ask the question “Have all the ACPO principles been adhered to in this case?” It fact, it should be a necessity, since the evidence is severely weakened if there is deviation from these principles at any stage in the investigation.
If you are managing a defence case then here you should consider calling upon an expert to review the digital evidence. Your expert should be well equipped to point out where the ACPO principles have been adhered to or breached.
To date most of my court time has been spent explaining technical terms, such as describing what a hard drive is using my trusty ‘Filing Cabinet’ analogy. This is an essential part of the court proceedings, however it should be queried whether this constitutes testing the evidence. On the one hand it is not an easy task to present digital evidence, and phrases such as ‘unallocated clusters’ or ‘MD5 Hash Values’ will often require lengthy explanations. However, being an expert in the field, and the only person in that room who knows what we are talking about, I am certain that digital investigators feel at home in the courtroom.
Surely the role of the expert in court should not be limited to that of a translator of technical speak?
A good question may be “Tell me what is your understanding of the ACPO good practice principles and did you apply them to this case?” The answer to this would take a barrister’s advocacy skills down a much more productive road.
Not that I would question the integrity of any forensic professional at face value, but how can you be sure that they have given the best explanation of what they have done? An independent expert serving the court would be the ideal solution. In most cases experts will concur, but if the digital evidence is the key to winning or successfully defending your case, it is an important consideration.
I may be opening the door on my court experience becoming more challenging, but my time in the box has been relatively easy; in the interests of justice, it probably should not be.
Colin Smith heads up the Digital Forensics team at Monitor Quest and is available as an expert witness in Digital Forensics for all cases.
csmith@monitorquest.com
Colin Smith looks at the issues arising when using digital evidence in court
How often is it now that none of the evidence in a case is digital? That a case has no information from a computer, mobile phone, company server, laptop? Digital evidence is all around us, but why does it often evade the robust challenging it probably deserves?
Any information that has come from digital sources must be treated diligently if the evidence is to prove reliable and strong. This is well known to digital forensic examiners. Being one myself I became very used to being reminded of the principles of forensics early on, which has resulted in me religiously maintaining the forensic standard of my evidence.
Sam Townend KC explains the Bar Council’s efforts towards ensuring a bright future for the profession
Giovanni D’Avola explores the issue of over-citation of unreported cases and the ‘added value’ elements of a law report
Louise Crush explores the key points and opportunities for tax efficiency
Westgate Wealth Management Ltd is a Partner Practice of FTSE 100 company St. James’s Place – one of the top UK Wealth Management firms. We offer a holistic service of distinct quality, integrity, and excellence with the aim to build a professional and valuable relationship with our clients, helping to provide them with security now, prosperity in the future and the highest standard of service in all of our dealings.
Is now the time to review your financial position, having reached a career milestone? asks Louise Crush
If you were to host a dinner party with 10 guests, and you asked them to explain what financial planning is and how it differs to financial advice, you’d receive 10 different answers. The variety of answers highlights the ongoing need to clarify and promote the value of financial planning.
Most of us like to think we would risk our career in order to meet our ethical obligations, so why have so many lawyers failed to hold the line? asks Flora Page
If your current practice environment is bringing you down, seek a new one. However daunting the change, it will be worth it, says Anon Barrister
Creating advocacy opportunities for juniors is now the expectation but not always easy to put into effect. Tom Mitcheson KC distils developing best practice from the Patents Court initiative already bearing fruit
Sam Townend KC explains the Bar Council’s efforts towards ensuring a bright future for the profession
National courts are now running the bulk of the world’s war crimes cases and corporate prosecutions are part of this growing trend, reports Chris Stephen
