Ultimately, it comes to the lawyers, through cross-examination of the forensic professional in the box, to test the evidence to the point at which it can no longer be questioned. After all, this is the meaning of “forensic” investigation, and with nearly all cases containing digital evidence, it should be a basic skill for barristers.
The ACPO Good Practice Principles
Any digital forensic investigator should be intimate with the ACPO Good Practice Guidelines for Digital Evidence. These guidelines are developed by the Association of Chief Police Officers E-crime working group and are constantly reviewed and updated. They are intended for use by law enforcement officers, but in practice, they have become the de facto standard for all digital forensic investigations, whether conducted in the public or private sector.
No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
Principle 1 deals with the changing of data on the original device being examined. This may sound like it is a given, and as far as a forensic professional is concerned, it normally is. We are a fiercely passionate bunch that will potentially become violent towards anyone so much as breathing on our data. However, this does not apply to all in that evidence chain.
On occasions (more than I’d care to mention) I have seen evidence where Police have seized, say, a laptop and have “had a quick look” before it is bagged and tagged. The forensic examiner will spot this almost straight away, the last accessed times associated with the data will show a time AFTER the time of seizure or warrant execution. Most would not offer this information willingly in a forensic report. This will, however, be recorded in the working notes of that examiner. Such a severe impact on the evidence is easily overlooked.
Principle 2 deals with occasions where the evidence is changed due to unavoidable circumstances. With hard drive encryption fast becoming the norm for investigation, it becomes inevitable that the contents of a hard drive will be altered during the investigation process. An examiner at the scene may have to switch a computer on in order to remove the encryption and capture an image of the hard drive. This action should be well documented with concise notes, capable of standing up to scrutiny in the courtroom.
Principle 3 is tested using an independent forensic expert. Here, the initial examiners’ working notes are disclosed and followed meticulously by the expert. If they do not come to the same conclusion, then this should be queried by Counsel. Otherwise it highlights weaknesses in: a) the first investigator’s reliability; and b) the evidence itself.
Equally, the examiners’ working notes remain as unused material and never see the light of a courtroom. A copy of the Police Officers pocket notebook is disclosed and reviewed as standard, why not treat a forensic examiners working notes the same way?
Finally, principle 4 is a safety net for the forensic examiner as the ultimate responsibility falls squarely with the person in charge of the investigation. In reality, there is a duty of care for the forensic experts to make others aware of principle 4. This being said, most forensic issues are typically caused by ignorance rather than an intention to skew the evidence, but this is of course not for the concern of those testing the evidence in court. The intention of principle 4, I believe, is to ensure that investigators turn to forensic professionals for extracting the digital evidence rather than “having a quick look” themselves.
Therefore, it seems reasonable for Counsel to ask the question “Have all the ACPO principles been adhered to in this case?” It fact, it should be a necessity, since the evidence is severely weakened if there is deviation from these principles at any stage in the investigation.
If you are managing a defence case then here you should consider calling upon an expert to review the digital evidence. Your expert should be well equipped to point out where the ACPO principles have been adhered to or breached.
In the courtroom
To date most of my court time has been spent explaining technical terms, such as describing what a hard drive is using my trusty ‘Filing Cabinet’ analogy. This is an essential part of the court proceedings, however it should be queried whether this constitutes testing the evidence. On the one hand it is not an easy task to present digital evidence, and phrases such as ‘unallocated clusters’ or ‘MD5 Hash Values’ will often require lengthy explanations. However, being an expert in the field, and the only person in that room who knows what we are talking about, I am certain that digital investigators feel at home in the courtroom.
Surely the role of the expert in court should not be limited to that of a translator of technical speak?
A good question may be “Tell me what is your understanding of the ACPO good practice principles and did you apply them to this case?” The answer to this would take a barrister’s advocacy skills down a much more productive road.
Not that I would question the integrity of any forensic professional at face value, but how can you be sure that they have given the best explanation of what they have done? An independent expert serving the court would be the ideal solution. In most cases experts will concur, but if the digital evidence is the key to winning or successfully defending your case, it is an important consideration.
I may be opening the door on my court experience becoming more challenging, but my time in the box has been relatively easy; in the interests of justice, it probably should not be.
Colin Smith heads up the Digital Forensics team at Monitor Quest and is available as an expert witness in Digital Forensics for all cases.