Misinterpretation of Evidence - An underlying issue?

  

redcat
Senior Member
 

Re: Misinterpretation of Evidence - An underlying issue?

Post Posted: May 30, 18 08:41

- tootypeg
So should we not be examining content with the legislation in mind then


No, I don't believe that we should. You might have some specific areas you are looking for - if investigating a complex fraud would it be worth focusing on carved graphics files or would you pay more attention to various document/office artefacts? Of course, you extract everything, and it should all be reviewed. It might be that your alleged white collar criminal is also into IIoC too and should serve time for that as well.

- tootypeg
.........is the whole problem here based on a lack of rigorous peer review of our work which would prevent such information even getting into a statement in the first instance?


Not the whole problem, but there is often a lack of oversight.  
 
  

jaclaz
Senior Member
 

Re: Misinterpretation of Evidence - An underlying issue?

Post Posted: May 30, 18 09:01

- redcat

I think that you and I mean different things by 'administration of justice'. To me, it means presenting accurate, provable facts in their correct context from digital devices in a readily understandable format for a jury of 12 ordinary people to be able to comprehend (and an ancient judge who has possibly never turned on a computer). These facts might contradict the prosecution, they might support it - it makes no difference to me. If the facts are there, they will be heard and considered by the aforementioned individuals, and endlessly twisted by QCs and so on.

Well, OK, you have a perfect standing :) you were using "administration of justice" in a much wider (most probably very correct from a legal point) way:
www.duhaime.org/LegalD...stice.aspx
than what I believe is commonly intended, more like:
en.wikipedia.org/wiki/...of_justice

In England, the administration of justice is a prerogative of the Crown. It may be exercised only through duly-appointed judges and courts.


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

UnallocatedClusters
Senior Member
 

Re: Misinterpretation of Evidence - An underlying issue?

Post Posted: May 30, 18 10:31

I have been taught and mentored that my work should be:

1. Independent, meaning my answer will be exactly the same regardless of who is asking me the question.

2. Scientific, meaning 100% of my work must be able to be replicated by a qualified peer.

3. Plain English - I will assume the judge and jury are all brilliant, but just not in my field, so to the extent the judge and jury do not understand my testimony, it is a direct result of a failure on my part to explain my opinion in plain English.  
 
  

tootypeg
Senior Member
 

Re: Misinterpretation of Evidence - An underlying issue?

Post Posted: May 30, 18 11:49

Let's throw this into the mix as well - clearly conveying DF results


specifically...

One of the most hotly debated issues in forensic science is how to convey forensic results to decision-makers most effectively. Many forensic practitioners use categorical conclusion scales including multiple levels, such as ‘definitely’ and ‘probably not’.



Do we really do this? Surely our decision making is binary ( :D ) in that it's either 'this' or no, it's not. I can't think of any scenario where something is 'probably not' something?

That site was browsed/searched for etc..... I can't think of a single scenario where I would suggest that a site probably hadn't been browsed/searched? We can fully determine a URL on a system. It gets there via determined methods.

In terms of 'certainty scales' - say, for example: unlikely, moderately sure, sure, probably, definitely.

Do such things have a place in this field?  
 
  

jaclaz
Senior Member
 

Re: Misinterpretation of Evidence - An underlying issue?

Post Posted: May 30, 18 13:27

- tootypeg

Do we really do this? Surely our decision making is binary ( :D ) in that it's either 'this' or no, it's not. I can't think of any scenario where something is 'probably not' something?

That site was browsed/searched for etc..... I can't think of a single scenario where I would suggest that a site probably hadn't been browsed/searched? We can fully determine a URL on a system. It gets there via determined methods.

In terms of 'certainty scales' - say, for example: unlikely, moderately sure, sure, probably, definitely.

Do such things have a place in this field?


Why not?

You find in a sector belonging to unallocated space this exact string (for the sake of the example followed and preceded by 00's or 20's):
Code:
https://www.forensicfocus.com/Forums/viewtopic/t=16680/postdays=0/postorder=asc/start=14/

1) How (exactly) was that byte sequence written? (i.e. typed, copied, etc., or if you prefer, was it, before being unallocated, part of a .txt or similar file, part of a memory dump or part of a temporary system file, a cache or *whatever*)
2) By which (exact) program was it written?
3) When (exactly) was it written?
4) Who (exactly) was logged in at the time it was written?

You have no way to properly answer any of the above questions; still, you have that byte sequence, which seems unlikely to be a randomly generated string and actually resolves in a browser (to this very thread, 3rd page).

What do you do next?

a. Ignore that string because you have no way to answer the 4 above questions
b. Since it cannot be random, nor "digital garbage", you state that probably the string is the result of either typing or copying/pasting and since that string is almost exclusively present in the browser address bar when accessing:
www.forensicfocus.com/...c/t=16680/
and clicking on the blue 3 in top right, it is highly probable that one user of the computer, some time in the past, accessed this thread through a browser. And, you could even state that this happened very likely no earlier than "Wed May 30, 2018 2:41 pm", i.e. the time post #15 was posted, thus creating page 3.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
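
The scenario in the post above, as an added example that is not part of the original thread: Python code that carves URL-like strings from a raw byte buffer and records only what the bytes themselves support (offset, sector, delimiting bytes, URL parameters), so that a peer can reproduce the finding. The 512-byte sector size, the function names, the constructed sample buffer and the reading of `start` as a zero-based post index are assumptions.

```python
import re

SECTOR_SIZE = 512  # assumption: 512-byte sectors
# A run of printable, non-space ASCII after the scheme; 0x00 and 0x20 end it.
URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")

def carve_urls(raw, base_offset=0, sector_size=SECTOR_SIZE):
    """Return one record per URL-like string found in a raw byte buffer."""
    hits = []
    for m in URL_RE.finditer(raw):
        start, end = m.span()
        url = m.group().decode("ascii")
        hits.append({
            "url": url,
            "offset": base_offset + start,
            "sector": (base_offset + start) // sector_size,
            # Bytes on either side, so a peer can confirm the string's boundaries
            "before": raw[start - 1:start].hex() or "none",
            "after": raw[end:end + 1].hex() or "none",
            # Forum-style path parameters such as t=16680 or start=14
            "params": dict(p.split("=", 1) for p in url.split("/") if "=" in p),
        })
    return hits

def report(hit):
    """Statements limited to what the carved bytes themselves support."""
    lines = [
        f"URL-like string at byte offset {hit['offset']} (sector {hit['sector']})",
        f"delimited by byte {hit['before']} before and {hit['after']} after",
    ]
    if hit["params"].get("start", "").isdigit():
        # Assumption: 'start' is the zero-based index of the first post shown
        lines.append(f"names a page starting at post #{int(hit['params']['start']) + 1}")
    lines.append("not established: writing program, write time, logged-in user")
    return lines

# Constructed sample: the thread's URL padded with 0x00, as in the post's scenario
SAMPLE_URL = (b"https://www.forensicfocus.com/Forums/viewtopic/"
              b"t=16680/postdays=0/postorder=asc/start=14/")
SAMPLE = b"\x00" * 700 + SAMPLE_URL + b"\x00" * 236

if __name__ == "__main__":
    for hit in carve_urls(SAMPLE):
        print("\n".join(report(hit)))
```
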
 
  

redcat
Senior Member
 

Re: Misinterpretation of Evidence - An underlying issue?

Post Posted: May 31, 18 00:40

- jaclaz
Well, OK, you have a perfect standing Smile you were using "administration of justice" in a much wider (most probably very correct from a legal point) way


To strip it right down, I view successful administration of justice as the guilty being brought to account for their actions and the innocent walking free.

I don't feel comfortable with the idea that my work could help to convict an innocent person and keep that in mind when giving evidence.  
 
  

passcodeunlock
Senior Member
 

Re: Misinterpretation of Evidence - An underlying issue?

Post Posted: May 31, 18 00:45

Validating the results of an examination with other tools or manually is always a must! It should be done by another forensic expert, who has larger experience in the field.

Making prosecutors, judges and lawyers actually understand what is behind the IT terms of forensic analysis results is a big problem worldwide. Misinterpretation can occur, unfortunately :(
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 
 
