
has DF ever had any high-profile fails?

10 Posts
9 Users
0 Likes
905 Views
(@tootypeg)
Posts: 173
Estimable Member
Topic starter
 

I guess what I'm curious here is, unlike DNA and finger marks, I don't seem to be able to find any high-profile cases where DF evidence has been crucial and it turned out to be bad. Would Operation Ore be an example (although is this more procedural as opposed to digital evidence misinterpretation?)…

Would really like to gather some examples if anyone has any?

 
Posted : 13/06/2018 11:02 am
steve862
(@steve862)
Posts: 194
Estimable Member
 

Hi,

I'm not aware of any where the digital forensics was wrong, in the sense that data capture, or processing, or analysis led to a miscarriage of justice. I am aware of cases where no digital expert saw the data and material was produced for court when it should have been used for intelligence use only.

Cases which could fall into this category were not failings of a digital forensic method, or through incorrect interpretation by an expert.

Jobs that could fit into this category would include R v Porter in 2006 but this was not a digital forensics issue. The CPS prosecuted Porter for being in possession of child abuse images on the day of arrest, when they had been deleted previously. Evidence showed he had been in possession of these images previously but it was incorrect to charge possession on the date of arrest when they had been deleted and were not recoverable by the user without specialist knowledge and tools.

The recent cases breaking down as a result of disclosure appear to be for a number of reasons, including but not limited to;

new evidence coming to light that in some cases the police didn't know about (online and social media material),

evidence that had been assessed as not relevant at the time of disclosure but when a later defence statement was received the disclosure officer didn't re-evaluate all of the data already marked as not relevant,

material that was searched through using keywords but without knowing if variants, spelling errors, abbreviations or slang terms were used and so messages, emails might not have been found,

disclosure officers had no idea what to look for and produced what they produced in good faith, but without any direction from the defence, it wasn't the right (or right amount of) data,

and so on….

The number of experts representing the defence has diminished in recent years and I think this is a bad thing.

I think against the backdrop of cuts, with ISO 17025 taking up money and focus but not really delivering anything that will improve digital forensics, with more digital data and more complex data, it's only a matter of time before there start to be miscarriages of justice.

The question is, without experts available to the defence, will these come to light?

Steve

 
Posted : 13/06/2018 12:39 pm
steve862
(@steve862)
Posts: 194
Estimable Member
 

Hi,

Further to the above I probably could mention Op Ore, having worked on a significant number of jobs in Ore.

I am aware that some police forces charged suspects based solely on the presence of their card details being found on the Landslide computer. Examination of their seized devices did not find any child abuse images. As far as I am aware in the Metropolitan Police area nobody was charged unless material was found on their devices, or they admitted to having paid to access it.

There was a lot of mud thrown by certain individuals around how reliable the information from the Landslide computer was. A number of articles were written in the press giving the impression that card details were present because of fraudulent activity. There was even a Radio 4 programme where a former expert in this field spoke about the data, calling into question everything the police were relying on.

The reputation of the police was damaged by Ore and the public were given the impression that the data on that system was wholly unreliable.

On the basis of evidence provided by some of the most technically competent digital experts I know, the High Court were shown how that expert was incorrect in his analysis of the data and eventually ruled that the evidence on the Landslide computer was reliable, and the decision to investigate those whose card details appeared was correct.

The reputation of the police was still tarnished and those publications that had criticised the police, based on incorrect information, never published a redaction or a correction following the High Court's findings.

Steve

 
Posted : 13/06/2018 1:05 pm
(@jerryw)
Posts: 56
Trusted Member
 

There was the Casey Anthony trial in the US where the prosecution claimed that the suspect had searched for incriminating terms on multiple occasions.

Subsequent work showed that was an incorrect interpretation of the browser artifacts. There is more information on the Digital Detective website.

 
Posted : 13/06/2018 1:43 pm
(@deltron)
Posts: 125
Estimable Member
 

There was the Casey Anthony trial in the US where the prosecution claimed that the suspect had searched for incriminating terms on multiple occasions.

Subsequent work showed that was an incorrect interpretation of the browser artifacts. There is more information on the Digital Detective website.

A&E keeps running a commercial for some special and "the entire Firefox history was deleted before Casey was arrested" is now just stuck in my head from it airing every commercial break.

https://youtu.be/epf36g7txAc

 
Posted : 13/06/2018 2:25 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

Don't know if this counts but

Spoke to a guy in law enforcement a few years ago. He told me a story about logs that were generated by a function, where multiple users could generate the same events using the service; there was nothing tying a specific user to an event generated by the function, and the court were unable to tie one specific event to either the user directly before the event or after it had happened due to latency.

While this is more a failing of design, it is also a failure of interpreting the evidence and checking how the function worked.

 
Posted : 13/06/2018 4:23 pm
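
The attribution problem described in the post above, as an added example that is not part of the original thread: given a front-end log that names the user and a back-end event log that does not, it lists every user whose request could explain each event within a latency window and compares that with the naive "last request before the event" guess. The log layout, user names, timestamps and latency bounds are all constructed assumptions.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S.%f"
# Constructed sample data, not from any real case. REQUESTS is a front-end log
# that records the user; EVENTS is written by a shared back-end function that
# records no user identifier.
REQUESTS = [("alice", "2018-06-13 10:00:00.200"),
            ("bob", "2018-06-13 10:00:00.900"),
            ("carol", "2018-06-13 10:00:05.000")]
EVENTS = [("evt-1", "2018-06-13 10:00:01.100"),
          ("evt-2", "2018-06-13 10:00:05.300"),
          ("evt-3", "2018-06-13 10:00:09.000")]

def parse(ts):
    return datetime.strptime(ts, FMT)

def nearest_preceding(event_ts, requests):
    """Naive attribution: the user of the last request before the event."""
    earlier = [(parse(ts), user) for user, ts in requests
               if parse(ts) <= parse(event_ts)]
    return max(earlier)[1] if earlier else None

def candidates(event_ts, requests, min_latency, max_latency):
    """Every user whose request could have produced the event, i.e. whose
    request precedes it by between min_latency and max_latency."""
    e = parse(event_ts)
    return sorted({user for user, ts in requests
                   if min_latency <= e - parse(ts) <= max_latency})

def attribute(events, requests, min_latency, max_latency):
    """Map event id -> (verdict, candidate users, naive guess)."""
    report = {}
    for event_id, ts in events:
        users = candidates(ts, requests, min_latency, max_latency)
        verdict = ("attributable" if len(users) == 1
                   else "ambiguous" if users else "unexplained")
        report[event_id] = (verdict, users, nearest_preceding(ts, requests))
    return report

# Assumed latency bounds; on a real system they have to be measured.
LATENCY = (timedelta(milliseconds=50), timedelta(seconds=1))

if __name__ == "__main__":
    for event_id, row in attribute(EVENTS, REQUESTS, *LATENCY).items():
        print(event_id, *row)
```

Only an event with exactly one candidate supports a statement about who caused it; the naive guess names a user for all three sample events, including the one no request can explain.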
ArsenalConsulting
(@arsenalconsulting)
Posts: 49
Eminent Member
 

I guess what I'm curious here is, unlike DNA and finger marks, I don't seem to be able to find any high-profile cases where DF evidence has been crucial and it turned out to be bad. Would Operation Ore be an example (although is this more procedural as opposed to digital evidence misinterpretation?)…

Would really like to gather some examples if anyone has any?

You haven't heard of the Turkish Sledgehammer and Ergenekon cases, or you are looking for cases specific to the UK? Sledgehammer and Ergenekon are probably the best examples (by far) of what can happen when electronic evidence tampering is combined with multiple rounds of inadequate digital forensics. Digital forensics reports with seriously flawed conclusions were used to support the indictments and continued incarceration of well over 500 individuals in those cases. We have done our best to document the technical aspects of one of these cases (specifically, the portion of Ergenekon involving the media organization Odatv) as we have time between casework and software development. There is an enormous amount of information we haven't published yet, simply due to lack of time, but Google will keep you quite busy until we get there.

Mark Spencer, President
Arsenal Consulting, Inc.
ArsenalExperts.com
@ArsenalArmed

 
Posted : 13/06/2018 6:18 pm
watcher
(@watcher)
Posts: 125
Estimable Member
 

I suppose it depends upon your perspective. On a number of occasions the forensics did not produce the "desired and expected" evidence the powers-that-be wanted.

Personally I don't call that a fail, but some very powerful people disagreed.

 
Posted : 13/06/2018 7:24 pm
(@athulin)
Posts: 1156
Noble Member
 

I guess what I'm curious here is, unlike DNA and finger marks, I don't seem to be able to find any high-profile cases where DF evidence has been crucial and it turned out to be bad.

Your restriction on 'high-profile' seems to limit the moment when 'it turned out to be bad' to very late in the judicial process, and probably at a time when the process had become public.

I suspect that in many cases points of contention are discovered and avoided as early as possible: possibly ambiguous digital evidence is replaced with definite evidence for something else. It simplifies the case, as long as the remaining evidence is strong enough.

It would, thus, be interesting (from a 'meta-forensic' perspective) to understand when that has happened, and with what effect. Particularly if the digital evidence was partially flawed in some respect.

However …

The Pirate Bay case in Sweden (2008) had a very surprising moment, when something like half of the charges were dropped (those related to copyright infringement?), because the prosecutor could not show that torrent files in evidence actually used the PB tracker. (I may misremember actual details of what was dropped – but there certainly was a major moment of surprise early in the case that caused a lot of discussion.)

It probably doesn't fit the 'crucial' restriction completely, as the case went on.

 
Posted : 13/06/2018 7:25 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I guess what I'm curious here is, unlike DNA and finger marks, I don't seem to be able to find any high-profile cases where DF evidence has been crucial and it turned out to be bad.

This goes right along with some things I've been looking at myself over the past few years.

While not "high profile" cases, I have to wonder, particularly in the private/commercial sector, who determines "quality" in a DFIR report?

Again, not "high profile", but when a consulting organization responds to an incident or performs even a small modicum of DF analysis (one image, or just logs), who determines 'quality'? If logs are sent to an expert for analysis, who determines the quality of the findings or report?

Over my career, I've seen a number of reports where, once I get past issues of spelling and grammar, I can see that everything was done poorly from the beginning…data collection, analysis, documentation of findings, reporting…all of it.

Yes, I know that in the private sector especially, there are instances where the analyst has little say over the data that they're provided; however, I have seen a number of cases where analysts have either run a data collection script, or sent it to the client to run, and that script is where things start going 'bad'.

So…who determines the "quality" of a report?

 
Posted : 14/06/2018 1:00 pm