It’s not always what you find…

by Sam Raincock, IT and telecommunications expert witness

In digital forensics we are often asked to determine the presence of evidence. However, what happens when we do not find anything? How do we prove something wasn’t there? Proving something is present is generally a trivial problem – you find it, it’s there. Of course the complex part is explaining how it came to reside on a digital device and the circumstances surrounding it… that’s what the field of digital forensics is all about. However, we are also asked to comment on whether something isn’t there and/or was never there. Take the following for example:

· Examine this laptop and establish if it has accessed the website http://www.forensicfocus.com.

· Examine this mobile telephone and determine if it sent a text message with the content “Forensic Focus”.

Let’s look at the first example. In the event there is “no evidence of access to http://www.forensicfocus.com found”, what remains is proving (or commenting on) a negative. However, just because you do not find any evidence of connections to the site, does this imply no connections ever occurred?

There are three main possibilities to consider. Firstly, the techniques used in your examination were not capable of finding the evidence even though it is present. For example, to put it simplistically, if an initial examination looks only at the live Internet history, it is possible that a subsequent examination could recover some deleted Internet history and establish further evidence.

Secondly, you did find the evidence but were unable to determine how to interpret it so you didn’t establish its meaning. For example, you found a partial registry file in deleted space but did not have the knowledge to interpret it and extract the evidence.

Thirdly, there is no evidence on the device of any connections occurring to http://www.forensicfocus.com. So no connection ever occurred?

Even in the last situation, on a computer the absence of any evidence is often not evidence that it was never present. This is because data on a computer can be deleted and overwritten. Hence, it is possible that an event occurred but evidence of it is no longer available.

It’s not what you find, it’s what you don’t find

In the process of reviewing evidence reports, I often see statements made about something not being present or the inability to do something:

1. No video files were stored on the mobile telephone.

2. It’s not possible to determine how the files found in Shadow Copies came to reside there.

3. At 15:00 no activity was occurring on the computer.

4. There is no occurrence of the word “Forensic” on the memory card.

What do these statements actually mean? And more importantly, how will they likely be interpreted by a legal professional?

Let’s look at the first statement. “No video files were stored…” It’s a strong statement that in its current wording would likely be interpreted as factual by a legal professional, i.e. there are no video files. What happens when another examiner analyses the device using a different examination technique or software and finds video files? It would give rise to an interesting case conference!

Let’s also consider points 2 to 4 from the above list:

· “It is not possible to determine how the files found in Shadow Copies came to reside there.” So why is it not possible? Because in the past, we didn’t know how to do it! However, it was not impossible – it was just that the writer did not know how to interpret the evidence they were examining.

· “At 15:00 no activity was occurring on the computer.” This statement may be true if you can prove it wasn’t switched on. However, what about a computer that is running, but you have not found any evidence (yet) around the time of interest? In this example, what would happen if a user was editing a Word document that they created at 13:00 and finished working on at 17:00?

· “There are no occurrences of the word ‘Forensic’ on the computer.” What about if you search for “ForensicFocus”? Will the search terms you use return different results? In this example, depending on the search heuristic being implemented, will your results differ?

Dealing with a negative finding

The ability to deal with a negative finding is what is important. It is my belief that the report produced should use appropriate language to describe what is meant by not finding something. This makes the significance of a negative finding clear to the reader, as well as protecting the writer in the event their original statement is disproven. To do this you firstly need to consider what your negative finding means. Why have you not found the evidence? Could you examine the device further and find a partial file? Could someone else? Are the search terms you used the reason why you have not found what you were looking for? Do you trust the completeness of any scripts you are using?

Let us take a case scenario where an examiner is asked to find sound recordings on a mobile telephone. Furthermore, let us say that the telephone was examined and it was concluded that it did not contain any sound files. The telephone was then re-examined by another examiner who, using different techniques, concluded that a deleted sound recording was present but that it was not possible to date its creation. A third examiner analyses the evidence, finds the sound recording and determines that it is possible to date the original sound file. The first two examiners each concluded a negative, and both have been disproved. What happens now to the rest of the evidence originally presented by those two examiners?

So how can things be phrased to protect the examiner and also to provide a more objective view?

“I did not find any occurrences of ForensicFocus” may become “The searches X, Y, Z I performed using A did not find any occurrence of ‘ForensicFocus’.” You could explain the search process in your background information section so that it is clear what this process may or may not find.
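To make the two points above concrete (that the search heuristic decides whether a term is found, and that the report should name the searches actually run), here is an added Python example that is not part of the column: it runs one constructed byte buffer through four search heuristics for the same term and phrases the outcome in the recommended form. The sample bytes, the method names and the wording in `report_line` are all assumptions made for this illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of raw bytes, standing in for unallocated space on a device.
# Not real case data. The same word appears in three different encodings/cases.
SAMPLE = (
    b"GET http://www.forensicfocus.com/ HTTP/1.1\r\n"   # lower case, no space between words
    + b"\x00" * 8
    + "Forensic".encode("utf-16-le")                     # UTF-16LE, as Windows stores many strings
    + b"\x00" * 8
    + b"Subject: FORENSIC FOCUS\r\n"                     # upper case ASCII, with a space
)


def methods_for(term: str) -> List[Tuple[str, re.Pattern]]:
    """Four heuristics an examiner or a tool might apply to one search term (assumed set)."""
    ascii_term = re.escape(term.encode("ascii"))
    return [
        ("ascii, case-sensitive", re.compile(ascii_term)),
        ("ascii, case-insensitive", re.compile(ascii_term, re.IGNORECASE)),
        ("utf-16le, case-sensitive", re.compile(re.escape(term.encode("utf-16-le")))),
        ("ascii, whole word, case-insensitive",
         re.compile(rb"\b" + ascii_term + rb"\b", re.IGNORECASE)),
    ]


def run_searches(data: bytes, term: str) -> Dict[str, int]:
    """Hit count per heuristic. A zero is a negative finding for that method only."""
    return {name: len(pattern.findall(data)) for name, pattern in methods_for(term)}


def report_line(term: str, results: Dict[str, int], tool: str = "regex search (constructed)") -> str:
    """Phrase the outcome as the column suggests: name the term, the tool and every method run."""
    found = [f"{name} ({count})" for name, count in results.items() if count]
    missed = [name for name, count in results.items() if not count]
    if not found:
        return (f"The searches {', '.join(missed)} I performed using {tool} "
                f"did not find any occurrence of '{term}'.")
    line = f"Searches using {tool} found '{term}' with {'; '.join(found)}"
    if missed:
        line += f"; the searches {', '.join(missed)} did not find it"
    return line + "."


if __name__ == "__main__":
    for term in ("Forensic", "ForensicFocus"):
        results = run_searches(SAMPLE, term)
        print(results)
        print(report_line(term, results))
```

Run as-is, the case-sensitive ASCII search reports zero hits for both terms while the other heuristics find one or two, which is exactly the situation the column warns about.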

“No activity was recorded on the computer at 15:00” may become “The examinations I performed did not find any evidence of activity at 15:00. However, it should be noted that the way in which a computer operates means that…”. You could discuss how the absence of information does not prove an event did not occur – perhaps give an example that people can relate to, something like the editing of a Word document and the evidence this may produce.

There is nothing to see here, please move on!

Two things I personally consider before starting any statement: 1) there are people smarter and more knowledgeable than me, and 2) very few things are impossible – we just don’t know how to figure them out yet. I then start writing…

After that, my advice is to review the meaning and ensure the avowals you make (or are present in your report templates) are not open to misinterpretation.

So, the next time you are asked to consider if a device contains anything of evidential value and your examination fails to uncover anything of interest, would you really write “Nothing of evidential value was present on this device” in your report?

Sam Raincock Consultancy operates throughout the UK and Ireland providing IT and telecommunications expert witness services, training and IT security consultancy.

Sam specialises in the evaluation of digital evidence, from the analysis of telephones to determining the functionality of software systems (and almost anything in between). She also provides overview assessments of cases, considering different sources of evidence in the context of a whole incident to highlight inconsistencies, particularly those arising from digital devices. Sam can be contacted directly on +44 (0)1429 820131, sam@raincock.co.uk or http://www.raincock.co.uk.