—–As a query about forensic reliability and accuracy
.
- During the acquisition process and the harvesting of the data acquired is there/ has there been anything lost in translation of the data itself at first instance? If the IMSI you have recovered from flash memory is presented along with call logs etc, how do you know that those call logs relate to that IMSI and not another IMSI?
.
As a query about evidential weight and value
.
- What weight can be given to the recovered IMSI being directly associated with those call logs? Moreover, what value is there in using such potentially uncorroborated evidence assigned to the recovered data being presented as evidence?——
I know there may be some use for doing it but does this mean that it is still the same playing field,in that, the deleted data from mobiles is all well and good showing ones skills and know how in retreiving such material but there still has to be a very measured consideration as to how much emphasis this material brings to the case?
I still remeber a practitioner telling me that he did a chip off and other such wizardry and found all sorts of phone numbers and parts of text messages along with other IMSI numbers,and I thought then (as I do now) so what! my defence to this could be (along with many other excuses) that the IMSI at this point in the read out cannot be properly laid to some sms's further down the read out and they could actually be aligned with another IMSI altogether which has not been recovered here.
What evidential weight can be properly put to a court and does anybody have any good examples for/against.
I know of a colleague of mine who spent the best part of a day examining and (finally ) producing a report which included several pictures that he thought could be important to the job, however he couldnt answer some important questions as the hex dump wouldnt tell him,how the pictures got onto the device as it will not display the path etc,-bluetooth?wi-fi? took the picture himself?.
nor could the hex tell him how long the pictures were on the device,when they went on,when they were deleted,with no identifying features in the photograph they ended up as simply unused.
I appreciate with some photos it could be beneficial but multi IMSI's, text strings etc….I'm not too convinced