First, the defense is entitled to examine witnesses, evidence, etc. If the prosecution introduces evidence obtained through the use of tools which are only available to LE, I would submit that a good case could be made to exclude this on the basis that the defense has no ability to question the reliability of the tool or of the process by which the evidence was obtained.
I can never understand this argument. First of all, I cannot think of any evidence that could be produced using one tool that could not be obtained either manually or by another tool. Surely, say for example I produce evidence using Encase that is (let's pretend) only available to Law Enforcement, then a Defence examiner could examine that same data and confirm or refute it using, say, FTK. The fact that evidence is produced using a tool you can't get should be irrelevant. There are many ways to confirm it is right (or wrong). If this was to be taken to the extreme, what happens where an examiner who uses Linux based tools (or indeed self produced programs) is asked to report on a report produced using Windows based tools? Does he have to go out and buy the same tools as the initial examination to confirm or refute the evidence?
Friends of mine are L.E. and they have an opinion that Digital Forensics should be a restricted area, because they think "bad guys" should not be advised of tricks to prevent detection in digital crimes. Hence, lots of tools, such as COFEE?, should be restricted from the public.
I am an LE examiner and most of my time is spent doing CP. When I conduct an examination I act as an independent examiner. I do not just look for evidence to prove the suspect committed the offence but I also look for evidence to say he/she didn't. I have no time at all for Child abusers but my role is the administration of justice. Can you think of anything worse than being branded a paedophile when you are not, just because somebody couldn't be bothered to do their job right and was only interested in data that said you had this stuff on your computer and didn't bother making sure it was you who put it there? I get as good a feeling proving someone innocent as proving someone guilty.
As for defence experts, I have never yet come across one who was less than honest and told the truth. In the majority of cases this means confirming the evidence produced as correct. To support this I can say that in 10 years as an examiner, dealing with approx 75 CP jobs a year, I have never actually had to go to full trial, as where disputes have occurred, following discussions with the defence, we have always had Guilty pleas (and no cases were dropped, before you ask).
I personally cannot see any problem with letting both sides have access to all tools. At the end of the day, if the evidence is there it is there. If it's not, it's not.
As for a defence expert who produces a report ignoring evidence of guilt and reporting only evidence to dispute allegations and cloud the issue with the intention of getting a client off regardless of guilt or not, well, that's up to them to live with.
The only way to be is open and truthful, whether that be good for the prosecution or bad for the prosecution, good for the defence or bad for the defence, or am I living in my own little dream world?
Totally agree with what mark777 posted.
I think all ethical forensics examiners should produce the same report regardless of their capacity. Remember, a good professional should be independent and tell nothing but the "Truth"… Right?
This is a favourite dispute of a lot of university lecturers. Let the students discuss it and see if there is an easy answer. I'm of the opinion that ALL expert witnesses (regardless of expertise) should be appointed by the court. One computer forensic expert per case appointed by the court should help to stop confusion later on. It would also help to stop competitive behaviour, the expert putting his/her own selfish interests of 'winning' above that of those in the case.
I know that this is the exception rather than the rule but I don't see why tax payers should foot the bill for the prosecution work and then for the defense work, essentially paying out twice. What a waste especially with some of the rates I've seen some experts charge…
This is a favourite dispute of a lot of university lecturers. Let the students discuss it and see if there is an easy answer. I'm of the opinion that ALL expert witnesses (regardless of expertise) should be appointed by the court. One computer forensic expert per case appointed by the court should help to stop confusion later on. It would also help to stop competitive behaviour, the expert putting his/her own selfish interests of 'winning' above that of those in the case.
I know that this is the exception rather than the rule but I don't see why tax payers should foot the bill for the prosecution work and then for the defense work, essentially paying out twice. What a waste especially with some of the rates I've seen some experts charge…
special masters ftw!
First, the defense is entitled to examine witnesses, evidence, etc. If the prosecution introduces evidence obtained through the use of tools which are only available to LE, I would submit that a good case could be made to exclude this on the basis that the defense has no ability to question the reliability of the tool or of the process by which the evidence was obtained.
I can never understand this argument. First of all, I cannot think of any evidence that could be produced using one tool that could not be obtained either manually or by another tool. Surely, say for example I produce evidence using Encase that is (let's pretend) only available to Law Enforcement, then a Defence examiner could examine that same data and confirm or refute it using, say, FTK. The fact that evidence is produced using a tool you can't get should be irrelevant.
Sorry, but I disagree and I think that the Courts might as well. I would agree that in most cases, the same data could be obtained using multiple tools, but not always. For example, at least one product which is currently only available to LE is a software package that identifies anti-forensics tools on the basis of their signatures. Now, on the basis of the output of that tool, the prosecution claims that they found a signature for an anti-forensics program but they cannot disclose that signature because that information is only available to LE. How can the defense respond?
Supposing that two investigators using different tools come up with different hashes or a different total byte count during acquisition (this has actually happened due to flaws in either software or in the hardware device acquisition tool). I claim that the fact that your byte count is lower or your hash is different is an indication of spoliation but you can't verify (or dispute) my findings because you can't replicate what I have done. In a civil court that is one thing but in criminal court if I were an expert for the prosecution, I would expect the other side to argue adverse inference.
I was actually involved in a case where one side presented what they argued was a "fingerprint" for disk wiping activity, based upon a statistical analysis of the pattern of bits on the drive. The judge took the position that the output of the tool was the witness, not the expert, and that I had the right to examine the tool and attempt to replicate the findings, myself, or the testimony would not be admitted.
A researcher from Princeton has developed a number of tools which aid in the detection of whether digital images have been altered. To be fair, the theoretical basis for these tools has been published and the tools are not restricted to LE, however, if they were restricted to LE and if the output of the tool is not raw data but a computer generated statistical probability that the image had been altered, I'd advise my clients to either demand the opportunity to validate the tool or move to exclude the evidence.
Suppose I have a tool which, I argue, can break any encryption scheme so I sweep an area of UA on your computer, run it through my software, and come up with documents on how to make WMDs but you aren't allowed to test the reliability of my software on documents that you have encrypted because the use of these is limited to Gov't or LE?
These are just a few practical examples (I can think of others), where it may be important to verify that the tool was used properly and properly configured.
There are many ways to confirm it is right (or wrong). If this was to be taken to the extreme, what happens where an examiner who uses Linux based tools (or indeed self produced programs) is asked to report on a report produced using Windows based tools? Does he have to go out and buy the same tools as the initial examination to confirm or refute the evidence?
If there is no disagreement between experts that the output of one tool has been replicated using another tool, fine. What I am saying is that I have been involved in cases where two experts disagree not simply on the conclusions, but the underlying data.
This is a favourite dispute of a lot of university lecturers. Let the students discuss it and see if there is an easy answer. I'm of the opinion that ALL expert witnesses (regardless of expertise) should be appointed by the court. One computer forensic expert per case appointed by the court should help to stop confusion later on. It would also help to stop competitive behaviour, the expert putting his/her own selfish interests of 'winning' above that of those in the case.
I know that this is the exception rather than the rule but I don't see why tax payers should foot the bill for the prosecution work and then for the defense work, essentially paying out twice. What a waste especially with some of the rates I've seen some experts charge…
This would be like the court only allowing one attorney per case. Would he just argue with himself?
The reason you need two experts is to balance the scales. The prosecution always has an expert. The defense has to figure out how to get one on their side and get them paid. I have no idea what experts charge in the UK, but I do know as an independent expert, someone has to pay for me to stay in business. I would be willing to bet that the state is paying more for the prosecution expert per hour if you figure out the true cost of maintaining a staffed forensics lab. I would imagine the hourly rate would be about the same or higher than a "hired" expert.
Here's how to figure out your true cost for a state expert: Take the total cost of the lab, including the building, utilities, staff, benefits, etc. to get the fully loaded cost, multiply the total number of staff that actually works as an examiner times 2080 hours per year (don't include non-examiners in the hours since they are part of the overhead cost), extract out the total number of vacation and sick hours allowed.
Now take the total overhead cost / (the actual available working hours for examiners * .85 for 85% efficiency).
So if you have 4,160 hours available less 360 hours for sick / vac days, you could bill 3,800 at 85% efficiency or 3,230 billable hours. If your fully loaded cost is 300,000 then 300,000 / 3,230 is 93.00 per hour just to pay for overhead.
Of course that number is unrealistic since you can't really even be 85% efficient unless you can run multiple workstations per examiner. Otherwise you spend a lot of time waiting for the computer to process and you can't bill for that. At least most examiners don't. I would venture that 50% efficiency is a more realistic number.
This is how it is done on the private side, except that you have to put in enough to pay taxes, advertising and provide a return on investment for the money put into the business.
So you have to almost triple it to get to where you are making a modest profit at 250.00 per hour in this instance.
And that is assuming you have enough cases and enough workstations to be able to bill 85% of your working hours.
That is why outside experts appear to cost so much on an hourly basis.
seanmcl
Sorry, but I disagree and I think that the Courts might as well. I would agree that in most cases, the same data could be obtained using multiple tools, but not always. For example, at least one product which is currently only available to LE is a software package that identifies anti-forensics tools on the basis of their signatures. Now, on the basis of the output of that tool, the prosecution claims that they found a signature for an anti-forensics program but they cannot disclose that signature because that information is only available to LE. How can the defense respond?
I can see what you mean, but would it not be possible for the defence to obtain these anti forensics tools and conduct their own examination to determine the signatures by other means? The main benefit of being allowed access to the same tool would be speed of the examination. If your examination disagreed with the prosecution findings you would have the data to form a basis for argument; if it agreed with the prosecution findings you would be validating them.
I don't know the system in the USA, but in the UK if we told a Court we had evidence that the suspect was guilty but we were not able to disclose it so they would just have to believe us, then that evidence would never be allowed to be heard anyhow, in which case the actual tool used would be useless anyhow.
I was actually involved in a case where one side presented what they argued was a "fingerprint" for disk wiping activity, based upon a statistical analysis of the pattern of bits on the drive. The judge took the position that the output of the tool was the witness, not the expert, and that I had the right to examine the tool and attempt to replicate the findings, myself, or the testimony would not be admitted.
I agree with the Judge on this.
Suppose I have a tool which, I argue, can break any encryption scheme so I sweep an area of UA on your computer, run it through my software, and come up with documents on how to make WMDs but you aren't allowed to test the reliability of my software on documents that you have encrypted because the use of these is limited to Gov't or LE?
Theoretical scenario surely but I think the response from the Courts should be the same as the previous quote.
A researcher from Princeton has developed a number of tools which aid in the detection of whether digital images have been altered. To be fair, the theoretical basis for these tools has been published and the tools are not restricted to LE, however, if they were restricted to LE and if the output of the tool is not raw data but a computer generated statistical probability that the image had been altered, I'd advise my clients to either demand the opportunity to validate the tool or move to exclude the evidence.
Again a theoretical point as the tools are available and the theory behind them is published but again I agree with your comments re the opportunity to validate.
What I am saying is that I have been involved in cases where two experts disagree not simply on the conclusions, but the underlying data.
Was this case one where one of the tools was found to be wrong, or was it a difference of opinion and interpretation by two different experts? I think it's fair to say that if you have four experts examine the same data you will get at least two different opinions.
From your previous posting
Finally, and most importantly, there is a great deal of information which is simply not published and through the exchange of knowledge acquired from forensic examination and experimentation, our profession is constantly enhancing its knowledge base. This knowledge comes from both the LE and private sector forensics communities and I'd venture to say that neither community would be as successful without contributions from the others. The benefit of this open exchange of knowledge, I believe, far outweighs the risks of such knowledge being used for nefarious purposes, IMHO.
Absolutely agree one hundred percent. This is the main reason I personally think these open forums are such a great place where both "sides" can communicate and share knowledge. Like I mentioned previously
Just need to point out that I wasn't disputing how much experts charge, all I was saying is that the overall cost of cases is very high and this could be one way to stop tax money being "needlessly" spent.
I also agree with the whole 'balance' issue but if only one expert was assigned, appointed by the court, who was under no pressure one way or the other, surely they would produce a report that is free from any bias (intended or unintended).
I honestly don't see what the problem is seeing as expert witness' first duty is to the court, not the client.
I honestly don't see what the problem is seeing as expert witness' first duty is to the court, not the client.
Yes, but most expert witnesses are human and as such are fallible. The reason we use the adversarial system is because it's been found to be very effective at testing theories/ stories/ interpretations. I welcome critical review of my work, it makes me a better examiner.
Yes, but most expert witnesses are human and as such are fallible.
Most? LOL.
I agree, it's important to have critical reviews of one's work but the adversarial nature of expert witnesses is as damaging as it is beneficial.
The other thing that I've been looking at recently is for some kind of CF arbitration process for private cases. Although this won't affect LE it is still something that I think will be worth looking at in the future to help companies avoid lengthy disputes in the court over computer evidence.