This has devolved into a flamefest…
I'm not sure I'd agree we're there yet but certainly we all need to make sure it doesn't develop in that direction. I actually think this is a very interesting discussion and welcome further input from all involved.
Jamie
U2bigman,
I didn't see this turning into a flamefest until you started disparaging LE and I think you did unfairly disparage a lot of good people. I don't know how many LE examiners you have talked to or dealt with, but your impression of them generally is far different than my experience. I've worked with about a dozen and every one of them has been a true professional as interested in finding the truth as me. I have never seen a holier-than-thou attitude or been talked down to. Yes, there have been times when they were sure about something and testified to that effect but when shown conflicting proof which they could duplicate, they have corrected themselves. They are humble and deserve a bit more credit than you are willing to give them.
The technology is complex and we can argue all day about the esoteric possibilities of how a sophisticated hacker could frame someone and fool the average LE examiner. You have to remember, these are people who spent the greatest part of their lives learning investigative procedures, evidence handling and presentation, application of the law, interrogation techniques, etc. rather than computer science. They are migrating into this field and are learning as much and as fast as they can, but they will be the first to (humbly) admit they don't know everything and we can't expect them to.
Based on my experience, I know LE examiners want to learn as much as they can and be better examiners. I know they don't like being fooled or to accuse an innocent person of a terrible crime. That is why I'd rather that, instead of disparaging the character and attitude of these people as a whole, we assume the majority wants to learn and be better at the technology. And we should all, on both sides of the fence, share our ideas and knowledge on this forum to do just that.
"The technology is complex…"
That would appear to be the core problem. I would even go so far as to label it insurmountable. How long would it take to transform, say, a master guitar-maker into a professional LE type? Varies, probably, but it for sure would take more than a few courses and two or three years OJT.
Now, let us take an experienced peace officer– at whatever level– who has spent decades performing the tasks oldtech listed. Put him through a series of classes, let him play around with EnCase or other forensic products, then turn him loose.
Our newly-minted forensics agent might be forgiven if he viewed the output of EnCase as being assumptively identical to (for example, I claim no expertise in this area) forensic accounting. "We can show that the defendant syphoned money from client accounts and used that money to fund evil things." The totality of all such circumstantial tidbits adds up to a conviction.
Yet… and THIS is the issue… digital "forensics" is not forensics in any sense of the term. EnCase produces impressive reports but these reports are predicated on, well, something other than irrefutable facts. Put it another way: every single number, byte, action produced by "digital forensics" can be modified, sometimes with next to no effort. Unlike bank records, or fingerprints, or whatnot, "digital forensics" can offer at best a guess. Perhaps an educated and good-faith guess but still a guess.
And that is what I never see LE admit. Has any LE examiner ever testified under oath something like "Digital forensics reports that the defendant downloaded and stored on his personal laptop, 2412 images of CP… however, our profession's code of integrity requires that we state that no one can prove that the defendant did in fact download these images. Nor that he even knew of their existence. There are methods such as [fill in the blank] which would account for the presence of these files on the defendant's laptop."
Of course it could be argued that this is not the prosecution's job. The defense attorney is supposed to advocate such facts. But if LE knows their testimony to be other than absolute, does testifying under oath not look a lot like perjury? Then, who is the Bad Guy? And to break the law to enforce it is, well, ask the Soviets how that worked out.
These are only my thoughts. Some buddies and I have been kicking around the idea of a forensics consulting business. We have the money for a nice lab, our tech skills are pretty good– read none of us has a life– but we want to be sure we are grounded in the realities before we start spending money.
Thanks for all your input.
u2bigman,
Your point that bits and bytes can be manipulated with the necessary skill/toolset is perfectly reasonable. The suggestion that digital forensics is not "forensics" in the sense of other forensic sciences is less easy to support.
As I understand it, your main concern is that digital forensics cannot prove beyond any doubt whatsoever that (for example) a particular person did a particular thing at a certain time. I think that's an understandable concern if we believe that such a conclusion is typical of those reached in other forensic disciplines. In reality, I don't think that's the case, nor is it the standard of proof required in court. Without the ability to travel in time and space we have to accept that forensic work is necessarily interpretation of evidence and conclusions as to the likelihood of past events based on that interpretation.
Take two common areas of forensic work outside the digital sphere, for example fingerprinting and DNA. We don't need to dig too far into the past before accepting that neither of these disciplines necessarily provides proof beyond any doubt of a particular sequence of past events (take the cases of Shirley McKie and Madeleine McCann for example). Now, you might counter "Hold on, those cases are examples of procedural flaws or misinterpretation of evidence, the underlying science is bulletproof", yet that still doesn't mean that we can know for sure in all cases exactly what happened in the past. Just because my fingerprints or DNA are found at the scene of a crime does not mean that I beyond any doubt left them there; you could argue that planting such evidence is actually much easier to do than manipulating bits and bytes to implicate me electronically.
Of course, the standard of proof required in the courtroom is not beyond any doubt but is typically on the balance of probabilities or beyond reasonable doubt depending on the type of case and jurisdiction. Were we to wait for cases to be proved beyond any doubt whatsoever the legal system would be a very different beast.
I don't want to be seen as dismissing your concerns entirely - I suspect most of us know where you're coming from and depending on where we happen to find ourselves on the planet share similar concerns to a greater or lesser degree. Certainly there is legislation out there which makes me uncomfortable and I think you're right to question/criticise it when you see the same thing. There are also examiners who fail to appreciate the nuances of forensic work and deserve to be criticised for the type of mindset you've described. With that said, painting examiners with such a broad brush is unfair (in my experience) to the vast majority.
It's sometimes tempting to look at the precision of digital evidence, the fact that at the lowest level something is either a one or a zero, and assume that conclusions drawn from that evidence can be equally certain. Most examiners know that's not the case and appreciate that any evidence found needs to be seen in the light of the electronic crime scene as a whole, as indeed digital evidence needs to be seen in the light of the entire case.
Digital forensics is a process which sets out to reach reasonable, rather than definite, conclusions based on the evidence and it seems to me that's a goal shared by all forensic disciplines. It might not provide certainty in the absolute sense, but it is forensics.
Jamie,
Very, very well said!
U2bigman and others considering getting into computer forensics,
Can an average person, say a patrolman or computer tech, be made into a master computer forensics examiner? Yes, but the key requirement is infinite interest and passion. If the techie person thinks they might like to do it because it looks "interesting" or if the patrolman thinks they'd like to learn it because it will give them something to do after they retire, they will not become the masters like you expect. A few hours of training and turning loose with Encase or FTK won't cut it for anyone. In order to do well in this field, you have to constantly want to eat, sleep, breathe, read and experiment with anything to do with computers and forensic examinations. Granted it's easier if you have some programming or computer background, but anyone with sufficient determination and intelligence can learn it. But, regardless of your background, you must have a passion and insatiable desire to learn everything about it.
I'm a private pilot too and there is a saying amongst pilots, "A good pilot is always learning." That is especially true for computer forensic examiners. Unless you are passionate about the field, and willing to constantly learn as much as you can about it, you shouldn't get into it whether LE or private. But once you get into it, we need to help each other learn as much as possible and support each other.
Jamie, thanks to you and the whole Forensic Focus team for providing us this forum.
As an examiner who specializes in defense work, I work opposite LE examiners a lot. I have found all of them to be very competent and cautious individuals who are doing their jobs quite well.
I have even developed friendships with my counterparts in some cases and I am at least on a cordial basis with all of LE I have worked opposite.
If you are wondering about working on the defense side, I suggest you read my blog.
As far as the "Ukrainian wiz kid who bots the computer," read my post and also Harlan's post on his blog regarding the Trojan Horse Defense.
Being a forensics examiner is far more than knowing some IT or hacker stuff. And anyone who depends only on what the automated tools can produce as "evidence" should not be practicing on either side of the aisle as they are doing people harm.
u2bigman,
Your reference to the previous quote "The technology is complex…" and your observations on this statement show that your main interest in the subject is financial. The term 'forensic' means pertaining to law and I see no logic in your statement that digital forensics is not forensics in any sense of the term. If an examiner stood on the stand and mitigated their findings by adding the disclaimer you propose, they would indeed be acting in a non-forensic manner, as this would not be assisting the court to understand the evidence.
Digital forensics is a very complex but exciting area to work in, I for one am pleased that the complexity of the subject means that most people are not attracted to the job for the money but rather for the challenge and the sense of worth gained when your efforts contribute to expanding the knowledge base of the subject. Your insinuation that all forensic examiners are guessing in good faith is frankly ridiculous. If this is the case, I think you should start a company that has one agenda, to prove that no case can be proven using digital forensic evidence.
Thanks for your input,
Neddy