How long will Computer Forensic Standards Last?

(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Topic starter  

A police officer switching ON a device that is already switched OFF at a potential crime scene should be an absolute no-no, according to Forensic bibles, case law etc. Indeed, even the Police's official release version of ACPO Guidelines categorically states for Crime Scenes Page 8/66

"• Do not, in any circumstances, switch the computer on."

Why does this matter? It is a flagrant breach of that principle when we see on "Cops on Camera" ITV 3 Saturday 8pm 4th July 2010 patrol car police stopping a car in Lewisham, questioning the driver about drug related matters (ok, to this point) and then the officer opens the boot of the car and in it he sees a laptop. Did the officer put the laptop in an evidence bag? Oh no, he switches ON the laptop.

The programme clearly demonstrated a major psychological flaw in the thinking of those who are generating evidential rules vis-a-vis evidential standards. The actions of the Police officer, who I do not think is to blame, actually, because you see the way he went about the task displaying little regard for the rules - which probably means he doesn't know them or they are not enforced properly.

Moreover, it certainly highlights the redundancy of ACPO Guidelines, because what is the point of promoting good practice principles and expecting them to be followed in the Lab and at Scene of Crime, yet when it comes to devices in cars or people walking along the street with devices then a wild-west approach of anything goes to deal with the evidence occurs.

Furthermore, it undermines s129 Criminal Justice Act 2003 reliability to seek overt declarations of change to data by ignoring the use of this wild-west approach and reduces the reliability of evidence to nothing more than speculative assumptions. This certainly reveals the slippery slope Lord Steyn raised when as Steyn HHJ R v Minors [1989] 1 WLR 441 he said “if computer evidence cannot be used, much crime would be immune to prosecution also”? For computer evidence to be used it has to be as reliable as possible, at first instance, and reflect the behaviour of the defendant, not the world and his wife who have also had a go at the computer.

(@braveheart)
Eminent Member
Joined: 16 years ago
Posts: 31
 

Adherence to the Forensic Standards is immensely important. I agree with trewmte that what was shown on ITV's "Cops on Camera" is of course a complete disregard and flagrant breach of forensic principles. It must be an eye opener towards the urgent need for proper education and training of all personnel and most importantly the enforcement of standards.

In the enthusiasm to establish the ownership of the laptop, the officer not only switches "ON" the laptop but surprisingly asks the driver to input the login password, which he fails after a few tries. It is clearly evident from the officer's action here that he is mostly concerned with dealing with the prevailing situation, i.e. to establish the laptop's ownership.

Let us imagine a scenario for example: this particular laptop is indeed owned by the driver and has been used for some criminal purpose and contains digital evidence as well as anti-forensic programs. On the pretext of proving the ownership, the driver after gaining access to the system triggers anti-forensic programs that destroy and wipe out vital digital evidence. From the officer's point of view, the ownership is established and case solved. But imagine if the said laptop goes on to become a vital form of digital evidence somehow and requires digital investigation. In such a situation a forensic analyst is only left with indirect circumstantial evidence that could be put to rigorous questioning, compared to good strong direct circumstantial evidence that can be a far more reliable basis on which to determine a verdict.

In scenarios such as the above one, it is possible to have sometimes more than one logical conclusion, inferable from the same set of circumstances. In such cases where one conclusion implies a defendant's guilt and another innocence, the "benefit of the doubt" principle would apply.

So, adherence to forensic standards will not only be helpful in acquiring stronger, more reliable digital evidence, but at the same time it will reduce the time and effort and the resultant outcome will be a just verdict.

harryparsonage
(@harryparsonage)
Estimable Member
Joined: 20 years ago
Posts: 184
 

Whoa there chaps!

Dealing with every computer on a "what if" basis is no way to manage digital forensics let alone any aspect of policing. If we were in a theoretical environment in which every enquiry could be conducted to the nth degree then that would be fine, but we are not.

I didn't see the program so I am talking in broad terms, but if a police officer seized a laptop in such circumstances suggesting it "might" be stolen and asked if we could examine it forensically my initial response would likely be no (my default as it happens!).

So a risk-based decision on the part of the officer to switch it on and see if he can ascertain if it belongs to the person in the car is not an unreasonable risk-based decision. If it was found to be stolen for example, the fact it was switched on would be unlikely to affect establishing ownership.

H

(@ravalert)
Eminent Member
Joined: 20 years ago
Posts: 21
 

My take will be (for such an instance, unable to prove ownership, unable to give proper account of the laptop, etc)
- so long as the actions are justified (if you can convince the judge/jury) and every act is documented and preferably conducted in the presence of the suspect. (No No to allowing the suspect to handle the laptop.)

This is my response for such a situation without any "what ifs" and without considering any legal factors that would say otherwise.

Of course, it will be better if the law allows you to detain him on suspicion of theft and get hold of an examiner to "preview" the information therein back in station. Again, justification is the word.

I believe that documentation and justification are very important, other than following protocols and procedures, be it computer related or not, in some scenarios, protocols and procedures may not be of top priority.

My 2 cents

(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Topic starter  

This discussion has generated differing views as to how people view computer forensics. So thanks for the replies guys.

RavAlert, I can see where you are coming from. I see the point being made by Braveheart about the dead-man's trap. I also see Harry's viewpoint. Given the 'patrol stop' led to the Officer dealing with a potential drugs issue was fine; the Officer handled the matter very well. But the laptop could have been connected with drugs, too. The Officer didn't really know. OK, today it is all hurry hurry hurry as people want results and find the quickest way to achieve it and it all looks very pragmatic to do this sort of thing.

However, as equally pragmatic, putting a laptop in an evidence bag is not asking the Officer to work to the nth degree. If the Officer had picked up a knife from the suspect's car, would the Officer then ask the suspect to put the knife in his hand, thus putting the suspect's fingerprints on the knife? No. The Officer would have put the knife in an evidence bag straightaway and linked up ownership later. Putting the laptop in an evidence bag without the Officer switching it ON is not difficult, it is not rocket science. But as I said I do not think the Officer is at fault here. Most have seen the programme and it clearly looks like the Officer was unaware of good practice. I don't mean to labour the point, but if the evidence bag was unnecessarily restrictive on the Officer doing his job, could he not have been taught to radio to the Nick indicating he had got a laptop and ask for any advice before switching it ON as he, the Officer, had probable cause to establish ownership?

If it is the case that in the forensics arena we must refine our thinking and approach to good practice, then so be it. But it has been well over a decade now for computer forensics and is it the case that no one has thought about the varying scenarios that can occur during seizure and properly recorded them? And, if it has been thought about and recorded, why has that NOT been clearly set out in ACPO Guidelines previously?

The world won't come to an end because of this matter, but if we remain silent or do not openly challenge bad practices, that style of conduct may be seen by others as tacitly agreeing with bad practice being used. That leads to dilution in, and maybe dissolution of, standards.

PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

I agree with Harry and had already posted something on my blog.

A bit of common sense is called for and we patently cannot send every single bit of digital media to a lab. If it was simply determining ownership then I think in some circumstances it is entirely appropriate and proportionate to turn the computer on, just as it might be to look through his SMS history. Put it another way: if they were to bag and tag the computer, should they have also dusted the car for fingerprints and stripped the potential subjects and sent the clothes off to be analyzed for drug traces?

Likewise turning a computer on is not the end of the world - over the 17 years I have been in this field I have seen quite a few that have been turned on by over-zealous officers and in not one instance has the actual evidence been contaminated such that the case has been lost (the actual evidence being the drug dealer's client list for instance). Yes it has meant that additional steps must be taken to determine what had happened, but in the same way as we can see whether the evidence on the computer supports a case for dealing we can also see if the evidence supports the officer's account - e.g. something like "I switched the computer on and looked at the profile name". If the computer also shows that the officer went on the internet then this can be questioned.

As for thinking about different scenarios, I was involved in training at Bramshill about 15 years ago where the students went into a mock-up house and were presented with varying scenarios (including a computer connected to the internet with someone at the other end about to run a wipe command if the computer was not disconnected quickly enough).

The issue seems to be one of training and we should not be castigating the UK police force based on the actions of a single officer - who in your own words "went about the task displaying little regard for the rules".

Given the amount of computer material seized the incidence of this sort of issue is tiny.

Storm in a teacup?

(@joeltharas)
Trusted Member
Joined: 16 years ago
Posts: 53
 

Very Good Discussion.

Joe.

(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
 

Paul, I agree with all your comments.
We have had several devices that have been accessed by enforcement staff and, as long as all the options are covered, it has not led to a change in the case outcome.

But surely, the following issue is that, if ACPO go to the effort of researching and publishing a Good Practice Guide on Computer based Electronic Evidence, it's very hard to then go back and support the use of common sense to say when those guidelines apply. The danger is that, if discretion is given to the guys at the sharp end on when the guidelines apply and when they don't, it's very easy to get "slippage". Is common sense too flexible a concept to apply to the analysis of digital devices? Is it possible for front line staff to make an accurate appraisal of when the guidelines should be followed or not? And is it asking too much of them to make those decisions?

And, Harry, just to add to your point, I completely understand your point about not having a full forensic exam of a laptop to establish if it has been stolen or not. But, again, the slippery slope is to say that the Guidelines only apply for more serious offences and for minor ones, it's OK for the front line staff to carry out their own, non-forensic examination. I am not sure if this is the road to go down. Imagine if this principle was applied to other areas of forensic science.

(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

"Rules are for the obedience of fools, and the guidance of wise men."
- Douglas Bader

binarybod
(@binarybod)
Reputable Member
Joined: 17 years ago
Posts: 272
 

Storm in a teacup?

Yes.

In the UK (where the ACPO guidelines originated) the ultimate arbiters on this at court are the Judges, who will weigh the probative value of any evidence against its prejudicial value and rule it unfair or not depending on the circumstances as per S. 78 PACE.

The ACPO guidelines are there to help this decision and in so doing help inform those who have to apply the guidelines to any given practical situation.

It matters not how serious the case is, anyone flouting the guidelines runs the risk of having any evidence subsequently obtained ruled unfair and thereby losing it. This is a risk management decision. The more extreme the action the greater the prospect of losing the evidence - simple.

Breaching the guidelines is not unlawful so there's no need to blow a fuse if some officer decides to turn a laptop on to see if he can determine the owner. It is a matter for the officer to answer any questions as to why it is that POTENTIALLY valuable evidence MIGHT be lost. Don't forget that it is just as likely that he MAY discover valuable intelligence that he MIGHT use to prevent a serious crime. I've stressed all the variables at play in the scenario to show that these decisions are very much in the hands of the officer on the scene and we should perhaps hesitate to rush to judgement.

Paul

Page 1 / 3