
legal definitions of forensic terms  

tootypeg
(@tootypeg)
Active Member

When providing evidence in court, does anyone have a standard set of definitions (external source/organisation) from which to rely on regarding the description of technical terms? Or is it very much your own definitions?

My reason for asking is, are there significant differences in the way that DF experts define technical terms and evidence? For instance, I presume experts all explain the process of, say, file deletion or what unallocated clusters are differently?

Obviously different jurisdictions have their own methods, but most will have set definitions which are accepted and reused. But would I be right in saying that this is missing in our field? If so, would this not be a serious concern that factually, the same concept may be being explained in various different ways, some more accurate than others?

Posted : 31/07/2017 4:16 am
(@jaclaz)
Community Legend

> Obviously different jurisdictions have their own methods, but most will have set definitions which are accepted and reused. But would I be right in saying that this is missing in our field? If so, would this not be a serious concern that factually, the same concept may be being explained in various different ways, some more accurate than others?

Or maybe not ? , this seems the first step to the advent of AI (and world domination and stuff wink ).

I always thought that there was a written report submitted to the Court and that what the expert witness did in court was only briefly illustrating the methodology and answering to specific questions the parties or the Judge asked about it and the way the data was collected.

Since the questions asked would be impromptu or ex tempore I would presume that the expert witness needs to be able to adapt the answers (besides answering to the actual question asked and not to something else) also to the "perceived level" of the question and more generally to the "perceived level" of the judge (and jury).

I don't think that the same terms and explanations will fit *any* case (Civil or Criminal) or *any* Court in *any* Country.

But do you mean something *like* this
https://www.forensicfocus.com/Forums/viewtopic/p=6536153/
or something *like* this
https://www.forensicfocus.com/Forums/viewtopic/t=9374/
?

jaclaz

Posted : 31/07/2017 3:22 pm
tootypeg
(@tootypeg)
Active Member

I see what you mean but what I mean is, say for example, in a witness statement, an expert notes that a file has been recovered from unallocated. How do they then recall and describe what unallocated is? Should it not be the case that there is 1 defined and globally accepted and used definition so that everyone, regardless of where you are, is working off the same page? I've been looking back at some journals and court transcripts and every definition of, say, Unallocated is different, some slightly, some major. Surely, Unallocated is what it is. If we all agreed on a clear and accurate definition, there can be no deviation and misunderstanding. Standardising this would then lead to greater reliability. For example, the concept of 'possession' in English law is a concept which is defined and re-cited in every instance; the definition is not re-developed at every instance.

Surely such glossaries like those from The Scientific Working Group on Digital Evidence (SWGDE) or ACPO need to be evaluated and then a case made for global acceptance. In this instance, an expert might elaborate on what deletion might involve for purpose of understanding, but the underpinning definitions remain consistent. It may even lead to no need for such elaboration, if the definition is sufficiently clear and detailed.

Posted : 31/07/2017 6:08 pm
(@minime2k9)
Active Member

Seeing as Unallocated Clusters is used by some forensic tools and others call it "free space" or other definitions, how would you create a definition for something that is named differently by different tools?

Where does a file come from if it's deleted but the MFT entry is still there? Technically it is recovered from unallocated/free space but would usually be named as a deleted file with a filename and path.

I honestly think these overarching definitions are dangerous in that the brief description is usually too vague to be useful and to cover all eventualities requires a thesis length document. It also depends on the file's relevance and the circumstances as to what the description contains.

Posted : 31/07/2017 6:25 pm
(@jaclaz)
Community Legend

@tootypeg
I gave you expressly a link to an attempt to make a "rigorous" definition of "slack"
https://www.forensicfocus.com/Forums/viewtopic/t=9374/

See how it went
1) ideas/proposals
2) betterings/refinements
3) edge and unusual cases addition
4) discussion on details
5) some bickering about some wording (but without valid alternative proposals)
6) hey, look! A squirrel! 😯

That is just one definition and besides the lack of a conclusive definition of the item we don't even have an agreement on the words used.

I am not even sure that we have the base definitions of disk, drive, volume, filesystem (besides and before forensics) JFYI
http://reboot.pro/topic/13676-the-boot-process-a-step-by-step-approach-to-booting/?p=123056

The concept of "possession" in English Law is IMHO different.

First thing it is part of the Law (the Law is not - or at least was not originally - the output of a Commission of "experts" agreeing on something). It was the direct emanation of the Sovereign will. And it is now, in the best case, a bunch of elected people that discuss the matter and since they cannot ever agree all on something put it to votes. So, it is rare that there is a universal agreement on it, it is more likely that the majority prevails.

Second the concept is as old as humanity and even if we take the specific English Law it is the same since several centuries during which Judges, Solicitors and Lawmakers disputed in thousands of cases what the concept means, refining it.

Third it is a generic "prime" concept, not a specific detail of a niche of technology.

Now you find and show me the accepted definition for the tool used to measure the flux of oil for the lubrication of the shafts of the hydraulic pistons that operate a bascule bridge (excluding the Tower Bridge that probably has an own name for that) and you'll have a point.

BTW, in German that would probably be a single word. wink

jaclaz

Posted : 31/07/2017 7:25 pm
tootypeg
(@tootypeg)
Active Member

> Seeing as Unallocated Clusters is used by some forensic tools and others call it "free space" or other definitions, how would you create a definition for something that is named differently by different tools?
>
> Where does a file come from if it's deleted but the MFT entry is still there? Technically it is recovered from unallocated/free space but would usually be named as a deleted file with a filename and path.
>
> I honestly think these overarching definitions are dangerous in that the brief description is usually too vague to be useful and to cover all eventualities requires a thesis length document. It also depends on the file's relevance and the circumstances as to what the description contains.

Very valid points! It could be argued that this could be a reason for pursuing standard definitions. Just because tools call UA/free space/something different, fundamentally is this not a reason to come together and standardise the practice? Even if a vendor differs their terminology, if the process/concept is the same, by referring to it /sanitising the description, would this not be beneficial?

Also your MFT point raises another point, maybe terming something a definition implies that everything can be summarized in a sentence for example. Maybe what we need is a set of sanitised 'descriptions' and accepted, accurate analogies to effectively inform someone of a concept? That way the intricacies (not every eventuality though) could be tackled. I guess what I'm trying to suggest is that whatever is used, we all should be using it?

There will be some instances that can be covered but we have a lot of core functions/concepts which arguably we could come together and hone?

Posted : 31/07/2017 7:30 pm
tootypeg
(@tootypeg)
Active Member

> @tootypeg
> I gave you expressly a link to an attempt to make a "rigorous" definition of "slack"
> https://www.forensicfocus.com/Forums/viewtopic/t=9374/
>
> See how it went
> 1) ideas/proposals
> 2) betterings/refinements
> 3) edge and unusual cases addition
> 4) discussion on details
> 5) some bickering about some wording (but without valid alternative proposals)
> 6) hey, look! A squirrel! 😯
>
> That is just one definition and besides the lack of a conclusive definition of the item we don't even have an agreement on the words used.
>
> I am not even sure that we have the base definitions of disk, drive, volume, filesystem (besides and before forensics) JFYI
> http://reboot.pro/topic/13676-the-boot-process-a-step-by-step-approach-to-booting/?p=123056
>
> The concept of "possession" in English Law is IMHO different.
>
> First thing it is part of the Law (the Law is not - or at least was not originally - the output of a Commission of "experts" agreeing on something). It was the direct emanation of the Sovereign will. And it is now, in the best case, a bunch of elected people that discuss the matter and since they cannot ever agree all on something put it to votes. So, it is rare that there is a universal agreement on it, it is more likely that the majority prevails.
>
> Second the concept is as old as humanity and even if we take the specific English Law it is the same since several centuries during which Judges, Solicitors and Lawmakers disputed in thousands of cases what the concept means, refining it.
>
> Third it is a generic "prime" concept, not a specific detail of a niche of technology.
>
> Now you find and show me the accepted definition for the tool used to measure the flux of oil for the lubrication of the shafts of the hydraulic pistons that operate a bascule bridge (excluding the Tower Bridge that probably has an own name for that) and you'll have a point.
>
> BTW, in German that would probably be a single word. wink
>
> jaclaz

Haha, you do provide some very good responses. Regarding your 6 points, what I guess I'm trying to say is that if we did come together and 'argue it out' could we not develop an effective definition for use? Even if we all don't 100% love it, if it's accurate and usable, then adoption of it could be valid?

Would people be willing to scrutinise and contribute to some attempts at determining a set of terms? This is something that has intrigued me for a long time now and have toyed with determining some concepts to be put to the review of practitioners. I don't think it would be easy to achieve and adoptions of it large scale would be probably impossible, but I would like to attempt it I think.

Maybe we haven't done it yet because we have not had these debates as you noted above about terminology and what people like?

Posted : 31/07/2017 7:36 pm
(@jaclaz)
Community Legend

> Haha, you do provide some very good responses. Regarding your 6 points, what I guess I'm trying to say is that if we did come together and 'argue it out' could we not develop an effective definition for use? Even if we all don't 100% love it, if it's accurate and usable, then adoption of it could be valid?

Sure "we" could. (of course we will need first thing to remove the possibility of squirrels - or anything else of similar distracting nature).

Then we will probably need a roadmap, a definite base proposal, a deadline for comments, establish the criteria for the admission of members, elect a supervising committee, nominate a third party arbiter in case of disagreement, etc.

The risk is that before or later "we" will either come out with the UEFI specifications (2200 pages of it, i.e. something that no one, even if willing and trying hard will ever be sure to be respecting) or with a "vague" ISO-like norm with 10 or at the most 20 pages covering all the human activities (that will give the possibilities of writing endless treaties on how to apply them and consultants inventing their own interpretations of them).

Please understand how both the one and the other have been or are in the phase of being "accepted" ONLY because they were forced down our throats by either making them an "industry standard" by stopping producing the "previous" hardware or by mandating them by Law.

> Would people be willing to scrutinise and contribute to some attempts at determining a set of terms? This is something that has intrigued me for a long time now and have toyed with determining some concepts to be put to the review of practitioners. I don't think it would be easy to achieve and adoptions of it large scale would be probably impossible, but I would like to attempt it I think.
>
> Maybe we haven't done it yet because we have not had these debates as you noted above about terminology and what people like?

I don't know, maybe we haven't done it yet because no one attempted it hard enough, or maybe simply members don't care or - as a matter of fact - actually *like* to have some "lack of precision" or "fuzziness" because this allows them to better manage the matter personally on a case by case basis.

jaclaz

Posted : 31/07/2017 9:21 pm
tootypeg
(@tootypeg)
Active Member

> Then we will probably need a roadmap, a definite base proposal, a deadline for comments, establish the criteria for the admission of members, elect a supervising committee, nominate a third party arbiter in case of disagreement, etc.

I would like to attempt the base for this, but the points you raise here are very interesting.

I would like to evaluate and define a base-line. But then, that raises the next couple of issues which I am yet to solve but will have a think about.

1) who would I get to form the panel/ arbiter / general committee to oversee the process? I do wonder if anyone on here would volunteer to be an overseer etc.
2) what platform can I use to engage with practitioners to facilitate discussion and revision of proposed terminology descriptions etc. I did think maybe a 'Google Classroom' and share access on here, but we shall see

Posted : 04/08/2017 10:12 pm
(@jaclaz)
Community Legend

Some hairy reasoner's statistics:
Members of this board Overall: 32497
People that replied to your topic: 3

Out of them:
Number of English mother tongue practitioners: 1
Number of non English mother tongue practitioners: 1
Number of non English mother tongue non practitioners: 1

A ratio roughly 1:10000 which might be a nice scale for a map, but not a sign of overwhelming interest and participation. roll

Of course this is blatantly unfair 😯 , the thread had only 599 views right now, so a more realistic measure of interest would be 1:200

BUT
Number of English mother tongue practitioners seemingly favouring your proposal: 0

So right now the 0:200 ratio does not seem like particularly a good start. cry

jaclaz

Posted : 04/08/2017 11:35 pm
tootypeg
(@tootypeg)
Active Member

Unfortunately I think you're right, it is unlikely that there will be sufficient interest to get this off the ground and see it through to the finish.

Posted : 05/08/2017 12:43 am