….does this often happen?
It depends upon the experience and intelligence of the SIO/DSIO/case officers and the digital forensic practitioners, and the quality of the digital evidence review.
I have been passed numerous requests for evidential high tech reports with 'relevant' data flagged as being critical to the prosecution which, when viewed in any kind of context, is clearly spurious. I have some experience of the electronic disclosure world and when the keyword lists often used in law enforcement are compared to this discipline, they are laughably poor. This undoubtedly leads to meaningless conclusions because 'there were x number of hits on this search term, which means the defendant searched for this x number of times and is obsessed with it'. The search term is usually far too short and totally ambiguous, but if you start talking about regex to a case officer they will rapidly glaze over and insist that you search for 'rob' or whatever. Better training for these police officers and staff would definitely help; they are usually overworked, under-resourced and lacking in training in this area so can't take all the blame by any means.
Part of the issue that my department has is that some of the younger and/or less experienced digital forensic investigators may lack the courage and confidence to stand up to a pushy SIO or whoever and say that such-and-such spurious and out of context data isn't going into my report because it is my report - my name goes on it and I have to (potentially) stand up and defend it. Our duty is to the court and the administration of justice.
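The hit-count problem described in the post above, as an added example that is not part of the original thread: it compares the bare substring 'rob' with a word-bounded regex over a handful of constructed records, and keeps the source artefact and surrounding context for every hit. The records, artefact labels and the bounded pattern are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample records: (source artefact, extracted text). Not case data.
RECORDS = [
    ("browser_search_query", "how to rob a bank"),
    ("browser_search_query", "robot vacuum reviews"),
    ("email_body", "There is a problem with the probate paperwork"),
    ("contact_name", "Robert Smith"),
    ("chat_message", "he got robbed outside the pub last night"),
    ("system_file", "microbenchmark_probe.dll"),
    ("document", "Robin said the wardrobe is probably fine"),
]

# The keyword as typically requested: a bare, case-insensitive substring.
NAIVE = re.compile(r"rob", re.IGNORECASE)
# Assumed refinement: whole-word forms of the verb/noun only.
BOUNDED = re.compile(r"\brob(?:s|bed|bing|ber|bers|bery|beries)?\b", re.IGNORECASE)


def hits(pattern, records, context=15):
    """Return every match with its source artefact and surrounding text."""
    out = []
    for source, text in records:
        for m in pattern.finditer(text):
            lo = max(0, m.start() - context)
            hi = min(len(text), m.end() + context)
            out.append({"source": source, "match": m.group(0),
                        "context": text[lo:hi]})
    return out


def by_source(pattern, records):
    """Hit counts per artefact type: a hit is not a search unless the
    artefact it came from records a user search."""
    return Counter(h["source"] for h in hits(pattern, records))


if __name__ == "__main__":
    for name, pat in (("naive", NAIVE), ("bounded", BOUNDED)):
        found = hits(pat, RECORDS)
        print(f"{name}: {len(found)} hits, by source {dict(by_source(pat, RECORDS))}")
        for h in found:
            print(f"  [{h['source']}] ...{h['context']}...")
```
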
So should we not be examining content with the legislation in mind then? For example, if we know at the examination stage what falls within the bounds of an offence (actions, evidence types), then we would have a clearer line regarding what to report.
…..yet I feel uncomfortable even writing that as it's blurring the boundaries and roles and raises even more issues surrounding disclosure and process. 😯 😯
………is the whole problem here based on a lack of rigorous peer review of our work which would prevent such information even getting into a statement in the first instance?
Our duty is to the court and the administration of justice.
I understand that you mean well :), but, to be picky, in theory as a forensic investigator you should be completely agnostic about administration of justice, and just express your opinions (as an expert) on evidence to prove or establish facts and events and who did what (and when).
The consequences that these proved, established or only reasonably and very probably happened facts and events may have should be outside the scope (or if you prefer beyond your horizon).
Not completely unrelated, a previous discussion
https://www.forensicfocus.com/Forums/viewtopic/t=9275/
jaclaz
Our duty is to the court and the administration of justice.
I understand that you mean well :), but, to be picky, in theory as a forensic investigator you should be completely agnostic about administration of justice
I think that you and I mean different things by 'administration of justice'. To me, it means presenting accurate, provable facts in their correct context from digital devices in a readily understandable format for a jury of 12 ordinary people to be able to comprehend (and an ancient judge who has possibly never turned on a computer). These facts might contradict the prosecution, they might support it - it makes no difference to me. If the facts are there, they will be heard and considered by the aforementioned individuals, and endlessly twisted by QCs and so on.
So should we not be examining content with the legislation in mind then
No, I don't believe that we should. You might have some specific areas you are looking for - if investigating a complex fraud would it be worth focusing on carved graphics files or would you pay more attention to various document/office artefacts? Of course, you extract everything, and it should all be reviewed. It might be that your alleged white collar criminal is also into IIoC too and should serve time for that as well.
………is the whole problem here based on a lack of rigorous peer review of our work which would prevent such information even getting into a statement in the first instance?
Not the whole problem, but there is often a lack of oversight.
I think that you and I mean different things by 'administration of justice'. To me, it means presenting accurate, provable facts in their correct context from digital devices in a readily understandable format for a jury of 12 ordinary people to be able to comprehend (and an ancient judge who has possibly never turned on a computer). These facts might contradict the prosecution, they might support it - it makes no difference to me. If the facts are there, they will be heard and considered by the aforementioned individuals, and endlessly twisted by QCs and so on.
Well, OK, you have a perfect standing :) you were using "administration of justice" in a much wider (most probably very correct from a legal point) way
http//
than what I believe is commonly intended, more like
https://
In England, the administration of justice is a prerogative of the Crown. It may be exercised only through duly-appointed judges and courts.
jaclaz
I have been taught and mentored that my work should be
1. Independent, meaning my answer will be exactly the same regardless of who is asking me the question.
2. Scientific, meaning 100% of my work must be able to be replicated by a qualified peer.
3. Plain English - I will assume the judge and jury are all brilliant, but just not in my field, so to the extent the judge and jury do not understand my testimony, it is a direct result of a failure on my part to explain my opinion in plain English.
Let's throw this into the mix as well -
specifically…
One of the most hotly debated issues in forensic science is how to convey forensic results to decision-makers most effectively. Many forensic practitioners use categorical conclusion scales including multiple levels, such as ‘definitely’ and ‘probably not’.
Do we really do this? Surely our decision making is binary ( D ) in that it's either 'this' or no it's not. I can't think of any scenario where something is 'probably not' something?
That site was browsed/searched for etc….. I can't think of a single scenario where I would suggest that a site probably hadn't been browsed/searched? We can fully determine a URL on system. It gets there via determined methods.
In terms of 'certainty scales' - say for example unlikely, moderately sure, sure, probably, definitely.
Do such things have a place in this field?
Do we really do this? Surely our decision making is binary ( D ) in that it's either 'this' or no it's not. I can't think of any scenario where something is 'probably not' something?
That site was browsed/searched for etc….. I can't think of a single scenario where I would suggest that a site probably hadn't been browsed/searched? We can fully determine a URL on system. It gets there via determined methods.
In terms of 'certainty scales' - say for example unlikely, moderately sure, sure, probably, definitely.
Do such things have a place in this field?
Why not?
You find in a sector belonging to unallocated space this exact string (for the sake of the example followed and preceded by 00's or 20's)
https://www.forensicfocus.com/Forums/viewtopic/t=16680/postdays=0/postorder=asc/start=14/
1) How (exactly) was that byte sequence written? (i.e. typed, copied, etc., or if you prefer was it before being unallocated part of a .txt or similar file, part of a memory dump or part of a temporary system file, a cache or *whatever*)
2) By which (exact) program was it written?
3) When (exactly) was it written?
4) Who (exactly) was logged in at the time it was written?
You have no way to answer properly to any of the above questions, still you have that byte sequence that seems unlikely to be a randomly generated string, actually resolves in a browser (to this very thread, 3rd page).
What do you do next?
a. Ignore that string because you have no way to answer the 4 above questions
b. Since it cannot be random, nor "digital garbage" you state that probably the string is the result of either typing or copying/pasting and since that string is almost exclusively present in the browser address bar when accessing
https://www.forensicfocus.com/Forums/viewtopic/t=16680/
and clicking on the blue 3 in top right, it is highly probable that one user of the computer, some time in the past, accessed this thread through a browser. And, you could even state that this happened very likely no earlier than "Wed May 30, 2018 2:41 pm", i.e. the time post #15 was posted, thus creating page 3.
jaclaz
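The scenario in the post above, as an added example that is not part of the original thread: it locates a URL delimited by 00 or 20 bytes in a constructed buffer standing in for unallocated space, and separates what the bytes establish (offset, sector, exact string, URL parameters) from the four questions that stay open. The buffer layout, the 512-byte sector size and the field names are assumptions.

```python
import re

SECTOR = 512  # assumed sector size
URL = (b"https://www.forensicfocus.com/Forums/viewtopic/"
       b"t=16680/postdays=0/postorder=asc/start=14/")


def build_image():
    """Constructed 4-sector buffer of 00s standing in for unallocated space."""
    img = bytearray(b"\x00" * (4 * SECTOR))
    # A URL-like run without 00/20 on either side: must not be reported.
    frag = b"Xhttp://a.b/c\xff"
    img[300:300 + len(frag)] = frag
    off = 2 * SECTOR + 40
    img[off:off + len(URL)] = URL
    return bytes(img)


# Printable-ASCII URL preceded and followed by 00 or 20, as in the post.
PATTERN = re.compile(rb"(?<=[\x00\x20])https?://[\x21-\x7e]+(?=[\x00\x20])")


def find_urls(image):
    findings = []
    for m in PATTERN.finditer(image):
        url = m.group(0).decode("ascii")
        # viewtopic-style path segments of the form key=value
        params = dict(s.split("=", 1) for s in url.split("/") if "=" in s)
        findings.append({
            # Observable facts: reproducible by any peer from the same image.
            "offset": m.start(),
            "sector": m.start() // SECTOR,
            "url": url,
            "params": params,
            # The four questions from the post that the bytes cannot answer.
            "undetermined": ["how written", "which program", "when", "who"],
        })
    return findings


def first_post_on_page(finding):
    """start=14 is read here as the 15th post opening the page, matching the
    post's reasoning that the URL cannot predate post #15 (assumption)."""
    return int(finding["params"]["start"]) + 1


if __name__ == "__main__":
    for f in find_urls(build_image()):
        print(f["sector"], f["offset"], f["url"], first_post_on_page(f))
```
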
Well, OK, you have a perfect standing :) you were using "administration of justice" in a much wider (most probably very correct from a legal point) way
To strip it right down, I view successful administration of justice as the guilty being brought to account for their actions and the innocent walking free.
I don't feel comfortable with the idea that my work could help to convict an innocent person and keep that in mind when giving evidence.