Validating the results of an examination with other tools or manually is always a must! It should be done by another forensic expert, who has more experience in the field.
Getting prosecutors, judges and lawyers to actually understand what is behind the IT terms of forensic analysis results is a big problem worldwide. Misinterpretation can occur unfortunately.
Hi,
Many years ago senior management at many police forces wanted to move to a more triage forensic process, partly because of the increased demand and the lack of resources. At the time all of the practitioners I know expressed serious concerns over this approach.
We were assured this would be a triage process to prioritise and that full examinations would still be done before evidence was produced for court. Clearly we felt that was extremely naive and that officers would end up producing material for court without an expert having seen the exhibit, let alone the data. This is the situation we are now in.
I realise we have finite resources but from my position I can see huge savings in terms of supplier contracts, third-party preferred business partners, administrative costs and so on. These should be the first things to look at because any way of saving money with no loss of service must come first.
I have seen occasions where jobs were at court, or were at the last plea hearing, on evidence that had been produced without an expert seeing it. Having been asked to check and/or intervene at that point, I can name cases where evidence showed considerably more culpability by the defendant than was first thought and more disturbingly, cases where the evidence simply did not support the charges.
One job involved a defendant at court on the first day of the trial, facing charges of making child sexual abuse images and the evidence being produced did not support those charges at all. It was all about the context of the evidence found. He may still have committed the offence but no other evidence had been produced by the prosecution and so he should not have been there. He left court a free man that day.
Here is where costs come back into it. He could have sued the police, he may have, but I am not aware of it. What if he had been convicted of the offence and then sued? Prosecution, prison and compensation costs in the tens or hundreds of thousands of pounds.
There's how much money is spent on a prosecution? Investigation is the cheap part of it. Once you get to Crown Court with a senior judge, a jury, all the court officers, witnesses and so on, we can be talking five figures per day.
More than the money, this approach is in my opinion risking miscarriages of justice. People's lives can be irreparably torn apart.
The other end of the scale are the people who were not prosecuted, the evidence was there and then they go on to offend again.
So there's the risk, then there's the cost issue. By spending £500 on digital evidence instead of maybe £1500, we only need to see a few cases go to court which wouldn't have gone to court and the British taxpayer could be worse off.
In my experience, when a defence expert challenges the prosecution expert's evidence, it is always around what didn't you find or report on that provides mitigation, or more commonly, it is interpretation. Could it also be because……happened?
When you look at one of the biggest new costs coming into digital forensics, ISO 17025, I don't see this as helping. Ultimately it will lead to more triage processes, more kiosk only evidence, fewer experts, examining fewer exhibits, for less time and this is where the problem lies. It isn't going wrong at the how we got the data off stage, it is going wrong at the what does it mean stage.
I do also think that the quality management aspects of ISO 17025 will probably demonstrate that 17025 doesn't work. This is because experts will begin recording what, where and how it went wrong. I think this will demonstrate it's not about the tools and processes but needing to have competent experts spending more time looking at the data.
The wholly inadequate funding levels for experts under legal aid means independent experts and micro businesses cannot afford to accept defence work and many solicitors' firms are notoriously slow payers. ISO 17025 will drive more experts out of the defence field and so this further compounds the problem.
The idea that neither a prosecution nor defence expert has looked at digital data being relied upon concerns me greatly. Those words don't really convey my level of concern but I hope you get the picture.
I think it is up to digital experts on both sides of the fence to express our concerns because I've been here before and when people don't do that, change takes longer and questions are then asked of us, saying, 'why didn't you say anything?' A response like 'you wouldn't have listened if I had', is then dismissed quickly.
Whenever there are opportunities to contribute to justice select committee open consultations, or regulator open consultations, I think we should. I don't feel my concerns have been recognised or taken seriously and I know of someone who wrote to his MP and the FSR expressing concern and was pretty much completely fobbed off. I still think it is the right thing to do. I'd rather try and fail than accept it is a lost cause for now.
Sorry if you've aged more than expected whilst reading this post.
Steve
….does this often happen?
This sort of thing, yes.
It baffles me how in the text above someone has argued something is a search term where (based on the article content), there was no indication of it being so. What on earth has happened there then?
I was attending a conference presentation several years ago, and the speaker stated that he'd hung a finding that had a significant impact on the client on a single piece of data, which it turned out was incorrectly understood. As such, this was presented to the client as extending their "window of compromise" back several years.
I spoke to the speaker separately, but of course, by then it was too late. The report for the engagement on which the presentation was based had already been sent to the client. Unfortunately, in past employment, I saw this same artifact being misinterpreted on a weekly basis, leading to incorrect "findings" being shared with the client.
How do you prevent / protect against that sort of stuff happening as surely someone has gone outside of a statement/report there and decided to take it upon themselves to interpret results?
Peer reviews, and engaging with each other in a non-threatening (applies to both sides…don't be threatening, but also don't feel threatened every time someone asks you a question) process.
We all can't possibly know everything, but we can learn from each other…*if* we're willing to do so.
There have been a few references made in posts adding to this discussion about evidence and presentation of it, such as
Let's throw this into the mix as well -
clearly conveying DF results
Here is a publication which may be helpful to know for those presenting evidence at court
DIGITAL FORENSICS TRIAL GRAPHICS
Teaching the Jury through Effective Use of Visuals
JOHN SAMMONS / LARS DANIEL
https://
Quick book review
http//
I have been taught and mentored that my work should be
1. Independent, meaning my answer will be exactly the same regardless of who is asking me the question.
2. Scientific, meaning 100% of my work must be able to be replicated by a qualified peer.
3. Plain English - I will assume the judge and jury are all brilliant, but just not in my field, so to the extent the judge and jury do not understand my testimony, it is a direct result of a failure on my part to explain my opinion in plain English.
Sounds OK, but it is not so simple, and… let me ask you some questions
* You find one artifact, a product of one software [program].
* This artifact shows illegal activities, or a "bad" file's name inside, but you are unable to bind this artifact in any way to the PC owner's activities.
* The software which produced this artifact is MISSING: not installed, no history of being installed, not a piece of it anywhere. More: if the software is uninstalled, the origin of your artifact must be missing too, because the software deletes the directory in which the origin of your artifact is located.
What will you write then in your report? Evidence of "evidence tampering"? An artifact unknown to me? I do not know how this got there? Omit the fact??
Please be aware: if you mention this piece of useless info in front of the jury, or judge, they automatically CONNECT this to the defendant [like evidence of intent] whatever you are trying to explain to them. And YOU, by your hand, make the defendant guilty, INVENTING INTENT.
Your principles are very good, and true, but do not forget: in SOME EU countries, even an official Forensic Lab is unable to produce forensically sound forensic copies of the confiscated evidence!
Our duty is to the court and the administration of justice.
I understand that you mean well, but, to be picky, in theory as a forensic investigator you should be completely agnostic about administration of justice
I think that you and I mean different things by 'administration of justice'. To me, it means presenting accurate, provable facts in their correct context from digital devices in a readily understandable format for a jury of 12 ordinary people to be able to comprehend (and an ancient judge who has possibly never turned on a computer). These facts might contradict the prosecution, they might support it - it makes no difference to me. If the facts are there, they will be heard and considered by the aforementioned individuals, and endlessly twisted by QCs and so on.
Sounds too good, but …
* People unable to understand even what an HDD is ARE UNABLE to understand anything more. Or they will "understand" as they WANT to. An architect is unable to do a gynecological operation, whatever you try to "explain" to him [i.e. how to use the scalpel].
* Forensic oversimplifications are always problematic and aggravate immensely the defendant's position.
* When someone presents facts in court, it is always obligatory to provide any info which contradicts the artifact, or puts its meaning in doubt [if such info is available].
A judge or jury unable to understand digital forensics in THE MOST simple words is unable to judge the case. It is as simple as this, and the rest is a travesty of justice. They are unable to understand you anyway, and always "understand" your words in a way that deteriorates the defendant's position.
Unless specialized courts are formed to judge digital forensic cases, a jury in forensic cases is also a travesty of justice, and a kangaroo court.
…but if you can't explain something whether that be because there is only partial data or testing can't produce a sound answer, then in a fact finding report, should people really be including such content in a report which facilitates people making their own judgements?
If you are producing a report based on fact, then should you really be reporting non-facts in there?