It goes without saying that digital forensics is a high stakes area, and it is therefore crucial for both data and methodology to be as rigorous as possible. Errors in process or in information can be catastrophic – but what is meant by ‘error’ in this context? A new paper unpacks this question. Dr Graeme Horsman’s Sources of Error in Digital Forensics (Forensic Science International: Digital Investigation Volume 48, March 2024) examines the nature of error: both the concept itself and its sources within the DF investigative process.
Dr Horsman begins by noting an uncomfortable fact: error is inevitable in forensic practice. It is, he says, ‘realistically unachievable’ to eliminate it, however hard we try. Accepting that this is the case allows practitioners to address the issue as robustly as possible, looking at as many potential sources of error as possible. Yet what does ‘error’ actually mean?
What Does ‘Error’ Mean?
An error is not the same as a mistake: errors result from ignorance but mistakes result from deviating from existing knowledge and process. To assess whether something is a mistake entails an understanding of the underlying procedure and what it means for that procedure to be correct. The performance of a task might not be restricted to one single outcome: there might be multiple outcomes, for instance. Hence a sound evidential basis and a reliance on scientific methodology are critical, not just for avoiding errors but for dealing with their impact when they occur, learning from them and identifying their causes, and developing strategies for avoiding those mistakes in future.
For instance, systematic errors may result from processing issues, such as the implementation of a particular algorithm by a tool. Also, negligent errors may arise from fault on the part of the operator. Horsman cites Schiffer that ‘a lack of data regarding sources of error has been observed across all forensic fields.’ Also worryingly, he states ‘there is no empirical understanding of how frequently error occurs in the discipline.’
Sources of Error in Digital Forensic Investigations
The article defines the digital forensic investigation process as running from crime scene to court, and identifies the main stages of the digital investigation process, such as incident response, data acquisition, analysis, and presentation. These represent only some of the steps within an overall 10-stage process. The following errors are identified:
- Client errors
- Wider investigative/forensic team errors
- Practitioner errors
- Tools/instruments errors
- Method errors
- Trace errors
The impact of each of these errors on the course of an investigation is evaluated, including the possibility that an error made at one of the 10 stages of an investigation can affect that investigation in its entirety. Mapping errors to assess potential impact is crucial and must itself be a process that is subject to continuous evaluation and review: digital forensics is a fast-developing field of considerable complexity and new sources of error will inevitably arise. Processes that actively look for, and even better, predict errors must be developed: Horsman acknowledges that this will be a resource intense exercise, but it is nonetheless an essential one.
