Hans Henseler discusses his research at DFRWS EU 2018.
Hans: Yeah, welcome this morning and thank you. I think the keynote for me was very lucky, a public prosecutor from Italy, and now I will tell about educating judges, prosecutors, and lawyers in the use of digital forensic experts.
Thank you, [Marie Angela], for the introduction. I have many different heads, and one of them is working at the Netherlands Register of Court Experts. The paper that’s in the proceedings I wrote together with Sophie van Loenhout, who was working with me at the Netherlands Register, but she left last year actually, but her colleagues are here, joining us at this conference also. Even though they are not very technical, they are involved in this registration process, and I will try to explain to you what we did.
And it occurred to me that besides the fact if you are in your country using a regulation for forensic court experts or not, it still might be useful for digital forensic experts, because I think most of you are digital forensic experts, to see how you can deal with maybe judges and prosecutors and lawyers, to help them with the kind of questions they might ask. Even though they are not experts, you might give them some comfort in having a discussion in court, asking … them asking you about how you performed your work. And I think what we did in trying to establish a set of standards illustrates that. It can help you address this topic in your own country, maybe come to a registration, but at least I think you can learn from how we are doing this, how you can work in your country with people that do not understand digital forensics, basically help them address the issues that may be very, very relevant in court.
Because I think most of the time, what we see here is of course acquiring the evidence, analyzing the evidence. It’s a very technical job. But there is one more important aspect to being a forensic expert in court, and that is the fact that you have to be able to explain what you have done. You have to be able to report what you have done to a judge, to a lawyer, to a prosecutor. And this is a different skill, and [we] are finding people that are very skilled, very technical, but maybe not so good at explaining what they have done. So, in that case, you might not be such a good court expert after all – which is not a big deal, but it is a skill that you need to have, we think, in the Netherlands.
I’ll tell a little introduction about the Netherlands Register of Court Experts, I’ll tell about the working methods, who we are, [a bit about the status], how we’ve come to demark, perform a demarcation of the area. Being a court expert is often also very much about knowing your own limitations. So, demarcation is an important aspect of setting standards in this field. And finally, I also give some questions that judges, prosecutors, and lawyers can ask to an expert when he is in court or she is in court.

[What happened in Netherlands] is there was a criminal case [law and] a Register of Court Experts. So, in 2010, there was a new law that actually said that court experts in the Netherlands need to be registered to be able to testify in criminal cases. And since that, there was a legal basis. Some people have asked me, “How do you succeed in doing that?” Because Netherlands seems to be one of the few, maybe the only, country where we have done this. Basically, it’s a very simple explanation – some things went very wrong in the years before. We had a couple of very big miscarriages in trials. So, somebody thought, we have to do things differently, we have to be able to set a standard to … if we register as court experts, we have to meet a certain minimum standard before they can actually become a court expert.
So, if you start doing that, and then you are talking about certification and registration, there are a number of very logical things that you need to do, but you need to do them. So, there needs to be a code of conduct. For every field of expertise, you need to establish standards. There needs to be [process for assessing] an expert. So, an expert will apply to become registered in our Register, and there needs to be a process for doing the assessment. And one of the important things is that we also learned from those miscarriages of trial, and we decided that this is not for a lifetime. So, once you become an expert, at this moment, every five years, you have to be assessed again. So, you have to show again that you are able to perform this work.
This is basically the organization that we are part of. I am a member of the board, and the board is seven people from the justice community. And very simply said, we have a judge, a prosecutor, a lawyer, a former [or our] active police commissioner, and we have three scientific seats. So, I have one of the scientific seats. My background is digital forensics. We have a professor who is a professor in criminology and one who is a professor at forensic psychology. With the seven of us, we basically are responsible for the registrations. We all do this part-time. So, the judge who is chair of this board, he does it let’s say one day a week. Or, sorry – yeah, so … [0.2 FT]. The other members of the board, like myself, we do this one day a month on average.
But besides that, we have the bureau. The bureau is about nine full-time equivalents, but it’s part-time also, so maybe 12-14 persons, who are actually going through the administrative part of doing the registrations. In this register is not only Dutch experts. We also have non-Dutch experts.
And just let me try to explain how this works. There is not just one field, there are multiple fields. And the bureau can only do so much work at the same time. As the number of fields increases, it becomes difficult to add fields that are high-frequency, because you have to maintain the current fields as well. But it’s a very simple approach. First of all, there’s an expert meeting. The idea is, for example, we want to have a register of digital forensic experts. We will keep a whole-day expert meeting where we invite experts to have a discussion to see, is there a body of knowledge, is there consensus in this field of expertise? And you can do this for DNA, you can do this for shotgun residue, for fingerprints, footprints, etc. So, first, this expert meeting kind of establishes, do we want to do this, can we do this? Because if you are a finding in the expert meeting there is not a consensus, there is a lot of different opinions about what a field is, it may be very difficult to come to a common set of standards.
If there is a ground for doing that, then the next step is to set an Advisory Committee for Standards, the ACS. And this is actually the committee that also consists of experts, and maybe part of the people that were in the expert meeting – again, not only Dutch, also people from other countries – and they draw up draft standards, and they give an advice to the boards. But before it’s [delivered] to the boards actually, given for consultation to the field. And some of you may remember that I joined the board in 2014, and 2015 actually we had this draft set of standards for digital forensic experts. And we had a workshop, very similar to the ones we had yesterday, but at the [DFWS] in Dublin. We had a workshop on these standards and we got feedback from people asking some questions, and there were some modifications based on the consultation that we did there. But this was not the only consultation. We put it on our website, we asked people for feedback, it’s in the newsletter of the Netherlands Register of Court Experts. So, we tried to generate feedback. We had a publication, a Dutch journal … so that’s how we tried to get feedback from the field.
We collect all these comments, we process them, and then, in the end, it’s finalized and presented to the board, to the seven members of the board. In this case … so, I was personally not part of this committee for setting the standards. I did meet with the people at the expert meeting, but I’ve tried to keep an independent position, so that in the end, when the standards are presented to the board, I could also discuss at the same level with my other colleagues, and just check … because you can imagine that the board, they don’t know every detail of every different field of expertise. So, we are testing and checking if the procedures have been followed. So, even without knowing all the technical details, we can still validate if the steps that we agreed to have been executed and if there’s a common [09:53], and that at least there’s a broad representation from the field of expertise that have agreed on these standards.
It might change from that point, but then finally, it’s adopted, it’s published, so now, if you go to the website of the [10:11], you can actually download the standards as they have been established using this process. You can do this for every other field that has been established.
This process we implemented was actually based on the law. And if you look at the standards, there’s a couple of shared elements in every standard, independent from the field that is addressed. It specifies what are the core activities, what are the boundaries, and in some cases, as digital forensics, there may be sub-fields. And some fields may be too complicated for a single expert to master all by himself or herself. So, then we identify sub-fields. For example, in forensic psychiatry, we have this for minors and for adults. We consider them as two different fields of expertise.
Not only do we have subject matter experts in this assessment, but actually … so the next step, once we have set the standards, we have the process of people applying for becoming a registered expert. And an application is evaluated or assessed by the committee for the assessments. We’ve defined a package, that if you are a court expert and you want to register yourself, you have to put in your package your resume; a list of case information – that’s very important that you have cases, have performed cases that you can be evaluated based on those cases, and that might differ per field of expertise, how many there are; evidence of your competence – so that might be collegial review or it might be the fact that you have attended [DFRWS] or other conferences in your field, maybe published articles in scientific journals … in the Netherlands we have a government-delivered certificate of good conduct, which is necessary, and you have to sign a declaration or a statement that you adhere to the code of conduct, etc. You deliver the package that is based on the fact that this is really reflecting your resume, your professional development, etc., that you performed the cases, etc.
Then we have a form, advisory evaluation form, it’s very structured, and the assessment committee uses this to evaluate the application. This is the same form for every field. So, it’s a very structured way. Typically, the assessment committee has three persons. We are looking now if we are going to re-certify an expert, maybe we can have two persons, and it’s a subject matter expert and a legal person reviewing that. It’s I think eight sections or seven sections, and each section is scored – you have to have sufficient grades on each section. If there’s an insufficient grade, it might be a reason to give you a temporary renewal, a two-year registration. But if everything is okay, then you get a five-year registration.
So, this ACA, those are the subject matter experts. What we do is, as a board, every month, in our meeting, the first thing on the agenda is always to review the new applications, to see … we leave it to the chair to review all of them in detail, but at random, there will be a number of ones picked out, and we will review them as a board together, and we will comment and see if we can find weak spots, if we think that the assessment committee should have been more informative or been more precise. Because if we reject a person, there is also a procedure to go and object. There is a way. So, applicants, if they’ve applied and if we’ve rejected, they can object to the rejection and then go into a new process.
So, we have to make sure that once we make a decision, it’s well-founded, that the reasons for doing that … and often, if there’s doubt, it’s not only basically an examination of all the submitted … of the package … but then they will also do an oral examination. So, actually, they will invite the expert and maybe answer a number of questions to see if the weak spots that have been identified, maybe it was a misinterpretation. So, by doing this oral examination, you get a better idea of what the expert is really doing. Although I have to say, sometimes, the reports that have been reviewed are not up to the standard that we require, and then orally, they can explain very well. But still, we think that as a court expert, you should be able to produce a written report – that is very clear. Because most of the time, your opinion is evaluated based on a report and not based on an oral testimony in court. So, that’s important to understand. So, the evaluation of the written material I think is the most important part of this registration process.
The bureau again checks if all the administrative things have been performed. Because some of the requirements are purely administrative. You can do that, and then finally, in the monthly board meeting, we will finalize the decision on the new registrations or the renewals of the existing registrations.
So, where are we? I think, at the moment, we have nine fields that have been standardized. Currently, the bureau is working on DNA Activity Level, and we were in 2015 the eighth area. So, in total, we had … the [NRGD] had more than 1000 applications, and out of those 1000 applications, 20% is about rejected. To give you an idea, #3, Forensic Psychiatry and Forensic Psychology I would say is the main bulk of experts. To give you an idea, those are the experts that testify in court. If a perpetrator or a suspect was of a sound mind – because if you’re not of a sound mind, then there may be a treatment instead of putting you in jail, or a combination of jail and treatment. So, that’s a very important and often-used expertise in the courts. So, many of those 1000 applications are related to field #3.
Maybe interesting for you to see the committee that made the standards for digital forensics. And while [Erin van Eijk] is in the room, unfortunately, [RJ Mora] couldn’t make it this time, but normally he’s always present. But we had … in the five, we had [Shell], University of Utrecht from the legal side; Fox-IT, it’s a well-known firm in the Netherlands with expertise; police was involved, High-tech Crime Unit; but also Professor Sommer from the UK. And now, with the people that are actually testing the applications, we have also people from other countries. So, for example, [18:04] who is here is a member, and he is evaluating applications, and we hope actually that he is becoming an expert himself. So, he will register himself also.
So, it’s important to understand that the people who are setting the standards or who are evaluating the applications do not necessarily have to be an expert that was registered themselves. One of the reasons for that is you may be very well at identifying standards [about] evaluating, but if you do not have practical experience, if you cannot show like four reports a year, then you cannot become registered. We require experts to be active in the field. You should not be a theoretic expert.
And we have people from the Dutch Public Prosecution Service, as kind of consulting members.
So, in the paper, I’ve explained in more detail what the standards look like. You can also download them, read them in full. So, in that sense, part of the paper is a summary of the standards that have been published on our website. But most important parts I think are demarcation, the requirements for meeting the registration, and then the assessment procedure. And the assessment procedure is very similar to the other ones that we use. So, this is the page for download, but if you go to the website of the [NRGD], it’s easy to navigate there, and shouldn’t be too difficult to find.
First step that the ACS made is kind of give a general description of the forensic process. And I think if you look at [literature], everybody will agree on it. We first have to preserve and collect – so, collect electronic stored information. Create a forensic copy. The next step is you’re going to do a reconstruction of this information. You’re going to extract it from your archives, from your mailboxes, or from your forensic image. Maybe you’re going to do some culling – so you have scope based on a start and an end time, date. And then, the third stage is analyze. So, you’re going to interpret the data – connecting the dots. So, those are roughly the three stages in every investigation. And there’s many different models that make it maybe a bit more precise, but roughly, this is what we have agreed to. And it’s helpful to understand and to interpret some of the next steps.
The next step actually was digital forensics … and you’ve seen the people in this ACS … and I’ve been working at the NFI even though it was a long time ago. Once you are in the field, you have to specialize. Because computer forensics in itself is just too big. So, it’s the eighth field at [NRGD], and the ACS actually looked at literature, and they found a good article by [21:06] that has an ontology. It is a [deep] ontology. But the ACS used actually the next level to identify six areas.
So, it’s computer forensics – I think you all have an idea, operating system, Windows, Mac, they’re kind of open, because they are well defined, you know what you can look for. You can become an expert in Windows. But even in some cases, you might be a Windows expert, and if there’s a really deep case on Macintosh operating system, you might even say yourself, “Even though I’m registered as a computer forensics expert, that may be too tough. I’d rather have somebody else look at it with more detailed knowledge about Apple OS,” for example, iOS.
Software forensics – being able to explain what a software does. We’ve taken this … been considered as a separate field of expertise. And just to give you an idea, you can be an expert in two or three fields. You have to show relevant reports for each sub-field. We think it’s unlikely that you will be an expert in all six areas, at least be able to produce reports of those areas.
Then there’s database forensics – and it could be database forensics in the sense of explaining what a database does, but also think about the transaction logs. Can you recover deleted information from a database? Can you say something about how that was performed? It is a field in itself, and these days, you have different kinds of databases, not only relational database – you have graph databases. So, it can be very complex, if you have to do a deep dive there.
Multimedia forensics – well, yesterday we had two very nice workshops on this topic. In some sense, you might say, “Well, is it really digital or not?” I think the examples we’ve shown yesterday, may be image improvement … I’m not sure if that would be really something that you need an expert in and that you need to testify. But certainly, saying something about has this image been manipulated? Is it original or not? I think with the amount of evidence that is coming from bodycams, from CCTV cameras, if it becomes challenged in court, if lawyers are getting their heads around it and they are seeing possibilities to defend their client in a criminal case, then there will be a bigger demand for this kind of expert.
Fifth one, device forensics – think about, well, the devices, the mobile phones. Everybody here knows, it’s so complex, with the apps, special software to extract information. We had some iOS workshop yesterday. If you want to be an expert in that field, it takes you a lot of time to just make sure you remain an expert, because developments are going so fast.
And then finally, network forensics – lot of things happening there.
You might argue, maybe we should have more areas than just six. Maybe some areas become obsolete. I think the ACS has tried to come up with six areas that we feel will be relevant for at least the next five years. And that if there are new topics, you will be able to put them under a certain category. But my own PhD was on [neural] networks. We now have a revival of deep learning. So, if somebody is going to challenge in court, how did the deep learning network of this self-driving car work? I’m not sure if you would put it under software forensics or something else. So, I’m sure that at some point, we need to review these standards and maybe add new areas or come up with another idea. But I think for the next five years, we should be good.
And this is the reference to the journal from 2014.
I’m getting a signal that I need to wrap up.
You can read those registration requirements, so I’ll not read them for you. And there’s the basic requirements that are for all of the standards, the documents that you have to submit. So, what I’d like to do is use my remaining five minutes to go through some of the example questions, because those will be useful I think if you talk in your own country with judges, with prosecutors, with lawyers, to make them understand some of the challenges, and not having to explain how you did it, but maybe you have to explain or talk to them about the forensic soundness of your approach.
If you talk about this “preserve and collect” phase, it’s very much about: Did you do a forensically sound collection? Was it secured in a correct way? So, talk maybe about [26:00], what tools did you use to make the copy. And maybe you didn’t do it yourself, maybe you are an expert and somebody else did it, but you should be able, as an expert, we feel, be able to understand what happened, and to judge if the acquisition of the evidence was performed in a correct way.
If you bypass the code, how did you do it? Did you have to change? Did you have to put up a bootloader [for change]? Maybe not really a big problem, as long as you can explain what happened to the device. So, you can actually explain what has been added and that the data that is being used as evidence is not part of this manipulation.
If it’s from complicated systems like industrial control systems, you might also have to explain how you obtained this data. In general, we have stated in these standards that often, we see that experts are really [an expert], because at some point they will get to a situation where no tool is working, so they have to make their own tool or their own script. So, in that case, an expert should be able to explain how the tool is working, what it is doing, and should explain to another expert how to evaluate the tool that she or he made. In that way, even if there is no standard tool, you still should be able to validate your new tool.
For the next stage, the “extract and examine”, it can be about date and time – so what data concerning the crime [that is on the identification] can be found on an exhibit, and what is the location of the data and by what means can it be retrieved or extracted from the data that was collected? When was it accessed, modified, or changed? That could be … you might say it may be interpretation or analysis, but in effect, it’s also part of the extraction and the examination in the second phase.
Are you sure that the retrieved data was stored on that carrier? Did it really come from that location? And if you talk about the extraction, you could talk about … maybe the [suspect had also software] that is available to the data. Could he have manipulated that data? Was he responsible for that data ending up on the device? If you recovered deleted information, how did you do that? What tools were you using? Were they common tools or did you develop your own tool? You don’t need to know how this person, how the expert did it, but you might want to question if the methods that he used in this particular function were good.
The exchange of data, [was it] captured in a network, was it correctly made visible? We know it can be very complex to get all of the different bits and bytes from a [28:58] file. Are you sure that this is in the right order? Is it relevant to the evidence?
The next one, the data analysis phase, it’s very much about the reconstruction. So, did we find any evidence? We gave you a computer or a phone – was there any evidence in the end? And was it relevant to the defense or to the prosecution? Maybe tell a bit more about the nature of the material, of the evidence? So, was it pictures or was it data from a [log] file, was it deleted information? It’s more about giving some general information about it. Or, maybe, you can say something about how did the material end up on this device? Was it something that was actively done by the suspect or was it some artefact that is created during an activity that’s completely something different? It could be … or maybe, even, he was hacked, as the defense might say, and it was put there by somebody else. Those are very relevant questions that I think an expert in court may be asked to testify about.
And if you talk further about the interpretation, if there’s a scenario and you’re doing the reasoning kind of reporting … there’s a scenario … does it support a scenario or does it support an alternative hypothesis? Very important for the experts to answer. And given the alternative hypothesis, can you say something about it? Also relevant to [you as] the expert. And I think we had in [30:39], we had a very nice presentation of [DFIWS] about those cases. It’s going on in other fields of expertise, so for digital forensics I think it’s something that will happen as well. [That’s a web application].
And then, there may be follow-up questions, more qualitative. So, not saying yes or no, or a number, but maybe saying interpretation about what happened. How much knowledge and skill in the field of digital technology is required in order to achieve a result? Because if you have a very advanced adversary, he might have actually performed anti-forensics, or manipulated evidence. In that case, it’s really becoming important that an expert gives an opinion about [was this manufactured], can I find any trace that this was planted here or that the suspect maybe wiped some evidence? How difficult was it to create that? How unlikely was it to create that?
So, those are example questions, and I think the questions help you to discuss what is a digital forensic expert’s … what kind of questions can you ask him?
I want to conclude with the status of the current Register. We have the six fields. At the moment, we have only [NFI] registered experts, and some of them have multiple fields of expertise. But I’m happy to announce that we haven’t had anybody yet for [field 8], multimedia forensics. But we have an Italian application that’s pending, and I hope it’s being dealt with soon, and that we can also say that we have at least one registered expert on the multimedia forensics.
I would also like to call on anybody that would like to meet these standards and want to become a registered expert in the Netherlands – we are open, actually we are organizing a workshop in September. And what we did last time, we actually invited people to come over to the Netherlands. We explained, we [had … there’s] a discussion, and you get … you will be assessed by the assessment committee. And there is also then room for [oral] examination. Because in September, our ACA members will be in Holland, they will be able to go through applications. So, if you register or apply for becoming registered before September, we can take you into account, and it will be great to add you to our Register. If you are not familiar with Dutch law – because that’s one of the requirements – that is not a problem, in that sense that we have an English course on the Dutch legal applications. And if you take that course – and other experts have done that – you have also qualified for that part of the requirements.
So, thank you for your attention. Happy to answer any questions, and I hope that we can take this further, and I will try to report on this on future conferences as well. [applause]
Host: Floor is open for questions for Hans. [silence]
Host: No? Everything clear.
Host: They already know it. [laughs]
Host: Okay, thank you very much, Hans.
End of transcript