Friday, January 16, 2009

Obfuscation - Challenging Computer Evidence The Wrong Way.

From our friends over at dictionary.com:
ob⋅fus⋅cate

I was reading an article the other day in Forensics Magazine by Don Lewis, a Forensic Computer Analyst with the Lakewood, CO Police Department, titled "The Hash Algorithm Dilemma – Hash Value Collisions."

What struck me was his telling of an experience he had while testifying in a case where the defense attorney asked him about this subject.

Try not to let your eyes glaze over as you read the following excerpt from the article:

"When I testified recently a defense attorney brought this subject up. The testimony went something like this.
Q. “Mr. Lewis, are you aware that the MD5 algorithm has been compromised?”
A. “Yes, I am.”

Q. “So, its use to authenticate evidence is no longer valid!”
A. “No, the use of the MD5 algorithm is still a valid function for authentication.”

Q. “Why is that?”
A. “There are multiple uses for hash algorithms. One is cryptography (encryption), another is identification, and another is authentication. In digital evidence forensics, we use hash algorithms for known file identification and evidence authentication, which differs from its use in encryption.”



The questions and answers went on while the eyes of the jury glazed over. At the conclusion of the trial, the jury provided feedback to the District Attorney, and indicated that this line of questioning got too complex for them to understand and did not seem relevant to the case being tried."


No kidding!

When I see examples like this, I am wondering if the defense attorney had the good sense to consult with an expert of his own. If he did and the advice he got was to use this line of questioning, then the attorney should make sure to drop the expert from his list of people to call.

The first thing that jumps out is that by asking this type of question, it appears the defense had no defense regarding the computer evidence in the case.

Attempting to obfuscate the issue is not going to endear you or your client to the jury. In fact, it is my opinion that it would only weaken your case. By the time the expert gets done answering this line of questioning, you have probably lost the jury for any further questioning regarding the computer evidence.

Of course, the alternative explanation could be that the defense attorney was attempting to discredit the prosecution expert by asking this obscure and irrelevant question. The danger in this is twofold: First, you had better know the correct answer if you are going to do this. Why? Because if the expert gets it wrong, you need to be able to demonstrate the correct answer if you plan to use this to discredit the expert's subject matter knowledge.

Second, if they get it right, as Mr. Lewis did, was it a gain or a loss for you?


I think this is dangerous ground unless you already have good reason to believe that you can discredit the expert's knowledge. Attempting to discredit the expert is, in my mind, the last thing you should do, meaning that you have no other avenue of challenging the evidence presented.

Maybe the defense in this case really had no defense for whatever computer evidence may have been presented by the prosecution. There is no way to know from the excerpt above.

Perhaps the strategy was to so confuse the jury regarding the computer evidence that they would ignore it in considering their verdict. Seems like a pretty weak strategy if you ask me.

Having testified in cases where complex computer evidence needed to be challenged and explained to a jury so they could use the information in making a verdict decision, I can tell you that the last thing you really want to do with a jury is obfuscate.

Unless of course, you have no other defense.
