Thursday, February 12, 2009

Challenging Computer Forensics Evidence

Not to be confused with defeating computer forensics.

What is the difference?

Defeating computer forensics is an attempt to prevent data from being recovered and used in a criminal or civil case. The idea is to make it impossible for a computer forensics examiner to find evidence by altering or destroying data on a computer or hard drive so that it cannot be recovered.

Challenging computer forensics evidence happens after an examiner does recover evidence and it is introduced as part of a civil or criminal case: the challenge is aimed at the process that produced the evidence and the conclusions drawn from it, not at whether the data exists.

There are two significant reasons to understand the process of challenging digital evidence:

1. As the primary expert examiner, you must understand how an opposing expert goes about challenging your findings.
2. As the opposing expert, you must understand how to go about challenging the findings of the primary expert.

Many people might think that evidence equals facts and ask how you can challenge facts: the data either is or isn't there.

While that is true in a sense, the question that must be raised is whether or not those facts really apply to the issue at hand.

Probably the number one mistake I see people make is assuming that if the other side does not find incriminating evidence, there is no need to use an expert examiner in a case.

However, that completely overlooks the possibility that the same set of evidence provides exculpatory facts which can be used to challenge the other side's case, independent of whether or not they plan to introduce digital evidence.

As one of the very few defense experts out there, I spend the majority of my time challenging the findings of law enforcement examiners.

Every case has something I call challenge points: specific steps in the overall processing of evidence where mistakes are commonly made by the person executing that particular phase of an investigation.
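The post does not list which steps those challenge points are. As an added example (not code from the original post), here is one routine record an examiner should be able to produce when asked: proof that the image actually examined is the one that was acquired. It hashes the image at acquisition, writes a manifest of who, when, size and hash values, and later re-hashes and reports exactly which value differed. The file names, manifest layout and the sample image bytes are assumptions constructed for this example.

```python
"""Integrity check for an acquired forensic image.

Added example, not code from the original post. The post does not name
specific challenge points; one that comes up routinely is whether the copy
an examiner worked on is bit-for-bit identical to what was acquired. The
file names, the manifest layout and the sample image bytes below are
assumptions constructed for this example.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Record two digests so a later weakness in one algorithm does not void the record.
HASH_ALGORITHMS = ("md5", "sha256")


def hash_file(path: Path, algorithms=HASH_ALGORITHMS, chunk_size=1 << 20) -> dict:
    """Stream the file once and return {algorithm: hexdigest} for every algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_acquisition(image: Path, manifest: Path, examiner: str, notes: str = "") -> dict:
    """Write an acquisition record (who, when, what, hashes) next to the image."""
    entry = {
        "image": image.name,
        "size_bytes": image.stat().st_size,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "notes": notes,
        "hashes": hash_file(image),
    }
    manifest.write_text(json.dumps(entry, indent=2))
    return entry


def verify_image(image: Path, manifest: Path) -> dict:
    """Re-hash the image and compare against the recorded values.

    Returns 'ok' plus a per-algorithm breakdown so a report can state exactly
    which value differed, not merely that verification failed.
    """
    recorded = json.loads(manifest.read_text())
    current = hash_file(image, algorithms=tuple(recorded["hashes"]))
    per_alg = {
        name: {
            "recorded": recorded["hashes"][name],
            "current": current[name],
            "match": recorded["hashes"][name] == current[name],
        }
        for name in recorded["hashes"]
    }
    size_ok = image.stat().st_size == recorded["size_bytes"]
    return {
        "ok": size_ok and all(v["match"] for v in per_alg.values()),
        "size_match": size_ok,
        "hashes": per_alg,
        "verified_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def demo(tamper: bool = False) -> dict:
    """Constructed walk-through: acquire, record, optionally flip one bit, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "evidence.dd"          # hypothetical image name
        manifest = Path(tmp) / "evidence.dd.json"  # hypothetical manifest name
        # Constructed sample bytes standing in for a disk image.
        image.write_bytes(b"\x00" * 4096 + b"sample partition data" + b"\xff" * 4096)
        record_acquisition(image, manifest, examiner="J. Examiner", notes="constructed sample")
        if tamper:
            data = bytearray(image.read_bytes())
            data[4100] ^= 0x01                     # a single-bit change is enough to fail
            image.write_bytes(bytes(data))
        return verify_image(image, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(tamper=False), indent=2))
    print(json.dumps(demo(tamper=True), indent=2))
```

The point of returning a breakdown rather than a bare pass/fail is that the verification itself becomes part of the documented process: when an opposing expert asks whether the working copy matched the acquisition, the answer is a recorded value, not a recollection.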

However, beyond that, in many of the cases I work, law enforcement may not have found anything on the computers to support their case. Defense attorneys I work with will still get the computers for me to examine to make sure that there isn't something there that will support the innocence of their client.

On the other side of the fence, where I am the primary examiner in a civil or domestic case, being aware of those challenge points makes me focus on being a better examiner.

In civil cases, the rules are not as stringent as they are in criminal cases. However, performing the examination to the same standards as a criminal case makes it much harder for my findings to be challenged if the other side has an expert of their own.

And since you never know when a civil or domestic case will turn into a criminal case, your standards must be high enough that you can defend your work in a court of law.

My point is that you should never make assumptions about a case where computer or cell phone forensic evidence is part of the case.

Even if the other side did not find anything to use, you may find something that challenges the overall case.

2 comments:

  1. "Every case has something I call challenge points; Steps in the overall processing of evidence..."

    Interesting...it's about the PROCESS. If you thoroughly document what you do, you can correct and improve your process...if you don't document what you do, what is there to improve?

  2. Totally reinforces my statements that Forensics is debate and discussion, as opposed to Forensic Science.

    Any examiner (or analyst) of evidence must be prepared to be challenged by the other side. They must be prepared to debate their findings, their process, and their tools. They should also engage in a validation of their own processes and tools ... in essence, challenging themselves.

    Great post. Keep up the good work.

    Jim Hoerricks
    Forensic Image Analyst and author of Forensic Photoshop - a comprehensive imaging workflow for forensic professionals and the forensic photoshop blog.
    www.forensicphotoshopbook.com
    forensicphotoshop.blogspot.com

