In the world of medicine, a good physician will generally use initial test results as a starting point for diagnosis. They will use their experience to interpret those results in the context of the medical history, lifestyle and environment of the patient and will move on to further examination and questioning of the patient. They will probably order further tests prior to forming their diagnosis, and only then will they devise an effective plan of treatment.
An effective detective will assess the initial evidence and then establish what further enquiries are necessary, often hitting “dead ends”, but will continue until, hopefully, all the relevant evidence that can be obtained has been obtained.
In neither case would it be considered appropriate to simply accept the initial findings and call an end to the matter.
The same principle is true in most areas of forensic practice. Bare physical or electronic evidence may appear to a layperson, using “common sense”, to be incontrovertible, particularly if it is presented as simple fact. Science is not like that. Things are not necessarily as they appear and establishing the context of an artefact may be every bit as important as locating the evidence itself.
The examples in this article are drawn from Computer Forensics - because I am writing it and that is the field in which I specialise! If you view the “News” section of the Keith Borer Consultants’ website, you will find many further illustrations from fields as diverse as (but not limited to) fingerprints, biology, toxicology, chemistry and fire investigation.
A trained technician may be competent in locating material of potential evidential significance, but that is only the starting point. It is at this juncture that the investigation of the recovered material should begin.
An even moderately used computer will contain a very large quantity of individual items of data – some of those items will be immediately apparent as comprising potential evidence, others may be placed in reserve. The term “placed in reserve” as opposed to “discarded” is highly relevant. These may become of great value in the long run.
Once the obvious evidence has been identified, it may be possible to build a basic framework of the events that led to the presence of the core evidential material. It is, however, sometimes the case that by exploring the “nooks and crannies” of the evidence, a very accurate picture can be established of the way material has been created, manipulated, or accessed on a computer and, in particular, of whether there is any evidence of user knowledge or intent.
A significant proportion of the prosecution reports that we see cease at the stage of the identification of evidence; a greater proportion address a basic framework; and very few provide the full and accurate picture of events. It is fully recognised that prosecution examiners are often working under great pressure and with limited resources, but that is of scant consolation to a client for whom a solid defence would be available if a case had been fully investigated.
A significant proportion of our work is in regard to indecent images of children or extreme pornography, but also extends to investigations of social media communications, email, electronic document analysis, alleged terrorist materials or improper disclosure of sensitive commercial data – in fact, anything relating to potential evidence on a PC or Mac computer (computing) or on mobile telephones, tablets, or other small electronic devices (mobile investigations).
Case Study: The investigative nature of our work is demonstrated in a recent case of a rather unusual nature. The client was charged with the possession of a very small number of Prohibited Images of a Child and the importation from China of an obscene article, alleged to comprise a “Child Sex Doll”. Our initial instruction related only to the image content, which was found to be questionable both in relation to whether the images could be confidently assessed as representing children, and on the accessibility of the images within a web browser cache. During the analysis of the Internet History, however, Internet activity relating to sex dolls and a possible alternative interpretation of the evidence was identified.
The main thrust of the prosecution case was the size of the doll, 100cm tall. There was no argument as to whether the item had been imported (though it had been intercepted by the authorities). Examination of the client’s computer identified searches for sex dolls, and the ordering of, and payment for, such an item. None of the searches related in any way to seeking a doll that had the characteristics of a child. Following consultation with the instructing solicitor, the website from which the doll had been ordered was visited. It was found that, whilst potentially unlawful items were available on the site, none of those pages had been visited by the client. The pages that were visited featured dolls with exaggerated adult female characteristics, available in a number of sizes, presumably for the purposes of portability. The case was withdrawn.
In this case, evidence was located that exonerated the client of the charges. The evidence was found because the case was treated as an investigation, and not simply as an exercise in the repetition of work done by the prosecution examiner. It should be clearly stated, though, that when potential further avenues of investigation beyond the original instructions are identified, these will only be further pursued following consultation with the instructing party.
The Role of an Investigator
Historically, prosecution computer examinations were undertaken by experienced criminal investigators who had subsequently been trained in computer technology. Now, in many cases, examinations are performed by technicians who tend to be highly competent in the extraction of evidence but may lack the investigative experience and background knowledge of the relevant legislation and case law to fully interpret the extracted material, or to identify further avenues of inquiry.
The findings, in the form of a brief SFR, will be passed to an officer who may have significant investigative experience and an understanding of the legislation, but may lack the facility to fully appreciate the relevance of technical issues in the report presented.
The case will then be submitted to a prosecutor, who will have a detailed knowledge of legislation and case law, may be in a position to suggest further avenues of investigation but, again, may not be fully “up to speed” on the technical issues involved.
Each of these three individuals is likely to be highly competent in their own field, and no criticism of them is implied, but it becomes apparent how potentially unsound cases can find their way to Court.
Keith Borer Consultants brings together technical and investigative expertise with the experience to interpret our findings having cognizance of the relevant legislation. Furthermore, we work as a team, both during an investigation and, through our peer review process, in identifying any stone that may have lain unturned during an examination – and causing that stone to be turned.
Steve Guest, Forensic Computer Expert