The dual role of a digital forensic practitioner as a computer expert and a digital detective

Forensic practitioners not only recover and analyse evidence, but they also present and interpret its meaning to investigators, lawyers, and, ultimately, to the jury. Being a sound analyst is of course a fundamental requirement, but practitioners must also be able to communicate with clarity their findings and professional opinion to the non-specialists.

Joseph Naghdi
Computer Forensics Lab

--

Joseph Naghdi, A Digital Forensics Examiner at Work

Evidence is blind and cannot speak for itself, so it needs an interpreter to explain what it does or might mean and why it is important to the case, among other things. A good comparison is raw statistics: without the help of a statistician it is virtually impossible to make sense of facts and figures, because they have to be put in their correct context or we risk misinterpretation and misunderstanding. Digital forensic examiners spend a fair amount of time explaining technical matters to legal teams and juries to ensure that they have a clear understanding of the evidence — a rewarding task when the penny eventually drops!

The unique privilege of providing expert evidence and opinion

Under normal circumstances, hearsay evidence is not permitted in courts, and the opinion of witnesses is distinctly prohibited. Expert witnesses and scientific experts, however, may provide opinion based on their extensive practice and research, provided it is restricted to the evidence presented. These privileged witnesses may share with the court any inferences they have made from the evidence they have observed, if it is within their sphere of expertise.

Finding a needle in a haystack is what digital forensics experts do!

Digital forensic experts are expected to provide information that may help the court form its conclusion, and the expert’s subjective opinion may be included. However, it is the court’s obligation to form its own opinion or conclusion as to the guilt or innocence of the defendant, based on the testimony provided. The digital forensic practitioner, when acting as a forensic expert, should do no more than provide scientific opinion about the information to help the court reach a judgement.

Experts must avoid providing final opinions themselves, since expert knowledge is sometimes not completely certain. Across a range of legal jurisdictions, courts expect forensic practitioners to possess a sound understanding of computer technology so that their testimony can have credibility.

The United Kingdom’s Civil Procedure Rules (1998) require compliance by all expert witnesses, and Part 35 stipulates that the expert (practitioner) has an overriding duty to help the court and to maintain strict impartiality rather than supporting the party that engaged them. The rules stipulate that:

1. The facts used in the expert’s report must be true.

2. The expert’s opinions must be reasonable and based on current experience of the problem in question.

3. When there is a range of reasonable opinion, the expert is obligated to consider the extent of that range in the report and to acknowledge any matters that might adversely affect the validity of the opinion provided.

4. The expert is obligated to indicate the sources of all the information provided and not to include or exclude anything that has been suggested by others (particularly the instructing lawyers) without forming an independent view.

5. The expert must make it clear that the opinions expressed represent the practitioner’s true and complete professional opinion.

In 2008, the Council for the Regulation of Forensic Practitioners reiterated these stipulations and added further conditions expected of practitioners:

· They must disclose all material they have had access to.

· They must express their range of opinion on the matter in question.

· They must explain why they prefer their view to a different view.

· They must provide the evidence based on which their opinion is offered.

· They must not give evidence outside their field of expertise.

The United Kingdom’s guidance booklet for experts, Disclosure: Experts’ Evidence, Case Management and Unused Material, published in 2010 by the Crown Prosecution Service, emphasised the need for practitioners to ensure that due regard be given to any information that points away from, as well as toward, the defendant. The booklet stresses that practitioners must NOT give expert opinion beyond their area of expertise. The booklet also addresses the independence of the practitioner as well as reiterating the requirement to examine and share exculpatory evidence with the court and other parties.

Digital forensics practice rules in the UK versus certain regulatory obligations of experts in the United States

Case prosecutors in the United States are required to disclose materials in their possession to the defence under the Brady Rule (Brady versus Maryland, 1963). Under the Brady Rule, the prosecutor is required to disclose any evidence to the defence, including any evidence favourable to the accused (exculpatory evidence), notably “evidence that goes toward negating a defendant’s guilt, that would reduce a defendant’s potential sentence, or evidence going to the credibility of a witness.”

If the prosecution were shown to have failed to disclose such exculpatory evidence under this rule, and prejudice ensued as a result, the evidence would be rejected and suppressed by the court, irrespective of whether the prosecution knew the evidence was in its possession or whether the withholding of the evidence was intentional or inadvertent. However, the defendant would have to prove that the undisclosed evidence was material and show that there was a reasonable prospect that the outcome of the trial would have been different had the prosecutor shared the evidence.

This is something the digital forensic practitioner must constantly be aware of and comply with during case examination and evidence presentation in the US. A recognised obstacle to the disclosure of digital evidence is the practitioner’s awareness of exculpatory evidence that would undermine evidence of an inculpatory, or incriminating, nature. Digital forensic practitioners may be employed by the prosecution or the defence, but ultimately they have an overriding duty to the courts to present all relevant facts for or against their clients. It may be poor legal strategy to disclose information that hurts your own case, but the courts do expect an open and honest exchange of evidence between the parties involved.

Digital forensic experts must resist the common pressure from courts to provide an opinion on the probability of guilt or innocence, and must maintain that their statements of opinion cannot substitute for the court’s own judgement. It is common knowledge that jurors tend to be influenced by practitioners who exude confidence but whose testimony is sometimes biased and mistaken.

How can inadequate or flawed processes affect digital forensic investigations?

At the beginning of any forensic examination, practitioners are usually confronted with determining the type of acquisition process required, then locating the data needed to complete the examination, and, most importantly, selecting the appropriate evidence analysis process. In such circumstances, practitioners need to be provided with the correct balance of case background information to assist them in filtering voluminous case material, which may otherwise prove overwhelming.

The examination of larger datasets may make it difficult to characterise the evidence of a crime and to define the scope and goals clearly in the absence of tools, standards, or structured support processes. Regrettably, current digital forensics tools sometimes fail to provide adequate investigatory support to practitioners and may be described as first generation, incorporating no decision support to aid the practitioner. The rapid pace of technological advancement, together with the changeability of software applications and hardware, has compounded the challenges computer forensic practitioners face nowadays.

Because of the great number of inherent, technical complexities, it is often impractical for digital forensic practitioners to determine fully the reliability of computer devices or network systems and provide assurances to the court about the soundness of the processes involved.

Sometimes during digital forensic examinations, the practitioner may be required to revisit portions of the evidence to determine its validity, which may open new lines of investigation and require further verification of other evidence as circumstances dictate. It is often a tedious process, and frequently an inordinate amount of time and resources is required to collect and analyse digital evidence. The sheer volume of cases and the time required for investigation can undermine the ability of practitioners to reconstruct events and provide an accurate interpretation of the evidence.

However, from a pragmatic perspective, the amount of time and effort involved in the digital forensic process should pass an acceptable “reasonableness test”: it is not expected that every possible effort be put into finding all conceivable trace evidence and then seizing and analysing it. This is becoming especially challenging for practitioners as the volume of data to be analysed becomes enormous and spans many networks.

What are the principal qualities of the digital forensic practitioner?

Digital forensics, also known as cyber forensics and computer forensics, is generally considered to consist of three roles in one: that of a cyber analyst familiar with the workings of computer devices and networks, a detective with knowledge of investigating crime, and a lawyer with a sound understanding of the law and court procedures. There is a growing cottage industry of self-proclaimed cyber forensic experts, as well as a tendency towards mediocrity in the industry. Self-qualified “experts” bamboozle the legal system and are not always challenged, and the truth of their evidence is seldom sought. However, there are basic standards of practitioner professionalism and experience required by computer and information security bodies, the courts, governments, and corporations. Forensic practitioners involved in the examination of digital crime scenes must assume command of the situation and identify all relevant digital evidence, which must be collated and compiled into a professional report for presentation to the lawyers and ultimately the courts. Most importantly, to satisfy a court of law, a digital forensic examination must be legally well founded as well as convincing in the everyday sense. The practitioner must use sound and well-established processes for recovering data from computer storage media, together with processes that validate its accuracy and reliability.

What are prerequisites to become a proficient digital forensic practitioner?

Having a background in computer science combined with a curious, inquisitive and investigative mind is certainly a good start. It is also expected that a digital forensic investigator has some general legal knowledge, specifically of the rules and regulations governing the acquisition, preservation, analysis and reporting of digital evidence collected from various digital devices. As such, a prospective digital forensic examiner should also demonstrate proficiency in computer systems and have a good knowledge of their workings. This includes a fair knowledge of operating systems such as Windows, macOS, Android, iOS and different flavours of Linux. It must be stressed that the roles of forensic examiner and investigator are often interchangeable and are usually considered combined roles. Among the other qualities of a digital forensics examiner, one can enumerate tenacity and perseverance in the face of challenges, complexities and setbacks, as well as a great eye for detail. Another major quality is never being afraid to ask questions at every stage of the investigation, while not overlooking the need to be creative in the digital investigation process.

--

Joseph Naghdi
Computer Forensics Lab

Forensic computer scientist and senior computer forensics analyst working with Computer Forensics Lab in London, United Kingdom.