When bringing an offence committed involving a digital device such as a computer before the criminal court system of England and Wales a strategy must be drawn up by the prosecution to prove beyond all reasonable doubt that the defendant is guilty of the crime.
This strategy is heavily dependent on the findings of the forensic examiner who has the immense responsibility of examining the exhibits for signs of evidence.
Procedure is everything
As important as the examination of a digital device is the procedure followed to do that examination. Surprisingly, there are no agreed standards, rules or protocol for the handling of computer evidence. Any technical processes applied to digital evidence 'does not have to pass any formal test' for it to be placed before a court.
There are, however, best practice guidelines on the recovery of digital based evidence. One of the essential ingredients of a witness statement (hereafter referred to simply as a statement) is to explicitly state that these guidelines have been followed.
The guidelines were laid down by the Association of Chief Police Offices (ACPO) of England, Wales and Northern Ireland and were discussed briefly in a recent article and are reproduced here for convenience:
- Principle 1: The data held on an exhibit must not be changed.
- Principle 2: Any person accessing the exhibit must be competent to do so and explain the relevance and the implications of their actions.
- Principle 3: A record of all processes applied to an exhibit should be kept. This record must be repeatable to an independent third party.
- Principle 4: The person in charge of the investigation has responsibility for ensuring that the law and these principles are adhered to.
Any actions performed by the examiner that could be deemed to alter the data held on the original exhibit must be described in enough detail to demonstrate these principles have been followed.
Thus in creating a forensic copy of a hard disk, for example, it must be stated that suitable precautions were taken to prevent any data being written to the disk. Typically, this would be the use of a hardware write-blocking device.
Arguably the most important area to cover when presenting evidence to a court is that of continuity. It is absolutely critical to be able to account for what happened to an exhibit such as a computer from the moment it was seized to the moment it was examined by a forensic examiner.
Any gaps in this chain of evidence could mean that one or more unknown persons could have had access to the exhibit and thus have potentially interfered with the integrity of the exhibit.
It is not enough to simply produce an unbiased and technically accurate document describing the outcome of a forensic examination. The primary purpose of the statement is to assist the court in evaluating the admissibility and weight of any evidence found on the digital devices examined for the case.
Statements are submitted to the Crown Prosecution Service (CPS) and copies are distributed to both the prosecution and defence counsel. The statement aids the understanding of the examiner’s findings and assists in deciding the strategy and the legal points to prove.
Under UK law each offence has what are known as 'points to prove'. For example, under Section 3 of the Computer Misuse Act 1990 a person is guilty of unauthorized modification of computer material if it can be proven that he or she:
(a) does any act which causes an unauthorized modification of the contents of any computer; and
(b) at the time when the act was performed he or she has the requisite intent and the requisite knowledge to do so.
These two points demonstrate what in legal terms is called the actus reus (guilty act) and the mens rea (intent/knowledge) of the individual.
Issues affecting how to present
From a prosecution angle, the objective here is to provide strong evidence for each legal point to prove for a given offence. The challenge for the forensic examiner is that the technical complexity of such cases frequently surpasses the technical knowledge and experience of the court.
Unlike a written document, raw computer evidence must be presented with an accurate interpretation, which clearly identifies its significance in the context of where it was found. For example, the hard disk of a computer contains raw binary data.
Ignoring more complex data types, this may be encoded as simple binary, binary coded decimal or as hexadecimal data. The value encoded may represent a numeric, alphanumeric, date/time or logical value. Even dates and times can be encoded in a number of ways employing, for example, a big endian or little endian approach.
This interpretation must be undertaken by a suitable qualified person and then presented in a human readable form for consumption by a court. Over-simplification is dangerous as it could lead to the data becoming open to interpretation.
Any doubt as to the interpretation of a single item of evidence can often be correlated with other evidence such as logs files, internet history, link files, and so forth.
A particular area of difficulty is the communication of risk and probability. The court ultimately has to make a clear judgement on such matters and it is not always possible to give black and white answers to questions.
Using terminology such as 'indicative of' and 'a common cause of', it is possible to present such evidence with a possible cause and an indication of its associated probability.
It may come as a surprise to learn that the jury do not always get to see statements supplied to court. In cases involving indecent pictures of children the pictures themselves are rarely viewed in open court owing to the distressing nature of the exhibits themselves.
A description of the picture is generally supplied to court and in some cases the prosecution and/or defence counsel will ask to view the material (usually along with the judge) either at the judge's bench or in his or her chambers.
When the jury do hear the evidence of the forensic examiner it is through the interpretation of the prosecution counsel. Thus it is absolutely essential to liaise with counsel prior to going to court to check their understanding of the facts.
Such meetings, when they occur, usually happen just prior to going into court and often only hour at most after they have first seen your statement. Where appropriate, counsel is offered a carefully selected analogy to assist in the comprehension of such data.
There is a school of thought that juries in such cases should be selected from among suitable technically qualified people. The BCS have proposed such a measure on a submission paper. Such a radical measure would need a careful study of the current system and how successful it is.
The problem though, as identified by section 7 of a report by House of Commons Science and Technology Committee is that 'section 8 of the Contempt of Court Act 1981 and the related common law assures the confidentiality of a jury's deliberations and precludes research into these deliberations'.
Planning for a defence
One of the responsibilities of the forensic examiner working for the prosecution is to identify and examine possible areas of defence that may arise. Probably the most common defence identified at the police interview stage of an investigation is that of a Trojan or 'pop-up' being responsible for the presence of any illegal material.
A recent article discusses a process that may be followed to counter such a defence. Another line of defence is that such material was unsolicited and was 'pushed' to them via MSN, a peer to peer application such as Kazaa or perhaps email.
By demonstrating that the defendant had in fact sought such material by signing up to a service using a credit card, searching within Kazaa or by entering keywords in an internet search engine such a defence can be countered before it is raised.
Sheer quantities of material and periods of exposure spanning weeks or even months can also be used to counter any defences relating to 'curiosity'.
Aside from pinpointing who had access to a digital device and when, the other main area of defence is that of procedure. By keeping contemporaneous notes of all actions performed, particularly in relation to the technical processes followed, it is possible to demonstrate that an empirical approach has been taken to the examination of an exhibit and data contained within it.
Although such notes will not find their way into a statement in their entirety they should include any areas of the ACPO guidelines that need to be evidenced.
Thus, when capturing a forensic copy of a hard disk for example, it should be recorded that the process was performed using a hardware write blocking device (ideally) together with the manufacturer, model and serial number.
If there is a significant difference between the total number of sectors on a hard disk indicated by the label and that which is reported by the analysis tool an account for this difference should be provided in the statement. Without this the defence could argue that the evidence that vindicates their client is located in this 'missing' area.
Finally, when the evidence presented is so damning some defence counsels have been known to attempt to attack the credibility of the examiner who undertook the work.
By challenging his or her level of experience and perhaps even competence the attempt is made to show that the second ACPO principle (competence) has not been followed by the prosecuting team.
- Parliamentary Office of Science and Technology, Postnote (Accessed: 26 September 2006)
- Association of Chief Police Officers of England Good Practice Guide for Computer Based Evidence (Accessed: 27 June 2006)
- Kennedy IM, The Electronic Autopsy - Part 1
- Johnston D and Hutton G, Blackstone’s Police manual, Evidence and Procedure, 2004, Oxford University Press, p133
- BCS, Expert Panels: Legal Affairs Expert Panel, Submission to the Criminal Courts Review, Lord Justice Auld, 2000
- House of Commons Science and Technology Committee, Seventh Report, 2005
- Kennedy IM, It was a big wooden horse, your Honour (Accessed: 27 September 2006)