Computer forensic investigations often unearth a plethora of evidence that the analyst will collate in order to compile their report. This evidence often takes the forms of documents, pictures, Internet browsing history and communications data, both live and deleted, to name but a few. However, when the investigation finishes and the findings are scrutinised by the client or legal counsel, are the most crucial evidential artefacts actually being used to serve justice?
Stating the facts
It can be very overwhelming and time consuming for anyone to read a long and complex report. In computer forensics, both acknowledging and understanding all of the data that has been presented, as well as building a picture in your mind as to the credibility of it all can be a daunting challenge.
Some time back, I carried out a criminal investigation that involved the examination of a computer belonging to an individual who had been allegedly viewing indecent pictures. Having identified and extracted a multitude of artefacts from the system (including indecent pictures), the most relevant artefacts were actually the search terms recovered from the computer’s web browser searches. My report was reasonably lengthy, over 25 pages in total, and detailed all of the findings, first explaining the web browser search terms that had been identified, and their relevance.
Understanding the facts
A few days after the trial had ended, I spoke to the prosecuting barrister. He stated that believed, upon inspection of my report, that the evidence was damning and that he was confident of a conviction, yet the argument was not in his favour.
As it transpired in this case, the indecent images (pictures) that were found had been deleted on the computer, and were located in an area of the hard disk that made it impossible to attribute them to a specific user, or give any credibility to the argument that the defendant had knowledge (and therefore possession) of them. The prosecuting parties who had viewed this forensic evidence report had seemingly overlooked the other evidence as possibly, in their minds, the pictures were the crux of the matter, deleted or not…
The search terms, however, were very damning, as over 20 search criteria that were manually typed into a search toolbar on the web browser had been recovered. The nature and context of these search terms were irrefutable and the location of this evidence on the hard disk showed both the user account logged on, and the times and dates when these searches were carried out. This evidence would have gone a long way to proving Mens rea (latin for “guilty mind”) and almost certainly would have helped the prosecution’s argument.
I explained to the barrister that a forensic report should always draw attention to the best evidence first, and refer to it as such, as was the case in my report. By presenting the best evidence first in executive summaries, opening paragraphs, whatever the format is, the chance of it being overlooked due to the visually daunting and often technical nature of the content, is greatly reduced.
Changing the way of thinking
In this case, the collective mind of the prosecution seemed to have misunderstood the evidence to the point where a fight was entered into that almost certainly couldn’t be won. By explaining why, the evidence that is presented may contradict the normal way of thinking. This leads to a clearer understanding for all parties involved. I find that it is also good practice to follow up an investigation with a phone call to the client, both as a courtesy and to ensure that the documented findings are fully understood.
A saying from the novelist Anatole France springs to mind, “It is better to understand a little than to misunderstand a lot”.
Author: Will Hunt – 7Safe Computer Forensic Consultant & Training Course Manager.
To find out more about computer forensics, or how 7Safe can provide evidence-based analysis of your data, contact us .