Digital evidence in criminal court cases. The fallacies and misunderstandings and how they can destroy lives and reputations.

Digital evidence is now a permanent part of our lives. Unless you have a zero digital footprint, owning and using no digital devices, there will always be digital evidence of what you do, and eventually of who you are, following you. Even if you are off the grid, third parties will still create a digital footprint of you.

In criminal cases, we used to have the classic forensic evidence: fingerprints, blood types, DNA, shoe prints (I still remember my professor, emphasising that it is shoe prints and not footprints), ballistics, firearms forensics, autopsies, tox screens etc.

Today, digital evidence provides a plethora of new sources of information that both prosecution and defence teams can use. Of course, each side has its own advantages. The prosecutors (and the police) are the custodians of all seized evidence, and they are the ones who make the ultimate decision on prosecuting a case. The defence team are the ones who use expert witnesses and investigators who can think outside the box, look for additional information, and use it if it fits their narrative. After all, the defence in most of the western world does not have to disclose anything to the prosecutors: the burden of proof lies with the one who accuses.

In my years as an expert witness, I have worked on several kinds of cases: criminal, civil, employment, family. The criminal ones are usually the most challenging, because they involve different parties working to different protocols and usually not understanding each other.

In my presentations I often give an example of how digital evidence is misunderstood and often ignored. I ask which of the following crimes does not contain digital evidence:

a. Online Fraud
b. Industrial Espionage
c. Cyber Stalking
d. Cyber Bullying
e. Defamation
f. Stealing lead from a church

The most common answer is “f. Stealing lead from a church”. Then I come to explain why that is not the case:

If you want to steal lead from the roof of a church, you will probably start your research with Google Maps, Google Earth or Bing Maps, looking for churches, their surroundings and the best point to climb onto the roof without being seen. Then you will drive (or walk) to the locus, and your car’s satnav, your Google Maps app and any other navigation app will record your whereabouts and the time. Then you may take some photos (which may well include GPS metadata). Then, during the actual criminal act, you will have your mobile phone with you, which will place you in the vicinity of the surrounding masts, or exactly at the church if your GPS is enabled. Last but not least, you will have Googled something like “who buys scrap lead near me”. That is at least 6 possible sources of incriminating evidence.

So here are some of the challenges with Digital Evidence:

1. Education and training

Although forensic scientists usually had a relevant degree, that did not seem to be the case for “computer forensics” staff. I often heard stories from police officers (and retired ones, some even with an OBE or an MBE for their services) about how the first cybercrime staff were recruited: internally, from departments including traffic. That was, of course, at a time when not many people had a digital forensics degree; still, there were a lot of IT-educated people around to choose from.

Emphasis was given to fast-tracking training, which meant mainly vendor training. To date, when one looks at the credentials of the police officers in joint reports, many only have vendor training to list, and that training sometimes amounts to 1–3 weeks of formal training. In a recent case, the lead investigator only had this kind of vendor training, amounting to not more than 6–7 weeks of training in ten years. Surprisingly, the second investigator, whose role was to monitor and concur, had more than four years of formal training. Interestingly, the prosecutor, who obviously had not evaluated anyone’s credentials in that trial, asked the lead investigator if my 7+ years of education and training were as good as his 6–7 weeks. It was an embarrassing moment, and an uncomfortable one (as I perceived it) for the said investigator who had to answer it. No mention was made of the junior investigator, who had far longer formal education and training.

2. Who writes and who reads digital forensic reports.

Another problem I see constantly is the language barrier between police and prosecution. And I do not mean the English language. The people who create the reports have a policing and/or technical background. They write a technical report, which is given to prosecutors. The prosecutors are lawyers, and they are not trained to understand what the reports say.

So, for example, a police report may say that a URL was recovered of a video file at the following location:

C:\Desktop\Downloaded Videos\Porn\12yo.avi

Then the police report says something along the lines of: “The file was deleted and the content could not be recovered”.

Often prosecutors will take it that this constitutes evidence of a video referring to a 12-year-old child. However, that is obviously not evidence, no matter what one can infer from the filename: nobody knows what the actual content was. Often, in cases of indecent images of children, I see charges of taking, allowing to be taken or sharing the images, even when the police report explicitly states that there was no evidence of sharing and that it provides no evidence of taking the images.

And sometimes the police report will say that they found indecent images but they were not accessible! What does that even mean? It actually means that there are copies created by the system, often thumbnails of very small size and low quality, with a lot of metadata lost, meaning the images are now out of context. And context may make or break a case.

3. Sometimes … there are no reports.

One of the most disturbing occurrences is when a constable at a police station takes screenshots of some texts, puts them in a report and passes them over. Surprisingly, judges often grant search warrants on that basis, without the cybercrime units extracting, preserving and analysing the evidence. In one case, the constable told the complainer to go home, take screenshots and email them to the police. And a search warrant was issued on that basis.

The constable in question obviously had no training in dealing with digital evidence, but neither did the prosecutor and their deputes when they took action.

4. Mishandling and compromising of evidence.

In my very first case in which I examined police-held evidence, at what was then the Dumfries and Galloway Constabulary, I discovered that 4 pieces of evidence were compromised. I asked the forensic examiners to repeat the extraction from a Nokia (Symbian) mobile, so that I could compare the original and the new set. It turned out they were not able to repeat the experiment and come to the same results.

[Table not reproduced: results of the two extractions. Copyright: Strathclyde Forensics Ltd]

The table above shows the results of the two examinations. The column dated 8/5/2009 was the set of data produced during disclosure. The second column (12/01/2010) was produced during my visit to the police lab.

It turned out that there were two issues the examiners were unaware of: first, there was a glitch with CELLDEK, the tool used, and secondly, the mobile phone had a default setting to wipe call records after 30 days, so when they powered it on again they compromised the evidence. There was no physical extraction of the handset, only a logical one.

The main issue, however, was not the people: they were following protocol. The issue was the process. Their tool had a glitch, and the two officers performed two independent extractions (one by each officer) with that same tool. As a result they just repeated the same error and ended up with the same erroneous results. The correct process would be to examine with two different tools and see if the two data sets are the same.
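As an added illustration of what comparing two data sets means in practice (this is not code from the article or from Strathclyde Forensics), the script below diffs two call-log extractions of the same handset and separates the records a 30-day auto-wipe would explain from losses that point at the tool or the process. The export format, numbers and dates are constructed for the example.

```python
# Added example (not from the article): compare two independent extractions of the
# same handset's call log and separate losses a 30-day auto-wipe would explain from
# losses that point at the tool or the process. All records and dates are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CallRecord:
    number: str
    when: datetime
    kind: str  # dialled / received / missed


def parse_extraction(text):
    """Parse a constructed 'number;YYYY-MM-DD HH:MM;kind' export into a set of records."""
    records = set()
    for line in text.strip().splitlines():
        number, when, kind = (f.strip() for f in line.split(";"))
        records.add(CallRecord(number, datetime.strptime(when, "%Y-%m-%d %H:%M"), kind))
    return records


def compare_extractions(first, second, second_date, retention_days=30):
    """Return (only_in_first, only_in_second, explained): explained holds records missing
    from the second set that were already older than retention_days at the second extraction."""
    only_first, only_second = first - second, second - first
    cutoff = second_date - timedelta(days=retention_days)
    explained = {r for r in only_first if r.when < cutoff}
    return only_first, only_second, explained


# Constructed data: first set produced at disclosure, second during a later lab visit.
FIRST = parse_extraction("""
07700900001; 2009-04-20 10:15; dialled
07700900002; 2009-05-01 18:40; received
07700900003; 2009-05-20 09:05; missed
07700900004; 2009-05-25 22:30; received
""")
SECOND = parse_extraction("""
07700900003; 2009-05-20 09:05; missed
07700900009; 2009-06-10 12:00; dialled
""")
SECOND_DATE = datetime(2009, 6, 15)


def report(first=FIRST, second=SECOND, second_date=SECOND_DATE):
    only_first, only_second, explained = compare_extractions(first, second, second_date)
    return {"missing_in_second": len(only_first),
            "explained_by_wipe": len(explained),
            "unexplained_loss": len(only_first - explained),
            "new_in_second": len(only_second)}
```

Any record counted under unexplained_loss cannot be attributed to the handset's retention setting and is where a second, different tool should be brought in.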

5. Schedules and Chain of Custody

One other issue with criminal cases is the chain of custody. Checking it is a good way to make sure there are no gaps in the custody of the evidence that would have allowed the evidence to be compromised.

A schedule of all seized devices is something that should also always be provided to the Expert Witness working the case. I found the value of that when, in one case, 7 devices were seized, only two were in the report, and there was no mention of the other five. Good practice is that the others are mentioned with a comment like “nothing of evidential value” or “the device was not accessible”. It turned out that neither the police nor the prosecutors could account for these pieces during the trial. Five out of seven is 71% of the devices unaccounted for.

6. Proof of concept.

The police investigators will always work under strict guidelines, often not made by them, and probably established many years earlier.

I have found that (in some cases only) a proof of concept helps explain things better to the judge and/or jury.

In one case from Greenock a few years ago, a Procurator Fiscal dropped a case because of my report, which was simply a proof of concept with no actual evidence in it. All I had to prove was that SMS messages and calls could be spoofed, and at the time, with the lack of corroborating evidence (no records were kept by the telecom provider for two years after the alleged offence), the case had to be dropped.

In another case I used a proof of concept to prove a point about how images are uploaded to Google Photos and how they are listed there, where the police report and its author could not explain the significance of the recovered metadata of the images in question when asked by the judge. The judge was not impressed!

7. Third party data

Often investigations do not involve a physical device. In cases involving the location of a handset or the corroboration of messages and calls, the records from the telecom providers are the main source of information. These are provided by someone with a title such as Police Liaison or Court Liaison, who will supply the data sets together with a signed statement. These data sets are considered unadulterated by both the prosecution and the defence. They are often used to establish the whereabouts of a device. And although that does not prove that the user was with the device, the onus of proof on that point always lies with the prosecution.

8. Backlogs and old methodologies.

I remember when I started my career in digital forensics, at a cybersecurity conference at the University of Strathclyde held by my professor George Weir, Strathclyde Police’s cybercrime unit at the time had a one-year backlog. That meant that something seized would be examined a year later and then possibly prosecuted. People had to wait too long to find out whether they would be prosecuted, and they were also deprived of access to their computers and mobile phones, which could be detrimental to their professional and personal lives.

Today there is really no reason to keep most devices in custody: the police can image them straight away in the presence of a defence expert, provide a hash value of the device, and analyse them later. The items can be returned (with the exception of indecent images of children and maybe terrorism cases), and a joint agreement by the imaging officer and the defence expert, concurring on the hash value of the device, would be enough to ensure the evidence had not been compromised.
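To show how the seizure schedule check from section 5 and the joint hash agreement proposed here fit together, the following added example (not the article's or any police force's code) audits a constructed custody log against a seven-exhibit schedule: it flags exhibits missing from the log, exhibits whose recorded image hashes disagree, and imaged exhibits with no hash confirmation by a defence expert. Exhibit ids, handler roles and image bytes are constructed.

```python
# Added example (not from the article): audit a seizure schedule against a custody log
# in which each handler records the SHA-256 of the device image. Exhibit ids, handlers
# and image bytes are constructed for illustration.
import hashlib
from collections import defaultdict


def image_hash(data: bytes) -> str:
    """Hex SHA-256 of an image held in memory; a real image file would be hashed in chunks."""
    return hashlib.sha256(data).hexdigest()


# Constructed exhibits: seven devices on the schedule, as in the case described above.
SCHEDULE = [f"EX{i}" for i in range(1, 8)]
IMG1 = b"constructed image of EX1"
IMG2 = b"constructed image of EX2"

# Constructed custody log: (exhibit, handler, action, hash recorded by that handler)
LOG = [
    ("EX1", "imaging officer", "imaged", image_hash(IMG1)),
    ("EX1", "defence expert", "verified", image_hash(IMG1)),       # joint agreement
    ("EX2", "imaging officer", "imaged", image_hash(IMG2)),
    ("EX2", "lab examiner", "examined", image_hash(IMG2 + b"!")),  # image changed
    ("EX3", "property store", "retained", None),                   # logged, not imaged
]


def audit(schedule=SCHEDULE, log=LOG):
    """Flag exhibits absent from the log, exhibits whose recorded hashes disagree, and
    imaged exhibits with no hash confirmation by a defence expert."""
    by_exhibit = defaultdict(list)
    for exhibit, handler, action, digest in log:
        by_exhibit[exhibit].append((handler, action, digest))
    findings = {"unaccounted": [], "hash_mismatch": [], "no_defence_verification": []}
    for exhibit in schedule:
        entries = by_exhibit.get(exhibit, [])
        if not entries:
            findings["unaccounted"].append(exhibit)
            continue
        digests = {d for _, _, d in entries if d}
        if len(digests) > 1:
            findings["hash_mismatch"].append(exhibit)
        if digests and not any(h == "defence expert" and a == "verified" for h, a, _ in entries):
            findings["no_defence_verification"].append(exhibit)
    findings["unaccounted_pct"] = round(100 * len(findings["unaccounted"]) / len(schedule))
    return findings
```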

9. Onus probandi (burden of proof)

It is my experience that many criminal cases involving digital evidence are lost because the prosecution did not properly assess what the police forensic report presented.

Lack of training, misunderstandings and biases lead to prosecutions that were condemned to be lost, or that were not in the public interest. A tremendous amount of public money and work hours are lost annually because of this lack of understanding of digital evidence.

Conclusions

Digital evidence is a challenging new world. Lawyers and prosecutors were not trained to deal with it, and the police forces (around the world) were not ready to deal with the volume of investigations. In traditional forensics (biology, chemistry, anthropology etc.) the labs had for decades employed scientists with university degrees, masters or even PhDs. But in “computer forensics” they would source officers from whichever departments, people who “knew how to use a computer”, give them a few weeks of vendor training and rename them digital forensics examiners or investigators. That meant these people had technical awareness but were not forensic scientists, unlike later recruits with formal digital forensics and cybersecurity education and certifications. However, that generation is partially buried under the old guard of more senior officers, often just concurring with what their superiors did.

The problem then is with the prosecutors. They take police forensic reports at face value, without doing any due diligence as to the quality and accuracy of the report. This can easily lead to unnecessary prosecutions, waste of time and money, and damage to the reputation of the prosecution services. A second expert opinion never hurt anyone.

Possible solutions:

In my opinion there are ways of improving the handling of digital forensics in the legal profession:

a. Introduce Digital Evidence as a standard module in Law Schools. This can be an independent module or an addition to an existing Evidence course. Law Societies have a vital role to play here.

b. The prosecutors could employ defence experts to give them an opinion before prosecuting. To avoid conflicts of interest, these experts should be excluded from working on the defence of that case. That would allow prosecutors to better evaluate the chances of winning a case, do their due diligence, and thus decide if it is in the public interest to prosecute. A process like this can save thousands of work hours for the prosecutors and the courts, and huge amounts of money for all of the above plus Legal Aid. It would also reduce backlogs and delays in accessing and delivering justice.

c. Introduce awareness certification for existing (practicing) lawyers on Digital Evidence.

d. Lawyers should instruct their Expert Witnesses as soon as they accept a case. Often things are left for a later date and that is never good. Give your experts time to dig deeper, to be more thorough and to have the time to properly audit the work of the police.

If you are interested in hearing more about digital evidence in criminal cases, join me this week, on the 23rd of June, for a webinar organised with The Law Society of Scotland, to talk more about digital evidence, digital forensics, expert witnesses and criminal prosecutions.

https://www.lawscot.org.uk/members/cpd-training/events/introduction-to-digital-evidence-for-criminal-lawyers-live-webinar/

#DigitalForensics #DigitalEvidence #LawSocietyofScotland #CriminalProsecution #ComputerForensics


Basil Manoussos, BSc,MSc,MBCS,ACSFS

Manager of The Cyber Academy, Edinburgh Napier Uni. Expert Witness & Cybercrime Consultant @ Strathclyde Forensics Ltd. Lecturer at UCLy & West College Scotland