Note: No matter what actions have been taken, what has been acquired, and what the implied burden of proof is, if process is broken, it can (and will) serve as the ‘Achilles Heel’ to challenge and diminish the value of what is presented, seeking to make it inadmissible, or to reduce its weighting to the case.

In essence, over the years, the very foundation of scene-of-crime management has not really changed, apart from one exception, which arrived in the guise of the digital footprint (DF): digital evolution. Here we are looking to the era of technology: people with tilted heads walking down the street staring into the palm of their hand, the quick-jerk fingers of the lady on the train as she compiles a text message or email, right down to the case of the Soham murders of Holly Marie Wells and Jessica Aimee Chapman in 2003, committed by Ian Huntley – all of which have one thing in common: the ‘DF’. In the case of the Soham murders, the presence of the ‘DF’ was one key area of evidence supporting the prosecution: whilst Huntley denied being in the vicinity of the crime, his cell phone told a different story, as it had registered in, or close to the edge of, the radio cell, and thus played an important part in placing, or inferring that, the suspect’s cell phone (and by association Huntley) had been close to, or in attendance at, the scene.
Locard's Exchange Principle
When considering the digital artifact, Locard's Exchange Principle is equally applicable to the world of bits and bytes in that the perpetrator of a crime will bring something into the crime scene and leave with something from it. For instance, consider the following as applicable to a Digital Footprint:

"Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibres from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more, bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value."

Here, it is also important when considering digital forensics not to suffer tunnel vision on the digital element only, as the physical nature of the artifact may also provide proof of the act in both mens rea (guilty state of mind) and actus reus (the act).
Robustness of Standards
Given the importance of this digital science, it may be asserted that it cannot be left any longer to an approach based on chance, best endeavours, or a have-a-go approach, as the resulting implications, and the prospective impact(s) on both investigator, and suspect carry the potential of real world impact, which could manifest in woeful, damaging, and life changing implications. For instance, take the case of an ‘expert witness’ who provided testimony in support of the prosecution in a case of medical malpractice which focused on a key email artifact. However, our expert in this instance only passed judgment on what could be seen as lexical content within the body of the communication, and took the ‘To’ and ‘From’ as prima facie facts, and did not follow through with any further corroboration of the email headers – leaving the interpretation and assessment of the acquired artifact open to error – something which should have been subject to challenge.

ISO/IEC 17025:2005
It is for this reason that the application of ISO/IEC 17025:2005 is so very important to drive the intrinsic expectations of competence, experience, and skill, to assure that professionals who are engaging in this scientific practice meet the expectations of the discipline. For example:

- Was the digital evidence tainted or compromised regarding how it was collected and where it was stored? [1/2]
- Is the chain-of-custody complete and accurate? [1]
- Is on-the-job training alone sufficient to qualify the examiner as an expert? [2/3]
- Are documented, verified/validated procedures available for review? [4/5]
- Is the case file documentation complete and detailed such that another examiner can recreate the results of the examination(s)? [1/2/3]
- Were the examination results peer reviewed? [4/5]
- Is the examiner competent to perform the examination(s)? [2/3]
- Was the examiner proficiency tested? [5]
- How are the forensic computers and forensic software maintained and updated? [6/7]
- Are the software tools used legitimate, licensed, authorized versions? [7]
- Were the software tools performance tested prior to their use? [5/6]
- Did the software or hardware alter or change the original digital evidence? [1/2/3]
- Were scientific principles followed during the examination(s)? [1/7]
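
Two of the questions above (is the chain-of-custody complete, and was the original evidence altered) can be checked mechanically. The following is an added example, not part of the original article: the `Transfer` record, the `audit` function and all sample names and data are assumptions made for illustration.

```python
import hashlib
import io
from dataclasses import dataclass

@dataclass
class Transfer:
    released_by: str  # person handing the exhibit over
    received_by: str  # person taking custody
    sha256: str       # digest of the image recorded at hand-over

def sha256_stream(stream, chunk=1 << 20):
    """Hash a forensic image in chunks so large files never sit in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def audit(acquirer, acquired_digest, transfers, image_stream):
    """Return findings; an empty list means an unbroken chain and an unaltered image."""
    findings, holder = [], acquirer
    for n, t in enumerate(transfers, 1):
        if t.released_by != holder:
            findings.append(f"transfer {n}: released by {t.released_by}, last holder was {holder}")
        if t.sha256 != acquired_digest:
            findings.append(f"transfer {n}: digest differs from acquisition")
        holder = t.received_by
    if sha256_stream(image_stream) != acquired_digest:
        findings.append("image on hand does not match acquisition digest")
    return findings

# Constructed sample data: a stand-in "image" and custody logs with invented names.
IMAGE = b"constructed disk image bytes" * 1024
DIGEST = sha256_stream(io.BytesIO(IMAGE))
GOOD_LOG = [Transfer("examiner_a", "evidence_store", DIGEST),
            Transfer("evidence_store", "examiner_b", DIGEST)]
BAD_LOG = [Transfer("examiner_a", "evidence_store", DIGEST),
           Transfer("courier", "examiner_b", DIGEST)]  # unexplained holder
```

An empty result from `audit` supports a "yes" to both questions; any finding is a point the case file must explain before the exhibit is relied upon.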
| Area | Key |
|---|---|
| Process | 1 |
| Training | 2 |
| Proficiency | 3 |
| Documentation | 4 |
| Review | 5 |
| Maintenance | 6 |
| Legal | 7 |
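
The expert-witness case described under Robustness of Standards turned on ‘To’ and ‘From’ fields that were never corroborated against the rest of the headers. The following is an added example, not part of the original article, of that corroboration step; the sample message, its domains and the `corroborate` function are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message for illustration; all names and domains are placeholders.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.hospital.example; spf=pass smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=clinic.example
Received: from mailer.example.net (mailer.example.net [203.0.113.7]) by mx.hospital.example; Tue, 04 Mar 2014 09:15:02 +0000
Received: from workstation (unknown [198.51.100.23]) by mailer.example.net; Tue, 04 Mar 2014 09:14:58 +0000
From: "Dr A. Smith" <a.smith@clinic.example>
To: records@hospital.example
Date: Mon, 03 Mar 2014 17:40:00 +0000
Subject: Patient notes

Body text.
"""

def domain(addr):
    """Domain part of an address header, lower-cased ('' if absent)."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def corroborate(raw):
    """Return observations an examiner should follow up before relying on From/To."""
    msg, notes = message_from_string(raw), []
    from_dom, env_dom = domain(msg["From"]), domain(msg["Return-Path"])
    if env_dom and env_dom != from_dom:
        notes.append(f"envelope sender domain {env_dom} differs from From domain {from_dom}")
    # Results recorded by the receiving server; only its own header is trustworthy.
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")):
        if result != "pass":
            notes.append(f"{mech}={result} recorded by receiving server")
    # Each hop prepends its Received header, so the list runs newest to oldest.
    hops = [parsedate_to_datetime(h.rsplit(";", 1)[1].strip())
            for h in msg.get_all("Received", [])]
    if hops != sorted(hops, reverse=True):
        notes.append("Received timestamps are out of hop order")
    if hops and msg["Date"]:
        gap = abs(hops[-1] - parsedate_to_datetime(msg["Date"]))
        if gap.total_seconds() > 3600:
            notes.append(f"Date header and first recorded hop differ by {gap}")
    return notes
```

Each observation is a lead to be documented and explained, not a conclusion: headers added before the message reached the recipient's own server are supplied by the sender's side and need independent support such as server logs.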
Hardware, Applications and Tools
When it comes to the hardware and applications in support of the digital forensic mission, whilst home-grown systems may well provide a level of service, they may not be of proven ability, or accepted as trusted instruments to support the criticality of a serious investigation. Thus choosing established and proven tools from the stables of AccessData in the form of FTK, EnCase, or the cost-effective solutions from Paraben can go a long way to satisfying the provision of robust solutions – with the caveats that:

- They are maintained with the most current updates
- They are in the hands of proficient, and trained operators
Fit for Purpose Operations
It may be that some organisations consider the gravitas applied to the technological requirements of such a critical service to be beyond the capabilities and resources of the internal team, and that running a fully blown and robust internal digital forensics team within a commercial organisation may be cost prohibitive, and not represent a solid investment or ROI (Return on Investment). However, this should not bar any company from provisioning an in-house first responder capability (FRC) in the form of a first-touch, first-response/engagement element, whilst at the same time recognising the implied limitations of the team. So, here, one may consider:

- Creation of policies to cover the objectives of the service offering
- Establish processes which may be applied to support the first responder engagement
- Define clear Terms of Reference (TORs) for the first responder team
- Provision an adequate base level of training to underpin their areas of anticipated expertise and responsibilities
- Recognise limitations
- Have an established contract in place with an external professional provider of such a service