FOR MANY YEARS lawyers knew exactly what to do when they took on a case involving computer crime – call in the forensic computing experts.
A rare breed, their skills were held in high regard and shrouded in mystique, and they often appeared to be performing miracles. Armed with just a few software tools and years of hard-earned experience, they could deliver compelling evidence by piecing together a few fragments of deleted files recovered from various hard drives or email servers.
They were expected to deal with anything associated with computer examinations – from investigating fraud to digital piracy, internet pornography and hacking.
For a long time, this system worked fine, but nowadays digital crime has become so sophisticated and spread over so many different devices – even satnavs are being used to hide child abuse images – that it is no longer enough to hire any old forensic computing expert. In future, lawyers may have to employ a ‘pick-n-mix’ strategy of selecting a combination of ‘digital’ computing experts to best prosecute – or defend – the case in question.
For example, intellectual property theft may involve evidence on PCs and mobile phones, and it is unlikely that the best mobile phone forensics expert is also your first choice for intellectual property theft experience. Similarly, an expert in the relatively new satnav technology may not have much experience in the devious mindsets of those who view child abuse images.
When you think about it, it’s not rocket science: in the field of traditional forensics you would not ask the guy dabbing the fingerprints to give his opinion on the ballistic evidence on a used bullet.
But, unlike almost any other forensic professional, a digital forensic analyst must combine a deep understanding of a number of wildly disparate elements in order to provide a thorough, impartial and compelling analysis of the data being examined.
Among those elements are:
- The technologies involved.
- The sociological behaviour of the owner of the media being examined.
- The volume and storage mode of data.
- The legal framework under which the analysis is being conducted.
Suppose you call an independent digital forensics expert regarding a case of internet bullying that involves an HDD (in this case NTFS-formatted) and the Calypso email host.
He’s handled bullying cases before, but only by using Outlook: much better to use a full-service, integrated consultancy which has all those skills under one roof.
Andrew Sheldon, managing director and principal consultant at one such company, Evidence Talks, said: “The world of computer forensics has never stood still. But the pace of change has become extraordinary in recent years.
“However, more often than not a single digital forensics expert is called upon to examine varied items of media, to provide expert testimony regarding the data under review and to draw conclusions regarding the interpretation of that data.
“Sometimes there will be an expert representing each side in a case but, often, it is on the evidence of a single expert that a court or tribunal will base its decisions.
“This practice of grouping all aspects of digital forensics into one technical ‘bag’ needs, I believe, to be addressed when selecting an expert.”
So, apart from the core principles of forensic preservation of evidential material, evidential continuity and domain expertise, your ‘experts’ should also be abreast of all the latest structural changes in the global IT infrastructure. Time may be running out for the single ‘computer forensics expert’.