Pick a case – any case – and ask where the evidence to substantiate your client’s claims is likely to be. The answer, almost every time, will be on a computer or mobile phone.
That’s not very surprising considering that computers can be found in around 80% of UK households[1] and more than 40 million Britons own a mobile phone.[2] What is surprising is that so much potential evidence is overlooked simply because it is held on some digital device. Yet that evidence could prove to be absolutely crucial in court.
Why does this happen? Experience shows that there are two main reasons: firstly, lawyers seem to assume that their clients will automatically produce the right evidence to support their argument; secondly, lawyers expect to think about the legal issues involved in their cases, leaving other aspects to external experts.
The problem with this style of approach is that it leaves too much to chance. When it comes to things digital, clients rarely know what the best evidence is or where it might be stored. Likewise, not all external experts are equal. They may be more or less helpful. They may show more or less interest in the specifics of the case. To get the best result, a lawyer will need to be informed about the technologies concerned and will have to take more of the initiative in deciding what evidence is the right evidence for the case in hand.
Before the techno-phobes run away screaming, no-one is suggesting that lawyers should suddenly become digital experts. All they need to be effective is enough information on the subject to put the correct questions to both their clients and their intended experts. This article aims to present that information, in a nutshell, for the benefit of all concerned.
So. Digital evidence. Where do you begin? Let’s start with the Bad News. The Bad News is that:
• digital evidence is extremely fragile – it is easily lost, destroyed or contaminated
• digital evidence may be transient – it may only exist in the short term.
What this means is that evidence must be preserved both quickly and cautiously. It also means that people need to think of all the places the evidence might be before it disappears into the ether. One example is mobile phone call records – they may only be retained by the service provider for a few months. Another example is back-up tapes – a worrying proportion of companies reuse back-ups after a very short period (eg one week). The chances of vital data being overwritten and/or obliterated are therefore extremely large.
Now for the Good News. Digital evidence is:
• likely to be stored in multiple places
• if you can find where it’s stored, it’s probably retrievable.
That weasel word ‘probably’ applies more to computers than to mobile phones. On PCs running Microsoft Windows, the chances of retrieving data are actually very good indeed, even if the data has been deleted, even if it’s been put in the recycle bin and the recycle bin has been emptied and even if special data shredding software has been used. One particular employment dispute which came through our lab provided a spectacular example of the latter – I was able to locate enough evidence to fill 300 pages of appendices despite the suspect having used at least 10 different data shredding programs on his office machine. Needless to say, on sight of the report, he agreed to leave the company involved without a squeak.
The situation is very different with phones. The truthful answer regarding phones is quite a big ‘maybe’. How much data can be recovered is entirely down to the make and model of the handset. Beware, therefore, the forensics company which immediately says ‘yes’ to a request for data recovery from a mobile without asking what type of phone it is. There is a high likelihood of ending up with very little for your money. Exactly what can be recovered from a mobile can also depend on which forensic tools the appointed analyst is using and, axiomatically, his/her level of expertise.
By far the best news when it comes to gathering digital evidence is that, these days, the majority of people walk around with pocketfuls of gadgets. They are extremely likely to have copied the same information onto a number of these. A few obvious places where the evidence might be in any given scenario would therefore be:
home computer
laptop computer
personal mobile phone
office computer
office mobile phone
USB memory sticks
USB connectable hard drives
portables such as iPads, iPods and small gaming devices
DVDs and CDs.
It is important to understand that any digital media is capable of holding information. An iPod or MP3 player, for instance, has internal memory. It does not care what is stored in that memory – whether it is music, documents, spreadsheets or pictures makes absolutely no difference at all.
Ideally, of course, a lawyer’s chosen digital forensic expert should suggest such sources of evidence, plus a few more besides. Many experts, though, do not indulge themselves in lateral thinking. A large number will simply expect to be shown or sent the ‘relevant’ piece of digital equipment. This is one reason why I believe it is important to ascertain, from the outset, whether the expert approached can fully engage with your particular case and will personally see it through, from start to finish.
Having gathered the best evidence from one’s own side, it is as important to get the best evidence from the other side. The other side will have sent us stuff, but is it the right stuff? Might we ask them for more or even something completely different?
In a recent blackmail case, for example, I was asked whether it was possible to analyse a DVD. Of course. But what was on it? It was video, captured surreptitiously by a complainant, where threats were alleged to have been made. The dates and times of the recordings were therefore fundamentally important to the case. The DVD was probably going to be useless, I pointed out. In the act of copying, the dates and times of the video files were likely to have changed. This, in fact, proved to be the case. I asked how the videos had been made. The answer turned out to be via a camcorder attached to a laptop. We therefore asked for the laptop. The analysis indicated that the videos were modified in some way after capture. Beside the defendant’s own protestation of innocence, this was the sole evidence which stood between him and a long jail term. Thankfully, it introduced sufficient doubt to persuade the court to acquit him.
So getting the right digital evidence can be pivotal. Brainstorming these issues, as well as the legal issues, needs to be part of a lawyer’s brief if he or she is to do the best for the client. Choosing the right expert to support the process is of equal importance. The following are some of the questions which should be asked during the search:
• Will your case be assigned to a designated individual or to a team?
• What are that individual’s qualifications in digital forensics and who trained them ?
• How current is their skill set? What can they show in the way of CPD?
• How long have they been performing forensic examinations?
• Have they experience of the hardware & software involved?
• What tools will they use and have they been properly trained to use them?
• How do they propose to deal with the exhibits?
• Do their procedures comply with ACPO[3] guidelines?
• Will they maintain a full chain of custody?
It should be stressed that having qualifications in the correct field is fundamental. A person may be very bright and well educated but that doesn’t make them a forensic analyst. Equally, someone with long experience in the field, gained, for instance, in law enforcement, should not be discounted because they have no degree. Experience is highly desirable. Even more desirable are up-to-date skills, especially in a specialism as fast paced as digital forensics. This makes ongoing training and CPD a must.
Jan Collie is a Digital Forensics specialist and Expert Witness. She is the Managing Director and Senior Forensic Investigator of Discovery Forensics Ltd, a London-based company which provides digital forensic services and consultancy as well as consultancy on IT Project and Intellectual Property disputes: detective@computer.org
[1] http://www.neurope.eu/articles/93089.php
[2] http://technology.timesonline.co.uk/tol/news/tech_and_web/article722629.ece
[3] The Association of Chief Police Officers’ Principles of Computer Based Electronic Evidence.