forensic

Getting the right question

Posted on April 22, 2015. Filed under: business, forensic

One of the biggest challenges for anyone who offers a consulting service is getting the client to ask the right question. All too often, the client already has an idea of what they think the answer is and produces a question around that answer.

An example:

On a forum that I frequent, one of the members asked where to get a PDF editing program. Lots of people threw suggestions at him, some free, some very expensive, some somewhere in the middle, and all were dismissed as too complicated for what the asker needed. So I asked a simple question – “What are you actually trying to achieve?”

It turned out that his company had a temporary problem – the document feeder on their scanner wasn’t working properly and they were getting blank pages in between the scanned pages because they had to feed them in manually. He didn’t really need a PDF editor, all he needed was a way to get rid of the blank pages. I suggested that what he should do was load up the files produced by the scanner and then re-print them to PDF, setting the output options to skip every second page. Job done. Free, easy and using a system he already understood and had readily available.

The same thing happens in forensic science, especially in the digital forensic world. People make assumptions about the evidence they need or think they can get, instead of describing the problem they are trying to solve – defining the investigative requirement. The crucial skill for the forensic scientist is not in the realm of technical solutions, but in old-fashioned requirements elicitation.

That’s why I have a rule that I won’t start work until I’ve had a proper discussion with the client and got the answers to “What are you trying to achieve?” or “What problem are you really trying to solve?”.


ByeSO

Posted on April 20, 2015. Filed under: business, forensic, iso

Last week I had to step down from my role as the UK’s Principal Expert on Digital Evidence to ISO/IEC JTC1 SC27 WG4 (to give it the full title – with incorrect punctuation, before anyone reminds me).

It wasn’t something I particularly wanted to withdraw from, but the economics of it just didn’t make sense any more.

Since 2011 I’ve been attending editorial meetings, in various cities around the world, twice a year and also attended numerous meetings of BSI committees in London. The cost of doing this has come out of my business, with occasional (infrequent) small contributions from government agencies.

I’ve had to allocate at least 2 months a year to this, and it’s cost something in the region of £5k to £10k each year to support it.

It was a worthwhile activity. I’ve met and worked with some great people to develop some really useful standards, and I’ll miss them and that whole process – but the lack of support from the UK has just become unsustainable.

Unlike many of the participants, I’m from a micro-business. If I’m not doing or bringing in the work, the cash isn’t coming in either. So, I’ve had to take my accountant’s advice and stop donating to commercial bodies (the publishers and assessors make profits from the resulting standards) for standards development.

It’s a shame. Standards are genuinely useful things, especially for small businesses as they let us show that we are, at least, equivalent to the big boys. If only we could find a way to fund small businesses’ participation in standards development, instead of relying on the big multi-nationals to do it all for us.

Meanwhile, if you want to know the true intent behind ISO/IEC 27041 and 27042, please do get in touch – I was editor for them during most of the development time and I know what the words really mean (ISO English, as I may have mentioned before, is not what you think it is.)


Research, funding and reputation

Posted on March 20, 2014. Filed under: Education, forensic

I had an interesting conversation, last night, with some fascinating figures from the world of forensic science. Since the whole event was under Chatham House rules, I’m not going to disclose who was present or even what most of our discussion was about, but there was one thing we touched on where I have a fundamental disagreement with at least one senior figure. That area is academic research in forensic science.

The view taken is that the problem lies in funding – in order to stimulate forensic science research, money needs to be available. Well, great – yes, that can help and I’m delighted that FoSciSIG is looking at this. I was certainly lucky enough, during my academic career, to be awarded some EPSRC funding for a project on Cyberprofiling, and I think we did achieve something, but we had a bigger problem. We really struggled to get our results published and to be taken seriously.

Our problem was that, at that time, there was no well-recognised journal for digital forensics, so we had to either target more mainstream computing & info. sec. journals, or go for more general forensic science. In the case of the former, we had problems because our research was very much applied research and hence didn’t have quite the level of generality and “blue sky” content that was expected, and for the latter, we were up against reviewers who were more familiar with “conventional” biology, chemistry and physics type forensic science. In either case, we had to consider the “reputation” value of where we were going to publish too. It’s been a common problem for forensic science researchers for years and it has a nasty knock-on effect.

In order to get published, you often have to seek out a journal for the scientific area, rather than the forensic one, and modify your writing to suit that journal. Pressure is often brought to bear to get your work into something with a high “impact” rating rather than the most appropriate channel for dissemination. As a result, your work can be categorised under the more general science, and the forensic nature is often missed. When research managers look at your output, you are no longer a forensic scientist, so the department doesn’t see any benefit in supporting forensic science, and that message spreads. Don’t believe me? Look at the Research Assessments.

The net effect is that, contrary to what senior academics might say, forensic science can be seen as something which is a spin-off from other research, something of an accidental side-effect which just happens because of good science, not something that deserves to be a discipline in its own right influenced by the needs of investigators and courts, so departmental management don’t encourage it, and without their backing there’s no call for funding bodies to take it more seriously.

Out in the practitioner world, one message we all receive very quickly is that the forensic sciences cannot stand on their own – we have to work in teams, with results from different sciences being integrated and influencing the investigative strategy. Heck, that’s even a fundamental message in most degree programmes now.

I was lucky enough to be a computer scientist in a department full of biologists, chemists, physicists and crime scene specialists once. I learnt a hell of a lot from it, and it changed my approach to digital investigations. If we could just achieve something similar in the research world, we might do something really significant.

As always, I’d love to hear your thoughts. Please do share them in the comments.


Bugs

Posted on June 8, 2012. Filed under: forensic

Well, it’s been an interesting couple of months since I last posted. We’ve been keeping busy with a couple of contracts from the Home Office. One is, of course, on digital evidence standards – but the other was a little bit different.

We were lucky enough to be awarded the contract to produce the entomology standard for the forensic science regulator. Since this isn’t part of our usual skillset, we did have to bring in a couple of the UK’s leading forensic entomologists to help with it. Fortunately, our network of contacts is big enough that we found them quickly enough and had the pleasure of working with both the Natural History Museum and Met. Police as a result.

Aside from technical content, the new standard isn’t that different to the others that the regulator already has in place. Most of the new material is designed to help interpret the “master” standard (ISO/IEC 17025) for applications relating to creepy-crawlies without specifying exactly how to do anything (this is a commonly misunderstood aspect of this whole regulatory system – the supplier and the customer are supposed to agree what will be done and how. On the whole, the regulators and assessors just want to see evidence that such an agreement has been reached and that things have been done that way).

Anyway, we delivered ahead of schedule and on budget, something which some people seem to consider unusual for government contracts. But then, when you’re dealing with quality systems, can you afford not to hit the targets?

For more information about standards development, regulation or uses of forensic science, please contact us via http://www.n-gate.net/


Time to think

Posted on March 29, 2012. Filed under: forensic

I’ve just spent the day at the RSA running a workshop as part of a project I’m engaged on for a major client. The theme was, unsurprisingly, based around digital forensic standards, processes and scenarios.

Lots of good stuff came out of it and there’s been a huge amount of support, but the disappointing thing was the response from just one organisation. Asked to participate in the project by coming to a one-day workshop and letting me visit them to observe their methods, they responded (paraphrased): “No. Too disruptive, no time, we have too much of a backlog”.

It seems to me that if you spend all your time trying to use your current methods to reduce a backlog of work, and failing, perhaps a bit of disruption and time off might pay dividends in the longer term.

What are your thoughts?


Excellent news

Posted on November 29, 2011. Filed under: All, Education, forensic

Yet again, other activities have kept me away from this blog for far too long. Personally, I think that’s probably a good thing. A mix of casework and research commissions means I can afford to eat properly again (and those who know me will know how important it is that I maintain my physique – particularly in the current high winds).

The major projects that are keeping me busy are on a new website, Forensic Excellence, where work on two of the three major elements of “forensic” quality systems is underway. The other bit of news is that I have an interview for funding of some work on the third element, and hope to be able to kick that work off towards the middle of next year.

Onwards and sideways!


Nothing else of significance…

Posted on July 31, 2011. Filed under: forensic

This week I was approached to quote for a defence case. Helpfully, the solicitor sent me a copy of the prosecution statement so I could prepare a realistic quote. Unfortunately for the “other side”, I’ve spent most of the week working on a couple of proposals for new ISO standards – including something on the content of reports for various purposes – so I was particularly sensitive to language issues.

As soon as I saw the source of the statement, I knew I was going to find a phrase that troubles me – and there it was, near the end: “Nothing else of significance was found”.

The report details the material upon which the case is based, but gives little in the way of context or other material found. It builds the case for the prosecution solicitor nicely, but doesn’t allow anyone else to form an opinion about the significance of the material because it doesn’t actually give any detail of anything except the “significant” material as determined by the report’s writer.

It’s a format and form of words that I’ve seen several times over the years, and every time I see it, it sounds an alarm.

I’ve always been told that my responsibility as an “expert witness” is to the court (or whoever is going to make a final judgment based on all the reports submitted), and is to state the facts and my interpretation as best I can based on the information available to me. If I find evidence of guilt, I should state it, if I find evidence of innocence, I should state that. I also believe that I should try to make as much information as possible available so that a proper judgment can be made.

To this end, I don’t just list things of “significance” but I try to give an indication of the context in terms which a non-practitioner can understand.

For example, if an email relates directly to the case, I don’t just list that email. I give the total number of emails found and the number found which involve the same people in the “significant” one. If illegal images are found, I try to determine how they have been downloaded, whether they’ve been deliberately saved or just cached, and whether there’s a pattern of searching or browsing that relates to them.

I try never to build a case directly myself but I will, quite happily, poke holes in someone else’s case – especially if they are concealing, deliberately or accidentally, useful information behind statements like “nothing else of significance was found”.

In my book, saying something like that is almost tantamount to dissembling. A digital evidence examiner rarely has the full facts and circumstances of the case available. A prosecution examiner or first responder will have no idea of possible defences or excuses. Limiting the report to the most damning evidence doesn’t help anyone.

Well – it doesn’t help anyone except the “other side”. A good independent examiner will read that sort of report and realise that there’s a lot more work they could do, and SHOULD do, to determine if a proper rebuttal can be produced – and that means more time and bigger fees. I’m not a fan of the use of Bayesian ratios in reports because I know how few people really understand them, but I know why some forensic disciplines use them – they force the reporting scientist to think about the evidence and alternative explanations, resulting in a closer examination of “insignificant” material at times.

At a time when pressure is on to reduce spending on legal aid, perhaps it’s time someone looked more closely at standard reports coming from both sides to see if they are really fit for purpose? The better those reports are, the less work needs to be done performing re-examination, re-analysis and re-interpretation.

n-gate ltd.


Valid conclusions?

Posted on July 12, 2011. Filed under: forensic

WARNING: Initial thoughts on a recent situation ahead – incomplete – more to follow, eventually!

Recently, the Casey Anthony trial in the USA has been a source of discussion in many fora, but most recently a bit of a “spat” seems to be in danger of breaking out between the developers of two of the tools used to analyse the web history.

Leaving aside the case itself, let’s start by looking at what the two developers have to say about the issue that came up during cross-examination:

http://blog.digital-detective.co.uk/2011/07/digital-evidence-discrepancies-casey.html

http://www.cacheback.ca/news/news_release-20110711-1.asp

No preference is implied by the ordering of those links, by the way, it’s just the order in which I became aware of them. I don’t use either tool – I have my own methods for doing these things when necessary.

Two issues arise from these two posts, for me:

i) Both developers admit that there were possible problems with their tools which may have resulted in incorrect results, and no-one was aware of this until the two tools were run side by side.

ii) Neither tool seems to have been validated for the case in question. I’m sure they were verified (i.e. checked for conformance to design/specification) but I’m not convinced that they were tested against the requirements for the case.

Here comes the repetitive bit: as far as I’m concerned, under the requirements of current and proposed ISO standards, neither tool could be considered reliable. There is no clear documentation about errors, nor is there evidence that either has been subjected to a proper structured validation process. Dual-tooling is not validation. It merely compares two implementations of methods designed to solve the same problem as the developers understand it. At no point does anyone check that the results are correct, just how similar they are. Two implementations of the same wrong algorithm are more likely than not to come up with the same wrong results.
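As an added illustration in Python (not code from this post, nor from either of the tools linked above), here is the difference between dual-tooling and validation made concrete. Two hypothetical decoders for a web history timestamp share one wrong assumption about the epoch; run against each other they agree perfectly, and only a known-answer set fixed independently of both tools exposes them. The tools, the wrong epoch and the known answers are all constructed for the example and say nothing about what actually went wrong in the case.

```python
from datetime import datetime, timedelta

# Constructed illustration. A WebKit/Chrome history timestamp is the number of
# microseconds since 1601-01-01 UTC; that fact is the basis of the known answers.
EPOCH_1601 = datetime(1601, 1, 1)
EPOCH_1970 = datetime(1970, 1, 1)

# Known-answer set: (raw value, correct decode), fixed independently of any tool
# under test, e.g. from a test machine whose clock was set to a known value.
# 11644473600 is the number of seconds between the 1601 and 1970 epochs.
KNOWN_ANSWERS = [
    (0, datetime(1601, 1, 1)),
    (11644473600 * 10**6, datetime(1970, 1, 1)),
    (11644473600 * 10**6 + 86400 * 10**6, datetime(1970, 1, 2)),
]


def tool_a(raw):
    """Hypothetical tool A: reads the value as microseconds since 1970 (wrong epoch)."""
    return EPOCH_1970 + timedelta(microseconds=raw)


def tool_b(raw):
    """Hypothetical tool B: written separately with different arithmetic, but
    built on the same reverse-engineered assumption about the epoch."""
    seconds, micros = divmod(raw, 10**6)
    return EPOCH_1970 + timedelta(seconds=seconds, microseconds=micros)


def tool_c(raw):
    """Correct decoder, for comparison: microseconds since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=raw)


def dual_tool_check(first, second, samples):
    """What dual-tooling actually establishes: whether two tools agree.
    Returns the inputs on which they disagree. An empty list means they agree,
    which says nothing about whether either of them is right."""
    return [raw for raw in samples if first(raw) != second(raw)]


def validate(tool, known_answers):
    """Validation proper: compare the tool's output with independently known
    correct answers, and record both the failures and the limits of the test."""
    failures = [(raw, tool(raw), expected)
                for raw, expected in known_answers if tool(raw) != expected]
    raws = [raw for raw, _ in known_answers]
    return {
        "passed": not failures,
        "failures": failures,
        # The record states what was covered and what was NOT, as the post asks.
        "tested_range": (min(raws), max(raws)),
        "not_tested": ["values outside tested_range", "negative values",
                       "non-integer input"],
    }


if __name__ == "__main__":
    samples = [raw for raw, _ in KNOWN_ANSWERS]
    # Dual-tooling: A and B agree on every sample, so nothing looks wrong.
    print("A vs B disagree on:", dual_tool_check(tool_a, tool_b, samples))
    # Validation: only C survives comparison with the known answers.
    for name, tool in (("A", tool_a), ("B", tool_b), ("C", tool_c)):
        print(name, "passed" if validate(tool, KNOWN_ANSWERS)["passed"] else "FAILED")
```

The point of the returned record is that it travels with the tool: an examiner picking it up later can see the tested range and the listed gaps, and decide whether the case in hand falls inside them or needs additional validation.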

This is typical of the issues we will see more and more of in the digital forensics world – we depend too much on third-party tools which use algorithms developed through reverse engineering and have not been completely tested.

I’m not suggesting that every tool needs to be tested in every possible configuration on every possible evidence source – that’s plainly impossible – but we do need to get to a position where properly structured validation is carried out, and records which document that validation – including areas which have NOT been tested – are maintained and made available.

An examiner should always be free to use new methods, tools & processes, but should be personally responsible for choosing them and justifying their use. Information about usage limits & limitations on testing are vital and any competent examiner should be able to carry out additional validation where it is needed.

Let the flaming (of this post) begin…

P.S. – I’ve been doing a lot of work on models & systems for validation recently – they’re currently commercially confidential, but if you’d like to discuss the issues more please do contact me via n-gate.net


Juries vs. the Internet – time for a change?

Posted on June 13, 2011. Filed under: forensic

This story caught my eye this morning: http://www.telegraph.co.uk/technology/facebook/8571855/Juror-in-Facebook-contempt-prosecution-after-contacting-defendant-during-trial.html

It highlights one of the problems we have with jury trials in the age of pervasive technology. It is only natural for someone involved in deciding the fate of another to want to obtain as much information as possible so that they can be sure they’ve made the right decision. No matter how often a judge reminds a jury not to discuss the case and not to attempt to carry out their own research or to make contact with anyone else involved in the case, the temptation to “break the rules” must be almost overwhelming.

This is particularly true when complicated scientific or business evidence is involved. Much of it can be so obscure to the uninitiated that they feel they cannot hope to understand it without help, but that help is not provided to them, so they go off and do their own research – using untested, unapproved and unvalidated sources. Either that, or they believe what they’ve seen in the mass-media and we get the results of the dreaded “CSI effect” creeping in.

Perhaps it’s time we revised the jury system – not to abolish juries, and not to have expert jurors only, but to give them access to court-approved sources of information in the jury room: independent advisors, completely isolated from the trial materials, who can speak on the underlying principles of the technical evidence, seeking permission from the court before commenting and keeping rigorous notes of everything they discuss so that all parties can be fully aware of the issues being raised by the jury. Of course, jurors might need to be kept in isolation to prevent them seeking the extra information anyway, but perhaps having a source “on tap” in the jury room could help speed up their deliberations by giving them confidence that they know the whole story.

Of course, it might lead to longer trials, but that could be a price worth paying if we can eliminate the uncertainty and reticence to make a decision introduced by jurors who feel they need more information or, worse, hurried decisions made by those who already think they know it all.


It’s the little things

Posted on June 8, 2011. Filed under: forensic

A while back I was asked to help out with a fraud case. The investigators had done a pretty decent job of extracting relevant information, but a critical aspect of the case hinged on the dates when a couple of letters were written. We had some issues around the way a disc image had been captured which meant that everything except the “last modified” date was considered unreliable.

These letters had been written in Word, and the timestamps in the filesystem were about 2 years AFTER the dates in the text of the documents. The meta-data in the documents agreed with the filesystem.

The defence experts, quite rightly, put forward a suggestion that the computer used to create the documents could have had an inaccurate clock, possibly even set to a future date. Unlikely, in my opinion, but possible and probably enough to create “reasonable doubt” if the evidence came to court.

However, as we explored the issue further and got further and further into the niceties of Windows XP clock synchronisation using NTP when connected to the Internet, something in my subconscious prodded me.

Just out of curiosity, I ran the GNU “strings” program against one of the documents and out popped a couple of JPEG JFIF headers. So I carved out the two JPEGs and checked the EXIF data. Both contained dates which matched the filesystem – hardly surprising and not much help countering the “clock was wrong” argument – but they also contained a signature from the program used to produce them. It was a version of Photoshop which wasn’t produced until at least 18 months after the dates in the letter text.

Either the suspect had been indulging in time travel, or the letters as printed must have been created some time after the date he claimed.

Sometimes, we forget that there’s more to timeline analysis than just the clock data. Knowing when a piece of software or a file first appeared can be very helpful too.
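The technique described in this post, as an added Python example rather than the author’s own workflow: carve JFIF/Exif JPEGs out of an arbitrary file, read the Software and DateTime tags from the Exif IFD0, and test the date claimed in the letter against the release date of the software that wrote the embedded image. That test is independent of any clock, so a “the clock was wrong” explanation does not reach it. The document, the images, the editor name ExampleEditor 3.0 and its release date are all constructed for the example; a real examination would take release dates from vendor records.

```python
import struct
from datetime import date

# Constructed release-date table for a hypothetical editor (not real product
# data). "When did this software first exist?" is the question the post asks.
RELEASE_DATES = {"ExampleEditor 3.0": "2009-06-01"}

EXIF_TAGS = {0x0131: "Software", 0x0132: "DateTime"}


def build_exif_jpeg(software, timestamp):
    """Build a minimal JPEG (SOI, JFIF APP0, Exif APP1, EOI) carrying Software
    and DateTime tags. Constructed test data: there is no image payload."""
    sw = software.encode("ascii") + b"\x00"      # Exif ASCII values are NUL-terminated
    ts = timestamp.encode("ascii") + b"\x00"
    ifd_len = 2 + 2 * 12 + 4                      # entry count + 2 entries + next-IFD pointer
    data_off = 8 + ifd_len                        # 8-byte TIFF header, then IFD0, then data
    entries = struct.pack("<HHII", 0x0131, 2, len(sw), data_off)
    entries += struct.pack("<HHII", 0x0132, 2, len(ts), data_off + len(sw))
    tiff = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 2) + entries
    tiff += struct.pack("<I", 0) + sw + ts
    app1 = b"Exif\x00\x00" + tiff
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # this is what strings shows
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xd9")


def carve_jpegs(blob):
    """Return every SOI..EOI run in a byte blob. Simple header/footer carving;
    a real carver also handles thumbnails that carry their own EOI."""
    out, pos = [], 0
    while True:
        start = blob.find(b"\xff\xd8\xff", pos)
        if start < 0:
            break
        end = blob.find(b"\xff\xd9", start + 3)
        if end < 0:
            break
        out.append(blob[start:end + 2])
        pos = end + 2
    return out


def read_exif(jpeg):
    """Walk the marker segments, find APP1/Exif and read IFD0 ASCII tags."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xD9:                        # EOI: nothing more to read
            break
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # includes itself
        payload = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return _parse_tiff(payload[6:])
        pos += 2 + seg_len
    return {}


def _parse_tiff(tiff):
    order = "<" if tiff[:2] == b"II" else ">"     # byte order from the TIFF header
    ifd_off = struct.unpack(order + "I", tiff[4:8])[0]
    count = struct.unpack(order + "H", tiff[ifd_off:ifd_off + 2])[0]
    found = {}
    for i in range(count):
        e = ifd_off + 2 + 12 * i
        tag, typ, n, val = struct.unpack(order + "HHII", tiff[e:e + 12])
        if tag in EXIF_TAGS and typ == 2:         # type 2 = ASCII
            raw = tiff[e + 8:e + 12] if n <= 4 else tiff[val:val + n]
            found[EXIF_TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return found


def letter_date_consistent(claimed_iso, exif):
    """False when the letter claims a date before the embedding software was
    released. Unknown software gives no floor, so the test passes by default."""
    floor = RELEASE_DATES.get(exif.get("Software"))
    return floor is None or date.fromisoformat(claimed_iso) >= date.fromisoformat(floor)


def build_document():
    """Constructed stand-in for a word-processor file with two embedded images."""
    jpg1 = build_exif_jpeg("ExampleEditor 3.0", "2010:03:15 09:41:00")
    jpg2 = build_exif_jpeg("ExampleEditor 3.0", "2010:03:15 09:42:30")
    return (b"Dear Sir, further to our meeting of 12 January 2008...\x00\x00"
            + jpg1 + b"\x00" * 16 + b"Yours faithfully\x00" + jpg2 + b"\x00" * 8)


def examine(blob, claimed_iso):
    """Carve, read Exif, and flag each image against the claimed letter date."""
    results = []
    for jpeg in carve_jpegs(blob):
        exif = read_exif(jpeg)
        exif["consistent_with_claim"] = letter_date_consistent(claimed_iso, exif)
        results.append(exif)
    return results


if __name__ == "__main__":
    for r in examine(build_document(), "2008-01-12"):
        print(r)
```

In the constructed document the letter text claims 12 January 2008, both images carry a DateTime in 2010 and a Software tag for an editor that did not exist until mid-2009, so both are reported as inconsistent with the claim regardless of what the machine’s clock was doing.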

http://www.n-gate.net/


About

This is the weblog of Angus M. Marshall, forensic scientist, author of Digital Forensics: digital evidence in criminal investigations and MD at n-gate ltd.