It is not often that a purchasing decision is made on price alone. Normally a variety of factors are combined by individuals in making the choice of day-to-day services, including builders, who may be employed on recommendation, specific skills and cost, the garage chosen to service a car or even which lawyer to represent you.
However, price is currently the main deciding factor for the instruction of an expert witness instructed in serious criminal cases, whether that expert has been recommended on the quality of their work or not. When price and therefore, time, is the deciding factor it can mean that important pieces of evidence go unnoticed.
A forensic copy of a computer or a mobile phone can contain tens of thousands of files, including those automatically generated by the system containing records of user activity (e.g. windows and Internet access history) as well as those created by the user including documents and images. Many thousands of those files may contain information that can prove or disprove an allegation.
Therefore when providing a quote to carry out forensic work an experienced examiner should know the approximate amount of work involved, based on a review of the requirements of the client, including how long it is likely to take to complete that work and, most importantly, the best line of investigation to suit the instructions and this work may take a little longer than a generic review of the evidence, however, would be specific to that particular case.
Alternatively, to ensure that the quote is kept as cheap as possible, the lines of investigation specific to the requirements of the case may be, either intentionally or unwittingly, left out of the intended work and a particular point then not explored which is especially likely when the requested work has not been considered by someone with experience in investigating computer evidence.
Though much lower in cost to achieve, a computer examination should not be reduced to a generic automated process particularly when dealing with specific issues and complications that are normally involved in such evidence. However this line of examination is becoming more prevalent due to the continual drive by the LAA to find the cheapest option of expert.
In order to highlight this, we can consider a computer case involving unlawful images.
The majority of cases involving unlawful images, the majority involve identifying the source of the images, the point of storage of them and, most importantly, whether they had been created knowingly or unwittingly by a user and whether that user was the Defendant.
To determine this, the first aim to attempt to establish is the point of creation of the image. Depending upon the location of the image this process may be obvious, for example if it is a unique file with associated specific time/date stamps. However, if it cannot be quickly identified then it can involve a significant amount of work to ascertain, for example if the relevant image is contained within a file that contains many other images (a Google Chrome cache file for example).
The next issue is likely to be who was using the computer at the relevant time. It is uncommon to be able to put ‘a bum on a seat’ and determine exactly who it was that had been sat at a computer at a specific point when an image had been created, however, it is frequently possible to build a picture of the identity of a user at a certain time.
As an example, the log on and use of an email or any social media account, Facebook, Twitter etc, the access of other Internet based accounts on websites, the viewing of certain files on the computer, the connection of USB devices, the use of remote access software may all contain evidence to suggest the use of the computer by a specific individual at a specific time.
Identifying the source of an image can be relatively straight-forward, for example, the location of it alone can answer the question immediately, however, to confirm that source, as well as within less clear cut cases, further investigation and searching of a device may be required.
One source of images frequently encountered are those stored during Internet browsing. However, the presence of an image stored in this way does not necessarily confirm that the user sought or deliberately accessed the page(s) containing it with prior knowledge that it was likely to contain such material.
To establish if the page had been deliberately accessed or whether it had been inadvertently encountered normally involves establishing which web sites/pages were visited prior to the relevant page as well as tracing the route taken by the user in order for the visit to have occurred.
If the website was accessed as a result of a ‘click’ by the user then it may be important to identify what, if any, clues were present on the preceding page to suggest that the next would contain unlawful material. It may also be that the preceding page contained a script that automatically sent the user to the next page without their deliberate action.
Whether the page containing the image had been accessed deliberately or not, another point to establish may be the general content of that page, for example, identifying whether it contained several images.
If the page contained multiple images, it is also possible to establish the location of the relevant image on the page, including whether it was at the top or further down than would have been immediately visible to the user, meaning that that they would need to have scrolled down for the image to have been displayed (whether or not the image had been displayed, the image would have been automatically stored to the computer).
The presence of multiple images on a web page that contains a relatively small number of unlawful images often provides a rather different perspective to the assumptions made within any previous report.
Therefore, in the example of an image created during web browsing, that initially may have been identified by the Prosecution through the use of software that simply scans a device for specific images and lists them, more investigation may establish the time/date of storage of the image, the user likely to have been sitting at the computer, the specific source of it, the path taken, the number and nature of other images present on the same page and whether the image would have been displayed on the screen.
Another, quicker and cheaper approach in reviewing that evidence, that is more likely to be granted approval by the LAA, would be simply to identify that the image(s) had been created as a result of Internet activity and not to consider the point further, however, that would have removed the context from which the image had been stored, including any evidence to suggest that it had not been deliberate.
At the end of October 2017, the forensic regulator has introduced attempts to increase the standards of forensic expert witnesses within criminal proceedings by requiring any provider for the Prosecution is accredited to the ISO 17025 standard.
However, whilst a company may be able to achieve an ISO standard, it is ultimately an individual within that organisation that provides the statement and attends court to explain the evidence identified.
It is also the individual, rather than the company, that puts forward their interpretation of the data which is heard by the court. That interpretation is no more reliable than a combination of the experience, ability and accuracy of understanding of the individual who makes it as well as the time allowed in order for that person to consider the evidence involved in the case. Clear and accurate findings are also likely to save further significant cost at the court.
Therefore, perhaps accreditation should be focussed more so towards the individual rather than the company that employs them. This could not only increase the standard of work of expert witnesses in the courts, it could also balance the playing field between those companies employing more experienced staff who adopt a bespoke service to each case and those with less experienced staff who use more automated generic processes at a lower cost.
For the same reason that most would not employ an accountant or any other professional service based on cost alone, the use of the cheapest expert witness in serious cases, where it is often not possible to identify the correct answers in the shortest amount of time possible, is a false economy.
The normal way to improve a service is rarely to continually select the cheapest provider of it, particularly when the service available can differ greatly and the effect to a Defendant can be life-changing.
About Athena Forensics
For information on our digital forensic services or if you require any advice or assistance please contact a member of our team on 0330 123 4448 or via email on firstname.lastname@example.org, further details are available on our contact us page.
Our client’s confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensics investigation.
Our digital forensics experts are fully aware of the significance and importance of the information that they encounter and we have been accredited to ISO 9001 for 10 years.
Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.