A Digital Forensics investigation requires that an examiner completes an analysis of data present on a device for evidence. The evidence can be required in relation to legal proceedings or as part of an investigation, including internal company matters.
To identify this evidence, automated software processes are often run over a hard drive or handset to flag potential evidence, and that material is then reviewed manually by the computer forensic examiner. The manual review is required to ensure that the potential evidence identified by the software is actual evidence rather than an anomaly.
Several Police Forces, as well as other Computer Forensic companies, have adopted the C4P software as a measure for identifying relevant material in indecent and extreme image cases. This software scans a computer hard drive for images of relevance. The software is able to identify a relevant image because a hash value of it is stored within the software database. The database is built up from images that have been identified within previous cases. An image may have been identified by the examiner themselves or by another examiner within the Force or company.
Since its introduction, this software has been found to increase an examiner's throughput of work, as they no longer need to conduct manual reviews of large quantities of images, often 100,000s, because the software identifies any relevant material for them. Backlogs have therefore been greatly reduced within Police Forces, where previously, in some instances, waiting times were up to 18 months. However, whilst the process of identifying material has become quicker and simpler, there is still a need to carry out some manual tasks:
- The need for an examiner to review the material identified to confirm its relevance.
- The need for the C4P database to be accurate and correct.
- The images present on a hard drive still require review or material not contained within the C4P database will not be identified.
Without these tasks being completed, irrelevant and/or duplicated material is identified. What our computer forensic examiners have noticed in Athena Forensics' involvement in these types of cases is that reliance is placed too firmly on simply identifying the images using this process, rather than assessing the content of the data, the manner in which it has been created or its location on the hard drive. As a result, our computer forensic examiners have encountered cases where the evidence is duplicated, corrupted or unidentifiable. Very few cases that we now encounter have been investigated initially beyond the identification of images, meaning that most have been the subject of data processing.
Normally, the identification of evidence requires that it has been investigated (i.e. how it got there and who was responsible) to determine its significance. If the Defendant accepts having put it there, then the case may appear to be resolvable relatively quickly. However, with the use of this software, it is becoming common (more so than previously) for large numbers of images to be removed from the charges once they have been more thoroughly assessed (i.e. are they duplicated, were they contained within areas of the hard drive that were inaccessible). On occasion, many thousands of images are reduced to a few hundred.
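The gap between raw hash hits and what remains after assessment can be illustrated with a short sketch. This is an added example, not C4P's code or Athena Forensics' tooling; the use of SHA-256, the disk-area labels, the sample paths and the rule that only allocated files count as user-accessible are all assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: (location on exhibit, disk area, content). Labels are assumptions.
SAMPLE_FILES = [
    ("Users/a/Pictures/img1.jpg", "allocated", b"image-A"),
    ("Users/a/Pictures/Copy of img1.jpg", "allocated", b"image-A"),
    ("Users/a/AppData/thumbcache#17", "system_cache", b"image-A"),
    ("unallocated/cluster_88121", "unallocated", b"image-B"),
    ("Users/a/Downloads/img3.jpg", "allocated", b"image-C"),
    ("Users/a/Pictures/img4.jpg", "allocated", b"image-D"),
]
# Stand-in for the database of hashes from previous cases (image-D is not in it).
KNOWN_HASHES = {sha256(b"image-A"), sha256(b"image-B"), sha256(b"image-C")}
# Assumption: only live, allocated files are treated as accessible to the user.
USER_ACCESSIBLE = {"allocated"}

def triage(files, known):
    """Match files against known hashes, then collapse duplicates and note location."""
    hits = defaultdict(list)   # hash -> every (path, area) where it was found
    unmatched = []             # not in the database: still needs manual review
    for path, area, data in files:
        digest = sha256(data)
        if digest in known:
            hits[digest].append((path, area))
        else:
            unmatched.append(path)
    # A unique image counts as accessible only if at least one copy is in a user-accessible area.
    accessible = [d for d, locs in hits.items()
                  if any(area in USER_ACCESSIBLE for _, area in locs)]
    return {
        "raw_hits": sum(len(locs) for locs in hits.values()),
        "unique_hits": len(hits),
        "unique_accessible": len(accessible),
        "needs_manual_review": unmatched,
        "locations": dict(hits),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_FILES, KNOWN_HASHES).items():
        print(key, "=", value)
```

On the constructed data, five raw hits collapse to three unique images, of which two have a copy in a user-accessible location, and one file outside the database is left for manual review.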
With news that databases are now going to be shared nationally across UK based Police Forces, any inaccuracies will be quickly duplicated unless routine maintenance and review of them is undertaken.
The introduction and increased use of C4P, when used in the manner in which it is currently being applied, has allowed an increase in the throughput of computer forensic examiners reviewing cases of this type and has also allowed for a reduction in time spent on a case at a time when budgets of Police Forces and businesses are being cut. However, Computer Forensics is the examination and investigation of digital media for evidence; the identification of images in cases of that type is only one part of that process and, therefore, frequently only a small part of the story is being told.
Director, Senior Forensic Consultant and Expert Witness