I appreciate the opportunity to discuss this topic on your blog. I find that my opinion would vary from yours to some degree.
While science and experiments are a vital and necessary part of digital forensics a large part of the evidence uncovered during an exam does not necessarily require an application of science or an experiment. The people who originated the term “Computer Forensics” could have picked a better phrase to define the discipline. I prefer to think of most of the work I do as a “forensic search” of a piece of evidence. I preserve the evidence, the image, in such a way that it is not altered and anyone can duplicate my work from that image and then I search it just as a detective would search a house for a gun, narcotics etc.
The vast majority of evidence that I have located in exams has come from allocated space. In my report I document the file, its dates and times and its location on the storage medium. As an example I had a case where I was requested to examine a Blackberry for evidence which might link a given suspect to a bank robbery. On the micro SD card in the phone I recovered a photograph of the suspect holding a version of the MAC 10 machine gun. Statements from the witnesses and the video show one of the suspects holding a MAC 10. The prosecutor and the jury found the photograph amusing. My testimony consisted of stating that I found the graphic on the micro SD card. I did not testify that it was a real gun or to any other fact other then I found the picture and where.
Using the image of the SD card the graphic could be located by any forensic tool available. Since the report provides the location of the file I could even clone the image to another SD card. The card could be put in a media reader and anyone computer literate could navigate to the same evidence I found. It was nothing special and anyone could have done the same.
I read the report from the National Academy of Sciences and came out with a slightly different idea of what they found distressing. I believe the central complaint in that report is not that the science in the disciplines is lacking but that the opinions expressed by the experts in court tend to go beyond their literal/explicit findings assuming they bother to do an exam at all.
In a recent discussion in a college class I asked the question if a computer examiner could state that passwords held any evidentiary value. My position was that they hold none except in very limited circumstances. As an examiner I can determine that a password exists or does not exist and I may even be able to determine what it is but that is it. From an exam I cannot tell who in the home or office that the device was recovered knew the password. I cannot tell if someone walked away from their computer etc. In short I cannot testify as a computer examiner to what other people know. It was interesting that many of the students insisted that you might be able to associate a password with a user if they used something personal like a date of birth or used the same password for multiple things. They completely over looked the fact that they would be testifying to information not in their forensic exam but their personal opinion of someone’s computer habits.
Ego can be a problem when testifying. As an “expert” there is a temptation to be willing to provide an opinion to whatever question you are asked on the stand. Judges and attorneys often do not help as they frequently regard anyone with computer knowledge as an all knowing expert on all subjects involving computers. It is up to the examiner to let the attorney/judge know that he or she does not have that knowledge or expertise. It is very difficult to tell people looking up to you as the source of all knowledge that you don’t know. I would say that the science is not lacking in forensics but the willingness of experts to provide opinions outside of the literal results of their findings is the actual problem.
Please don’t get the impression that I believe that science and research have limited value in digital forensics. I do believe that experiments and research are of use and necessary in digital forensics. I have engaged in them from time to time in particular when dealing with files recovered from unallocated space or fragments of files. Determining what program generated the file or fragment, determining the evidentiary value or lack there of, has most of the time required experiments and research. I do believe that much of my work is simply a search which identifies information of value.
Posted by:
Sgt. Kevin Stenger
Orange County Sheriffs Office
Orlando Florida