Duty of Experts
October 28, 2016
In general terms, experts have a duty to present the objective, unbiased truth of the matter before the court.
It is not their role to advocate for one side; that burden is on the attorneys.
The UK Criminal Procedure Rules (CPR) specifically address this issue with the following statements:
1. An expert must help the court to achieve the overriding objective by giving objective, unbiased opinion on matters within his expertise.
2. This duty overrides any obligation to the person from whom he receives instructions or by whom he is paid.
3. This duty includes an obligation to inform all parties and the court if the expert’s opinion changes from that contained in a report served as evidence or given in a statement.
There are many factors that can divert experts from their duty, despite the best intentions. It is the human condition to have emotional reactions, harbor prejudices, and be subject to other subtle influences.
However, to be an effective digital investigator and expert witness, it is necessary to be more self-aware and resistant to subtle influences like bias, emotion, and greed.
Digital investigators are often pressured, both subtly and overtly, to concentrate on specific areas of inquiry and to reach conclusions that are favorable to a particular party.
Some cases and the nature of the evidence uncovered (digital or otherwise) will take digital investigators to emotional limits, testing their resolve.
Members of law enforcement who conducted an investigation to apprehend a defendant may be required to present digital evidence objectively in court and may have the duty to identify weaknesses in a prosecution case.
Computer security professionals in the private sector often have to investigate longtime coworkers, and cases in all sectors can involve brutal abuse of innocent victims, inciting distraught individuals and communities to strike out at the first available suspect.
The effectiveness of the investigative process depends upon high levels of objectivity applied at all stages.
A good digital investigator must resist such influences and remain objective in the most trying situations.
Clients, whether they are individuals or companies, will believe firmly in their cause and may present their position stridently.
When a client tells a digital investigator how dishonest the other party is or presents the case in a way that is intended to garner sympathy, the digital investigator must resist any urge to form opinions about the case based on these emotional factors.
Attorneys have a responsibility to build the strongest case for their client.
Therefore, it is to be expected that attorneys will ask a digital investigator whether a conclusion that is favorable to their client can be supported by the evidence.
Digital investigators must be extremely firm on what conclusions the evidence supports to avoid being swayed by an attorney trying to push the limits of the evidence.
Digital investigators can also be influenced by the pressures of their peers.
Certain organizations prohibit their members from working for the defense in criminal cases.
The refusal to perform criminal defense work shows a clear bias that is not based on evidence in a case.
As a result, digital investigators who accept this restriction will have difficulty defending their objectivity when challenged in the courtroom.
AVOIDING PRECONCEIVED THEORIES
Trained, experienced investigators will begin by considering whether a crime or infraction has actually occurred. For instance, when log files indicate that an employee misused a machine but he adamantly denies it, a digital investigator should carefully examine the logs for signs of error.
Similarly, when a large amount of data is missing on a computer and an intruder is suspected, digital investigators should determine if the damage is more consistent with disk corruption than an intrusion.
In one case, a suicide note on a computer raised concern because it had a creation date after the victim’s death.
It transpired that the computer clock was incorrect and the note was actually written before the suicide.
When an investigator has ruled out innocent explanations, the focus shifts toward determining what happened, where, when, and how, who was involved, and why.
The process by which digital evidence is uncovered and applied to these issues involves several steps, each employing strict protocols, proven methods, and, in some cases, trusted tools.
The success of this process depends heavily on the experience and skill of the digital investigators, forensic analysts, and crime scene technicians who must collaborate to piece the evidence together and develop a convincing account of the offense.
Individuals with inquiring minds and an enthusiasm for apprehending offenders may begin to form theories about what might have occurred the moment they learn about an alleged crime, before examining available evidence.
Even experienced investigators are prone to forming such preconceived theories because they are inclined to approach a case in the same way as they have approached past cases, knowing that their previous work was upheld.
As experience increases and methods employed are verified, the accuracy of these “predictions” or “investigator’s intuition” may improve.
Conjecture based upon experience has its place in effective triage but should not be relied upon to the exclusion of rigorous investigative measures.
The investigative process demands that each case be viewed as unique, with its own set of circumstances and exhibits.
Letting the evidence speak for itself is particularly important when offenders take steps to misdirect investigators by staging a crime scene or concealing evidence.
The main risk of developing full hypotheses before closely examining available evidence is that investigators will impose their preconceptions during evidence collection and analysis, potentially missing or misinterpreting a critical clue simply because it does not match their notion of what occurred.
For instance, when recovering a deleted file named “plyr5.gif” depicting a crime-image, an investigator might impose a first letter on the file name so that it reads “plyr5.gif” rather than “blyr5.gif”.
Instead, if the original file name is not recoverable, a neutral character such as “_” should be used to indicate that the first letter is unknown.
This caveat also applies to the scientific method from which the investigative process borrows heavily.
At the foundation of both is the tenet that no observation or analysis is free from the possibility of error.
Simply trying to validate an assertion increases the chance of error—the tendency is for the analysis to be skewed in favor of the hypothesis.
Conversely, on developing many theories, an investigator is owned by none, and by seeking evidence to disprove each hypothesis, the likelihood of objective analysis increases (Popper, 1959).
Therefore, the most effective way to counteract preconceived theories is to employ a methodology that compels digital investigators to find flaws in their theories, a practice known as falsification.
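The neutral-placeholder rule for deleted file names described above can be enforced in the recovery tool itself. The following is an added example, not code from the original text; it assumes a FAT file system (which the page does not name), where deletion overwrites the first byte of the 8.3 short name with 0xE5, and the helper names and sample directory are constructed for illustration.

```python
import struct

DELETED = 0xE5    # FAT overwrites the first name byte with 0xE5 on deletion
ATTR_LFN = 0x0F   # long-file-name entries, skipped in this example

def make_entry(name11, cluster=0, size=0, attr=0x20):
    """Build a constructed 32-byte FAT short directory entry for the sample."""
    e = bytearray(32)
    e[0:11] = name11
    e[11] = attr
    struct.pack_into("<H", e, 20, cluster >> 16)      # first cluster, high word
    struct.pack_into("<H", e, 26, cluster & 0xFFFF)   # first cluster, low word
    struct.pack_into("<I", e, 28, size)
    return bytes(e)

def parse_short_entries(raw):
    """Parse 8.3 entries; deleted names get '_' for the unknown first character."""
    out = []
    for off in range(0, len(raw) - 31, 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:                 # end-of-directory marker
            break
        if e[11] & 0x3F == ATTR_LFN:
            continue
        deleted = e[0] == DELETED
        name = bytearray(e[0:8])
        if deleted:
            name[0] = ord("_")           # record "unknown", never a guessed letter
        elif name[0] == 0x05:
            name[0] = 0xE5               # live entry whose real first byte is 0xE5
        base = name.decode("cp437").rstrip(" ")
        ext = e[8:11].decode("cp437").rstrip(" ")
        hi, lo = struct.unpack_from("<H", e, 20)[0], struct.unpack_from("<H", e, 26)[0]
        out.append({
            "name": base + ("." + ext if ext else ""),
            "deleted": deleted,
            "first_char_known": not deleted,
            "first_cluster": (hi << 16) | lo,
            "size": struct.unpack_from("<I", e, 28)[0],
        })
    return out

# Constructed sample directory: one live file, one deleted file, end marker.
SAMPLE_DIR = (make_entry(b"REPORT  TXT", cluster=5, size=1200)
              + make_entry(b"\xE5LYR5   GIF", cluster=9, size=40960)
              + bytes(32))

if __name__ == "__main__":
    for entry in parse_short_entries(SAMPLE_DIR):
        print(entry)
```

Carrying the `first_char_known` flag into the report keeps the unknown character visibly distinct from a file whose name really begins with an underscore.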
SCIENTIFIC TRUTH AND LEGAL JUDGEMENT
Generally, in the prosecutorial environment, theories based upon scientific truth are subordinate to legal judgment and digital investigators must accept the ruling of the court.
For instance, in common law countries, the standard of proof for criminal prosecutions is beyond a reasonable doubt and for civil disputes it is the balance of probabilities.
Legal judgment is influenced by ideas like fairness and justice, and the outcome may not conform to the scientific truth.
In a trial, the object is to assess the case as a whole to determine whether there is sufficient proof of guilt.
The decision on the facts is specific to that trial. In “science,” we are trying to identify rules that are universally true.
In nearly all trials, scientific and technical evidence is only part of the total picture.
A court may convict an individual even if the case is weak or some evidence suggests innocence.
Most forensic scientists accept the reality that while truthful evidence derived from scientific testing is useful for establishing justice, justice may nevertheless be negotiated.
In these negotiations, and in the just resolution of conflict under the law, truthful evidence may be subordinated to issues of fairness, and truthful evidence may be manipulated by forces beyond the ability of the forensic scientist to control or perhaps even to appreciate fully.
Digital investigators must generally accept an attorney’s decision not to proceed with a case or not to disclose certain evidence.
However, in some instances, investigators will face an ethical dilemma if they feel that a miscarriage of justice has occurred.
An investigator may be motivated to disclose information to the media, or to assist in a follow-up investigation, but such choices must be made with great care because a repeated tendency to disagree with the outcome of an investigation or become a whistleblower could ruin an investigator’s credibility and even expose him/her to legal action.
Employment of a rigorous investigative process may uncover unpopular or even difficult to believe truths that will be rejected by less objective people.
Digital investigators may be confronted with a difficult choice—of renouncing such truth or facing the consequences of holding an unpopular belief.
It is the duty of investigators to unwaveringly assert the truth even in the face of opposition.
This is not intended to suggest that science is infallible.
The fact is that science is still advancing and previous theories are being replaced by better ones.
For instance, DNA analysis has largely replaced blood typing in forensic serology, and although the technique of blood typing was valid, it was not conclusive enough to support some of the convictions based upon evidence derived from that analysis alone.
This weakness can be shown in dramatic fashion by the existence and success of the Innocence Project, which is using results of DNA analysis to overturn wrongful convictions based on less than conclusive ABO blood typing and enzyme testing.
When preparing for the final step of the investigative process (the decision or verdict), it is important to keep in mind that discrepancies between legal judgment and theories based on scientific truth may arise from a lack of understanding on the part of the decision makers.
The court process differs from scientific peer review, where reviewers are qualified to understand and comment on relevant facts and methods with credibility.
When technical evidence supporting theories based on scientific truth is presented to a group of reviewers who are not familiar with the methods used, misunderstandings and misconceptions may result.
To minimize the risk of such misunderstandings, the investigative process and the evidence uncovered to support prosecution must be presented clearly to the court as discussed at the end of this chapter.
A clear presentation of findings is also necessary when the investigative process is presented to decision makers who are in charge of civilian and military network operations.
However, investigators may find this situation easier as decision makers in these domains often have some familiarity with methods and tools employed in forensic investigations for computer and network defense.