Friday, January 28, 2011

Vogon International's Forensic Bulletin

Playing "Hired Gun" in Computer Forensics - "Boot Disk" or "Boot Hill"

Preparing forensic evidence for a court can be open to disaster, as we have all observed in recent weeks.

Sooner or later playing the "hired gun" for prosecution or defence work will see you come unstuck - no matter how good you consider your skills to be, there will be people who are more thorough, more professional and a lot faster on the draw.

We face "hired guns" in many cases and originally would feel satisfaction when the opposition withdrew a case, the charge was dropped or reduced prior to trial or we were able to demonstrate the opposing evidence had no provenance.

Was this actually a success for anyone? The answer must be a resounding NO. Thinking back to these cases now shows that they were actually attempts to abuse the court system - since it now seems that our opposition had in fact no credible evidence and was embarking on a trial based on digital fudge.

In the recent high-profile and well-publicised case (see R -v- Stevens), one of Vogon's long-term competitors appeared for the defence against the prosecution expert.

On the first day of the high-profile prosecution of a Police Officer for child pornography, the prosecution attorney had to state, upon receipt of the defence expert's analysis of the defendant's laptop, that the prosecution expert, a Brian Underhill, had made several serious mistakes and that there was no case to answer.

A withdrawal or change of charge prior to the trial would have been bad enough, but for the Crown Prosecution Service's barrister to have to announce the failures of their expert in open court was beyond belief.

The prosecution expert concerned claimed to have worked on over 600 UK police prosecutions associated with Operation Ore - the highest profile UK police operation involving child pornography.

Additionally he and his co-director of their 'investigations' company claim to have worked on 1,022 police prosecutions.

To compound the issue each Operation Ore prosecution describes the collection of the original evidence in the USA from the US Postal Service by the same two men, from the servers of the company known as Landslide in Texas.

Indeed, the Landslide servers are the origin of over 6,000 names of suspects being followed up by the UK police. It is believed that around 1,600 investigations have been undertaken as a result of this original evidence.

The matter throws into question the entire area surrounding prosecutions associated with any evidence generated by these two men.

To anyone who works or has worked in this area, it creates immense confusion over what to do next and raises issues which can only be handled by the highest levels of the Crown Prosecution Service and possibly ACPO (the UK Association of Chief Police Officers).

Bar the defence expert and barrister, there is no glory for anyone in any of this mess, and we can only hope that in the post-mortem analysis there is something that can be learned.

It is a disaster for all concerned, especially for anyone subjected to unsafe evidence, and is equally disastrous if someone escapes prosecution through the incompetence of the prosecution work, which would perhaps leave or put children at risk.

It is also a complete waste of police, prosecution and defence resources, all of which are funded by the taxpayer.

Before you, the reader and perhaps a fellow computer forensics practitioner, become too complacent - we are aware of other individuals and organisations, throughout the UK and in other countries such as Canada, the USA and Australia, who are no better than the prosecution expert involved in this UK case.

This type of situation almost guarantees a trip to the computer forensic "Boot Hill".

I have always been vociferous regarding poorly resourced and unskilled practitioners, since without a true peer group and serious technical backup there is no way that they can provide their clients with any credible work on cases which stretch their skills to their limits.

At Vogon, our forensic investigators have serious backing, with access to our team of hardware and software engineers, who include the developers of our own forensic tools. They have access to hundreds of years of experience that they can call on.

Our consultants and engineers have many notches on their guns and have no intention of heading to "Boot Hill" quite yet - through either "hired guns" or indeed friendly fire.

The nature of computer forensics is that we need peer reviews of our work to avoid error and continue the development of our staff and products alike.