Digital information can be damning, says Julian Parker, but misinterpreting it can be easy
Without proper analysis, it is all too easy to misinterpret or misrepresent technical information, especially where limited traces appear to indicate guilt. A single item recovered by forensic examination, perhaps a credit card number or trace of a website visited, should not necessarily be considered proof positive in isolation.
This point has recently been made in relation to the high-profile police investigation of alleged paedophiles, Operation Ore, where their investigations have been triggered by the recovery of credit card details from illegal websites. In an era when 'card not present' fraud and identity theft are rife, the presence of credit card details alone should hardly be deemed substantive proof of wrongdoing.
Furthermore, visiting some websites may trigger activity unknown to and unseen by the user, not least trojan code and other such malicious programs. Users can also inadvertently download lists of newsgroups from the web, for example, without being aware of their content. Such lists will remain on the user's computer and can include extremely prejudicial-sounding groups.
An investigator finding one of these must be careful not to misinterpret it or the reason why it is there. The presence of the list on the machine does not, of itself, indicate that the user is interested in or has visited any of the specific groups listed. Similarly, a single graphic found in unused areas of the hard disk (that is, currently unsaved by the user) indicates little about why or how it got there.
Basic errors are made all too often - take a fraud case, for example. The investigation might produce records showing that a suspicious purchase order was created by the suspect at 11.24am on a Sunday morning, and subsequently deleted. It looks like someone is working unusual hours and covering their tracks.
Ask yourself though: was the clock correctly set? What time zone was it in? Does your software account for differences between time zones and for daylight saving time? The purchase order may have been created on the suspect's PC, but did anyone else have access to their account or user ID? Was the deletion caused by the user's intervention or by the computer's operating system?
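As an added illustration of the time-zone questions above (example code written for this page, not from the original column or from Data Genetics International), the Python below takes a single constructed timestamp, stored the way NTFS stores it (UTC), and renders it under three assumptions an examiner might make about the suspect's machine. The epoch value, the zone choices and the "office hours" window are assumptions; the EU summer-time rule is hand-coded so the example runs without a tz database, and real casework should use `zoneinfo` with current tzdata instead.

```python
from datetime import datetime, timedelta, tzinfo

# Constructed sample value: an NTFS-style timestamp (stored as UTC) for the
# purchase order, expressed as Unix epoch seconds = 2003-06-15 23:24:00 UTC.
RAW_UTC_EPOCH = 1_055_719_440

HOUR = timedelta(hours=1)


class FixedOffset(tzinfo):
    """A zone with no daylight-saving rule at all (e.g. JST), or the mistaken
    'GMT all year' assumption an examiner might apply to a UK machine."""

    def __init__(self, hours, name):
        self.offset, self.name = timedelta(hours=hours), name

    def utcoffset(self, dt):
        return self.offset

    def dst(self, dt):
        return timedelta(0)

    def tzname(self, dt):
        return self.name


class EuSummerTime(tzinfo):
    """Standard offset plus the EU summer-time rule in force since 1996:
    clocks go forward at 01:00 UTC on the last Sunday of March and back at
    01:00 UTC on the last Sunday of October. Hand-rolled here only so the
    example needs no tz database files (assumption: no other rule applies)."""

    def __init__(self, std_hours, std_name, dst_name):
        self.std = timedelta(hours=std_hours)
        self.std_name, self.dst_name = std_name, dst_name

    @staticmethod
    def _transition(year, month):
        # 01:00 UTC on the last Sunday of the given month (March or October)
        last_day = datetime(year, month + 1, 1) - timedelta(days=1)
        back_to_sunday = (last_day.weekday() + 1) % 7      # Monday=0 ... Sunday=6
        return (last_day - timedelta(days=back_to_sunday)).replace(hour=1)

    def _is_summer(self, utc_naive):
        y = utc_naive.year
        return self._transition(y, 3) <= utc_naive < self._transition(y, 10)

    def fromutc(self, dt):
        # Called by datetime.fromtimestamp(..., tz=self); dt holds UTC wall time
        summer = self._is_summer(dt.replace(tzinfo=None))
        return dt + self.std + (HOUR if summer else timedelta(0))

    def dst(self, dt):
        # dt is local wall time; undo the standard offset before testing the UTC rule
        return HOUR if self._is_summer(dt.replace(tzinfo=None) - self.std) else timedelta(0)

    def utcoffset(self, dt):
        return self.std + self.dst(dt)

    def tzname(self, dt):
        return self.dst_name if self.dst(dt) else self.std_name


def render(epoch, tz):
    """Human-readable local time, including weekday and zone abbreviation."""
    return datetime.fromtimestamp(epoch, tz=tz).strftime("%A %Y-%m-%d %H:%M %Z")


def within_office_hours(epoch, tz):
    """True when the instant falls Monday to Friday, 08:00-17:59 local time
    (an assumed window; adjust to the organisation under investigation)."""
    local = datetime.fromtimestamp(epoch, tz=tz)
    return local.weekday() < 5 and 8 <= local.hour < 18


def interpretations(epoch):
    """The same stored instant under three different assumptions about the zone."""
    return {
        "UK machine, DST honoured": render(epoch, EuSummerTime(0, "GMT", "BST")),
        "UK machine, 'GMT all year' mistake": render(epoch, FixedOffset(0, "GMT")),
        "Tokyo branch (no DST)": render(epoch, FixedOffset(9, "JST")),
    }


if __name__ == "__main__":
    for assumption, shown in interpretations(RAW_UTC_EPOCH).items():
        print(f"{assumption:38s} {shown}")
```

The same raw value reads as Sunday late evening if summer time is ignored, as a few minutes past midnight on Monday if it is honoured, and as Monday morning office hours if the machine actually sat in a zone nine hours ahead; only the last of these is consistent with ordinary working behaviour, so the "unusual hours" inference stands or falls on the zone and DST assumptions, which the examiner must establish before drawing conclusions.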
Because electronic evidence can be so damning, opposing counsel will take every opportunity to try and discredit it. Testing any assertions fully is the only viable way for an expert to be able to confirm and accurately report their findings.
The unwise forensic examiner may think that, in the absence of any other explanation, their findings indicate that a user copied certain files, for example. But if the examiner tests this assertion by undertaking the same process and noting the results, they might well find that another explanation makes itself clear.
The expert who prejudges their findings, and fails to fully explore and test the material they are given, risks having their evidence discredited. You have been warned.
Julian Parker is a director of specialist computer forensic investigation firm Data Genetics International