Sam Raincock from SRC is an IT and telecommunications expert witness specialising in the evaluation of digital evidence. She also provides training and IT security consultancy.
When evaluating computer forensics cases the tricky part is often not just evaluating what is found but determining how it came to reside there.
"It was downloaded via a web browser because I identified it in Temporary Internet Files..."
"I reconstructed the webpage and the image was downloaded as part of the page presented as SR1..."
"There is also evidence in the Internet History to support the proposition that the image was downloaded as part of the webpage..."
"Access to this website occurred after use of the search term 'Forensic Focus'..."
However, sometimes computer forensics isn’t just about what happened and proving intent; it’s also about proving whodunit and ensuring the correct person is prosecuted for the crime they committed.
In the simplest of scenarios, it may be that an organisation has a policy (or not, as the case may be) of sharing user accounts or that the computer is used in a location where multiple people have access to it. In these situations, it may be that the perpetrator alleges that someone else is responsible or that there is doubt about who is the culprit.
Beyond Reasonable Doubt?
If a case is not investigated fully, it could fall at the first hurdle no matter how strong the evidence is of the crime. Ultimately, in a Criminal Court in the UK, the Prosecution needs to prove the case against an accused beyond reasonable doubt. There are books written on the meaning of this phrase and, suffice to say, I am neither qualified nor knowledgeable enough to comment on its full meaning. However, in essence, it is built upon the fundamental principles that a person is innocent until proven guilty and that a Judge/Jury/Magistrate must be sure that the person is guilty (and if not, they should return a verdict of not guilty). Hence, this may present a problem for prosecuting computer cases where it can be clearly shown other people were accessing the computer...
Read more at http://www.forensicfocus.com/sam-raincock