
A scale of confidence for digital evidence

29 Posts
11 Users
0 Likes
1,756 Views
(@tootypeg)
Posts: 173
Estimable Member
Topic starter
 

In the past I've started threads about proving everything at a factual level…..I think those days have passed and I am now looking into confidence scales as some research. You guys gave me some great help with my previous framework idea research and I guess I am after starting a debate on this topic now.

So, I'm looking at developing a scale depicting how much confidence a practitioner has in their findings to support jury decision making. Such scales are commonly used in other forensic disciplines like fibre and footwear marks.

Curious to start a debate around how we quantify and measure confidence etc which in itself poses a number of issues…

Here are my initial thoughts:

1. Conclusive Fact- The current set of data on a device, following testing and validation cannot be interpreted any other way than that which is presented.

2. Compelling- Digital data is as a result of a known and validated process initiated by known actions. (Example, internet history found in a browser's typical log file)

3. Persuasive- Information deviates from standard formats but can be logically tested, verified and explained. (Example, a carved Internet History record)

4. Feasible- Digital data is capable of explaining a suggested hypothesis but 1 or more core requisites are missing in order for a scenario to be fully validated with available digital data.

5. Implausible- Digital data is unlikely to be as a result of the proposed hypothesis. Core requisites are missing in order to rely upon the understanding offered. (For example, suspect says A happened, but for A to have happened the digital data needs to show B and C. Neither are present.)

6. Impossible- The proposed scenario is not possible in the current situation and digital device being examined.

7. Insufficient Information- The scenario is possible but there is not enough information available to fully validate the hypothesis.

 
Posted : 24/01/2019 8:49 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

1. Validated fact taken from the device, which can't be interpreted any other way than that, which is presented.

The rest has nothing to do with digital evidence, it's only a game of lawyers.

 
Posted : 24/01/2019 9:43 pm
(@tootypeg)
Posts: 173
Estimable Member
Topic starter
 

If you are asked to give your expert opinion on something though? Whilst there may be some factual content, there are bound to be variables which mean your confidence is <100%? At this point, how do you convey your confidence level to a jury?

 
Posted : 25/01/2019 9:27 am
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

I perfectly convey my confidence level for any digital evidence to a jury: it is a 100% yes or 100% no, based on my previous post.

If it is not 100% yes, then it is a NO! You can't play with others' lives and put somebody in jail based on any kind of presumptions, no matter how small they are!

No matter your level of confidence, the lawyers, the jury and the judge will do (or at least they should do) what they consider the best. It's their game, digital forensics is just a brick of the wall.

 
Posted : 25/01/2019 2:54 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

IMHO your scale is "wrong".
7 (insufficient information) should be "middle ground", not an extreme OR - IMHO even better - be taken outside of the scale completely and be intended as the basic pre-requisite.
I.e. IF there is enough info, THEN there can be a scale, otherwise the grade is not 1 to 6 but rather "a suffusion of yellow".

jaclaz

 
Posted : 25/01/2019 3:49 pm
(@tootypeg)
Posts: 173
Estimable Member
Topic starter
 

Jaclaz - I hear what you are saying. But if someone asks a specific question regarding the scenario and your findings, then there may be a case for insufficient information? For example, did X open folder A. If there are no shellbags etc etc no other artefacts, is it a no? I don't know if you can say that for certain. If someone clears ALL the log content (I know, unlikely but bear with me), then I would argue there is not enough available digital information to tell if it was opened or not. I don't think I could 100% say no.

Passcode - interesting points. What about if someone asks did A visit website B after you recover a deleted history record from unallocated? You can surely state certain things as 'fact' - the string is structured as a URL etc etc, but could you say A visited B with certainty or no certainty. Surely this leads to a grey area where things like device access may play a role and whether the URL was part of a webpage visited etc - Surely at this point, a series of things builds up your certainty to a level but not a fact?

Just throwing it out for a debate

 
Posted : 25/01/2019 4:52 pm
watcher
(@watcher)
Posts: 125
Estimable Member
 

While I can appreciate the concept and intent behind this, my immediate thought was "Oh Gawd No!"

First off the whole idea of numbering leads to someone deciding that they can use it as a scoring mechanism. This in turn leads to results along the lines of, "The procedure was nearly perfect at 99% success, but the patient died." I have seen scoring used in security evaluations where the score was excellent despite the giant gaping failure mechanism that wasn't addressed.

More important is human nature and technical understanding. Nothing is absolute and unassailable. Fingerprints do not match, they have a number of points of similarity with statistical likelihoods. Even DNA doesn't match for the normal forensic use because it's not a full sequence, just high probability significance portions.

It's up to the legal process to interpret the importance of evidence, and unfortunately sometimes they get it wrong. In general, you don't have the complete facts outside of the digital forensics. You may not know if the device was taken from a secure shielded lab or a publicly accessible kiosk. You may not know if the suspect is a strung out junky or a Bruce Schneier.

 
Posted : 25/01/2019 5:07 pm
(@tootypeg)
Posts: 173
Estimable Member
Topic starter
 

Yep, I totally get there are loads of issues with this and where some forensic disciplines have statistics to back up their findings we don't. But at some point an expert might be asked to give their opinion on some set of circumstances within a case as an expert. Without some form of scale how are the jury to know how certain you are about the information you present? I don't think everything is as binary as 'fact' or 'false'.

 
Posted : 25/01/2019 6:25 pm
tracedf
(@tracedf)
Posts: 169
Estimable Member
 

Jaclaz - I hear what you are saying. But if someone asks a specific question regarding the scenario and your findings, then there may be a case for insufficient information? For example, did X open folder A. If there are no shellbags etc etc no other artefacts, is it a no? I don't know if you can say that for certain.

I think the correct answer is to say that you did not find evidence to support the contention that X opened folder A. That doesn't mean it didn't happen, but you don't have evidence of it. Absence of evidence is not necessarily evidence of absence.

There are times when there are multiple possible explanations or where connections are circumstantial. The best approach is to be honest and acknowledge competing possibilities without trying to lock into a 100% yes or no answer if you don't feel comfortable doing so.

 
Posted : 25/01/2019 6:28 pm
(@tootypeg)
Posts: 173
Estimable Member
Topic starter
 

Would this not bring you back to use of a scale though?

I mean, is there scope for a scale in digital evidence or do they just not work? I think whenever you are asked to give an opinion, there must be a scale and evidence of opinion in an expert capacity exists in DF just like any other forensic discipline?

 
Posted : 25/01/2019 6:35 pm