A scale of confidence for digital evidence


tootypeg
Senior Member
 

A scale of confidence for digital evidence

Post Posted: Jan 24, 19 21:49

In the past I've started threads about proving everything at a factual level... I think those days have passed and I am now looking into confidence scales as some research. You guys gave me some great help with my previous framework idea research and I guess I am after starting a debate on this topic now.

So, I'm looking at developing a scale depicting how much confidence a practitioner has in their findings to support jury decision making. Such scales are commonly used in other forensic disciplines like fibre and footwear marks.

Curious to start a debate around how we quantify and measure confidence etc which in itself poses a number of issues...

Here are my initial thoughts:-

1. Conclusive Fact:- The current set of data on a device, following testing and validation cannot be interpreted any other way than that which is presented.

2. Compelling:- Digital data is the result of a known and validated process initiated by known actions. (Example, internet history found in a browser's typical log file)

3. Persuasive:- Information deviates from standard formats but can be logically tested, verified and explained. (Example, a carved Internet History record)

4. Feasible:- Digital data is capable of explaining a suggested hypothesis but 1 or more core requisites are missing in order for a scenario to be fully validated with available digital data.

5. Implausible:- Digital data is unlikely to be the result of the proposed hypothesis. Core requisites are missing in order to rely upon the understanding offered. (For example, suspect says A happened, but for A to have happened the digital data needs to show B and C. Neither is present.)

6. Impossible:- The proposed scenario is not possible in the current situation and digital device being examined.

7. Insufficient Information:- The scenario is possible but there is not enough information available to fully validate the hypothesis.  
 
  

passcodeunlock
Senior Member
 

Re: A scale of confidence for digital evidence

Post Posted: Jan 24, 19 22:43

1. Validated fact taken from the device, which can't be interpreted any other way than that which is presented.

The rest has nothing to do with digital evidence, it's only a game of lawyers.
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 
 
  

tootypeg
Senior Member
 

Re: A scale of confidence for digital evidence

Post Posted: Jan 25, 19 10:27

If you are asked to give your expert opinion on something though? Whilst there may be some factual content, there are bound to be variables which mean your confidence is <100%? At this point, how do you convey your confidence level to a jury?  
 
  

passcodeunlock
Senior Member
 

Re: A scale of confidence for digital evidence

Post Posted: Jan 25, 19 15:54

I perfectly convey my confidence level for any digital evidence to a jury: it is a 100% yes or 100% no, based on my previous post.

If it is not 100% yes, then it is a NO! You can't play with others' lives and put somebody in jail based on any kind of presumptions, no matter how small they are!

No matter your level of confidence, the lawyers, the jury and the judge will do (or at least they should do) what they consider the best. It's their game, digital forensics is just a brick in the wall.
 
  

jaclaz
Senior Member
 

Re: A scale of confidence for digital evidence

Post Posted: Jan 25, 19 16:49

IMHO your scale is "wrong".
7 (insufficient information) should be "middle ground", not an extreme OR - IMHO even better - be taken outside of the scale completely and be intended as the basic pre-requisite.
I.e. IF there is enough info, THEN there can be a scale, otherwise the grade is not 1 to 6 but rather "a suffusion of yellow".

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

tootypeg
Senior Member
 

Re: A scale of confidence for digital evidence

Post Posted: Jan 25, 19 17:52

Jaclaz - I hear what you are saying. But if someone asks a specific question regarding the scenario and your findings, then there may be a case for insufficient information? For example, did X open folder A. If there are no shellbags etc etc no other artefacts, is it a no? I don't know if you can say that for certain. If someone clears ALL the log content (I know, unlikely but bear with me), then I would argue there is not enough available digital information to tell if it was opened or not. I don't think I could 100% say no.


Passcode - interesting points. What about if someone asks did A visit website B after you recover a deleted history record from unallocated? You can surely state certain things as 'fact' - the string is structured as a URL etc etc, but could you say A visited B with certainty or no certainty. Surely this leads to a grey area where things like device access may play a role and whether the URL was part of a webpage visited etc - Surely at this point, a series of things builds up your certainty to a level but not a fact?

Just throwing it out for a debate
 
  

watcher
Senior Member
 

Re: A scale of confidence for digital evidence

Post Posted: Jan 25, 19 18:07

While I can appreciate the concept and intent behind this, my immediate thought was "Oh Gawd No!"

First off the whole idea of numbering leads to someone deciding that they can use it as a scoring mechanism. This in turn leads to results along the lines of, "The procedure was nearly perfect at 99% success, but the patient died." I have seen scoring used in security evaluations where the score was excellent despite the giant gaping failure mechanism that wasn't addressed.

More important is human nature and technical understanding. Nothing is absolute and unassailable. Fingerprints do not match, they have a number of points of similarity with statistical likelihoods. Even DNA doesn't match for the normal forensic use because it's not a full sequence, just high probability significance portions.

It's up to the legal process to interpret the importance of evidence, and unfortunately sometimes they get it wrong. In general, you don't have the complete facts outside of the digital forensics. You may not know if the device was taken from a secure shielded lab or a publicly accessible kiosk. You may not know if the suspect is a strung out junky or a Bruce Schneier.
 
