A scale of confidence for digital evidence


tootypeg
Senior Member
 

Re: A scale of confidence for digital evidence

Posted: Jan 25, 19 12:25

Yep, I totally get there are loads of issues with this and where some forensic disciplines have statistics to back up their findings we don't. But at some point an expert might be asked to give their opinion on some set of circumstances within a case as an expert. Without some form of scale how are the jury to know how certain you are about the information you present? I don't think everything is as binary as 'fact' or 'false'.
 
  

tracedf
Senior Member
 

Re: A scale of confidence for digital evidence

Posted: Jan 25, 19 12:28

- tootypeg
Jaclaz - I hear what you are saying. But if someone asks a specific question regarding the scenario and your findings, then there may be a case for insufficient information? For example, did X open folder A? If there are no shellbags etc. etc., no other artefacts, is it a no? I don't know if you can say that for certain.


I think the correct answer is to say that you did not find evidence to support the contention that X opened folder A. That doesn't mean it didn't happen, but you don't have evidence of it. Absence of evidence is not necessarily evidence of absence.

There are times when there are multiple possible explanations or where connections are circumstantial. The best approach is to be honest and acknowledge competing possibilities without trying to lock into a 100% yes or no answer if you don't feel comfortable doing so.  
 
  

tootypeg
Senior Member
 

Re: A scale of confidence for digital evidence

Posted: Jan 25, 19 12:35

Would this not bring you back to use of a scale though?

I mean, is there scope for a scale in digital evidence or do they just not work? I think whenever you are asked to give an opinion, there must be a scale and evidence of opinion in an expert capacity exists in DF just like any other forensic discipline?
 
  

passcodeunlock
Senior Member
 

Re: A scale of confidence for digital evidence

Posted: Jan 25, 19 13:05

- tracedf
I think the correct answer is to say that you did not find evidence to support the contention that X opened folder A. That doesn't mean it didn't happen, but you don't have evidence of it. Absence of evidence is not necessarily evidence of absence.


This is right, as I said, it is only one option. You never deny something didn't happen, you just say that you can't find evidence to prove it did. Also, if you have doubts, as a forensic investigator, you can always refuse the task. It's better giving back the task than having a bad conscience because of your unsure answer.

The so named "gray zone" with unsure answers is the debate for lawyers.
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 
 
  

jaclaz
Senior Member
 

Re: A scale of confidence for digital evidence

Posted: Jan 25, 19 14:17

@tootypeg

Quick: how many fingers are these?

Choose one:
1) I don't know, I cannot see your hand, NOT ENOUGH INFORMATION.
2) I presume one or more, however no more than five, however, since you used the plural "fingers" I would expect two or more and still no more than five.
3) My guess is three.

jaclaz


pǝɥɔʇǝɹʇs sɹǝƃuıɟ 9 ƃuıploɥ ɯɐ puɐ lıʇɔɐpʎlod ɐ ɯɐ ı ʍʇq puɐ ʇɔǝɹɹoɔ sı ⇂#
:ɹǝʍsuɐ
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

athulin
Senior Member
 

Re: A scale of confidence for digital evidence

Posted: Jan 26, 19 15:21

- tootypeg
So, I'm looking at developing a scale of depicting how much confidence a practitioner has in their findings to support jury decision making. Such scales are commonly used in other forensic disciplines like fibre and footwear marks.


While the scale may be useful (fixing terminology is always useful: the ISO OSI model has done a lot of good just by defining the terms to use), the metrics must also be in place: the results must be possible to replicate. If one FA says 'conclusive' and another says 'persuasive' there's something wrong.

Add to that the behaviour noted by incompetent FA's, for example the examples provided in the chapter on arson (Case Study: Cameron Todd Willingham) in 'Forensic Science Reform' or that of fingerprint evidence (Case Study: Brandon Mayfield), in which one or more forensic analysts end up stating 'conclusive' evidence for what was lack of knowledge in one case, and faulty processing in the other.

1. Conclusive Fact:- The current set of data on a device, following testing and validation cannot be interpreted any other way than that which is presented.


Considering that a majority of Intel computer systems have had AMT systems (remote out-of-band management of personal computers) for many years, potentially allowing something very like backdoor access through a separate path, there is always at least one alternative interpretation that someone else did it. The technical possibility is there, it's a question of 'how can we tell if AMT was used or not? Can we exclude that it was used?'

2. Compelling:- Digital data is as a result of a known and validated process initiated by known actions. (Example, internet history found in a browsers typical log file)


Don't understand what you're saying. The first sentence reads as if there are some parts missing.

3. Persuasive:- Information deviates from standard formats but can be logically tested, verified and explained. (Example, a carved Internet History record)


And again, not certainly. On a system, running virtual machines, some of which have been deleted, you can't necessarily say if a carved history record comes from the main system or from one of the virtual systems. This very probably affects interpretation.

4. Feasible:- Digital data is capable of explaining a suggested hypothesis but 1 or more core requisites are missing in order for a scenario to be fully validated with available digital data.


Disagree. A core requisite must be present: if it isn't there, it's not a hit. Minor factors could possibly be absent, without affecting the core interpretation, but if a core requisite is absent, and it leads to 'feasible' (a weak *positive* result) it may become ground for false convictions. (And those core requisites must be on *very* strong scientific grounds. Shaken Baby Syndrome had three core requisites ... but they were not based on good science. True, a little beside the point in this case, as SBS did not go so far as to declare 'feasible SBS' if one of the triad elements was not present -- but if it had, the damage in false convictions would have been appalling.)

Drop this one entirely, I think.

5. Implausible:- Digital data is unlikely to be as a result of the proposed hypothesis. Core requisites are missing in order to rely upon the understanding offered. (For example, suspect says A happened, but for A to have happened the digital data needs to show B and C. Neither are present.)


From here on, I see no real value in the scale. Why grade negative results?

Missing entirely is grading based on absent forensic research. Imagine that there is no research at all, yet someone has created a process and claims that provide input X, Y, Z, perform process p1, p2, p3, and output will provide The Answer. A bit like microscopic hair comparison as foundation for identifying people.

Those who bought into the idea, won't question it. Hopefully, someone will say 'junk science' --- but then, they did that over SBS, and very few listened.

A Junk Science forensic analyst will provide appropriate confidence levels to his results ... but as he can't be trusted in the first place, what use are they?

Hopefully this is an unmentioned prerequisite for the use of the scale of confidence.  
 
  

trewmte
Senior Member
 

Re: A scale of confidence for digital evidence

Posted: Jan 27, 19 02:59

- tootypeg


1. Conclusive Fact:- The current set of data on a device, following testing and validation cannot be interpreted any other way than that which is presented.


The fact of your finding may not be 'conclusive' neither might it support the use of compression of the word 'fact' by the use of an adjective; your qualifying state is only based on 'current' understanding and not necessarily of things to come or (new) discoveries to be made.
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 
 

Page 2 of 5