Chapter 4: The Investigative Process


Overview

Eoghan Casey and Gary Palmer

...the law and the scientific knowledge to which it refers often serve different purposes. Concerned with ordering men's conduct in accordance with certain standards, values, and societal goals, the legal system is a prescriptive and normative one dealing with the "ought to be". Much scientific knowledge, on the other hand, is purely descriptive; its "laws" seek not to control or judge the phenomena of the real world, but to describe and explain them in neutral terms.

(Korn 1966)

The goal of any investigation is to uncover and present the truth. Although this chapter will deal primarily with truth in the form of digital evidence, this goal is the same for all forms of investigation, whether it be in pursuit of a murderer in the physical world or trying to track a computer intruder online. As noted in the Introduction, when evidence is presented as truth of an allegation it can affect whether people are deprived of their liberties, and potentially whether they live or die. This is reason enough to use trusted methodology and technology to ensure that the processing, analysis, and reporting of evidence are reliable and objective. This chapter describes such a methodology, based on the scientific method, to help investigators uncover truths to serve justice. This methodology is designed to assist in the development of case management tools, Standard Operating Procedures (SOPs), and final investigative reports. It has grown out of experiences and discussions in the field, and is believed to be complete and sufficient in scope. However, every investigation is unique and can bring unforeseeable challenges, so this methodology should not be viewed as an end-point but rather as a framework or foundation upon which to build.

The investigative process is part of a larger methodology most often associated with courts of law shown in Figure 4.1. The process of determining if wrongdoing has occurred and if punitive measures are warranted is complex and goes beyond investigative steps normally referred to as "forensic." By forensic we mean a characteristic of evidence that satisfies its suitability for admission as fact and its ability to persuade based upon proof (or high statistical confidence).

Figure 4.1: Overview of case/incident resolution process.

The simplified methodology depicted in Figure 4.1 is provided to help investigators see the placement of their activities relative to other necessary events. The investigative process begins with an accusation and progresses through evidence handling to a clear and precise explanation of facts and techniques in expert testimony. This linear representation is useful for structuring procedures and a final report that describes each step of an investigation to decision makers. In practice, investigations can be non-linear, such as performing some basic analysis in the collection stage, or returning to the collection step when analysis leads to additional evidence. Before delving into this investigative methodology in detail, there are some fundamental concepts that must be understood.

Trained, experienced investigators will begin by asking themselves a series of questions aimed at deciding if a crime or infraction has actually occurred. The answers to these questions will help determine whether a full investigation will proceed or whether valuable and limited investigative resources are better applied to other matters. For instance, when log files indicate that an employee misused a machine but he adamantly denies it, a digital investigator should carefully examine the logs for signs of error. Similarly, when a large amount of data is missing from a computer and an intruder is suspected, digital investigators should determine if the damage is more consistent with disk corruption than with an intrusion. In one case, a suicide note on a computer raised concern because it had a creation date after the victim's death. It transpired that the computer clock was incorrect and the note was actually written before the suicide.
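The suicide-note case above turns on a clock that was wrong, and the check an examiner would make is mechanical: read the suspect machine's clock next to a trusted reference at collection time, compute the offset, and re-evaluate any timestamp that looks impossible on the corrected timeline. The following Python is an added illustration of that check; it is not code from the book or from any tool the chapter describes, and every value in it (the clock readings, the time of death, the file paths and timestamps) is constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed values for this example (not from the book). At collection time
# the examiner read the suspect machine's clock next to a trusted reference
# clock; here the machine was found to be running two days ahead.
REFERENCE_AT_COLLECTION = datetime(2003, 3, 10, 14, 0, tzinfo=timezone.utc)
MACHINE_AT_COLLECTION = datetime(2003, 3, 12, 14, 0, tzinfo=timezone.utc)

# Independently established boundary (constructed): the time of death, after
# which no activity by the victim is possible.
TIME_OF_DEATH = datetime(2003, 3, 5, 18, 0, tzinfo=timezone.utc)


@dataclass
class FileEvent:
    path: str
    kind: str                # "created" or "modified"
    machine_time: datetime   # timestamp exactly as the suspect machine recorded it


def clock_offset(reference: datetime, machine: datetime) -> timedelta:
    """How far the machine clock ran ahead of the reference (negative if behind)."""
    return machine - reference


def corrected_time(event: FileEvent, offset: timedelta) -> datetime:
    """Map a machine-clock timestamp onto the reference timeline.

    This assumes the offset was constant over the period of interest. If the
    clock was reset or drifted between the event and collection, the correction
    is only trustworthy near collection time and must be corroborated from
    sources the machine did not control (e.g. timestamps written by a server).
    """
    return event.machine_time - offset


def after_boundary(events, boundary: datetime, offset: timedelta = timedelta(0)):
    """Paths of events whose (optionally corrected) timestamp falls after a
    boundary that no activity by the person could follow."""
    return [e.path for e in events if corrected_time(e, offset) > boundary]


# Constructed sample events recovered from the imaginary suspect machine.
EVENTS = [
    FileEvent("C:/Documents/note.txt", "created",
              datetime(2003, 3, 6, 22, 30, tzinfo=timezone.utc)),
    FileEvent("C:/Documents/budget.xls", "modified",
              datetime(2003, 3, 1, 9, 15, tzinfo=timezone.utc)),
]


def triage():
    """Compare the raw and clock-corrected timelines against the boundary.

    A raw anomaly that disappears after correction points at the clock, not at
    the evidence; one that survives correction still needs an explanation.
    """
    offset = clock_offset(REFERENCE_AT_COLLECTION, MACHINE_AT_COLLECTION)
    return {
        "offset": offset,
        "raw_anomalies": after_boundary(EVENTS, TIME_OF_DEATH),
        "corrected_anomalies": after_boundary(EVENTS, TIME_OF_DEATH, offset),
    }


if __name__ == "__main__":
    result = triage()
    print(f"machine clock ahead of reference by {result['offset']}")
    print("anomalies on raw timeline:      ", result["raw_anomalies"])
    print("anomalies on corrected timeline:", result["corrected_anomalies"])
```

On the constructed data the note appears to be created a day after the death on the raw timeline, and the anomaly vanishes once the two-day clock offset is removed, which is exactly the outcome the case above describes. The offset, the reference clock used, and the assumption of constant drift all belong in the examiner's notes, since they are what a reviewer will need in order to check the reasoning.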

When these questions are answered affirmatively, the focus shifts toward determining what happened, where, when, how, who was involved, and why. The process by which digital evidence is uncovered and applied to these issues is composed of several steps each employing strict protocols, proven methods, and, in some cases, trusted tools. More importantly, the success of this process depends heavily on the experience and skill of the investigators, evidence examiners and crime scene technicians who must collaborate to piece the evidence together and develop a convincing account of the offense.

The effectiveness of the investigative process depends upon high levels of objectivity applied at all stages. Some cases and the nature of the evidence uncovered (digital or otherwise) will take investigators and forensic examiners to emotional limits, testing their resolve. Computer security professionals in the private sector often have to investigate long-time coworkers and cases in all sectors can involve brutal abuse of innocent victims, inciting distraught individuals and communities to strike out at the first available suspect. A good investigator can remain objective in the most trying situations.

The very traits that make a good investigator or forensic examiner may lead us to depend on experience in place of individual case-related facts, resulting in unfounded conclusions. Individuals with inquiring minds and an enthusiasm for apprehending offenders begin to form theories about what may have occurred the moment they learn about an alleged crime, even before examining available evidence. Even experienced investigators are prone to forming such preconceived theories because they are inclined to approach a case in the same way as they have approached past cases, knowing that their previous work was upheld.

Hans Gross, one of this century's preeminent criminologists, put it best in the following quotation:

Nothing can be known if nothing has happened; and yet, while still awaiting the discovery of the criminal, while yet only on the way to the locality of the crime, one comes unconsciously to formulate a theory doubtless not quite void of foundation but having only a superficial connection with the reality; you have already heard a similar story, perhaps you have formerly seen an analogous case; you have had an idea for a long time that things would turn out in such and such a way. This is enough; the details of the case are no longer studied with entire freedom of mind. Or a chance suggestion thrown out by another, a countenance which strikes one, a thousand other fortuitous incidents, above all losing sight of the association of ideas end in a preconceived theory, which neither rests on juridical reasoning nor is justified by actual facts. (Gross 1924, pp. 10–12)

As experience increases and methods employed are verified, the accuracy of these "predictions" may improve. Conjecture based upon experience has its place in effective triage but should not be relied upon to the exclusion of rigorous investigative measures. The investigative process demands that each case be viewed as unique with its own set of circumstances and exhibits. Letting the evidence speak for itself is particularly important when offenders take steps to misdirect investigators by staging a crime scene or concealing evidence.

The main risk of developing full hypotheses before closely examining available evidence is that investigators will impose their preconceptions during evidence collection and analysis, potentially missing or misinterpreting a critical clue simply because it does not match their notion of what occurred. For instance, when recovering a deleted file named "σorn1yr5.gif" depicting a naked baby, an investigator might impose a first letter of the file that indicates "porn1yr5.gif" rather than "born1yr5.gif". Instead, if the original file name is not recoverable, a neutral character such as "_" should be used to indicate that the first letter is unknown.

This caveat also applies to the scientific method from which the investigative process borrows heavily. At the foundation of both is the tenet that no observation or analysis is free from the possibility of error. Simply trying to validate an assertion increases the chance of error - the tendency is for the analysis to be skewed in favor of the hypothesis. Conversely, by developing many theories, an investigator is owned by none and by seeking evidence to disprove each hypothesis, the likelihood of objective analysis increases (Popper 1959). Therefore, the most effective way to counteract preconceived theories is to employ a methodology that compels us to find flaws in our theories, a practice known as falsification.

start sidebar

Generally, in the prosecutorial environment, scientific truth is subordinate to legal truth and investigators must accept the ruling of the court. Similarly, investigators must generally accept an attorney's decision not to take a case. However, in some instances, investigators will face an ethical dilemma if they feel that a miscarriage of justice has occurred. An investigator may be motivated to disclose information to the media or assist in a follow-up investigation but such choices must be made with great care because a repeated tendency to disagree with the outcome of an investigation will ruin an investigator's credibility and even expose him/her to legal action.

end sidebar

For example, as an investigation progresses a prime suspect may emerge. Although it is an investigator's duty to champion the truth, investigators must resist the urge to formally assert that an individual is guilty. A common misdeed is to use a verification methodology, focusing on a likely suspect and trying to fit the evidence around that individual. When a prime suspect has been identified and a theory of the offense has been formed, experienced investigators will try to prove themselves wrong. Implicating an individual is not the job of investigators - this is for the courts to decide and, unlike scientific truth, legal truth is negotiable.

For instance, in common law countries, the standard of proof for criminal prosecutions is beyond a reasonable doubt and for civil disputes it is the balance of probabilities. Legal truth is influenced by ideas like fairness and justice, and the outcome may not conform to the scientific truth. A court may convict an individual even if the case is weak or some evidence suggests innocence.

Most forensic scientists accept the reality that while truthful evidence derived from scientific testing is useful for establishing justice, justice may nevertheless be negotiated. In these negotiations, and in the just resolution of conflict under the law, truthful evidence may be subordinated to issues of fairness, and truthful evidence may be manipulated by forces beyond the ability of the forensic scientist to control or perhaps even to appreciate fully. (Thornton 1997)

Galileo Galilei's experiences provide us with an illustrative example of the power of the scientific method in discovering the truth and the cost of ignoring the reality that scientific truth may be subordinated to other truths. By observing the motion of stellar objects, Galileo gathered evidence to support Copernicus's theory that the Earth revolved around the Sun. Although Galileo was correct and was widely respected as a scientist and mathematician, he was unable to dislodge the heliocentric conception of the Solar system that had persisted since Aristotle proposed it in the fourth century B.C. It seemed absurd to claim that the Earth was in motion when anyone could look at the ground and see that it was still. Also, the most vehement opponents of the idea felt that it contradicted certain passages in the Holy Scripture and thus threatened the already wavering authority of the Catholic Church (Sobel 1999).

The issue came to a head in 1616 when Pope Paul V appointed a panel of theologians to decide the matter. Despite its widespread acceptance and Galileo's efforts to present supporting evidence, the panel concluded that certain aspects of Copernican astronomy were heretical. In essence, scientific truth was subordinated to a religious truth. Although Galileo was instructed not to present his opinions about the Solar system as fact, he was not specifically named as a heretic, one of the most grave crimes of the time. Almost twenty years later, by claiming that he had abandoned his belief in the Copernican model as instructed but wanted to demonstrate to the world that he and the Church fully understood all of the scientific arguments, Galileo obtained permission to publish his observations and theories in Dialogue of Galileo Galilei. However, the Dialogue quickly generated outrage and, in 1633, the book was banned and the 70-year-old Galileo was imprisoned for heresy and compelled to formally renounce his belief that the Earth rotated around the Sun.

There are a few valuable lessons here. The employment of a rigorous investigative process may uncover unpopular or even unbelievable truths subject to rejection unless properly and clearly conveyed to the intended audience. Investigators may be faced with a difficult choice - renounce the truth or face the consequences of holding an unpopular belief. It is the duty of investigators to unwaveringly assert the truth even in the face of opposition.

This account of Galileo is not intended to suggest that science is infallible. The fact is that science is still advancing and previous theories are being replaced by better ones. For instance, DNA analysis has largely replaced blood typing in forensic serology, and although the technique of blood typing was valid, it was not conclusive enough to support some of the convictions based upon evidence derived from that analysis alone. This weakness can be shown in dramatic fashion by the existence and success of the Innocence Project,[1] which is using results of DNA analysis to overturn wrongful convictions based on less than conclusive ABO Blood Typing and enzyme testing.

While preparing for the final step of the investigative process (the decision or verdict) it is important to keep in mind that discrepancies between scientific and legal truth may arise out of lack of understanding on the part of the decision makers. This is different from scientific peer review, where reviewers are qualified to understand and comment on relevant facts and methods with credibility. When technical evidence supporting a scientific truth is presented to a set of reviewers who are not familiar with the methods used, misunderstandings and misconceptions may result. To minimize the risk of such misunderstandings, the investigative process and the evidence uncovered to support prosecution must be presented clearly to the court. A clear presentation of findings is also necessary when the investigative process is applied to support decision makers who are in charge of civilian and military network operations. However, investigators may find this situation easier since decision makers in these domains often have some familiarity with methods and tools employed in forensic investigations for computer and network defense.

[1]http://www.innocenceproject.org

Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279