Expert Witness Corner: The Importance of Computer Forensics in Criminal Law

In many instances old, or conventional crime is perpetrated using new approaches that are reliant on technology. Postal fraud, for instance, has evolved to employ electronic communication channels, giving rise to waves of emails seeking to defraud recipients with promises of money and fictitious prizes (commonly known as ‘419 scams’ as many of such notes tend to originate from the African continent and 419 is their penal code for wire fraud).

Studies into the cost of cyber-crime, commissioned independently by the Department of Trade and Industry (DTI) reveal alarming trends in the abuse and misuse of technology. The average cost per security incident has risen to over £160,000 and nearly one in four businesses in the UK have suffered a serious hacker attack or virus outbreak. The impact of an information security breach can be so devastating to business operations that one in ten never actually recover and the shutters close permanently. To counter this growing threat, security and law enforcement agencies have adopted fresh approaches for dealing with high technology crime.

Forensic Computing is a relatively young science when compared to contact forensics such as fingerprint recognition which have roots that can be traced back to Edmond Locard, who in the early 1900s famously postulated the theory of evidence being left as ‘mutual exchanges of contact’. Whilst various descriptions exist in relation to this practice, the international survey undertaken by Hannen has been taken as the de-facto definition: ‘Processes or procedures involving monitoring, collection, analysis… as part of ‘a priori’ or ‘postmortem’ investigations of computer misuse’. It is important to appreciate that this definition takes a wider view than the conventional reactive description, where forensics was regarded purely as an incident response function. Hannen considers digital forensics as also taking a pro-active role in security, where it can be combined with intelligence and operational planning.

As a serious field of research, forensic computing studies only started to take real form in the early 1990s when, faced with ever increasing numbers of computers being seized at crime scenes and the potential for crucial evidence to be stored on a PC, various government agencies came together to host the International Conference on Computer Evidence (ICCE). Here many of the challenges facing law enforcement communities were aired and agreements forged to cooperate towards finding effective solutions.

Two years later, in 1995, the International Organisation for Computer Evidence (IOCE) was formed, and a further two years later the member states that comprise the G8 subscribed to the mission of IOCE, pledging support for the organisation. This was the catalyst required to stimulate research and development, and since then great advances have been made in all spheres of digital evidence management. When working on a matter where the case will rise or fall on the strength of digital evidence, for example where an allegation of possession of indecent images has been made, it is important to commission an independent forensic examination of all evidence and digital materials. This places the evidence into the wider context of the offence and enables barristers to make directions to the court based on a fuller appreciation of matter.

Assuming material has been seized by the authorities, the state will usually conduct their own forensic assessments (typically undertaken by the regional police hi-tech crime unit), the results of which will be provided to legal representations. The mechanics of this process involve the ‘imaging’ of the ‘target media’ – the process of making a forensically sound duplication of digital materials of interest (e.g. the computer hard drive). During this duplication process a ‘write-blocking’ device will be employed to ensure the target media is not affected or corrupted in any capacity whilst its content is read and mirrored. The actual forensic analysis is then made upon the duplicated material, with the original placed into secure storage and maintained in the state in which it was seized. The forensic analyst will then peruse the imaged copy to identify materials of potential evidence value, extracting copies as necessary to form the basis of the expert report.

Looking at this from a defence perspective, a number of questions should be posed in relation to the digital evidence (based on the Daubert threshold test that evaluates the competency of evidence in the United States):

• whether the theories and techniques employed by the scientific expert have been tested;

• whether they have been subjected to peer review and publication; • whether the techniques employed by the expert have a known error rate;

• whether they are subject to standards governing their application; and

• whether the theories and techniques employed by the expert enjoy widespread acceptance.

Putting abuses of technology on a statutory footing, Britain has a suite of legislation that can be invoked, from the Computer Misuse Act 1990 to the Regulation of Investigatory Powers Act 2000.

Today digital forensics is an accepted science, and evidence duly secured in relation to best practices (in the UK these guidelines are outlined by the Association of Chief Police Officers) can be served in a court of law. Digital forensics are providing breakthroughs in all manner of high profile cases around the world, helping security and law enforcement agencies to catch offenders and secure convictions.

In the US, for example, the notorious BTK serial killer that had a reign of terror lasting over twenty five years in the Wichita areas, was ultimately tracked down after he sent a disk to a local radio station gloating at the police’s inability to catch him. Unique digital footprints embedded within the files were extracted by forensic specialists, and like a lone fingerprint, investigators now had a powerful lead – all they needed was to match the file to the computer that had created it (much like having a fingerprint but not a suspect’s hand to match it with). Wichita Police then conducted a house to house search, taking file samples from every computer encountered. Back in the laboratory, the file footprints were compared to the sample disk posted by the BTK killer, eventually finding a match. This tied the floppy disk to Dennis Radar’s PC, a virtual smoking gun as far the prosecution were concerned. This digital evidence became a pivotal element of the State’s case and ultimately helped secure a conviction.

In the UK the 2002 murders of Holly Wells and Jessica Chapman in Soham, Cambridgeshire, also saw digital forensics play a crucial, but largely unknown, role in the investigation. Technical analysts examined one of the girl’s mobile phone to identify where it was located when it had been turned off. Information on the nearest network communication tower tends to be stored in a phone’s memory and when the signal coverage of that tower is plotted, it is possible to identify the rough area (typically a few square kilometres) in which the phone was located when it was switched off. Having extracted this information from the handset, authorities had a rough idea of where to base their search; which ultimately led to the recovery of the two girl’s bodies.

Speaking in an interview several years after his pioneering research on the Manhattan Project where atomic reaction theory was developed, scientific visionary Oppenheimer explained that ‘the scientist is free to ask any question, to doubt any assertion, to seek for any evidence’. This thinking holds especially true when applied to the discipline of forensic computing in a legal context. Here experts may be instructed by either the prosecution or the defence, however, in either instance, they have a higher duty to the court. They are instructed as experts, but experts for the truth. It is important therefore to ensure that the experts instructed are duly qualified, experienced and independent.

Commenting on the nature of digital evidence, John Brown, Partner at Hogan Brown Solicitors, explained how the fragile nature of digital evidence can pose serious challenges to the investigator: ‘digital material is extremely volatile – perhaps more delicate than its physical counterparts. It can be copied, amended, and transferred without almost any trace – only experienced and qualified specialists should be employed to work in a digital forensic environment if the subsequent findings are to withstand the scrutiny of a court of law’. When working on a matter where the case will rise or fall on the strength of the digital evidence, perhaps where an allegation of possession of indecent images has been made, it is important to commission an independent forensic examination of all evidence and digital materials. It is also important that lawyers, when they try to find an expert witness choose someone with the necessary skills who is not only able to prepare an objective, unbiased report but also deliver oral testimony if required.

Forensic computing and the securing of digital evidence is a powerful tool in today’s fight against increasingly technically-savvy criminals. It is a discipline that continues to evolve and should remain high on the radar for both legal practitioners and law enforcement authorities.

Ross Patel is a forensic computer consultant with Afentis Forensics. You can view the company profile and find an expert witness at X-Pro UK, the innovative expert witness directory.

Find More Expert Witness Articles

Expert Witness Corner: Forensic Analysis of Mobile Telephones – A Brief Guide

Mobile Telephone Handsets – The Essentials:

Modern communication devices of this form comprise of three distinct components: a finger-nail sized chip known as the ‘Subscriber Identity Module’ (SIM) that is responsible for service with the telecom network provider, the handset, which provides the user interface and memory capacity to store information, and removable memory modules that facilitate simple exchange of information and markedly improve the data storage capacity of the phone.

Many specialists argue that the mobile phone has become the new fingerprint – a case in point being Ian Huntley’s conviction for the Soham murders  in the U.K which was based partly on crucial mobile phone evidence.

Digital Evidence:

Mobile phones employ what is known as ‘flash memory’ to store data and settings. Unlike the ‘Random Access Memory’ (RAM), which is found within computers, flash memory can continue to store information even in the absence of a power source.

As mobile communication devices continue to evolve, with features like word processing and photo imaging applications becoming commonplace, the memory storage areas have become increasingly important silos of digital evidence.

The following materials can be recovered from the handset and can greatly assist in case preparations:

• Logged Incoming & Last Dialled numbers
• Text & Multimedia messages
• System Settings (including date/time/volume)
• Stored audio/visual materials
• Saved computer and data files
• Calendar and Alarm notifications
• Internet settings and websites accessed.

Common Questions:

Q: Where does evidence reside – on the handset or on the SIM?

A: Materials of evidentiary value are stored on both the SIM4 and within the handset memory. Therefore it is recommended that comprehensive evaluations of both are undertaken. The SIM will tend to contain valuable user-specific information such as network identity, whilst the handset will contain large amounts of information relating to calls made/received, texts sent/received, images/video clips created etc.

Q: Can obscene images/material be stored on a handset?

A:The prevalence of high resolution cameras on most mobile telephones has led to an increase in the number of offences being committed in relation to creation, or attempted creation, of obscene images. Assuming a standard handset with 32MB of memory, close to 500 still images could be taken and stored.

Q: Data deleted six months ago – can it be recovered?

A: Dependent upon a number of factors, such as whether the information has since been over-written, it is possible to retrieve even the oldest materials committed to the phone – including material that were never saved by the user. In most cases a surprising amount of information can be retrieved, often going back several years.

Q: Does locking the handset keep information private?

A: Personal Identification Numbers (PINs) and pass codes can be used to restrict access to the handset, but forensic assessments typically bypass such controls by interrogating the memory module directly5. At this time encrypted file-systems and data storage areas are not available in standard retail handsets.

Q: What else can the handset tell us?

A: Aside from digital evidence the presence of DNA traces on the keypad, earpiece and mouthpiece can tie a user to device. Similarly, ‘Call Data Records’ (CDRs)6 can be retrieved from the network provider, providing near post-code location information as to where and when the device was used.

Q: How do you identify the International Mobile Equipment Identity?

A: The IMEI is a 15 digit Code used to identify the phone to the network. Whilst this code can be retrieved during a forensic examination, a quick way to force the handset to display onscreen the code is to enter *#06# on the keypad7. Caution: this approach to identifying the IMEI may affect valuable evidence in storage.

Q: OK, I’ve got the basics, but where can I find the right expert to help my case?

A: There are a number of expert witness directories available, particularly online, where you can find an expert witness with the relevant experience to help you. If you can find someone recommended by a fellow professional who has used the expert before, so much the better.

Did you know?

New mobile telephones have as much as 32 megabytes of internal memory – enough to comfortably store a document with over 2,000 pages of text!

Telephone handsets will typically store user defined words that are not in a normal dictionary. Names of individuals and places are therefore often stored in this archive – a potentially valuable source of intelligence for investigators.

Ross Patel is a forensic computer consultant with Afentis Forensics. You can view the company profile and find an expert witness at X-Pro UK, the innovative expert witness directory.

Expert Witness Corner: The Value & Limitation of Mediation In Child Contact Cases

“Every fight is on some level a fight between differing ‘angles of vision’ illuminating the same truth” 

Mahatma Gandhi


In recent times there have been a large number of experts who have advocated the increased use of mediation or ADR (alternate dispute resolution). In fact it has been suggested by Lord Woolf that litigation be considered an option of last resort in Civil Courts. One is prone to agree with this view whether or not mediation of ADR is ultimately successful in resolving, or making just decisions, between disputing factions. While I personally agree with this view, in the case of family problems, mediation can frequently result in failure rather than success.

Unfortunately, ADR, although it should be attempted, frequently fails in achieving a desired end result, especially with family problems such as contact disputes following implacable hostility barring the way to success.  This is most likely to be the case when an absent parent, (mostly fathers), have difficulty in obtaining good contact with their children due to the hostile custodial parent (usually the mother).

A distinction is sometimes made between mediation and arbitration. The result of arbitration is binding in that all parties involved agree to abide by conclusions reached. Psychologists acting as expert witnesses frequently prefer this approach to mediation. This is because no such demands are made with those who participate in mediation such as following the conclusions reached by the mediator or arbitrator. It is in this area that the author has had considerable experience with the Family Courts who have reached certain considerations which are not shared by everyone.

This is that mediation without the “sword of Damocles” hanging over those in dispute is valueless. It must be understood that mediation can only be effective if those in dispute sincerely seek to find a solution and are not intransigent in holding on to their views without considering other points of view. Co-operation and understanding also needs to be sincere, especially in family disputes, that is, contact issues. By this I mean that there needs to be considerable pressure on those in dispute to reach a decision, or be helped to accept a decision, which is then made by the mediator (or perhaps even better by the arbitrator) to be put forward to the Judiciary. The important factor is that some kind of decision needs to be reached. This can be best achieved by the expert witness, having studied those in dispute, putting forward a point of view and providing reasonable arguments for the point of view advocated to the Court.

Steps during the family mediation consist of each party making statements giving their position and why they hold this position. The mediator/arbitrator indicates his independence by noting and acknowledging the individual positions, and by interviewing the individuals in dispute separately, and working toward finding some area(s) of agreement. The areas of disagreement should also be noted and suggestions made as to how these can be changed toward being more  positive . Eventually, after such explorations the parties will be seen together dealing firstly with the areas of agreement. Areas of disagreement, should lead to negotiating the possibility of compromises being reached. Unfortunately this is not always possible in families who harbour implacable hostilities based on emotions such as feelings of anger, rejection, jealousy, selfishness etc. This fact must eventually be reported to the court who must then make the ultimate decisions, hopefully based on what the mediator has found through his efforts.
Hence, “mediation” becomes somewhat of a substitute for justice via litigation because the requirement for mediation is to in some way is to fetter the individuals concerned once they have access to justice. It must be accepted that mediation is not a panacea but should often be tried first before turning to litigation, or to be part of the litigation process. This however, should be complimentary to justice. It cannot ever be a substitute for justice. This  is because one must admit however reluctantly, that with family disputes mediation most often fails. This is because family disputes are caused by powerful, entrenched emotions, especially in contact disputes.
The implacable hostilities between the parties result in efforts to manipulate children and expert witnesses to oppose contact with an absent parent as illustrated by the example which follows. This leads to a “power struggle” with a multitude of trickery being displayed where the children become a ‘weapon’ used by a custodial parent, usually against the non resident parent.
The carrying out of the process of mediation to combat such implacable hostility requires that the mediator communicates to the Court the underhanded and often insincere practices used by the alienator against the alienated parent. Sofly, softly mediation approaches should be used at the beginning of the process. These approaches however, must give way to more firm tactics.

Hence, the frequently underhanded tactics of the hostile alienator must be revealed to the Judiciary who have the final decision to make. These decisions must curb the alienator by providing a true account of the situation, which an often non residential parent has to face. The Judiciary must consider the following:

1.  The long term effects of preventing a loving parent from having good contact with his/her children.
 (a)  Its impact on the absent parent.
 (b)  Its impact on the children caught in the middle.

2.  The long term effects the successful manipulative parent may learn, i.e. has he/she learned that injustice has won the day and implacable hostility has been successful?

The expert witness mediator/arbitrator, being intimately involved with the case, should be able to make suggestions to the court on how to achieve true justice and hope that the Judiciary will both listen and act accordingly. Alas this is not always the case.

The mediator/arbitrator in his/her report to the Judiciary must put forward to the Court the views of the disputants and state where they have found areas of agreement if any, and where they cannot agree and why this is so. The mediator/arbitrator also needs to point out to the Court if any of the disputants have been seen to agree with the possible solutions eventually proposed by the mediator/arbitrator. Let us illustrate this by an actual case, sufficiently disguised for the sake of anonymity.

Case illustration:

Mr and Mrs X have been in dispute over 7 years. At present Mr X has for some time experienced difficulties in having any contact with his two daughters aged 8 and 10. There was implacable hostility between the mother and father, mainly on the mother’s side. She had been given custody after an acrimonious divorce.

The two girls had been imbued over the years with the view that their father could be a danger to them as allegedly he had been to the mother. They had witnessed the father and mother in the past showing extreme hostility towards one another. This even involved physical violence on occasion by both parents towards one another.

All the father wanted was regular contact with both his daughters. He was not opposed to the mother having custody of the children providing she would make it easy for him to see his children by encouraging the two girls to have good contact with him. This the mother professed she had done and claimed that the two girls did not wish to see the father. This was despite the fact that they both had had a good and warm relationship with their father before the parents parted.

The Court ordered that the expert witness (a Psychologist) carry out assessments of the
warring factions. The expert witness found that the mother, while professing she encouraged the two girls to have contact with their father was actually alienating them against the father. The mother claimed that she could do no more with the girls to get them to meet their father. The report by the expert witness to the Court revealed the true nature of events. Five mediation sessions were recommended by the expert witness to the Court to try to resolve the situation and this was accepted. Following the required mediation sessions, the expert witness reported that the father co-operated fully by supporting the mother and her role as the custodial parent. Mother however, was intransigent, admitting to the expert witness about her reservations in forcing her daughters to have direct unsupervised contact with their father. The mother was not co-operative with the expert witness during mediation and made all kinds of problems including the fact that the expert witness had behave improperly towards her during mediation. This only illustrated her devious nature to those involved in the case.

The Court ordered that the girls be able to see and be with their father and the mother very reluctantly agreed. The mother made a number of demands such as that the girls should phone her regularly “to see how things were going and to make certain that they were safe”. Mother also insisted that the girls not eat the food that the father prepared for them.

Father bought his two daughters clothes and toys and took them on outings to museums and other places of interest. The children were interrogated closely by the mother on each occasion they returned to her from seeing the father. They reported that they enjoyed being with the father and wanted to continue seeing him. This did not give the mother a great deal of joy and she plotted to destroy the contact that the children had established with the father. Problems manipulated by the mother followed during the handover of the children to the father. When one of the girls returned home to the mother with a bruise on the arm due to a ‘rough and tumble play’ at the father’s home, in which other children were involved, the mother contacted the police immediately. She also contacted her Solicitor and Social Services. The mother actually knew the truth of the source of the injuries but ignored this as she saw the opportunity to manipulate matters against the father and reported that he personally was a danger to his daughters.

All contact ceased and Police and Social Service investigations took place. The mother lied about what the children had told her about how the bruise had occurred. The father produced witnesses who had seen the boisterous games that were played and which the two girls were seen to enjoy. Despite the girls explaining matters, the Court as a result of a report from Social Services held that the father should cease having contact with his two daughters due to this incident. This was despite the fact that the expert witness after having completed his assessment and mediation sessions, considered that the best course of action, due to the mother’s manipulative and dishonest nature, was for the father to have custody of the two girls rather than the mother as the mother was working totally against any kind of way of rehabilitating the father with his daughters.

The expert witness felt that the decision by the Judiciary was totally unjust when the Judiciary decided that father should for the time being have no contact with his children. The father had done nothing wrong to warrant such a decision. The Judge was undoubtedly influenced strongly by the Social Worker who considered it in the best interest of the children to be in the care of their mother without their father being involved. He also felt that the animosity between the parents affected the children adversely. The Social Services also felt that there may have been an element of doubt as to whether the children were actually safe in being with their father on the basis of the minor injury one of the children suffered when playing at the father’s house.

It was clear to the expert witness that the Judge failed to have the courage to transfer custody of the children to the father, with whom the children began to resume a good relationship. Manipulation, deceit and injustice, as well as implacable hostility had won the day.

The case highlights the difficulties facing lawyers too. It’s one thing to find an expert witness with the necessary expertise to help your client but another thing entirely to get the just result, and this applies even in court-appointed cases.

This is but one example of injustice committed in the Family Courts. The current expert witness believes that the presence of a well-balanced Jury could do much to provide better justice than is currently the case in the Family Courts.

Dr Ludwig Lowenstein is an experienced clinical, educational and forensic consultant psychologist based in the South East of England. You can view his profile and find an expert witness at X-Pro UK, the innovative expert witness directory.

More Expert Witness Articles

An Abundance of Inspiration Quotes in Quote Corner

Quote Corner is a website containing a collection of various quotes, proverbs and sayings. This website is currently featuring 17,823 different proverbs, passages and sayings. It offers a wide variety of quotations ranging from those that contain ideas about common themes such as love, friendship, wisdom, happiness and success. Not only this, it also has quotations about specific subjects like beauty, money, work and education. It features philosophies of popular figures like Abraham Lincoln, Oprah Winfrey, Mahatma Gandhi, and Martin Luther King Jr. and Albert Einstein. The website also contains famous speeches given by different historical figures. It includes the complete citation of the speeches and details such as the author and date the speech was given.

The website has been operational for a whole year and was launched back in March 22, 2011. The team behind this website is based in the Netherlands and they are responsible for constantly updating the items in the site. Quote Corner is a growing website, with a net worth of $ 1,910 USD and advertising revenue of about $ 1 USD per day. It has a generous amount of daily visitors and page views.

The simple layout of Quote Corner allows for easy access to its contents. The different quote categories are well-organized, making them easy to read and locate. The website uses basic colors like black, blue and white which makes its overall appearance viewer-friendly.

In terms content organization, the website offers a no-nonsense layout that allows visitors to conveniently search for relevant quotations by choosing from the detailed categories in the homepage. A search bar is located below the site logo. Key in a topic and the website will automatically show a list of related searches. Below the search bar are the different quote categories. The category Top 10 quotes include a list of ten most searched quotations on subjects of love, life, and friendship and from authors like Lao Tzu, Oscar Wilde and Mark Twain.

The category of authors includes a list of sayings from different historical figures. The website also classifies proverbs, passages and sayings by general subject. Click on a subject and it will automatically show quotations about that subject with the corresponding author for each of them. A list of numerous proverbs from different countries can also be found. The fifth and last category is that of famous speeches which offers a list of historical speeches given by famous figures. Each of these five categories conveniently indicates how many items can be found in each classification of subject and author. In addition to this, items are arranged alphabetically so it isn’t hard to locate a certain classification.

There is a certain power that words possess. A beautiful arrangement of a few well-chosen words can inspire millions. The message of a five-minute speech about success and positivity can transcend many generations. This is why many people enjoy reading quotes. Be it a quote that one needs to put in a thank you card, a sweet passage to tell a loved one, a motivational adage, or just simply a saying to ponder upon, Quote Corner will definitely satisfy those quotation needs.


Are you looking for more information regarding quotes? Visit today!

Find More Expert Witness Articles

Expert Witness Corner: A Fire Investigator?s Qualifications

Whether an attorney instructs a fire investigator to carry out work or is facing one across the courtroom it is essential that the lawyer satisfy himself or herself that the expert is properly qualified.

It is a young science and has evolved greatly of the last several years. Due to advances in the science of fire investigation certifying bodies and the courts are paying close attention to who qualifies and how. Investigations are conducted for various reasons ranging from those conducted by public fire departments to identify origin and cause, and whether or not any criminal activity was involved; to those privately financed by insurance companies and individuals to attempt to assign blame and recover loss. This article will discuss the range of education, training, experience, and certifications involved.

Education and Certifications

Formal education various greatly. The National Fire Protection Association (NFPA) 1033 “Standard for Professional Qualifications for Fire Investigator” is a standard for minimum requirements. The NFPA 1033 dictates in general that at a minimum, the investigator must be at least 18 years old and possess a high school diploma or equivalent. In general most will have various educations beyond this minimum. Formal education often varies from an associate’s degree in fire science to bachelors, masters, or doctoral degrees in engineering or other technical sciences.

There are numerous certifications available to demonstrate the minimum levels of competence. The two most recognized associations in the United States that certify are the National Association of Fire Investigators (NAFI) and the International Association of Arson Investigators (IAAI). NAFI offers three certifications that act as entry-level certification and documentation of education and experience. These certifications can be obtained upon completing various amounts on-scene training and completing varying amounts of training, often obtainable by attending various directed conferences. Upon meeting the applicant requirements, all of these certifications require passing a comprehensive written examination.

NAFI offers three different certifications; these are the Certified Fire and Explosion Investigator (CFEI), the Certified Fire Investigation Instructor (CFII), and the Certified Vehicle Fire Investigator (CVFI).

The IAAI offers two certifications which are the Fire Investigation Technician (IAAI-FIT) and the Certified Fire Investigator (IAAI-CFI). The IAAI-FIT is this association’s entry-level certification and requires a minimum of 18 months of general experience and a minimum of 44 hours of tested training. There is then a comprehensive examination. The IAAI-CFI has a much more rigorous application process that must be completed and approved before an applicant may sit for the certification examination. The requirements of the IAAI-CFI include a minimum of 4 years of full time experience, certain testimony experience or training requirements, education and training, and various other requirements that are set up on a point system. The applicant must complete the application meeting all the points requirements and include verification of every item listed.

Other agency specific certifications exist, but the most recognized may be the Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF) Certified Fire Investigator (ATF-CFI). This in-house certification applies scientific and engineering technology training in a 2-year training program. The ATF special agent must undergo a minimum of 6 weeks of classroom training and gain hands on experience of at least 100 fire scenes under the direct mentorship of an ATF-CFI.

Public Sector Fire Investigation

The public sector F.I is usually one employed by the government, such as fire department, state fire marshal’s office, etc. The range of education, training, experience, and certifications varies greatly in this category. Fire department investigators are often fire fighters that have moved into the fire investigations unit. They often receive in house training that is passed down from colleagues. Their background often includes an associate’s degree in fire science related to fire fighting with some training. Often, fire department fire investigators will work in this position for many years however the department’s budget is often limited when it comes to sending employees to outside training and conferences which is a requirement for independently recognized F.I certifications. The lack of funding for outside training can lead to not only a lack of certifications, but also a lack of awareness of the advances in the science. Fire departments will often send at least their lead investigators to the Fire Academy and to locally sponsored conferences.

Often, fire marshal F.I’s have transferred from a different position. The F.M’s office often has a less restrictive budget with respect to providing training. F.M.I’s often have or are on path to acquire various certifications.

The next level comes from federal agencies such as the Alcohol, Tobacco, and Firearms (ATF). ATF investigators go through a rigorous two-year training program to obtain the ATF’s Certified Fire Investigator Certification (ATF-CFI).

Private Sector Fire Investigation.

Private sector investigators are those that do not conduct work for government agencies, but are hired by insurance companies, attorneys, or other individuals to determine the origin and cause of fires. They range from ex-public sector fire investigators to engineers, chemists, and other technically degreed individuals whose careers have led them into fire investigation. They normally have more flexible budgets for attending conferences, seminars, and other forms of continuing education, which tends to become a job requirement in order to comply with the recertification requirements of the various certifications they may hold.

Attorneys should therefore always bear in mind when they are trying to find an expert witness that the person they eventually use must have impeccable credentials and qualifications that cannot be challenged by their opponent.

Cale Robertson began his career as an engineer, obtaining a bachelors of science and a master’s degree in mechanical engineering and holds all of the key qualifications discussed above. You can view his Profile and find an expert witness at X-Pro, the innovative expert witness directory.

Find More Expert Witness Articles

Expert Witness Corner: Inflicted Childhood Neurotrauma (Shaken Baby Syndrome)


Previous evidence has suggested that the shaking of a relatively heavy head about the neck causes such inertial forces within the brain tissue that shearing takes place with rupture of meningeal vessels and diffuse axonal injury, resulting in subdural haemorrhage and neurological damage. The retinal haemorrhages are generally thought to be due to the same shearing mechanisms at work within the vitreoretinal interface. There is a correlation between intra-ocular bleeding, anterior optic nerve haemorrhage and subdural haematomas. When looking at the relative positions of subhyloid haemorrhages at post mortem, it was found that the frequency of position of these haemorrhages coincided with the areas of maximal vitreoretinal adhesion, that is the ora serrata and the optic disc.

Post mortem findings of vitreous traction at the apex of retinal folds and the edge of dome shaped haemorrhages and retinoschisis gives some supporting evidence that vitreous forces may cause this shearing damage. There is no adequate model to test this experimentally, so this remains hypothesis, not established fact. In the situation of isolated intraocular haemorrhage with or without accompanying subdural haemorrhage there continues to be disagreement regarding the possibility of an accidental injury such as a short fall in the domestic setting being responsible for the clinical findings in the absence of other evidence to support non-accidental injury.

The Royal College of Ophthalmologists Working Party concluded in terms of the force required to cause retinal haemorrhages : “ absolute values can be given for the angular acceleration forces required to produce injury but there is good evidence that they must be considerable..”

In 2003 ‘Brain haemorrhage in babies may not indicate violent abuse’ appeared as a headline in the BMJ following a not proven verdict in the case of a child minder accused of murder at the High Court in Edinburgh. During this case research was presented which purportedly cast doubt that the injuries could only have been due to violent shaking.


Geddes and colleagues, in a series of papers presented their findings that the most common pathological finding was of brain swelling and hypoxic ischaemic encephalopathy with a significant number of cases having focal axonal damage in the lower brainstem rather than diffuse axonal injury as previously thought. They hypothesized that damage to the brainstem, by hyperextension–flexion (shaking) injury at the craniocervical junction may cause focal damage, resulting in apnoea, and a cascade leading to hypoxic ischaemic encephalopathy, brain swelling, raised intracranial pressure and death. (This has been referred to as the ‘unified hypothesis’.) They further suggested that hypoxia-related leakage of blood from veins both inside the dura and in the subdural space was the source of the subdural haemorrhage rather than traumatic rupture of bridging veins and that in the immature brain hypoxia alone is sufficient to activate the pathophysiological cascade which culminates in altered vascular permeability and extravasation of blood, so that the subdural and retinal haemorrhages were a secondary phenomenon and not due to shearing forces. This led to the conclusion that “ may not be necessary to shake an infant very violently to produce stretch injury to the neuroaxis…”

These comments related to those difficult cases in which there was little or no external evidence of injury but there were retinal and thin film subdural haemorrhages.

Other researchers have similarly reported the finding of hypoxic ischaemic damage rather than diffuse axonal injury but have not drawn the same conclusions regarding the forces involved.

However in terms of ocular examination there is no description of the retinal haemorrhages, they were either present or absent and they do not mention whether the optic nerves were examined. In the first paper they comment that “…a discussion of the aetiology of retinal haemorrhages…is beyond the scope of this paper. Later in their third paper they discuss the possible cause of retinal haemorrhages;

“ ..retinal haemorrhages can be explained by rises in intracranial pressure and central venous pressure, with and without hypoxia; they are also seen in a proportion of normal infants at birth, as well as in premature babies . In the setting of inflicted infant head injury, it has never been proved that retinal bleeding is directly caused by shaking; rather, it is widely assumed that it results from the shearing forces of the injury, which simultaneously cause retinal and subdural bleeding and diffuse brain damage. However…most infant victims…show very little ..traumatic pathology in the brain, it is appropriate to re-evaluate this assumption….”

Geddes’ pathological findings add little new evidence to the knowledge of retinal haemorrhages in shaken baby syndrome. In evaluating the latter Professor Luthert, an ophthalmic pathologist reviewing the various theories of causation (shearing forces vs other rheological mechanisms), timing and nature of injury concluded:

“….I consider it premature to consider that the eyes are in some way an independent arbiter of mechanism or severity of injury…”

The Geddes publications drew much attention particularly from those involved in child protection because of there conclusions. Punt published a lengthy rebuttal the main thrust of the which suggested intrinsic flaws within the research and a lack of evidence to support the unified hypothesis.

Geddes recently replied to Punt seeking to clarify their hypothesis explaining that whilst some had severe corticospinal pathology a few had strikingly little axonal damage:

“…In other words, in terms of numbers of axons injured, such an injury was trivial and totally survivable. What was not trivial was the child’s response to that injury…we do not know the minimum force needed to stretch the neuroaxis…..” .

Yet again they extrapolate this time from the fact that only a few nerve fibres may need to be damaged means only minimal force may be required to cause this small amount of damage but that the response was catastrophic, and that the damage to a small number of axons would be in itself survivable. This sounds plausible and intuitive, but just because only a few nerve fibres are damaged (and in some cases no obvious axonal damage in this area was found) does not prove that it does not require much force to cause this damage. It would seem that it is not that in terms of the number of axons damaged that determines that it is a trivial injury and survivable but it is the location of that damage.

The main scientific finding of Geddes in the first two papers was that in cases of retinal haemorrhages with thin film subdurals and in the absence of other injuries that the pathological finding is more commonly that of hypoxic ischaemic encephalopathy rather than diffuse axonal injury. This seems to have been lost in the subsequent arguments over the forces required to produce these findings.


The cause of retinal haemorrhages, including the biomechanics of vitreo-retinal traction, raised intracranial pressure, changes in vascular permeability all remain unproven hypothesis as does the suggested mechanism of haemorrhage from Geddes. We are trying to make informed decisions on the basis of necessarily incomplete observational data, using inadequate mathematical, anthropomorphic and animal models which do not reflect the true nature of the normal infant nor the forces involved in shaking. The minimum forces required to cause such haemorrhage are not known and given that previous assumptions have been based on calculations relating to the generation of diffuse axonal injury, the use of the finding of retinal haemorrhages in isolation as a surrogate measure for the forces involved becomes dubious.

Regardless of the recent debate the observational evidence to date remains that children with non accidental injury may have no visible retinal haemorrhages, whilst non accidental injury and birth are the only circumstances in which multiple retinal haemorrhages in differing layers of the retina have been accurately documented.

This small albeit difficult group should not divert us from a willingness to evaluate the literature critically, participate in reasoned debate and in further research and certainly not detract from the main message… DON’T SHAKE THE BABY!

As a postscript, I would urge any lawyer who has a client who is facing accusations of child abuse, particularly those involving SBS, to instruct an experienced expert witness who can deliver an unbiased, objective report and, where appropriate, oral testimony. As can be seen from this article, the issues involved are extremely complex and are not without opposing views.

William Newman is an experienced Expert Witness and Consultant Ophthalmologist based at Alder Hey Children’s Hospital, Liverpool, UK. You can find an expert witness and view his profile at X-Pro UK, the innovative expert witness directory.

Related Expert Witness Articles

Expert Witness Corner: SIM Card Data Retrieval – The Essentials

The Importance Of SIM Cards:

There are more mobile telephones in the UK then there are people – this pervasive technology impacts on almost all areas of industry and life. Unsurprisingly, mobile communications have enabled old crime to be effected in new ways and mobile telephones are increasingly forming a part of criminal prosecutions, where linkages between individuals or evidence of being at the scene of the crime is provided by an analysis of the digital evidence available within the mobile phones.

At the heart of every mobile telephone is the Subscriber Identity Module (SIM), a small fingernail sized chip, responsible for service with a telecom network provider.

Digital Evidence From SIM Cards:

Despite limited memory capacity, the SIM contains a wealth of information that, when considered in context, can greatly aid lawyers in their case preparations:

• Stored telephone numbers/contacts.

• Listings of ‘Last Dialled Numbers’.

• Text messages received, sent, drafted or deleted.

• General location information from last use.

• References to overseas network providers that have been used.

Common Questions:

Q: Could the SIM card have been cloned?

A: SIM cards produced after June 2002 employ the COMPv2 algorithm which provides a number of technical and security safeguards to prevent unauthorised modification. Despite media reports, the cloning of modern SIM cards is an extremely rare practice.

Q: Can my PIN code be cracked?

A: SIM card information can be locked using a four digit ‘Personal Identification Number’. RIPA contains provisions to force disclosure of passwords, however, it is usually easier to request a ‘Phone Unlock Key’ (PUK), enabling PIN settings to over- ridden, from the Data Protection Officer (DPO) at the relevant network provider.

Q: PAYG SIMs are untraceable!

A: With ‘Pay As You Go’ (PAYG) there is no formal contract with a network provider (e.g. Orange) to enable a customer look-up, however, ‘Call Data Records’ (CDRs) are still available from the network provider, providing information as to patterns of communication, calls to/from, time/dates etc. By mapping this information to known acquaintances of the defendant, considering the evidence in the context of other material (such as messages recovered from the telephone handset) and undertaking Cell Site Analyses (CSAs)3 it is possible to prove/disprove ownership of a handset.

Q: Does the SIM reveal who I’ve been in touch with?

A: Even without the disclosure of Call Data Records (CDRs) from the network provider, the SIM provides a plethora of useful information relating to contacts in the form of ‘Last Numbers Dialled’ (LND) and sections of the ‘Contacts Directory’. Numbers that haven’t been saved may still show up in the LND.

Q: Can a telephone handset be uniquely identified?

A: Mobile phone handsets are assigned unique 15-digit numbers, known as the International Mobile Equipment Identifier (IMEI), which is passed to the network provider before communication services can be utilised. This serial number allows specific handsets that have been stolen or blacklisted to be blocked from a network irrespective of what SIM card is inserted. Defences suggesting that a given handset has been ‘found’ and is not owned by the suspect are unlikely to hold water if Call Data Records (CDRs) show a pattern of usage that indicate the owners identity.

Q: What about sending anonymous texts?

A: They are not really that anonymous… If they are being sent via an internet service, there is typically a log retained by the site provider as to the computer IP address that sent the specific message – this can ultimately be tied by to an Internet Service Provider (ISP), and in turn a specific subscriber. If anonymous texts have been sent from a mobile telephone – typically a PAYG handset/SIM – the uniquely assigned International Mobile Subscriber Identifier (IMSI) code embedded in the SIM can be used in concert with CDRs to provide compelling evidence as to the sender identity.

Q: Can deleted text messages & numbers be recovered?

A: Data content (especially multimedia formats) is primarily stored on the handset or on a removable memory stick. The general rule of thumb is that any data that has been deleted can be recovered, however, if it has been over-written it does make the process more complex and the chances of success reduce with every over-write.

Q: Is possession of multiple SIM cards indicative of wrongdoing?

A: Not at all – many individuals are discovering that they can benefit greatly from the free text and talk allowances granted on mobile phone contracts by having two or more SIMs (typically with different network providers). Adapters are available to connect multiple SIMs to a handset simultaneously.

Did you know?

The SIM card will often contain a reference to the last network base station that it communicated with before being disconnected from the telecoms network.

If the SIM card has been used overseas, it is possible to retrieve a reference code from the card that will indicate which national/regional network provider was used.

Language preferences can be stored on SIM cards – useful intelligence for investigators which can open up new avenues of enquiry.

Ross Patel is a forensic computer consultant with Afentis Forensics. You can view the company profile and find an expert witness at X-Pro UK, the innovative expert witness directory.

Find More Expert Witness Articles

Expert Witness Corner: Maximising Quantum – A Physiotherapist’s Role

Traditionally, personal injury cases involve a report from an orthopaedic consultant or general practitioner to help establish the nature of the medical condition and its causation and prognosis. An experienced clinical physiotherapist can offer a complete understanding of the whole process from first injury right the way through to recovery. Armed with this knowledge, a more thorough and wide-ranging report can be provided that will accurately reflect the extent and timing of patient recovery – essential when considering issues of quantum and future care costs.

Soft tissue injuries are injuries not involving bony damage such as fractures. They are often incurred as a result of whiplash or repetitive strain and, as the name implies, only involve damage to muscles, tendons, ligaments, fascia and nerves. The damage is usually invisible on x-rays and scans and can be detected only by skilled examination. Torn muscles, ligaments, nerves and cartilages may require a surgeon’s skills. But once this primary care has been administered, the client will invariably be referred to a physiotherapist. A physiotherapist can provide specific and individually tailored treatment aimed at assisting the body’s natural healing and restoring full function.

Examples of relevant soft tissue injuries include:

•Muscle strains
•Lifting injuries
•Lower back pain
•Carpal tunnel syndrome
•Whiplash injuries
•Work-related upper limb disorders.

When examining issues of quantum and future costs, it is essential that a lawyer receives the whole picture: the exact nature of the injury, detail of treatment, likelihood of full recovery, timing of recovery, and an indication of future care costs, if any. An experienced physiotherapist in clinical practice has a wealth of relevant expertise.

A clinical physiotherapist is usually involved with a patient from presentation of the injury through to the end of rehabilitation. Treatment can be broadly divided into four stages:

1: Conducting a detailed specific examination to identify the body structures damaged and any loss of function.
2: Devising a treatment programme.
3: Implementing the treatment programme.
4: Seeing the patient through to the end of rehabilitation – hopefully back to ‘normality’.

The ‘hands-on’ nature of the patient–therapist relationship, plus the inevitably regular patient contact, give physiotherapists an enormous advantage when it comes to diagnosing and treating a complex soft tissue injury. In addition, the wealth of knowledge relating to rates of recovery from the various soft tissue injuries means that when it is applied to cases requiring an evaluation of quantum and likelihood of recovery, the lawyer receives an opinion from an expert with an understanding of the whole rehabilitation process.

Client history:

Any comprehensive account of the background to an injury (particularly where it is work-related) should include information about the claimant’s regular daily activities, whether in a work environment or home situation. A physiotherapist is accustomed to observing and assessing the impact of a client’s environment on his or her injury. This is an essential consideration when seeking to restore full function.

Case Example:

Mr T had been using an improvised workstation and subsequently incurred severe soft tissue injuries. The physiotherapist identified how the postural stresses on the body had resulted in the patient’s symptoms. Excruciating pain along the spine – relieved only by lying flat – and severe pain and tenderness of the forearms were the consequence of sitting for 3 months of intensive work on a laptop.

Client Examination:

Soft tissue injuries are difficult to assess accurately, with x-rays and scans rarely providing useful evidence. Even nerve conduction tests are of little value when assessing damage to nerves subjected to excessive stress. What is required is an evaluation of any adverse mechanical tension within the nervous system which may be restricting movement.
Physiotherapists are used to palpating and testing specific structures within the body to diagnose exactly what has been damaged, i.e. whether it is a tendon, a tendon sheath, muscle, fascia, a nerve or any combination of these. A physiotherapist can help in differentiating between whether the client’s condition is constitutional and has been aggravated by work or trauma, or is caused by work or trauma.

There is a growing acknowledgement of the need for a biopsychosocial assessment when examining people, and this is the approach traditionally taken by a physiotherapist. Social history and status, mental and emotional states, as well as working situation and lifestyle, can all contribute to how the patient reacts to and copes with symptoms.

There are many standard tests that can help with the assessment of the physical condition. One such example is the straight leg raise. The test involves the patient lying comfortably relaxed on his back. The examiner places one hand under the Achilles tendon and the other above the knee. The leg is lifted perpendicular to the bed, with the hand above the knee preventing any knee bend. The leg should be lifted as a solid lever moving at a fixed point in the hip joint.

This is a simple biomechanical test that has been recognised for hundreds of years as a way of identifying lumbar spine (lower back) problems. However, it is of limited value only. When the leg is lifted in the manner described, many structures move – the hamstring muscles, the lumbar spine, the hip and sacro-iliac joints and fascia, as well as the nerves. Pathology of any of these structures may affect the client’s reaction to the test.

An experienced physiotherapist will combine such tests with detailed palpation and observation of functional movements to arrive at the all-important specific diagnosis. In addition, the patient’s posture and manner of movement will be analysed and the results added to the overall assessment.

Case example:

Mrs B was secretly videoed by an insurance company while shopping. A physiotherapist was able to identify how the client had become so used to coping with her injuries that she avoided a lot of the normal, potentially painful, actions employed by other women shopping, e.g. standing upright with arms by her side most of the time, avoiding heavy or bulky items, loading carrier bags lightly, and using both hands to carry each bag.

Expert opinion:

An experienced clinical physiotherapist possesses an unrivalled knowledge and comprehension of how the body works under normal conditions and when coping with a disability or soft tissue injury. With regular and prolonged experience of treating soft tissue injuries, a physiotherapist can offer a valuable and meaningful opinion about all aspects of treatment and recovery.


An essential component of any medico-legal report is a prediction of future developments on a balance of probabilities basis. A clinical physiotherapist sees large numbers of similar injuries from first contact through to recovery, and can thus give a reasoned prognosis based on experience. This should include the likelihood and anticipated timing of resolution, the need for further treatment and any possible long-term disability.


When a lawyer is trying to find an expert witness that can help with soft issue PI cases it is worth considering an experienced physiotherapist can bring a unique and valuable perspective in any personal injury case involving a soft tissue injury. Experience of patients from first injury right through to recovery gives such specialists the widest professional knowledge when it comes to assessing future treatment and costs thereof, and arming the lawyer with the necessary detail to fully assess quantum.

Rosemary Quinn is an experienced physiotherapist based in the North West of England. You can view her profile and find an expert witness at X-Pro, the innovative expert witness directory.

Expert Witness Corner: Computer Counter-Forensics

Digital Evidence Triad:

The fragile nature of digital evidence, coupled with the complexity and skill required to conduct an assessment that will bear the scrutiny of a court of law, makes it important to independently validate and verify the findings of the forensic assessor.

Case preparations involving scientific evidence must consider three core areas in detail, exploring each facet of evidence to assess whether Best Practice and prevailing regulations have been adhered to. This also ensures a full appreciation of the available digital evidence, which can be placed into the context of the allegations and accompanying physical evidence. These three spheres are:

1: Search & Seizure: The means by which the target media (e.g. hard disks and CD’s found on the suspect or at a specific location) were acquired by law enforcement agents and their subsequent preservation through the ‘chain of custody’.

2: Preservation of Evidence Containment and protection of evidence exhibits so as to ensure fragile and volatile digital evidence is neither corrupted nor tainted.

3: Forensic Assessment & Analysis Evaluation of media and raw materials to furnish law enforcement agents with forensically sound evidence that can be presented in a court of law.

Efforts geared towards thwarting or impacting on the forensic computing process are levelled at one or more of these spheres.

Physical Safeguards:

In the context of countering digital forensic practices, physical security is based on the principle that if a computer system cannot be found, then it cannot be seized by the authorities for examination.

Locked cabinets and steel laptop cables will frustrate efforts to remove devices from the suspect’s premises; however, they will be defeated given adequate time and resources.

More advanced approaches towards protecting computing devices include concealing key computer drives or media under the floorboards, in the loft space or in out-house facilities such as a garage. This can afford a degree of security and ensure that devices remain hidden from investigators. Communication with the device can be achieved without telltale cabling, relying instead upon encrypted wireless signals.

Anti-tamper devices, such as specialist alarm units that reside within computer casing, can be used to upset and hinder the search and seizure process. More complex approaches towards asset protection can include integrated ‘anti-seizure’ devices that are attached to the computer drive. These are designed to corrupt the computer drive data should any attempt be made to remove the disk or access the system without the use of a special hardware token and password.

File & Application Security:

Investigators will naturally gravitate towards files and folders that appear to have titles of relevance to the case in hand. Perhaps the simplest approach to concealing files or folders is to rename them to something innocuous and unlikely to arouse suspicion.

A more considered approach to hiding information involves the moving of user data, such as textual reports or financial spreadsheets, into archives which normally contain only files required by the computer for operation (e.g. the system32 or config folders).

Both of these approaches help conceal information from the curious or casual browser, but the material will undoubtedly be uncovered during the course of a comprehensive forensic evaluation of the computer drive.

A different approach involves changing the way in which the computer operating system interprets files. Microsoft WindowsTM, the most prevalent desktop computing environment, identifies files and the program that should be used when they are being opened by the extension associated with the filename. Extensions take the form of a full stop and three letters appended to a filename – for instance the popular.doc extension that indicates a Microsoft WordTM document.

A somewhat crude but nonetheless effective approach to obscuring information is to change the associated file extensions. This could make a Word document (.doc extension) to appear as a bitmap graphic (.bmp extension). If a user attempts to open the file, the default program associated with the file-type, Microsoft PaintTM in this instance, will be invoked. Since the file data is actually in Microsoft Word format, Microsoft Paint will not be able to render the information and will return an error.

Such efforts are likely to help sensitive materials pass under the nose of casual observersand those intent on identifying files of a particular type, such as graphical images which feature the extensions including.bmp or.jpeg.

A more conventional approach towards protection of information is to employ passwords. Starting with Microsoft Office 95, it became possible to password protect office productivity files to prevent unauthorised access. Well equipped forensic laboratories have specialist equipment to allow dictionary and brute-force attacks (trying all possible character combinations) against password protected files and programs, so unless a particularly complex pass-phrase is used the security is likely to be broken fairly quickly.

Most users employ passwords based on words found in the English dictionary or words that have meaning to them, such as the name of their wife or pet. These passwords are not complex enough to thwart concerted efforts to break the security. Passwords based upon non-English words, greater than eight characters in length and using both numbers and non-alphanumeric characters (e.g. exclamation or punctuation marks) provide a level of complexity that is extremely difficult to break.

However, password protection can have serious shortcomings that can be exploited by forensic investigators. Protection of this type usually places a barrier up at the beginning of the file, which means if this safeguard can be by-passed, the actual data contained within can be extracted. A classic example is a forensic examiner using a plain text editor, such as Notepad, to open a password protected document. All controls, safeguards and features that may be in place through Microsoft Word are thus circumvented.

Taking file and application level protection to the next level is the practice of cryptography – the science of securing information through the use of reversible transformations. The word “cryptography” has its roots in the greek terms “cryptos”, meaning secret, and “graphy”, meaning writing. Simple ciphers, known as mono-alphabetic or Caesar systems, involve the substitution of letters. The development of digital computing revolutionized cryptography and made today’s highly complex and secure cryptographic systems possible.

With the introduction of Microsoft Windows XPTM an enhanced security feature known as Encrypting File System (EFS) has become readily available to desktop computer users. EFS is a cryptographic support system that enables files, folders and even sections of the hard disk file system to be encrypted using a variant of the Data Encryption Standard (DES) algorithm.

Attacking cryptographic materials is known as cryptanalysis and requires highly experienced consultants for any reasonable chance of success. Attacks can be levelled against the protocol (i.e. the mechanics of the encryption system employed), the protected file/data, or the interface and environment (i.e. the manner in which the user has interacted with the cryptosystem and/or computer system to create the secured material).

A more complex approach to concealing information involves placing it within or around another open and public source, a practice known as stegonography. Classic examples of stego’ include invisible inks or the use of grilles to cover a written message and reveal only selected words or phrases. In a digital context, stegonography involves embedding the code that constitutes one file, for instance a graphical image, into the code structure of a secondary file.

The use of stegonography can be difficult to detect even with the benefit of specialist forensic tools and when employed correctly can allow suspect material to evade even the most astute investigator. When combined with cryptography, stegonography can be an especially powerful means of safeguarding both the presence and content of information.

Another approach to concealing information is to embed data in special sections of the file system structure. Alternative Data Streams (ADS) was a design feature introduced into the Microsoft WindowsTM operating system with the NTFSTM file system as a means to provide compatibility with the Macintosh Hierarchical File SystemTM (HFS).

The way the Macintosh’s file system works is it uses both data and resource forks to store its contents. The data fork is for the contents of the document while the resource fork is to identify file type and other pertinent details. There has been a marked increase in the use of these streams by malicious hackers wanting to store their files once they have compromised a computer. Not only that, it has also been seen that viruses and other types of malware are being placed there as well. The crux of the matter is that these streams will not be revealed using normal viewing methods, whether via a command prompt or using the Windows Explorer.

Whilst data embedded within ADS will remain invisible during all normal operations, forensic examiners can identify such material using complex data analysis tools. When information is encrypted, embedded within other file code (stegonography), and finally hidden in an ADS, it is likely that the material will be safe from even the most astute investigators.

Internet Privacy:

The Internet is an essential tool for business and leisure but is also a compelling resource for those commissioning or researching criminal activities.

Reading email or browsing the World Wide Web (WWW) leaves traces on the host computer that can be recovered by forensic investigators to give an indication as to website visited, terms used on search engines and conversations held in online chat-rooms.

Whilst popular browser applications such as Internet Explorer and Mozilla feature routines to remove personally identifiable information, a more considered approach to eliminating any local traces of online activity would involve the use of a specialist application such as ‘Evidence Eliminator’.

To add a layer of security between the computer and Internet, and thus protect against any potential eavesdropping on the telephone/broadband network, an approach known as Onion Routing may be employed. Developed by American researchers Onion Routing employs a complex series of relays, routers and encryption protocols to ensure anonymity and confidentiality of traffic.

Whilst investigators without the capacity or capability to undertake complex cryptographic evaluations may be at a loss to identify the content of such protected internet content, it may be possible to glean useful information through the use of ‘traffic analysis’. Here the intention is to identify patterns and norms. For instance, it may not be possible to determine what website an individual is accessing, but through cataloguing the traffic it can be possible to say, with certainty, when a user was online. Should this be backed up with physical surveillance that can attest the individual was alone at the premises under observation at a particular point in time, then should further evidence come to light at a later point (perhaps as a result of performing a forensic analysis of the suspect’s computer, following a search/seizure order), it can neatly tie the suspect to the computer keyboard.

Exploiting Forensic Methodology:

Whilst the approaches previously discussed have focused on obscuring or concealing either the physical computer devices or the digital evidence contained therein, the following techniques are geared towards thwarting the forensic process of examination of digital media.

Operations upon files and folders are recorded in timestamps, which provide details as to when the file/folder was created, when it was last accessed, and when the file/folder was last modified. Timestamp data is recorded automatically by the operating system and provides crucial evidence as to actions and times/dates when they occurred. However, appreciating how valuable timestamp data can be to investigators, tools have been created by various Hacking groups to allow manual or automatic modification of timestamps. This technique is known as “fuzzing” and can make attribution of the file – or who was at the keyboard at a specific point in time – near impossible. Furthermore, fuzzing taints the evidence so that the integrity of the timestamps is damaged to a degree that would make them inadmissible in a court of law.

ACPO Guidelines for the seizure of computer devices, suggest immediate disconnection of the power unit, so as to preserve information on the system computer drive(s). This is regarded as Standard Operating Procedure (SOP) by investigators around the world, but it does have one very serious shortcoming. By disconnecting the power, any information stored within the volatile memory (e.g. RAM) will automatically be lost and cannot be retrieved. Hacking tools have evolved to take advantage of this investigative procedure; having scripts and applications that run exclusively in memory so that no traces will survive on the disk should the computer be seized by the authorities. It is considered to be only a matter of time before this counter- forensics technique becomes even more widely adopted by those intent on using computers for the commission or support of criminal enterprise.

Legal Context:

Whilst not a security technique or forensic safeguard, some criminals have shown remarkable forward planning as a precaution if they one day have to stand trial for an offence.

In legal circles there have been a number of high profile cases involving computer abuse/misuse, where the line of defence has been that the computing device had been under the control of an unknown third party. In many cases the assertion is the computer has been broken into by a Hacker, who used the device as a platform for perpetrating their crime. This has become known as the ‘Trojan defence’ and was applied successfully in the case of R v Aaron Caffrey, who was charged with breaking into computer systems owned by the American port authority in Houston.It has been known for criminals to purposefully infect their computers with viruses and malicious code, laying the foundations for just such a defence should the need ever arise.

The technical arguments as to whether computer code, which is what essentially all digital media is, can constitute obscene media have long been agreed in the rulings of R v Fellows and R v Arnold. In matters involving obscene images and media, the recent ruling in R v. Porterhas put flesh on the bones of the argument as to what constitutes ‘possession’ in a technical sense. In this case the presiding Judge gave directions as to whether the jury could consider that deleted images, recoverable only using advanced forensic means, could still be considered in the possession of the owner.

Recently the Home Office announced plans to begin enforcing provisions outlined in Part 3 of the Regulation of Investigatory Powers Act (RIPA). The wording of this act would make it an offence for an individual or entity to refuse or be unable to disclose passwords or encryption keys specifically requested by the authorities in relation to an investigation. One argument against these provisions is that it reverses the burden of proof and makes a party guilty of an offence should they be in a legitimate position to be unable to comply with a disclosure order.

One of the main criticisms of the act, however, is whether or not it will have the desired effect in enabling criminals abusing or leveraging technology to suitably punished. The oft-quoted example is that of an individual arrested on suspicion of possessing obscene images and media. Should the computer drive be strongly encrypted, the authorities may attempt to coerce the decryptions keys via RIPA. However, it would clearly not be in the individual’s best interests to comply, as this would reveal the extent of their cache and almost certainly result in a punishment that would far outweigh that which would be on the table as punishment for non-compliance with the RIPA provisions.

Security vs. Accessibility:

When considering security controls and countermeasures a careful balance must always be achieved, as to how to maintain reasonable accessibility to the data whilst ensuring confidentiality.

A collection of obscene images could, for instance, be grouped into one archive that is strongly encrypted and the resulting code embedded into the file structure of an innocuous file that is in turn buried deep within the computer’s file system. This computer drive may then be concealed within the loft crawl space and communications with the device achieved using encrypted wireless protocols. Clearly this would afford a good degree of secrecy to the material, but does make it increasingly difficult to access or retrieve for any practical purposes.

The accessibility angle is used to the advantage of investigators, who will routinely scan suspect premises for wireless communication signals or follow computer data or power cables to identify any hidden devices.


Criminals and those engaging in offences involving the use or support of information technology continue to use various means to thwart the efforts of investigators to secure digital evidence. Whilst countermeasures range from the crude yet novel (e.g. burying devices under the floorboards) to the highly sophisticated (e.g. encrypting information and concealing the code within redundant areas of the computer file system) – it is clear that defensive practices of this nature are becoming increasingly prevalent. Equally, these efforts are becoming worryingly effective in hindering the efforts of law enforcement and have contributed significantly in the police either training their own specialist investigators or trying to find an expert witness with the requisite skills.

History has taught us that attacks against systems – whether physical or digital in nature – only increase in efficiency and effectiveness over time. It is therefore essential that lawyers involved in these type of cases find an expert witness with the requisite skill set that can deal with the complex technical issues that often arise.

This article is not a ‘how-to’ guide and certain details from both the defensive and offensive perspectives have been intentionally omitted. The techniques described in this article are documented in a variety of public resources and in many instances employed quite regularly by criminals abusing or misusing technology.

It is considered more harmful to the forensic industry to operate under a veil of security and operate with a false sense that the practices employed are above reproach.

It is hoped that by highlighted this disturbing trend some of the challenges and limitations of current forensic computing practice can be appreciated. Furthermore, this can stimulate informed discussions that will lay the foundations for research into fresh approaches for countering counter- forensic practices.

Ross Patel is a forensic computer consultant with Afentis Forensics. You can view the company profile and find an expert witness at X-Pro UK, the innovative expert witness directory.

expert witness accreditation

Related Expert Witness Articles

Expert Witness Corner: The Use of Experts in U.K Commercial & Construction Cases

There is a risk attached to the use of experts in the service of the Tribunal. The expert, the person experienced in the business or techniques of the dispute, can start a cold breeze of logic and common sense blowing through the dusty rooms of the law.

Involve an expert and you involve someone to whom the truth and the facts are more important than the tactics and games. More seriously, you involve someone to whom justice and fairness are more important than the esoteric details of positive law. Someone whose frustration, at the obfuscation found in much modern legal practice, sometimes may result in steps towards the truth being taken much more quickly than billing practice normally would permit.

My lawyer friends should be warned that, by bringing an expert into the service of the tribunal, whether as a member of a tribunal, as a sole arbitrator or as the tribunal’s own expert, they have a tiger by the tail.

Let me recapitulate briefly: I suggest the characteristics of an expert, and for this purpose I mean an expert in fields other than law, to include: knowledge and experience of his or her field – an expert knows what he or she is talking about; the skills of logic and common sense; an ordinary man’s, or woman’s, sense of justice and fairness; skills of communication and exposition, at least related to the field of expertise and often more broadly related – an expert knows how to express his or her findings or opinions.

Disputing parties, seeking a way to resolve or determine their dispute, may well look at those characteristics and think that they are precisely what is required.

That is right and that is, of course, the original purpose, the raison d’être of commercial arbitration, although a modern observer could be excused for thinking otherwise.

That was how arbitration began in commerce, before the modern structure of nation states became what it is today. Merchants would choose one of their peers, preferably one whose prestige and reputation put him out of the hurly burly of immediate competition, and agree to accept his decision. He was the arbitrator- knowledge and experience, logic and common sense, sense of justice and fairness, ability to communicate his findings. It was all that was necessary. Now is not the time to discuss how the need for control by the State has led to a corruption of the process. I have discussed that elsewhere, and the move towards a globalization of trade eventually may mean a return to the standards of the past, as trade once again passes beyond the grasp of nation-states.

My immediate point is that, far from being an exception to the arbitral process, the use of an expert is the natural, the obvious way to determine a private dispute in a specialist area of trade or professional practice.

That is my starting point. Of course there are trade disputes in which there is some obscure point of law; there are others in which a suitably obscure point of law may be invented. My essential proposition, however, is that most topics in trade and commerce are best understood by people in trade or commerce, experts in the field. That must be so, otherwise they would not be able to trade successfully day-by-day, as obviously they do.

That is why the expert plays an essential role in the service of the tribunal.

I will now turn to the principal ways in which that service may be provided. In the limited time available, I will deal with three categories.

First I will touch upon the role of the expert as a sole arbitrator and the ways in which, if necessary, additional legal support may be brought into the room.

Secondly, I will discuss the expert as a member of a plural tribunal, his or her relationship with others, and the possibility of creating a “dream team” to deal with a specific dispute.

Finally, I will look at the task of a tribunal-appointed expert and the relationship between the expert and the tribunal.

Before doing so, however, I would digress for a moment to discuss the relationship between two fields of law. For want of better definitions, I shall call them Positive Law and Natural Law. Positive Law is what it is. Holmes once said, to an attorney in his court, “This is a court of law, young man, not a court of justice.” A great jurist, leader of the American Realist school of jurisprudence, whose definition of positive law is perhaps the most exact that can be found, he was right. To paraphrase something else he said, Law is no more and no less than the prediction of what a court will decide in practice. I would not presume to argue with that; it is unarguable.

As it happens, although I teach in a Law School, I am an engineer. Engineering is variously described as a useful art or the application of science. The aim of engineers, and I quote the Institution of Civil Engineers in London, is the harnessing of the great forces of Nature in the service of mankind.

Please think about that for a moment. No one is beyond the laws of nature. My colleagues and I serve the laws of nature every day of our lives. If the bridge is not strong enough, it falls.

Engineers know well the famous accident to the bridge at Tacoma Narrows and it exemplified what I want to say. Because of a peculiarity of the wind through the gorge, and the design of the bridge – it was a suspension bridge – oscillations were induced in it and became progressively more severe over a period, eventually it broke and sent at least one abandoned vehicle down with it. The incident led to changes in design to take account of the effects of wind. It was not the first instance of a man-made bridge failing in the wind. The Tay Bridge Disaster, in the nineteenth century was another.

Now, there would have been time, once the Tacoma Narrows Bridge started to oscillate, to apply to the court for an emergency injunction to prevent it. I daresay that it would have been easy to persuade the Judge of the public interest.

But, and this is the point I wish to make, the injunction would not, could not have been effective. The bridge would still fall. Canute demonstrated to his courtiers that all his undoubted power could not cause the tide to turn. Galileo admitted to his inquisitors that the Earth did not move around the Sun. It was res judicata, but nobody told the Earth, and still it moves. That is the nature of the law I serve. Unforgiving, inflexible, certain (but only insofar as it is correctly known). A hard mistress and not one whose rules may be changed by statute, by fiat or by a determination of the court. Natural Law.

And Natural Law governs both material and immaterial matters. There are laws of Physics, Chemistry and Mathematics, but there are also Laws of Aesthetics, of Logic, of Morals and of Human Behaviour. We specialise, of course, and we can learn more of some Natural Laws than we can of others, but none can pick and choose which Natural Law to apply. It applies without our intervention.

Now this may seem a little remote from Commercial Arbitration, but it is not. The principles of the Law of Obligations are essentially Natural Law principles. In Contract, they spring from the logical consequences of the ability to communicate ideas and wishes and, in particular, promises. In other areas, tortious obligations, they spring from the twin principles of free will, which makes us responsible for the consequences of our actions, and our duty to one another, a necessary part of social existence. And Arbitration, of course, is a creature of the promise. It has a foundation in Natural Law. That is fundamental and inevitable. International Arbitration is, by definition, universal; the Laws of nation states, the only positive Laws, are not. I am not here discussing state recognition, that is another matter altogether.

I will deal only briefly with the expert as sole arbitrator. The advantages of trusting a dispute to someone who understands the nature of the problem are self evident, as is the moral strength of an agreement to abide by the judgement of a peer in one’s field of work. There are three aspects which need attention. One is the need for such and expert arbitrator to acquire the appropriate procedural skills, for which training is available. Most senior professionals, in every sphere of activity, have experience of managing meetings fairly. Another is the occasional need for the arbitrator to seek legal advice, which has always been a traditional right, although occasions for it are rare. The third is the problem of transparency, which is overcome by the expert arbitrator setting out, for the parties, such personal knowledge as may be relevant, and inviting them to deal with it if they wish. Expert arbitrators may be in a minority on the international scene today, but there are several of them and there may well be a recovery of numbers as training becomes more widely available.

The advantage of at least one or two experts in a multiple tribunal is also, I suggest, self-evident. That is especially so in modern international arbitration, where the party appointed arbitrators are required to be neutral and not to act as a kind of quasi-advocate for their appointers. Non-lawyers are not accustomed to advocacy and do not have the contentious instincts of the professional advocate. That makes them well suited to a neutral role.

I wish particularly to alert you to the enormous opportunity which the parties have to create an ideal tribunal for the problem they have to resolve. I have called it the “dream team” approach. Imagine, if you will, a build-operate-transfer project, to manufacture ethical pharmaceuticals to be marketed in an area where only imported products have been available. Now assume that disputes have arisen, during construction, about the performance and profitability of the plant.

What I suggest is that the parties and their lawyers could put together a tribunal which comprised, say, a chemical engineer, an expert on project finance and a lawyer familiar with the country where the construction was taking place. Not only would those men or women be able to deal with their respective fields. If given the opportunity, they would create a collegiate team which would be able to discuss issues from widely differing points of view, bringing a synergy to the arbitral process. The whole would be greater than the sum of its parts.

That is what I had in mind when I spoke of the relationship between the members of a tribunal. It is a collegiate relationship, between colleagues, not a relationship of contentions.

Now I turn to the service which the expert may give as witness or investigator for the tribunal. I will not deal with experts appointed as members of the legal teams of the parties; others will discuss that role.

Various legislation covers the appointment of a tribunal expert. The English Arbitration Act of 1996 refers to advisors, assessors and experts, but does not differentiate greatly between them. Distinctions between those roles may be somewhat technical; Article 26 of the UNCITRAL Model Law refers only to experts and, I suggest, sets out the natural requirements for the task. An expert or experts may be appointed – no prescription as to the nature of the expert – and, unless the parties agree otherwise, that expert must be available for examination. The Model Law also imposes a duty of co-operation on the parties.

In any reference, the decision as to whether or not to appoint an expert is a decision of the tribunal. Although the parties have the right to agree otherwise, the tribunal’s discretion is complete, both as to whether to appoint an expert and as to who the expert should be. In practice, however, it often may make sense for the tribunal to invite the parties to agree upon an expert.

The expert’s role is defined by the tribunal, in the light of the views of the parties. Ideally, there should be precise terms of reference, which may take the form of a series of questions. The expert can play a useful role in suggesting additional questions and in drawing up the terms of reference, but the final decision will be that of the tribunal.

The tribunal’s expert is an extension of the power of the tribunal to make enquiry. That was brought home to me by a distinguished professor of law who described a mission which arose for a tribunal of which he was chairman. The field of the dispute was esoteric, and the tribunal could not find an expert in the field who did not have connections with one or other of the parties. There were documents to be examined and enquiries to make. Accordingly, the tribunal appointed a gentleman, not from that field of business, but from a generally similar discipline, to examine the documents, to make the enquiries and to report to the tribunal. Almost an agent de police judiciaire, you might think.

One method of proceeding, which I have found successful, is for the parties to give their reasoned answers to the questionnaire before the expert’s enquiries begin. This gives a structure to the enquiries. Then, the first report is given for their comments and the final report may incorporate the comments given by the parties. That may make unnecessary the examination of the expert before the tribunal, but the tribunal may wish to have the expert present to comment upon any further evidence. Because the expert can be examined, he or she may be relieved of the obligation to ensure that both parties are present at any phase of the enquiry. That can save a great deal of time and expense, but the expert must report upon anything he or she takes into account. The principles of Natural Justice are not suspended for the expert, only made a little more practical. Any basis for the expert’s opinion must be made known, and any documents made available to the expert ordinarily should be available to the parties and the tribunal. An exception may be made for trade secrets; the tribunal may order some material to be shown only to the expert, who may then refer to it in a way that protects the secret. It is a procedure that requires care by both expert and tribunal.

Remember, it is so important that lawyers not only

find an expert witness but are able to find one that not only specialises in his chosen field but also has a working knowledge of how tribunals work. That is crucial.

Professor Beresford Hartwell is an experienced Engineer/Arbitrator/Adjudicator. You can view his Profile and find an expert witness at X-Pro, the innovative expert witness directory.