The growth in the use of computers has transformed many criminal investigations and prosecutions, as have advances in computer forensics; but the volume of digital evidence now potentially available creates problems of its own - disclosure, triage, case management - and prompts the need for experienced handling and interpretation.
At the end of the last century it was still relatively rare to find serious computers in the home; those that were found had relatively small hard-disks, a few hundred megabytes, and accessed the Internet via slow dial-up speeds. Examining them was analogous to rummaging in a desk drawer - a complete exam might take only a few hours.
Almost anyone who wants a computer can afford one - a home PC costs the equivalent of 2-3 days’ work at average earnings; one bought in 2015 for about £250 would have had a hard disk of 750 GB capacity or more; a household with several computers, which have been in use for several years, is now not unusual. Almost all Internet users have unlimited-access broadband - and new-ish applications such as social networking, file downloading, streaming video and Web 2.0 serve to increase usage. The increased availability of Internet facilities has changed the way in which people use computers - and leave traces of their activities. Individuals often keep years of old documents, correspondence, diary appointments, and photos. Data storage for back-up, on USB sticks, external drives, etc., costs peanuts.
All this has considerably enhanced the importance and value of computer examinations in a very wide range of criminal investigations; evidence can be located which points directly to crimes and their execution, but also to their preparation and planning.
When Peter Sommer began his practice in 1985 he thought he would be concentrating on computer abuse, intrusions and “computer fraud”. In fact he has also had to handle multiple murders, terrorism, harassment, many different sorts of fraud, narcotics importation, people smuggling and various forms of obscenity and indecency.
The analogy of the rummaging in a desk drawer is now replaced with being faced, even in a domestic situation, with a room full of filing cabinets all or any of which might yield useful information. And from the perspective of a defence lawyer, all may need to be reviewed for potential exculpatory material even if the prosecution decide much will remain “unused”.
Since the Criminal Justice Act 2003 it has been possible for the prosecution, subject to certain limits and judicial discretion, to introduce “bad character” evidence (part 11 Chapter 1 ss 98-113). Computers often hold such potential evidence, for example through web-browsing activities. This is an opportunity for prosecutors but also means that defence lawyers need to verify that the supposed bad character evidence is indeed present and not being misinterpreted.
Peter Sommer concentrates on situations where careful interpretation of the contents of computers is required. The main modern forensic computing analysis programs have facilities automatically to generate reports; initially these look impressive but all too often what is produced are vast indigestible lists and print-outs.
Interpretation requires the production of chronologies of events and an understanding of how many different applications work and are used in the real world. It requires a full understanding of how various configuration files and other artefacts can be used to build a proper understanding of what occurred. It also involves the discipline of neutrality: the computer expert’s duty is to assist the court to reach a conclusion, not to act as a quasi-advocate for one side or the other.
In addition, the novelty and volume of some digital evidence and the way it is collected, deployed and disclosed can present new legal challenges; Peter Sommer’s legal background and considerable practical experience have been very useful to instructing lawyers in a number of cases.
Disclosure: CPIA 1996 as amended, the Codes of Practice, CPR 21-26 and the associated CPS Manual provide scant specific assistance about the manner and extent of disclosure that should take place where large quantities of digital evidence have been seized, but it is possible to reach mutually acceptable pragmatic ad hoc solutions based on experience. A related problem is that of triage where investigators decide to discard seized computers on the basis that preliminary examination reveals nothing of interest, though there may still be a disclosure obligation to the defence.
Case Management: In large cases there are issues of how the quantity is to be managed, particularly if there is reliance on forensic artefacts as opposed to substantive files. How far can one use the originals as extracted from a disk, or PDFs? What is the best practical relationship between the forensic technician and the investigators, or the lawyers? From the defence perspective: where there are multiple defendants, how far can expertise be shared, even if the defence has a “mutual back-stab” element? And what technologies are most usable and cost-effective?
Meetings between experts: Under CPR 33.7 the court can order a pre-hearing discussion of expert evidence, or one can take place voluntarily, the aim being to simplify a trial, but few experts have the experience to know how to conduct themselves without compromise.
Intrinsically-Linked Material / Legal Professional Privilege / Confidential Information: The forensic disk image is the gold standard in digital evidence preservation. But where legal professional privilege is claimed, or there are other reasons to withhold some aspects of the contents of a disk, problems arise because it is technically impossible to redact sections of a forensic image. The usual route is to instruct an independent barrister to arbitrate. But barristers will nearly always require technical support.