Expert Witness & Digital Forensic Services


Site Contents: © Peter Sommer, 2018   Not to be reproduced without permission

PO Box 6447  London N4 4RX UK




Peter Sommer concentrates on situations where interpretation of the contents of computers, data storage devices such as disks and USB  sticks and smartphones as opposed to their routine examination.

Careful use of data interpretation can provide the basis for making inferences about intentions, planning,  motivations and predilections.   It can also be used to stand-up, or refute, alibi claims.

Data interpretation can involve identifying substantive files but also saying how they came to be on a computer or memory device, when and by whose agency.  
It can also involve various forms of advanced data recovery of deleted material,  but in these instances it is important not only that recovery takes place but that something can be said about the circumstances of deletion and also if there is any associated date-and-time from which inferences can be drawn. (Or in the alternative,  if their absence means that certain assumptions should not be made).  

Data interpretation also provides chronologies of activity on a computer, based on programs recorded as being used at particular times, emails sent and received,  web-browsing and, among other things,  the use of social networking and file-sharing services.   Further sources for data interpretation include configuration and log files, meta-data (data about data embedded in certain files), the Windows Registry,  Windows Restore Points and, in  Vista and later Microsoft operating systems, Shadow Copy.

Data interpretation requires great care and skill.  Personal computers and some business computers were not designed with audit and forensic use in mind.  As a result many of the activities an investigator might wish were recorded are not.  Windows has many hidden facilities which can be turned to forensic use, but they have had to be discovered and their limitations appreciated.    It is all too easy for an analyst to make interpretations which turn out to be partially or even wholly wrong, or at least misleading.  

Peter Sommer can handle all forms of Windows,  Apple Mac OSX and most versions of Linux/Unix.  He can handle cellphones and smartphones where there is an existing logical image or data extraction.  He can arrange for a reliable third party to carry out logical imaging in circumstances where this has not already taken place,  

All of the major generally used software packages for computer forensic analysis are used as well as a series of specialist stand-alone packages. These include both proprietary and open source software.  Where the quality of a particular package is in question a second or even a third one may be used as a check.     Forensic disk images in all the widely-used formats can be handled.    Depending on circumstances it is also sometimes possible to carry out examinations on live running computers, including memory state.

Some use is also made of virtualisation techniques.  The main limitation of conventional computer forensics analysis packages is that it is difficult to visualise the experience of the user - “see what the user saw”.  Virtualisation, where a computer of interest is “run” within a window on another computer and within a “safe” environment is useful both as an examination technique and also for lawyers and investigators who need to understand how a computer has been used - it can also be used in court.

Peter Sommer has the hardware and software facilities to carry out original forensic disk imaging to ACPO Guidelines standards but it is usually not cost-effective to employ him to do so except as part of a larger exercise.  However he can arrange for bulk imaging to be undertaken by reliable engineers.

“Examining and interpreting the contents of a computer shares some of the attributes of an archeological exercise.

 You start off with a series of rumours and expectations of what might be uncovered.  But there are many layers representing different types of activity; some forms of activity have been completely lost, others can only be partially reconstructed.  In some instances older building materials have been re-used to make later buildings.   Sometimes quite extensive inferences have to be drawn from quite small fragments.  

The interpreter of digital data, like the archaeologist,   has to keep an open mind and be prepared to abandon a promising hypothesis once it becomes apparent that there is no longer much basis for it.

However, properly and carefully deployed, sometimes astonishing revelations can be stood up.”