Pointing the finger at digital forensics

The somewhat murky waters of digital forensics, expert witness testimony and the rat race between defense counsel and prosecution were demonstrated during a recent testimony in the piracy battle between iiNet and Dallas Buyers Club LLC.

The so-called expert witness’s integrity and evidence was called into question after cross-examination revealed he had not prepared his own witness statement and didn’t know the technical details related to the log files his own company’s software generated in support of the case. 

The details of this specific case, while interesting, are not really the focus of this post, but it sets the scene nicely for a look into the niche market of digital forensics.

Like all sub-disciplines in the cyber security world, digital forensics is continually evolving, driven forward almost exclusively by the need for prosecutors or litigators to win cases, versus the ability of defense lawyers to successfully get their clients off the hook, either through empirical evidence or technicalities that discredit the prosecutor’s case.

In the US, digital forensics is a well-established profession, with a swathe of companies providing prosecution and defense support in the form of digital forensics investigations and expert witness testimony.

In some US states, forensic investigators need to be registered as private investigators to be able to practice their profession, and in some cases they can’t apply for that license unless they have three years served as a full time police officer.

While this begs a bunch of other questions and poses many issues related to proof of technical competency rather than procedural competency, at least they are attempting to apply some kind of rigour and control over those security professionals offering digital forensics investigation services.

This position has not come about through happenchance - too many charlatans with no knowledge of the legal process were preparing digital forensic reports and expert witness testimony that was thrown out of court by judges after cross examination by the opposing counsel.

When offenders get off on technicalities, it’s time to regulate and impose a minimum set of requirements, qualifications and benchmarks that must be met to obtain a license.

The Dallas Buyer's Club piracy hunt could become a landmark case for Australia. Technical cross-examination on the part of iiNet was used to discredit the expert witness, damaging both his professional integrity and the potential future of the case.

This “expert” had not seen the evidence he was reporting on and admitted he did not know how to interpret the underlying .pcap files generated by the network tools used to gather information about the illegal file sharing activities in question.

iiNet used the expert witness’s lack of detailed knowledge to attack the fundamental technical aspects of the evidence: the crux of the argument was that end user IP addresses often change, therefore the correlation between timestamps and IP addresses in the .pcap files and IP addresses registered to end users cannot guarantee an identification of the user that accessed the BitTorrent file.

This is an old argument, one that has been encountered many times in court situations in the US, UK and elsewhere around the world. 

So, the question remains, why was this chap selected as the expert witness and what credentials did the employers use to justify his place in court on that day?

The simple answer is that he has no credentials to speak of. He didn't hold a university degree but had completed an apprenticeship where he learned the computer programming language Java.

So, he has a technical background and works for the company that wrote the software that generated the evidence file. Does that make him an expert?

London-based legal training company, Bond Solon, suggests that it’s not enough to have the technical certifications and experience in your field, but you should also undertake recognised expert witness training.

This prepares you for the challenges and rigour of the courtroom, such as how to properly prepare your witness statement, how to react under cross-examination, etc. 

The upshot is that this case should send a warning to those employing so-called experts to conduct due diligence on credentials and capability.

Ask for evidence of their ability to do the whole job, end-to-end, not just the technical aspects, and ensure they understand what they are taking on in terms of their ability to follow forensic process, report on the details and make a robust case in front of a jury. 

There are a number of professional bodies in Australia that could support security practitioners in this way: the ACS and AISA, to name two obvious ones.

Clients should be asking industry to assist in professionalising the security market to stop these kinds of debacles happening over and over again. If you want an expert witness, call the ACS or AISA and ask to see their register. Wouldn’t that be a future worth having?

The result is good for industry, good for the professional, good for society and good for the accreditation body.