Interpreting Digital Evidence with Richard Boddington

Monday January 22, 2018

Richard Boddington previously served with the London Metropolitan Police, the Royal Hong Kong Police Special Branch and the Australian Security Intelligence Organisation as well as other analyst roles in state and federal government departments. He has an academic background at Murdoch University and the University of Western Australia where he researched and taught digital forensics. He is the principal officer of Forensics Australia which undertakes: Data Recovery from Computer Devices, Digital Evidence Validation, Interpretation and Case Preparation. Richard is a co-director of the Digital Forensics Institute based in Perth, Western Australia undertaking digital forensic research and designing and rolling out a range of specialised digital forensic, online training courses.

We had the pleasure of sitting down with Richard recently to discuss key challenges and opportunities facing the industry today.

You can find the full Q&A below.

Please tell us what your practice looks like and the types of matters you are currently working on / most interesting case of the last 12 months.

Forensics Australia is coordinated by Richard Boddington who has police, intelligence and academic backgrounds in digital forensics. Forensics Australia has undertaken criminal and civil forensics examinations involving a broad range of cases for both defence and prosecution teams. Its work involves deep analysis of digital evidence linking evidence artefacts to potential suspects using an impartial, evidence-led approach in evidence examination, focusing on enhancing evidence interpretation and understanding by legal practitioners and in presenting expert evidence.

Notable recent cases have involved:

  • Examinations and enhancement of video footage of a murder suspect carrying what appeared to be a knife.
  • Audio enhancement of voice recordings of suspects involved in a homicide.
  • Reconstruction of email hacker attacks that attempted to defraud real estate agents and their clients of settlement fees exceeding $50 million, and the targeting of real estate and lawyers' email accounts and trust accounts.
  • Examination of mobile phone pictures presented in a vexatious allegation of sexual assault on a young person.
  • Analysis of the chain of custody of mobile phone artefacts in a drug trafficking case.
  • Recovery of evidence from hand-held devices and laptops in family law cases to assist custody suits and parental drug and child abuse.

Some of the typical issues a criminal lawyer might face when dealing with digital evidence and what trips up lawyers.

Typical challenges confronting practitioners that are evident often include:

  • Lack of technical knowledge and receiving datasets that are not fully intelligible to the layperson and without sufficient explanations of the characteristics, limitations and implications of the evidence.
  • Having no overview story of the evidence to enhance its interpretation and avoid misinterpretation.
  • Incomprehension of the evidence and an inability to ask necessary follow-up questions of the forensic examiner.
  • Asking questions about the evidence and not fully understanding and seeking full explanation of the answer. This often results in lawyers running down rabbit holes that add to their confusion, waste time and are sometimes difficult to extricate themselves from.
  • Accepting what appears obvious when more detailed scrutiny of the evidence may add to or diminish its evidentiary value.
  • Failing to verify the link between the suspect and the user account associated with digital events recovered from a computing device.
  • New and emerging devices, software applications and encryption challenge both examiners and legal teams in recovering best quality evidence stores.

Digital evidence continues to be a contentious area in criminal matters:

  • Non-technical judiciary accept digital evidence presented by the prosecution on face value, with its provenance unchallenged.

Why has digital evidence come under scrutiny?

  • It is a relative latecomer to the law and many practitioners do not fully understand its characteristics and tend to take it at face value leading to consequences for the parties involved.
  • Relating computer evidence to more traditional forms of evidence, such as documentary evidence, has similarities but also differences that present interpretation issues.
  • Digital evidence is circumstantial in nature and often requires some expert testimony to explain its characteristics and its relevance to each case and not all forensic experts are well-trained or sound communicators.
  • The increasing reliance on up-to-date skill sets, limited budgets and heavy workloads of forensic examiners sometimes leads to incomplete evidence analysis and presentation.
  • Digital evidence is fragile and sometimes poor handling and improper use after seizure makes it impractical to tender in hearings.
  • Insufficient evidence recovered may offer a tantalising insight into user activities but may lack corroboration and sufficient weight to assist prosecution.
  • The high cost of independent forensic examiners to interpret prosecution evidence briefs bars some defendants without sufficient means or legal assistance to defend themselves.

How is it different to traditional evidence?

Digital evidence shares many characteristics of other forms of indirect evidence, such as documents and tangible documents, but there are a number of differences:

  • It can provide file content and metadata such as date and time stamps that assist in event reconstruction.
  • Computer devices and data, including metadata, can be readily compromised by other parties which may result in suspicion being placed on innocent users.
  • Transgressors can exploit innocent users through access to devices locally or through remote exploitation and leave little or no traces of their manipulation of data through various subterfuges and anti-forensics tools.
  • As mentioned – it requires careful scrutiny and professional interpretation to ensure that the truth of a matter may be determined.

Is this the way of the future in criminal proceedings? If so, why?

  • Yes, it is most likely to be the predominant feature of forthcoming criminal proceedings with the massive increase in a growing number of computer devices that store potential evidence.
  • Concomitantly, the internet and other communications media are increasingly being used for criminal purposes, which often makes it problematic to collect evidence and prosecute transgressors located in other jurisdictions.

What’s one tip you can offer younger practitioners starting their criminal law career when attempting to navigate evidential matters (and especially digital evidence) in the courtroom?

For those unfamiliar with digital evidence, seek some form of basic IT training to develop an understanding of its characteristics or seek the assistance of an examiner able to shed light on the relationship between digital evidence and other evidence in each case.

Are there any potentially landmark criminal cases or evidentiary issues/developments on the horizon or legislation that you think practitioners should keep on their radar/keep in mind as a red flag?

Nothing springs to mind but the main issue in all cases is proving links between users and events. Many assumptions of guilt are made about users of computer devices without careful checking to see if the links may be corroborated.

You can hear more from Richard at the 8th Annual Criminal Law Practice, Procedure and Analysis seminar, being held on Thursday 15 March at the Parmelia Hilton Perth, Perth.

