
The Trial: Digital evidence excesses

Posted on 24 May 2017

Angus Marshall, Lecturer in Cybersecurity at the University of York’s Department of Computer Science, discusses his work as a Forensic Advisor on Channel 4's The Trial: A Murder in the Family, and the difficulties surrounding an abundance of digital evidence in today's criminal investigations:


The Trial: A Murder in the Family (Channel 4)

"Working as a Forensic Advisor to produce digital evidence for Channel 4’s series The Trial: A Murder in the Family (airing 21 – 25 May 2017), I had an unusual problem. I had to drastically cut back the amount of evidence available.

The problem with criminal investigations in our digital age is that there is often too much evidence, rather than not enough. Any modern criminal investigation, no matter how “trivial” the offence might be, will almost certainly involve several devices.

The vast majority of the population now routinely carry personal technology with them at all times, and the growth of smartphone usage in particular has led to new opportunities for digital evidence. Couple that with the use of digital controllers in vehicles, building control and monitoring systems, and the current trend to connect even the most mundane household devices to the Internet of Things, and a cloud of potential evidence now covers the globe.

For investigators, this creates a number of problems. Firstly, there’s the issue of actually extracting data from wherever it happens to be stored. Increasingly, devices are using strong encryption techniques to prevent personal data falling into the wrong hands if a phone or computer is lost or stolen, but the same encryption also poses significant challenges for those who need to examine the data for legal purposes. There are ways around it, but these can be costly and it often takes a few months for the techniques to be developed. In effect, the investigators have to lag behind the innovators because there is a need for them to show that their methods are robust and reliable.

Volume of data

Potentially worse than that, though, is the sheer volume of data. Now that devices routinely connect to a ‘cloud’ for backups and storage, and because the cost of solid state memory has dropped (in relative terms), a modern smartphone has more storage capacity and capability than a desktop PC would have had just a few years ago.

People are happy to record their whole lives using these pocket-sized devices, sharing data with multiple providers in order to get free services, and providing anyone who can read that data with an almost complete profile of the individual involved.

In a typical investigation involving just a single person, it has become common for six or more devices to be seized - each of which may need to be examined, and each of which may connect to several remote storage services. This can mean that there are several terabytes (TB) of data for just one person.

Investigator challenges

The investigator has a huge challenge deciding which devices to examine and which to set aside as probably less fruitful and therefore not to be examined. The risk is that evidence of innocence may be missed. Even with the use of triage tools, which automate the process of locating and identifying common evidence for certain types of offences, the sheer volume of data threatens to overwhelm investigators and the reliance on “push button” solutions means that some methods may fail to meet the standard required by the Forensic Science Regulator and the courts.

Evidence is also not limited to data stored by the devices, either deliberately or as part of the background recording usually done by the operating system, but also comes from the networks they interact with. Even if a user isn’t communicating with anything else, most of these devices constantly search for mobile and wireless networks and will connect to networks that they’ve seen before, just in case they need to communicate.

Instant messaging programs like WhatsApp, Facebook Messenger and Snapchat will happily check for new messages without user interaction, and email clients are usually configured to check at regular intervals as well. A phone in the pocket of a jacket on the back seat of a car is likely, therefore, to generate a traceable trail of connection records which could be used to track the handset even though the user hasn’t interacted with it for hours.

Ethical conundrums

Another issue arises, as well - there is an ethical conundrum. Just as in DNA work, where the scientist might discover that a profile contains markers for genetic diseases, a digital investigator can uncover additional information about things like marital infidelity, financial irregularities, breaches of company policy, etc. and can face a moral dilemma. When should such information be disclosed? And to whom?

This is especially true if the evidence uncovered is not obviously related to the matter under investigation, and probably not evidence of illegal activity, but may have some value as an indicator of the character of the person under investigation, or their typical behaviours or lifestyle. The answers to these questions are much harder to find."