Tuesday, 19 July 2011

Can you trust a Police Forensic Report?

THIS IS A CLOSED CASE AND ALL THE INFORMATION PROVIDED IN THIS ARTICLE IS AVAILABLE ON THE PUBLIC DOMAIN. STRATHCLYDE FORENSICS NEVER PUBLISHES PERSONAL INFORMATION OF ITS CLIENTS. PERMISSIONS AND APPROVALS WERE SECURED BEFORE ANY PUBLICATION.

THE FORENSIC EXAMINATION

Most forensic examiners working for the defence will come across Police Forensic Reports that are produced as evidence. My first experience with such a report was more than a year ago. The case was brought by the Procurator Fiscal against a Mr Craig MacLean. Mr MacLean was arrested on charges of possession of drugs and of dangerous driving while he tried to evade arrest.

Once Mr MacLean's car was stopped, but before he was arrested, he took the batteries out of his mobile phones and threw them onto the back seat. The police officers found the mobiles and the batteries in two different places and bagged them as separate pieces of evidence.


 

PHOTOS: (left) the bag on the left with the battery of the Nokia N95. (right) the Nokia N95 itself

Dumfries and Galloway Constabulary, who seized the evidence, investigated the phone and then kept the handset and the battery in different bags in the evidence locker (of the two mobile phones, the N95 is the one of interest in this case).

I decided to see how the police had investigated the device, so I asked them to perform a second investigation using their own platform (TAP Systems CellDEK).

The forensic team (one civilian, one officer) were very accommodating, replied to all my questions and did not cause me any delay at all. The investigation with CellDEK was initiated, and that is when things started to go wrong. The CALL LOGS could not be extracted. The officer in charge tried again and again, and started trying different settings.

In the end I got the report with all the extracted information except for the call logs. At first we all believed that the loss of the call logs was caused by the handset having been disconnected from its battery for such a long time (May 2009 to January 2010).

When I got back and started going through the details, I realised that the discrepancies were more severe.


The table above shows the results of the initial examination (8/5/2009) and my examination (12/1/2010).

There are three sets of calls (dialled, answered, missed) that are now missing from the handset. But there is an important discrepancy with the SMS messages too. Nothing is missing there; instead, there are 22 messages MORE. Of course I checked the date and time stamps of all 700 messages to see if anything had been received after 8/5/2009. Nothing had. This means that these messages were not retrieved in the initial examination.

In cases of discrepancies, the burden of proof would lie with the investigator. However, in this case, there was no such burden. The Dumfries Constabulary had handed a forensic report to the Procurator Fiscal (the Public Prosecutor, for those not familiar with Scots Law) and now they could not repeat the same processes with the same results and back up their findings.

The device (CellDEK) was approved by the Forensic Science Service (http://www.forensic.gov.uk/). I could not get any feedback from Tap Systems, the FSS or ACPO.

WHAT HAD ACTUALLY HAPPENED?

Further study of the results and of the possible reasons for what happened revealed the following:


  • The call logs were lost because Nokia phones have a setting for how long they keep call records. The usual default is 30 days. This means that they would have been lost one way or another. 
  • The extra SMS messages appeared after using a setting called "exclude attachments", which should be irrelevant to text messages: SMS messages only carry plain text. 
  • The Dumfries Constabulary did not take a hex dump (the equivalent of a forensic image of a hard disk) in order to preserve the evidence. This is in direct violation of the Guidelines issued by ACPO (the Association of Chief Police Officers). 
  • The Dumfries Constabulary forensics lab tested the evidence twice. Two different people examined the Nokia handset. The problem is that they examined it under the same conditions and with the same platform (CellDEK). This simply means that if there was a problem in the first examination, it would be repeated in the second one as well.

WERE THE STAFF AT FAULT?

The answer is probably NO. The staff were following protocol. A police officer cannot just do whatever they want because they disagree with the protocols. Police protocols are there to ensure things happen in a certain way.

And in this case, this was the problem. The protocol was not up to date. It was not well designed and it had fundamental faults that were repeated and accumulated.


CONCLUSIONS

It is amazing that all these issues were the result of FOLLOWING PROCEDURES. Protocols are there to protect the evidence, and in this case they did not. It was obvious that the protocols in place were wrong.


  • Bagging a battery as a different piece of evidence from its corresponding handset is not correct. Once you have examined them for fingerprints, DNA or any other chemical test, these two items should be put back together. 
  • Double checking a process with the same equipment is not error-proof. Electronic evidence is used to send people to prison. It is used to make sure innocent people stay free and criminals get sentenced. The police have a duty to ensure that the evidence they recover is correct and complete. The best way to avoid such errors is to have at least two different platforms from different vendors, in order to corroborate any findings.
  • The Dumfries Constabulary (by their own admission) did not have the facility to keep copies (hex dumps) of the mobile phones they investigated. This means they could not make sure that the evidence would not be altered in the future. This is a direct violation of the ACPO guidelines in their Good Practice Guide for Computer-Based Electronic Evidence. With the lack of legislation on electronic evidence in the UK, these guidelines are widely accepted by all computer forensic experts and by the courts. It is a dark day when the police fail to follow their own guidelines. 

The police had compromised their own investigation. Officers produced an inaccurate report, based on an officially approved platform and on the protocols that were in place. There was no real corroboration of the evidence and no preservation of the original data. The police had compromised this investigation twice. There was every possibility that further errors had been made, even if they were not apparent to me at the time. My recommendation was to ask the court to disregard the police report. 
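To make the reasoning behind the "22 messages MORE" finding above, and the corroboration point in the list just concluded, concrete, here is an added Python example. It is mine, not code from the original post or from Strathclyde Forensics. It cross-checks two extractions of the same handset: per-category counts first, and then, for anything the second extraction returned that the first did not, the timestamp test against the seizure date that separates an incomplete first extraction from activity on the handset after seizure. The records are constructed sample data, not the case figures, and the category names and reference identifiers are my own assumptions.

```python
from collections import Counter
from datetime import datetime

# Anything timestamped after 8/5/2009 (the seizure and first examination) would
# be activity on the handset while it was already in police custody.
SEIZURE_CUTOFF = datetime(2009, 5, 8, 23, 59, 59)


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed sample extractions: (category, reference, timestamp).
# The figures are illustrative only, not the counts from the case.
INITIAL_EXAM = [
    ("dialled", "d1", _ts("2009-05-01 09:10")),
    ("dialled", "d2", _ts("2009-05-03 18:45")),
    ("answered", "a1", _ts("2009-05-02 12:00")),
    ("missed", "m1", _ts("2009-05-07 22:30")),
    ("sms", "s1", _ts("2009-04-20 08:00")),
    ("sms", "s2", _ts("2009-04-25 19:15")),
    ("sms", "s3", _ts("2009-05-06 10:05")),
]

SECOND_EXAM = [
    # call logs no longer present; the SMS store now yields two extra items
    ("sms", "s1", _ts("2009-04-20 08:00")),
    ("sms", "s2", _ts("2009-04-25 19:15")),
    ("sms", "s3", _ts("2009-05-06 10:05")),
    ("sms", "s4", _ts("2009-03-30 14:40")),
    ("sms", "s5", _ts("2009-05-07 23:59")),
]


def count_by_category(records):
    """Number of records per category (dialled, answered, missed, sms, ...)."""
    return Counter(cat for cat, _, _ in records)


def compare_counts(first, second):
    """Per-category tuple (first_count, second_count, verdict).

    A lower second count means data present at the first examination is gone;
    a higher one means either the first extraction was incomplete or the
    exhibit changed after seizure. Counts alone cannot tell which, so the
    timestamp check in classify_extra() is needed as well.
    """
    a, b = count_by_category(first), count_by_category(second)
    report = {}
    for cat in sorted(set(a) | set(b)):
        n1, n2 = a.get(cat, 0), b.get(cat, 0)
        if n2 < n1:
            verdict = "LOST_SINCE_FIRST"
        elif n2 > n1:
            verdict = "MORE_IN_SECOND"
        else:
            verdict = "CONSISTENT"
        report[cat] = (n1, n2, verdict)
    return report


def classify_extra(first, second, category, cutoff):
    """Split the records of `category` that only the second extraction returned.

    Returns (missed, post_seizure): references timestamped on or before
    `cutoff` were on the handset all along and the first extraction missed
    them; references after `cutoff` show the exhibit was not preserved.
    """
    seen = {(cat, ref) for cat, ref, _ in first}
    extra = [(ref, ts) for cat, ref, ts in second
             if cat == category and (cat, ref) not in seen]
    missed = [ref for ref, ts in extra if ts <= cutoff]
    post_seizure = [ref for ref, ts in extra if ts > cutoff]
    return missed, post_seizure


def audit(first, second, cutoff=SEIZURE_CUTOFF):
    """Human-readable findings for every category whose count differs."""
    findings = []
    for cat, (n1, n2, verdict) in compare_counts(first, second).items():
        if verdict == "CONSISTENT":
            continue
        line = f"{cat}: {n1} -> {n2} ({verdict})"
        if verdict == "MORE_IN_SECOND":
            missed, post = classify_extra(first, second, cat, cutoff)
            line += (f"; {len(missed)} missed by first extraction, "
                     f"{len(post)} post-seizure")
        findings.append(line)
    return findings


if __name__ == "__main__":
    for finding in audit(INITIAL_EXAM, SECOND_EXAM):
        print(finding)
```

On the sample data the audit reports the call-log categories as lost since the first examination and the SMS category as larger in the second extraction, with both extra messages dated before the seizure cutoff and none after it. That is exactly the split that matters in the post: extra items with pre-seizure timestamps point at an incomplete first extraction, whereas any post-seizure timestamp would point at the exhibit having been altered in custody. The same comparison applies unchanged when the two inputs come from two different vendors' platforms rather than from two runs of the same one.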

Everyone is entitled to a fair trial, and compromised evidence would never allow a fair trial to take place. 

It is imperative for every defence solicitor to question any police report related to their client. Get the right expert and audit every line of every report. Mistakes will be found and they can be used in Court. 



Vassilis Manoussos, MSc,PGC,BSc,AAS
Digital Forensics Consultant.
www.StrathclydeForensics.co.uk
email: blog@strathclydeforensics.co.uk

Friday, 24 June 2011

Digital Forensics & Litigation Support in the 21st Century

Welcome to my blog.

In this blog I will discuss issues of digital forensics and litigation support.

Modern day cases are affected, to different degrees, by digital evidence, digital artefacts and electronic records.
These are some of the major areas of forensics that we shall be discussing in the following posts:


  1. Computer Forensics
  2. Mobile Phone Forensics
  3. SATNAV Forensics
  4. Cell Site Analysis
  5. Internet History and Email Tracing
  6. Data Recovery
  7. Spyware and other Malware
  8. e-Discovery
  9. Password recovery
  10. Auditing of expert witness and police reports.

Feel free to browse these postings, and to post your questions, which we shall try to answer.