VSJ – November 2003 – Work in Progress

The IAP’s President, Jim Bates, FIAP (Cmpn) has written before in these pages on his work in Computer Forensics. As readers who have not spent the last three months on the planet Zarg will know, he was engaged by the Defence in a recent high-profile court case. Here, he explains the background in more detail.

The furore over mistakes made by the Prosecution’s expert witness in the case of Soham detective Brian Stevens has once again highlighted the need for proper accreditation of people working in such jobs. As usual, the picture presented by various sections of the media is confused and misleading so let’s just look at the facts and chronology surrounding this case.

As part of Operation Ore, Detective Constable Stevens was identified as one of the names associated with credit card numbers recovered by American authorities in their investigation of a company providing (amongst other things) paid access to child pornography Web sites. West Midlands Police were asked to investigate this and visited the address of Detective Constable Stevens. His computers were seized and examined. After a preliminary examination, interest centred upon a laptop machine, on which were found some indecent photographs of children and evidence of Internet access. A civilian expert was employed by West Midlands Police to examine and report upon the content of this laptop.

As a direct result of this examination and report, D.C. Stevens was charged with six counts of possessing, and two of distributing, indecent photographs of children. D.C. Stevens strenuously denied the charges and in due course I was asked to examine and report upon the laptop contents on behalf of the Defence. This revealed that the Police expert had made a number of mistakes, to an extent that completely negated his conclusions about what activity had actually taken place on the laptop. The precise details of these mistakes do not concern us here. However, the general picture was that the recovery procedures were inaccurate and incomplete. Less than half of the stored emails and only about 75% of the available relevant pictures had been recovered. Knowledge of how the email system worked was flawed, producing inconsistent conclusions. Exhibit references had been confused and duplicated, and the final report was biased and incorrect.

An accurate evaluation of the machine content showed that a few (probably no more than 10) indecent pictures of children existed on the machine in a form that showed some of the history of their origin. There was no evidence to suggest who had been responsible for the presence of the pictures.

The Police accepted that anyone could have used the laptop to access the Internet without needing any telephone numbers, passwords or IDs. So the correct advice from the civilian expert to the Crown Prosecution Service should have been that there was insufficient evidence to support charging anyone with the appropriate offences. The investigation could then have concentrated upon who might have had access to the computer at the relevant times through telephone logs, duty rosters and so on. It has been suggested that the investigation had been hindered because BT wiped old telephone logs. In fact, this was hardly relevant since no evidence of connection to any of the Web sites mentioned in Operation Ore was recovered. Even if such logs had been available they could only have shown access from a calling number to an ISP number. Later logs might have been useful but it is not clear whether all of the required information would have been available. So at that time no external (i.e. non-computer) evidence was available to indicate who might have been accessing the computer at the relevant times.

As a normal part of my examination procedure I drew up a list of known access dates and times. The accuracy of these was established by reference to an access billing report provided by the ISP. As soon as the Defence team examined this list, it became apparent that D.C. Stevens had an unimpeachable alibi for at least one of the relevant occasions. Furthermore, on the date in question, the evidence indicated that at least three of the relevant pictures had been received by email and most of the existing pictures had been browsed.

This, of course, changed the whole complexion of the case. Whilst it was still impossible to establish who was responsible for the pictures, we could now pinpoint at least one occasion (involving many pictures) when it was certainly not D.C. Stevens.

The rest you know – the Crown Prosecution Service had no option but to drop the case and was immediately condemned by press and public across the land.  However, give it a little thought and you’ll realise that the fault did not lie with them. They are in the hands of their expert. They must act on his advice and rely upon his expertise. The prime responsibility for this fiasco rests with the civilian expert and, to a lesser extent, with West Midlands Police for employing him without verifying his competence.

So how does this affect the I.A.P. and its members? The Institution has published guidelines for ethical conduct and has in place a set of disciplinary procedures to handle any alleged breaches of these guidelines. The civilian expert in the Stevens case had no formal qualifications or recognition of his expertise by any recognised organisation. His employers therefore had no independent means of verifying his capability for the job in hand. Had he been a member of the Institution, his employers could have been certain that his peers had accepted his experience in the Information Technology field. Any subsequent allegations concerning his competence in the narrow field of forensic computing could have been addressed to the Council of the Institution and acted upon in accordance with the disciplinary procedures and codes of conduct. Genuine mistakes would, of course, be given appropriate consideration. In the real world, no one achieves perfection 100% of the time. But proven incompetence or professional negligence would have been detected and acted upon. The employer would then be aware that the individual concerned was not suitable for the work they required.

Whenever anyone is shown to be incompetent or negligent, there is always a strong probability that public perception will tar the rest of that community with the same brush. The lesson here extends well beyond the narrow and sensitive field of computer forensic work. If you are serious about your chosen profession within the Information Technology industry, get some recognition by an organisation prepared to protect its members against the activity of a few rotten apples. Show the world that you subscribe to accepted levels of ethical behaviour and be proud of your professionalism.

[Interesting project or development? Let us know at eo@iap.org.uk!]

Comments are closed.