Digital Forensics FAQs

By Admin in Latest News on

Almost all sexual offences investigated by the police will involve some form of forensics. At PCD Solicitors we are managing cases on a daily basis which involve complex and crucial forensic evidence. The vast majority of forensic evidence we see comes from the examination of electronic devices and we see this in almost all alleged sexual offences such as; rape, indecent images of children, sexual assault and grooming offences. Forensic evidence can be crucial in disproving or proving an offence and it is therefore important that it is understood, interpreted and evaluated correctly. We are often approached and asked about digital forensics and what the police can and cannot retrieve from a suspects device, in this blog we have addressed some of the most frequently asked questions by our clients. 

What are digital forensics?

Digital forensics is the science of uncovering and interpreting electronic data. Where electronic devices are seized as part of a criminal investigation a forensic scientist will use specialist tools to extract the data from the device with a view to providing evidence to prove or disprove an allegation. Once the data is extracted from the device the forensic analyst will then interpret the data and provide a report of their findings which would be provided to the police and the Crown Prosecution Service. 

Can deleted data be extracted from an electronic device? 

In short the answer to this question is yes. The police and independent forensic analysts have the tools to recover deleted data from electronic devices. Whether this be messages, images, photos or documents. Every time you “delete” a file from a computer, the file is simply set aside, hidden, and marked as data waiting to be rewritten. Computer analysts use this fact to their advantage and have developed programs that detect these hidden files, allowing them to copy and open the data.

We are often asked about encrypted messaging platforms such as Whats App and Facebook. It is not complicated for the investigators to recover messages from such platforms. End to end encryption is intended to prevent data being read or secretly modified by any one other than the true sender or recipient. However, this is not automatic and chats would only be encrypted where the whats app settings are set accordingly. 

The police can recover data from Whats app and Facebook should they wish to do so. The process is difficult due to WhatsApp and Facebook being a US based company however, the UK signed a treaty with the US in 2019 to make it easier for both the police and US to work together in combatting crimes such as terrorism and child sex offences, one way which they plan to do this is to enable law enforcement agencies to work together in accessing and retrieving data sent and received on messaging platforms which are based outside of the UK. 

Where can evidence be found on a computer? 

There are many types of storage that can be used for media, what we see a lot of at the moment is data stored in a cloud or network. Evidence of the use of clouds and networks can be recovered by police. 

Electronic devices store a lot of information some of which the user will be unaware of having believed that once they have pressed the delete button the information is erased. A forensic examination can usually tell what a computer/device has been used for, what the user has done on the internet and when, and recover much of what the user wrote, read or viewed on the device. 

The police are often able to tell us that although a user is not in possession of a particular document or image, they once were. They can tell us this by following the pathways of certain data which would lead to the record of the download of a particular file. Although the file is no longer in the users possession there are still potential criminal offences arising from evidence that indicates the file was downloaded. 

I download lots of films and music, could illegal material be on my device as a result of downloading legal material using torrents? 

Yes, this is possible. It could be that illegal files are masked by the titles of files which appear to be perfectly legal. However, there is much more to consider when this is raised a defence. Firstly, search terms, the police will usually recover the search terms entered into the internet by the user of the device. A users search terms can indicate whether they have purposely searched for illegal material and therefore, strengthen any prosecution case and undermine a defendant's account that material has come into their possession by accident or mistake and they were unaware. 

In addition to search terms the police can tell us whether a file has been opened, when it was opened and when it was deleted. The opening and viewing of files is usually date and time stamped. There is also a file path created and forensic examinations would reveal what has happened with that file from the date it arrived on the users device. 

What should be included within a forensic report?

Forensic reports should detail a chain of custody. Defence solicitors would expect to see who has handled the devices since they were seized from the user, what has been done with them and any notes taken by each person that has handled the item. A chain of custody can be important where it is suspected that the evidence arising from the examination is unreliable. 

When a case goes to court and the prosecution service are required to disclose their case the defence will receive a streamlined forensic report (SFR). This report is very basic but should include enough information for solicitors to determine the strength of the case against the defendant. Due to the large volumes of data often extracted in these types of cases it is usually contained on a disc. Where a case is disputed this disc would be obtained so that the defence can instruct an expert to review the material and produce their findings. 

Is it possible my internet was hacked? 

Hacking is possible. Your IP address, email account and social media accounts are all capable of being hacked by someone who has the technical knowledge to do this. However, it is not often the police rely solely on the use of an IP address or email address to bring a case to court.

The suspicion of the police which gives them the power to obtain a warrant to search a property and seize electronic devices comes from intelligence provided to them by the National Crime Agency. This intelligence is not evidence. The intelligence is usually related to an email address, IP address or username on a social media platform which is attributed to a person living at a specific address. What the police do with the intelligence is try to turn it into evidence by examining in depth the devices linked to the suspect. 

From examination they will look to see whether the user of the device has inputted search terms indicating purposely looking for illegal material, used social media platforms with the applicable username/email address and whether there is in fact any indecent material on that specific device. This could potentially exclude that the defence that the device was hacked. 

Digital forensic can be complex and where a person is being investigated and waiting the outcome of forensic procedures it is important to seek legal advice. If you are currently facing the agonising wait of forensic examination results and have questions regarding the process, please contact one of our experience lawyers today for initial free and confidential advice.