Defending Against Junk Science Attacks

by Michael R. Anderson

It was an easier job back in the 1990s. Hard disk storage capacities were relatively small and Computer Forensics Specialists were rarely challenged by opposing counsel. It was great because almost anyone who could run a computer easily was qualified as an expert witness. Back then most attorneys and judges were illiterate when it came to computer technology and they seemed convinced that the "best evidence" was the printed final draft of a computer-created document. However, that all changed when civil litigation attorneys were forced to become more computer savvy during the booming "Dot Com" years, when theft of computer trade secrets was commonplace. As a result, civil and criminal lawyers are now much more experienced in dealing with computer evidence issues. Today, it is not uncommon for lawyers to challenge the credentials and expertise of a computer forensics specialist. That was unheard of in the 1990s. Also, "junk science attacks" are now frequently used to challenge the admissibility of computer-related evidence prior to trial.

Computer Forensics is a new forensics field and the forensic analysis of computer data is analogous to the archeological dig of a computer hard disk drive. Some liken computer evidence processing to the autopsy of a computer hard disk drive. In either case, computer forensics is not easy and, unlike other forensic sciences, the field is always subject to change as computer technology changes. Unfortunately, this happens quite often when Bill Gates builds a newer and better mousetrap. Therefore, computer evidence is fertile ground for legal challenges. The legal challenges can come in the form of challenges against the education, training and experience of the Computer Forensics Specialist. This is one reason why NTI has aligned its training with one of the top technology research universities in the United States, Oregon State University. NTI's management saw the need to bolster the credentials of Computer Forensics Specialists because most don't have academic training in computer science and/or the field of Computer Forensics.

Many Computer Forensics Specialists are self-taught computer users who may have attended one or more computer forensics seminars and they may have also been trained in the use of one or more computer forensics tools by software vendors. However, judges and juries often expect Computer Forensics Specialists to be formally trained in a disciplined forensic science. Absent such credentials, Computer Forensics Specialists are fair game for junk science attacks against the computer-related evidence in their case. This may seem like a doom and gloom scenario concerning computer forensics, but fortunately that is not the case. There are several things that can be done to thwart junk science attacks and some of them are listed here for the benefit of Computer Forensics Specialists who anticipate that their computer forensic findings may be challenged in court.

First and foremost, the Computer Forensics Specialist needs good training, and the more training from different sources the better. The field of computer forensics is very complex and different training course perspectives are valuable in the learning process. The Computer Forensics Specialist should also seek as many college and university credentials as possible that are directly tied to computer evidence processing. If the Computer Forensics Specialist doesn't have a college degree, then consideration should be given to getting a college degree. Those individuals who already have college degrees should ideally supplement them with graduate courses and university level professional development certificates. College degrees in computer forensic science are scarce and the next best thing is graduate level training and university certification in Computer Forensics. Be sure that all training courses, certificates, degrees and relevant seminars are listed on the resume. Also list published articles that are relevant to computer forensics. In this regard, NTI can help get the articles published.

Second, don't rely totally upon any one computer forensics tool concerning your findings. Computer forensics tools should also come from credible and reliable sources. But buying the tool(s) from credible sources is not enough. If the Computer Forensics Specialist relies upon just one tool, then the computer forensics tool will likely be attacked by the opposing counsel. Be aware that some computer forensics tool makers promise to come to the rescue of the Computer Forensics Specialist if he or she gets in a jam at trial. This sounds good on the surface and the software vendors are well intentioned. However, only a fool would stake their reputation and the balance of an important case upon some unknown and untested "expert witness" who has been made available by a software developer. It is always comforting to think that someone will ride into the courtroom on a white horse and save the day. But life doesn't work that way. Even if the representative from the software vendor has extensive experience in software development and hard disk drive structures, this doesn't mean that they can convey that expertise to a judge and jury. In reality the Computer Forensics Specialist is left all alone to save the day (and their own bacon).

When it comes to computer evidence findings tied to the use of computer forensics tools, cross-validation using different tools and testing techniques is the safest answer. It is all but impossible for a technology-savvy lawyer to challenge computer forensic findings when the findings were duplicated using different tools which were developed by different software developers. NTI covers this cross-validation topic heavily in its computer forensics training courses because this is very important. These cross-validation techniques have helped to overcome junk science attacks in more than one high-level national security case. By way of example, NTI's SafeBack bit stream backup software has been recently challenged with junk science attacks. However, the attacks were not successful because the accuracy of SafeBack was validated by separate validation tools.

As you may know, SafeBack is a self-authenticating (evidence grade) backup utility that has been an industry standard since approximately 1990. It relies upon highly accurate internal mathematical hashes to ensure an accurate backup and it also provides several levels of error checking. Processing anomalies and errors identified by SafeBack are fully documented in a detailed audit log. In May 2003, this popular computer forensics tool was upgraded to provide even more accuracy through the use of two separate U.S. government-tested 256-bit mathematical hashes. The accuracy of SafeBack has always been good but NTI made it better by a factor of several multiples with the release of SafeBack version 3.0. In spite of this high level of accuracy, NTI hired a separate development team to create DiskSig Pro, which is used as a powerful cross-validation tool to verify the accuracy of SafeBack images. NTI also intentionally created a development "China Wall" by keeping the SafeBack developers separate from the DiskSig Pro developers. NTI also went to great lengths to make sure that the source code was unique in each application. This might seem like overkill. However, the point is that separate cross-validation of computer forensics tools is essential in processing computer evidence. One separate tool cannot validate itself. The same is true concerning applications that share the same computer code. This is why NTI endorses the use of computer forensics tools sold by its competitors. If findings with several different tools are identical, it makes a successful junk science attack against computer-related evidence all but impossible.
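The cross-validation principle described above, as an added example that is not NTI's code and does not reproduce SafeBack or DiskSig Pro: an image digest is computed by two implementations that share no source code (Python's `hashlib` and a from-the-specification routine) and accepted only if both agree with the digest recorded at acquisition. SHA-256 is an assumption, since the article does not name the 256-bit hashes; `sha256_independent`, `cross_validate` and the sample data are constructed for illustration.

```python
import hashlib, math, struct

M = 0xFFFFFFFF

def _icbrt(n):
    """Exact integer cube root (Newton iteration from a guess above the root)."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y

def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & M

def sha256_independent(data):
    """SHA-256 written from FIPS 180-4, sharing no code with hashlib."""
    primes = [p for p in range(2, 312) if all(p % d for d in range(2, math.isqrt(p) + 1))]
    k = [_icbrt(p << 96) & M for p in primes]          # 64 round constants
    h = [math.isqrt(p << 64) & M for p in primes[:8]]  # initial hash state
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + (8 * len(data)).to_bytes(8, "big")
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16I", msg[off:off + 64]))
        for i in range(16, 64):
            s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
            s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
            w.append((w[i - 16] + s0 + w[i - 7] + s1) & M)
        a, b, c, d, e, f, g, hh = h
        for i in range(64):
            t1 = (hh + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)) + ((e & f) ^ (~e & g)) + k[i] + w[i]) & M
            t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & M
            a, b, c, d, e, f, g, hh = (t1 + t2) & M, a, b, c, (d + t1) & M, e, f, g
        h = [(x + y) & M for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return "".join(f"{x:08x}" for x in h)

def cross_validate(image, recorded_digest):
    """Check that two unrelated implementations agree with each other and with the record."""
    tool_a = hashlib.sha256(image).hexdigest()
    tool_b = sha256_independent(image)
    return {"tools_agree": tool_a == tool_b, "matches_record": tool_a == tool_b == recorded_digest}

# Constructed sample data: a fake 4 KiB "image" and a copy with a single bit flipped.
IMAGE = bytes(range(256)) * 16
ALTERED = IMAGE[:2048] + bytes([IMAGE[2048] ^ 0x01]) + IMAGE[2049:]
RECORDED = hashlib.sha256(IMAGE).hexdigest()  # stands in for the digest logged at acquisition
```

A result where `tools_agree` is false points at a tool defect rather than at the evidence, which is the case a single self-checking tool cannot distinguish.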