Tuesday, 10 January 2012

Datuk Seri Anwar Acquitted: The Importance of Evidence Integrity and Expert Witness

When I read the StarOnline on 10 January 2012 regarding Datuk Seri Anwar’s case, I’m appalled on the court’s verdict. Well, don’t misunderstand me here. I’m not going to comment at all on the verdict (especially on political sentiment) but merely to share on my knowledge and experience in processing and analyzing evidence (digital) to be adduced in the court of law. This posting is considered for academic purpose and a lesson learned!

Now, let us recap the verdict given by the honorable judge.

According to the StarOnline report, Justice Datuk Mohamad Zabidin Mohd Diah said the court could not be 100% certain after going through the evidence that the integrity of the DNA samples had not been compromised.
(Case background info: http://thestar.com.my/news/story.asp?file=/2012/1/10/nation/10233746&sec=nation)

The above finding is quite interesting, isn’t it? Nevertheless, this posting has nothing to do with any of the on going cases but only to share with the readers on the situation and challenges faced by a digital forensics analyst who analyzes the so called “digital evidence”.

In my years of experience as the Head of Digital Forensics Department/Senior Specialist at CyberSecurity Malaysia (until 2010, and I’m on PhD study leave now), we are very particular on the cases that we handled. In fact, when we started providing digital forensics service (the pioneer in Malaysia); apart from the tools, facilities and trainings, first we devised our own Standard Operating Procedure (SOP) on how to process and analyze an exhibit. The chain of custody, analysis preparation, method, tools, legal requirements and whatnot are all being addressed in the SOP. This is to ensure the process integrity which is very important (Digital Forensics Department of CyberSecurity is now ASCLD/LAB accredited, www.ascld-lab.org/cert/ALI-195-T.pdf).

With the SOP, the integrity of the evidence itself is at the same time being protected. E.g. when the evidence is being sent to us, the item is physically assessed on its condition and all the details must be clarified with the investigating officer. It can be seen through this process, the chain of custody is being established which is mandatory if not can be easily questioned during the trial.

No matter on which side a digital forensics analyst is on, both, the prosecution and defense will have their own strategies and plans. But you, as the analyst, must adhere to the SOP and legal requirements in order to protect yourself from being “attacked” or in the legal realm jargon is to "discredit" your work. Thus, the work must not be sloppy and every detail in the SOP must be followed through or you suffer bad reputation as an expert witness.

Whether the evidence is with quality or not is immaterial to you (unless you are assisting at the crime scene to collect relevant evidence, normally the investigation officer is responsible for the evidence collection). I must stress that the quality of analysis is the utmost value to the person who conducted the analysis. Of course, at the end of the day the analyst would want some tangible results from quality evidence.

I must say it is a daunting responsibility and constantly under pressure. It is not an easy job for a digital forensics analyst but challenging and interesting. There are so many technicalities to be considered during the evidence analysis.

Eventually, the digital forensics analyst will be called as expert witness after the submission of report. The difference between expert and lay witness is the former gives opinion evidence and the latter gives factual evidence. Opinion of an expert is based on the facts in a case and must be proved by admissible evidence. This scenario may be related to the issue of admissibility of expert evidence under the Evidence Act. This is on the ground that the courts need a computer expert to testify on the digital forensics evidence tendered in a criminal proceeding.

In Malaysia, acceptance of expert opinion is regulated by Section 45 of the Evidence Act 1950 which provides:
45. Opinions of experts
(1) When the court has to form an opinion upon a point of foreign law or of science or art, or as to identity or genuineness of handwriting or finger impressions, the opinions upon that point of persons specially skilled in that foreign law, science or art, or in questions as to identity or genuineness of handwriting or finger impressions, are relevant facts.
(2) Such persons are called experts.

Some of the preparations in giving expert witness testimony are as follows.
• Understanding of the available acts
• Review and validation of all findings
• Statement taking and your legal standing
• Prosecution approach in the case
• Presentation style in the court
• Court testimonial and cross examination
• Post-mortem analysis

From my readings [1] and meetings, an expert witness in Malaysia is not entirely different from other countries. However, it is difficult to discuss and put everything in this writing. A talk on Digital Evidence Integrity and Expert Witness may possibly at least take a day.

[1] S.C.Schroeder. “How to be a Digital Forensic Expert Witness” in Proceedings of the First International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE’05), 2005.