Computer Forensics Expert Witness

SRC is able to assess most computer forensic cases including anything from a USB stick to a server.    Sam can review cases involving various types of operating systems including Windows, Mac OS/Apple computers, Linux and Unix based systems.

SRC has access to the latest forensic software and has current licences for the use of Axiom, X-Ways Forensics, Forensic Explorer (including Live View), and Intella as well as other forensic/high level packages.  Sam can also manually review databases, and write computer programs where required to process data/use that may not be provided via commercial software or for which other analysts/experts have been unable to provide opinions.    She can also validate the data present in your case to ensure the evidence presented is accurate and complete with the limitations fully explored.

Sam is a digital forensic expert, so is concerned about answering questions relating to What? has happened, How? it occured, Who? did it, Where? did it happen and Overall opinions in relation to comparing use to allegations and defences.    Sam does not provide data recovery or analyst level services. 

SRC is able to undertake instructions in complex cases involving potential use of WiFi points, routers, and the assignment of IP addresses (and logged MAC addresses).   This may also include evidence that has been gathered via intelligence or otherwise.

Although it may sound reasonable to expect a device to know (and log) its IP address, in practice such information is rarely logged, since a device does not need to know this information in order to function.    This means that in practice, although a location based assessment may examine for this evidence, this information is generally not stored meaning in most cases other types of evidence need to be considered. 

Network forensic cases are often technically complex, and can end up being full of acronyms.   However, Sam will attempt to simplify the concepts using easy to undertand language, while remaining technically accurate.

Sam can review network based evidence in a case on its own, and also including combining  it with computer device evidence and also with respect to mobile devices, location of use and cell site analysis.

SRC can test and consider how applications work in very specific circumstances (including for bespoke systems) and comparing this to the evidence present within cases, as well as evaluating the policies and procedures of an organisation. In the past, this has involved Sam testing/reviewing of bespoke hospital, tax, military, police and large organisations systems and security procedures.

Sam also takes instructions for a range of digital evidence cases involving ‘bespoke’ investigations requiring novel solutions which may not be achievable using commercial forensic software.   

Since 2nd October 2023, computer forensics including at an expert witness level, requires Compliance with the Code of Practice from the Forensic Regulator (362 page PDF Document opened from an external site)    

SRC follows strict procedures in terms of securely reviewing computer cases.   Sam also fully reviews raw data and otherwise to ensure all reports are prepared accurately and does not provide "push-button" forensics.   However, SRC is currently non-compliant with The Code of Practice, and does not have ISO17025 accreditation.   A full discussion of this will be provided prior to estimating, and where the instruction is accepted, the required non-compliance declarations made.   SRC can work within the ACPO Guidelines as is appropriate.

Sam receives instructions in cases where there are allegations of hacking.   She can review the technical evidence of such cases.

SRC also undertakes instructions in cases whereby hacking/viruses and/or third party use are part of the defence case.   She will review fully how material has come to reside on a device and provide opinion-based evidence in relation to if this may have been caused by a virus, hacker, third party or is user initiated (and how).

It is important to note that these cases tend to involve a much more detailed assessment than a simple virus scan - such a scan in Sam's view is limited, since it will only be able to detect what viruses are present at the time the computer/device was seized and not necessarily consider what was present relating to usage in the past.   Hence, it is important that such use is considered fully to ensure the correct assessment is made and that a defence case is fully explored.

SRC is experienced in dealing with a range of illegal to possess materials requiring secure procedures and Memorandum of Undertaking (MOU) to be signed with the police.    When funding is granted and the appropriate permissions are in place, Sam can liaise directly with the police, obtaining the disclosure of this material following the required procedures.

SRC can undertake cases where there are charges relating to terrorism (including articles).   Sam can also deal with the issues and sensitivities involved in rape cases including those that involve minors.

SRC also takes instructions involving alleged indecent images of children, extreme images and prohibited images.   Sam is experienced in reviewing such cases (including assessing the imagery) and is familiar with caselaw and legal requirements in this area.