One of the more important facets of digital forensics concerns how to document
the findings in a formal report. At first glance, this would seem to be rather
straightforward: report what you found. Appearances, however, can be deceiving.
Since the “look and feel” of every report needs to be the same for
every case, a standardized format is essential. Although not a legal document
per se, reports do end up in court. Therefore, they need to be consistent in
their format and grammatically correct. A poorly written report can adversely
affect the testimony of the examiner and cast doubt upon the subsequent
results of the examinations. After all, the report does reflect back upon the
agency, the examiner, the methods of examination, and the results themselves.

To ensure that every examiner within an agency uses the same reporting format,
a word processing template needs to be prepared and maintained (usually on
a server or on local computers). Alternatively, there are a number of in-house
developed and commercially available evidence management applications that are
programmed to generate reporting templates. If the agency has one of these
applications, then that is probably the best method to use to generate templates
and subsequent reports. Virtually all of these applications have the ability to
insert standard text phrases (automatically and/or manually) into the body of
the report, which can then be easily modified by the examiner or support staff.

Templates generally need to include four basic elements: general information
relating to the case, a description of the evidence, examination findings,
and a comments section. Depending upon the agency requirements, there could
be more. Each of these elements will contain specific detailed information
relating to the case. Overall, the report needs to contain sufficient information
to ensure that: (1) the reported results are clear, accurate, and objective;
(2) the report “answers the question” posed by the investigator’s
request for analysis; and (3) the investigator and/or prosecutor can interpret
the results of the examinations. Specifically, every report must minimally
contain or address the following information:

- the laboratory’s name, address, and contact information
- date of issuance
- whether or not the report is a “supplemental report”
- the name and address of the investigator and his/her agency
- the investigating agency’s case number
- the name(s) of the subject(s) and victim(s)
- the laboratory case identifier
- the alleged offense
- the date of receipt of the evidence
- how the evidence was received
- a clear, unambiguous description of the items submitted for examination
- the name and signature of the examiner(s) conducting the analysis
- the methods used during the testing (procedures, products, and/or software)
- deviations or additions to the methods used during testing (as applicable to interpretations)
- results of the examinations
- identification of results obtained from any subcontractor (if applicable)
- a comment stating that the results relate only to the items examined
- conditions affecting the results (if applicable)
- any associations (if made)
- the basis of any opinions and interpretation of results (if appropriate and applicable)
- case-specific information requested or required by the investigator (as applicable to interpretations or opinions)
- a statement of compliance or non-compliance with certain specifications or other requirements (as applicable to interpretations)

The exact wording for reporting examination findings is critical. For instance,
presume that a number of .jpg images portraying persons engaged in sexual acts
were discovered on the hard drive of a suspect’s computer. How is this
going to be reported? If the report states a definitive conclusion such as “hundreds
of images portraying minors engaged in sexual acts were found on the hard drive,” both
the investigator and the prosecutor clearly know the results and will begin
the legal process. However, the wording will certainly raise some defense questions
at the time of deposition or trial. How does the examiner know that they are
minors? What is the definition of a minor? Does the examiner have training
and expertise in interpreting images to ascertain the age of individuals? Are
the sexual acts real or staged? Are the images of real minors or have they
been “morphed?” Were any databases used to verify the hash values
of the images against known victims? In most instances, the answer to these
and other questions will determine the eventual outcome of the trial. For example,
consider the first question: “How does the examiner know that they are
minors?” The common statement “I know a minor when I see one” is
usually not going to hold up in a court of law. There are too many variables
such as physical development, height, weight, age itself, use of makeup, and
so forth that can influence the determination. Additionally, the majority of
investigators and prosecutors have not had specific training to determine the
age of individuals by viewing an image. Often, the images need to be referred
to a medical doctor or other expert who can render an opinion to the investigator,
prosecutor, and the court.

On the other hand, if the report states “hundreds of images portraying
apparent minors engaged in sexual acts were found on the hard drive,” the
investigator and prosecutor have reason to pause before going forward. Inserting
the word “apparent” keeps the examiner from making any definitive
conclusions, and probably none of the questions posed in the above paragraph
would be raised during deposition or trial. The report states that hundreds
of images were found and implies that minors are involved in sexual acts. Clearly,
the burden on the investigator and the prosecutor would then be to obtain an
expert’s opinion to determine if the images portray minors. Using the word
“apparent” in the report should in no way affect the jury’s determination of
guilt (or innocence). A medical doctor or other expert will state that they are
minors (if indeed they are).

Another way to report the results would be to state that “images
of potential value were found on the hard drive.” This wording causes
concern and raises some critical questions that have to be answered before
proceeding:
What does “images of potential value” mean? How many images? A
few? Hundreds? Thousands? Do the images depict apparent minors engaged in sexual
acts? Adults involved in sexual acts? Both? Neither? Are the images of any
probative value at all? There is no way the investigator or prosecutor can
interpret the results of the examinations from reading the report or decide
if the case should be prosecuted. Likewise, if the examiner has to testify
at a later date, or worse, is no longer available and someone else has to testify
to the results, would he or she have any idea what was found? There are some
agencies that report their findings in this manner. However, since the report
does not indicate the results of the examination, it cannot assist the investigator
or prosecutor and is therefore essentially meaningless.

John J. Barbara is a Crime Laboratory Analyst Supervisor with the Florida
Department of Law Enforcement (FDLE) in Tampa, FL. An ASCLD/LAB inspector since
1993, John has conducted inspections in several forensic disciplines including
Digital Evidence. John is the General Editor for the “Handbook of Digital & Multimedia
Evidence,” published by Humana Press in 2007.