Computational Forensics

Interesting article from IEEE Spectrum:

During two years of deliberation by the National Academy's forensic science committee (of which I was a member), a troubling picture emerged. A large part of current forensics practice is skill and art rather than science, and the influences present in a typical law-enforcement setting are not conducive to doing the best science. Also, many of the methods have never been scientifically validated. And the wide variation in forensic data often makes interpretation exceedingly difficult.

So how might greater automation of classical forensics techniques help? New algorithms and software could improve things in a number of ways. One important area is to quantify the chance that the evidence is unique by applying various probability models.

Computational forensics can also be used to narrow down the range of possible matches against a database of cataloged patterns. To do that, you need a way to quantify the similarity between the query and each entry in the database. These similarity values are then used to rank the database entries and retrieve the closest ones for further comparison. Of course, the process becomes more complicated when the database contains millions or even hundreds of millions of entries. But then, computers are much better suited than people to such tedious and repetitive search tasks.
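The ranking step the article describes, written out as an added example that is not part of the article or of this post: each catalogued pattern and the query are reduced to a feature vector (the feature extractor is assumed to have run already; the vectors and names below are constructed), every entry is scored with cosine similarity, the entries are ranked, and the closest few are returned for human comparison. The "match rate" function is a deliberately crude empirical stand-in for the probability models the article mentions: it reports how many catalogued patterns score as well as the threshold, which with a tiny catalogue is only illustrative.

```python
import math
from typing import Dict, List, Tuple

# Constructed catalogue of cataloged patterns, each already reduced to a
# feature vector (assumption: a feature extractor has run on the images).
CATALOG: Dict[str, List[float]] = {
    "pattern-A": [1.0, 0.0, 0.5, 0.5],
    "pattern-B": [0.0, 1.0, 0.0, 0.0],
    "pattern-C": [1.0, 0.0, 0.0, 0.0],
    "pattern-D": [0.0, 0.5, 0.5, 0.5],
}


def cosine_similarity(a: List[float], b: List[float]) -> float:
    """Similarity in [0, 1] for non-negative feature vectors; 0 if either is all zeros."""
    if len(a) != len(b):
        raise ValueError("feature vectors must have the same length")
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


def score_catalog(query: List[float], catalog: Dict[str, List[float]]) -> List[Tuple[str, float]]:
    """Score every catalogue entry against the query, highest similarity first."""
    scored = [(name, cosine_similarity(query, vec)) for name, vec in catalog.items()]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return scored


def retrieve_closest(query: List[float], catalog: Dict[str, List[float]], top_k: int = 3) -> List[Tuple[str, float]]:
    """The entries an examiner would look at by hand: the top_k ranked candidates."""
    return score_catalog(query, catalog)[:top_k]


def empirical_match_rate(threshold: float, scored: List[Tuple[str, float]]) -> float:
    """Fraction of catalogue entries scoring at least `threshold`.

    Crude empirical estimate of how often an unrelated catalogued pattern
    matches the query as well as a candidate did (assumption: the catalogue
    is representative of the population). Small catalogues make this
    number illustrative only.
    """
    if not scored:
        return 0.0
    hits = sum(1 for _, s in scored if s >= threshold)
    return hits / len(scored)


def triage(query: List[float], catalog: Dict[str, List[float]], top_k: int = 3, threshold: float = 0.8) -> dict:
    """Candidates for manual comparison plus the empirical match rate at the threshold."""
    scored = score_catalog(query, catalog)
    return {
        "candidates": scored[:top_k],
        "match_rate_at_threshold": empirical_match_rate(threshold, scored),
    }


if __name__ == "__main__":
    query = [1.0, 0.0, 0.5, 0.5]
    for name, score in retrieve_closest(query, CATALOG):
        print(f"{name}: {score:.3f}")
```

Cosine similarity is only one choice; the point of the structure is that the similarity function is swappable while the ranking and the retrieval of the closest entries stay the same, and that the final comparison is still left to a person.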

Posted on December 20, 2010 at 11:48 AM • 16 Comments


Ross Patterson • December 20, 2010 2:56 PM

Applying actual science to forensics might have prevented the FBI "bullet lead" debacle (

Today's XKCD dovetails nicely. Science works, ... people.

Thomas • December 20, 2010 3:47 PM

@Ross Patterson

Sounds like they were lacking in math, not science.

I think the problem with computational forensics is that very few people actually know how a computer works, rather than simply knowing how to use one.

By and large this is not a problem. You don't need to know how an internal combustion engine works to drive a car, but you'd hope that your mechanic does (obligatory computer/car analogy).

Providing fancy whizz-bang tools with icons and menus is exactly the wrong thing to do.
Rather than train ambulance crews how to do brain surgery, teach them to stabilise the patient and get them to the surgeon (i.e. preserve the evidence and get it to the experts; don't run WonderForenzixForDummies.exe).

Of course, an education system geared towards churning out lawyers and bankers probably can't provide enough computer scientists.

Clive Robinson • December 20, 2010 4:00 PM

The main problem with forensic evidence (other than the CSI effect) in court is "it's not the evidence" but "reports on the evidence" that are examined.

I've said it before (and yes, it's an over-generalisation) but judges understand and judge paper, not evidence.

There was a case in Scotland of a policewoman's fingerprint supposedly turning up in a crime scene. She was part of the perimeter guard but claimed she did not actually go into the crime scene, and thus could not account for how her fingerprint got there.

She lost her job; it went to court, fingerprint experts from the police lab claimed it was a good match, etc. The judge accepted their word.

Only the claims were false: it was not her fingerprint at all. When it went back to court the forensic people only showed a small part of the print found and her print, but they were not a good match. When the full print found was seen it was obvious to a lay person's eye it was not her print.

To this day the fingerprint service involved will not admit in any way they made a mistake.

And this is the point: we don't challenge the actual evidence, only reports on the evidence that are supposed to be impartial and independent (and invariably aren't).

If an expert witness cannot show all of the evidence and take a jury through it clearly then it's not evidence, because the burden of proof requirement is not met.

But every day in every country there is this problem of "evidence" that is actually a "report" being waved through a court because the judge is overly reliant on the expert witness being supposedly independent, unbiased and forthright with the court.

In most cases it probably does not matter, but in some it's crucial, and for a judge to not allow aggressive cross-questioning of expert witnesses because "it might confuse the jury" is a very sad state of affairs.

As one judge once put it, "there is a golden thread of truth" that runs through every case; it should not be allowed to be spun and cast into Gordian knots by unchallenged expert witnesses just to save a little confusion of one or both of the tribunals, for if it is, justice is not served.

tyler • December 20, 2010 7:48 PM

One problem with forensics is control of evidence. The police/prosecution store, control, and examine the evidence. They have an incentive to make a conviction and get a case off their books. In the case of computer forensics, how does the defense and jury know that the defendant's storage devices haven't been modified by the examiners to aid in conviction?

aquaregia • December 20, 2010 9:44 PM

This is an interesting topic, especially in relation to mobile phones. Zdziarski's technique involves uploading a custom firmware to an iPhone, and while that may be well and good, LE accepts his premise that his firmware does not touch userland, with absolutely nothing concrete to back that up. An iPhone is not a hard drive; merely powering it up alters the phone, and this is an issue that needs such analysis as mentioned by the previous commentators. On a side note, the iPhone unlockers apparently have a copy of an iPhone LE forensics suite. Whether it's related to Zdziarski is unknown, but the irony would be delicious if an application suite used to analyze an iPhone forensically was used to create an exploit that in turn makes it HARDER for the forensic examiner.

ambalaj • December 21, 2010 5:02 AM

And this is the point: we don't challenge the actual evidence, only reports on the evidence that are supposed to be impartial and independent (and invariably aren't).

Jim Turner • December 21, 2010 10:10 AM

Grits for breakfast has been covering Texas forensics problems for a long time, including one execution of a probably innocent man due to bad fire forensics.

They did set up a forensics commission but it is tangled up in the political weeds. Sad that so much forensics is guess work with letters after a name behind it.

G • December 21, 2010 11:05 AM

>In the case of computer forensics, how does the defense and jury know that the defendant's storage devices haven't been modified by the examiners to aid in conviction?

Digital signatures/hashes and chain of custody, even if you're not American and have no legal requirement to do chain of custody - it serves a purpose.

And I agree with Thomas, there will NEVER be a "Computer Forensics for Dummies"; either you know your stuff or you become IT consultant nr 1249872331. And COTS software only does what the masses want; sometimes you just HAVE TO invent your own stuff to solve a case.

A good IT-forensics examiner has a varied background as a network tech, a programmer and quite possibly some experience with users and their behaviour.

Please note that I did not use the words "Certified", "Certificates" or "Private investigator" in the previous sentence.
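Tyler's question above and G's answer (hashes, signatures and chain of custody) taken together, as an added example that is neither commenter's code: the acquired image is hashed at acquisition time, the hash goes into a custody record along with who acquired what and when, the record is authenticated so it cannot be quietly edited, and any later examination re-hashes the image and checks it against the record. The image bytes, examiner name, timestamp and key are constructed; HMAC-SHA256 is used here as a stand-in for the digital signature G mentions (assumption: a real workflow would sign with the examiner's own key and hand the record, not the key, to the other party).

```python
import hashlib
import hmac
import json
from typing import Dict

# Constructed stand-in for an acquired disk image. A real image is a file
# read in binary mode; the hashing below is identical either way.
IMAGE = b"\x00" * 512 + b"constructed disk image payload" + b"\xff" * 512

# Constructed key for the examiner's HMAC (assumption: stands in for a
# signing key; it is never stored alongside the record it authenticates).
EXAMINER_KEY = b"constructed-examiner-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the full image; recorded once at acquisition."""
    return hashlib.sha256(data).hexdigest()


def acquisition_record(image: bytes, examiner: str, acquired_at: str, source: str) -> Dict[str, str]:
    """Custody record written before any analysis touches the image."""
    return {
        "source": source,
        "examiner": examiner,
        "acquired_at": acquired_at,
        "sha256": sha256_hex(image),
        "size": str(len(image)),
    }


def canonical(record: Dict[str, str]) -> bytes:
    """Stable byte encoding so the same record always authenticates the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: Dict[str, str], key: bytes) -> str:
    """HMAC over the canonical record (stand-in for a digital signature)."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(record: Dict[str, str], signature: str, key: bytes) -> bool:
    """Constant-time check that the record has not been edited since signing."""
    return hmac.compare_digest(sign_record(record, key), signature)


def verify_image(image: bytes, record: Dict[str, str], signature: str, key: bytes) -> bool:
    """Both the record and the image it describes must check out."""
    if not verify_record(record, signature, key):
        return False
    return hmac.compare_digest(sha256_hex(image), record["sha256"])


if __name__ == "__main__":
    rec = acquisition_record(IMAGE, "examiner-1", "2010-12-20T11:48:00Z", "hdd-serial-CONSTRUCTED")
    sig = sign_record(rec, EXAMINER_KEY)
    print("original image verifies:", verify_image(IMAGE, rec, sig, EXAMINER_KEY))
    tampered = bytearray(IMAGE)
    tampered[600] ^= 0x01  # flip one bit somewhere in the image
    print("altered image verifies:", verify_image(bytes(tampered), rec, sig, EXAMINER_KEY))
```

The check only answers Tyler's question if the hash was recorded and disclosed before the examiners started work; a hash computed after the fact proves nothing about what happened in between, which is exactly why the custody record carries the acquisition time and examiner alongside the digest.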

o.s. • December 21, 2010 3:05 PM

I really hope something comes from this because the US justice system has become a laughable tragedy where the wrong people are constantly going to jail based on bias and prejudice. An open source, public and frequently inspected software program that takes evidence as input and reports on how likely it is a match to the suspect as output would be a monumental step forward in mitigating prosecution and officer misconduct and make sure that the right people really do get locked up for a change.

Clive Robinson • December 22, 2010 4:18 AM

@ Tyler,

"In the case of computer forensics, how does the defense and jury know that the defendant's storage devices haven't been modified by the examiners to aid in conviction?"

If you have not taken certain precautions in advance then it's a case of how inept they are, and not just how skilled you are but how much time you get to examine the "evidence".

And it is this time factor prosecutors are using. They withhold the evidence from the defence until the last possible moment and, as in one case in the UK involving complex financial records across seven companies, tell the judge that the defence could "examine the books with a calculator overnight", and the judge accepted it...

When you have idiocy of that magnitude on the bench justice will not be in any way served.

And you might be asking why the prosecution was so keen to proceed with the utmost unseemly haste. Well, it appears that the prosecution did not actually have a case. But under the UK Proceeds of Crime Act (POCA) that they had invoked, not only did they strip the defendant of his rights but they were also going to get a significant percentage (about 1/5) of any assets taken from the defendant.

Just another reason to believe that the UK is a "hollowed out country" where those at the top make sure that there is no justice for the ordinary man.

Clive Robinson • August 8, 2011 3:15 AM

@ Bruce / Moderator,

I think the above post asking

"how does the defense and jury know that the defendant's storage devices haven't been modified by the examiners to aid in conviction?"

is "link spam".

Raghupati hanji • August 28, 2011 10:23 AM

I would like to take this as a research topic; can you elaborate more on this?

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.