Expert Witness Journal Issue 63 October 2025 - Flipbook - Page 97
Case Study 2 — Chain of custody gap with cloud export
Facts: Investigators export a victim’s cloud chat history
(provider self‑service download). A hash is recorded for
the ZIP file, but not for the unzipped JSON evidence
before analysis. Defence questions continuity after a
later re‑zip.
Issues: Continuity and integrity of electronic files once
unpacked; whether initial handling met good practice.
What the court considered: Handling against
**ISO/IEC 27037** principles (identification, collection,
acquisition, preservation) and use of cryptographic
hashing (e.g., SHA‑256) across each handover, not just
at first download.
Outcome: Court accepted the explanation and
re‑established the chain by hashing the original
provider download (still retained) and the processed
working set; minor weight discount for the gap.
Lessons learned: Hash as early and as often as is
proportionate—at acquisition, at extraction, and
before analysis. Keep the original container read‑only
and record tool versions used to unpack and parse.
Case Study 5 — Non-accredited activity: admissible
but reduced weight
Facts: A provider conducts a niche audio enhancement
not yet in the accredited scope when the FSR Code
comes into force. The expert declares the limitation
and supplies validation summaries.
Issues: Effect of non‑compliance with the FSR Code
on admissibility vs weight; transparency in expert
declarations.
What the court considered: **CPD 2023 (Oct
amendment)** aligning expert declarations with the
FSR Code; CPS guidance that non‑compliance is not
an automatic bar but requires closer scrutiny.
Outcome: The opinion was admitted with cautionary
directions; court preferred features corroborated by
independent checks.
Lesson: Declare non‑compliance precisely, describe
mitigations, and provide validation data: courts can
calibrate weight accordingly.
Case Study 6 — Hashing algorithms in practice
Facts: Legacy workflow records MD5 hashes at
acquisition. During review, SHA‑256 is added. Defence
raises the topic of MD5/SHA‑1 collisions.
Issues: Whether legacy hashes undermine integrity;
best‑practice algorithm choices.
What the court considered: NIST guidance on
approved hash functions (**FIPS 180‑4** / Hash
Functions project) and sector positions (e.g., SWGDE)
emphasising preference for SHA‑2/3 for integrity, with
MD5 allowed for deduplication where appropriate.
Outcome: Integrity supported by SHA‑256 computed
on original images; MD5 retained for cross‑tool
matching only.
Practical note: Use SHA‑256/512 as the primary
integrity seal; document why any legacy MD5 remains
in the workflow.
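An added example, not taken from the article or from any case file, of the practice described in Case Studies 2 and 6: seal the container and every unpacked member at extraction, then re-check the working set before analysis. The file names, sample JSON and timestamps are constructed, and `seal`, `verify` and `make_zip` are hypothetical helper names; the point shown is that a later re-zip changes the container hash while the per-member SHA-256 values still prove continuity.

```python
import hashlib, io, platform, zipfile

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_zip(files: dict, stamp: tuple) -> bytes:
    """Build a ZIP in memory; stamp stands in for the time the archive was written."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), data)
    return buf.getvalue()

def seal(container: bytes) -> dict:
    """Acquisition and extraction record: container hash plus one entry per member."""
    members = {}
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            members[info.filename] = {
                "sha256": sha256(data),  # primary integrity seal
                # legacy value kept for cross-tool matching only
                "md5": hashlib.md5(data, usedforsecurity=False).hexdigest(),
            }
    return {"tool": "python-zipfile/" + platform.python_version(),  # unpacking tool version
            "container_sha256": sha256(container), "members": members}

def verify(manifest: dict, working: dict) -> list:
    """Pre-analysis check of the working set against the sealed SHA-256 values."""
    sealed = manifest["members"]
    problems = [f"missing: {n}" for n in sorted(set(sealed) - set(working))]
    problems += [f"unexpected: {n}" for n in sorted(set(working) - set(sealed))]
    problems += [f"altered: {n}" for n in sorted(set(sealed) & set(working))
                 if sha256(working[n]) != sealed[n]["sha256"]]
    return problems

# Constructed sample export (not real data): two JSON chat threads.
FILES = {"chats/thread_001.json": b'{"id": 1, "messages": ["hello"]}',
         "chats/thread_002.json": b'{"id": 2, "messages": ["see you at 6"]}'}
ORIGINAL = make_zip(FILES, (2025, 1, 10, 9, 0, 0))   # provider download
REZIPPED = make_zip(FILES, (2025, 3, 2, 14, 30, 0))  # same files, re-zipped later

if __name__ == "__main__":
    first, later = seal(ORIGINAL), seal(REZIPPED)
    print("container hash survives re-zip:", first["container_sha256"] == later["container_sha256"])
    print("member hashes survive re-zip:  ", first["members"] == later["members"])
    print("working set problems:", verify(first, FILES))
```
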
Case Study 3 — Proportionality and a
victim’s device
Facts: In a sexual‑offence investigation, police
request the complainant’s phone for full download.
The complainant is anxious about historic unrelated
content.
Issues: Necessity and proportionality; obtaining
informed agreement; minimising intrusion while
pursuing reasonable lines of enquiry.
What the court considered: Whether investigators
followed the **Home Office extraction code** and
**College of Policing APP** (clear explanation,
consent, scope limitation), and whether the digital
strategy complied with the **AG’s Disclosure
Guidelines (2024)** on reasonable lines of enquiry.
Outcome: A targeted extraction (date/app keywords)
satisfied the enquiry without a full device image. Clear
documentation reduced delay and distress.
Takeaway: Targeted, transparent extraction builds
trust and often yields faster, higher‑quality evidence
than broad downloads.
Case Study 7 — Experts’ discussion and narrowing
the issues
Facts: Prosecution and defence mobile experts disagree
on whether a chat was user‑deleted or app‑expired.
Issues: Clarifying the technical basis of opinions;
reducing disputes for the jury.
What the court considered: Direction for a pre‑hearing
discussion and joint statement under **CrimPR
19.6** to isolate agreed facts (e.g., database flags) and
genuinely disputed interpretations.
Outcome: Experts agreed the artefact indicated
auto‑expiry; dispute narrowed to timing assumptions.
Jury received a clear, short issue list.
Why it helps: Joint statements prevent technical
debates from overwhelming the trial and surface
uncertainty transparently.
Case Study 4 — Big data disclosure and
early strategy
Facts: A fraud inquiry seizes 10 laptops and 8 phones
from a small business. Disclosure falters months later
because no digital plan exists and search terms were
not agreed.
Issues: Managing volume; documenting reasonable
lines of enquiry; creating Schedules of Unused
Material; engaging defence early.
What the court considered: Duties under **CPIA Code
of Practice** and the **AG’s Guidelines (2024)**; CPS
guidance on experts and digital material (including
the Investigation Management Document (IMD) and
use of technology aids).
Outcome: Court imposed a revised timetable,
directed service of an IMD with prioritised terms,
and encouraged a meeting to narrow issues. Case
recovered; adjournment avoided.
Tip: Treat digital disclosure as a project: who, what,
when, with what tools—and write it down on day one
and stick to the terms agreed.
Case Study 8 — Validating a chat parser with
ground-truth data
Facts: A DFU (Digital Forensics Unit of a UK Police
Force) validates a new parser for an instant‑messaging
app using a ground‑truth dataset (devices populated
with known messages, edits, deletes). Initial tests
reveal mis‑interpreted edited‑message flags. Vendor
patch issued.
Issues: Method validation, error detection, version
control and change management in live casework.
OCTOBER/NOVEMBER 2025