Home | Data Examination | Expert Evidence | Case Experience | Services | Michael J L Turner | Contact

Registered Forensic Practitioner

The following text of an article by Michael J L Turner published March 2006 in Computers and Law is archived at:

http://www.computerevidence.co.uk/Papers/ComputersandLaw/RegisteredForensicPractitioner.htm

Registered Forensic Practitioner: A New Breed of Expert

Michael Turner describes and comments on a new scheme for the registration and validation of forensic computer specialists

On 1 November 2005 the Council for the Registration of Forensic Practitioners ("CRFP") opened the first UK registration scheme for forensic computer specialists [1]. The first specialists in forensic computing, who join over 2,000 forensic practitioners registered in such diverse fields as Scenes of crime, Fire scenes, Fingerprints, Forensic Science, Anthropology and Archaeology, have now been registered.

What does registration mean?

CRFP registration means that the forensic computing specialist:

  • is committed to high standards of professional conduct, and
  • has been independently accredited as currently competent

In essence the scheme provides the courts and users of forensic services with external validation of a practitioner's current forensic competence against relevant and agreed assessment criteria.

Registered Forensic Practitioners are expected to keep up to date and maintain their competence. Registration is time limited - to four years - after which an applicant can apply for revalidation.

As the courts gain experience of the significance and value of registration, it is to be expected that it will become increasingly important to secure registration.

Scope of the scheme

The CRFP registration scheme applies to computer specialists who give professional/technical evidence or expert evidence in the judicial process; they may work for, or be instructed by, parties in civil cases, by law enforcement agencies or by the defence in criminal cases or by the courts.

CRFP defines computer specialists as "practitioners who are involved in the retrieval, identification, examination and assessment of data held in computing equipment". Forensic fora include the criminal and civil courts and tribunals.

Readers will know that computing is a very broad church. In order to get a registration scheme off the ground, CRFP have chosen initially to limit the scope of the scheme to practitioners who capture and examine hard disks and data media associated with stand alone PCs with an internet connection or to interpreting such data in the context of a case. The present scheme does not include communications data traffic, network investigations or evidence derived from mainframes and minicomputer systems.

The register also does not extend to opinion evidence on computer software and systems in IT contract disputes given by computer expert witnesses. However if such an expert conducts forensic examinations (for example, a software version control comparison in a Compliance with contract specification claim), (s)he would be eligible for registration.

Three Stage model

The scheme is based on a three stage model of the computer forensics process:

  • Data capture
  • Data examination
  • Data evaluation

The CRFP registration process distinguishes between these three stages of work.

Data capture is defined as "the retrieval of relevant data from the subject equipment by a forensically sound process and the creation of check data and logs to permit future verification".

Data examination is defined as "the identification and examination of data that may be relevant to a case and the production of information or exhibits to assist investigators or the court".

Data evaluation is defined as "the assessment of data in the context of other evidence in the case and the past computing environment, the drawing of deductions, construing significances, the consideration of alternative hypotheses, and the expression of opinions, particularly about the actions of users".

Applicants may apply for registration in one, two or all three fields.

What is assessed?

The registration scheme has been carefully designed to allow an applicant's current competence to practise to be assessed fairly and accurately.

An applicant for registration needs to submit:

  • Personal/professional details
  • Declarations on character and conduct
  • Professional referees
  • Recent casework details

The applicant must provide evidence of their identity and relevant qualifications, experience and training; make declarations about his/her past record and commitment to the principles in the CRFP Code of Conduct; and submit references from people who can provide information about his/her professional performance.

However the main focus of the CRFP assessment process is on assessment of the material that the applicant prepares in the normal course of practice - real casework.

Assessment by Peer review

Assessment of the real casework is against agreed essential elements of competence that have been designed to enable anyone doing safe, competent work to achieve registration.

The assessment procedure allows for the context in which the applicant works (for example, whether the applicant works mainly for the prosecution or the defence).

Applicants are required to list their most recent casework, from which the assessor chooses cases for detailed scrutiny. For each case, the applicant provides sufficient (anonymised) case documentation to give the assessor a clear picture of the work done by the applicant. In many cases, the assessor will ask for further information or raise questions with the applicant. The assessor assesses the case material provided against the essential elements, using detailed sector-specific assessment criteria, before recommending that CRFP grant or refuse registration.

Assessors are themselves subject to the same peer review assessment process as other Applicants. The Assessment process itself is subject to scrutiny by process verifiers to ensure that the assessors are consistent.

An Application Pack of all the registration documents is available for download on the CRFP website at www.crfp.org.uk or by email request to info@crfp.org

Commentary

Computer evidence is used every day in the courts and in almost every type of case. The registration scheme for forensic computer specialists heralds a future where such evidence is treated fairly and consistently by the courts. All users of forensic computer services and the courts should welcome the launch of the CRFP registration scheme.

It has been a long time coming. It is 30 years since doubts were first raised about the quality of the forensic evidence in the Birmingham Six case. It is six years since the author recommended to CRFP that a registration scheme for computing be given a high priority.

It is important to acknowledge the scale of CRFP's achievement. Six years ago computer forensics was in its infancy. Practitioners came from highly diverse communities (including computing, computer security, systems administration, software development, law enforcement agencies and forensic science) and there had been a history of bad blood between several of them.

From the inception of this scheme, CRFP have skilfully and successfully adopted an inclusive (for example with representation from ACPO, BCS, DEG, NHTCU and FSS as well as leading practitioners) and consensual approach. A new and systematic classification was made of how forensic computing work is structured. A pilot scheme, described as "a long and winding road", was completed in 2005.

The proof of the pudding will be in the eating. I guesstimate that there are perhaps 500 - 1000 potential applicants in the UK alone. There is considerable interest in the scheme among practitioners, but to be judged a success CRFP will need to translate that interest into registrations. The scheme will of course also require constant maintenance and dynamic updating of the assessment criteria to reflect the state of the art - of both computer technology and forensic computing.

CRFP's experience with computing will undoubtedly pay dividends with other digital evidence specialties, for example forensic imaging and telecommunications.

My only criticism is that the CRFP web database search is very limited - there is currently no way to identify computing specialists in all three computing sub-specialities with a single search.

Postscript

It may also be significant that within weeks of the launch of the scheme a new CPS Disclosure Manual was published that includes a whole chapter on the disclosure obligations of prosecution expert witnesses [2] and it was reported that the CPS had issued a confidential warning to police and prosecutors against a high profile computer expert witness [3]. Taken together with the launch of the CRFP registration scheme, these events may well mark the beginning of the end for the Hired Gun in forensic computing and expert evidence.

Footnotes

[1] CRFP - News Forensic Computing: http://www.crfp.org.uk/news_letter.asp?lid=20

[2] CPS Disclosure Manual - Chapter 36 Expert witnesses: http://www.cps.gov.uk/legal/section20/chapter_a.html#237

[3] The Guardian January 18 2006 - CPS questions credibility of child porn witness: http://www.guardian.co.uk/crime/article/0,,1688682,00.html

Author

Michael J L Turner MA FBCS CITP MAE FEWI RFP is an experienced forensic computer examiner, a Registered Forensic Practitioner and an established independent expert witness on computer evidence. He is also a CRFP Specialty Assessor.

E-mail: michael_turner@computerevidence.co.uk

 

 

© Copyright Michael J L Turner 2006