My research interests

I'm primarily interested in questioned digital document examination / forensic digital document examination

Forensic science is the use of science in the quest for justice - in particular in the legal context. The moniker "science" is imbued with notions of truth not present in notions such as expert - even though many legal systems do not explicitly differentiate between forensic and expert witnesses. Truth derives from epistemology; forensic science requires epistemological reflection.

My research agenda for the next few years will still be derived from a quest for justice. In a paper presented at the IFIP WG 11.9 meeting I use an argument (derived from one formulated by Calude and Longo) that uses Ramsey Theory to show that spurious correlations have to occur in big data; deep learning is bound to find such correlations, which will then be presented as truth. However, this is a resurgence of the age-old debate of deductive versus inductive knowledge, which is often paraphrased as the "law", which states that correlation cannot prove causation. However, we live in an era where the (false) epistemological belief is that correlation is sufficient to obviate (deductive) theory.

I am no longer convinced that the "space" from which truth is required is sufficient to define the discipline. Cyberspace is as poor a delimiter for a forensic discipline as the "natural world" would be. In forensic disciplines the nature of questions the discipline can answer is clearly defined. The report on Strengthening Forensic Science in the United States: A Path Forward was published by the US National Academy of Sciences in 2009; it is colloquially known as the NAS Report. This report describes an early form of digital forensics (which was a new field in 2009 when the report was published). The report states "The goal of most of [digital forensic] examinations is to find files with probative information and to discover information about when and how these files came to be on the computer" (p.181). This depiction is clearly outdated, but a better answer has not yet been provided. In fact, the report notes the origin of digital forensics was not in forensic laboratories, but as an activity carried out "by police officers and detectives who had some interest or expertise in computers" (p.181). It notes three "holdover challenges" that remain from these origins. All three challenges remain a concern; my work tends to focus on the second of these challenges: "some agencies still treat the examination of digital evidence as an investigative rather than a forensic activity" (p.181). This challenge remains a concern in digital forensics: it remains a field where researchers and law enforcement alike occupy themselves with (criminal) investigations rather than (forensic) examinations. Is it possible that, as long as the discipline is defined in terms of a "space", it is natural for researchers to want to investigate matters in that "space" because cyberspace is too broad to derive methods for forensic examination that can be answered with a common understanding of certainty?

I posit that we need to consider subfields in digital forensic science such that each of the subfields may be associated with a small set of clear forensic questions - in the same way that each subfield of physical forensics is associated with a small set of clear forensic questions. Given the specificity of such a subfield, one has a better basis to reflect on the reliability of truth claims made. One example is to think about a subfield such as questioned digital documents. The implied questions are clear: Is a digital document authentic? (Reflection raises many questions about the meaning of authenticity, but available space precludes discussion here; they are addressed by some of my publications on the topic.) Other questions relate to the age, origin or other property of a questioned digital document. In the end, such properties may again speak to the authenticity of the document, or they may have evidential value outside the context of authenticity.

There are many other opportunities to reconsider the application domain. Digital ballistics is an example that has already received some attention, albeit with a somewhat different definition from what I would propose. Compromised computing devices have much to learn from medico-legal examinations. Digital toolmark analysis exhibits notions that are present in physical toolmark analysis (with Locard's principle featuring prominently). These are not necessarily new ideas: most, if not all of them, have seen some research. However, the challenge that I want to engage with is to consider the epistemology - and by implication - reliability of truth claims in such a more fragmented, but simultaneously more integrated approach to forensic science.

For more details about my thoughts see my list of publications. The publications are in reverse chronological order; see those at the top for the most recent information. A list of postgraduate students under my supervision is also available; some of their work may also help to clarify some of the concepts noted above.