
2. STATE OF THE ART

2.1 Background and terminology

The master thesis is a continuation of my preliminary study (N. Sunde, 2016), of which chapters 1.3 (Terminology and background), 2 (The journey from information to evidence) and 3 (Evidential requirements), are included. The chapters are developed further by adding new or updated theory and references. The interviews directed my attention towards additional topics, and did also lead to further literature review, updates and additional chapters to this part of the thesis. One addition that is worth mentioning is the inclusion of the identification phase of the Digital Forensics Process, which was not a part of the preliminary study. The interviews revealed a significant amount of interesting aspects in relation to this phase, and this led to the decision of including it in the thesis.

2.1.1 Criminal investigation

The purpose is the main feature that distinguishes a criminal investigation from other police activities. In the words of Myhrer, criminal investigation is described as: “Criminal investigation is a purpose-oriented process with the aim of collecting information in order to clarify whether there is basis for a criminal reaction against somebody for an act that has been committed” (Myhrer, 2014, p. 14, my translation from Norwegian).

The Attorney General has set three key objectives for the criminal proceedings in the annual circular regulating the objectives and priority of criminal cases from year 2000 and up until today (e.g. Riksadvokaten, 2016a). These objectives are high clearance rate, rapid case processing and adequate penalty. Together, these three objectives form the basis for high quality in a criminal investigation.

The objectives have been discussed by Myhrer (2014, p. 197), who somewhat disagrees with the Attorney General. Myhrer claims that high clearance rate, procedural correctness and objectivity are the three most important requirements of an investigation of high quality, and argues that as quality indicators they are clearly more important than e.g. the speediness of the criminal proceedings. This latter point is of particular interest to digital evidence, where large backlogs have been highlighted as a problem (see chapter 2.4.4).

The collection and analysis of the digital evidence is part of the investigation, and must be carried out in accordance with the Criminal Procedure Code. This means that the DFD, regardless of educational background, must comply with the same requirements as the CD when handling tasks in the criminal case. Each one of the detectives has an individual obligation to safeguard the procedural objectivity requirement stated in Criminal Procedure Code § 226, 3rd subsection.

2.1.2 Digital Forensics

An important term in this study is digital forensics. According to United Nations Office on Drugs and Crime (UNODC) (2013, p. 159), digital forensics can be described as “the branch of forensic science concerned with the recovery and investigation of material found in digital and computer systems”. When the term ‘digital forensics’ is used in this thesis, it is only in relation to investigation of criminal cases carried out by the police.

The forensic standard when handling digital evidence is the Digital Forensics Process. This process is described in further detail in chapter 2.2.2.

UNODC (2013) divides digital forensics into three categories, depending on the source of the potential evidence. Computer forensics focuses on collecting and analysing desktop computers and laptops found in homes or in businesses. Mobile device forensics is collecting and analysing low-powered mobile devices. Network forensics is described as collecting and analysing evidence from online services and cloud storage, and gathering information about network traffic.

For the purpose of the analysis of this thesis, it is not necessary to distinguish between these categories, and the term ‘digital forensics’ will be used further in the thesis.

2.1.3 Law enforcement – categories and roles

According to a report by the Norwegian Police Directorate (Norwegian: Politidirektoratet), the investigation of digital evidence in Norway is handled by police officers with technological competence, or by civil engineers employed within the police (Politidirektoratet, 2012). Regardless of background, they will handle many of the same tasks concerning the investigation of digital evidence. Several of the civil engineers are also issued with limited police authority (Norwegian: begrenset politimyndighet). They are thus legally empowered to carry out coercive measures during the investigation, e.g. search and seizure of digital evidence.

In extraordinary situations, there is a need for extraordinary tools, software or competence. The Norwegian Criminal Investigation Service has a specialized unit of engineers that can provide assistance in such cases (Politidirektoratet, 2012).

The Norwegian Police University College has delivered interdisciplinary training within the subjects law, psychology and police methodologies since 1998 (Myklebust, 2010, p. 87). This implies that the DFDs with police background have a basic investigative competence. The DFDs without police background would need training to gain a basic level of investigative competence.

Pursuant to Norwegian procedural law, the formal responsibility for a criminal case lies with the prosecutor, whilst the responsibility for the progress and implementation of the investigative tasks lies with the CD and his/her superior – the senior investigating officer.

The CD normally has a bachelor's degree from the Norwegian Police University College as a minimum. The prosecutor, the CD and the DFD each have independent responsibility to act in compliance with legal requirements and limitations. They are also responsible for contributing to an adequate progress of the investigation, and an efficient use of resources when investigating a criminal case.

A police detective, regardless of civil or police educational background, who has digital evidence handling as his/her main task will be named DFD further in this thesis.

The detective in charge of conducting the general criminal investigation will be referred to as the CD. The handling of digital evidence will often be part of the tasks of the general investigation, but not the main task of the CD.

2.1.4 Evidence – Digital evidence

UNODC defines evidence as well as electronic evidence in the aforementioned report:

“Evidence is the means by which facts relevant to the guilt or innocence of an individual at trial are established. Electronic evidence is all such material that exists in electronic, or digital form.” (UNODC, 2013, p. 157).

In Norwegian evidence theory, evidence is described by Kolflaath (2015, p. 508) as any type of information that directly or indirectly sheds light on one of the themes of proof, or elucidates the reliability of the information or the credibility of the source of information. In this definition, evidence is related to the trial. The definition does not mention evidence that is seized during investigation, which is the focus in the thesis. Importantly, evidence can have different evidential value, depending on the reliability of the information and the credibility of the source. However, in this thesis the term ‘evidence’ will be used about items or data collected during the investigation, with the potential to be presented as evidence in court.

This is in line with the more general definition presented by Carrier & Spafford as “any digital data that contain reliable information that supports or refutes a hypothesis about the incident” (B. Carrier & Spafford, 2004, p. 2).


Legally, the physical storage medium and the computer data are different objects. For this reason a distinction between seized devices and seized data is made. In relation to coercive measures, the collection of the data is part of a search (of a physical location or a computer system), whereas seizure of data takes place when relevant information is uncovered and documented (I. M. Sunde, 2015, referring to Rt. 2011 p. 296 and p. 1188). In relation to the Digital Forensics Process, seizure of devices - in its legal meaning - is done in the identification phase, and seizure of data in the analysis phase. Both are coercive measures regulated by the Criminal Procedure Code.

2.1.5 Errors

The errors addressed in this thesis originate from non-technical sources, and are of a different kind than technical errors. They might be found in many different forms. Examples of errors that may occur in a criminal investigation are misinterpretations of the meaning, value or reliability of a piece of evidence, a biased decision, or essential evidential information being overlooked.

Errors that occur in a criminal investigation might alone, or in conjunction with other circumstances, constitute errors of justice. Errors of justice are described as “any departure from an optimal outcome of justice for a criminal case” (Forst, 2004, p. 4). This is a very general and broad definition of errors. In this thesis, the focus will be on the errors that may conflict with the principle of fair trial stated in the European Convention on Human Rights (ECHR) (see chapter 2.2.1) or may lead to such poor quality of the investigation that the rule of law is at stake in the form of both wrongful convictions and acquittals.

In order to detect, avoid or prevent the errors from occurring, the sources of these errors must be uncovered during the investigation. If they stay undetected they might eventually pose a risk towards the rule of law, since there is no guarantee that the errors will be uncovered during trial. In the thesis, a number of non-technical sources of errors that may occur during the investigation will be described and discussed, as well as several countermeasures.

2.1.6 Competence

The terms knowledge, skill, expertise and competence will be used to a great extent in the thesis. To distinguish between the meanings of these terms in relation to this thesis, they should be explained in further detail.

In this thesis, knowledge refers to theoretical competence. The term skill refers to the cognitive or physical ability to carry out a task with pre-determined results. Expertise is characterized by “special abilities that only some people possess, in contrast to others who are not experts – the novices – who cannot perform to the levels of experts” (Dror, 2011, referring to Dror et al., 1993). This definition is quite general, so in the thesis, the term expertise refers to the combination of knowledge and skills on a higher level due to extensive experience in addition to the other components. The term competence is used as a general umbrella term for the terms knowledge, skills and expertise, in situations where distinction is irrelevant. So, when the term technological competence is used, the competence is of technical type, but of undefined “size”. The reason is that distinguishing between different levels of technological competence is not relevant to solving the research problem of the thesis.