\documentclass[12pt,a4paper,communication]{SACJ}
\usepackage{times}

\bibliographystyle{sacj}


\begin{document}
\SACJtitle{Digital Forensic Science: A Manifesto}
\SACJauthor{Martin S Olivier}{}
\SACJaddress{Department of Computer Science, University of Pretoria}

\SACJabstract{
Forensic examination of evidence holds the promise of making
claims about the truth of certain propositions with the inherent
accuracy and reliability that characterises scientific
endeavours.  The propositions may relate to the artefacts
examined or related artefacts.  The nature of propositions about
which claims can be made depends on the extent to which given
propositions fall within the ambit of scientific knowledge and on
the extent to which the examined evidence is suitable for the
application of established science.  A continuing series of
incidents illustrates that in many forensic disciplines that
promise is not met --- often because some branch of forensic
science happens not to be scientific at all.  In fact, serious
assessments of forensic science have shown that many (if not
most) branches of forensic science are not scientifically valid.

Digital forensic science is one of the newest members of the
family of forensic sciences.  A number of reasons for concern
exist that it is following in the footsteps of its more
established relatives and repeating many of the mistakes of those
other branches of forensic science.

This viewpoint is written in the form of a manifesto that is
situated in the current discourse about digital forensic science
and practice.  It challenges the current developments in digital
forensic science by positing a number of demands that digital
forensic science has to meet to be deemed scientific.  The
demands are posited as necessary, but not sufficient to ensure
that digital forensic science uses science to contribute to
justice.  An appropriate response to the manifesto is a change in
digital forensic developments or an informed debate about the
issues raised in the manifesto.
}

\SACJmaketitle



\section{Introduction}
Most members of the public probably had a rather vague notion of
forensic science until various TV shows --- starting with CSI ---
carried an image of a forensic utopia into our living rooms on a
weekly basis.  In general we were impressed --- to the extent
that jurisdictions where juries are used had to deal with the
so-called new \emph{CSI-effect}: Juries wanted the detailed and
authoritative evidence they got used to in their favourite shows
in order to make what should have been simple decisions during
their deliberations.  Unfortunately, the reality did not match
these expectations.

While many reports suggested that much of the forensic science
on these shows was in principle realistic (apart from the speed
at which test results became available) the computer scientists
(and some technically inclined computer users) amongst us were
usually not impressed when digital evidence needed to be
recovered.  The ability to type a command or two to trace the
exact physical location from which some message was received was
often beyond what we could accept as science fiction.

However, the disillusion was not limited to the situations where
jury members (or victims of crimes) learned that forensic science
could often not provide the answers.  A more significant problem
emerged.  In reality, various groups of people knew about these
problems for many years, but a wider audience became aware of
them as the popular media carried reports about the problem more
frequently.  The problem was that forensic science was not always
as reliable as touted.  Actually, it was worse: Much of what was
used as forensic science had no scientific basis.  This
knowledge soon enough made news headlines.  Stories of innocent
people who were wrongfully convicted based on flawed forensic
conclusions and spent much of their lives in prison (or were
executed) before being exonerated are indeed stories of human
tragedy, and deserve to be told.  Such stories also sell
newspapers.  Unfortunately, such stories cast a shadow of doubt
over forensic science in general.  The greatest tragedy of all
occurs when forensic practice in general deserves such a blanket
of distrust.

Comparative bullet-lead analysis and microscopic hair analysis
are just two examples of `forensic sciences' that were
discredited.  Currently bite-mark analysis is clinging to straws
to regain some of its former reputation.  Are fingerprints
unique?  Do we really interpret blood spatter correctly?  The
simple answer, using science as a yardstick, is \emph{no}.  In a
September 2016 report (cited below) the US President's Council of
Advisors on Science and Technology reconfirmed what is obvious to
so many: They found that of the seven forensic disciplines they
assessed, almost none could be deemed to be founded on science.
(Their study only considered pattern comparison methods.)

And yet, we use those methods to send people to jail and (in some
jurisdictions) to justify capital punishment.

Much research has been done in the field of digital forensics
over the past decade.  However, where so few of the forensic
disciplines --- despite their practitioners' best efforts --- are
scientific, self-reflection is indicated for all disciplines.

The document below describes the context and then highlights some
course adjustments that should be made if digital forensic
science wants to be a `real' science.  As we move more of our
daily lives into the digital realm, and realise that we have not
yet (as of September 2016) worked out how to do proper forensic
science in the physical world (with some notable exceptions), the
need to think about digital forensic science has become
imperative.




\section{The challenge of a digital forensic science}

Forensics is the application of science to determine facts that
contribute to reaching a just decision in a legal case.  While
the focus is on the law, these insights are also required in some
other situations, such as when the root cause of, say, an
aviation accident needs to be determined with sufficient
certainty to prevent similar accidents in future whenever
possible.  As a society we often rely on science to make informed
decisions about important matters.  In the safety and efficacy of
medicine, the prediction of severe weather conditions, the safety
of new technologies and the determination of the root cause of
disastrous accidents, scientific answers are preferred over other
forms of knowledge; in fact legislation often requires scientific
proof of, for example, the safety and efficacy of a new
medication before the medicine can be registered and offered for
sale.

Forensic science, in
principle, enables one to make similar informed decisions in
courtrooms and elsewhere where the law is to be applied.
However, if forensic science is not scientific but a pretence of
science, trust in the endeavour is misplaced.  Note that even
where the word \emph{forensics} (rather than the phrase
\emph{forensic science}) is used, the notion of science is
implied; almost every academic paper on, for example, digital
\emph{forensics} contains some definition that invokes science as
an inherent foundation of such forensics.

Mistakes (or even deception) occur in all forms of testimony in
legal matters.  However, mistakes in the context of
forensics introduce a systematic bias with far-reaching effects
on the justness of the justice system.  It is not hard to find
extensive lists of examples where forensic evidence was wrong and
possibly led to an incorrect determination that an accused was
guilty or innocent.  The Innocence
Project\footnote{\texttt{http://www.innocenceproject.org/}} is a
good starting point to find such examples; it should be noted
that they make extensive use of forensic science --- in particular
of DNA evidence --- to exonerate the
wrongfully convicted.  Arguably the most thorough critique of
forensic science (including recommendations about reforming the
discipline) is the US National Academies of Science report
\cite{nas} on the state of forensic science.  In its assessment of
various forensic disciplines it repeatedly finds that the
specific discipline is not grounded in science.  A more recent
report by the US President's Council of Advisors on Science and
Technology \cite{obama} finds that almost none of the (selected)
forensic disciplines it examined meets the requirements of
scientific foundational validity.  They highlight, in particular,
that ``an expert's expression of \emph{confidence} based on
personal professional experience or expressions of
\emph{consensus} among practitioners about the accuracy of their
field is no substitute for error rates estimated from relevant
studies'' \cite[p.6]{obama}.

The discourse in digital forensics has only seen limited
self-reflection about the use of science (or scientific methods)
in its activities \cite{dft}.  While some notable exceptions
exist, the few published claims that digital forensics is indeed
scientific are often based on a limited understanding of science.

Interactions in the world in which we live increasingly occur in
the digital realm; hence one would expect that criminal
activities (and civil disputes) will increasingly rely on
evidence obtained from the digital domain.  The purpose of this
manifesto is to --- in a rather informal manner --- reflect on
the inherent qualities that a discipline needs to meet to be
viewed as a forensic \emph{science}.

For the sake of brevity we simply posit that large parts of work
done under the digital forensics label ought not to be considered
forensic science. Often a debate about such a statement reveals
that different parties in the debate view the notion of science
differently.  However, while some differences in opinion about
the nature of science will always exist, an activity cannot
simply be `designated' as scientific based on some notion of
science.  Both reports referred to above emphatically reject
various disciplines' claims to be scientific --- despite the
strong belief in some of those communities that their work is
indeed scientific.

Below a number of points pertinent to a digital forensic science are
raised as a basis for reflection.  They are not intended to form
a comprehensive argument about the nature of digital forensic
science, but are a reaction to some common themes in current
research in the discipline; some points provide basic background
information; others are introduced to either support or oppose
some prevalent lines of thought in the research literature.  The
manifesto provided in the final section of this paper should
similarly be seen as a document situated in the current state of
digital forensics and the current discourse of its
`scientificness'.  It is hoped that the manifesto will have some
impact on the future course of digital forensic science --- if
not by correcting inappropriate lines of inquiry, then by a
deeper reflection of how the discipline ought to proceed.

\section{Musings about digital forensic science: 
Truth, scientific truth and legal truth}
\subsection{Some remarks on when and where the `science' is
performed}

If forensic science is the use of science to help answer disputes
in legal and related matters, a question that arises is when this
science is actually performed.  Consider, as a comparative
example, the amount of science that underlies the operation of a
modern motorcar.  However, this does not make the average driver
a scientist.  Most mechanics won't be deemed scientists.  In
fact, very few car service facilities or repair shops would
employ any scientists.  This does not imply that such places and
people do not possess extensive expertise in their specific
domain.  In fact, it will not raise many eyebrows if such a
person is called as an expert witness in some case.  However, the
person will not be able to testify as a scientist.

In the realm of forensic science the following scenario is
common: After extensive research a test is developed to detect
the presence of some substance in, say, blood.  Then
a device is developed to execute the test.  In a
particular case a phlebotomist will typically draw blood from an
individual, put it in the device and obtain a reading (or
printout) from the device.  A phlebotomist is not a scientist
(and, in particular, not a forensic scientist): In the UK there
is no formal qualification required to become a phlebotomist.
Very few states in the US require phlebotomists to hold any
particular qualification.  In a court case they can attest to the
fact that they labelled the blood samples correctly and operated
the test device according to standard operating procedures.
However, they are not qualified to offer any conclusions to the
court based on the results reported by the device.  Science
occurs during the development of the test.  Evidence on the
interpretation of the result (as well as on the accuracy of the
results) will have to be given by a scientist, who knows and
understands the operation of the underlying science.  In the case
of forensic laboratories the report of the test will (officially)
be prepared and signed by such a qualified scientist.

Note that the example in the previous paragraph does not imply
that the actual `testing' in the laboratory never requires a test
to be performed by a scientist.  The point is merely that many
people involved in a forensic science process on a daily basis are not 
(and need not be) scientists.  The process itself (and hence its
development) needs to be scientifically sound; the scientific
laws that underlie the process need to be understood (and
justified) by the developers of such a process.

Checking authenticity of data using a hash function is an example
where `science in a box' may be used by a technician in a digital
forensic science laboratory. However, if the similarity is
disputed --- say due to new results about hash collisions --- the
active involvement of the scientist may be required.  A hash
function, after all, maps an infinite number of inputs to a
limited number of outputs --- and hence there will be hashes
corresponding to an infinite number of inputs.  Hence, using a
hash to claim uniqueness is far from obvious and needs an
underlying scientific basis before conclusions may be drawn that
a given match is unique.
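
The pigeonhole argument above, together with the kind of error rate it calls for, as an added Python example (not from the paper): SHA-256 is truncated to a few bits so that two distinct inputs with the same digest can be found quickly, and the birthday bound gives the chance of an accidental match. It assumes the hash behaves like a uniformly random function; the function names and the \texttt{exhibit-N} inputs are constructed for illustration.

```python
import hashlib
import math


def truncated_digest(data: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-256(data): a deliberately small hash,
    used only to make the pigeonhole effect visible."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int):
    """Return two distinct inputs whose truncated digests are equal.
    Such a pair must exist because there are more inputs than digests."""
    seen = {}
    counter = 0
    while True:
        data = b"exhibit-%d" % counter        # constructed sample inputs
        digest = truncated_digest(data, bits)
        if digest in seen:
            return seen[digest], data
        seen[digest] = data
        counter += 1


def accidental_collision_probability(n_items: int, bits: int) -> float:
    """Probability that at least two of n_items digests coincide by
    chance (birthday problem), assuming digests are uniformly random.
    This says nothing about collisions constructed on purpose, which is
    the disputed case where the scientist has to be consulted."""
    space = 2.0 ** bits
    if n_items > space:
        return 1.0                             # pigeonhole: certain
    log_no_collision = sum(math.log1p(-i / space) for i in range(n_items))
    return -math.expm1(log_no_collision)


if __name__ == "__main__":
    a, b = find_collision(16)
    print("distinct inputs, same 16-bit digest:", a, b)
    print("full SHA-256 digests differ:",
          hashlib.sha256(a).digest() != hashlib.sha256(b).digest())
    for bits in (16, 64, 256):
        p = accidental_collision_probability(10_000, bits)
        print(f"{bits:3d}-bit digest, 10000 items: P(collision) = {p:.3e}")
```
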

\subsection{On the truths}

Science is a quest for truth.  The law, when considering
disputes, often needs to determine facts.  Facts are claims that
are true.  It was inevitable that at some point the paths of
science and law would meet.

As the first step in a project to reassess scientific truth for
application in law it is necessary to recognise that 
two different notions of truth are involved: Scientific
truth is truth that helps to explain our world.  As we learn more
about the world, the truth often needs to be adjusted.  But these
adjustments are not arbitrary.  As an example, science explains
how aerodynamic forces impact on a body that moves through air.
Such knowledge can be used to design wings that cause sufficient
lift to keep aeroplanes in the air.  If it is at some point
determined that the scientific theories were not perfect when
that plane was built, that plane will not suddenly stop flying.
The old truth was `good enough'.  The new truth is (hopefully)
better.  (Formally: it has more explanatory power.)

Legal truth, on the other hand, is whatever the court decides.
Such a truth typically remains a legal truth unless it is changed
through some judicial process (such as an appeal to a higher
court or a change in legislation).  Legal truth is often deemed
as absolute (unless changed in such an explicit manner).  Case
law (that may date back to Roman times) in common law jurisdictions
is deemed law until it is changed by a party authorised to do
so.

When a scientific truth changes, the use of an older scientific
truth in legal proceedings is often still `good enough'.
Problems arise where the older theory was not `good enough', but
where it was wrong.  The question to ask when science is used in
legal proceedings is not whether that science is perfect, but
whether it is sufficiently reliable. Newtonian physics, for
example, is adequate to consider the trajectory of a bullet even
though such physics is often deemed to have been replaced by
relativity theory.  In a dispute about the height of some
building or the boundaries of some property Euclidean geometry or
traditional trigonometry may be used, even when it (in principle)
proceeds from the assumption that the earth is flat.  On the
other hand, to use an old example, the discovery of the
(non-existent) planet Vulcan was a mistake (and the theory that
`predicted' its existence was corrected by relativity theory).

Science does not claim to be infallible; it is not hard to
find examples of scientific theories that were incorrect.
However, many of the failed forensic disciplines were not based
in science.  When a `non-scientific' forensic science discipline
fails it does not represent a failure of science.  It does
represent a failure of the legal system which never explored the
grounds on which such a discipline made claims that purported to
be based on forensic science.

To testify, is to express propositions that one believes to be
true.  The belief that a certain proposition is true may, in the
case of an eye-witness, be based on the fact that the witness
observed what is being testified to.  However, courts limit the
nature of the grounds on which beliefs may be based to accept the
belief as testimony.  Most courts will not accept a
belief based on divine revelation as evidence.  Similarly, what
one has heard from someone else is normally not admissible as
evidence and typically rejected as \emph{hearsay}.  In some
situations those who have experience of actions,
context or other related matters may share their expertise with
the court as expert testimony, which may assist the court to
better understand the matter at hand.

Forensic science, in contrast, bases its belief in the truth of a
given proposition on science.  

To illustrate, the ballistic
trajectory a projectile will follow after launch is known in
physics.  It can be calculated based on characteristics of the
projectile, the speed and direction at which it is launched, the
impact of gravity and a number of other variables.  The accuracy
with which the trajectory is calculated does not depend on the
experience of the person who performs the calculation.  It uses
theories formulated by people who may have died centuries ago and
could therefore be seen as hearsay evidence.\footnote{The first
use of scientific evidence in English Law occurred in
\emph{Folkes v. Chadd and Others (1782)} (often referred to as
the Wells Harbour case). In summary it determined that ``In an
action of trespass for cutting a bank, where the question is,
whether the bank, which had been erected for the purpose of
preventing the overflowing of the sea, had caused the choking up
of a harbour, \emph{the opinions of scientific men \emph{[sic]},
as to the effect of such an embankment upon the harbour, are
admissible evidence\ldots}''  (emphasis added)
\cite[p.157]{harbour}.} The calculation of such ballistic tables
(also known as range tables) was a routine component of artillery
used in battle.  In fact, one of the prime reasons the
development of computers became important at the time of the
Second World War was to automate such calculations.

While such a calculation is relatively simple to perform for
application in the artillery context, it may be much harder to
perform in the forensic context, where reconstruction may be the
aim.  In the forensic context muzzle elevation angle, muzzle
velocity, barometric pressure, wind speed and even the original
size and shape of the projectile may be known to a reasonable
degree of accuracy.  However, to reconstruct the trajectory (or,
at least, determine the area from which it was fired), the same
theories --- momentum, gravity, drag, drift and other
factors --- are used.  However, compared to those who fire the
projectile, the forensic examiner cannot readily determine the
values of all these variables at the time of firing, which makes
the computation significantly more complex and introduces errors,
which the forensic examiner will (hopefully) be able to quantify.

It is worth pointing out that software behaves in a very similar
manner.  It is typically easy to predict what a program will do;
however, reconstructing what a program did is much harder.  A
number of pertinent questions should be asked:
\begin{enumerate}
\item Are there scientific theories (akin to those used in ballistic
	trajectory calculation) that are useful to
	understand (or predict what will happen in)
	the digital realm?
\item To what extent (if at all) are such theories used in the
	reconstruction of events in a computing context in the
	current discourse on digital forensics?
\end{enumerate}
The latter question may be reformulated as follows: What are the
scientific theories that a digital forensic scientist can use to
justify that his or her testimony is true?  Do these theories
meet the requirements of foundational scientific validity?



\subsection{On the origins of forensic science}
An alternative route to explore the nature of forensic science is
an exploration of the roots of forensic science.  This section
explores two aspects of these roots: it explores the semantics of
the phrase and the original recognised use of science in a court
case.


Prediction observes a phenomenon (the `cause') and predicts an
outcome (the `effect').  Therefore, if $A$ (predictably) causes
$B$, and $A$ is the only cause of $B$, then if $A$ and $B$
happened, one can infer that $A$ caused $B$.  Stated differently,
$A$ now \emph{explains} $B$.  This is exactly how forensic
science uses laws to explain phenomena; forensic science is often
defined as a scientific analysis performed to determine the root
cause of one or more events.

Locard, seen by many as the father of forensic science, formulated
what has become known as \emph{Locard's exchange principle}; in
his 1934 book \emph{La Police et les M\'ethodes Scientifiques}
he formulates it as ``Any action of a human \ldots{} cannot
unfold without leaving some mark''
\cite[p.7]{locard}.\footnote{This is a direct translation as he
formulates it in the cited book: ``Toute action de l'homme
\ldots{} ne peut pas se dérouler sans laisser quelque marque.''}
It has been formulated in a number of ways --- often in the short
form: every contact leaves a trace.  While this principle is not
a scientific law, it works remarkably well, and in many ways seems
even more valuable in the digital realm.  If we know from science
that contact between $X$ and $Y$ leaves some trace $T$, observing
$X$, $Y$ and $T$ may enable us to explain $T$ (assuming the usual
caveats about determining causes from what are deemed to be
effects).

For such an explanation to be accepted as testimony, law 
is required to make two concessions: (a) It needs to recognise
some notion of scientific truth, that may be conveyed from one
scholar to another in a `hearsay' fashion and that science has
checks and balances in place to ensure `truth'; these checks and
balances override the need to hear (and cross examine) the
original scholar to determine (`legal') truth; and (b) the
scientist is allowed to \emph{conclude} that the presence of $A$
explains the occurrence of $B$. This latter concession is
important because the law prefers to hear the `facts' and then
reach its own conclusions.  Now some conclusion, based on
science rather than the law, effectively becomes a fact in the
legal process.

\subsection{On the digital}
Science, truth and reality in a sense form a triad:  Science
helps us to discover the truths about the reality in which we
live.  Conversely, if science makes correct claims (in particular,
correct predictions) about the reality in which we live, science
has uncovered truth.  (Postmodernists will arguably disagree
here, but it is not clear that postmodern forensic science is
possible\ldots)

Now enter the digital realm.  This is an environment that seems
to be human-made.  Many of its prominent concepts, such as
\emph{cyberspace}, derive from science fiction.  Reality in this
context may be virtual --- that is, reality may be `unreal'.
Yet, despite these idiosyncrasies, we have moved into this world
lock, stock and barrel.  Whether one views this `cyberspace' as an
alternative world, or just uses the Internet for shopping, banking
and talking, does not matter.  The digital is integrated in our
lives (or vice versa).  If things in life go wrong we often need
to prove claims we make.  And, in this integrated world, many
relevant events may have happened on the digital side.

Hence, it is no surprise that a branch of forensics --- digital
forensics --- developed to find truths about what happened in the
digital sphere.  But, unlike the physical world, there seem to be
very few rules that constrain the digital world.  In the physical
world, the rules of physics enable us to predict what will happen
(or explain what happened).  Is there a basis on which we can
make such claims about the digital space?

This is the purpose of this text: to explore \emph{which}
questions about the digital space can be answered in a scientific
manner, so that we can demonstrate a scientific truth for our
claims --- in particular claims that may be useful as evidence in
a legal context.

\subsection{Digital forensic science}
From the preceding it is rational to question whether a digital
forensic science can ever exist.  Most (if not all) other
forensic sciences deal with natural phenomena, natural substances
or human nature (which is also natural in some senses at least).
Even human-made tools are made of natural materials that will,
when they interact with any other natural material, behave in a
predictable manner.  Note that the word ``natural'' is used
loosely here: plastics and other synthetic materials exhibit
``natural'' characteristics --- that is, in contact with other
materials, they will (to a lesser or greater degree) react in a
predictable manner --- this artificial material possesses (an
artificial) ``nature''.

In contrast, computing and the various artefacts produced by it
are as close to alchemy as humanity has ever come.  It is
trivial to program a computer to, for any inputs $x_i$, generate
any desired outputs $y_j$; it is almost equally simple to modify
`trusted' software to produce arbitrary outputs for given inputs
--- unless security mechanisms are in place that will ensure that
the software cannot be modified. Stated differently, it seems one
needs to build systems that are so secure (and correct) that they
perform as reliably and as consistently as a law of nature does.
However, I think very few experts would be willing to stake their
reputations on such an assumption that a piece of software is
infallible (or even, say, 99.999\% reliable).

The shift from digital forensic science to computing in the
previous paragraph may not seem logical.  However, digital
evidence is --- as Fred Cohen \cite{cohen-examine} so aptly
states --- a bag of bits\footnote{Perhaps the phrase ``bag of
bit sequences'' would have been more apt.}
out of which the examiner has to extract some `evidence'.
Evidence (or, at least, meaning) may be inferred from one of only
two processes:  (1) If the bits through some justifiable process
can be arranged to form some meaningful artefact,\footnote{The
term \emph{artefact} is meant to refer to something digital
produced for later use; it forms the traces available to the
digital forensic examiner.  In a number of forensic science
branches the term \emph{artefact} refers to something
artificially introduced into a photograph or recording that was
not part of what was originally recorded; in those branches
artefacts are ignored as artificial additions to recorded
observations.} then meaning
has obviously been found.  Alternatively, (2) if the bag of bits
is the result of some computational process it may sometimes be
possible to make claims about the inputs to that process and/or
the process itself.  

\newtheorem{conjecture}{Conjecture}

\begin{conjecture}
\label{con:claims}
Digital forensic science claims can only assume one or both of
two forms, namely
\begin{enumerate}
\item That the digital data examined is an example of a
specific class of artefact; and/or
\item That the digital data examined proves or disproves a claim
that the data was the result of specific data transformed by a
specific computational process.
\end{enumerate}

More formally these two claims may be stated as follows:
\begin{enumerate}
 \item For some `recognised category' $C$ (to be elaborated on later)
and some sequence of bits $s$, the digital forensic scientist
can \emph{conclude} that $s \in C$; and/or
 \item That, given some computational process $P$, some inputs
$x$ and some output $s$, the digital forensic scientist may
\emph{conclude} that, depending on the specific values, $P(x)$
did or could have produced $s$.
\end{enumerate}

\end{conjecture}

Both of these claims, for the sake of simplicity, have been stated
in a somewhat more limited form than intended.  This will be
addressed below.  In fact, it will be shown that in this limited
form the conjecture has much wider application than what it may
seem initially.

To `prove' this conjecture in one direction (namely that
scientific forensic claims can indeed take one --- or both --- of these
two forms) examples will suffice.  However, conjectures are
conjectures because they cannot (yet) be proven; to convince the
reader that the examples to be provided are indeed correct, we
need conjecture \ref{con:design}, which is introduced below.
`Proving' the conjecture in the other direction is harder and may
indeed be shown to be false.

Note that conjecture \ref{con:claims} refers to
digital forensic science specifically; it excludes branches of
forensic science that may deal with digital artefacts, but where
the claims made are not in the digital realm.  Thus the intention
here is \emph{not} to deal with, for example, voice recognition
or authorship attribution of a recording or a document,
respectively, that happen to be in a digital format.  Those
branches include `natural' properties (such as the properties of
human speech or the vocabulary and style used to compose a
document), and hence do not face the same challenges as `pure'
digital forensic science.

A defence of the conjecture that these are the only two valid
forms of scientific forensic claims will be attempted later.
However, to proceed in the former direction (that there are
indeed two forms) another conjecture is required, which will be
colloquially formulated as follows.

\begin{conjecture}
\label{con:design}
In digital forensic science the notion of `intelligent design'
will often be sufficient to correctly classify an artefact.  The
degree of certainty with which this can be done depends on the
nature of the class.
\end{conjecture}

To illustrate this conjecture, suppose that an investigator
obtains a set of bytes for which some reasonable grounds exist to
infer that a subset of the bytes are intended to be interpreted
in a given fashion.  To make this concrete, suppose one obtains a
sequence of bytes from a system that are purportedly a JPG file.
The claim (or hypothesis) that it is a JPG file may come from the
file extension (if the file name is available), the initial bytes
of the sequence and/or a variety of other clues.  Conjecture
\ref{con:design} claims that we are able to determine whether the
sequence of bytes is indeed a JPG file or not and make that
claim with a specified degree of certainty.

Of course, if the sequence of bytes conforms to all syntactic and
semantic requirements for a JPG file, it opens in a variety of
JPG viewers and (possibly) yields an identifiable picture, the
sequence is a JPG structure, without any doubt.  The only source
of uncertainty is whether it existed on the medium from which it
was retrieved as a JPG file.  This is where the level of
certainty needs to be determined.  It is extremely unlikely that
a random sequence of bytes from a medium will form a JPG image.
On the other hand, in the unlikely case that one tries all
permutations of subsets of bytes on a medium, the likelihood that
one of the permutations will conform to the JPG specifications
increases dramatically.

Another example may be useful: if one recovers an 8-bit value
from a medium it obviously can be a member of the class of 8-bit
unsigned binary numbers.  The question whether it existed (that
is, was used) as an 8-bit binary number on the system in question
can only be answered after much more context has been studied.

Clearly, the likelihood of error does depend on the complexity
of the artefact being examined: A JPG file has a header which not
only has a standard format, but also has fields that impact the
interpretation of the remainder of the file.  As noted, when
opening the file in an image viewer one would normally expect to
see an intelligible image.  If this is true of a file, confidence
grows that we indeed have a JPG file.  A series of additional
checks, such as inspecting the EXIF metadata, may be desired to increase
confidence --- if required.  In contrast, other formats may have
much less inherent structure (effectively, much less
redundancy/meaning) and it may be much harder (or even
impossible) to confirm whether they exhibit ``intelligent design
traits.''
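
The graded confidence described above can be made concrete. The following is an added example, not code from the original text: it walks the marker segments of a purported JPG and reports which structural checks pass. The names \texttt{classify\_jpeg}, \texttt{passed\_checks}, \texttt{SAMPLE} and \texttt{DECOY} are hypothetical, the byte strings are constructed, and only segment structure is checked, not whether the data decodes to a picture.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
SOF = {0xC0, 0xC1, 0xC2}                    # baseline, extended, progressive frames
STANDALONE = {0x01, *range(0xD0, 0xD8)}     # TEM and RST0-7 carry no length field


def skip_entropy(data, pos):
    """Return the offset of the next real marker after entropy-coded data.
    Inside a scan, FF 00 is a stuffed data byte and FF D0..D7 are restarts."""
    while pos + 1 < len(data):
        nxt = data[pos + 1]
        if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
            return pos
        pos += 1
    return len(data)


def classify_jpeg(data):
    """Walk the marker segments and record every structural check that holds."""
    report = {"signature": False, "segments": [], "frame": None,
              "scan": False, "eoi": False, "trailing": None, "error": None}
    if data[:2] != bytes([0xFF, SOI]):
        report["error"] = "no SOI marker at offset 0"
        return report
    report["signature"] = True
    pos = 2
    while True:
        if pos + 2 > len(data) or data[pos] != 0xFF:
            report["error"] = f"no marker at offset {pos}"
            return report
        marker = data[pos + 1]
        pos += 2
        if marker == EOI:
            report["eoi"] = True
            report["trailing"] = len(data) - pos    # bytes after the image
            return report
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            report["error"] = f"truncated length field at offset {pos}"
            return report
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            report["error"] = f"segment FF{marker:02X} overruns the data"
            return report
        payload = data[pos + 2:pos + length]
        report["segments"].append(f"FF{marker:02X}")
        if marker in SOF:
            # The frame header's component count fixes its own length.
            if len(payload) < 6 or len(payload) != 6 + 3 * payload[5]:
                report["error"] = "frame header disagrees with component count"
                return report
            _, height, width, ncomp = struct.unpack(">BHHB", payload[:6])
            report["frame"] = (width, height, ncomp)
        pos += length
        if marker == SOS:
            if report["frame"] is None:
                report["error"] = "scan data before any frame header"
                return report
            report["scan"] = True
            pos = skip_entropy(data, pos)


def passed_checks(report):
    """Names of the checks that held, in the order they are tested."""
    return [k for k in ("signature", "frame", "scan", "eoi") if report[k]]


def seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: structurally well-formed, not a decodable picture.
SAMPLE = b"".join([
    bytes([0xFF, SOI]),
    seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"),
    seg(0xDB, bytes(65)),
    seg(0xC0, struct.pack(">BHHB", 8, 16, 16, 1) + bytes([1, 0x11, 0])),
    seg(0xC4, bytes(17)),
    seg(SOS, bytes([1, 1, 0, 0, 63, 0])),
    b"\x12\x34\xff\x00\x56",
    bytes([0xFF, EOI]),
])
# Constructed decoy: the right initial bytes with nothing consistent behind them.
DECOY = b"\xff\xd8\xff\xe0\x00\x10JFIF" + bytes(4)

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE), ("decoy", DECOY),
                       ("truncated", SAMPLE[:-2])):
        r = classify_jpeg(blob)
        print(name, passed_checks(r), r["error"])
```

A sequence that passes only the signature check is weak evidence of a JPG; each further check that holds makes an accidental match less plausible.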


It is now time to return to conjecture \ref{con:claims} to fulfil
the promise that examples of the two conjectured claims would be
provided.  For the first form the example alluded to will
suffice: If the investigator obtains a file that claims to be a
JPG image (say, through its extension), determines that it
conforms to the rules and specifications of a valid JPG image
and, when opened with an image viewer, displays what is clearly a
picture, the conclusion that the file is indeed a JPG file is
obvious.  The contents of that file can then be reproduced in a
form that will enable the court (or some suitably qualified
expert) to make its findings.  In some instances the digital
forensic scientist will be qualified to do this, given the second
form of conjecture \ref{con:claims}.

As an example of the second form of conjecture \ref{con:claims}
consider the case where the computational process $P$ is the
calculation of a known reliable hash function and the input $x$ is a
sequence of bytes.  Then the digital forensic scientist may
conclude that $s$ is (or is not) the hash of $x$.  To say that
$P(x)=s$ is straightforward; however, the intention is also to
conclude that $P^{-1}:s \mapsto x$, which needs to be qualified
by the confidence (or error rate) of such a claim, because this
is inherently a probabilistic claim.  However, note that this
example does not suggest that $P$ should be a standard,
well-studied computation: $P$ may, for example, also be a piece
of malware never encountered before.
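
The difference between the claim $P(x)=s$ and the claim $P^{-1}:s \mapsto x$ can be shown directly. The following is an added example, not code from the original text: it takes SHA-256 as $P$, truncates the output so that false matches become observable, and states the bound that qualifies the inverse claim. The function names and the input strings are constructed for the illustration, and the bound assumes that $P$ behaves like a random function.

```python
import hashlib


def P(x, bits=256):
    """The computational process P: SHA-256, keeping only the top `bits` bits."""
    digest = int.from_bytes(hashlib.sha256(x).digest(), "big")
    return digest >> (256 - bits)


def false_match_bound(bits, candidates):
    """Union bound on the chance that at least one of `candidates` unrelated
    inputs maps to a given s, assuming P behaves like a random function."""
    return min(1.0, candidates * 2.0 ** -bits)


def find_unrelated_match(s, bits, limit):
    """Search constructed inputs for some x' with P(x') == s.
    Returns (x', number of inputs tried) or (None, limit)."""
    for i in range(limit):
        candidate = b"unrelated-%d" % i
        if P(candidate, bits) == s:
            return candidate, i + 1
    return None, limit


def demo():
    x = b"recovered sector contents (constructed sample)"
    s12 = P(x, 12)                       # a 12-bit stand-in for a weak P
    other, tries = find_unrelated_match(s12, 12, 200_000)
    return {
        "P(x)=s holds for x": P(x, 12) == s12,
        "P(x')=s holds for unrelated x'": other is not None,
        "inputs tried": tries,
        "x' equals x": other == x,
        "full digests agree": other is not None and P(other) == P(x),
        "bound, 12 bits, 200000 candidates": false_match_bound(12, 200_000),
        "bound, 256 bits, 10**12 candidates": false_match_bound(256, 10 ** 12),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With 12 bits the forward claim holds for an unrelated input after a few thousand tries, so the inverse claim is worthless; with the full 256 bits the same bound is the error rate that can be reported alongside the inverse claim.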

Given the fact that these two forms of claims are used on a daily
basis in digital forensics no further elaboration is required to
substantiate their utility.  What needs attention is their
sufficiency and (eventually) a stronger justification that there
is a scientific basis for (some) such claims.

\section{The manifesto}

The manifesto that follows represents the insights that may be
gained from the discussion in the preceding sections.  Not every
point contained in the manifesto can be deduced in full from the
preceding discussion, though.


\newcounter{mi}


\subsection*{Forensic science}
\begin{enumerate}

\item The term \emph{forensics} refers to forensic
\emph{science}.  Any notion of a non-scientific forensics
contradicts a generally held understanding in the academic
literature and by the general public of forensics; such a notion
would inherently cause confusion.

\item The utility of science in forensic science is the ability
of science to explain phenomena.  The explanatory ability of
science is inherently related to its ability to (correctly)
predict.

\item The reliability (or accuracy) of a forensic science (or
forensic discipline) is limited by the accuracy with which the
underlying science can predict.

\item The term \emph{science} is contested and the problem of
demarcating science remains critical.  Philosophy of science
provides many useful insights.  In addition, standard scientific
practices, such as peer review, provide a practical basis for
demarcation.  Both the appropriate nature and appropriate
practice are necessary elements to denote an activity as
scientific.

\item Forensic science ultimately has to explain why an event is
seen as the root cause of other events.  Forensic science
therefore needs to be a science (or an application of a science
or based on a science) that (a) can justifiably claim to be a
science, and (b) has explanatory --- and hence predictive ---
abilities.

\setcounter{mi}{\theenumi}

\end{enumerate}

\subsection*{The digital realm}

\begin{enumerate}

\setcounter{enumi}{\themi}

\item Computing is used in many branches of forensic science,
such as matching exemplar fingerprints with those stored in an
extensive database or visualising physical phenomena in various
ways.  The fact that computers (and, hence, digital
representations of phenomena) are used does not imply that
digital forensics is being used.  In these cases computing is
used to support some forensic test.  If a category descriptor is
required for such computing the phrase \emph{forensic computing}
accurately reflects the activity.

\item The phrase \emph{digital forensics} is commonly used to
describe an examination of digital artefacts that \emph{exist as
digital artefacts} (rather than physical artefacts that have been
converted to digital).  To emphasise the point, fingerprints that
have been transferred to paper are not examined as paper
forensics; similarly fingerprints that have been converted to a
digital representation do not form part of digital forensics.
One possible characterisation of digital forensics is that it
examines events (or traces of events) that happened in
the digital realm; the purpose of digital forensics then is to
determine the root cause of, or to reconstruct events that
happened in cyberspace.

\setcounter{mi}{\theenumi}

\end{enumerate}

\subsection*{Examinations and investigations}

\begin{enumerate}

\setcounter{enumi}{\themi}

\item  Forensic examinations punctuate investigations.
An investigation (such as a police investigation or a
criminal investigation) typically includes many activities that
are not scientific (and that cannot be scientific).
Investigators often follow leads that are wrong or based on
unreliable evidence.  Decisions about which leads to follow and
when to abandon a specific line of investigation are often not
based on objective criteria.  The investigators' experience,
intuition, the legal requirements of obtaining search warrants
and other permissions, the behaviour of those implicated by a
case and many other factors determine the course of the
investigation.  It is expected that the investigation will
uncover relevant facts.  The role of forensic science is to test
hypotheses (or theories) that arise for (scientific) factuality.
Investigators work with leads that range from unlikely to proven
facts.  The bar for considering something a lead is low, but
leads may differ in strength; a strong lead may need much
stronger grounds to be considered a strong lead.  Do note that a
proven fact may be a weak lead --- if it, for example, turns out
to be irrelevant.

\item The phrase \emph{forensic investigation} is usually a
misnomer.  This phrase is often used when disasters (such as
airplane accidents) are investigated.  The phrase may allude to
the fact that forensic science often fulfils a major function in
such investigations.  However, such investigations include many
non-scientific aspects (such as interviews with eyewitnesses and
survivors).  Forensic examinations are typically conducted by
laboratories best equipped for the specific test to be performed;
in the case of major disasters, many forensic facilities in many
countries may be involved, where each focusses on one component,
one category of residue or some other specific facet of the
investigation.  The investigators work on the investigation; the
forensic laboratories conduct their specific analysis limited to
the question raised by the investigation team.  In order to
minimise confusion it is best to explicitly distinguish between
forensic examinations (or forensic analyses) within the context
of a (non-forensic) investigation.

\item With forensics being inherently scientific, care should be
taken to not refer to non-scientific procedures as forensic
activities. Many forensic processes may be useful during an
investigation, but the converse is not always true.  Forensic results will, in
general, be admissible in court as evidence; leads and
investigation results will not be admissible as facts unless
sufficiently corroborated.  Hence the investigator should clearly
understand the difference between the two.

\item The word \emph{evidence} should similarly be used with
care.  On the one hand, evidence may be whatever is collected in
relation to a crime --- whether it will have probative value or
not.  On the other hand \emph{evidence} may be something that
proves a claim; this is the type of evidence handed up in a court
of law.  In a forensic context, evidence ought to have the
second meaning --- (forensic) evidence will, in particular, be
evidence about which forensic truth claims are made.

\setcounter{mi}{\theenumi}

\end{enumerate}

\subsection*{Independence}

\begin{enumerate}

\setcounter{enumi}{\themi}

\item The use of forensic science is not limited to the criminal
justice system; many forensic disciplines (with digital forensics
a prime example) ought to be of use in civil matters, internal
hearings and other contexts where such evidence may contribute to
justice.  This ought to be reflected in the language used to
report research results; words such as crimes, guilt and
innocence should be used judiciously in research on the topic
since they ultimately affect the research agenda and application
of forensic research.  (This neither means that these words
should be avoided at all costs, nor that work that is of
particular use in a given context --- criminal, civil, or other
--- should be discouraged; however, many forensic procedures will
be applicable to more than one context, and their exposition and
development should not be limited by unnecessary suggestions of
context through examples, terminology or other potential biases.)

\item 
Forensic science is ultimately in the service of justice, rather
than specific users of forensic science.  Too often forensic
science research focuses on its use in law enforcement (as the
most prominent example).  Digital forensic science will often be
more useful in corporate contexts than most other forensic
disciplines.  Care should therefore be taken that the digital
forensic research agenda is balanced and serves the interests
both of those with and without access to resources.  One way of
gaining neutrality is for any work that produces a mechanism to
prove some proposition $p$ to also reflect on how to prove
$\overline{p}$ or to prove some proposition $q$ that could serve
as a rebuttal of the claim that $p$ happened.

\item
Neither law enforcement, nor the corporate sector is, in general,
equipped to do scientific research (with some significant
exceptions).  Hence the `natural home' for forensic science
research is the traditional research institutes, such as
universities.  Funding from industry or law enforcement should be
recognised as possible sources of bias (if not in the research
itself, then in the research agenda).  Hence any such sponsorship
should be explicitly declared as potential conflicts of
interest.\footnote{This is standard practice in most medical
research and already strictly enforced by the American
Academy of Forensic Sciences.}  In the ideal world digital
forensic research will be funded by government or other bodies
who have little reason to prescribe

\setcounter{mi}{\theenumi}

\end{enumerate}


\section{Conclusion}
Manifestos are often written by authors who deem it necessary to
assume and express a position at a time when they perceive a
danger that, if such an option is not expressed, an opportunity
will be lost to impact the direction of some discourse.
The use of the term \emph{manifesto} indicates strong
convictions of the author that (a) an adjustment of the course is
necessary and (b) the issues that are raised in the manifesto are
those that ought to be high on the agenda for reflection. In this
sense a manifesto is contextual; it speaks to the current
discourse, rather than provide a conclusive, comprehensive
perspective on the topic at hand.

In this manner, this manifesto does not attempt to define digital
forensic science.  Its intention is to highlight necessary (but
not sufficient) aspects of a digital forensic science.

A manifesto is, by nature, a conviction set forth by its
author(s).  A conviction does not claim to be absolutely correct,
but issues a challenge to others participating in the discourse
to engage in further discussion on the points raised in the
manifesto.  As a conviction, it is a call for change in the
current course of events.  The weaknesses of forensic science
have made newspaper headlines over many years, but the news media
are often easily dismissed as being more interested in
sensationalism, rather than facts.  However, when organisations
such as the US National Academies of Science and the United
States President's Council of Advisors on Science and Technology
raise serious concerns about the absence or lack of
(foundational) science in most of the forensic science
disciplines that they considered, it is a loud and clear signal
that introspection is required.  Although the two reports issued by these
organisations that were cited above say very little about digital
forensic science, this does not absolve the digital forensic
community from introspection and a well-considered response.
Hopefully the manifesto above posits claims that will indeed lead
to reconsideration of the `old' answers to the issues raised
(where such answers exist), and reflection on the `new' issues
raised.

\section*{Acknowledgements}
I would like to thank a number of colleagues, friends and family
members who read, commented on (and critiqued) the manifesto.
They will remain anonymous to protect them from the mob of
digital forensic practitioners who may be upset by the
publication of this manifesto.  You know who you are.  I
appreciate your assistance.

\bibliography{dfm}



\end{document}

\chapter{On the scientific bases for digital forensic science}

\section{Algorithmics}

The example regarding hashes already alluded to the first
possible basis for scientific deduction in a matter dealing with
digital forensics.  Let us use the term \emph{algorithmics} for
this category.  We know how easy or hard it is to solve many
computational problems.  Much of that is based on the (unproven)
Church-Turing thesis.  Despite being unproven, this thesis is
falsifiable (as the term is used in Popper's description of
science), is widely accepted and relied upon.  From this (and
some other theses) algorithms have been developed to digitally
sign documents, encrypt data and perform other operations used
(and relied upon) daily in the world of e-commerce and related
contexts.  In some cases flaws are discovered in specific
instances and some algorithms have been found to have inherent
weaknesses.  However, by and large, such algorithms exist that are
as trusted as other artefacts derived from science.  Often such
algorithms rely on non-disclosure of data, such as a key.
If it is not disclosed, the possibility remains of finding it through a brute
force attack (or, sometimes, another form of attack).  However, for a
brute force (and sometimes other forms of attack) it is possible
to express the probability of a successful attack --- which
translates to a calculable error rate (in the absence of unknown
attacks, where such attacks may be an option).

In general algorithmics enables the scientist to determine the
ease with which a given value can be computed (or even the
impossibility to compute a certain value).  

Categories of interest include those where a value may be hard to
compute, but easy to verify once found, as well as those where
verification remains hard even if a candidate value is found.  An
encryption key may, for example, be hard to compute; however,
once a candidate is located and the candidate decrypts encrypted
messages to ones that are meaningful the candidate has been
verified.  On the other hand, once a purported prime number has
been found, verifying the claim is intractable; however,
verifying it using probabilistic algorithms (with a known error
rate) is indeed possible.  An example of this option with more
obvious digital forensic application will be provided elsewhere.
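
Verification by a probabilistic algorithm with a known error rate, as mentioned above, can be illustrated with the Miller-Rabin test. The following is an added example, not code from the original text, and the choice of Miller-Rabin is an assumption since the text names no specific algorithm. The function names are hypothetical. The reported bound is the standard one: a composite number survives one random round with probability at most $1/4$.

```python
import random


def is_witness(a, n):
    """True if base a proves that the odd number n > 2 is composite."""
    d, r = n - 1, 0
    while d % 2 == 0:           # write n - 1 as d * 2**r with d odd
        d //= 2
        r += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return False
    for _ in range(r - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return False
    return True


def probably_prime(n, rounds=20, rng=None):
    """Return (verdict, error_bound).

    A verdict of False is certain (error_bound 0.0).  A verdict of True may be
    wrong: a composite n passes all rounds with probability at most 4**-rounds.
    """
    if n < 2:
        return False, 0.0
    if n in (2, 3):
        return True, 0.0
    if n % 2 == 0:
        return False, 0.0
    rng = rng or random.Random(0)       # fixed seed so the run is repeatable
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if is_witness(a, n):
            return False, 0.0
    return True, 4.0 ** -rounds


def liar_fraction(n):
    """Fraction of bases 1..n-1 that fail to expose the odd composite n.
    This is the empirical per-round error rate for that particular n."""
    liars = sum(1 for a in range(1, n) if not is_witness(a, n))
    return liars / (n - 1)


if __name__ == "__main__":
    print(probably_prime(2 ** 61 - 1))   # a known prime
    print(probably_prime(561))           # a composite that fools the Fermat test
    print(liar_fraction(561))            # well below the 1/4 worst case
```

The verdict and its error bound are reported together, which is the form a forensic claim based on such a computation would have to take.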

\section{Class characteristics}

A key question that often arises (and often seems easy to answer)
is the question whether a found artefact is an instance of a
given class.  The question is not often formulated in this
manner, and, this formulation is reminiscent of object-oriented
language; however, our intention is to formulate the question
using typical forensic terminology, where the terms \emph{class}
and \emph{class characteristics} are indeed common.

In digital forensics this question may manifest itself in the
context of file systems (``Is this an NTFS disc?''), files (``Is
this a JPEG image?''), system constructs (``Is this a Windows XP
registry?'') and so on.  Superficially this type of question
seems straightforward to answer (in many or even most cases).
However, the question is inherently ambiguous and needs to be
explored further --- both in terms of intent of the question and
the certainty with which it can be answered.

To illustrate this point the question may arise whether a file on
a  system is a picture that constitutes contraband.  Opening the
file with an image viewer may `reveal' an image, which, in
principle, terminates the digital forensic part of the
investigation; an expert on contraband images (or the court) is
now in a position to determine whether the image does indeed
constitute contraband.  However, if the image viewer is unable to
open the file one may rightfully ask whether this is sufficient
proof that the file does not constitute contraband.

Let us explore this question somewhat deeper.  Real-world
artefacts are often recognisable by (in Wittgenstein's terms) a
\emph{family resemblance} they share with one another.  A
modern telephone shares few similarities with one from a century
ago, but human beings view them in the same class regardless.
Digital artefacts, in contrast, are often precisely defined, and
even if only one bit out of thousands changes, it may no longer
be recognisable as such.  In other cases significant changes may
be made, with the artefact at least remaining recognisable.
Syntax is the first facet that makes a digital artefact
`recognisable'.  The format of data messages is often described
in the form of a grammar.  Backus-Naur Format (BNF), or some
extended variant (EBNF), is one common way of describing the
format.  Other options are ASN.1 (Abstract Syntax Notation 1), a
description of a data record using a (mathematical) grammar, or,
for data constructed based on an underlying formalism, such as
XML, a schema, Data Type Definition or similar structure may be
used to define the precise grammar for the stored or transmitted
artefact.

To make matters more concrete, it is, for example, possible to
verify the syntax of an image, word processor document or email.
If it parses without errors one may conclude that this artefact
is --- at least syntactically --- a member of its identified
class of artefacts.  Since such artefacts are produced by
software, it is reasonable to expect that related artefacts will
usually adhere to such a common syntax.  Consider, for example, a
popular word processor format.  Then all word processors using
this format \emph{should} use a shared syntax (at least) to
represent documents.  Making a few random changes to such a
document with a low-level editor may damage it to the extent that
the word processors will no longer be able to open it, arguably
removing it from the class of valid documents.  However, in
another instance, modification may still leave the document
usable, but possibly with contents somewhat changed.  Hence given
some format ``$D$'' it is possible that the following `related'
classes exist:
\begin{enumerate}
 \item An `ideal' class $D_I$ of all `strings' that conform to
	 the (formal) specification of $D$.  In the ideal case
	 the specification may be a grammar $G_D$ and $D_I$ is then the
	 set of all strings that can be generated by $G_D$,
	 conforming to all semantic constraints.
 \item For any program $P$ that is able to read documents in
	 format $D$, let $D^r_P$ be the set of all documents that $P$ reads
	 and interprets correctly.  Note that the term
	 \emph{correctly} here simply means that the program
	 operates without failing.
 \item For any program $P$ that is able to write documents in
 	 format $D$, let $D^w_P$ be the set of all documents that
	 $P$ can generate.
\end{enumerate}

Note that the nature of $P$ is not fixed \emph{a priori} --- it
may be a specific version of commercial software (including
dynamic libraries shared with other software with given patches
applied), it may be software (commercial or otherwise) found on a
given computer, it may be a conceptual algorithm, and so on.
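
The three classes can be separated on a small scale. The following is an added example, not code from the original text: it defines a constructed toy format $D$ (two magic bytes, a length byte, a printable ASCII payload and a one-byte checksum), a strict validator for $D_I$, a lenient reader for $D^r_P$ and a writer for $D^w_P$, and then classifies every single-byte modification of one document. The format and all names are hypothetical.

```python
from collections import Counter

MAGIC = b"DF"


def printable(payload):
    return all(0x20 <= b <= 0x7E for b in payload)


def write_P(text):
    """Writer P: strips trailing spaces, then emits a conformant document."""
    payload = text.rstrip(" ").encode("ascii")
    if len(payload) > 255 or not printable(payload):
        raise ValueError("text not representable in format D")
    return MAGIC + bytes([len(payload)]) + payload + bytes([sum(payload) % 256])


def in_ideal(doc):
    """Membership of D_I: every rule of the specification holds."""
    if len(doc) < 4 or doc[:2] != MAGIC or len(doc) != 4 + doc[2]:
        return False
    payload = doc[3:-1]
    return printable(payload) and doc[-1] == sum(payload) % 256


def read_P(doc):
    """Reader P: lenient.  It ignores the checksum, trailing bytes and the
    payload alphabet.  Returns the payload, or None if P fails to open doc."""
    if len(doc) < 3 or doc[:2] != MAGIC or len(doc) < 3 + doc[2]:
        return None
    return doc[3:3 + doc[2]]


def in_written(doc):
    """Membership of D^w_P: P itself would emit exactly these bytes."""
    return in_ideal(doc) and write_P(doc[3:-1].decode("ascii")) == doc


def survey(doc):
    """Classify every single-byte substitution of doc."""
    counts = Counter()
    for pos in range(len(doc)):
        for value in range(256):
            if value == doc[pos]:
                continue
            mutant = doc[:pos] + bytes([value]) + doc[pos + 1:]
            if in_ideal(mutant):
                counts["D_I"] += 1
            elif read_P(mutant) is not None:
                counts["D^r_P only"] += 1
            else:
                counts["neither"] += 1
    return counts


if __name__ == "__main__":
    original = write_P("hello")
    print(survey(original))
    # A conformant document that P would never have written itself:
    foreign = b"DF\x03hi " + bytes([sum(b"hi ") % 256])
    print(in_ideal(foreign), read_P(foreign), in_written(foreign))
```

For this format no single-byte change stays inside $D_I$, yet about two thirds of the modified documents still open in $P$; a document that lies in $D_I$ but outside $D^w_P$ conforms to the specification without being something $P$ could have produced.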


... symbolic execution
.... symbolic execution signatures ??

... differential attribution (class attribution vs individual
attribution)

... edit distance



Note that some documents are inherently complex and the mere fact
that a string of bytes conforms to such complex rules instils a
level of confidence that one has indeed classified the artefact
correctly.  The odds that a random string of bytes will conform
to the rules placed on a JPEG image are infinitesimally small.
However, using a random string as the starting point for such a
calculation would normally be misleading.  Data will generally be
`chunked': on disc the bytes in a sector will generally retain
their sequence.  When sectors are grouped into clusters, the
order of data in a cluster can generally be expected to be in
their original order, but the clustering method may be an
inference.  On networks data usually arrive in packets with some
error checking code that `vouches' for the integrity of the
packet.  Of course, data is malleable and a human (amongst
others) can fabricate data that violates almost any assumption
that can be made.

However, the forensic findings discussed in this section do not
deal with authenticity of an artefact, but just with the
identification of artefacts (including identification of
artefacts that deviate in some way from some expected norm).

Keep in mind that digital artefacts are often containers for
other artefacts: a disc is a container of partitions; partitions
contain file systems; file systems contain files; often files are
wrappers that encapsulate related information (such as cover art
and other metadata in, say, music files or thumbnail images in
full-size images).  A top-down approach may verify the integrity
of each of these containers before the contents are inspected.
Confidence about the integrity of the container yields more
confidence in deductions that are made about the contents of such
containers.  As an example of this latter point, once the
integrity of a file system has been established one can use the
metadata linking the blocks on that disc into files with a higher
degree of trust than would otherwise have been the case.  Note
that the top-down order is also not mandatory: where time is of
the essence it may often make sense to accept, say, the integrity
of the file system as a starting point to facilitate quick
discovery of useful information; the integrity of the file system
may then be examined later, while the initial leads are pursued.
If the integrity of the filesystem is confirmed, the initial
assumption is validated; if concerns are later raised about the
integrity of the filesystem the `speculatively' uncovered
evidence can be discarded ---  it, at least, provided avenues
that could be (sometimes successfully) explored during time that
would otherwise definitely have been wasted.

Also, as noted earlier, the degree of scrutiny afforded to any
artefact depends on what one wants to learn from that artefact.
In many cases the mere fact that an image viewer displays an
image when presented with an artefact will be sufficient to
classify the artefact.  In other cases much closer scrutiny may
be warranted.

\section{Prevalence}
The notion of prevalence is problematic in any artificial
environment.  At one time it was possible to detect much spam because
spam exhibited certain obvious characteristics.  Certain words
(such as the phrase \emph{You have won \ldots in the \emph{X}
sweepstakes}, where X was the name of a well-known company, law
or familiar phrase) were an immediate indicator of spam.
Similarly, specific ``from'' addresses were known spam senders.
However, the ease with which such spam could be detected quickly
meant that such spam was filtered and no longer reached a huge
proportion of their intended audiences.  Prevalence of such spam
therefore declined, and more sophisticated spam (such as
personalised spam) became more common.  It is safe to assume that
any patterns in spam that can be learned by spam detectors can
also be learned by spam senders and that any detected patterns can
be removed so that spam can bypass filters based on such
patterns.  It is also safe to assume that sophisticated spammers
implement ``quality control'' mechanisms in which the ability of
spam sent to penetrate the best known defences is continuously
monitored and remedial steps taken where required.  In artificial
systems it is much easier to immediately initiate new behaviour
or implement new characteristics.

In many branches of forensic science prevalence is a key element
of the science.  In DNA identification the prevalence of short
tandem repeats at specific genetic loci in a given population is
a key element of the accuracy (or error rate) that DNA
identification can claim.  Even though this prevalence may be
known to criminals there is nothing they can do to modify it.
Given the inherent distinction between natural and artificial
prevalence the question arises whether prevalence plays any role
in forensics that deal with an artificial system.  In simplistic
terms: are (prevalence) statistics relevant to digital forensics?

One response may be that a concerted well-resourced global
initiative may be able to provide real-time prevalence statistics
about threats (in particular, malware, active exploit abuse,
spam, and so on), about installed systems, about the usage of
online services, as well as almost any other factor of interest.
However, forensic science often depends on an assumption that a
random individual from that prevalence pool is the subject of a
forensic examination.  It is (in most cases) unlikely that the
individual involved in some incident will have been selected
based on a specific occurrence of short tandem repeats in his or
her genetic makeup, or on swirls and whorls in their
dermatoglyphic makeup, or be an outlier in terms of blood-spatter
traces.  However, in the case of artificial systems, the tools
used, the selected target and/or the strategy used may be due to
a specific choice made by the actors in the incident; the fact
that any of these is an outlier in statistical terms does not
translate to a numerical probability of uniqueness or any other
similar claims about accuracy or error rates.




***********************************************************


In forensics prevalence is often useful when a combination of
independent conditions or markers are present in an artefact.
This is precisely the approach followed by DNA identification.
The prevalence of short-tandem repeats (STRs) at specific loci on
human genetic material in a given population is relatively easy
to determine.  If, say, 10\% of the population has an STR on a
specific locus and DNA material found at a scene has an STR at that
locus, the proportion of potential donors of that genetic
material is narrowed down to 10\% of the population.  If the same
found sample has an STR at another locus of interest and, say, 8\%
of the population has an STR at that location (and presence of
this STR is independent of presence of the other STR discussed
earlier), then the donor of that DNA sample is one of only $10\%
\times 8\% = 0.8\%$ of the population.  Once presence (or
absence) of STRs at about ten loci of the sample
(with the exact number dependent on standard practices in a given
country) has been determined, the expected number of persons with
that genetic makeup is a tiny fraction of one person.  Hence,
finding a matching donor is statistically highly improbable.
However, the donor of that sample will, of course, match the
sample.  Hence, when a matching suspect (or other party of
interest) is found what is statistically highly improbable has
been achieved --- and it is fair to conclude that the match is
not a random event, but caused by the fact that the matching
individual is indeed the donor of the sample.  Moreover, the size
of the ``statistically expected'' group is a measure of the
possibility of a false positive.

The question that arises is whether similar prevalence data can
be used to reach similar conclusions about digital devices.
Possible ``markers'' may include the operating system used on a
device, ports that are open, software that is installed, physical
interfaces and peripherals, configuration settings and a plethora
of other characteristics. To illustrate, the prevalence of
operating systems is relatively easy to determine.  During an
investigation it is possible to determine the operating system of
a seized device relatively easily by inspection.  Network
scanners such as \texttt{nmap} have a remarkable ability to
determine the operating system of a device via a network (to a
specific (minor) version) --- unless the machine has been
properly secured against footprinting.  Media and/or data files
often identify the operating system used to create or write them.
Therefore one may be able to determine a specific marker (such as
operating systems) on the device itself, remotely via a network
and/or on artefacts created by such a system, providing a first
step to link them with a known error rate.  Moreover, operating
system prevalence is a social phenomenon and social phenomena
tend to be more stable over time than digital phenomena.

A second example of a marker (or perhaps a second set of markers)
may be the WiFi access points a device attempts to connect to.
Presumably (but not yet proven) such access points are
independent of operating system.  There are a couple of scenarios
to consider.  Some major service providers deploy access points
with the same name (or SSID) over major parts of the world.  The
market penetration of these providers is relatively easy to
determine.  Such statistics narrow down the portion of devices
that exhibit given markers.  A related but also very different
remark can be made about access points deployed at private homes
and other small contexts.  The existence of databases of such
private access points is well known.  Typically prevalence
statistics per access point are not available, but, being private
access points, they tend to narrow the population of matching
devices significantly.  However, being private, the choice of
operating systems used on them will often no longer be
independent of the access point name --- and multiplication of
prevalence statistics is no longer meaningful.

In fact the independence requirement is arguably bigger than it
may initially seem.  It is precisely the specific choices
for network and other parameters made by operating system
designers that enable software such as \texttt{nmap} to
successfully identify operating systems; stated differently, it
is the close coupling between system version and network
behaviour choices that facilitates system identification; this
indicates dependence, rather than independence.
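
The independence concern raised above for operating system and WiFi markers can be made concrete with a small calculation.  The following Python sketch is an added example, not part of the original paper; the device population, marker names and counts are constructed for illustration.  It compares the product of single-marker prevalences (the calculation used for independent STR loci) with the joint prevalence actually present in the population.

```python
"""Product-of-prevalences versus joint prevalence for device markers."""
from fractions import Fraction

# Constructed population of 1000 devices (illustrative counts, not real
# prevalence data).  Each row: (marker values, number of such devices).
#   provider_ssid: device probes for a widely deployed provider SSID
#   home_ssid:     device probes for one private home access point
POPULATION = [
    ({"os": "os_a", "provider_ssid": True,  "home_ssid": False}, 300),
    ({"os": "os_a", "provider_ssid": False, "home_ssid": False}, 300),
    ({"os": "os_b", "provider_ssid": True,  "home_ssid": False}, 195),
    ({"os": "os_b", "provider_ssid": False, "home_ssid": False}, 195),
    ({"os": "os_b", "provider_ssid": True,  "home_ssid": True}, 5),
    ({"os": "os_b", "provider_ssid": False, "home_ssid": True}, 5),
]


def population_size(population):
    """Total number of devices in the population."""
    return sum(count for _, count in population)


def prevalence(population, observed):
    """Fraction of devices exhibiting every marker value in `observed`."""
    matching = sum(
        count
        for markers, count in population
        if all(markers.get(name) == value for name, value in observed.items())
    )
    return Fraction(matching, population_size(population))


def naive_product(population, observed):
    """Multiply the single-marker prevalences, as if markers were independent."""
    result = Fraction(1)
    for name, value in observed.items():
        result *= prevalence(population, {name: value})
    return result


def compare(population, observed):
    """Contrast the multiplied estimate with the true joint prevalence.

    ratio == 1 means multiplication is justified for these markers in this
    population; ratio != 1 means the markers are dependent and the
    multiplied figure misstates the size of the matching group.
    """
    joint = prevalence(population, observed)
    naive = naive_product(population, observed)
    size = population_size(population)
    return {
        "joint": joint,
        "naive": naive,
        "expected_naive": naive * size,   # devices predicted by multiplication
        "actual_matches": joint * size,   # devices that really match
        "ratio": joint / naive if naive else None,
    }


if __name__ == "__main__":
    cases = [
        {"os": "os_b", "provider_ssid": True},  # markers independent here
        {"os": "os_b", "home_ssid": True},      # private SSID tied to os_b
        {"os": "os_a", "home_ssid": True},      # combination that never occurs
    ]
    for observed in cases:
        result = compare(POPULATION, observed)
        print(observed)
        for key, value in result.items():
            print(f"  {key}: {value}")
```

A ratio of 1 means multiplying the prevalences is justified for that marker pair in this population; any other value means the multiplied figure misstates the size of the matching group and hence the false-positive risk.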

The WiFi example also illustrates a second concern: While WiFi
traces may also be present in various contexts (on the device
itself, in the vicinity of the device if it broadcasts access
point names in search of the access points and on embedded hardware,
such as WiFi-enabled SD cards) the traces are left in general in
a very different set of artefacts than the operating system
traces.  This indicates that it may be hard to identify a set of
markers that is sufficiently general to link associated artefacts
that exhibit dissimilar class characteristics.

It is a relatively simple task to add additional concerns to this
short list; this paper will, however, refrain from doing so.  In
summary, prevalence data \emph{may} be useful to link artefacts
where such linking can be achieved with known error rates.
Surprisingly many prevalence measures are more stable than
expected, because they really depend on social phenomena.
However, the range of possible markers and independence between such
markers seem like major challenges.

Perhaps even more importantly, while relatively stable prevalence
indicators exist, the ease with which these markers can be
manipulated on a device used in the commission of a crime is
a major concern.  We cannot conclude that prevalence has no role
to play in digital forensics; however, to utilise prevalence
poses significant challenges.  Perhaps prevalence will be
important in some niche forensic applications.  Until its utility
is demonstrated, a pessimistic view of prevalence-based techniques
seems realistic.


























\chapter{The manifesto --- to follow RSN}

The purpose of this document is to derive a manifesto as an
artefact to discuss.  The intention is to derive it from the
various forces (forensics, truth, reliability, and so on) that
emerge from the document thus far.  At this stage I am still
working on this derivation process --- and, hence, do not include
a manifesto yet.  My intention is to fill this empty chapter with
at least some draft as soon as possible.

\appendix




\chapter{bits and pieces}


  Jeon BR, Seo M, Lee YW, Shin HB, Lee SH, Lee YK (2011). "Improving the blood collection process using the active-phlebotomist phlebotomy system". Clinical Laboratory 57 (1-2): 21–7. PMID 21391461.
draws the blood

***********************

\section{Expert witnesses}
Above, two characteristics of forensic science have been
identified, namely the (a) admissibility of (specific forms of) hearsay
evidence; and (b) permission to include conclusions in testimony.
(Again this summary should be augmented by disclaimers,
qualifications, explanations, exceptions and so on to be
considered a correct claim; however, our goal here is to
provide simple handles to invoke these notions --- along with any
baggage that may be associated with them).  In what follows, the
phrases \emph{hearsay evidence} and \emph{derive conclusions}
will be used to denote these concepts.

A court may rely on the testimony of an expert witness; in many
jurisdictions the bar to be an expert witness is set relatively
low: anyone who knows more about a specific topic than the
general public may be deemed an expert.  A homeless person, for
example, may be an expert on street living.  This person may
provide the court with insights about the hardships of street
living, possible ways of obtaining food and shelter, community
life on the street, and so on.  However, this person will not be
allowed (in general) to present hearsay evidence and this person
will not be allowed to apply his or her experiences to the case
being tried and offer some conclusion based on expertise.

Let us consider another example: suppose someone wants to protect
a home from being burglarised --- in particular by ensuring that
the burglars are caught.  This person decides to rig a paintball
gun near a window used in the past by burglars, such that anyone
who enters through the window will be shot with paint with, say,
a fluorescent pink hue.  Sure enough someone breaks in and the
gun fires.  Our homeowner informs the police that they may find
someone wandering the streets literally lighting up the night in
pink.  Soon afterwards a glowing pink suspect is apprehended.
Irrespective of the homeowner's expertise, testimony will be
limited to the homeowner's actions (or experiences).  Conclusions
about whether the glowing pink identifies the burglar will be the
court's prerogative.  (And if the gun injured the intruders at
all, a new crime may suddenly be investigated, where the
purported intruder claims medical and other costs from the
plaintiff.)  To bring it somewhat closer to forensic
science, in ... vs ... in the USA the court was far from convinced
that fingerprint identification is rooted in science.  Hence the
expert witnesses were instructed to only testify about what they
saw, did and experienced.  However, they were barred from
testifying in any way that the sets of fingerprints (collected
from the suspects and found at the crime scene) \emph{matched}.
Testimony about a match would have required them to apply a
theory (conveyed by trainers and books to trainees), that is, it
would have required them to violate a theory that was --- at
that moment --- not deemed scientific and hence subject to the
`normal' rules that apply to expert testimony.





***********************

 To illustrate, consider the following list of translations of
 ``Science and technology'' and of ``technology'' (where the
 suffix \emph{-logy} is interpreted as ``study of'', as it usually
 is) in a number of languages.
 
 \begin{tabular}{lll}
 \textbf{} & \textbf{Techn\'e} &\textbf{``Technology''} \\
 \hline
 Afrikaans & Tegniek & Tegnologie \\
 \textbf{English} & \textbf{Technology, craft, art} & \textbf{Technology} \\
 French    & la science et la technologie &\\
 German    & Technik &\\
 Greek     & $E\pi i\sigma\tau$\\
 Spanish   & Tecnología  &\\
 Zulu      & & \\
\end{tabular} 
 
 
 Van Dale says the following about technologie: tech·no·lo·gie (de ~ (v.), ~ën)
 
 the study of the operations by which humans process the products of nature into materials to satisfy their needs
 systematic application of a science in engineering (de techniek)


********************************************



https://aquileana.wordpress.com/2014/02/01/aristotles-three-types-of-knowledge-in-the-nichomachean-ethics-techne-episteme-and-phronesis/




In the Dictionary of Philosophy,  it is defined as: “The set of principles, or rational method, involved in the production of an object or the accomplishment of an end; the knowledge of such principles or method; art. Techne resembles episteme in implying knowledge of principles, but differs in that its aim is making or doing, not disinterested understanding”. 

Characteristics: Pragmatic, variable, context-dependent. Oriented toward production. Based on practical instrumental rationality governed by a conscious goal. The original concept appears today in terms such as “technique” and “technology.” 
...


3. Phronesis: It means Practical wisdom. It is related to the following main ideas: Ethics.  Deliberation about values with reference to praxis.  Pragmatic, variable, context dependent.  Oriented toward action.  Based on practical value-rationality.

Aristotle distinguished between Sophia and Phronesis in the following manner. Sophia involves reasoning concerning universal truths, while Phronesis includes a capability of rational thinking. 

In order to practice phronesis, Aristotle felt that political abilities were required, as well as thinking abilities. Aristotle categorized three elements of character (ethos) in the following manner: 1) phronesis (how to act in particular situations), 2) areté (virtue) and 3) eunoia (goodwill).

***********************************************************


********************************************

 In The Nicomachean Ethics, Aristotle (384/322) describes three approaches to knowledge. In Greek, the three are episteme, techné and phronesis. 
 
 Whereas episteme concerns theoretical know why and techné denotes technical know how, phronesis emphasizes practical knowledge and practical ethics.
 
 Aristotle classified knowledge in three different types: Episteme (Scientific Knowledge), Techné (Skill and crafts) and Phronesis (Wisdom).
 
 1. Episteme: It means “to know” in Greek. It is related to scientific knowledge. Attributes: Universal, invariable, context-independent.  Based on general analytical rationality. Epistemology, the study of knowledge, is derived from episteme. 
 
 Episteme was viewed by the Greeks as a partner to techné. Plato used episteme to denote “justified true belief”, in contrast to doxa, common belief or opinion.
 
 2. Techné: The Greek word translates to craftsmanship, craft, or art.
 ...
 For the ancient Greeks, when techné appears as art, it is most often viewed negatively, whereas when used as a craft it is viewed positively because a craft is the practical application of an art, rather than art as an end in itself. In “The Republic”, written by Plato, the knowledge of forms is the indispensable basis for the philosopher's craft of ruling in the city.
 
 Aristotle viewed techné as an imperfect human representation of nature. Socrates and Plato also used the word, and distinguished craftsmanship (which they viewed in a positive light) from art (which they viewed in a negative light). 


*************************************************************

It seems that crime and, in particular, solving mysteries caused by
crime, has fascinated humanity since the beginning of time.  This
fascination may be observed in the continued production of
fiction where sleuths solve crimes using their keen
powers of observation, mind-boggling deductive skills, paranormal abilities
and/or requesting the intervention of the gods.  In most of these
tales evidence plays an invaluable role.  However, the use of
scientific evidence is a more recent phenomenon that evolved into
storylines where evidence --- through science --- solves crimes.
Period.  Forensic science entered the popular discourse.  And, so
it came to be that public insight and public misconceptions about
forensic science were both on a growth path\ldots

While the popularisation of forensic science has done much to
educate the public, it has also led to many misconceptions.

*************************************************************







 is causation.  The plane
flies \emph{because} of its particular shape.  And it is this
ability to determine cause that forms the cornerstone of forensic
science.  The logic is more or less the following:
\begin{enumerate}
\item If action $A$ causes some outcome $\alpha$; and
\item No other action $B$ causes $\alpha$; then
\item The presence of $\alpha$ implies that $A$ not only
happened, but was the cause of $\alpha$.
\end{enumerate}

Of course this can be generalised as follows:
\begin{enumerate}
\item If any of the actions $A_1, \ldots, A_n$ causes some outcome $\alpha$; and
\item No other action $B$ causes $\alpha$; then
\item The presence of $\alpha$ implies that not only did one or
more $A_i$ happen, but one or more $A_i$ caused $\alpha$.
\end{enumerate}


\end{document}



\section*{Preamble}
A manifesto is a document that sets out the perspective of the
author of the manifesto, or that of the group on behalf of whom
the manifesto is written.  The use of the manifesto, as literary
form, dates back several centuries, and is a tool used in various
social contexts.  In contrast to most scientific publications, a
manifesto stems from a conviction, rather than objectively
verifiable facts.  To be more specific: Manifestos are often
written in a context where many facts are available (and even
obvious), but where the interpretation of those facts is
expressed as a subjective truth, with the hope that it will
sway others to accept such a perspective as accurate or valid.

The current paper is a manifesto about the nature of digital
forensic science.  However, given the fact that manifestos differ
from the typical research paper, it is necessary to make a few
remarks about manifestos in a broader context.  In particular, it is
necessary to show that such manifestos (in some cases, at
least) have a place in the academic literature.

Manifestos are typically written at `crisis' moments in history,
where (in the view of the author(s), at least) some adjustment in
the current course of action is necessary.  The manifesto is
embedded in a context and is a reaction to that context, and
should be read in the context of prevailing conditions in
terms of how it reacts to such conditions.

As a first example to illustrate these points, consider the
Russell-Einstein Manifesto compiled by Bertrand Russell and
Albert Einstein \cite{russel-einstein} in the early stages of the
Cold War.  It opens with the claim that ``we feel that scientists
should assemble in conference to appraise the perils that have
arisen as a result of the development of weapons of mass
destruction [the nuclear bomb], and to discuss a resolution in
the spirit of the appended draft.''  This manifesto is situated in the
context of science given that its intended audience is
scientists.  However, it deviates from the usual scientific
rigour found in science in many respects; it contains a claim 
``on very good authority that a bomb can now be manufactured
which will be 2,500 times as powerful as that which destroyed
Hiroshima'' --- in the typical scientific paper `good
authority' will not be sufficient basis for substantiating such a
claim.

As an example of a manifesto in \emph{our} broader discipline,
consider ``The object-oriented database system manifesto''
\cite{oodbman} published in the \emph{Proceedings of the First
International Conference on Deductive and Object-Oriented
Databases} that took place in 1989.  The trigger for that
manifesto was the fact that research activity on the topic
increased without reflection on what an object-oriented database
system really is.  The authors expressed the concern that the
first product to market may define the concept if such reflection
does not occur.  Their manifesto is therefore a `prescriptive'
document --- one that favours a position, but ``a position, not
so much expecting it to be the final word as to erect a
provisional landmark to orient further debate.''  With well over
1600 citations (according to Google Scholar) at the time of
writing, the manifesto was arguably in the end more influential
than most research papers in that area were.

Another well-known manifesto in our discipline is the \emph{GNU
Manifesto} written by Richard Stallman \cite{GNU}, which details
the `crisis' caused by commercial interests that curtailed
users' freedom to share software.  It explains (and justifies)
the free software philosophy.  Though it was officially published
in a popular magazine (rather than a scholarly publication) it
too has exerted a powerful influence in academia.  A somewhat
tenuous link between the GNU Manifesto and academia exists in
that the crisis that triggered the Manifesto happened while
Stallman worked at the MIT AI Laboratory.  It is also worth
noting that several honorary doctorates were bestowed on Stallman
by various universities around the world for his work that stemmed
from the philosophy set out in the GNU Manifesto.

These examples obviously do not imply that manifestos have an
inherent value, nor that all manifestos are equal.  They do,
however, illustrate that some manifestos have a role to play in
scholarly discourse; the natural home for a manifesto is as a
statement in a public forum --- that is, in the modern conference
room.

Digital forensic science, the focus of the current manifesto, is
at a point of crisis.  As a member of the family of forensic
sciences digital forensic science deserves the same level of
scrutiny currently directed at most forensic disciplines.  Some
of the recent forensic science scandals include the formal
recognition that FBI microscopic hair analysis until 2000 was
flawed \cite{fbi-hair}, and the more recent concerns about
forensic bite-mark analysis \cite{bites}.  These concerns are not
new and not limited to a few isolated disciplines.  The most
thorough review of forensic science remains the US National
Academies of Science report on forensic science, published in
2009 \cite{nas}.  The problem caused by flawed (or unscientific
or pseudo-scientific) forensic science is twofold: On the one
hand it affords punishment to the innocent and lets the guilty
escape such punishment.  Secondly, the unreliability of some
activities under the rubric of forensic science casts doubts over
forensic disciplines that are indeed scientific.  The science
epithet in forensic science, if applied correctly, should be a
sign of reliability; unfortunately, in too many forensic
disciplines that epithet is used to create a sense of authority,
rather than to describe the foundations of the discipline.

The subtitle of the National Academies of Science report is ``A
way forward''.  This is also the goal of the manifesto that
follows; it is an attempt to give justifiable meaning to the
phrase \emph{digital forensic science}.  The phrase \emph{digital
forensics} is encountered more frequently than \emph{digital
forensic science}; however, the shorter phrase simply accepts
that science is implied.  Hence the assignment of meaning to
\emph{digital forensic science} in the current manifesto
automatically extends the same meaning to the contracted
\emph{digital forensics} form.


***************************************

Developments after the dark ages gave us an absolute belief in
science.  Hence science was to be a perfect tool to achieve
justice.
However, a couple of issues arose.  In postmodern times our
belief in scientific truth is no longer absolute.  Kuhn showed
us that scientific truth changes when old theories are no longer
sufficient.  From Popper we learnt that scientific theories often
are not proven --- we only need to know how to disprove them.
While these claims are not exactly what Kuhn and Popper said,
they are close enough to indicate the root of some confusion.  To
make matters worse we don't even all agree on what science is ---
to the philosophically inclined it is interesting to see how
various people read Kuhn and Popper, or, in a postmodern twist,
to see how such people are \emph{written} by Kuhn and Popper (as
well as written by many other philosophers, theorists and
ignorance).  Add to this how incorrect application of `correct'
science has proven the guilt of the innocent and the innocence of
the guilty, and we have --- to put it mildly --- a quagmire.

%One option is to abandon the project that employs scientific
%truth to find truth for the law --- and some people do take this
%route.  To argue that they are wrong is an arduous task and one
%that we will not attempt to undertake here.  Here we will use
%the more `pragmatic' approach that claims that it is not
%necessary to throw the baby out with the bathwater, with the full
%knowledge that this metaphor will only convince those who want to
%be convinced.  We'll have to return to this issue at some stage
%and present a more convincing argument.



**************************************



However, the understanding of knowledge is an old problem; over two
millennia ago Aristotle already proposed a classification scheme:
In his
text, \emph{The Nicomachean Ethics}, he distinguished between
\emph{episteme}, \emph{techn\'e} and \emph{phronesis} --- a
distinction that is still useful, and which will be used below to
consider the basis for making truth claims based on forensic
science.

\emph{Episteme} originates from the ancient Greek word with the
meaning ``to know''.  Prior to Aristotle's classification, Plato
already found it necessary to distinguish
\emph{episteme}, as a ``justified true belief'', from
\emph{doxa}, which he saw as the (unjustified) popular opinion.
In today's language we associate \emph{episteme} with science.
Episteme is the stem of the word \emph{epistemology}, which is
the study of what can be known (or, of what we can indeed assert
as justified true beliefs).  Epistemology has a long history,
with hundreds of philosophers critiquing, extending, delineating
and otherwise weighing in on the topic.  Hence, claiming that
\emph{episteme} equates to science is an oversimplification, but
the alternative is to consider an informed discourse stretching
over millennia in detail.

\emph{Techn\'e} refers to technical know-how --- the arts and
crafts of today.  In fact, it's problematic to discuss the notion
of \emph{techn\'e} in English because the concept does not have a
proper equivalent in English.  In many cases in the world of
today the notions of science and \emph{techn\'e} are used in
combination to recognise that the two concepts belong together,
but are not the same.  In English this is often expressed as
``science and \emph{technology}.''  However, the English word
\emph{technology} also has other meanings leading to a conflation
of disparate concepts.

The word \emph{techn\'e} was derived from the Greek word for
\emph{art}. More specifically as a form
of knowledge \emph{techn\'e} refers to ``how to'' knowledge. 
It may, therefore,
refer to, for example, knowledge about how to create a statue out
of a piece of marble. However, it also has the more technical
meaning that we see in the stem of the word \emph{artisan}.
\emph{Art} here refers to the skillset that enables someone to make
tools and other artefacts, repair a motor vehicle or cut
someone's hair.  In the same sense \emph{techn\'e} is often
translated as craft, as one sees in the stem of the word
craftsperson.

However, neither \emph{art} nor \emph{craft} conveys the
appropriate meaning in full. (Technology and technique are two
other candidates that also do not capture the precise meaning.)

%Given the difficulty to properly express the notion of
%\emph{techn\'e} --- and the important differences between it and
%science --- another example may be useful: In the early days of
%photography the problem was one of permanently `capturing the
%light'.

Note that \emph{techn\'e} knowledge may --- but need not ---
occur in the form of applied science.  In such cases, those
applying the knowledge have a justified true belief that
applying the knowledge will lead to a predetermined outcome.
However, those using such knowledge can often achieve the desired
outcome without being able to justify their belief, apart from
`knowing' that it comes from some source they trust (and,
possibly, knowing from experience that it always works).

From the above it is clear that an expert witness using techn\'e 
knowledge as a  basis will be able to testify about his or her
observations (over time) and may even be able to testify that
they have frequently or rarely encountered a certain phenomenon
that may be present in the case being heard.


Phronesis is wisdom or, more precisely, practical wisdom.  It
is knowledge enabling one to make the `right' decisions and
choices, or making `wise' decisions and choices.  It is practical
in the sense that it is situated in a given context.  In the
legal arena, this is arguably the type of knowledge the judge
needs.  Forensic scientists need this type of knowledge when
faced by moral dilemmas.  Phronesis is not absolute and does not
claim objective factual knowledge.  So, while it should form part
of any forensic scientist's knowledge, this is not what the
forensic scientist will testify to.  It is not rooted in science;
if related to science it arguably transcends science as a higher,
but essentially unknowable knowledge.

*********************************************

The discussion above solves one dilemma (characterising the type
of evidence to be reasonably expected from an expert in terms of
the knowledge the expert uses) by introducing another problem:
determining the type of knowledge the expert uses.
In all three categories above  experts typically use widely
accepted methods based on a common extensive body of knowledge.
In all cases there may be differences of opinion on the best
method to use, as well as about some details.  There may be
disagreement about whether a specific ``law of nature'' has been
proven. In digital forensics there may even be a further debate
about what form such laws of nature may assume (if they exist at
all).

The questions raised in the previous paragraph are not unique to
forensic science (or even digital forensic science), but have
been raised continually over the past few centuries.  In its
general form the problem even has a name: the demarcation
problem.  A discussion of the demarcation problem will, however,
have to wait until later.

*********************************************

In the Wells Harbour Case the judge found Smeaton's testimony
useful and admitted it.  Since English courts used (and still
use) common law, this acceptance of science caused a legal
precedent that opened the doors for subsequent scientific
testimony.  Over time testimony based on science found its way
into most legal systems to the extent that forensic science may
be seen as a universal phenomenon (with some local differences
about exactly what is considered scientific --- or scientific
enough --- to be acceptable for testimonial use).

***************************************************

There are, at least, three reasons why a belief may exist that
something is scientifically proven.  Firstly, science often
posits new theories that initially seem valuable, but are
eventually refuted.  Secondly, it is hard for non-specialists to
distinguish between science and pseudo-science --- that is,
activities that imitate science but do not apply scientific
rigour to the process.  Finally, the legal system may have
accepted a theory as true and then treat it as a legal truth
despite concerns expressed in the scientific community about the
soundness of the theory.  It is, for example, worth reflecting on the
scientific validity of results obtained via a polygraph.  More
recent examples for such reflection include microscopic hair
analysis and bitemark analysis.

The term \emph{knowledge} refers to a set of claims that are
true.  In one direction knowledge may be qualified by who
possesses that knowledge: human knowledge may refer to the set of
knowledge that the human race has collected; expert knowledge may
refer to a set of claims that an expert holds in some specific
area; common sense may refer to knowledge that every human being
is assumed to have.


*******************************************************

Aristotle classified knowledge millennia ago in three categories;
this classification is still useful.  A crude modern-day
interpretation of these categories would be scientific knowledge,
how-to knowledge and wisdom.  All three categories of knowledge
may be useful to the arbitrator of a legal dispute.  Note that
such an arbitrator typically needs wisdom, and restrict
discussion of evidence to the other two categories.

Scientific knowledge is (at least in its ideal form) objective
--- in other words, it is independent of the individual scientist and,
in the legal context, independent from the witness who testifies
about scientific facts.  A scientific finding that two DNA
samples originated from the same donor should not depend on the
scientist who performed the test.  (It is possible that a
scientist did not follow the correct procedure and that the
outcome of the test is therefore questionable, but two scientists
who perform the same test correctly are expected to arrive at the
same result.)

As a simple example from computing consider the case where a
computer scientist demonstrates that solving a certain problem
$P$ is equivalent to solving the halting problem and concludes
that the problem $P$ cannot be solved by a computer.  If the work
is sound, the \emph{conclusion} that $P$ is unsolvable is an
objective fact.  The scientist can explain this finding based on
the fact that the halting problem has been proven to be
undecidable.  This proof rests on the Church-Turing thesis --- a
conjecture that has not been proven.  However, it is a thesis
that is formulated as a falsifiable claim, in line with Popper's widely
accepted use of falsifiable claims as the demarcation criterion between
science and non-science.

The second category of knowledge was informally labelled as
how-to knowledge.  People working as programmers, engineers, wine
makers, rugby coaches, musicians, medical doctors and street
sweepers use this category of knowledge for their daily jobs.
The how-to knowledge may or may not be based on scientific
knowledge.  The programmer may, for example, just tinker with
code.  Or the programmer may choose to use quicksort rather than
bubble sort based on (scientific) knowledge of the time and space
complexity of the two algorithms.  The programmer may even build
a compiler or operating system based on the theory of building
such systems that emerged from extensive research about such
systems.  However, such a programmer rarely works as a scientist:
he or she rarely uses the ``scientific method'' (even when one
caters for the inherent ambiguity of the concept); this
programmer rarely tests scientific theories or produces new
theories; this programmer rarely publishes new scientific
theories or truths in scholarly journals.  The practitioner who
uses how-to knowledge typically is faced by complex situations
where choices have to be made based on incomplete (or even
contradictory) information.  The practitioner develops expertise
over time, but, where appropriate, adjusts such experience based
on new scientific or technical developments.  It is entirely
possible that two practitioners when faced with an identical
complex situation may reach different conclusions and proceed in
a different manner, where either conclusion or choice about how
to proceed can be justified.  Since the (specific) experience of
the expert may affect the decision or conclusion of the expert,
objectivity is not guaranteed.

Stated differently, useful experts come in different forms.  The
nature of the truths they are allowed to testify to depends on the
nature of their expert knowledge.  Forensic science is explicitly
rooted in science and, hence, forensic scientists are (in principle) 
allowed to testify
about their `justified true beliefs' based on their scientific
conclusions.  This is also true when \emph{forensic} or
\emph{forensics} is used to denote \emph{forensic science}.  Note
that the claim above that the forensic expert is (in principle)
allowed to testify about justified true beliefs had to be
qualified, because the final decision about admission of evidence
is to be made by the court.  That is also the reason for opening
this paragraph with a reference to \emph{useful} experts: there
are many reasons why a court may decide not to accept an expert's
claimed expertise (including claimed scientific expertise) as
useful.

A final note to conclude this section: note that the type of
testimony depends on the nature of knowledge used: the same
expert may use scientific and how-to knowledge, but has to
distinguish between the two in terms of testimony provided.  This
will also have to wait to be discussed later.


