Abr 06

Expert witness, computing and presumptions

Tag: Computing, Signs and ReasoningJoaquim Anguas @ 4:56 pm

I start a series of posts related to legal reasoning and computational semiotics.

This post informally analyzes and puts into context the argumentation and generalization elements used by expert witness in computing, taking into account their relationship with computational semiotics.

If semiotics is the science of signs, computational semiotics is the branch of semiotics that studies signs supported by computational means.

Expert witness in computing, derive assertions from computational signs and argumentation methods.

While it could be thought that expert witness provide feasible assertions, the fact is that, in the field of computing, often many plausible options coexist. Expert witness use informal logic approaches like non-monotonic abductive reasoning to identify the best explanation that satisfies coherence with all other known facts.

Why comes that when I act as an expert witness, I (eventually) think I am getting to de-feasible conclusions when I am not?

Because I am not taking into account all the complexity of the signs universe I would have to consider.

For example, what does an expert witness mean when she/he says “file creation was X”?

She/he means that she/he has looked to the file properties through an interface (graphical, command, function call) that returned X as file creation. But she/he made (at least) those assumptions:

  • The operating system stores the file creation time when such event occurs.
  • When you look at property “file creation” for a file, this property uses to contain file creation date.
  • The “file creation” property, wasn’t altered in any way, on purpose or not.
  • The time or time zone of the system wasn’t altered.

All of the previous are presumptive generalizations. There are actions that can minimize the odds of a wrong assertion, like making context or coherence assessments. For example, comparison with file’s time metadata in the previous example. But there’s no way an expert witness can assess all the possible options, as she/he would have to dissect the whole system from software to every bit in storage space, to explode the whole semiotics on it.

File creation is a very simple property. Things get overly complicated when higher level questions are asked to the expert witness.

In this status quo, expert witness do not know, but get convinced of.

And, for me, the key element to achieve expert witness persuasion is one: coherence.

Not that I am proposing a nihilistic approach to computer forensics in general and legal proof in computing in particular. I aim to establish a solid ground to build common practices and make explicit how assertions in expert witness reports are build.