Often a crime-drama television show will have a “single piece of evidence”, which explains the entire crime, and is used to get a guilty conviction. In real life very rarely does this situation arise. Instead typical investigations will uncover many pieces of evidence that are used during trial. Some of the evidence found during an investigation will be more persuasive to a jury, some will be less persuasive. However, it’s uncommon (and perhaps foolish) for a prosecutor to proceed to court with a single piece of evidence. What is somewhat more common, is for a prosecutor to proceed to court with multiple pieces of evidence, with perhaps one or two that are likely to be very persuasive.

One topic where the SPoE myth is often used is anti-forensics. Simply, anti-forensics is anything that a suspect does to hinder a forensic examination. Many of the sources of information that are used during an investigation (e.g. file system time stamps) can be easily modified. When a new anti-forensic technique has been discovered, there is sometimes a tendency to see the technique as a “silver bullet” which can halt an entire investigation.

The truth is, a single action (e.g. logging in, compiling a program, reading email, etc.) can impact many different aspects of the operating system, especially on a Windows system. Compromising the integrity of a “single piece of evidence” (e.g. the last accessed file system time stamp) is rarely fatal. This is because there are typically a number of places to look to find evidence to support (or deny) some theory.  Removing one piece of evidence may make an argument weaker (or stronger), but rarely does it invalidate the entire argument.

Often a crime-drama television show will have a “single piece of evidence”, which explains the entire crime, and is used to get a guilty conviction. In real life very rarely does this situation arise. Instead typical investigations will uncover many pieces of evidence that are used during trial. Some of the evidence found during an investigation will be more persuasive to a jury, some will be less persuasive. However, it’s uncommon (and perhaps foolish) for a prosecutor to proceed to court with a single piece of evidence. What is somewhat more common, is for a prosecutor to proceed to court with multiple pieces of evidence, with perhaps one or two that are likely to be very persuasive.

One topic where the SPoE myth is often used is anti-forensics. Simply, anti-forensics is anything that a suspect does to hinder a forensic examination. Many of the sources of information that are used during an investigation (e.g. file system time stamps) can be easily modified. When a new anti-forensic technique has been discovered, there is sometimes a tendency to see the technique as a “silver bullet” which can halt an entire investigation.

The truth is, a single action (e.g. logging in, compiling a program, reading email, etc.) can impact many different aspects of the operating system, especially on a Windows system. Compromising the integrity of a “single piece of evidence” (e.g. the last accessed file system time stamp) is rarely fatal. This is because there are typically a number of places to look to find evidence to support (or deny) some theory.  Removing one piece of evidence may make an argument weaker (or stronger), but rarely does it invalidate the entire argument.

The post The Single Piece of Evidence (SPoE) Myth by Mike is originally from Forensic Computing.

Unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial 3.0 United States License.