E-evidence and Asylum Seekers in the Netherlands

E-evidence and

Asylum Seekers in

the Netherlands

Author: Anne Rodrigues Supv.: Prof. Dr. F.J.M. Huysmans

anne@rodrigues.com 2nd. Reader: Dr. ir. J. Kamps

Heritage Studies MA, a.k.a. University of Amsterdam

ACKNOWLEDGEMENTS

I would first like to thank the Immigration and Naturalization Service of the Netherlands and all interviewees for their participation. Without their effort and input, this research could not have been successfully conducted or would have had to have a very different set-up. A special thanks to one of the interviewed e-experts for taking a special interest in my research and challenging me to an irritating extent.

I would also like to thank my thesis supervisor Prof. Dr. F.J.M. Huysmans of the faculty of

Humanities at the University of Amsterdam. He consistently allowed this paper to be my own work but steered me in the right the direction whenever he thought I needed it. We have had undeniable struggles during our working together but have always found a way back on course, due to perseverance on both sides.

I would further like to acknowledge Dr. ir. J. Kamps of the faculty of Humanities at the University of Amsterdam as the second reader of this thesis. I am gratefully indebted for his very valuable

comments on this thesis.

Finally, I must express my very profound gratitude to my sweet and inspiring parents, my

extraordinary and inspiring brother and to my dear friends – you know who you are – for providing me with unfailing support and continuous encouragement throughout my years of study and through the process of researching and writing this thesis. This accomplishment would not have been possible without them. Thank you so very much, I love you.

TABLE OF CONTENTS

1. INTRODUCTION AND OUTLINE OF THESIS ... 9

1.1 Introduction ... 9

1.2 Background ... 10

1.3 Problem Statement ... 12

1.4 Objective ... 12

1.5 Research Questions ... 12

1.6 Data and Methods ... 13

1.7 Contribution to Field ... 15

1.8 General Considerations prior to Research ... 16

1.9 Outline Thesis ... 17

2. E-EVIDENCE AND DIGITAL FORENSICS ... 18

2.1 Introduction ... 18

2.2 What are Digital Data? ... 19

2.3 Which Kinds of Digital Data Exist and What are Their Characteristics? ... 23

2.4 Digital Forensics ... 27

2.5 Conclusion ... 34

3. THEORY ... 36

3.1 Introduction ... 36

3.2 Dimensions of the European Refugee Issue ... 37

3.3 Applicable Non-Dutch Legislation and Policy ... 40

3.4 Dutch Law and Policy ... 49

3.5 Conclusion ... 59

4. E-EVIDENCE AND CURRENT REFUGEE STATUS DETERMINATION ... 61

4.1 Introduction ... 61

4.2 Present Handling of E-evidence by the Dutch government ... 62

4.3 Present Handling of and or Views on E-evidence by Other Appropriate Bodies... 72

4.4 Conclusion ... 81

5. ANALYSIS OF E-EVIDENCE AND CURRENT RSD ... 82

5.1 Introduction ... 82

5.2 E-evidence and The Road to Asylum in The Netherlands ... 83

5.3 Conclusion ... 100

6. GENERAL CONCLUSION AND DISCUSSION... 103

6.1 Introduction ... 103

6.2 Overview of this Thesis ... 104

6.3 Findings with Regard to the Research Questions ... 104

6.4 Strengths and Limitations of this Thesis ... 110

6.6 Suggestions for Further Research ... 120 6.7 Concluding Remarks ... 121 7. BIBLIOGRAPHY ... 123 7.1 Legislative Sources ... 123 7.2 Non-Legislative Sources ... 125 8. GLOSSARY ... 134 9. APPENDICES ... 135

Appendix 1. Initial Planning for Thesis ... 135

Appendix 2. Interviews Initially Made for Fieldwork ... 136

Appendix 3. Overview of all Interviewees in the Fieldwork of this Thesis ... 141

Appendix 4. Two Print Screens with Examples of How Metadata can (Coincidently) be Encountered in Everyday Computer-use ... 142

Appendix 5. More Characteristics of Mobile Phone Investigations ... 143

Appendix 6. Total Number of First Asylum Requests per Member State in the Years 2015, 2016 and 2017 (annual aggregated data (rounded) (Eurostat) ... 145

Appendix 7. Interview Questions for the AVIM ... 146

List of Figures Figure 1. Flowchart Data Present in Case to Investigative Changes ... 28

Figure 2. Total Number of First Asylum Requests in the EU in the Years 2015, 2016 and 2017 (annual aggregated data (rounded); Eurostat) ... 38

Figure 3. Total Number of First Asylum Requests in the Netherlands in the Years 2015, 2016 and 2017 (CBS (b) ... 39

Figure 4. The Road to Asylum in the Netherlands, Including Likely Moments of Potential E-evidence (Marc Kolle; reworked and translated by me) ... 57

Figure 5. The Road to Asylum in the Netherlands, Including Numbered Likely Moments of Potential E-evidence (Marc Kolle; reworked and translated by me) ... 82

List of Tables Table 1. Overview of Interviewed Experts on Digital Data and Digital Investigations ... 18

Table 2. Different Kinds of Electronic Data and Their Main Valuable Characteristics (Interviews 6, 7, 9 and I) ... 24

Table 3. Legislation, Directives and Sources in Werkinstructie 2014/10 (precedents from court not included) ... 56

Table 4. Overview of Interviewed Asylum Practitioners ... 61

E-EVIDENCE AND ASYLUM SEEKERS IN THE NETHERLANDS

Abstract

In the Netherlands, asylum seekers sometimes are held up for a long period of time, at times even longer than legally prescribed, in their status determination process. Every application for refuge comes with an individual story. All applications can be considered challenging to certain extent, because each applicant has varying pieces of evidence to substantiate very individual claims. Many stories are easily verifiable however, e.g. by submitted documentation, but not all cases are as transparent. The more difficult cases are the cases in which it e.g. is not clear where a person comes from because it is evident that the documentation does not match the language spoken or story told, or the reason for fleeing is not easily verifiable. The majority of asylum seekers use digital devices (e.g. smart phones) and have a digital life (e.g. on social media) in the country of origin, during their flight and in the country of arrival. The potential of this digital information as evidence is currently under-fulfilled in refugee status determination. Digital data have some complicated characteristics but may simultaneously bear witness in quite a detailed manner about the producer of the data. The relative transparency of the technical aspect of digital data may offer some very verifiable aspects to each individual claim, in a way traditional evidence does not. Raw data are just data. They become information when analyzed and interpreted in relation to the issue at hand, provided that an eventual investigator has the skills to deal with this (form of) information as evidence.

Keywords: refugees, asylum seekers, electronic evidence, e-evidence, refugee status determination, metadata, digital information, digital data, substantiation, digital devices, asylum applicants, evidence assessment, new media, social media, decision-makers, data-carriers, evaluation, verification, traditional evidence, the Netherlands

1. INTRODUCTION AND OUTLINE OF THESIS

1.1 Introduction

Digital data and social media have dubious characters. Well known, used and loved globally, they represent many inscrutabilities. The ease with which one presents oneself with an alter ego on the internet provides the most basic challenge in its use; it can be challenging to be certain of the digital data offered. This wouldn’t be majorly problematic if this information would only be used in frivolous interpersonal contact, but this data has become such a great part of life that it can and is being used in many facets of society. Governments built up huge digital databases filled with data on its citizens, and individual people all over the world are collecting their own huge piles of personal digital data concerning e.g. their work, health, holidays and habits. Employers check out social media sites of future employees and children are taken out of schools due to expressions of teachers on the internet. And it doesn’t stop there. Even though the roles of traditional media like television and landline phones have been very significant in the uprisings in the Middle-East and Northern Africa, the internet

and new and social media have played very important parts in the so-called ‘Arab Spring’ in 20111 (AlSayyad and Guvenc; Bruns, Highfield and Burgess; Byrne 2015; Comunello and Anzera; Davison; Kroes; Markham; Papaioannou and Olivos; Pontin; Tudoroiu; Wagner; Wolfsfeld, Segev and Sheafer; Shirky). People could document what was happening around them and, more importantly, instantly share what was documented. Violations and oppressions by law enforcers as well as rebels running amok, all was shared with the world. Organising a meeting, rally or demonstration was possible with a speed as never before and people massively came together to speak with one voice.

Since then, the Middle East and parts of Northern Africa have been in desperate turmoil, civil wars have torn apart the region. Additionally, ISIS became an independent entity in 2013, early 2014, seizing the moment terrorizing parts of these lands without relent to the moment of writing

(Esfandiary and Tabatabai 1; Lister 19-23; Mabon § 2,3; Van Es). More citizens than usually feel they are not safe to live normal lives and flee leaving family and possessions behind (UNHCR 2015; UN 2016; Vluchtelingenwerk Nederland 2014, 2015, 2016 (b), 2017). Furthermore, there are a lot of people who seek a better life elsewhere because they believe to have no prospects but dire poverty in their home land.2 _{Moreover, there arguably are people not able to live a sustainable life due to climate} change who also flee (De Maeseneer et al.; Dijkstra; Vandervelden; Van Huet). The decision to go cannot be an easy one. Even though the height of the refugee crisis in Europe has past (or rather has been diverted3_{), still many people flee, and some are dying en route and if they make it, often get stuck} in miserable camps or institutions (Binnie; Bolwijn; Cumming-Bruce; NOS 2017, 2018; Pollak; Van der Ploeg; Vluchtelingenwerk Nederland 2018). Stopping people from coming appears to be very difficult indeed so far so it seems like a good idea to keep the refugee status determination process in Europe, and specifically in The Netherlands, upgraded to the max to be able to face this matter.

Modernization of the refugee status determination (henceforth RSD) process could be part of the solution and can possibly partly be found in the flow of digital information that comes along with the flow of refugees (Byrne 2015, 2016). These digital data may have a certain capacity of negating or corroborating evidence in the RSD and thus far appear to be fairly underused as such.

1.2 Background

Even though not nearly as large as a few years back, Europe is still struggling with the flow of asylum seekers crossing over from the Middle East and Africa. The ongoing RSD-process is cumbersome and does not make sensible use of possible vital information that could conceivably speed up this process,

1 _{This is definitely not to say that these revolutions could not have taken place without new media nor that many} other factors were of influence like the contemporary political circumstances, naturally, but digital and social media certainly provided important communication and coordinating tools that have had their effects on the developments in these times and places.

2 _{These people are called happiness seekers, “gelukszoekers” in Dutch, and are a very sensitive issue in the} Netherlands.

as Byrne states in her article in the International Journal of Refugee Law (2015). 4 _{New and social} media were appropriated new roles as it became clear with the bloom of the Arab Spring in 2011 that these means of previously mostly frivolous communication grew into agents for potential societal change by bearing witness to human rights violations and exposing these to the world. The protection this seems to imply for people undergoing these violations and fleeing their homes is however not as straight forward as it seems. The same factors that enhance the protection in the country of origin complicate the authentication of these data in the asylum country: a lot of ambiguities surround these data.

Practices in Europe have logically not yet adapted to benefit from the full potential of the complex digital information flow these media provide; these technological developments have such a great speed that it is hard for institutions to keep up. The digital data asylum seekers have in their wake are not fully put to use as evidence to back up or negate flight accounts; the contents, clearly, but neither are the attached metadata. And the digital data that is being offered as evidence is regarded with suspicion by officials and they, lacking expertise, time and resources for thorough investigation themselves, demand for detailed corroborative evidence which many asylum seekers are inadequate to provide; often even physical documentation is difficult to obtain and verify for both officials and asylum seekers, let alone digital data (Byrne 2015, 2016; Conlan 1, UNHCR 1992 197; UNHCR 2013 90-105).

In the refugee status determination procedure in Europe, the burden of proof in principle lies with the asylum applicant (2011/95/EU; 2013/32/EU). The current method of confirmation of general evidence provided as described in European documentation is to e.g. look at local and international (news) sources for general information or information about particular events and at international and Non-Governmental Organisations (NGO’s) for information about human right violations (Byrne 2015; EC 2008). Organisations like NGO’s sur place are viewed as neutral and therefore as trustworthy and are presently the only bodies that are accepted as capable sources of information covering human rights violations. One of the shortcomings of this method, however, is that in the case of electronic evidence, it is almost impossible for these organisations to be up to date; the possibility of real-time evidence collection as events unfold and violations are committed makes for an information flow that moves much faster than the asylum seekers themselves. NGO’s simply cannot register, judge and categorize all this information at the required speed and, moreover, this massive task, thus far, has not been part of their job description.5 _{Digital data carried by applicants themselves may be the most} current evidence there is and this might need different, more focused and appropriate, confirmation techniques.

4 _{Byrne, Rosemary, “The Protection Paradox: Why Hasn’t the Arrival of New Media Transformed Refugee} Status Determination?”. International Journal of Refugee Law. 27.4 (2015): 625–48: the trigger for this research.

Methods for using these technological tools to support claims in asylum procedures need to be developed and therefore researched thoroughly. The current methodology surrounding the handling of digital data in the RSD-process of refugees in the Netherlands has not yet been fully researched and described6_{, while the speed with which these technological tools are integrated globally in daily life} makes insight in the possibilities of the produced digital data in the daily practice of RSD much needed.

1.3 Problem Statement

Refugees arriving in the Netherlands are sometimes held up for a long period of time, and many times longer than legally prescribed, in the process of their status determination (Grimmius; NOS 2016; Salm; Sneijder; Visser; Vriesema and Versteegh). The majority of refugees use digital devices (e.g. smart phones) and have a digital life (e.g. on social media) in the country of origin, during their flight and in the country of arrival. Byrne states that the potential of this digital information is greatly under-fulfilled causing the determination process to be needlessly lengthy and cumbersome, in most asylum states in the world (2015, 2016). This possible evidence is often brushed aside by officials and governments due to a lack of expertise, time and resources. Is this really the case, particularly in the Netherlands?

1.4 Objective

The objective of this thesis is to investigate the current and possible future use of digital information (e.g. social media posts, photo’s, messages, appearances in blogs or news feeds, etc.) refugees carry as evidence in the RSD-process in the Netherlands, hereby possibly providing insights that may improve the determination process, resulting in more accurate decisions, and potentially causing the

determination process to speed up and eventually become less costly.

1.5 Research Questions

The main research question derived from the problem statement previously formulated is:

• To what extent are digital data reliable enough to be applied in a regulated manner alongside traditional evidence in the refugee status determination process of refugees in The

Netherlands?

The issue in the main research question can be investigated step-by-step by breaking it down into the following sub-research questions:

1. (To what extent) Is e-evidence reliable?

a. Which kinds of e-evidence exist and what are their characteristics? b. To what extent is e-evidence manipulable?

c. Are there parts or kinds of digital information that are reliable with certainty and can therefore be admitted to the refugee status determination process immediately?

2. What are the regulations concerning e-evidence in the status determination process of refugees in the Netherlands?

a. Which laws and regulations on refugee status determination from the European Union apply in the Netherlands?

b. Which laws and regulations on refugee status determination of the appropriate overarching institutions apply in the Netherlands?

c. Which laws and regulations on refugee status determination exist in the Netherlands? 3. What is the current approach to e-evidence provided in refugee status determination cases in

The Netherlands?

a. How much expertise is present at governments and officials in The Netherlands about e-evidence?

b. Which, if any, are the recurring problems concerning e-evidence in the daily practice? 4. What can, in view of the findings, be improved in the use of e-evidence in RSD in The

Netherlands?

1.6 Data and Methods

Firstly, some overall points of attention while reading this thesis: many of the texts used have been written in Dutch since they solely regard The Netherlands. Dutch names and quotes from e.g. law texts in this thesis are translated to the best of my ability. In the footnotes interesting, supplemental or explanatory information is presented, but they are not needed to understand the core of the text

(depending on the knowledge of the reader). A glossary can be found in the back, which may be useful to peruse before continuing reading (go to glossary). The appendices offer some additional insight, sometimes into the research (-process) and sometimes into the particular discussed subject. These can easily be reviewed via the link in the text since a return-link to the reference in the text is provided. The data-gathering period for this investigation was from September 2016 until December 2017, even though the text was finished in 2019. Because of personal circumstances the analysis of the data was done at a later stage, causing some gathered data to have aged. These data repeatedly are so indicated in the text and additionally emphasized by mentioning them first per section and the placement of asterix’s before and after the data.

To answer the research questions, some different strategies of empirical qualitative research are needed; descriptive and exploratory (Silverman). Theoretical research into literature on digital data as evidence to describe the pros and cons of e-evidence is needed, firstly. Secondly, desk research into documentation such as legislation, to be able to establish whether and/or to which extent digital data are currently included in the RSD-process, and where the legislative limits may lie. To be able to establish how the appropriate law articles on e-evidence presently are interpreted, it is necessary to also look at the current protocols and regulations formulated in documentation by appropriate institutions. Next, it will be a requirement to perform some field research to investigate the current view on e-evidence of digital data professionals and the practical daily operations by asylum professionals to be able to, lastly, compare all the found data and determine how all these elements currently relate to each other. A planning will be made to set up an attainable approach to achieve these goals (available in appendix 1).

The aim is to include in this thesis: description of applicable law and policy, description of current RSD practice in The Netherlands, comparisons between the daily practice in RSD of Member States of the European Union (EU), jurisprudence, clear and in-depth technical and human rights analyses, but this may prove be too ambitious for the amount of words allowed by applicable thesis regulations.

The data gathering will thus have to be twofold: theoretical desk research into documentation and field research to gain knowledge of most appropriate practical components. The gathering of the documentation will have to be done by initially reading both core and peripheral documents, and then determine which are important for the objective of this thesis. Much documentation can be found online, since legislation is freely available online. Also, my student status gives me free access to a lot of scientific documentation online, but the good-old library will be a valuable source as well. The data gathering in the field will be done via semi-structured in-depth interviews with appropriate

participants to get as many details as possible. Three interviews will be made. One interview for decision-makers, RIC7_{- and BLT}8_{-employees, one for technical (RSD-) investigators and one} interview on regulations and policy, geared more towards executives and legal asylum professionals (see appendix 2 for the three interviews). All interviewees will also be questioned on their daily experiences. Every interviewee will receive the interview questions in advance via e-mail to get a chance to prepare for the interview. The interviews will be held at the desired location of the

interviewees. The interviews will be taped and transcribed. It will probably not be possible to code the results of the interviews due to the semi-structured set-up. All participants will be guaranteed

anonymity and they will be pointed out by number in the body of this text.

7 _{RIC: Regional Information Centre, in Dutch: Regionaal Informatie Centrum.}

8 _{BLT: Bureau Land and Language, in Dutch: Bureau Land en Taal; NB. During this investigation this name} changed to TOELT, Team Investigation and Expertise Land and Language, in Dutch: Team Onderzoek en

Participants to interview will be looked for in various fields, professions and institutions, e.g.: governmental spokespersons and institutions, asylum researchers, asylum managers, asylum

professionals, asylum lawyers, cybercrime lawyers, digital experts. Suitable people to approach will be chosen by research into their e.g. job (description), publications, experience and background. Possible participants will be approached via e-mail, telephone or internet form. A log of the whole field research process will be kept (this will not be made available in an appendix because it is filled with privacy-sensitive information about the people approached. See appendix 3 for an overview of all the respondents in this research).

The appropriate assessing institution of the Netherlands, the Immigration and Naturalization Service (henceforth the IND9_{), cooperated in this investigation among others by providing access to} employees to interview. A concept version of the final text has been reviewed and commented by the IND to gain approval for publication into the public domain.

1.7 Contribution to Field

Reading about the refugee status determination procedure asylum seekers in the Netherlands go through e.g. in the paper, many might take it at face value. But it is crucial that the information flows in this procedure are set up optimally, ensuring the best informational value of all elements in a case. Studying cultural information science, I want to dissect this process and shed a light on it from an information-management perspective. Is the current set-up optimal for all parties involved or are there parts which may be improved?

When I came to my supervisor with this topic, he had to think about it for a few days. Did my proposal really fit within the context of this master-program? When he came back, he said he was happy I made him aware that this certainly is a part of cultural information science and gave his approval for the research subject.

Then I had to start gathering literature and the fact that I was not able to find Dutch literature on this subject, may be interpreted as that an elaboration on this topic is fairly new in the Netherlands. However, a blogpost by the aforementioned Byrne has brought my attention to this topic so abroad this topic has been deliberated (even though Byrne is a law- and not an information professional; Byrne 2016). Much independent literature on asylum seekers together with e-evidence in other languages is not very easy to find however, so one could say that more investigation on this topic is needed and that this issue might benefit from being picked up by other researchers in informational studies.

It was important to perform this investigation because immigration will not stop and the RSD-process in primarily the difficult cases is lengthy and complex and may be assisted by the

incorporation of e-evidence. It may make the process more insightful and may result in more accurate

decisions. Currently, there seems to be a great dependence on the Dutch justice system to correct mistakes, as was found by this research. This may, however, put needless pressure on the justice system since these appeals may possibly be avoided. Taking a lot of time out of people’s lives and costing a lot of the Dutch taxpayers’ money, it is important to keep the RSD-process as efficient as possible. Any contribution to this field seems beneficial.

1.8 General Considerations prior to Research

Being the offspring of a refugee myself, I have made explicit effort to keep an unbiased perspective during this thesis-process. All the while I have checked myself and it has happened that I had to call myself to attention. Presumably, a little bias is inevitable, being the person that I am, but I have strived to conduct a nonpartisan investigation as much as possible (Silverman 257).

Ethics determine the research methodology (Kooistra and ‘t Hart 328). For this purpose, I have chosen for a qualitative research design. Qualitative research provides room for the involvement of very different kinds of research data and methods and is less bound by convention then e.g.

quantitative methods. This was needed because I tried to consider and involve all elements and parties concerned with RSD to be able to shed light on all sides of the equation (Boeije; Silverman).

Very pleased with my subject and ready to really make a difference in the world, I turned out to be a little naïve to think that all parties involved would be willing and forthcoming to cooperate. Of course, I had thought of issues like privacy, but I found it surprising that many people and institutions I approach declined cooperation all together. The reason predominantly given was a lack of time but later on in the process and wiser on all the delicate issues involved, I wondered if this may have been for other reasons as well, such as ethical or legal considerations. Luckily much of the used

documentation could be found in the public sphere.

It was not allowed to be present at and observe actual RSD-processes due to privacy reasons and it was not allowed to review the anonymized RSD-cases at the IND documents department available for e.g. asylum lawyers either. Even though these cases have already been anonymized, they still were considered privacy sensitive information.

At the Aliens Police (AVIM10_{) it was also not allowed to review methods and protocols for the} daily practice. The reason given was the protocol not to make the daily practice known publicly thereby complicating their job.

Consent of the interviewees to participate was obtained firstly by mail and again at the live meeting. Consent for taping the interviews was asked at the start of the interview. All interviewees were guaranteed anonymity. This was not explicitly requested by (all of) them but offered by me to create a safe environment to speak freely. The two interviewed IND-employees were asked (or maybe requested?) by my contact at the IND to participate so they might have kept some reservations, it

being clear who they are for their employer. The other interviewees participated on their own merit, giving them absolutely no reason to give desirable answers or something like that. I also offered to send everybody the text derived from the interview that was going to be included in the thesis for revision to make sure that the initial consent was not given lightly and that they remained in favor of participation. Not all interviewees have made use of this offer and one declined participation after this.

1.9 Outline Thesis

The set-up finally chosen for this thesis is a pyramid approach: it is an analytic story that starts with basic knowledge and builds out. The information provided per chapter broadens gradually and builds upon each other until all elements to understand the results of the overall analysis at the bottom of the pyramid have been laid out.

The overall characteristics of digital data will be investigated firstly, in chapter two, as well as their possible suitability as evidence. It is useful to start with this because this information is needed to understand the next chapters. After that, this research will focus on its main subject; asylum seekers and refugee status determination (RSD). In chapter three it will describe and explore the current appropriate legislative texts and the daily policy on RSD to get insight in the current view of European and Dutch lawmakers on this matter. To be able to establish how these written publications are

interpreted by the asylum professionals who work in the field daily, the findings from the fieldwork on the daily practice will be presented in chapter four. By then analyzing all the findings relatively to each other in chapter five, I will formulate some advisements for the appropriate participants concerning digital data as evidence in RSD in chapter six.

2. E-EVIDENCE AND DIGITAL FORENSICS

2.1 Introduction

The ‘e’ in ‘e-evidence’ is generally misunderstood or at least interpreted in many ways. It stands for ‘electronic’, naturally, but the rest is not immediately transparent. Interviewing participants in the refugee status determination (henceforth RSD) process in the Netherlands it became clear that what e-evidence ‘is’, is subject to various interpretations. Electronic evidence is generally understood as digital data as evidence, making it a priority to understand ‘digital data’. Furthermore, for the investigation of digital data as evidence, one needs to employ different methods than for traditional evidence, making the field of ‘digital forensics’ the second priority to explore to appreciate the issue at hand and to be able to answer the first research questions:

1. (To what extent) Is e-evidence reliable?

a. Which kinds of e-evidence exist and what are their characteristics? b. To what extent is e-evidence manipulable?

c. Are there parts or kinds of digital information that are reliable with certainty and can therefore be admitted to the refugee status determination process immediately?

To be able to answer these research questions, expertise has been sought in literature as well as in interviews with experts on digital data and -investigations. The respondents have been promised anonymity and will be pointed out by number in the body of this text. In the next table each

interviewed e-expert is indicated by number, expertise, institution (if applicable) and the date of the interview (see table 1):

Table 1. Overview of Interviewed Experts on Digital Data and Digital Investigations

Interview no Expertise Institution Date

Interview 6 E-expert Independent OSINT11_{-expert 07-12-2016}

Interview 7 E-expert Independent OSINT-expert and former Dutch Military Secret Service12_-agent

26-04-2017

Interview 9 E-expert Independent OSINT-expert 12-06-2017

11 _{OSINT: Open Source Intelligence. OSINT is collecting data from open sources and applying these in an} intelligence, thus investigative, context. Opensource data are data which are publicly available on the digital highway; data which are accessible without breaking into, thus hacking into them. E.g. a Facebook profile which is set to private is not made up of opensource data and a Facebook profile which is set to public is. Source codes of websites are opensource data even when the content may not be. Photos on Google Earth and Google Maps are open source data. There are a lot more opensource data to be found than a layman can see. Skills to obtain as many digital data as possible without breaking any laws is a very useful skill for digital investigators (in RSD), naturally. NB. Software can also be Open Source, but this is a different matter. This means that the source code of the software is open for anyone to inspect, modify or enhance.

This chapter starts with an explanation of what digital data are exactly, and then elaborates on which kinds of digital data may be used as evidence, and how. Next, the art of digital forensics is concisely discussed. In conclusion, it states some of the delicacies of this science and of digital data when applied as evidence.

2.2 What are Digital Data?

Below the main differences between digital and other information are clarified. Additionally, digital data are explained in brief.

An issue with defining digital data for this purpose is the difference between digital data and digitized data; digitized data being data that have a referent in ‘the real world’, a tangible version which forms the base for the digital version of that object. Most people would agree that a paper copy of a passport is a copy and therefore cannot be deemed equally valuable as an actual passport. In today’s digital world this matter becomes more complex. When making a colour scan or photo of a passport, one may feel like having made just a little bit more than a copy. All the actual colours are there, the photo is very readable, and you can even see many of the security details when you zoom in, so it feels a lot more valuable. But this is still just an elegant copy of a passport and it is not these digitized data referred to in this thesis. It is digital born data; data which do not refer to tangible originals but are ‘born’ in cyberspace. Real digital data in this sense do not even allow tangible versions of themselves, since these will always be viewed as just print-outs of those data. These words I am writing only exist in cyberspace and when I finish with my thesis, it will be a digital object. I can print my thesis and generate multiple tangible versions, but its birthmother will always be the digital file I am creating at this very moment.

Digital data are thus data put in by a user on an electronic device. Electronic devices operate on electrical pulses of positive or negative energy which are translated into a mathematical language called binary code (Arkfeld 2-10; Matthews 80-7). Binary code consists of two symbols, ones and zeros (bits), and sequences of these ones and zeros (bytes) make up the units a computer operates with. Most electronic devices we use nowadays are computers in the way that they use some program (software made up of ones and zeros) to execute their task and they put out in some digital form (Arkfeld 2-8 ; Oliver 7-9).13 _{Hence, a user enters information in a computer like device by the means} of a keypad, icon or another application that translates a recognizable message into the ones and zeros that make up all digital data. These cyberspace-born data are the digital data which can be of use in the RSD-process when incorporated in a methodically sound manner.14

13 _{E.g. listening to music via Spotify on your tablet: digital music also consists of ones and zeros.}

14 _{These data are currently being used by the IND in RSD but only intermittently and not in a very methodical} way, since this is not laid down in any e.g. (public) protocols or manuals (of the EASO e.g.).

2.2.1 Some Important Overarching Characteristics of Digital Data

This life in cyberspace ensures a few very distinctive overarching characteristics for digital data. And not all digital data on a computer are the same. Some of the specific characteristics provide

information that non- or other digital information cannot. Next, three of the overarching characteristics of digital data will be described, exemplifying the suitability of digital data as evidence.

a. Registries:

All digital data on an electronic device is Electronically Stored Information, ESI, but not all these data are under the direct control of the user; for all the digital data a user enters on an electronic device, the computer in the device creates data too (Arkfeld 3-57 – 3-61; Duranti & Rogers 523; Matthews 148-57, 183-8). Such data created by the operating system are called Computer Generated Documents and Computer Server Logs (henceforth, CGD and CSL).

Electronic devices e.g. record every move made on that device in a database at the root of the system.15 _{A Windows operating system also creates a registry which is a database of the ‘hidden -’ or} ‘restricted files’.16 _{Herein the system logs records of, among others (Matthews 184):}

• every USB device that was ever plugged in (serial number, model, date it was first plugged in as well as the date it was last accessed)

• all sim cards used in the device (Interview 7) • all of the last websites typed into the browser

• all of the most recently accessed files (depending on the version of Windows these can be records of hundreds of files back into the past)

• all users of the computer, including encoded passwords (which, with the right tools, can be un-encoded)

• all network and other drive connections that have been made • what applications have been installed, when and where • when applications were last accessed

• who logged in when, plus what networks or shared directories they were connected to when they logged in

15 _{By using a method of indexing and referencing the location, format, and status of every file ever created on} that device: the Master File Table (MFT) at the root of the hard drive’s directory structure in Windows’ operated systems.

16 _{Other systems will undoubtedly create a similar database in some way. These registries are called ‘hidden’ or} ‘restricted’ because they are not shown in the most superficial layer of the interface unless specifically requested by the settings on a device, and they usually require the administrative user of a device and some effort and knowledge to access them.

And in yet another ‘hidden files’ database the internet browsing history along with the internet cookies are stored. All these logs (and more) may be consulted for verification when digital data are possibly being questioned when introduced as evidence (Interviews 6, 7, 9).17

b. Metadata:

Digital data additionally contain more information than their paper cousins in the sense that every digital object carries not only the content of its information but meta-information as well: data about those data, known as metadata (Arkfeld 1-7, 3-53 – 3-57; Favro; Interviews 6, 7, 9; Matthews 154-8; Taylor & Joudrey 89-127; Volonino & Redpath 15-6). These metadata may describe when, how, where and by whom a particular set of data was created, accessed, modified and what kind of data they are18_{. Not all digital objects carry similar and equal amounts of metadata but you could say that} metadata provide context to the content to certain extent (see appendix 4 for two examples of how metadata can be encountered in everyday computer-use).

Metadata are embedded in or connected to the file they belong to by the system. This means that they are not immediately visible when accessing a digital document because they are stored in another layer than the content is, making them inaccessible to whom is not familiar with them. This also means that they generally are not visible when a document is printed.19 _{Metadata may moderately} be used as verification for e.g. the content of the appropriate data.20 _{Metadata may thus also be}

beneficial to verify a claim substantiated through a digital object as well as provide clues to human behavior to certain extent (Favro 5; Interviews 6, 7, 9).

A particular kind of metadata are Global Positioning System data or GPS-data (Arkfeld 2-66 – 2-68; Interviews 6, 7, 9; Matthews 154). This is a satellite-based navigation system which can

communicate with GPS-receivers in digital devices anywhere on earth (when not obstructed by e.g. building blocks or mountains). E.g. car navigation systems use this system to keep track of their location. GPS-receivers in digital devices record the time and the location of a device at the moment of an information input.21 _{Combining different GPS-location-points may indicate which direction a} digital device has been travelling. Combining various GPS-time-indications may provide information on the velocity the object was going between these locations.

17 _{These logs may manually be erased by the user or automatically after a certain amount of time e.g. (which} depends on the settings on the device). NB: this is however not likely in RSD cases as my field research showed (Interview 1-10).

18 _{Technically said ‘how the data are formatted’. NB: this is a very simplified way of explaining metadata. In} the world of information professionals metadata are applied in a much broader developed sense (Taylor & Joudrey 89-128, and also chapters 7 and 8 (not referenced in this thesis) at pages 199-302). Metadata will be elaborated on throughout the remainder of this chapter.

19 _{Metadata belonging to a digital object can only be consulted if the document is viewed in its native format.} 20 _{NB: Altering metadata of Twitter messages is very easy and thus should never be trusted (Interview 9).} 21 _{Known as ‘geolocation’.}

GPS-data are metadata a user usually has a lot of easy control over and is able to decide which applications save GPS-data, making them possibly unavailable for research.22 _{What is not directly} under control of the user is the fact that the GPS-receiver in a device searches for contact to network towers periodically (‘pings’), even if it is not used, to keep track of which communication channel it is the closest to, generating interesting (and reliable) data as well (Interviews 6, 7).23

c. Erasing:

Another distinctive fact of digital data is that it takes some effort to really erase digital data (Arkfeld 1-23, 3-31; Interviews 6, 7, 9; Volonino & Redpath 17, 27-33). All digital data being made up of

calculations with ones and zeros, it is unnecessary for computers to store data in a linear way (Matthews 149-53). A single file may be stored in unrecognizable parts on different locations and restored the moment you consult it (Oliver 10). And when you erase the file, the operating system just flags these data parts as deleted and leaves the data where they are.24 _{Only when in need of more} storage space will the computer overwrite these parts of information. Thus, a file is not really gone when it is erased and can be found again for some period of time with a little effort. Also, it is often forgotten that providers (and other participants between user and end-user25_{) store data as well} (Interview 7). These characteristics raise another advantage of digital data when applied as evidence.

In sum, some data are thus generated by the user and some by the operating system affording a basic difference in quality and/or usability between the two when appropriating digital data as

evidence. CGD may provide a source of invaluable evidence since these have an intrinsic

informational value that not all users have the ability to influence.26 _{The fact that digital data take a} little effort to permanently erase caters to the significance of digital data as evidence as well.27

22 _{This user does have to be able to control these settings and/or care about these settings to set these to their} personal likings, naturally.

23 _{Unless the user turns the device off and/or does not take the device with him, obviously.}

24 _{There are applications which prevent this from happening by e.g. overwriting these locations with random} characters, erasing the data permanently. Partitioning and formatting a computer may also overwrite these locations or make them inaccessible. A user does have be to computer savvy enough to have installed such an application or to maintain his/her system this way on a regular basis.

25 _{Such as the router, the internet-provider, the platform, antennas and super-nodes, but these may not be} accessed under current Dutch Immigration law.

26 _{It is imaginable that a user who premeditates to perform an illegal act, such as applying for a residence permit} on false grounds, takes steps to have such knowledge prior to the act to be able to control the CGD on his or her apparatus but I found in my research that this is unlikely to be the case in the current asylum situation in Europe (Interview 1, 2, 3, 4, 6, 7, 10).

27 _{It is also imaginable that a user who premeditates to perform an illegal act, such as applying for a residence} permit on false grounds, takes steps to have the knowledge how to really erase data of his of hers apparatus prior to the act but I found in my research that this is unlikely to be the case in the current asylum situation in Europe (Interview 1, 2, 3, 4, 6, 7, 10). Data is currently being erased by users but only in the layman way, as far as I was able to establish.

2.3 Which Kinds of Digital Data Exist and What are Their Characteristics?

In the next section different kinds of raw digital data are reviewed, and a few of their specific

characteristics. It is also argued which kinds of digital data may be put to use as e-evidence and why. Not only do all the digital devices we use produce and/or contain digital data28_{, most}

institutions in daily life produce digital data that concern their clients as well. Most governments produce unimaginable amounts of digital data about their citizens, such as: registration of birth, housing, schooling, siblings, unlawful actions, tax related things, professions, marital status,

applications for governmental support, offspring and their schooling, and so on and on, currently and historically.29 _{The informational value of these data is not too hard to envision.}30 _{A passport, e.g., can} be seen as part of these data because it is essentially a digital object nowadays. The digital data submitted to employ in RSD in a predetermined and methodological way are more personal digital data: data put in by a user on an electronic device such as when using certain applications, e.g. digital phonebooks, -photo books, -calendars, -text applications and so on, and the digital exchange of data between peers via the internet like social media inputs, messaging and internet sites. Next, a few different kinds of these personal digital data will be considered, which will clarify their possible use as e-evidence.

The following table shows different kinds of digital data, programs and hardware that may be used by a common digital data user nowadays (see table 2, on the next page). One can see that these may portray evidentiary value, either by their output, content and/or by their metadata.

The leftmost column of the table shows different kinds of digital data, media, applications and hardware which are likely being used by many people in everyday life. The second column displays whether the digital object is likely to contain content that may be revealing. The third column mentions if this content may be given additional weight when combined with other digital data. The fourth and fifth columns illustrate whether a particular object or application may have metadata or GPS-data attached to it which may be put to use.

28 _{E.g. smart phone, laptop, tablet, USB (thumb) drives, smart watch, fit bracelet, game consoles, smart TV,} DVD’s, CD’s, thermostat, thermometer, home trainer, garage door opener, MP3 player, car, navigation system, etc., etc.

29 _{And other institutions in daily life as well such as by your workplace, school, gym, public transportation,} library, church, town hall, supermarket, etc.

30 _{The assessing institution in The Netherlands (IND) does in fact use some of the data like these in the refugee} status determination process.

Table 2. Different Kinds of Electronic Data and Their Main Valuable Characteristics (Interviews 6, 7, 9 and I) Digital data / media / apps /

programs / hardware

Revealing content? Intermedial value? Metadata? GPS-data?

E-mail Yes Yes Yes No

Messaging Yes Yes Yes Yes

Social Media platforms Yes Yes Possibly31 Possibly

Social Media metro apps Yes Yes Possibly Possibly

Camera apps No No Yes Yes

Video apps No No Yes Yes

Photos Yes Yes Possibly Possibly

Videos Yes Yes Possibly Possibly

Image manipulation apps Yes Yes Yes Yes

Text documents Yes Yes Yes No32

Spreadsheets Yes Yes Yes Yes

Contacts Yes Yes Yes Yes

Databases Yes Yes Yes Yes

Cloud storage services33 _{Yes Yes Yes Yes}

Audio recording apps Yes Yes Yes Yes

News apps/groups Yes Yes Yes Yes

Web logs Yes Yes Yes Yes

Bank apps Yes Yes Yes Yes

Calendar apps Yes Yes Yes Yes

Call logs No Yes Yes Yes

Game apps No No Yes Yes

Health/ medical apps Yes Yes Yes Yes

Wearables34 _{Yes Yes Yes Yes}

Game consoles Yes Yes Yes Yes

Mobile Phone Yes Yes Yes Yes

Desktop computer Yes Yes Yes Yes

Laptop Yes Yes Yes Yes

Tablet Yes Yes Yes Yes

Providers Yes Yes Yes Yes

Servers Yes Yes Yes Yes

Router Yes Yes Yes Yes

Antennas Yes Yes Yes Yes

Items in the first and second columns can give a global representation of the owner/producer35 _{of the} digital data. E.g. because not all users use all options in the first column and this gives some insight, e.g. into the general interests or financial circumstances of the owner/producer. The second column,

31 _{These ‘possibly’s’ will be clarified a little further on.} 32 _{Interview 7.}

33 _{Such as Google Drive, Apple iCloud, Dropbox, etc., known as ‘cloud computing’ or ‘cloud storage’.}

34 _{Wearables are devices like step counters, fit bracelets and smart watches which produce a lot of digital data as} well which are mostly stored by cloud storage services.

35 _{Not all created data is owned by the producer of the data, e.g. social media posts are owned by the platform} even though they belong to the producer of the data.

content from the options used, may be representative e.g. as to personal convictions and beliefs, contacts, whereabouts and daily behaviours. E.g. textual applications or documents like e-mail and messaging may have interesting content, and photos may be of controversial subjects or happenings and may be helpful in learning more about whereabouts and timeframes by studying displayed landmarks and time indications.36 _{When the content from an item in the second column is combined} with other content from that column, the information value of both may increase drastically, becoming more usable and therefore more reliable. E.g. photos or videos may be complemented by text in text messages, the calendar and financial apps may be combined with different kinds of data on a device and present message groups may give additional insight into relations between contacts on the device. Many of the items from the first column carry metadata and/or GPS-data. These data can be applied to verify the information value of content found in the second column, by crosschecking the content with these data and similar data, hereby again increasing the reliability of the content.

In sum one could generally say that the data in the first column are just raw data, and the data in the second column are ‘representative’ (give a very general representation) of a person’s life and habits. When combining the data from the second and third column the data become ‘usable’, and when using the fourth and fifth column to verify the usable data, the data become ‘reliable’ to certain extent (and then can be verified in the physical world with the owner/producer of the data). A more detailed description of a few of the items from the first column follows next, to give additional insight into the table and this statement:

• social media (metro apps): social media platforms in itself present data which are not very interesting or usable when one is not looking for a particular person. These social media data are in the first column. When one is looking for a particular person and looks into particular content, these data become representative for a person (second column). When one starts to combine these social media data with other data from that particular person such as the messages groups on the device, one arrives at the third column and the data become more usable. When one verifies these data by looking into the metadata37 _{that go with these different} kinds of digital data, these data become more reliable

• camera app: a camera app in itself does not contain interesting content (but may show when it was e.g. opened and used) but the images it produces may contain revealing content. Moreover, a camera app on a device (mostly) automatically stores metadata on your device (unless you disable it). These data entail e.g. what

36 _{Which is already being done in the Netherlands, occasionally.}

37 _{(Most) Social media platforms strip and/or replace the metadata of digital data uploaded to the sites. The metro} apps provided by these media, however, do keep some of the original metadata, and create usable new

camera settings where used, the date and time a photo was captured, the image size and format (called EXIF data38_{) and this information combined with the content} makes the data more reliable. If an image is not viewed on the device it was made on, however, all these certainties are less certain due to e.g. how social media platforms may handle these (this will be elaborated on in paragraph 2.4) • Word or PDF document: a Word document in itself is just data. The document

may contain interesting content, making it representative of something interesting about the creator of the document (second column). When combined with e.g. email messages, more meaning may be attributed to the content and it may become more usable (third column). By then including the metadata of the document, the content may become even more usable because Word e.g. logs the changes made in the document (‘track changes’) making the content more reliable. Whether a PDF file contains metadata depends on the settings used when the file was created • call logs: call logs on a mobile phone are data that represent the persons who have

been called on a device and nothing more than that. When combined with the contacts on the device, they may give insight into relations between contacts, creating information on relations of the owner/producer of the data, making the data usable. Additionally, this information may be combined with data from routers and antennas through which these calls have taken place, giving information on e.g. locations, habits and relations of the owner/producer of the data making these data more reliable (which then can be verified by e.g. visual confirmation, completing the verification of the reliability of the gathered information)

• wearables: the device itself is found in the first column. When connected to a person the data on the device is information and so on. Devices carried on a person permanently may produce very well documented logs of the movements of the wearer, besides the information logged by the main functionality of the wearable device.39 _{Since it is a} wearable, however, it is very easy to it pass on, making the data less reliable (one can say that data online generally are more reliable than data on devices that are easy to hand over to somebody else (Interview 9)

• routers, antennas: as seen above, these hardware devices (in the first column) gather a lot of information, in the sense that they log what they do. This content you find in the second column and this becomes valuable data when combined with other data coming from the same owner/producer, etc., as explained in the ‘call logs’ section.40

38 _{EXIF: Exchangeable Image File, a format that is standard for storing interchange information in among others} digital photography image files using JPEG compression; Interview 7 (JPEG: Joint Photography Experts Group, an image file format which is familiar with various compression possibilities).

39 _{NB: these data are often stored by cloud computing services, making them harder to obtain.} 40 _{NB: there currently may be legal obstacles in getting access to these data.}

A useful feature of these data for forensic investigations is the fact that these data are not under the control of singular users

• providers, servers: these data are not under the control of the user either, but they are under the control of third parties. These are valuable sources of information, obviously, but more difficult to obtain since they are further removed from the investigated party41

To summarize, digital data is produced and collected by many different institutions and devices we work with in our everyday life. All these different kinds of digital data offer different opportunities for the extraction of significant information. Digital data even present cumulative value by combining various types of digital data. Since most digital data carry CGD, most digital data can be verified in a way never possible with comparable data in e.g. print. These characteristics allow for digital data to be potentially very useful when employed as evidence. The verification and accordingly the investigation of digital data does require its own methods: these are elaborated next.

2.4 Digital Forensics

Part of evidence gathering has thus become the unravelling of a cloudy field of ones and zeros wherein invaluable but likewise almost untraceable pieces of information lie. In every investigation there are pieces of digital data which are telling part of the story that is being investigated. This has been the case for decades now. E.g. the Clinton-Lewinsky affair in the late nineties of the previous century: crucial elements in the court case were, among others, erased emails Ms. Lewinsky had sent to her friends talking about her affair with Mr. Clinton (Arkfeld 1-25). And before that in the Rodney King case: an officer performing the beating wrote about his brutality in an email which was used in the court case (Arkfeld 1-25). So, not only in the case of cybercrime, but in any court case nowadays do investigators need to investigate digital information.

This paragraph starts with a short description of the field of forensics. It then addresses digital forensics to get an overall idea of its peculiarities. Afterwards it goes into some aspects a bit more deeply to give additional insight into a few particularities concerned with this specific domain of forensic science.

Forensic science is (any) science which is involved in the investigation of evidence in service of the justice system (Jackson and Jackson 1-14; Oliver 3-24). Since evidence may come in all shapes and sizes, many different fields of science may be involved: e.g. handwriting experts to assess

signatures, laboratory practitioners for the assessment of DNA and a forensic pathologist to determine a cause of death. Forensic science tries to provide answers by e.g. (Interview 7; Jackson and Jackson 1-14; Olivier 3-24):

1. gathering data in an effective way with legal hold, while preventing

contamination and tampering of the evidence thus safeguarding its integrity 2. processing and analysing evidence: assessing e.g. its usability and relevance,

hereby facilitating the upcoming intelligence process

3. interpreting and evaluating evidence e.g. by comparison of evidence with a relevant database or similar evidence from a different location/case, creating intelligence relevant to the case

The investigative team can then use the intelligence to make decisions about their e.g. perspective and take steps in the investigation. This flow is made visible in figure 1 (see figure 1).

Figure 1. Flowchart Data Present in Case to Investigative Changes

DATA (1) => INFORMATION (2) => INTELLIGENCE (3) => DECISION => ACTION

To reference the division explained in the description of the table in the previous paragraph (table 2): one could generally say that these data (1) fall in the first and second column, the third column creates information (2) and when one includes the fourth and fifth column, one possibly ends up with

intelligence (3).

The field of digital forensics comes with its own specifics, naturally: for the investigation of digital data its own expertise is needed. Investigating e-evidence offers its own peculiarities for its investigators compared to investigating traditional evidence. The technical aspect of digital data ensures general and overarching challenges and perks for each step of an investigation conducted with digital forensics. In the next three lists a few of these practical technical issues are categorized in the beforementioned three general stages of the digital forensic process (Arkfeld 1-3 – 1-28, 5-4 – 5-18; Cohen 40-82; Interviews 6, 7, 9; Kessler; Mason 2014b; Matthews 1-62; Oliver 3-24; Oparnica; Redgrave; Umberg and Warden):

Gathering DATA (1):

• digital data may be stored on many different locations and data-carriers and is easily transferred, which makes it hard to locate

• every electronic device has to be investigated in its own way since all these devices differ: a mobile phone requires a different technique than a personal computer42 • transmitting digital data is quick and inexpensive and storing and duplicating digital

data is quick, and inexpensive as well, since they take up almost no physical space

42 _{And more recently, the encryption of mobile phones makes investigating these much more difficult (Oparnica} 144).

• some digital data may only be accessible by the program that created it, making it more difficult to access43

• retrieving digital data can be done in a computer-based manner, reducing time and costs but the collection of digital data may involve many different techniques and technologies

• all electronic devices may be operating on different operating systems and these systems are also being renewed at an incredible speed, moreover, even small updates of systems may result in slightly different forms of e-evidence which have to be approached in their own way

• transporting digital data has to be done by experts to ensure the data are being kept on trustworthy data-carriers and some digital data may have to be examined ‘live’, making it more difficult to transport for examination44

• preserving digital data has to be done carefully and preserved data kept up-to-date • the handling of e-evidence must consequently be done by experts, and by experts

who keep their expertise up-to-date meticulously

Gathering INFORMATION (2):

• searching digital data can be done by computer, reducing time and costs, and can be extra efficient e.g. by searching by keyword, phrase, date, coding, etc45 • organizing large amounts of data is much easier in a digital format and can be

done in various meaningful ways, e.g. by keyword, phrase, date, predictive coding, etc., reducing time and costs

• copying digital data has to be done by experts hereby ensuring that all relevant information is being copied46

• it may not always be clear who produced the digital data, since users may use each other’s identifying data to produce digital data47

• digital data may be e.g. password protected, deleted, encrypted or corrupted, making it more difficult to investigate

• one user may produce a lot of data, making it difficult to find the relevant parts48

43 _{Known as ‘proprietary programming’, which may cause difficulties e.g. in the case of obsolete programs or} language specific programs.

44 _{E.g. possible valuable data that is stored in the Random-Access Memory (RAM) will be lost when a system is} shut down. NB: this is even more the case when examining mobile devices, internet-based sites and encrypted disks, when capturing network traffic and for cloud-based investigations (Kessler 5).

45 _{Not every document is equally ‘searchable’: e.g. images may form some complications.} 46 _{By making a ‘mirror -’ or ‘disk image’ instead of a copy of the data.}

47 _{And applications like ‘remote desktop’ exists e.g. and other alike possible circumstances: in these cases,} however, the use of such an application is registered in CGD. The login issue will be discussed shortly in the next paragraph.

• the investigator may need the cooperation of third parties49

• digital data produced in a networked environment are more difficult to analyse and may change rapidly

Gathering INTELLIGENCE (3):

• all content and manipulations on a device are accompanied by CGD and most digital data are searchable by content as well as by metadata • it is possible to perform computer-sophisticated analyses on digital data,

e.g. by correlating financial data with other documents

• it is easy to store digital data in an online data depository, where they can be viewed, analysed and commented on by an investigative team50

• the functionality of electronic information is preserved when preserved digitally

• the state and settings of the data carrying source of the digital data have to be researched to be able to make use of the metadata and logs and such51 • users may (un)intentionally manipulate the data, e.g. by just working on a

device or with the intention of altering the data but manipulated data can be discovered52

• software has been developed specifically for the investigation of digital data which can extract data including its metadata in a legally acceptable manner and flag duplicates and such

• e-evidence can (or will be) be seen as more trustworthy than paper because it was researched by computers instead of fallible people53

• the cyber world has no physical boundaries, costing digital forensics investigations to be more efficient

• by keeping an audit trail of the processes used in a digital forensics investigation, a third-party can repeat the process and achieve the same results

• digital data can be investigated on different levels54

how to handle the sheer volume and does not find the implicating parts (Interviews 6, 7).

49 _{E.g. from app makers for access to databases or logs of apps or from providers of services such as cellular} service providers for access to servers. NB: another disadvantage of this fact is that this ensures a need for more people and data to be thoroughly checked and more places where things could go wrong; the more people involved, the more people may make mistakes.

50 _{And, in RSD cases, a European communal depository system would be practical.} 51 _{The computer- and system integrity must be verified.}

52 _{Albeit that this may be a costly and time-consuming matter in some occasions.}

53 _{Even more when the art of digital forensics has developed further in the future, although humans will still be at} the controls for now.

54 _{The question is leading as to which levels have to be taken into consideration in an investigation, in my} opinion.