Medico-legal examinations as a paradigm for digital examinations



Citation information

M. S. Olivier. “Medico-legal examinations as a paradigm for digital examinations”. In: Program and Abstracts — The Eleventh ISABS Conference on Forensic and Anthropologic Genetics and Mayo Clinic Lectures in Individualized Medicine. Ed. by D. Primorac et al. Invited paper. International Society for Applied and Biological Sciences, June 2019, p. 97


Comparison of medico-legal and digital forensic examinations are not new. Digital forensics examination are performed on ‘live’ or ‘dead’ systems. In both cases two similarities with a medico-legal death investigation remained. The (a) basic strategy used in the early tools were maintained and the (b) assumption remained in the vast majority of work that the system to be analysed was the target of some malfeasance that needed to be discovered through examination.

The basic strategy used by tools was often to systematically search systems for keywords, contraband images or some other specified content. The medico-legal method does not search for the obvious, but examines the body systematically to find (and further examine) any abnormalities in the body.

The second similarity is the presumption of harm to the ‘body’. In the medical case this obviously holds. However, in the digital case the presumption stems from the ephemeral nature of data. A persisting concern is that criminals or malware can modify what is observed in the data. The establishment that the system is/was ‘normal’ is more important than a presumption of harm.

In the medico-legal context care is taken to conduct the examination in a layered manner. This contrasts sharply with the digital ‘autopsy’, where the search for incriminating (or exculpatory) strings of data is often the starting point.

It is the contention of this paper that computer systems as well as digital artefacts consist of subsystems, analogous to the systems in the human body, but the analogy for artefacts has not been properly explored yet.

‘Larger’ artefacts, such emailboxes, rather than individual emails, are particularly promising since the ’normal’ use of such larger artefacts, imposes specific expectations of how they would naturally evolve over time. Since the test for normality is one that depends on (a) the expected anatomy (and, possibly, expected physiology) of the artefact, and (b) the absence of pathology, a statement about the normality of such a larger artefact can be made with much more certainty.

The real benefit of the autopsy metaphor is the thorough exclusion of pathology in a system or artefact. This speaks to the system’s or artefact’s health, rather than its death. Data from a healthy digital artefact instils confidence that would not otherwise have been possible.

BibTeX reference

author={Martin S Olivier},
title={Medico-legal examinations as a paradigm for digital examinations},
booktitle={Program and Abstracts --- The Eleventh ISABS Conference on Forensic and Anthropologic Genetics and Mayo Clinic Lectures in Individualized Medicine},
publisher={International Society for Applied and Biological Sciences},
editor={Dragan Primorac and Moses Schanfield and Stanimir Vuc-Pavlovi’c and Manfred Kayser and Tama’as "Ord"og},
note={Invited paper} )

Beta version of new bibliography database; please report errors (or copyright violations) that may have slipped in.