Digital evidence

In evidence law, digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial. [1] Before accepting digital evidence a court will determine if the evidence is relevant, whether it is authentic, if it is hearsay and whether a copy is acceptable or the original is required. [1]

The use of digital evidence has increased in the past few decades as courts have allowed the use of e-mails, digital photographs, ATM transaction logs, word processing documents, instant message histories, files saved from accounting programs, spreadsheets, internet browser histories, databases, the contents of computer memory, computer backups, computer printouts, Global Positioning System tracks, logs from a hotel’s electronic door locks, and digital video or audio files. [2]

Many courts in the United States have applied the Federal Rules of Evidence to digital evidence in a similar way to traditional documents, although important differences such as the lack of established standards and procedures have been noted. [3] In addition, digital evidence tends to be more voluminous, more difficult to destroy, easily modified, easily duplicated, potentially more expressive, and more readily available. As such, some courts have sometimes treated digital evidence differently for purposes of authentication, hearsay, the best evidence rule, and privilege. In December 2006, strict new rules were enacted within the Federal Rules of Civil Procedure requiring the preservation and disclosure of electronically stored evidence. Digital evidence is often attacked for its authenticity due to the ease with which it can be modified, although courts are beginning to reject this argument without proof of tampering. [4]

Admissibility

Digital evidence is often ruled inadmissible by courts because it was obtained without authorization. [1] In most jurisdictions a warrant is required to seize and investigate digital devices. In a digital investigation this can present problems where, for example, evidence of other crimes is identified while investigating another. During a 1999 investigation into online harassment by Keith Schroeder, investigators found pornographic images of children on his computer. A second warrant had to be obtained before the evidence could be used to charge Schroeder. [1] [5]

Authentication

As with any evidence, the proponent of digital evidence must lay the proper foundation. Courts largely concerned themselves with the reliability of such digital evidence. [4] As such, early court decisions required that authentication called "for a more comprehensive foundation." US v. Scholle, 553 F.2d 1109 (8th Cir. 1976). As courts became more familiar with digital documents, they backed away from the higher standard and have since held that "computer data compilations… should be treated as any other record." US v. Vela, 673 F.2d 86, 90 (5th Cir. 1982).

A common attack on digital evidence is that digital media can be easily altered. However, in 2002 a US court ruled that "the fact that it is possible to alter data contained in a computer is plainly insufficient to establish untrustworthiness" (US v. Bonallo, 858 F. 2d 1427–1988 – Court of Appeals, 9th). [1] [6]

Nevertheless, the "more comprehensive" foundation required by Scholle remains good practice. The American Law Reports lists a number of ways to establish the comprehensive foundation. It suggests that the proponent demonstrate "the reliability of the computer equipment", "the manner in which the basic data was initially entered", "the measures taken to ensure the accuracy of the data as entered", "the method of storing the data and the precautions taken to prevent its loss", "the reliability of the computer programs used to process the data", and "the measures taken to verify the accuracy of the program". [7]

This in turn gave rise to a breed of commercial software technology solutions designed to preserve digital evidence in its original form and to authenticate it for admissibility in disputes and in court.

UK ACPO guidelines

In the United Kingdom, examiners usually follow guidelines issued by the Association of Chief Police Officers (ACPO) for the authentication and integrity of evidence. [8] [9] They were updated to Version 5 in October 2011, when "computer based evidence" was replaced with "digital evidence", reflecting the development of investigating information security incidents in a wider context. [9] The guidelines consist of four principles:

Principle 1: No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.
Principle 2: In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

These guidelines are widely accepted in courts of England and Scotland, but they do not constitute a legal requirement and their use is voluntary. It is arguable that, whilst voluntary, non-adherence is almost certain to lead to the exclusion of evidence that does not comply, subject to the provisions of s 78 Police and Criminal Evidence Act 1984 (Power to exclude evidence obtained unfairly).

ADAM Principles

Building on the ACPO Guidelines with a more generic application outside of law enforcement, a doctoral thesis proposed the following overriding principles to be followed by digital forensic practitioners: [3]

  1. The activities of the digital forensic practitioner should not alter the original data. If the requirements of the work mean that this is not possible then the effect of the practitioner’s actions on the original data should be clearly identified and the process that caused any changes justified.
  2. A complete record of all activities associated with the acquisition and handling of the original data and any copies of the original data must be maintained. This includes compliance with the appropriate rules of evidence, such as maintaining a chain of custody record, and verification processes such as hashing.
  3. The digital forensic practitioner must not undertake any activities which are beyond their ability or knowledge.
  4. The digital forensic practitioner must take into consideration all aspects of personal and equipment safety whilst undertaking their work.
  5. At all times the legal rights of anyone affected by your actions should be considered.
  6. The practitioner must be aware of all organizational policies and procedures relating to their activities.
  7. Communication must be maintained as appropriate with the client, legal practitioners, supervisors and other team members.

Best evidence rule

Digital evidence is almost never in a format readable by humans, requiring additional steps to include digital documents as evidence (i.e. printing out the material). It has been argued that this change of format may mean digital evidence does not qualify under the "best evidence rule". [4] However, the "Federal Rules of Evidence" rule 1001(3) states "if data are stored in a computer…, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original.’" [10]

Commonly courts do not bar printouts under the best evidence rule. In Aguimatang v. California State Lottery, the court gave near per se treatment to the admissibility of digital evidence stating "the computer printout does not violate the best evidence rule, because a computer printout is considered an ‘original.’" 234 Cal. App. 3d 769, 798.

Video evidence

Video evidence is a video clip that may be used in a court case at trial. Examples include: [11]


References

  1. Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN 0-12-163104-4.
  2. Various (2009). Eoghan Casey (ed.). Handbook of Digital Forensics and Investigation. Academic Press. p. 567. ISBN 978-0-12-374267-4. Retrieved 2 September 2010.
  3. Adams, Richard (2012). "The Advanced Data Acquisition Model (ADAM): A process model for digital forensic practice" (PDF).
  4. "State v. Schroeder, 613 NW 2d 911 – Wis: Court of Appeals 2000". 2000.
  5. "US v. Bonallo". Court of Appeals, 9th Circuit. 1988. Retrieved 1 September 2010.
  6. Zupanec, Donald (1981-01-01). "Admissibility of Computerized Private Business Records". American law reports. alr 4th. cases and annotations. Vol. 7. pp. 16–19.
  7. Pollitt, MM. "Report on digital evidence". CiteSeerX 10.1.1.80.1663.
  8. "ACPO Good Practice Guide for Digital Evidence" (PDF). Retrieved 26 April 2016.
  9. "Federal Rules of Evidence #702". Archived from the original on 19 August 2010. Retrieved 23 August 2010.
  10. Shaer, Matthew (19 February 2015). "'The Media Doesn't Care What Happens Here'". The New York Times Magazine.