Digital evidence

Last updated

In evidence law, digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial. [1] Before accepting digital evidence a court will determine if the evidence is relevant, whether it is authentic, if it is hearsay and whether a copy is acceptable or the original is required. [1]

Contents

The use of digital evidence has increased in the past few decades as courts have allowed the use of e-mails, digital photographs, ATM transaction logs, word processing documents, instant message histories, files saved from accounting programs, spreadsheets, web browser histories, databases, the contents of computer memory, computer backups, computer printouts, Global Positioning System tracks, logs from a hotel’s electronic door locks, and digital video or audio files. [2]

Many courts in the United States have applied the Federal Rules of Evidence to digital evidence in a similar way to traditional documents, although important differences such as the lack of established standards and procedures have been noted. [3] In addition, digital evidence tends to be more voluminous, more difficult to destroy, easily modified, easily duplicated, potentially more expressive, and more readily available. As such, some courts have sometimes treated digital evidence differently for purposes of authentication, hearsay, the best evidence rule, and privilege. In December 2006, strict new rules were enacted within the Federal Rules of Civil Procedure requiring the preservation and disclosure of electronically stored evidence. Digital evidence is often attacked for its authenticity due to the ease with which it can be modified, although courts are beginning to reject this argument without proof of tampering. [4]

Admissibility

Digital evidence is often ruled inadmissible by courts because it was obtained without authorization. [1] In most jurisdictions a warrant is required to seize and investigate digital devices. In a digital investigation this can present problems where, for example, evidence of other crimes are identified while investigating another. During a 1999 investigation into online harassment by Keith Schroeder investigators found pornographic images of children on his computer. A second warrant had to be obtained before the evidence could be used to charge Schroeder. [1] [5]

Authentication

As with any evidence, the proponent of digital evidence must lay the proper foundation. Courts largely concerned themselves with the reliability of such digital evidence. [4] As such, early court decisions required that authentication called "for a more comprehensive foundation." US v. Scholle, 553 F.2d 1109 (8th Cir. 1976). As courts became more familiar with digital documents, they backed away from the higher standard and have since held that "computer data compilations… should be treated as any other record." US v. Vela, 673 F.2d 86, 90 (5th Cir. 1982).

A common attack on digital evidence is that digital media can be easily altered. However, in 2002 a US court ruled that "the fact that it is possible to alter data contained in a computer is plainly insufficient to establish untrustworthiness" (US v. Bonallo, 858 F. 2d 1427–1988 – Court of Appeals, 9th). [1] [6]

Nevertheless, the "more comprehensive" foundation required by Scholle remains good practice. The American Law Reports lists a number of ways to establish the comprehensive foundation. It suggests that the proponent demonstrate "the reliability of the computer equipment", "the manner in which the basic data was initially entered", "the measures taken to ensure the accuracy of the data as entered", "the method of storing the data and the precautions taken to prevent its loss", "the reliability of the computer programs used to process the data", and "the measures taken to verify the accuracy of the program". [7]

The Best Evidence Rule is a legal principle that requires presenting the most reliable form of evidence in court, which is often the original document or file. In cases where digital evidence is involved, this means presenting the original digital file, rather than a printout or a copy. However, proving the authenticity and integrity of digital evidence can be challenging, as it is relatively easy to manipulate digital files and metadata. [8] Therefore, establishing a clear chain of custody and demonstrating that the evidence presented is unchanged from its original state is crucial. To address this issue, commercial software technology solutions have been developed to preserve digital evidence in its original form and authenticate it for admissibility in court disputes.

UK ACPO guidelines

In the United Kingdom, examiners usually follow guidelines issued by the Association of Chief Police Officers (ACPO) for the authentication and integrity of evidence. [9] [10] They were updated to Version 5 in October 2011 when computer based evidence was replaced with digital evidence reflecting the development of investigating information security incidents in a wider context. [10] The guidelines consist of four principles:

Principle 1: No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.
Principle 2: In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

These guidelines are widely accepted in courts of England and Scotland, but they do not constitute a legal requirement and their use is voluntary. It is arguable that whilst voluntary, non adherence is almost certain to lead to the exclusion of evidence that does not comply subject to the provisions of s 78 Police and Criminal Evidence Act 1984 (Power to exclude evidence obtained unfairly)

ADAM Principles

Building on the ACPO Guidelines with a more generic application outside of law enforcement, a doctoral thesis proposed the following overriding principles to be followed by digital forensic practitioners: [3]

  1. The activities of the digital forensic practitioner should not alter the original data. If the requirements of the work mean that this is not possible then the effect of the practitioner’s actions on the original data should be clearly identified and the process that caused any changes justified.
  2. A complete record of all activities associated with the acquisition and handling of the original data and any copies of the original data must be maintained. This includes compliance with the appropriate rules of evidence, such as maintaining a chain of custody record, and verification processes such as hashing.
  3. The digital forensic practitioner must not undertake any activities which are beyond their ability or knowledge.
  4. The digital forensic practitioner must take into consideration all aspects of personal and equipment safety whilst undertaking their work.
  5. At all times the legal rights of anyone affected by your actions should be considered.
  6. The practitioner must be aware of all organizational policies and procedures relating to their activities
  7. Communication must be maintained as appropriate with the client, legal practitioners, supervisors and other team members

Best evidence rule

Digital evidence is almost never in a format readable by humans, requiring additional steps to include digital documents as evidence (i.e. printing out the material). It has been argued that this change of format may mean digital evidence does not qualify under the "best evidence rule". [4] However, the "Federal Rules of Evidence" rule 1001(3) states "if data are stored in a computer…, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original.’" [11]

Commonly courts do not bar printouts under the best evidence rule. In Aguimatang v. California State Lottery , the court gave near per se treatment to the admissibility of digital evidence stating "the computer printout does not violate the best evidence rule, because a computer printout is considered an ‘original.’" 234 Cal. App. 3d 769, 798.

Video evidence

Video evidence is a video clip that may be used in a court case at trial. Examples include: [12]

See also

Related Research Articles

An expert witness, particularly in common law countries such as the United Kingdom, Australia, and the United States, is a person whose opinion by virtue of education, training, certification, skills or experience, is accepted by the judge as an expert. The judge may consider the witness's specialized opinion about evidence or about facts before the court within the expert's area of expertise, to be referred to as an "expert opinion". Expert witnesses may also deliver "expert evidence" within the area of their expertise. Their testimony may be rebutted by testimony from other experts or by other evidence or facts.

<span class="mw-page-title-main">Authentication</span> Act of proving an assertion

Authentication is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity. It might involve validating personal identity documents, verifying the authenticity of a website with a digital certificate, determining the age of an artifact by carbon dating, or ensuring that a product or document is not counterfeit.

<span class="mw-page-title-main">Discovery (law)</span> Pretrial procedure in common law countries for obtaining evidence

Discovery, in the law of common law jurisdictions, is a phase of pretrial procedure in a lawsuit in which each party, through the law of civil procedure, can obtain evidence from other parties. This is by means of methods of discovery such as interrogatories, requests for production of documents, requests for admissions and depositions. Discovery can be obtained from nonparties using subpoenas. When a discovery request is objected to, the requesting party may seek the assistance of the court by filing a motion to compel discovery. Conversely, a party or nonparty resisting discovery can seek the assistance of the court by filing a motion for a protective order.

<span class="mw-page-title-main">Computer forensics</span> Branch of digital forensic science

Computer forensics is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing, and presenting facts and opinions about the digital information.

In United States federal law, the Daubert standard is a rule of evidence regarding the admissibility of expert witness testimony. A party may raise a Daubert motion, a special motion in limine raised before or during trial, to exclude the presentation of unqualified evidence to the jury. The Daubert trilogy are the three United States Supreme Court cases that articulated the Daubert standard:

The law of evidence, also known as the rules of evidence, encompasses the rules and legal principles that govern the proof of facts in a legal proceeding. These rules determine what evidence must or must not be considered by the trier of fact in reaching its decision. The trier of fact is a judge in bench trials, or the jury in any cases involving a jury. The law of evidence is also concerned with the quantum (amount), quality, and type of proof needed to prevail in litigation. The rules vary depending upon whether the venue is a criminal court, civil court, or family court, and they vary by jurisdiction.

<span class="mw-page-title-main">Digital forensics</span> Branch of forensic science

Digital forensics is a branch of forensic science encompassing the recovery, investigation, examination, and analysis of material found in digital devices, often in relation to mobile devices and computer crime. The term "digital forensics" was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data. With roots in the personal computing revolution of the late 1970s and early 1980s, the discipline evolved in a haphazard manner during the 1990s, and it was not until the early 21st century that national policies emerged.

Holmes v. South Carolina, 547 U.S. 319 (2006), was a decision by the United States Supreme Court involving the right of a criminal defendant to present evidence that a third party instead committed the crime. The Court vacated the rape and murder conviction in South Carolina of a man who had been denied the opportunity to present evidence of a third party's guilt, because the trial court believed the prosecutor's forensic evidence was too strong for the defendant's evidence to raise an inference of innocence. The Court ruled unanimously that this exclusion violated the right of a defendant to have a meaningful opportunity to present a complete defense, because the strength of a prosecutor's case had no logical relationship to whether a defendant's evidence was too weak to be admissible.

Electronic discovery refers to discovery in legal proceedings such as litigation, government investigations, or Freedom of Information Act requests, where the information sought is in electronic format. Electronic discovery is subject to rules of civil procedure and agreed-upon processes, often involving review for privilege and relevance before data are turned over to the requesting party.

<span class="mw-page-title-main">Forensic photography</span> Art of producing an accurate reproduction of a crime scene

Forensic photography may refer to the visual documentation of different aspects that can be found at a crime scene. It may include the documentation of the crime scene, or physical evidence that is either found at a crime scene or already processed in a laboratory. Forensic photography differs from other variations of photography because crime scene photographers usually have a very specific purpose for capturing each image. As a result, the quality of forensic documentation may determine the result of an investigation; in the absence of good documentation, investigators may find it impossible to conclude what did or did not happen.

Inevitable discovery is a doctrine in United States criminal procedure that permits admission of evidence that was obtained through illegal means if it would "inevitably" have been obtained regardless of the illegality. It is one of several exceptions to the exclusionary rule, or the related fruit-of-the-poisonous tree doctrine, which prevent evidence collected in violation of a defendant's constitutional rights from being admitted in court.

Forensic accountants are experienced auditors, accountants, and investigators of legal and financial documents that are hired to look into possible suspicions of fraudulent activity within a company; or are hired by a company who may just want to prevent fraudulent activities from occurring. They also provide services in areas such as accounting, antitrust, damages, analysis, valuation, and general consulting. Forensic accountants have also been used in divorces, bankruptcy, insurance claims, personal injury claims, fraudulent claims, construction, royalty audits, and tracking terrorism by investigating financial records. Many forensic accountants work closely with law enforcement personnel and lawyers during investigations and often appear as expert witnesses during trials.

<span class="mw-page-title-main">Mobile device forensics</span> Recovery of evidence from mobile devices

Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions. The phrase mobile device usually refers to mobile phones; however, it can also relate to any digital device that has both internal memory and communication ability, including PDA devices, GPS devices and tablet computers.

<i>Lorraine v. Markel American Insurance Co.</i>

Lorraine v. Markel American Insurance Company, 241 F.R.D. 534, is a case in which a landmark decision about the admissibility and authentication of digital evidence was set down in the form of a 100-page opinion by Magistrate Judge Paul W. Grimm.

The Scientific Working Group on Imaging Technology was convened by the Federal Bureau of Investigation in 1997 to provide guidance to law enforcement agencies and others in the criminal justice system regarding the best practices for photography, videography, and video and image analysis. This group was terminated in 2015.

<span class="mw-page-title-main">Audio forensics</span>

Audio forensics is the field of forensic science relating to the acquisition, analysis, and evaluation of sound recordings that may ultimately be presented as admissible evidence in a court of law or some other official venue.

Forensic search is an emerging field of computer forensics. Forensic search focuses on user created data such as email files, cell phone records, office documents, PDFs and other files that are easily interpreted by a person.

<i>The Public Prosecution Service v William Elliott, Robert McKee</i>

The Public Prosecution Service v William Elliott and Robert McKee [2013] UKSC 32 is a case decided by the Supreme Court of the United Kingdom concerning admissibility of electronic evidence obtained from an electronic fingerprint reader unit that had not been approved by the Secretary of State as required by Article 61(8)(b) of the Police and Criminal Evidence Order 1989.

Gates Rubber Company v. Bando Chemical Industries, Ltd., et al. is a decision by the U.S. district court for the District of Colorado from May 1, 1996. It is considered a landmark decision in terms of expert witness court testimony in questions of electronic evidence and digital forensics.

<span class="mw-page-title-main">IoT forensics</span> Branch of digital forensics

IoT Forensics or IoT Forensic Science, a branch of digital forensics, that deals with the use of any digital forensics processes and procedures relating to the recovery of digital evidence which originates from one or more IoT devices for the purpose of preservation, identification, extraction or documentation of digital evidence with the intention of reconstructing IoT-related events. These events may reside across one or more configurable computing resources that are within close proximity to the location where the event has taken place.

References

  1. 1 2 3 4 5 Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN   0-12-163104-4.
  2. Various (2009). Eoghan Casey (ed.). Handbook of Digital Forensics and Investigation. Academic Press. p. 567. ISBN   978-0-12-374267-4 . Retrieved 2 September 2010.
  3. 1 2 Adams, Richard (2012). "'The Advanced Data Acquisition Model (ADAM): A process model for digital forensic practice" (PDF).
  4. "State v. Schroeder, 613 NW 2d 911 – Wis: Court of Appeals 2000". 2000.
  5. "US v. Bonallo". Court of Appeals, 9th Circuit. 1988. Retrieved 1 September 2010.{{cite web}}: CS1 maint: location (link)
  6. Zupanec, Donald (1981-01-01). "Admissibility of Computerized Private Business Records". American law reports. alr 4th. cases and annotations. Vol. 7. pp. 16–19.
  7. "Self-Collection and the Best Evidence Rule". JD Supra. Retrieved 2024-01-18.
  8. Pollitt, MM. "Report on digital evidence". CiteSeerX   10.1.1.80.1663 .
  9. 1 2 "ACPO Good Practice Guide for Digital Evidence" (PDF). Retrieved 26 April 2016.
  10. "Federal Rules of Evidence #702". Archived from the original on 19 August 2010. Retrieved 23 August 2010.
  11. Shaer, Matthew (19 February 2015). "'The Media Doesn't Care What Happens Here'". The New York Times Magazine.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.