Evidence generated by the investigation of a digital source must be one of the fastest-growing sources of evidence in modern trials. Everyone uses computers every day for many tasks, and as they use them they leave a trail of activity which can be used in the trial process.
There is nothing about digital evidence, except its source, which sets it outside the normal evidential rules, and its admissibility will be considered in exactly the same way as any other evidence. It is important to consider at every stage how the evidence will be shown to be admissible before the courts.
There are specific concerns about computer-generated evidence having been tampered with, either automatically by an operating system or by an individual. The ACPO Guidelines set out a useful breakdown of what lawyers expect from digital evidence in order to make the best use of it:
1. The collection phase
The integrity of the seizure of devices, hardware and also passwords.
2. The examination phase
Just as important as the actual examination of a digital device is the procedure which is followed to do that examination. There are no universally agreed standards, rules or protocols for the handling of computer evidence. Any technical process applied to digital evidence ‘does not have to pass any formal test’ for it to be placed before a court. There are, however, best practice guidelines on the recovery of digital-based evidence. One of the important parts of a witness statement might be to show that these guidelines have been followed.
The guidelines were laid down by the Association of Chief Police Officers (ACPO) of England, Wales and Northern Ireland.
During the examination phase, the forensic analyst is essentially building up the evidence so that any particular piece of information can be traced back through the system. It might be best described as a digital audit trail. This may cover the exact location of a piece of information, or it may be that there are systems in place which set up an automatic auditable log. For example, an accounting system might track all invoices created during a particular time and log them in a file or journal, which can be printed on demand. An intrusion detection system logs all attempted break-ins into another type of log. In considering the evidence it is important to be able to show where it came from and how it was generated, to avoid concerns that it might have been tampered with. Forensic accountants and computer specialists working on the Enron case pored through 10,000 computer backup tapes and over 400 computers and handheld devices, searching for digital evidence. (Source: Edward Iwata, “Enron Case Could Be Largest Corporate Investigation,” USA Today, February 19, 2002.)
3. The analysis phase
Effectively, at the end of this process, what does the recovered data actually mean? For example, an analysis might show that Mr X’s password was used to access the internet at time Y (if the computer’s record is accurate), but what it cannot show is that Mr X in fact accessed the internet. Issues which should be considered include:
Sources of digital evidence
Cross-drive analysis
A digital forensics technique that correlates information found on multiple hard drives. The process, which is still being researched, can be used for identifying social networks and for performing anomaly detection.
Deleted files
Modern forensic software has its own tools for recovering or carving out deleted data. Most operating systems and file systems do not always erase physical file data, allowing it to be reconstructed from the physical disk sectors. File carving involves searching for known file headers within the disk image and reconstructing deleted materials.
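The signature-based file carving described above, as an added illustration that is not part of the original article or of any forensic tool it mentions: it scans a raw disk image for known file headers and footers, and records for each recovered file its byte offset and a SHA-256 digest, which is the kind of traceable record a witness statement can cite. The image, signatures and file contents are constructed for the example.

```python
import hashlib

# Constructed (header, footer) signatures for two common file types.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(image: bytes):
    """Search the image for each known header, take the bytes up to the
    matching footer as a recovered file, and return where it sat on disk
    plus a hash of what was recovered (the audit trail the text describes)."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = 0
        while True:
            start = image.find(header, start)
            if start == -1:
                break
            end = image.find(footer, start + len(header))
            if end == -1:
                break  # header with no footer: truncated remnant, not carved
            end += len(footer)
            data = image[start:end]
            found.append({
                "type": kind,
                "offset": start,
                "length": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
            start = end
    return sorted(found, key=lambda f: f["offset"])

SECTOR = 512

def build_sample_image() -> bytes:
    """Constructed 4 KiB 'disk image': two unallocated sectors still holding
    the remnants of deleted files, the rest zeroed. Not a real capture."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-sample-body" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-sample-body" + b"IEND\xaeB`\x82"
    img = bytearray(8 * SECTOR)
    img[1 * SECTOR:1 * SECTOR + len(jpeg)] = jpeg
    img[5 * SECTOR:5 * SECTOR + len(png)] = png
    return bytes(img)

if __name__ == "__main__":
    for entry in carve(build_sample_image()):
        print(entry)
```

Carving of this kind assumes each file was stored contiguously; a fragmented file yields a header whose footer belongs to other data, which is one reason recovered material needs the interpretation the CPS guidance below calls for.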
Taken from the CPS guidance on digital evidence:
Unlike a written document, raw computer evidence must be presented with an accurate interpretation, which clearly identifies its significance in the context of where it was found. For example, the hard disk of a computer contains raw binary data. This interpretation must be undertaken by a suitably qualified person and then presented in a human-readable form for consumption by a court. Over-simplification is dangerous as it could lead to the data becoming open to interpretation.
Any doubt as to the interpretation of a single item of evidence can often be correlated with other evidence such as log files, internet history, link files, and so forth. A particular area of difficulty is the communication of risk and probability. The court ultimately has to make a clear judgment on such matters and it is not always possible to give black-and-white answers to questions. Using terminology such as ‘indicative of’ and ‘a common cause of’, it is possible to present such evidence with a possible cause and an indication of its associated probability.