David Mugisha
Gujarat Forensic Sciences University
All content following this page was uploaded by David Mugisha on 06 April 2019.
david.dfis.1741@gfsu.edu.in , dav2mugisha@gmail.com
Masters student in Digital Forensics and Information Security
FORENSIC SCIENCE INSTITUTE
GUJARAT FORENSIC SCIENCES UNIVERSITY (GFSU)
Abstract
Digital evidence must be collected by reasonable and the least intrusive means. The manner
of collection depends upon the system configuration encountered, type of investigation at
hand, and the most pertinent evidence being sought to support the investigation. Nearly every
choice a forensic examiner makes, or doesn’t make, during the collection process affects data
to a certain extent. The examiner needs to be aware of the specific electronic data required for
the investigation and be prepared to address obstacles that inevitably arise in nearly
every digital evidence collection scenario.
When bringing an offence committed involving a digital device such as a computer before the
criminal court system, a strategy must be drawn up by the prosecution to prove beyond all
reasonable doubt that the defendant is guilty of the crime.
This strategy is heavily dependent on the findings of the forensic examiner or Digital
Forensic Investigator who has the immense responsibility of examining the exhibits for signs
of evidence.
This paper gives an overview of digital evidence, the challenges relating to digital evidence in
detail, the major categories of evidence in the legal system, the admissibility of digital evidence
under the judicial system, and how evidence is presented in the courtroom.
1. Introduction
Digital devices are everywhere in today’s world, helping people communicate locally and
globally with ease. Most people immediately think of computers, cell phones and the Internet
as the only sources for digital evidence, but any piece of technology that processes
information can be used in a criminal way. For example, hand-held games can carry encoded
messages between criminals and even newer household appliances, such as a refrigerator
with a built-in TV, could be used to store, view and share illegal images. The important thing
to know is that responders need to be able to recognize and properly seize potential digital
evidence. Digital evidence is defined as all information with probative value that is included
in an electronic media or is transmitted by said media. For this, we distinguish two basic
types of digital evidence:
Most types of crime now also involve computers in one way or another, either in that
computer data and systems are the target of the offence, in that the offence is committed
through computers, or in that electronic evidence on a computer may be important in relation
to an offence that is otherwise unrelated to computer systems. Any offence may involve
important evidence located on a computer (including mobile devices), even if this offence is
otherwise unrelated to computer systems.
In other cases, digital evidence may be charges held in volatile storage, which dissipate
within seconds of a loss of power to the system. Digital evidence may be no more tangible,
nor permanent, than pulses of photons, radio frequency waves, or differential levels of
voltage on copper wires.
Examples of “digital evidence” include:
Encryption
According to TechTerms (2014), encryption is the process of scrambling information that can
only be decoded and read by someone who has the correct decoding key. Encryption is used
to hide or make the evidence unreadable on the compromised system.
Attackers use many different encryption methods and in order to make the data usable,
investigators have to decrypt the encrypted data. It is time consuming and sometimes the
encrypted data cannot be decrypted.
Steganography
“Steganography is an encryption technique that can be used along with cryptography as an
extra-secure method in which to protect data.” (Janssen, 2014).
Steganography is a technique that is used to hide any information inside a file carrier without
modifying its outward appearance. Attackers use steganography to hide their payloads
inside the compromised system. When investigating computer crimes, the
investigator has to identify these hidden data in order to reveal the information for further
reference.
Resource Challenges
Depending on the scenario, the volume of data involved in the case might be large. In that
case the investigator has to go through all the collected data in order to gather evidence. It
may take more time for the investigation. Since time is a limiting factor, it becomes another
major challenge in the field of digital forensics.
In volatile memory forensics, since the data stored in the volatile memory is ephemeral,
user activities are overwritten in the volatile memory. Therefore investigators can analyze
only recent information that is stored on the volatile memory. This reduces the forensic
value of the data for the investigation.
When collecting data from the source, an investigator must make sure that none of the
data is modified or missed during the investigation, and the data must be well secured.
Data sources which are damaged cannot be easily used in investigations. So it is a major
issue when an investigator finds a valuable source that is not usable.
Legal Challenges
Privacy is also important to any organization or victim. In many cases it may be required that
the computer forensics expert share the data or compromise privacy to get to the truth. A
private company or an individual user might generate lots of private information in their day
to day usage. So asking an investigator to examine their data might risk their privacy being
revealed.
1.2. Network-Based Digital Evidence
“Network-based digital evidence” is digital evidence that is produced as a result of
communications over a network. The primary and secondary storage media of computers
(e.g., the RAM and hard drives) tend to be fruitful fodder for forensic analysis. Due to data
remanence, persistent storage can retain forensically recoverable and relevant evidence for
hours, days, even years beyond file deletion and storage reuse. In contrast, network-based
digital evidence can be extremely volatile. Packets flit across the wire in milliseconds, vanish
from switches in the blink of an eye. Web sites change depending on from where they’re
viewed and when.
However, if the original exists and could be admitted, then the duplicate would not suffice.
The original purpose of this rule was to ensure that decisions made in court were based on the
best available information. With the advent of photocopiers, scanners, computers, and other
technology that can create effectively identical duplicates, copies became acceptable in place
of the original, unless “a genuine question is raised as to the authenticity of the original or the
accuracy of the copy or under the circumstances it would be unfair to admit the copy in lieu
of the original” (Best Evidence Rule).
Because an exact duplicate of most forms of digital evidence can be made, a copy is generally
acceptable. In fact, presenting a copy of digital evidence is usually more desirable because it
eliminates the risk that the original will be accidentally altered.
Direct evidence is the testimony offered by a direct witness of the act or acts in question. There are lots of
ways that events can be observed, captured, and recorded in the real world, and our court
systems try to accommodate most of these when there is relevant evidence in question. Of
course, the oldest method is the reportable observation of a fellow human being.
This human testimony is classified as “direct evidence,” and it remains some of the most
utilized forms of evidence, even if it is often disputed and unreliable. Direct evidence is
usually admissible, so long as it’s relevant. What other people witnessed can have a great
impact on a case.
• “I watched him crack passwords using John the Ripper and a password file he shouldn’t
have.”
In contrast to “direct evidence,” “circumstantial evidence” is evidence that does not directly
support a specific conclusion. Rather, circumstantial evidence may be linked together with
other evidence and used to deduce a conclusion. Circumstantial evidence is important for
cases involving network forensics because it is “the primary mechanism used to link
electronic evidence and its creator.”
Often, circumstantial evidence is used to establish the author of emails, chat logs, or other
digital evidence. In turn, authorship verification is necessary to establish authenticity, which
is required for evidence to be admissible in court.
• An email signature
“Hearsay” is the label given to testimony offered second-hand by someone who was not a
direct witness of the act or acts in question. It is formally defined by the FRE as “a statement,
other than one made by the declarant while testifying at the trial or hearing, offered in
evidence to prove the truth of the matter asserted.” This includes the comments of someone
who may have direct knowledge of an occurrence, but who is unable or unwilling to deliver
them directly to the court.
Business records can include any documentation that an enterprise routinely generates and
retains as a result of normal business processes, and that is deemed accurate enough to be
used as a basis for managerial decisions.
This can include everything from email and memos to access logs and intrusion detection
system (IDS) reports. There may be legally mandated retention periods for some of this data.
Other records may be subject to internal retention and/or destruction policies. The bottom line
is that if the records are seen as accurate enough by the enterprise that they are the basis for
managerial decision making, then the courts usually deem them reliable enough for a
proceeding. Digital evidence has been admitted under the “business records” exception to
hearsay many times, although in some cases this was erroneous. The Department of Justice
(U.S) points out that “courts have mistakenly assumed that computer-generated records are
hearsay without recognizing that they do not contain the statement of a person.”
Examples of “business records” can include:
In addition to challenging the admissibility of digital evidence directly, tools and techniques
used to process digital evidence have been challenged by evaluating them as scientific
evidence. Because of the power of science to persuade, courts are careful to assess the
validity of a scientific process before accepting its results. If a scientific process is found to
be questionable, this may influence the admissibility or weight of the evidence, depending on
the situation. (Daubert v. Merrell Dow Pharmaceuticals, Inc).
Criminal Law: In criminal law, evidence is used to prove a defendant's guilt beyond a
reasonable doubt.
Civil Law: In civil law, an element of a case is weighed by the standard of preponderance of
the evidence, which is a lower standard than "beyond a reasonable doubt."
However, before evidence can even be used in a criminal case, it must be considered
“admissible”. Whether evidence is admissible or not depends on several different factors that
the court must analyze. Many different items and statements are often excluded from
evidence in a criminal trial because they are considered “inadmissible”.
Since the ultimate goal is the use of acquired and analysed evidence to support a case in
court, electronic evidence must be obtained in compliance with existing legislation and best
practice procedure to be admissible in a trial. Although the details differ depending on
national legislation, the following basic criteria must generally be taken into account:
The law should provide for the admission of electronic evidence in court. Procedures need to
be put in place on the handling of electronic evidence. Investigators and forensic experts need
to adhere to these regulations to make evidence admissible in court proceedings.
A well-rendered report that clearly outlines the digital investigator’s findings can convince
the opposition to settle out of court, while a weakly rendered report can fuel the opposition to
proceed to trial. Assumptions and lack of foundation in evidence result in a weak report.
Reports should clearly state how and where all evidence was found, to help decision makers to
interpret the report and to enable another competent digital investigator to verify results.
Including important items of digital evidence as figures or attachments can be useful when
testifying in court as it may be necessary to refer to the supporting evidence when explaining
findings in the report. Presenting alternative scenarios and demonstrating why they are less
reasonable and less compatible with the evidence can help strengthen key conclusions.
Explaining why other explanations are unlikely or impossible demonstrates that the scientific
method was applied—that an effort was made to disprove the given conclusion but that it
withstood critical scrutiny.
4.2. Testimony
Proper preparation for trial makes all the difference. For digital investigators, preparing for
trial can involve meeting with attorneys in the case to review the forensic findings, address
any questions or concerns, and discuss how the information will be presented in court.
Scripting direct examination or rehearsing it may not be permitted in some contexts, but some
discussion with the attorney ahead of time is generally permissible and provides an
opportunity to identify areas that need further explanation and to anticipate questions that the
opposition might raise during cross-examination. Keep in mind that attorneys are generally
extremely busy getting many other aspects of a case ready for trial and may not have much
time or attention to devote to the digital dimension. Do not assume that the attorneys can
understand or recall the most important aspects of the digital forensic findings. In the days
prior to the trial, and even during the trial, digital investigators must be prepared to give the
attorneys what they need as quickly and concisely as possible.
When digital investigators first take the stand, they must first be accepted as an expert by the
court. During this process, called voir dire, digital investigators will generally be asked to
provide a summary of their qualifications and experience and, in some cases, will be asked
questions about their training, credentials, etc. After this process, the court will decide
whether to accept the digital investigator as an expert who can testify in the case.
When on the stand, the most important thing is to convey the facts as clearly as you can to all
in attendance. Do not rush. Attempting to hurry through testimony could make a bad
impression or worse, cause digital investigators to make a mistake. Digital investigators
should take time to consider the question and answer it correctly the first time. Speak clearly
and loud enough for at least the jury to hear, if not the entire courtroom.
During cross-examination, attorneys often attempt to point out flaws and details that were
overlooked by the digital investigator. The most effective response to this type of questioning
is to be prepared with clear explanations and supporting evidence. In some cases, the goal of
the opposing counsel may be to raise doubts about digital forensic findings. Therefore, digital
investigators should not expect the questions to be straightforward or even comprehensible.
What seems like a nontech-savvy lawyer trying to muddle through technical findings may be
a very savvy trial lawyer. Besides trying to create confusion in relation to the findings, asking
a vague question may be a tactic to get the digital investigator to answer questions that the
attorney had not thought of himself/herself. As a rule, never guess what an attorney is trying
to ask. If a question seems unclear, ask the attorney to repeat it or rephrase it to clarify what
is being asked. It is also advisable to pause before answering questions to give your attorney
time to express objections. When objections are raised, carefully consider why the attorney is
objecting before answering the question. If prompted to answer a complex question with
simply “Yes” or “No,” inform the court that you do not feel that you can adequately address
the question with such a simplistic answer but follow the direction of the court. Above all, be
honest.
If a digital investigator does not know the answer to a question, it is okay to say “I don’t
know.” Digital investigators can stick to solid evidence and avoid less certain speculation.
Before agreeing to a statement in cross-examination, consider it carefully. The opposing
counsel may not be stating a fact when asking a question like “Isn’t it true that my client was
not in possession of the mobile device at the time of the crime?” Knowing the facts of the
case and being able to deliver them in response to a misleading question may discourage
further attempts to catch the testifying digital investigator off guard.
In addition to presenting findings, digital investigators may be required to explain how the
evidence was handled and analyzed to demonstrate chain of custody and thoroughness of
methods. Digital investigators may also be asked to explain underlying technical aspects in a
relatively nontechnical way, such as how files are deleted and recovered and how tools
acquire and preserve digital evidence. Simple diagrams depicting these processes are strongly
recommended.
It can be difficult to present digital evidence in even the simplest of cases. In direct
examination, the attorney usually needs to refer to digital evidence and display it for the trier
of fact (e.g., judge or jury).
This presentation can become confusing and counterproductive, particularly if materials are
voluminous and not well arranged. For instance, referring to printed pages in a binder is
difficult for each person in a jury to follow, particularly when it is necessary to flip forward
and backward to find exhibits and compare items. Such disorder can be reduced by arranging
exhibits in a way that facilitates understanding and by projecting data onto a screen to make it
visible to everyone in the court.
Displaying digital evidence with the tools used to examine and analyze it can help clarify
details and provide context, taking some of the weight of explaining off the digital
investigator. Some digital investigators place links to exhibits in their final reports, enabling
them to display the reports onscreen during testimony and efficiently display relevant
evidence when required. However, it is important to become familiar with the computer that
will be used during the presentation to ensure a smooth testimony. Visual representations of
timelines, locations of computers, and other fundamental features of a case also help provide
context and clarity. Also, when presenting technical aspects of digital evidence such as how
files are recovered or how log-on records are generated, first give a simplified, generalized
example and then demonstrate how this applies to the evidence in the case.
The risk of confusion increases when multiple computers are involved and it is not
completely clear where each piece of evidence originated. Therefore, make every effort to
maintain the context of each exhibit, noting which computer or floppy disk it came from and
the associated evidence number. Also, when presenting reconstructions of events on the basis
of large amounts of data such as server logs or telephone records, provide simplified visual
depictions of the main entities and events rather than just presenting the complex data. It
should not be necessary to fumble through pages of notes to determine the associated
computer or evidence number. Also, refer to exhibit numbers during testimony rather than
saying, “this e-mail” or “that print screen.”
Digital investigators may need to refer back to their work on a case years later and are often
required to provide all notes related to their work and possibly different versions of an
edited/corrected report. In the United Kingdom, there is a process called disclosure that aims
to make the discovery process more streamlined and transparent, requiring the prosecution to
provide all relevant material to the defense. To facilitate such review or disclosure, it is
helpful to organize any screenshots or printouts (initialled, dated, and numbered) of important
items found during examination. For instance, create a neatly written index of all screenshots
and printouts.
5. Conclusion
It has thus been seen that with the increasing impact of technology in everyday life, the
production of electronic evidence has become a necessity in most cases to establish the guilt
of the accused or the liability of the defendant. The shift in the judicial mindset has occurred
mostly in the past twenty years and most legal systems across the world have amended their
laws to accommodate such change.
The foundation of any case involving digital evidence is proper evidence handling. Therefore,
the practice of seizing, storing, and accessing evidence must be routine to the point of
perfection. Standard operating procedures with forms are a key component of consistent
evidence handling, acting as both memory aids for digital investigators and documentation of
chain of custody. Also, training and policies should provide digital investigators with a clear
understanding of acceptable evidence handling practices and associated laws.
Verifying that evidence was handled properly is only the first stage of assessing its reliability.
Courts may also consider whether digital evidence was altered before, during, or after
collection, and whether the process that generated the evidence is reliable.
On the stand, digital investigators may be asked to testify to the reliability of the original
evidence and the collection and analysis systems and processes, and to assert that they
personally established the chain of custody and forensically preserved the data. An
unexplained break in the chain of custody could be used to exclude evidence.
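The best-evidence discussion earlier in the paper (an exact duplicate is acceptable because it protects the original) and the chain-of-custody point made in this conclusion rest on the same mechanism: a hash taken at acquisition and re-checked at every hand-over. The following Python is an added example, not code from the paper; the exhibit number, custodian names and "disk image" bytes are constructed, and the ledger shows how an unexplained break or an altered copy surfaces as a concrete, explainable problem.

```python
"""Added example (not from the paper): a chain-of-custody ledger whose
integrity rests on a hash taken at acquisition and re-checked at every step.
All names, exhibit numbers and 'image' bytes below are constructed."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    """Fingerprint used to show a working copy is an exact duplicate of the original."""
    return hashlib.sha256(data).hexdigest()

@dataclass
class CustodyEvent:
    timestamp: str   # ISO 8601, UTC
    action: str      # "acquired", "transferred", "examined", "returned"
    custodian: str   # person holding the exhibit after this event
    sha256: str      # hash of the data actually in hand at this event
    note: str = ""

@dataclass
class Exhibit:
    exhibit_id: str
    description: str
    acquisition_hash: str            # reference value every later event is checked against
    events: list = field(default_factory=list)

    def record(self, action, custodian, data, note="", when=None):
        """Append an event; the hash is recomputed from the data, never copied forward."""
        ts = (when or datetime.now(timezone.utc)).isoformat()
        ev = CustodyEvent(ts, action, custodian, sha256_hex(data), note)
        self.events.append(ev)
        return ev

def acquire(exhibit_id, description, original: bytes, custodian, when=None):
    """Duplicate the original once, prove the copy matches, and open the ledger."""
    copy = bytes(original)   # stands in for a bit-for-bit image written by an imaging tool
    if sha256_hex(copy) != sha256_hex(original):
        raise RuntimeError("duplicate does not match the original; re-image")
    ex = Exhibit(exhibit_id, description, sha256_hex(original))
    ex.record("acquired", custodian, copy, "verified duplicate of original", when)
    return ex, copy

def verify_chain(ex: Exhibit):
    """Return the problems opposing counsel could raise; an empty list means the chain is intact."""
    problems = []
    if not ex.events or ex.events[0].action != "acquired":
        return ["chain does not begin with an acquisition event"]
    holder = ex.events[0].custodian
    last_ts = ex.events[0].timestamp
    for i, ev in enumerate(ex.events):
        if ev.sha256 != ex.acquisition_hash:
            problems.append(f"event {i} ({ev.action}): hash differs from acquisition hash, data altered")
        if ev.timestamp < last_ts:
            problems.append(f"event {i} ({ev.action}): timestamp earlier than the previous event")
        last_ts = ev.timestamp
        if ev.action == "transferred":
            holder = ev.custodian       # a documented hand-over changes the holder
        elif ev.custodian != holder:
            problems.append(f"event {i} ({ev.action}): {ev.custodian} acted without a documented transfer from {holder}")
    return problems

def demo():
    """Constructed walk-through: an intact chain, then an unexplained break and an altered copy."""
    original = b"constructed disk image contents"     # stands in for a seized drive
    t0 = datetime(2019, 4, 6, 9, 0, tzinfo=timezone.utc)
    ex, copy = acquire("EXH-001", "laptop HDD image", original, "Examiner A", t0)
    ex.record("transferred", "Examiner B", copy, "handed over for analysis", t0.replace(hour=10))
    ex.record("examined", "Examiner B", copy, "keyword search", t0.replace(hour=11))
    assert verify_chain(ex) == []                     # so far, nothing to challenge
    ex.record("examined", "Examiner C", copy, "", t0.replace(hour=12))   # no transfer from B
    ex.record("returned", "Examiner B", copy + b"x", "", t0.replace(hour=13))  # copy was written to
    return verify_chain(ex)
```

Calling `demo()` returns two findings: Examiner C acted without a documented transfer, and the copy returned by Examiner B no longer matches the acquisition hash.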
References
Fahdi, M.L., Clarke, N.L. and Furnell, S.M. (2013). Challenges to Digital Forensics: A Survey of Researchers & Practitioners Attitudes and Opinions. p. 1. Available from: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6641058 [Accessed 06/22/2017].
TechTerms. (2014). Encryption. Available at: http://www.techterms.com/definition/encryption [Accessed 06/22/2017].
Kassner, M. (2008). 10+ things you should know about rootkits. Available at: http://www.techrepublic.com/blog/10-things/10-plus-things-you-should-know-about-rootkits/ [Accessed 06/22/2017].
Davidoff, S. and Ham, J. (2012). Network Forensics.
Carrier, B. (2002). Open Source Digital Forensics Tools: The Legal Argument. Available from: http://www.atstake.com/research/reports/acrobat/atstake_opensource_forensics.pdf
Committee on the Judiciary, U.S. House of Representatives. (2011). Federal Rules of Evidence (December 2011). Available from: http://judiciary.house.gov/hearings/printers/112th/evidence2011.pdf
Jarrett, H.M., Director, EOUSA. (2009). Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. Office of Legal Education, Executive Office for United States Attorneys, pp. 198-202. Available from: http://www.justice.gov/criminal/cybercrime/ssmanual/ssmanual2009.pdf
U.S. Department of Justice. (2009). Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations Manual.
Casey, E. (2002). Error, uncertainty and loss in digital evidence. International Journal of Digital Evidence, 1(2). Available from: http://www.ijde.org/archives/docs/02_summer_art1.pdf
NCJRS. (2007). Digital Evidence in the Courtroom: A Guide for Law Enforcement and Prosecutors.
Garfinkel, S.L. (2013). Digital Forensics. Scientific American (September-October 2013). Available at: www.americanscientist.org/issues/pub/digital-forensics
Ball, C.D. (2014). Becoming a Better Witness on Digital Forensics.
Daniel, L. and Daniel, L. (2012). Digital Forensics for Legal Professionals. Syngress.
Garrie, D.B. and Morrissy, J.D. (2014). Digital Forensic Evidence in the Courtroom: Understanding Content and Quality. 12 NW. J. TECH. & INTELL. PROP. 121.
Goodison, S.E., Davis, R.C. and Jackson, B.A. (2015). Digital Evidence and the U.S. Criminal Justice System. RAND Corp. Available at: https://www.ncjrs.gov/pdffiles1/nij/grants/248770.pdf
Gaul, S.C., Jr. and Ryan, J.A. (2017). Admissibility of Electronically Stored Information. Chapter 10 in eDiscovery. PBI Press.
Cases
Michigan v. Miller. (2001). 7th Circuit Court, Michigan.
Lorraine v. Markel Am. Ins. Co. (2007). WL 1300739 (D. Md., May 4, 2007). Available from: http://www.lexisnexis.com/applieddiscovery/lawlibrary/LorraineVMarkel_ESI_Opinion.pdf
United States v. Bunty. (2008). WL 2371211 (E.D. Pa., June 10, 2008).
UK Ministry of Justice. (2010). Criminal Procedure Rules, Part 33: Expert Evidence. Available from: http://www.justice.gov.uk/criminal/procrules_fin/contents/rules/part_33.htm