
DIGITAL FORENSICS: Digital Evidence In Judicial System

Article  in  International Journal of Cyber Criminology · March 2019


David Mugisha
Gujarat Forensic Sciences University

All content following this page was uploaded by David Mugisha on 06 April 2019.



DIGITAL FORENSICS:
Digital Evidence in judicial System
By David MUGISHA

david.dfis.1741@gfsu.edu.in , dav2mugisha@gmail.com
Masters student in Digital Forensics and Information Security
FORENSIC SCIENCE INSTITUTE
GUJARAT FORENSIC SCIENCES UNIVERSITY (GFSU)

Abstract

Digital evidence must be collected by reasonable and least intrusive means. The manner
of collection depends upon the system configuration encountered, type of investigation at
hand, and the most pertinent evidence being sought to support the investigation. Nearly every
choice a forensic examiner makes, or doesn’t make, during the collection process affects data
to a certain extent. The examiner needs to be aware of the specific electronic data required for
the investigation and be prepared to address obstacles that inevitably arise in nearly
every digital evidence collection scenario.

When bringing an offence committed involving a digital device such as a computer before the
criminal court system, a strategy must be drawn up by the prosecution to prove beyond all
reasonable doubt that the defendant is guilty of the crime.

This strategy is heavily dependent on the findings of the forensic examiner or Digital
Forensic Investigator who has the immense responsibility of examining the exhibits for signs
of evidence.

This paper gives an overview of digital evidence, the challenges relating to digital evidence
in detail, the major categories of evidence in the legal system, the admissibility of digital
evidence under the judicial system, and how evidence is presented in the courtroom.

1. Introduction
Digital devices are everywhere in today’s world, helping people communicate locally and
globally with ease. Most people immediately think of computers, cell phones and the Internet
as the only sources for digital evidence, but any piece of technology that processes
information can be used in a criminal way. For example, hand-held games can carry encoded
messages between criminals and even newer household appliances, such as a refrigerator
with a built-in TV, could be used to store, view and share illegal images. The important thing
to know is that responders need to be able to recognize and properly seize potential digital
evidence. Digital evidence is defined as all information with probative value that is included
in an electronic media or is transmitted by said media. For this, we distinguish two basic
types of digital evidence:

1. Data stored in computer systems or devices (Digital Evidence).

2. Information transmitted electronically through communication networks
(Network-Based Digital Evidence).

1.1. Digital Evidence

“Digital evidence” is any documentation that satisfies the requirements of “evidence” in a
proceeding, but that exists in electronic digital form. Digital evidence may rest in
microscopic spots on spinning platters, magnetized to greater or lesser degrees in a somewhat
nonvolatile scheme, but regardless, unintelligible except through multiple layers of
abstraction and filesystem protocols.

Most types of crime now also involve computers in one way or another: computer data and
systems are the target of the offence, the offence is committed through computers, or
electronic evidence on a computer is important in relation to an offence that is otherwise
unrelated to computer systems. Any offence may involve important evidence located on a
computer (including mobile devices), even if this offence is otherwise unrelated to computer
systems.

In other cases, digital evidence may be charges held in volatile storage, which dissipate
within seconds of a loss of power to the system. Digital evidence may be no more tangible,
nor permanent, than pulses of photons, radio frequency waves, or differential levels of
voltage on copper wires.
Examples of “digital evidence” include:

• Emails and IM sessions

• Invoices and records of payment received

• Deleted photographs or videos recorded on the suspect’s device

1.1.1. Challenges relating to Digital Evidence

• Encryption
According to TechTerms (2014), encryption is the process of scrambling information so that it
can only be decoded and read by someone who has the correct decoding key. Encryption is used
to hide the evidence or make it unreadable on the compromised system.

Attackers use many different encryption methods, and in order to make the data usable,
investigators have to decrypt the encrypted data. This is time consuming, and sometimes the
encrypted data cannot be decrypted.

• Steganography
“Steganography is an encryption technique that can be used along with cryptography as an
extra-secure method in which to protect data.” (Janssen, 2014).

Steganography is a technique that is used to hide information inside a carrier file without
modifying its outward appearance. Attackers use steganography to hide data (payloads) inside
the compromised system. When investigating computer crimes, the investigator has to identify
this hidden data in order to reveal the information for further reference.

• Data hiding in storage space
Attackers hide some data inside storage areas and make it invisible to the usual system
commands and programs. This makes the investigation more complex and more time consuming,
and sometimes the data can be corrupted too. Rootkits are one of the most popular techniques
used to hide data in storage space.

• Residual Data wiping
When the attacker uses a computer for his goal, a few hidden processes (e.g. creation of
temporary files, history of commands) run without the knowledge of the attacker. But an
intelligent attacker can avoid this risk by wiping out the tracks that were made by his
activity and making the system look as if it has not been used for such a purpose.

• Resource Challenges
Depending on the scenario, the volume of data involved in the case might be large. In that
case the investigator has to go through all the collected data in order to gather evidence. It
may take more time for the investigation. Since time is a limiting factor, it becomes another
major challenge in the field of digital forensics.

• In volatile memory forensics, since the data stored in the volatile memory is ephemeral,
user activities are overwritten in the volatile memory. Therefore investigators can analyze
only recent information that is stored on the volatile memory. This reduces the forensic
value of the data for the investigation.

• When collecting data from the source, an investigator must make sure that none of the
data is modified or missed during the investigation, and the data must be well secured.

• Data sources which are damaged cannot be easily used in investigations. So it is a major
issue when an investigator finds a valuable source that is not usable.

• Legal Challenges
Privacy is also important to any organization or victim. In many cases it may be required that
the computer forensics expert share the data or compromise privacy to get to the truth. A
private company or an individual user might generate a lot of private information in their
day-to-day usage. So asking an investigator to examine their data might risk their privacy
being revealed.

1.2. Network-Based Digital Evidence
“Network-based digital evidence” is digital evidence that is produced as a result of
communications over a network. The primary and secondary storage media of computers
(e.g., the RAM and hard drives) tend to be fruitful fodder for forensic analysis. Due to data
remanence, persistent storage can retain forensically recoverable and relevant evidence for
hours, days, even years beyond file deletion and storage reuse. In contrast, network-based
digital evidence can be extremely volatile. Packets flit across the wire in milliseconds, vanish
from switches in the blink of an eye. Web sites change depending on from where they’re
viewed and when.

1.2.1. Challenges relating to Network-Based Digital Evidence

Network-based evidence poses special challenges in several areas, including acquisition,
content, storage, privacy, seizure, and admissibility. We will discuss some common
challenges below.

• Acquisition: It can be difficult to locate specific evidence in a network environment.
Networks contain so many possible sources of evidence—from wireless access points
to web proxies to central log servers—that sometimes pinpointing the correct location
of the evidence is tricky. Even when you do know where a specific piece of evidence
resides, you may have difficulty gaining access to it for political or technical reasons.
• Content: Unlike filesystems, which are designed to contain all the contents of files
and their metadata, network devices may or may not store evidence with the level of
granularity desired. Network devices often have very limited storage capacity.
Usually, only selected metadata about the transaction or data transfer is kept instead
of complete records of the data that traversed the network.
• Storage: Network devices commonly do not employ secondary or persistent storage.
As a consequence, the data they contain may be so volatile as to not survive a reset of
the device.
• Privacy: Depending on jurisdiction, there may be legal issues involving personal
privacy that are unique to network-based acquisition techniques.
• Seizure: Seizing a hard drive can inconvenience an individual or organization. Often,
however, a clone of the original can be constructed and deployed such that critical
operations can continue with limited disruption. Seizing a network device can be
much more disruptive. In the most extreme cases, an entire network segment may be
brought down indefinitely. Under most circumstances, however, investigators can
minimize the impact on network operations.
• Admissibility: Filesystem-based evidence is now routinely admitted in both criminal
and civil proceedings. As long as the filesystem-based evidence is lawfully acquired,
properly handled, and relevant to the case, there are clear precedents for
authenticating the evidence and admitting it in court. In contrast, network forensics is
a newer approach to digital investigations. There are sometimes conflicting or even
nonexistent legal precedents for admission of various types of network-based digital
evidence. Over time, network-based digital evidence will become more prevalent and
case precedents will be set and standardized.

2. Major categories of evidence in legal system

2.1. Real Evidence


What is “real” evidence? “Real evidence” is roughly defined as any physical, tangible object
that played a relevant role in an event that is being adjudicated. It is the knife that was pulled
from the victim’s body. It is the gun that fired the bullet. It is the physical copy of the contract
that was signed by both parties. In our realm it is also the physical hard drive from which data
is recovered, and all the rest of the physical computer components involved.

Examples of “real evidence” can include:

• The signed paper contract

• The physical hard drive or USB device

• The computer itself—chassis, keyboard, and all


2.2. Best Evidence

When dealing with the contents of a writing, recording, or photograph, courts sometimes
require the original evidence. If the original evidence is not available, then alternate evidence
of its contents may be admitted under the “best evidence rule.” For example, if an original
signed contract was destroyed but a duplicate exists, then the duplicate may be admissible.

However, if the original exists and could be admitted, then the duplicate would not suffice.
The original purpose of this rule was to ensure that decisions made in court were based on the
best available information. With the advent of photocopiers, scanners, computers, and other
technology that can create effectively identical duplicates, copies became acceptable in place
of the original, unless “a genuine question is raised as to the authenticity of the original or the
accuracy of the copy or under the circumstances it would be unfair to admit the copy in lieu
of the original” (Best Evidence Rule).

Because an exact duplicate of most forms of digital evidence can be made, a copy is generally
acceptable. In fact, presenting a copy of digital evidence is usually more desirable because it
eliminates the risk that the original will be accidentally altered.

Examples of “best evidence” include:

• A photo of the crime scene

• A copy of the signed contract

• A file recovered from the hard drive

• A bit-for-bit snapshot of a network transaction

2.3. Direct Evidence

“Direct evidence” is the testimony offered by a direct witness of the act or acts in question.
There are lots of ways that events can be observed, captured, and recorded in the real world,
and our court systems try to accommodate most of these when there is relevant evidence in
question. Of course, the oldest method is the reportable observation of a fellow human being.
This human testimony is classified as “direct evidence,” and it remains one of the most
utilized forms of evidence, even if it is often disputed and unreliable. Direct evidence is
usually admissible, so long as it’s relevant. What other people witnessed can have a great
impact on a case.

Examples of “direct evidence” can include:

• “She showed me an inappropriate video.”

• “I watched him crack passwords using John the Ripper and a password file he shouldn’t
have.”

• “I saw him with that USB device.”

2.4. Circumstantial Evidence

In contrast to “direct evidence,” “circumstantial evidence” is evidence that does not directly
support a specific conclusion. Rather, circumstantial evidence may be linked together with
other evidence and used to deduce a conclusion. Circumstantial evidence is important for
cases involving network forensics because it is “the primary mechanism used to link
electronic evidence and its creator.”

Often, circumstantial evidence is used to establish the author of emails, chat logs, or other
digital evidence. In turn, authorship verification is necessary to establish authenticity, which
is required for evidence to be admissible in court.

Examples of “circumstantial evidence” can include:

• An email signature

• A file containing password hashes on the defendant’s computer

• The serial number of the USB device


2.5. Hearsay Digital

“Hearsay” is the label given to testimony offered second-hand by someone who was not a
direct witness of the act or acts in question. It is formally defined by the FRE as “a statement,
other than one made by the declarant while testifying at the trial or hearing, offered in
evidence to prove the truth of the matter asserted.” This includes the comments of someone
who may have direct knowledge of an occurrence, but who is unable or unwilling to deliver
them directly to the court.

Examples of “hearsay” can include:

• “The guy told me he did it.”

• “He said he knew who did it, and could testify.”

• “I saw a recording of the whole thing go down.”

• A text file containing a personal letter

2.6. Business Records

Business records can include any documentation that an enterprise routinely generates and
retains as a result of normal business processes, and that is deemed accurate enough to be
used as a basis for managerial decisions.

This can include everything from email and memos to access logs and intrusion detection
system (IDS) reports. There may be legally mandated retention periods for some of this data.
Other records may be subject to internal retention and/or destruction policies. The bottom line
is that if the records are seen as accurate enough by the enterprise that they are the basis for
managerial decision making, then the courts usually deem them reliable enough for a
proceeding. Digital evidence has been admitted under the “business records” exception to
hearsay many times, although in some cases this was erroneous. The Department of Justice
(U.S.) points out that “courts have mistakenly assumed that computer-generated records are
hearsay without recognizing that they do not contain the statement of a person.”

Examples of “business records” can include:

• Contracts and other employment agreements

• Invoices and records of payment received

• Routinely kept access logs

• /var/log/messages

2.7. Scientific Evidence

In addition to challenging the admissibility of digital evidence directly, tools and techniques
used to process digital evidence have been challenged by evaluating them as scientific
evidence. Because of the power of science to persuade, courts are careful to assess the
validity of a scientific process before accepting its results. If a scientific process is found to
be questionable, this may influence the admissibility or weight of the evidence, depending on
the situation. (Daubert v. Merrell Dow Pharmaceuticals, Inc).

These criteria are as follows:

1. Whether the theory or technique can be (and has been) tested.
2. Whether there is a high known or potential rate of error, and the existence and
maintenance of standards controlling the technique’s operation.
3. Whether the theory or technique has been subjected to peer review and publication.
4. Whether the theory or technique enjoys “general acceptance” within the relevant
scientific community.

3. Admissibility of Digital Evidence under judicial System

What Is Admissible Evidence?


Admissible evidence is any document, testimony, or tangible evidence used in a court of law.
Evidence is typically introduced to a judge or a jury to prove a point or element in a case.

• Criminal Law: In criminal law, evidence is used to prove a defendant's guilt beyond a
reasonable doubt.
• Civil Law: In civil law, an element of a case is weighed by the standard of preponderance of
the evidence, which is a lower standard than "beyond a reasonable doubt."

However, before evidence can even be used in a criminal case, it must be considered
“admissible”. Whether evidence is admissible or not depends on several different factors that
the court must analyze. Many different items and statements are often excluded from
evidence in a criminal trial because they are considered “inadmissible”.

Since the ultimate goal is the use of acquired and analysed evidence to support a case in
court, electronic evidence must be obtained in compliance with existing legislation and best
practice procedure to be admissible in a trial. Although the details differ depending on
national legislation, the following basic criteria must generally be taken into account:

• Authenticity: it must be possible to positively tie evidentiary material to the
investigated incident.
• Completeness: it must tell the whole story and not just a particular perspective.
• Reliability: there must be nothing about how the evidence was collected and
subsequently handled which causes doubt about its authenticity and veracity.
• Believability: it must be readily believable and understandable to a judge and/or the
members of a jury.
• Proportionality: its application to digital forensics establishes that the whole
investigative process must be adequate and appropriate: the benefits that are to be
gained by using a specific measure must outweigh the harms for the party or parties
affected by the measure.

The law should provide for the admission of electronic evidence in court. Procedures need to
be put in place on the handling of electronic evidence. Investigators and forensic experts need
to adhere to these regulations to make evidence admissible in court proceedings.

What If Evidence Is Considered Inadmissible?

If an item of evidence is considered inadmissible, it means that it can’t be used in court
during trial as evidence against the accused. An example of this is where a witness statement
is considered irrelevant because it doesn’t prove or disprove any facts in the case. In that
case, the statement can’t be entered into the record as evidence and won’t be used against the
defendant during trial.

Thus, it’s very important to make sure that evidence is carefully reviewed and analyzed in
preparation for trial. This generally requires the assistance of a qualified criminal attorney,
who understands the specific evidence rules for their jurisdiction.

4. Presenting Digital Evidence


Digital investigators are commonly asked to testify or produce a written summary of their
findings in the form of an affidavit or expert report. Testifying or writing a report is one of
the most important stages of the investigative process because, unless findings are
communicated clearly in writing, others are unlikely to understand or make use of them.

4.1. Expert Reports

A well-rendered report that clearly outlines the digital investigator’s findings can convince
the opposition to settle out of court, while a weakly rendered report can fuel the opposition to
proceed to trial. Assumptions and lack of foundation in evidence result in a weak report.

Therefore, it is important to build solid arguments by providing supporting evidence and
demonstrating that the explanation provided is the most reasonable one. Whenever possible,
digital investigators should support assertions in their reports with multiple independent
sources of evidence to ensure that any potential weakness in one source of digital evidence
does not undermine an otherwise valid conclusion.

They should clearly state how and where all evidence was found, to help decision makers to
interpret the report and to enable another competent digital investigator to verify results.

Including important items of digital evidence as figures or attachments can be useful when
testifying in court as it may be necessary to refer to the supporting evidence when explaining
findings in the report. Presenting alternative scenarios and demonstrating why they are less
reasonable and less compatible with the evidence can help strengthen key conclusions.

Explaining why other explanations are unlikely or impossible demonstrates that the scientific
method was applied—that an effort was made to disprove the given conclusion but that it
withstood critical scrutiny.

4.2. Testimony

Proper preparation for trial makes all the difference. For digital investigators, preparing for
trial can involve meeting with attorneys in the case to review the forensic findings, address
any questions or concerns, and discuss how the information will be presented in court.
Scripting direct examination or rehearsing it may not be permitted in some contexts, but some
discussion with the attorney ahead of time is generally permissible and provides an
opportunity to identify areas that need further explanation and to anticipate questions that the
opposition might raise during cross-examination. Keep in mind that attorneys are generally
extremely busy getting many other aspects of a case ready for trial and may not have much
time or attention to devote to the digital dimension. Do not assume that the attorneys can
understand or recall the most important aspects of the digital forensic findings. In the days
prior to the trial, and even during the trial, digital investigators must be prepared to give the
attorneys what they need as quickly and concisely as possible.

When digital investigators first take the stand, they must first be accepted as an expert by the
court. During this process, called voir dire, digital investigators will generally be asked to
provide a summary of their qualifications and experience and, in some cases, will be asked
questions about their training, credentials, etc. After this process, the court will decide
whether to accept the digital investigator as an expert who can testify in the case.

When on the stand, the most important thing is to convey the facts as clearly as you can to all
in attendance. Do not rush. Attempting to hurry through testimony could make a bad
impression or worse, cause digital investigators to make a mistake. Digital investigators
should take time to consider the question and answer it correctly the first time. Speak clearly
and loud enough for at least the jury to hear, if not the entire courtroom.

During cross-examination, attorneys often attempt to point out flaws and details that were
overlooked by the digital investigator. The most effective response to this type of questioning
is to be prepared with clear explanations and supporting evidence. In some cases, the goal of
the opposing counsel may be to raise doubts about digital forensic findings. Therefore, digital
investigators should not expect the questions to be straightforward or even comprehensible.
What seems like a nontech-savvy lawyer trying to muddle through technical findings may be
a very savvy trial lawyer. Besides trying to create confusion in relation to the findings, asking
a vague question may be a tactic to get the digital investigator to answer questions that the
attorney had not thought of himself/herself. As a rule, never guess what an attorney is trying
to ask. If a question seems unclear, ask the attorney to repeat it or rephrase it to clarify what
is being asked. It is also advisable to pause before answering questions to give your attorney
time to express objections. When objections are raised, carefully consider why the attorney is
objecting before answering the question. If prompted to answer a complex question with
simply “Yes” or “No,” inform the court that you do not feel that you can adequately address
the question with such a simplistic answer but follow the direction of the court. Above all, be
honest.

If a digital investigator does not know the answer to a question, it is okay to say “I don’t
know.” Digital investigators can stick to solid evidence and avoid less certain speculation.
Before agreeing to a statement in cross-examination, consider it carefully. The opposing
counsel may not be stating a fact when asking a question like “Isn’t it true that my client was
not in possession of the mobile device at the time of the crime?” Knowing the facts of the
case and being able to deliver them in response to a misleading question may discourage
further attempts to catch the testifying digital investigator off guard.

In addition to presenting findings, digital investigators may be required to explain how the
evidence was handled and analyzed to demonstrate chain of custody and thoroughness of
methods. Digital investigators may also be asked to explain underlying technical aspects in a
relatively nontechnical way, such as how files are deleted and recovered and how tools
acquire and preserve digital evidence. Simple diagrams depicting these processes are strongly
recommended.

It can be difficult to present digital evidence in even the simplest of cases. In direct
examination, the attorney usually needs to refer to digital evidence and display it for the trier
of fact (e.g., judge or jury).

This presentation can become confusing and counterproductive, particularly if materials are
voluminous and not well arranged. For instance, referring to printed pages in a binder is
difficult for each person in a jury to follow, particularly when it is necessary to flip forward
and backward to find exhibits and compare items. Such disorder can be reduced by arranging
exhibits in a way that facilitates understanding and by projecting data onto a screen to make it
visible to everyone in the court.

Displaying digital evidence with the tools used to examine and analyze it can help clarify
details and provide context, taking some of the weight of explaining off the digital
investigator. Some digital investigators place links to exhibits in their final reports, enabling
them to display the reports onscreen during testimony and efficiently display relevant
evidence when required. However, it is important to become familiar with the computer that
will be used during the presentation to ensure a smooth testimony. Visual representations of
timelines, locations of computers, and other fundamental features of a case also help provide
context and clarity. Also, when presenting technical aspects of digital evidence such as how
files are recovered or how log-on records are generated, first give a simplified, generalized
example and then demonstrate how this applies to the evidence in the case.

The risk of confusion increases when multiple computers are involved and it is not
completely clear where each piece of evidence originated. Therefore, make every effort to
maintain the context of each exhibit, noting which computer or floppy disk it came from and
the associated evidence number. Also, when presenting reconstructions of events on the basis
of large amounts of data such as server logs or telephone records, provide simplified visual
depictions of the main entities and events rather than just presenting the complex data. It
should not be necessary to fumble through pages of notes to determine the associated
computer or evidence number. Also, refer to exhibit numbers during testimony rather than
saying, “this e-mail” or “that print screen.”

Digital investigators may need to refer back to their work on a case years later and are often
required to provide all notes related to their work and possibly different versions of an
edited/corrected report. In the United Kingdom, there is a process called disclosure that aims
to make the discovery process more streamlined and transparent, requiring the prosecution to
provide all relevant material to the defense. To facilitate such review or disclosure, it is
helpful to organize any screenshots or printouts (initialled, dated, and numbered) of important
items found during examination. For instance, create a neatly written index of all screenshots
and printouts.

5. Conclusion
It has thus been seen that with the increasing impact of technology in
everyday life, the production of electronic evidence has become a necessity
in most cases to establish the guilt of the accused or the liability of the
defendant. The shift in the judicial mindset has occurred mostly in the past
twenty years and most legal systems across the world have amended their
laws to accommodate such change.

The foundation of any case involving digital evidence is proper evidence handling. Therefore,
the practice of seizing, storing, and accessing evidence must be routine to the point of
perfection. Standard operating procedures with forms are a key component of consistent
evidence handling, acting as both memory aids for digital investigators and documentation of
chain of custody. Also, training and policies should provide digital investigators with a clear
understanding of acceptable evidence handling practices and associated laws.

Verifying that evidence was handled properly is only the first stage of assessing its reliability.
Courts may also consider whether digital evidence was altered before, during, or after
collection, and whether the process that generated the evidence is reliable.

On the stand, digital investigators may be asked to testify to the reliability of the original
evidence and the collection and analysis systems and processes, and to assert that they
personally established the chain of custody and forensically preserved the data. An
unexplained break in the chain of custody could be used to exclude evidence.
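
The handling requirements above (an unaltered copy and an unbroken chain of custody) can be checked mechanically. The following Python sketch is an added example, not part of the original paper: a hash-chained custody log whose audit flags an altered copy, a removed or edited log entry, and a custody gap. The entry fields, handler names, timestamps and sample image bytes are constructed for illustration.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace

GENESIS = "0" * 64  # "previous entry" value used by the first entry of a log


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    seq: int
    timestamp: str        # UTC in one fixed ISO 8601 format, so strings sort by time
    handler: str          # person holding the exhibit after this event
    received_from: str    # previous holder ("" when the exhibit is first acquired)
    action: str
    evidence_sha256: str  # hash of the forensic copy at the time of the event
    prev_entry_hash: str  # digest of the preceding log entry

    def digest(self) -> str:
        canonical = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return sha256_hex(canonical.encode("utf-8"))


def append_entry(log, timestamp, handler, action, evidence, received_from=""):
    """Append an event to the log, linking it to the previous entry."""
    prev_hash = log[-1].digest() if log else GENESIS
    entry = CustodyEntry(len(log), timestamp, handler, received_from, action,
                         sha256_hex(evidence), prev_hash)
    log.append(entry)
    return entry


def audit(log, current_copy):
    """Return a list of findings; an empty list means the record is consistent."""
    findings = []
    expected_prev, prev = GENESIS, None
    for i, e in enumerate(log):
        if e.seq != i:
            findings.append(f"entry {i}: sequence number {e.seq} (entry missing or reordered)")
        if e.prev_entry_hash != expected_prev:
            findings.append(f"entry {i}: link to previous entry broken")
        if prev is not None:
            # A change of holder must name the previous holder as the source.
            if e.handler != prev.handler and e.received_from != prev.handler:
                findings.append(
                    f"entry {i}: custody gap, {e.handler} did not receive from {prev.handler}")
            if e.evidence_sha256 != prev.evidence_sha256:
                findings.append(f"entry {i}: evidence hash differs from previous entry")
            if e.timestamp < prev.timestamp:
                findings.append(f"entry {i}: timestamp earlier than previous entry")
        expected_prev, prev = e.digest(), e
    if log and sha256_hex(current_copy) != log[-1].evidence_sha256:
        findings.append("current copy does not match the last recorded hash")
    return findings


def demo():
    """Audit a constructed log in four states and return the findings for each."""
    image = b"constructed stand-in for a disk image " * 4  # sample bytes, not real evidence
    log = []
    append_entry(log, "2019-03-01T09:00:00Z", "Officer A", "acquired", image)
    append_entry(log, "2019-03-01T15:30:00Z", "Evidence Clerk B", "transferred", image,
                 received_from="Officer A")
    append_entry(log, "2019-03-04T10:00:00Z", "Examiner C", "transferred", image,
                 received_from="Evidence Clerk B")
    append_entry(log, "2019-03-04T10:15:00Z", "Examiner C", "analyzed", image)
    edited = replace(log[1], timestamp="2019-03-01T09:05:00Z")  # after-the-fact edit
    return {
        "intact": audit(log, image),
        "copy_altered": audit(log, image + b"\x00"),
        "entry_removed": audit(log[:1] + log[2:], image),
        "entry_edited": audit([log[0], edited] + log[2:], image),
    }


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(scenario, findings or "no findings")
```

A hash chain only makes changes detectable to someone holding a trusted copy of the latest entry digest; a party able to rewrite the whole log could recompute every link, so that digest should be recorded somewhere the log keeper does not control, such as a signed form.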

An understanding of the major categories of evidence discussed above is necessary to develop
solid conclusions and to defend those conclusions and the associated evidence on the stand. A
failure to understand these concepts can weaken a digital investigator’s conclusions and
testimony.

Ultimately, digital investigators must present their findings in court to a nontechnical
audience. As with any presentation, the key to success is preparation, preparation, and more
preparation. Be familiar with all aspects of the case, anticipate questions, rehearse answers,
and prepare visual presentations to address important issues. Although this requires a
significant amount of effort, keep in mind that someone’s liberty might be at stake.
