Module 6: Practical Aspects of Cybercrime Investigations & Digital Forensics (https://www.unodc.org/e4j/en/cybercrime/module-6/index.html)
Digital Evidence Admissibility (https://www.unodc.org/e4j/en/cybercrime/module-6/key-issues/digital-evidence-admissibility.html)
The forensic relevance of the digital evidence is assessed in this phase as well. Forensic relevance is determined by whether the digital evidence:
links or rules out a connection between the perpetrator and the target (e.g., victim, digital device, website, etc.) and/or the crime scene (the place
where the crime or cybercrime occurred); supports or refutes perpetrator, victim and/or witness testimony; identifies the perpetrator(s) of the
cybercrime; provides investigative leads; provides information about the method of operation (modus operandi or M.O.) of the perpetrator (i.e., the
habits, techniques and unique features of the perpetrator's behaviour); and shows that a crime has taken place (corpus delicti) (Maras, 2014; Maras
and Miranda, 2014).
Digital evidence can reveal signature behaviour of cybercriminals, such as malware developers and hackers (Casey, 2011). A signature
behaviour is a recognizable and distinguishable pattern of activity (e.g., specific techniques, tools, and moniker) that can be attributed to a
source, which provides some form of psychological or emotional benefit (e.g., gratification and recognition by peers) to the cybercriminal
(Casey, 2011).
Digital forensics experts provide testimony in court to explain their qualifications; how digital devices, online platforms and other ICT-related sources
work; the digital forensics process; why a specific digital forensics tool was used and not others; how digital evidence was preserved, acquired, and
analysed; the interpretation and findings of the analyses performed, and the accuracy of these interpretations; and any alterations that may have
occurred to the data and why these alterations occurred (US National Institute of Justice, 2004a; Maras, 2014).
The qualifications of digital forensics experts are also examined to establish the competency of the individuals handling and analysing digital
evidence. This competency is essential to ensure work product quality and confidence in produced results (SWGDE Overview of the Accreditation
Process for Digital and Multimedia Forensic Labs
(https://www.swgde.org/documents/Current%20Documents/SWGDE%20Overview%20of%20the%20Accreditation%20Process%20for%20Digital%20and%
, 2017). Nevertheless, there are no universal competency standards for digital forensics experts. The qualifications of digital forensics experts vary
by country (UNODC, 2013). The certification of digital forensics experts may or may not be required; this depends on the jurisdiction (UNODC, 2013).
This phase, therefore, evaluates whether experts have the necessary qualifications to serve as an expert witness and/or to perform the required
examinations of ICT and ICT-related data. What is also determined is whether the competency of these experts and analysts was verified and
tested.
The Daubert Tracker (https://www.dauberttracker.com/casereport.cfm), named after the US case Daubert v. Merrell Dow Pharmaceuticals Inc.
(1993) that set the criteria that US courts use to determine the reliability of a forensics test or evidence introduced in court, keeps track of
reported and unreported legal cases where experts' methods and qualifications have been challenged (Maras, 2014).
The standards and protocols of the digital forensics laboratory are also examined to determine the competency of the laboratory in the handling and
analysis of digital evidence and the production of reliable results. What is particularly examined is whether "a laboratory is using reliable methods,
appropriate equipment and software, competent personnel, and drawing reasonable conclusions" (SWGDE Overview of the Accreditation Process
for Digital and Multimedia Forensic Labs, 2017, p. 4). Accreditation assists in this endeavour "by provid[ing] a means to improve quality, assess
performance, provide independent review, meet established standards, and serve to ensure the promotion, encouragement, and maintenance of the
highest standards of forensic practice" (Barbara, 2012). Although the ISO/IEC 17025
(https://www.iso.org/home/standards/popular-standards/isoiec-17025-testing-and-calibra.html) "endeavours to standardize laboratories worldwide in terms of testing, quality control, [and]
calibration," its support by the digital forensics community is mixed (Merriott, 2018). Furthermore, while accreditation provides the necessary
oversight and accountability mechanisms to ensure that standards for forensic practice are met (SWGDE Myths and Facts about Accreditation for
Digital and Multimedia Evidence Labs
(https://www.swgde.org/documents/Current%20Documents/SWGDE%20Myths%20and%20Facts%20about%20Accreditation%20for%20Digital%20and%2
, 2017), it is not universally practiced. In the United States, for example, accreditation is required by some but not all states (Barbara, 2012). In the
United Kingdom, the Forensic Science Regulator accredits the organisations involved in digital forensics (Forensic Access, 2017), while in South
Africa, the designated national agency for accreditation is the South African National Accreditation System (SANAS, 2016; see Act No. 19 of 2006;
i.e., the Accreditation for Conformity Assessment, Calibration and Good Laboratory Practice Act of 2006).
Ultimately, this three-phase model consolidates common legal and technical requirements for evidence admissibility across jurisdictions
(Antwi-Boasiako and Venter, 2017). The standardization of digital forensics practices is key to ensuring the admissibility of digital evidence across
jurisdictions. Given the transnational nature of cybercrime, the harmonization of digital forensics practices is not only of paramount importance to
the investigation of cybercrime, but is also essential to international cooperation on cybercrime matters (discussed in Cybercrime Module 7
(https://www.unodc.org/e4j/en/cybercrime/module-7/key-issues/intro.html) on International Cooperation against Cybercrime).
Electronic Discovery
Like digital forensics, e-Discovery is a process whereby digital data "is sought, located, secured, and searched with the intent of using it as
evidence in a legal case" (Lawton, Stacey, and Dodd, 2014, p. 4). However, there are key differences between digital forensics and e-Discovery.
Unlike digital forensics, e-Discovery is primarily focused on retaining data as a matter of record (in the most cost-effective manner) and in
order to fulfil legal requirements to produce digital evidence in legal proceedings when compelled to do so by a court.
Read more: Lawton, D., R. Stacey, and G. Dodd. (2014). eDiscovery in digital forensic investigations
(https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/394779/ediscovery-digital-forensic-investigations-3214.pdf).
UK Home Office. CAST Publication Number 32/14.