Evidence Collection & Admissibility

Computer ForensicsBACS 371

Outline

Evidence overview Evidence admissibility Challenges to evidence Evidence acquisition Preserving evidence Evidence authenticity Forensic methodology Special considerations2

5 Rules of Evidence

Admissibility – the evidence must be admissible in court.

Authenticity – the evidence must relate to the incident in question

Completeness – the evidence must be comprehensive

Reliability – the evidence must be consistent and uncontaminated

Believability – the evidence should be clearly understandable and believable by the jury

Admissible Evidence?

What makes evidence “admissible”? Short answer – if a judge says it is, it is… Judges use guidelines for admissibility:

Is the evidence relevant? Is the evidence authentic and credible? Is the evidence competent?

An overriding principle is the “exclusionary rule” which says it is not admissible if it was not collected legally.

Is it Relevant?

The question of relevance is usually the first considered by a judge. If it is not relevant, then it will not be admissible.

To be considered relevant the evidence must satisfy 2 conditions:1. It must be material – directly relating to

the case being presented.2. It must be probative – proves something

that will help get to the truth of the situation.

Is it Authentic and Credible?

The question of authenticity is basically asking if the evidence is what it purports to be.

This requires asking a number of questions which include: Is the material an opinion? If it is an opinion, is it the opinion of an

expert witness? Was it collected correctly? Could it have been altered in any way?

Is it Competent?

It is not prejudicial in any way. This applies primarily to evidence not directly related to the case.

It is not privileged. For example, it cannot involve attorney-client, doctor-patient, … or other privileged communication.

It cannot be collected in violation of Constitutional rights.

It cannot be hearsay (except for expert witnesses).

It cannot violate an exclusionary rule.

Withstanding Challenges to Evidence

Criminal trials are often preceded by a suppression hearing.

This is where the admissibility (i.e., suppression) of evidence is determined.

At this hearing, the judge determines if the 4th Amendment was correctly followed.

Also, if proper discovery procedure is not followed, defendants can challenge evidence admissibility.

Exclusionary Rules

Exclusionary rules test whether evidence will be admissible (judges use them).

Exclusionary rules pertain to the following: Relevancy Privilege Opinion of an expert Hearsay Authentication

Acquiring Evidence – Legal AspectsThere are a number of pertinent legal aspects to acquiring evidence. These include: The 4th Amendment affects how forensic

analysts can acquire evidence Preserving the evidence Establish authenticity of the evidence Following a repeatable process to ensure

admissibility

10

4th Amendment Considerations when Acquiring Evidence

When does evidence “seizure” occur? Who owns the computer that contains

data? What type of image is “good enough” to

be searched? Do attempts to delete data involve privacy

or indicate a cover-up? When searching a network, where do you

stop? What if one search leads to another?

Where does one search stop and another begin?

11

Preserving the Evidence

Computer Forensics is the discipline of acquiring, preserving, retrieving, and presenting electronic data.

Three C’s of evidence: Care - Take Care of the way you collect and

handle it Control - Take Control of it by seizing and

storing it properly Chain of Custody - Keep an accurate Chain of

Custody12

Preserving and Storing the Evidence

Keep evidence in possession or control at all times

Document movement of evidence between investigators (chain of custody).

Secure evidence appropriately so that it can’t be tampered with or corrupted.

Mathematically authenticate data. (i.e., hash values)

13

Preserving the Evidence

Preserving the evidence means that you practice a defensible (objective, unbiased) approach that is: Performed in accordance with forensic

science principles Based on standard or current best practices Conducted with verified tools to identify,

collect, filter, tag and bag, store, and preserve e-evidence

Conducted by individuals who are certified in the use of verified tools, if such certification exists

Documented thoroughly14

Establishing Authenticity

You should use one of the following 3 criminal evidence rules: Authentication – show that it’s a true copy

Best Evidence Rule – work with the original

Exceptions to Hearsay rule – confessions or business records

Forensic analyst tend to use authentication based upon hash values

15

Legal Authenticity StandardsOver the years, several evidence standards have been devised.

Relevancy test – Anything that is materially relevant to case

Frye Standard – Technique my be sufficiently established (general acceptance test)

Coppolino Standard – Even if not generally accepted, court can accept if good foundation laid

Marx Standard – No need to sacrifice common sense Daubert Standard – Rigorous test with special discovery

procedures

16

Forensic Methodology

A forensic methodology is a well-defined, repeatable process used by forensic analysts to ensure that:

Evidence is properly collected, prepared, and stored

Evidence is analyzed in a consistent and thorough manner acceptable to the court

Analyst objectivity is maintained Documentation is collected to ensure that

a comprehensive report can be generated.

17

Brief Outline of the Scientific Method

Successful forensic examinations generally follow the scientific method.1. Identify and research a problem2. Formulate a hypothesis3. Conceptually and empirically test the

hypothesis4. Evaluate the hypothesis with regards to

test results5. If hypothesis is acceptable, evaluate its

impact. If not, reevaluate the hypothesis

18

Special Considerations

Digital Forensics has some special considerations when it comes to evidence.

The plain view doctrine Multiple computer users Search with consent

19

Plain View Doctrine

The plain view doctrine was developed for physical, tangible evidence.

Digital evidence requires a more refined definition of “plain view” Inadvertence approach Prophylactic test approach Computers as containers approach

20

Multiple Computer Users

Any time a computer is configured for multiple users the issue of privacy becomes convoluted.

Legal search in these cases revolves around the notion of “reasonable expectation of privacy.”

Accounts with passwords are a strong case for individual account privacy.

The problem is also present in network environments and cloud storage situations.21

Search with Consent

Multiple computer user accounts combined with forensic tools that cannot distinguish who actually owns a file can cause search with consent problems.

The general rule is that consent cannot be given to another users files if an effort has been made to segregate the users (e.g., passwords, independent folders, …)

The issue is clouded when the user accounts have administrative privilege (since they can reset passwords).

22

23

Summary

Evidence must be admissible, authentic, complete, reliable, and believable.

Judges determine admissibility based on a set of exclusionary rules and other procedural concerns.

Improper search and seizure can make even the best evidence inadmissible.

There are various ways to establish the authenticity of evidence.

Certain special considerations must be taken into account when working with digital evidence.