Computer Forensics BACS 371

Evidence Collection & Admissibility Computer Forensics BACS 371

Description: PowerPoint presentation on evidence collection and admissibility.

Transcript of Computer Forensics BACS 371

Page 1: Computer Forensics BACS 371

Evidence Collection & Admissibility

Computer Forensics BACS 371

Page 2: Computer Forensics BACS 371

Outline
Evidence overview
Evidence admissibility
Challenges to evidence
Evidence acquisition
Preserving evidence
Evidence authenticity
Forensic methodology
Special considerations

Page 3: Computer Forensics BACS 371

5 Rules of Evidence
Admissibility – the evidence must be admissible in court.
Authenticity – the evidence must relate to the incident in question.
Completeness – the evidence must be comprehensive.
Reliability – the evidence must be consistent and uncontaminated.
Believability – the evidence should be clearly understandable and believable by the jury.

Page 4: Computer Forensics BACS 371

Admissible Evidence?
What makes evidence "admissible"? Short answer – if a judge says it is, it is… Judges use guidelines for admissibility:

Is the evidence relevant? Is the evidence authentic and credible? Is the evidence competent?

An overriding principle is the "exclusionary rule", which says that evidence is not admissible if it was not collected legally (for example, if it was obtained through an unlawful search or seizure).

Page 5: Computer Forensics BACS 371

Is it Relevant?
The question of relevance is usually the first considered by a judge. If the evidence is not relevant, it will not be admissible.

To be considered relevant, the evidence must satisfy 2 conditions:
1. It must be material – directly relating to the case being presented.
2. It must be probative – it tends to prove or disprove a fact at issue and so helps get to the truth of the situation.

Page 6: Computer Forensics BACS 371

Is it Authentic and Credible?
The question of authenticity asks whether the evidence is what it purports to be.

This requires asking a number of questions, which include:
Is the material an opinion? If it is an opinion, is it the opinion of an expert witness?
Was it collected correctly?
Could it have been altered in any way?

Page 7: Computer Forensics BACS 371

Is it Competent?
It is not unfairly prejudicial. This applies primarily to evidence not directly related to the case.

It is not privileged. For example, it cannot involve attorney-client, doctor-patient, or other privileged communication.

It was not collected in violation of Constitutional rights.

It is not hearsay (unless it falls under a recognized exception, such as expert testimony).

It does not violate an exclusionary rule.

Page 8: Computer Forensics BACS 371

Withstanding Challenges to Evidence

Criminal trials are often preceded by a suppression hearing.

This is where the admissibility (or suppression) of evidence is determined.

At this hearing, the judge determines whether the 4th Amendment was correctly followed when the evidence was obtained.

Also, if proper discovery procedure is not followed, defendants can challenge the admissibility of the evidence.

Page 9: Computer Forensics BACS 371

Exclusionary Rules
Exclusionary rules test whether evidence will be admissible (judges use them).

Exclusionary rules pertain to the following:
Relevancy
Privilege
Opinion of an expert
Hearsay
Authentication

Page 10: Computer Forensics BACS 371

Acquiring Evidence – Legal Aspects
There are a number of pertinent legal aspects to acquiring evidence. These include:
The 4th Amendment affects how forensic analysts can acquire evidence
Preserving the evidence
Establishing the authenticity of the evidence
Following a repeatable process to ensure admissibility

Page 11: Computer Forensics BACS 371

4th Amendment Considerations when Acquiring Evidence
When does evidence "seizure" occur?
Who owns the computer that contains the data?
What type of image is "good enough" to be searched?
Do attempts to delete data involve privacy or indicate a cover-up?
When searching a network, where do you stop?
What if one search leads to another? Where does one search stop and another begin?

Page 12: Computer Forensics BACS 371

Preserving the Evidence
Computer Forensics is the discipline of acquiring, preserving, retrieving, and presenting electronic data.

Three C's of evidence:
Care – Take care in the way you collect and handle it
Control – Take control of it by seizing and storing it properly
Chain of Custody – Keep an accurate chain of custody

Page 13: Computer Forensics BACS 371

Preserving and Storing the Evidence

Keep evidence in your possession or control at all times.

Document every movement of evidence between investigators (chain of custody).

Secure evidence appropriately so that it cannot be tampered with or corrupted.

Mathematically authenticate the data: record a cryptographic hash (e.g., SHA-256) of each image at acquisition and re-verify it whenever the evidence changes hands and before analysis begins, so that any alteration is detectable.

Page 14: Computer Forensics BACS 371

Preserving the Evidence
Preserving the evidence means that you practice a defensible (objective, unbiased) approach that is:
Performed in accordance with forensic science principles
Based on standard or current best practices
Conducted with verified tools to identify, collect, filter, tag and bag, store, and preserve e-evidence
Conducted by individuals who are certified in the use of verified tools, if such certification exists
Documented thoroughly

Page 15: Computer Forensics BACS 371

Establishing Authenticity
Authenticity is normally established by one of the following 3 methods:
Authentication – show that it's a true copy
Best Evidence Rule – work with the original
Exceptions to the Hearsay rule – confessions or business records
Forensic analysts tend to use authentication based on hash values: a working copy whose hash matches the hash recorded at acquisition is shown to be a true copy of the original.
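The hash-based authentication the slides describe (page 13, "Mathematically authenticate data", and page 15, "authentication based upon hash values") is illustrated below in Python. This is an added example, not code from the course slides: it hashes an acquired image at acquisition, writes each handling step into a chain-of-custody log, and re-verifies a working copy before analysis, detecting a single flipped byte. It goes slightly beyond the slides in that each log entry also carries the hash of the previous entry, so that editing or removing a log line is detectable. The case and item identifiers, custodian names and the sample image bytes are constructed for illustration only.

```python
"""Hash-based evidence authentication with a chain-of-custody log.

Added example, not part of the BACS 371 slides. Case/item identifiers,
custodian names and the sample image bytes are constructed for illustration.
"""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample "disk image". A real acquisition is a raw dd/E01 file of
# many gigabytes; a small byte string lets the example run offline.
SAMPLE_IMAGE = b"NTFS    " + bytes(range(256)) * 8 + b"deleted_invoice.xlsx\x00"


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for a file, reading it in chunks.

    Chunked reading keeps memory flat for large images; the digests are
    identical to hashing the whole file at once.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


class ChainOfCustody:
    """Append-only log: who handled an item, when, and the hashes observed.

    Each entry includes the hash of the previous entry, so altering or
    removing an earlier entry breaks the chain and is detectable.
    """

    def __init__(self, case_id, item_id):
        self.case_id = case_id
        self.item_id = item_id
        self.entries = []

    def record(self, custodian, action, hashes, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "case_id": self.case_id,
            "item_id": self.item_id,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "custodian": custodian,
            "action": action,
            "hashes": hashes,
            "note": note,
            "prev_entry_hash": prev,
        }
        serialized = json.dumps(entry, sort_keys=True).encode()
        entry["entry_hash"] = hashlib.sha256(serialized).hexdigest()
        self.entries.append(entry)
        return entry

    def log_is_intact(self):
        """Recompute the chain; False if any entry was edited or removed."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_entry_hash"] != prev:
                return False
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if not hmac.compare_digest(expected, entry["entry_hash"]):
                return False
            prev = entry["entry_hash"]
        return True

    def acquisition_hashes(self):
        """Hashes recorded in the first (acquisition) entry."""
        return self.entries[0]["hashes"]


def verify_copy(path, reference_hashes):
    """True only if every recorded algorithm's digest matches the file."""
    current = hash_file(path, algorithms=tuple(reference_hashes))
    return all(hmac.compare_digest(current[a], reference_hashes[a]) for a in reference_hashes)


def demo():
    """Acquire, copy, verify, then detect a one-byte change to the copy."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "item001.dd")
        with open(original, "wb") as fh:
            fh.write(SAMPLE_IMAGE)
        coc = ChainOfCustody(case_id="2024-CF-0007", item_id="item001")
        coc.record("examiner_a", "acquired image", hash_file(original), "write blocker used")

        # Working copy for analysis: must hash identically to the original.
        working = os.path.join(workdir, "item001_work.dd")
        with open(working, "wb") as fh:
            fh.write(SAMPLE_IMAGE)
        clean_ok = verify_copy(working, coc.acquisition_hashes())
        coc.record("examiner_b", "received working copy", hash_file(working))

        # Simulate contamination: flip the low bit of one byte in the copy.
        with open(working, "r+b") as fh:
            fh.seek(100)
            byte = fh.read(1)
            fh.seek(100)
            fh.write(bytes([byte[0] ^ 0x01]))
        tampered_ok = verify_copy(working, coc.acquisition_hashes())

        return {"clean_copy_verified": clean_ok,
                "tampered_copy_verified": tampered_ok,
                "log_intact": coc.log_is_intact(),
                "entries": len(coc.entries)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two algorithms are recorded because many existing tools and older reports list MD5 alone; carrying SHA-256 beside it means a later challenge to MD5's collision resistance does not leave the item with no usable digest. Comparisons use `hmac.compare_digest` out of habit rather than necessity here, since the hashes are not secrets.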

Page 16: Computer Forensics BACS 371

Legal Authenticity Standards
Over the years, several evidence standards have been devised. These exist to determine if evidence is what it purports to be (i.e., "authentic & credible"):
Relevancy test – Anything that is materially relevant to the case
Frye Standard – The technique must be sufficiently established to have gained general acceptance in its field (general acceptance test)
Coppolino Standard – Even if not generally accepted, the court can accept the technique if a good foundation is laid
Marx Standard – No need to sacrifice common sense
Daubert Standard – Rigorous test with special discovery procedures; the judge acts as gatekeeper, weighing whether the technique is testable, has been peer reviewed, has a known error rate, and is generally accepted

Page 17: Computer Forensics BACS 371

Forensic Methodology
A forensic methodology is a well-defined, repeatable process used by forensic analysts to ensure that:

Evidence is properly collected, prepared, and stored

Evidence is analyzed in a consistent and thorough manner acceptable to the court

Analyst objectivity is maintained

Documentation is collected to ensure that a comprehensive report can be generated.

Page 18: Computer Forensics BACS 371

Brief Outline of the Scientific Method

Successful forensic examinations generally follow the scientific method.
1. Identify and research a problem
2. Formulate a hypothesis
3. Conceptually and empirically test the hypothesis
4. Evaluate the hypothesis with regard to the test results
5. If the hypothesis is acceptable, evaluate its impact. If not, reevaluate the hypothesis

Page 19: Computer Forensics BACS 371

Special Considerations
Digital Forensics has some special considerations when it comes to evidence:

The plain view doctrine
Multiple computer users
Search with consent

Page 20: Computer Forensics BACS 371

Plain View Doctrine
The plain view doctrine was developed for physical, tangible evidence. Digital evidence requires a more refined definition of "plain view":

Inadvertence approach – Did the investigator discover the evidence accidentally or as the result of a systematic search?

Prophylactic test approach – Requires that a neutral 3rd party go through the data and separate relevant evidence from non-relevant material when the two are intermixed.

Computers as containers approach – Treats individual directories as "closed containers". Requires a specially worded warrant to view all of them.

Page 21: Computer Forensics BACS 371

Multiple Computer Users
Any time a computer is configured for multiple users, the issue of privacy becomes complicated.

Legal search in these cases revolves around the notion of "reasonable expectation of privacy."

Password-protected accounts make a strong case for an individual expectation of privacy in that account.

The same problem is present in network environments and cloud storage situations.

Page 22: Computer Forensics BACS 371

Search with Consent
Multiple computer user accounts, combined with forensic tools that cannot distinguish who actually owns a file, can cause search-with-consent problems.

The general rule is that one user cannot consent to a search of another user's files if an effort has been made to segregate the users (e.g., passwords, independent folders, …).

The issue is clouded when the consenting user's account has administrative privilege (since an administrator can reset other users' passwords and thereby reach their files).

Page 23: Computer Forensics BACS 371

Summary
Evidence must be admissible, authentic, complete, reliable, and believable.
Judges determine admissibility based on a set of exclusionary rules and other procedural concerns.
Improper search and seizure can make even the best evidence inadmissible.
There are various ways to establish the authenticity of evidence.
Certain special considerations must be taken into account when working with digital evidence.