Chapter 7: Digital Evidence in the Courtroom


Overview

In this age of science, science should expect to find a warm welcome, perhaps a permanent home, in our courtrooms. The reason is a simple one. The legal disputes before us increasingly involve the principles and tools of science. Proper resolution of those disputes matters not just to the litigants, but also to the general public - those who live in our technologically complex society and whom the law must serve. Our decisions should reflect a proper scientific and technical understanding so that the law can respond to the needs of the public.

(Breyer 2000)

Individuals processing evidence must realize that, in addition to being pertinent, evidence must meet certain standards to be admitted. It is easy enough to claim that a bloody glove was found in a suspect's home, but it is another matter to prove it. When guilt or innocence hangs in the balance, the proof that evidence is authentic and has not been tampered with becomes essential. The US Federal Rules of Evidence, the UK Police and Criminal Evidence Act (PACE) and Civil Evidence Act, and similar rules of evidence in other countries were established to help evaluate evidence. For instance, before admitting evidence, a court will generally ensure that it is relevant and evaluate it to determine whether it is what its proponent claims, whether it is hearsay, and whether the original is required or a copy is sufficient. There are many other issues that a court must consider to determine whether evidence is admissible, and a failure to consider these issues from the outset may cause evidence to be excluded, potentially losing the case.

One of the most important aspects of authentication is maintaining and documenting the chain of custody (a.k.a. continuity of possession) of evidence. Each person who handled evidence may be required to testify that the evidence presented in court is the same as when it was processed during the investigation. Although it may not be necessary to produce at trial every individual who handled the evidence, it is best to keep the number to a minimum and maintain documentation to demonstrate that digital evidence has not been altered since it was collected. Without a solid chain of custody, it could be argued that the evidence was handled improperly and may have been altered, replaced with incriminating evidence, or contaminated in some other fashion.

Having someone on the search team who is trained to handle digital evidence can reduce the number of people who handle the evidence, thus streamlining the presentation of the case and minimizing the defense's opportunities to impugn the integrity of the evidence. Additionally, standard operating procedures, continuing education, and clear policies help to maintain consistency and prevent contamination of evidence. Given the ease with which digital evidence can be altered, the importance of procedures and of using only trained personnel to handle and examine it cannot be overstated.

This chapter provides an overview of the major issues that arise when digital evidence is presented in court, including admissibility, uncertainty, and presentation of digital evidence. The process of preparing a case for trial is time consuming and expensive, and it may not result in a satisfactory outcome, particularly if there is insufficient evidence or the evidence was handled improperly. Also, before deciding to take legal action, organizations should consider the impact if they are required to disclose information about their systems that may be sensitive (e.g., network topology, system configuration information, source code of custom monitoring tools) and other details about their operations that they may not want to make public.




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279
