7.7 Scientific Evidence



In addition to challenging the admissibility of digital evidence directly, tools and techniques used to process digital evidence have been challenged by evaluating them as scientific evidence. Because of the power of science to persuade, courts are careful to assess the validity of a scientific process before accepting its results. If a scientific process is found to be questionable, this may influence the admissibility or weight of the evidence, depending on the situation.

In the United States, scientific evidence is evaluated using four criteria developed in Daubert v. Merrell Dow Pharmaceuticals, Inc., 1993. These criteria are:

  1. whether the theory or technique can be (and has been) tested;

  2. whether there is a high known or potential rate of error, and the existence and maintenance of standards controlling the technique's operation;

  3. whether the theory or technique has been subjected to peer review and publication;

  4. whether the theory or technique enjoys "general acceptance" within the relevant scientific community.

Thus far, digital evidence processing tools and techniques have withstood scrutiny when evaluated as scientific evidence. However, testing techniques or tools and determining error rates is challenging, not just in the digital realm. Although many types of forensic examinations have been evaluated using the criteria set out in Daubert, the testing methods have been weak. "The issue is not whether a particular approach has been tested, but whether the sort of testing that has taken place could pass muster in a court of science" (Thornton 1997). Also, error rates have not been established for most types of forensic examinations, largely because there are no good mechanisms in place for determining error rates. Fingerprinting, for example, has undergone recent controversy (Specter 2002). Although the underlying concepts are quite reliable, in practice, there is much room for error. Therefore, errors are caused not simply by flaws in the underlying theory but also by flaws in its application. This problem applies to the digital realm and can be addressed with increased standards and training.

One approach to validating tools is to examine the source code. However, as noted earlier, many commercial developers are unwilling to disclose this information. When the source code is not available, another form of validation is performed: verifying the results by examining the evidence with another tool to ensure that the same results are obtained. Formal testing is being performed by the National Institute of Standards and Technology (NIST), and some organizations and individuals perform informal tests. However, given the rate at which computer technology is changing, it is difficult for testers to keep pace and establish error rates for the various tools and systems. Additionally, tool testing does not account for errors introduced by digital investigators through misapplication or misinterpretation. Therefore, the most effective approach to validating results and establishing error rates is through peer review, that is, to have another digital investigator double-check findings using multiple tools to ensure that the results are reliable and repeatable.
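The cross-tool check described above, sketched as an added example (not from the book): it compares file manifests exported by two hypothetical tools and separates items whose size or hash disagree from items that only one tool reported. The CSV layout, paths and shortened hash values are constructed for illustration.

```python
import csv
import io

# Constructed sample exports from two hypothetical tools (path,size,sha256).
# The column layout is an assumption; real tools each have their own report
# format, and real SHA-256 values are 64 hex characters (shortened here).
TOOL_A = """path,size,sha256
/docs/letter.doc,20480,aa11
/docs/budget.xls,51200,bb22
/pics/img001.jpg,90112,cc33
/tmp/~wrd0001.tmp,4096,dd44
"""
TOOL_B = """path,size,sha256
/docs/letter.doc,20480,aa11
/docs/budget.xls,51200,bb99
/pics/img001.jpg,90112,cc33
/mail/inbox.dbx,300000,ee55
"""

def load(report_text):
    """Parse one tool's export into {normalized path: (size, hash)}."""
    rows = csv.DictReader(io.StringIO(report_text))
    return {r["path"].strip().lower(): (int(r["size"]), r["sha256"].strip().lower())
            for r in rows}

def cross_validate(report_a, report_b):
    """Compare two manifests and classify every path seen by either tool."""
    a, b = load(report_a), load(report_b)
    common = a.keys() & b.keys()
    result = {
        "agree": sorted(p for p in common if a[p] == b[p]),
        "mismatch": sorted(p for p in common if a[p] != b[p]),  # size or hash differs
        "only_a": sorted(a.keys() - b.keys()),                  # tool B did not report it
        "only_b": sorted(b.keys() - a.keys()),                  # tool A did not report it
    }
    total = len(a.keys() | b.keys())
    # Share of items the tools do not agree on; 0.0 for two empty reports.
    result["disagreement_rate"] = (total - len(result["agree"])) / total if total else 0.0
    return result

if __name__ == "__main__":
    r = cross_validate(TOOL_A, TOOL_B)
    for key in ("mismatch", "only_a", "only_b"):
        for path in r[key]:
            print(f"{key:9} {path}")
    print(f"disagreement rate: {r['disagreement_rate']:.2f}")
```

The disagreement rate only shows how often the two tools differ on this evidence; each listed item still has to be examined by the reviewing investigator to decide which tool, if either, is in error.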



7.8 Presenting Digital Evidence

Preparation is one of the most important aspects of testifying in court (National Center for Forensic Science 2003). Scripting direct examination and rehearsing it with the attorney ahead of time provides an opportunity to identify areas that need further explanation and to anticipate questions that the opposition might raise during cross-examination. Conclusions should be stated early in testimony rather than as a punch line at the end because there is a risk that the opportunity will not arise later. During cross-examination, attorneys often attempt to point out flaws and details that were overlooked by the digital investigator. The most effective response to this type of questioning is to be prepared with clear explanations and supporting evidence.

It is advisable to pause before answering questions to give your attorney time to express objections. When objections are raised, carefully consider why the attorney is objecting before answering the question. If prompted to answer a complex question with simply "Yes" or "No," inform the court that you do not feel that you can adequately address the question with such a simplistic answer but follow the direction of the court. Above all, be honest.

In addition to presenting findings, it is necessary to explain how the evidence was handled and analyzed to demonstrate chain of custody and thoroughness of methods. Also, expect to be asked about underlying technical aspects in a relatively non-technical way, such as how files are deleted and recovered and how tools acquire and preserve digital evidence. Simple diagrams depicting these processes are strongly recommended.

It can be difficult to present digital evidence in even the simplest of cases. In direct examination, the attorney usually needs to refer to digital evidence and display it for the trier of fact (e.g. judge, jury). This presentation can become confusing and counterproductive, particularly if materials are voluminous and not well arranged. For instance, referring to printed pages in a binder is difficult for each person in a jury to follow, particularly when it is necessary to flip forwards and backwards to find exhibits and compare items. Such disorder can be reduced by arranging exhibits in a way that facilitates understanding and by projecting data onto a screen to make it visible to everyone in the court.


Displaying digital evidence with the tools used to examine and analyze it can help clarify details and provide context, taking some of the weight of explaining off the examiner. Some examiners place links to exhibits in their final reports, enabling them to display the reports onscreen and efficiently display relevant evidence when required. However, it is important to become familiar with the computer that will be used during the presentation to ensure a smooth testimony. Visual representations of timelines, locations of computers, and other fundamental features of a case also help provide context and clarity. Also, when presenting technical aspects of digital evidence such as how files are recovered or how logon records are generated, first give a simplified, generalized example and then demonstrate how this applies to the evidence in the case.

The risk of confusion increases when multiple computers are involved and it is not completely clear where each piece of evidence originated. Therefore, make every effort to maintain the context of each exhibit, noting which computer or floppy disk it came from and the associated evidence number. Also, when presenting reconstructions of events based on large amounts of data such as server logs or telephone records, provide simplified visual depictions of the main entities and events rather than just presenting the complex data. It should not be necessary to fumble through pages of notes to determine the associated computer or evidence number. Also, refer to exhibit numbers during testimony rather than saying, "this e-mail" or "that print screen."

Digital investigators are often required to provide all notes related to their work and possibly different versions of an edited/corrected report. Therefore, organize any screenshots or printouts (initialed, dated, and numbered) of important items found during examination. For instance, create a neatly written index of all screenshots and printouts.