7.9 Summary



The foundation of any case involving digital evidence is proper evidence handling. Therefore, the practice of seizing, storing, and accessing evidence must be routine to the point of perfection. Standard operating procedures with forms are a key component of consistent evidence handling, acting as both memory aids for digital investigators and documentation of chain of custody. Also, training and policies should provide digital investigators with a clear understanding of acceptable evidence handling practices and associated laws.

Verifying that evidence was handled properly is only the first stage of assessing its reliability. Courts may also consider whether digital evidence was altered before, during, or after collection, and whether the process that generated the evidence is reliable. Claims of tampering generally require some substantiation before they are seriously considered. Someone familiar with the system in question, who can testify that the computer was operating normally at the time, can generally address questions regarding the process that generated a given piece of digital evidence. Digital evidence examiners are encouraged to state clearly their certainty in each piece of digital evidence that they use to reach their conclusions. A proposed Certainty Scale is provided in Table 7.1 for this purpose. If there are significant doubts about the reliability of relevant computer systems and processes, the court may decide to give the associated digital evidence less weight in the final decision.

On the stand, digital investigators may be asked to testify to the reliability of the original evidence and of the collection and analysis systems and processes, and to assert that they personally collected and verified the data and established the chain of custody. An unexplained break in the chain of custody could be used to exclude evidence. An understanding of direct versus circumstantial evidence, hearsay, and scientific evidence is necessary to develop solid conclusions and to defend those conclusions and the associated evidence on the stand. A failure to understand these concepts can weaken an examiner's conclusions and testimony. For instance, interpreting circumstantial evidence as though it were direct evidence, or basing conclusions on hearsay, could undermine an examiner's findings and credibility.

Ultimately, digital evidence examiners must present their findings in court to a non-technical audience. As with any presentation, the key to success is preparation, preparation, and more preparation. Be familiar with all aspects of the case, anticipate questions, rehearse answers, and prepare visual presentations to address important issues. Although this requires a significant amount of effort, keep in mind that someone's liberty might be at stake.




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
EAN: 2147483647
Year: 2003
Pages: 279
