When it comes to submitting digital evidence for use in a trial, the same levels of care need to be applied as with non-digital evidence.
Crime is a part of human life and, for a crime to be resolved, investigators have to reconstruct the crime scene and analyse the actions of both the suspect and the victim so that any evidence can be identified and used to support and legal proceedings.
As technology has evolved, criminals are now able to use new methods to commit traditional crimes and develop new types of crimes. Crimes committed through the use of technology still require the same principles of investigation, though the scene can now be a virtual environment that must be secured and examined as digital evidence.
Digital evidence is information or data of an evidential value that is stored on or transmitted by a computer or digital device and can be defined as follows:
‘Any data stored or transmitted using a computer that support or refute a theory of how an offense occurred or that address critical elements of the offense such as intent or alibi’ (Casey, E., Dunne, R. (2004) Digital Evidence and Computer Crime Forensic Science, Computers and the Internet. St. Louis: Academic Press).
A wider array of devices are capable of holding larger amounts of data and digital evidence can be found on an increasing number of types of storage media, including, computer hard drives, mobile phones and removable media such as memory cards.
As an expert witness and digital forensics Consultant I am finding that digital evidence is becoming more prevalent within a wider range of both criminal and civil cases including murder, unlawful images, child care cases, commercial and employment disputes. These cases can require the examination of evidence to determine whether it had been used to commit or facilitate a crime as well as to identify supportive material for either side of a legal case.
In order for digital evidence to be admissible in court a number of criteria must be met, including, ensuring that the evidence has not been altered and that an auditable trail has been kept relating to the storage and investigation of the evidential device or media. The key points of the handling and investigation of digital evidence is provided as follows:
Actions taken to secure and collect digital evidence should not affect the integrity of that evidence;
Persons conducting an examination of digital evidence should be trained for that purpose;
Activity relating to the seizure, examination, storage, or transfer of digital evidence should be documented, preserved, and available for review.
(U.S. Department of Justice (2004) Forensic Examination of Digital Evidence: A Guide for Law Enforcement, Washington).
The nature of digital devices therefore makes them particularly susceptible to damage or corruption. Due to the constant requirement for devices to be physically smaller in size yet bigger in capacity, the components become ever smaller and more delicate, therefore, even storing the devices in an unsuitable environment can cause the corruption and loss of some or all of the data present.
Therefore, to ensure its integrity, a ‘chain of custody’ relating to the evidence should be established. This usually amounts to a paper trail detailing the whereabouts of all evidential sources during custody, along with the details of individuals having access to it, when and any actions taken with it. This, along with a comparison and review of the digital media itself should allow for the acceptance by an independent examiner that a given item of media has not been corrupted or compromised following seizure.
As the level of understanding of the operation of computers and mobile phones has developed within legal cases, those investigating cases involving digital evidence have a better awareness of the methods of seizure and handling. Previously it was not uncommon to find cases where the digital evidence had been switched on and operated by a ‘curious’ investigating officer to ‘see what was there’.
Thankfully, far greater emphasis is now placed on audit trails and storing the evidence correctly and, today, such activity by untrained individuals is now rare. The adherence to computer evidence guidelines is crucial to ensuring that the evidence considered is all that was available and basing an examination on flawed evidence that is only partially complete.