Admissibility of Digital Evidence in Court
Is digital evidence admissible in court? Everyone is working and playing online now. This means that crimes that used to take place in the physical world are being committed electronically. Do you know where to find that evidence, how to capture it, and how to show it to a jury and explain its significance?
We do. Contact us to help you find, collate, and explain the digital evidence your client needs to make their case. You are busy crafting your legal strategies and arguments. Let digital evidence experts deal with the tech.
The Rise of Digital Evidence Used in Court
In 2008, with much trepidation, I entered into my first criminal defense case as a computer forensics expert. The case centered around a 14-year-old juvenile arrested on 21 counts of a 3rd-degree felony for possession and distribution of child pornography. My knee-jerk reaction was that this is absurd. During this time period, “sexting” was new and being investigated by law enforcement, and the news outlets were reporting on ‘sexting’ incidents by school-aged children texting illicit photos of themselves and others.
In the case above:
- Law enforcement monitored the internet looking for computers sharing out content as part of a peer-to-peer network.
- Upon locating a PC sharing content, a search for illicit material commences.
- If illicit material is confirmed, a subpoena is sent to the service provider of the identified IP address, requesting the subscriber name and physical address of the computer.
- Local law enforcement seizes all electronic devices found in the address.
- Law enforcement then conducts a forensic analysis looking for evidence.
- A forensics detective provides evidence to the attorney prosecuting the case.
- The device is then stored, the criminal complaint filed, and the defendant arrested.
What I learned during my investigation of this case, and others since, is that law enforcement does not look at the “how.” The criminal complaint assumed this 14-year-old was knowingly looking for and distributing child pornography. What they did not explain is that child pornography is an unwanted by-product of peer-to-peer networks. The evidence found was indeed located in the peer-to-peer shared folder.
As part of my investigation, I confirmed that 7 of the 21 files were copied to the juvenile’s computer when his attendance was confirmed at school. In essence, the juvenile was not at the keyboard when some of these illicit files were copied to the computer. Law enforcement either did not confirm this or kept it from defense counsel. Either way, it was a negligent oversight on their part and critical to our defense.
In criminal defense cases, many of the defendants do not have the means to hire a forensic expert. The government will introduce electronic evidence without a defense challenge to the preservation, authenticity, and chain-of-custody of devices, and to the “how” that the electronic data reveals. Often, the evidence introduced is misleading or flat-out incorrect.
Is Digital Evidence Admissible in Court?
Simply put, yes. But it involves having a digital evidence expert testify as to what the evidence is, where it came from, and how it was generated. This is where we come in.
Principles of Digital Evidence
Many civil lawsuits follow a similar pattern, either through a lack of forensic knowledge and testing or through intentional deceit. It is our professional duty as digital forensic experts to assist counsel through legally responsible methods to ensure the admissibility of digital evidence in both civil and criminal cases.
Electronic evidence carries more requirements than hardcopy or tangible evidence. Electronic evidence is fragile and subject to many factors that can alter or delete content. Regardless of the matter, be it a civil lawsuit or a criminal case, all electronic evidence has to be preserved, documented, and analyzed completely.
Early on, around 2006, attorneys began to shift their attention from hardcopy-only discovery to including emails. But there is much more to an investigation than merely turning over emails. Windows computers have Registry files that hold hidden information on computer use and configuration. We developed a process called eRisk Analysis that reviews the areas of the computer that identify potential evidence such as cloud accounts, USB devices connected, web history, file deletion activity, and applications that may have been installed and then removed (such as data clean-up utilities).
Macintosh computers have PLISTs, the Mac equivalent of the Windows Registry files.
Google Drive provides file audit logs online that are not provided with their Takeout utility. This information will provide information on when files were copied, shared, and edited.
Video surveillance is typically on a proprietary system and may need to be exported to a format that is compatible with video viewers.
Corporate systems, email, and data communication services provide user-activity auditing, but it is typically disabled by default. This functionality needs to be enabled and tested to ensure the quality of the data collected and that it does not impact system performance.
Last but certainly not least, smartphones, which have grown exponentially in use and interest, provide a unique set of challenges and application data. The problem with phones is the ability to collect data from new phone hardware. Additionally, the version of the phone OS and the version of the app can impact the ability to acquire data.
One example is WhatsApp forensics. Earlier versions gave digital forensic experts the ability to extract text messages from the app, but newer versions tightened security and created significant challenges to extracting data. App updates can happen daily and affect our work to achieve admissibility of digital evidence. Smartphone forensics is a cat-and-mouse game of reverse engineering the app in an effort to extract data, and this is common across the smartphone environment.
Handling Digital Evidence
Step One: Understand the Need
I always request to review the complaint and any relevant motions pertaining to electronic evidence. Counsel must ensure that a thorough review of all potential areas of evidence is conducted and that those areas are identified and prioritized. The universe of relevant data identified will define the scope of the project and determine the budget for the client.
Step Two: Preservation and Authentication
This step serves as the foundation that all other steps rely on. For admissibility of evidence to succeed, the preservation of electronic evidence must be authenticated via hash verification when applicable, and documentation must be created to memorialize the steps taken to acquire the electronic evidence.
The concept of “hashing” data is using a mathematical algorithm to fingerprint data. The data can be a file, a folder, or a hard drive. MD5 hashing (Message Digest 5) is the most common hash method, but the more secure SHA-1 (Secure Hash Algorithm 1) is used as well.
MD5 Hash Example:
SHA-1 Hash Example:
The hash value is referenced by the digital forensic analyst whenever data is processed or copied to ensure that all data authenticates back to the original data. Hash values do not change when the metadata of a file changes or when a file is renamed. The hash value will change when any content in the file is changed. For instance, adding a period to a sentence in a Word document will change the hash value.
Note: Spoliation is the term for electronic evidence, critical to the other side’s case, that has been altered or deleted in a way that negatively affects the other side’s ability to litigate. Without a proper preservation methodology, there is no way to defend against challenges to the authenticity of electronic evidence, which jeopardizes its admissibility.
Step Three: Evidence Redundancy
During the acquisition of electronic evidence, or immediately after that, electronic evidence must be secured on two separate pieces of media to provide redundancy in the event one of the copies is at risk of corruption or hardware failure. One copy is labeled as “original” and the other “working copy”.
For cost-effectiveness, we use hard drives to store data. All data is stored on two separate hard drives and securely stored in a fire-resistant evidence locker.
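The behaviour described in Steps Two and Three, that a hash survives renaming and metadata changes but not a single-character content change, and that the “original” and “working copy” must hash identically, can be demonstrated with a few lines of Python. This is an added example, not IT Acceleration’s tooling or process; it uses the standard `hashlib` module, a constructed plain-text file (assumed here as a stand-in for the Word document in the text), and a temporary directory in place of real evidence media. SHA-256 is computed alongside MD5 and SHA-1 because both of those older algorithms are no longer collision-resistant, and recording a second, stronger digest is an inexpensive addition to the article’s method.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed sample content standing in for an acquired file (not real evidence).
SAMPLE_TEXT = b"The quick brown fox jumps over the lazy dog"


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file's content, read in 1 MiB chunks so large
    evidence files (disk images) do not have to fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_report(path):
    """MD5 and SHA-1 are the algorithms the article names; SHA-256 is added."""
    return {alg: hash_file(path, alg) for alg in ("md5", "sha1", "sha256")}


def verify_copy(original, copy, algorithm="sha256"):
    """Step Three check: a copy is authentic only if it hashes identically."""
    return hash_file(original, algorithm) == hash_file(copy, algorithm)


def make_evidence_set(workdir):
    """Write the constructed 'acquired' file and make an original and a working copy."""
    acquired = os.path.join(workdir, "acquired.txt")
    with open(acquired, "wb") as fh:
        fh.write(SAMPLE_TEXT)
    original = os.path.join(workdir, "original", "acquired.txt")
    working = os.path.join(workdir, "working_copy", "acquired.txt")
    for dest in (original, working):
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.copyfile(acquired, dest)
    return acquired, original, working


def demo():
    """Run the scenario end to end and return what each check found."""
    with tempfile.TemporaryDirectory() as workdir:
        acquired, original, working = make_evidence_set(workdir)
        baseline = hash_report(acquired)
        results = {"baseline": baseline,
                   "copies_match": verify_copy(original, working)}

        # Renaming the file: content untouched, so the digests are unchanged.
        renamed = os.path.join(workdir, "renamed.txt")
        os.rename(acquired, renamed)
        results["rename_changes_hash"] = hash_report(renamed) != baseline

        # Changing metadata (modification time): still the same content, same hash.
        os.utime(renamed, (0, 0))
        results["mtime_changes_hash"] = hash_report(renamed) != baseline

        # Appending one period to the working copy: content changed, hash changed,
        # and the working copy no longer authenticates against the original.
        with open(working, "ab") as fh:
            fh.write(b".")
        results["period_changes_hash"] = hash_report(working) != baseline
        results["working_copy_still_authentic"] = verify_copy(original, working)
        results["tampered"] = hash_report(working)
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows `copies_match` true, both the rename and the timestamp change leaving the digests intact, and the single appended period producing a completely different MD5, SHA-1 and SHA-256 while `working_copy_still_authentic` drops to false. In practice the baseline digests are recorded in the acquisition documentation at the moment of imaging, and `verify_copy` is re-run against each copy before any analysis and again before the evidence is presented.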
Step Four: Chain-of-Custody
Chain-of-custody documentation is established at the time of acquisition and should include the location of the evidence and who had access to it at that time. For instance, if a smartphone is provided for preservation, the custodian of the smartphone and the method by which it was delivered need to be documented. Once the smartphone is received, a receipt is generated, and once the smartphone is returned, the receipt is closed out. From that point, the acquired electronic evidence is tracked through the chain-of-custody.
Since 2006, IT Acceleration has used secure evidence tracking software from Tracker Products. This software provides the ability to run reports and streamline the labeling and storing of evidence.
Step Five: Analysis
The world of electronic evidence has grown exponentially and increases in complexity almost daily. Consider that any matter may include evidence of electronic data acquired from computers, smartphones, the web and cloud, and any special needs of data from such items as applications, video surveillance, voicemail, system audit logs, etc.
The analysis of the electronic evidence may entail the use of specialized forensic applications to streamline processing, evidence identification, and forensic analysis. One thing we never do as a testifying expert is testify to what a forensic application reported without confirming it. A textbook example of this issue happened at the Casey Anthony trial. A detective for the government testified that the application “CacheBack” reported that the word chloroform was searched for 84 times. After the trial, the application vendor issued a statement that their algorithm was incorrect and had produced incorrect results.
Step Six: Reporting
Reporting is important for several reasons:
- It needs to be understood by the layperson. Technology issues can carry so much technobabble that the judge and jury will not understand. Write the report for the layperson while supplementing it with technical details.
- The evidence reported needs to be validated, perhaps from multiple forensic applications or from the point of origin, such as the operating system or application.
- The analysis needs to be thorough. This is the opportunity for the other side to understand the impact the forensic analysis has on their position. Reports and rebuttals have resulted in plea deals and settlement offers that eliminated the need to go to trial.
- When reviewing the adversary’s reports and refuting their findings, the rebuttal needs to be clear and concise as to why their reporting is incorrect.
- Visuals help the reader to understand the content better.
- The narrative needs to flow and tell the story.
The government is notorious for dumping what it reports, providing no narrative or flow to follow its analysis and evidence identification. It can be very confusing, and I’m sure this is done intentionally. In most cases, we have had to follow up with questions to the government attorney, asking them to explain and provide details of their reporting.
The private forensic firms in civil cases have issues with reporting. Technical people typically do not like to document, and this can be apparent in poorly written reports provided by the other side.
Step Seven: Testifying
The final step, and the culmination of all the hard work put into the investigation and research, comes down to this moment. Only a small percentage of cases actually make it to trial, which is why counsel needs to engage a seasoned professional with technical expertise and testifying experience. With only one shot, it is critical to cover all the topics clearly and completely. Taking the information from the expert report and delivering it as an oral narrative can be tricky, as the response to the judge and jury must not be over-complicated.
What to Look for From a Digital Forensics Company
IT Acceleration has years of Information Technology experience. This experience is not something that can be taught easily – you had to have lived it. The same technologies we support for our clients over the past 30 years are the same technologies we investigate for litigation. Technology expertise is critical for your legal team.
Digital forensic training and tools serve as the basis for applying that IT expertise to forensic investigations and to incident response when security breaches are discovered. But don’t get hung up on three-letter acronyms after a name. These are meaningless if the person cannot perform at a high level. Ask the vendor what expertise they have in technology and how many years they have been involved in Information Technology, exclusive of forensics. You will get varied responses, with many vendors not having the technical background required to perform the steps listed above thoroughly and competently.
Excellent oral and written communication goes without saying.
Availability to counsel and client is required, as litigation has a tendency to evolve very quickly, and court-ordered dates must be adhered to.
Confidence is needed to believe in the work they are doing and to present the facts without hesitation.
Your Digital Forensic Investigators and Digital Evidence Expert Witnesses
Digital forensic investigations are not cheap, and you will get what you pay for. Choose your digital forensics expert wisely. Focusing on cost when our involvement is small compared to the entirety of litigation may not be the wisest choice when your case depends upon digital evidence and expert testimony. Our digital forensic experts and digital evidence expert witnesses have a proven history of helping clients win. Call us at (407) 401-8991 to find out how we can help you.