Digital Forensic Evidence
Since the results of a digital forensic investigation often end up in court, it is important to understand some of the issues surrounding digital forensic evidence. In order for any collected evidence to be useful in court, it must be admitted by the trial judge. When deciding whether or not to admit a piece of evidence, the trial judge follows established standards including the rules of evidence for the court and case type, standards for expert testimony related to the evidence, and proper collection and preservation techniques. If the judge determines that a forensic investigation has been conducted in an improper way, or the digital evidence has been damaged in the process, the entire forensic investigation may prove to be worthless.
Formative Case Law
With respect to digital forensic evidence, there are several important pieces of case law that provide a foundation for the rules of evidence that apply at the federal and state levels in order for scientific evidence, including the results of digital forensic investigations, to be admissible in court. At the federal level, Frye v. United States (1923) and Daubert v. Merrell Dow Pharmaceuticals (1993) were key formative cases. In State of South Carolina v. Jones (1979), the state established its own standard for the admissibility of scientific evidence.
Admissibility of scientific evidence in federal court was dominated for most of the 20th century by a case heard in the Court of Appeals for the District of Columbia Circuit in 1923. The reasoning in this case became known as the Frye Standard, and it required general acceptance of a technique by the relevant scientific field:1
“Just when a scientific principle or discovery crosses the line between the experimental and demonstrable stages is difficult to define. Somewhere in this twilight zone the evidential force of the principle must be recognized, and while the courts will go a long way in admitting experimental testimony deduced from a well-recognized scientific principle or discovery, the thing from which the deduction is made must be sufficiently established to have gained general acceptance in the particular field in which it belongs.”
Between 1993 and 1999, the United States Supreme Court replaced the Frye Standard in federal court with what is now known as the Daubert Standard, named for the first of three separate cases. The court held that the Federal Rules of Evidence, rather than Frye's general-acceptance test alone, govern admissibility: general acceptance remains one factor, but lower courts must also consider the reliability of the methods used, and whether or not those methods have been adequately tested in order to establish that reliability. A key passage from that decision was:2
“Faced with a proffer of expert scientific testimony under Rule 702, the trial judge, pursuant to Rule 104(a), must make a preliminary assessment of whether the testimony’s underlying reasoning or methodology is scientifically valid and properly can be applied to the facts at issue. Many considerations will bear on the inquiry, including whether the theory or technique in question can be (and has been) tested, whether it has been subjected to peer review and publication, its known or potential error rate, and the existence and maintenance of standards controlling its operation, and whether it has attracted widespread acceptance within a relevant scientific community. The inquiry is a flexible one, and its focus must be solely on principles and methodology, not on the conclusions that they generate.”
In contrast to the Daubert Standard, the State of South Carolina follows a standard established in a South Carolina Supreme Court case (State v. Jones) from 1979:3
”… the degree to which the trier of fact must accept, on faith, scientific hypotheses not capable of proof or disproof in court and not even generally accepted outside the courtroom.”
While this Jones Standard was refined in 1998-1999 (State v. Council), the South Carolina Supreme Court did not adopt the federal Daubert standard:4
“In considering the admissibility of scientific evidence under the Jones standard, the Court looks at several factors, including: (1) the publications and peer review of the technique; (2) prior application of the method to the type of evidence involved in the case; (3) the quality control procedures used to ensure reliability; and (4) the consistency of the method with recognized scientific laws and procedures.”
Rules of Evidence
In order for a forensic report or the results of its related investigation to be admitted in court, the applicable Rules of Evidence must be followed. If the case will be heard in South Carolina state court, the South Carolina Rules of Evidence will apply. However, if the case will be heard in federal court, the Federal Rules of Evidence will apply. While there is a lot of overlap between these rules, it is important to consider that a case filed in state court may be removed to federal court, and that federal review remains possible on appeal. Consequently, it is important to preserve evidence and prepare reports in accordance with the federal standards in any places where those standards are stricter than the state standards.
Since a digital forensic examiner would be considered an “expert witness” for the purpose of presenting the results of an investigation before a court, it is important to consider Rule of Evidence 702. Conveniently, the federal and South Carolina rules are both numbered 702. These rules take into account the relevant standards established from the case law above, but the forensic expert must still conduct the examination and draw conclusions in line with those standards.
Federal Rule of Evidence 702
“A witness who is qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise if:
(a) the expert’s scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue;
(b) the testimony is based on sufficient facts or data;
(c) the testimony is the product of reliable principles and methods; and
(d) the expert has reliably applied the principles and methods to the facts of the case.”5
South Carolina Rule of Evidence 702
“If scientific, technical, or other specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue, a witness qualified as an expert by knowledge, skill, experience, training, or education, may testify thereto in the form of an opinion or otherwise.”6
Collection of Evidence
In order to ensure that the results of a forensic investigation would have the best chance of being admitted into federal court, collection of evidence should use tools and techniques that meet the stricter Daubert Standard. Since a case that is initially destined for South Carolina state court could wind up removed or appealed into federal court, following only the Jones Standard might not be sufficient in the long run. For this reason, it is imperative to follow established techniques for retrieving information from computer systems. It is also important to use forensic software that has been tested and verified to perform correctly.
There are some important caveats to consider with forensic software. First, it is easier to verify the correct operation of an open-source tool than it is to confirm the operation of a tool for which the source code is not available. On the flip side, open-source tools may be community supported and may not have been subject to rigorous, independent validation testing that a proprietary tool vendor might be able to afford. In any case, pirated software should never be used in a forensic investigation. Law enforcement agencies and crime labs have been known to procure tools through other-than-legal means in the face of budgetary challenges. Since using a pirated application is itself an illegal act, it would be easy for the opposing party to challenge the admissibility of evidence collected using improperly licensed software. If an agency or entity cannot afford proper licenses, it must not use the licensed application.
Evidence Preservation
All steps in the investigative process must be documented. From the time that a piece of computer equipment, or a piece of data from a remote provider, is received through the time of disposal of the case, a written record of the location and disposition of the evidence must be kept. This chain of custody is critical for establishing an assertion that the evidence has been properly preserved.
In addition to maintaining the chain of custody, it is important to use non-destructive methods of acquiring evidence from devices whenever possible: for example, acquiring through a hardware write blocker, taking a bit-for-bit image, and recording a cryptographic hash of the image at acquisition time so that any later working copy can be verified against it. Changing original systems or storage devices in the process of an investigation invites the counter-argument that the results of the investigation are not reliable. If proper preservation techniques are not followed, spoliation of the evidence might occur. Spoliation occurs whenever the original evidence is lost, corrupted, or changed, and it is by itself a reason for a court to rule the evidence inadmissible. If the entire case relies on such evidence, it is likely that the case will be dismissed, and the whole forensic investigation rendered useless.
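The two preservation controls described above (documented chain of custody, and acquisition that can be shown not to have altered the evidence) can be tied together in a small script. The following is an added example written for this page; it is not code from the original page or from any forensic tool vendor. It assumes a hypothetical evidence identifier `EX-001`, a constructed stand-in file for a block device (a real acquisition would read a device node behind a write blocker), and a JSON-lines custody log whose entries each commit to the hash of the previous entry so that a deleted or edited entry breaks the chain. The demo deliberately corrupts both the image and the log afterwards to show that each verification step catches the change.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size


def hash_file(path):
    """Stream a file through SHA-256 and MD5. The file is opened read-only
    so the source is never written to. Returns (sha256_hex, md5_hex)."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with os.fdopen(os.open(path, os.O_RDONLY), "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def acquire_image(source, image_path):
    """Bit-for-bit copy of `source` to `image_path`. The source is hashed
    before the copy and the image afterwards; a mismatch means the image is
    not a faithful copy and must not be used."""
    src_hashes = hash_file(source)
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    if hash_file(image_path) != src_hashes:
        raise RuntimeError("image hashes do not match the source")
    return src_hashes


def verify_image(image_path, expected_sha256):
    """True only if the image still hashes to the value recorded at acquisition."""
    return hash_file(image_path)[0] == expected_sha256


class CustodyLog:
    """Append-only chain-of-custody log (JSON lines). Each entry stores the
    hash of the previous entry, so editing, deleting or reordering entries
    is detected by verify(). (Assumed format, not a standard.)"""
    GENESIS = "0" * 64

    def __init__(self, path):
        self.path = path

    def _entries(self):
        if not os.path.exists(self.path):
            return []
        with open(self.path, "r", encoding="utf-8") as f:
            return [json.loads(line) for line in f if line.strip()]

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()

    def append(self, evidence_id, action, custodian, sha256, note=""):
        entries = self._entries()
        entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "evidence_id": evidence_id, "action": action,
            "custodian": custodian, "sha256": sha256, "note": note,
            "prev_hash": entries[-1]["entry_hash"] if entries else self.GENESIS,
        }
        entry["entry_hash"] = self._digest(entry)
        with open(self.path, "a", encoding="utf-8") as f:
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry

    def verify(self):
        prev = self.GENESIS
        for entry in self._entries():
            if entry.get("prev_hash") != prev or self._digest(entry) != entry.get("entry_hash"):
                return False
            prev = entry["entry_hash"]
        return True


def demo():
    """Run the workflow on a constructed 'device' in a temporary directory."""
    with tempfile.TemporaryDirectory() as work:
        device = os.path.join(work, "sdb")  # constructed stand-in for a block device
        image = os.path.join(work, "sdb.raw")
        log = CustodyLog(os.path.join(work, "custody.jsonl"))
        with open(device, "wb") as f:  # constructed sample content, not real data
            f.write(b"MBR\x00" * 1024 + os.urandom(4096))

        sha256, md5 = acquire_image(device, image)
        log.append("EX-001", "acquired", "examiner A", sha256, "md5=" + md5)
        log.append("EX-001", "sealed in evidence locker", "examiner A", sha256)
        log.append("EX-001", "released for analysis", "examiner B", sha256)
        intact = verify_image(image, sha256) and log.verify()

        # Simulated spoliation: one byte of the image changes, and a log entry
        # is edited after the fact. Both must be detected.
        with open(image, "r+b") as f:
            f.seek(512)
            f.write(b"\xff")
        with open(log.path, encoding="utf-8") as f:
            lines = f.read().splitlines()
        lines[1] = lines[1].replace("examiner A", "examiner C")
        with open(log.path, "w", encoding="utf-8") as f:
            f.write("\n".join(lines) + "\n")

        return {"intact_before": intact,
                "image_ok_after": verify_image(image, sha256),
                "log_ok_after": log.verify()}


if __name__ == "__main__":
    print(demo())
```

Running the script prints `intact_before` as true and both `_after` checks as false. The hash chain only proves that the log was not altered after the fact; it does not prove who wrote an entry, so in practice the log would also be signed or stored on write-once media, and the recorded hashes would be reproduced by a second, independently validated tool before the image is relied on in a report.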
Notes and References
1. Frye v. United States, 293 F. 1013 (D.C. Cir. 1923) [PDF]. Archived by the University of Florida Levin College of Law. ↩
2. Daubert v. Merrell Dow Pharmaceuticals (92-102), 509 U.S. 579 (1993). Archived by the Cornell University Legal Information Institute. ↩
3. 21066 - State v. Jones (1979). Archived by Justia. ↩
4. 24932 - State v. Council (1999). South Carolina Judicial Branch. ↩
5. Rule 702. Testimony by Expert Witnesses. Cornell University Legal Information Institute. ↩
6. Rule 702: Testimony by Experts. South Carolina Judicial Branch. ↩