Admissibility in Court
October 28, 2016
Categorised in: Computer Forensic & Cyber Applications
Courts need to determine whether evidence is “safe” to put before a jury and will help provide a solid foundation for making a decision in the case.
In practice, admissibility is a set of legal tests carried out by a judge to assess an item of evidence.
This assessment process can become complicated, particularly when the evidence was not handled properly or has traits that make it less reliable or more prejudicial.
Some jurisdictions have rules relating to admissibility that are formal and sometimes inflexible, while other jurisdictions give judges more discretion.
In this case, both parties offered copies of e-mail messages that could not be authenticated properly.
The magistrate judge would not admit the e-mail messages, noting that unauthenticated e-mails are a form of computer-generated evidence that pose evidential issues.
The magistrate outlined five issues that must be considered when assessing whether digital evidence will be admitted:
3. Not hearsay or admissible hearsay
4. Best evidence
5. Not unduly prejudicial
Although some of these issues may not be applicable in certain instances, each must be considered.
Other issues that may prevent digital evidence from being admitted by courts are improper handling and illegal search and seizure.
Although courts have been somewhat lenient in the past on improper handling of digital evidence, more challenges are being raised relating to evidence handling procedures as more judges and attorneys become familiar with digital evidence.
Courts are much less forgiving of illegal search and seizure of evidence.
The most common mistake that prevents digital evidence from being admitted by courts is that it is obtained without authorization.
Generally, a warrant is required to search and seize evidence.
the Fourth Amendment requires that a search warrant be secured before law enforcement officers can search a person’s house, person, papers, and effects.
To obtain a warrant, investigators must demonstrate probable cause and detail the place to be searched and the persons or things to be seized.
More specifically, investigators have to convince a judge or magistrate that, in all probability:
1. a crime has been committed;
2. evidence of crime is in existence; and
3. the evidence is likely to exist at the place to be searched.
Search warrants in the United Kingdom and other European countries can be more loosely defined than in the United States. In the United Kingdom, for instance, there are several kinds of warrants (e.g., a specific premises warrant, all-premises warrant, and multiple entry warrant), and they do not have to specify what things will be seized.
The main exceptions that can allow a warrantless search in the United States are plain view, consent, and exigency. If investigators see evidence in plain view, they can seize it provided they have obtained access to the area validly.
By obtaining consent to search, investigators can perform a search without a warrant but care must be employed when obtaining consent to reduce the chance of the search being successfully challenged in court.
Regarding exigency, a warrantless search can be made for any emergency threatening life and limb or in which digital evidence is imminently likely to be altered or destroyed.
In the latter circumstances, it might be necessary to seize the computing device immediately to reduce the potential of destruction of evidence.
After the digital evidence is preserved, it is generally prudent to obtain a warrant to conduct a forensic examination of the digital evidence.
There are four questions that investigators must consider when searching and seizing digital evidence:
1. Does the Fourth Amendment and/or the Electronic Communications Privacy Act (ECPA) apply to the situation?
2. Have the Fourth Amendment and/or ECPA requirements been met?
3. How long can investigators remain at the scene?
4. What do investigators need to reenter?
When addressing these questions, remember that the ECPA prohibits anyone, not just the government, from unlawfully accessing or intercepting electronic communications, whereas the Fourth Amendment applies only to the government.
Even when investigators are authorized to search a computer, they must maintain focus on the crime under investigation. For instance, in United States v. Carey (1998), the investigator found child pornography on a machine while searching for evidence of drug-related activity but the images were inadmissible because they were outside of the scope of the warrant.
One approach to dealing with this issue is to obtain another search warrant for that crime when evidence of another crime is discovered.
AUTHENTICATION OF DIGITAL EVIDENCE
Courts generally ask if the recovered evidence is the same as the originally seized data when considering whether digital evidence is admissible.
To demonstrate that digital evidence is authentic, it is generally necessary to satisfy the court that it was acquired from a specific computer and/or location, that a complete and accurate copy of digital evidence was acquired, and that it has remained unchanged since it was collected.
In some cases it may also be necessary to demonstrate that specific information is accurate, such as dates associated with a particular file that is important to the case. The reliability of digital evidence clearly plays a critical role in the authentication process .
Chain of custody and integrity documentation are important for demonstrating the authenticity of digital evidence.
Proper chain of custody demonstrates that digital evidence was acquired from a specific system and/or location, and that it was continuously controlled since it was collected.
Thus, proper chain of custody documentation enables the court to link the digital evidence to the crime.
Incomplete documentation can result in confusion over where the digital evidence was obtained and can raise doubts about the trustworthiness of the digital evidence.
Integrity documentation helps demonstrate that digital evidence has not been altered since it was collected.
In situations where the hash value of digital evidence differs from the original, it may be possible to isolate the altered portions and verify the integrity of the remainder.
For example, bad sectors on a hard drive generally cause the hash value calculated for the drive to change each time it is computed.
Documenting the location of bad sectors will help a digital investigator determine whether they are allocated to files that are important to the case.
In addition, the hash values of individual files that are important to the case can be compared with those on the original hard drive to ensure that specific files are not impacted by the bad sectors.
When there are concerns that digital evidence was mishandled and that potentially exculpatory information was destroyed, courts may still decide to admit the evidence.
In one case, digital investigators inadvertently booted the evidential computer but were able to satisfy the court that the digital evidence could still be trusted.
In some cases, the opposing party will attempt to cast doubt on more malleable forms of digital evidence, such as logs of online chat sessions.
RELIABILITY OF DIGITAL EVIDENCE
To authenticate digital evidence, it may also be necessary to assess its reliability.
There are two general approaches to assessing whether digital evidence can be relied upon in court.
The first approach is to focus on whether the computer that generated the evidence was functioning normally, and the other approach is to examine the actual digital evidence for evidence of tampering and other damage.
The reliability of a particular computer system or process is difficult to assess and, in practice, courts are not well equipped to assess the reliability of computer systems or processes.