Evidence Acquisition Basics

Computer Forensics
BACS 371
Evidence Collection & Admissibility
Outline
 Evidence overview
 Evidence admissibility
 Challenges to evidence
 Evidence acquisition
 Preserving evidence
 Evidence authenticity
 Forensic methodology
 Special considerations
5 Rules of Evidence
 Admissibility – the evidence must be admissible in court.
 Authenticity – the evidence must relate to the incident in question.
 Completeness – the evidence must be comprehensive.
 Reliability – the evidence must be consistent and uncontaminated.
 Believability – the evidence should be clearly understandable and believable by the jury.
Admissible Evidence?
What makes evidence “admissible”?
Short answer – if a judge says it is, it is…
Judges use guidelines for admissibility:
 Is the evidence relevant?
 Is the evidence authentic and credible?
 Is the evidence competent?
An overriding principle is the “exclusionary rule”, which says evidence is not admissible if it was not collected legally.
Is it Relevant?
The question of relevance is usually the first considered by a judge. If it is not relevant, then it will not be admissible.
To be considered relevant the evidence must satisfy 2 conditions:
1. It must be material – directly relating to the case being presented.
2. It must be probative – proves something that will help get to the truth of the situation.
Is it Authentic and Credible?
The question of authenticity is basically asking if the evidence is what it purports to be.
This requires asking a number of questions which include:
 Is the material an opinion?
 If it is an opinion, is it the opinion of an expert witness?
 Was it collected correctly?
 Could it have been altered in any way?
Is it Competent?
 It is not prejudicial in any way. This applies primarily to evidence not directly related to the case.
 It is not privileged. For example, it cannot involve attorney-client, doctor-patient, … or other privileged communication.
 It cannot be collected in violation of Constitutional rights.
 It cannot be hearsay (except for expert witnesses).
 It cannot violate an exclusionary rule.
Withstanding Challenges to Evidence
Criminal trials are often preceded by a suppression hearing.
 This is where the admissibility (i.e., suppression) of evidence is determined.
 At this hearing, the judge determines if the 4th Amendment was correctly followed.
 Also, if proper discovery procedure is not followed, defendants can challenge evidence admissibility.

Exclusionary Rules
Exclusionary rules test whether evidence will be admissible (judges use them).
 Exclusionary rules pertain to the following:
 Relevancy
 Privilege
 Opinion of an expert
 Hearsay
 Authentication
Acquiring Evidence – Legal Aspects
There are a number of pertinent legal aspects to acquiring evidence. These include:
 The 4th Amendment affects how forensic analysts can acquire evidence
 Preserving the evidence
 Establishing authenticity of the evidence
 Following a repeatable process to ensure admissibility
4th Amendment Considerations when Acquiring Evidence
 When does evidence “seizure” occur?
 Who owns the computer that contains data?
 What type of image is “good enough” to be searched?
 Do attempts to delete data involve privacy or indicate a cover-up?
 When searching a network, where do you stop?
 What if one search leads to another? Where does one search stop and another begin?
Preserving the Evidence
Computer Forensics is the discipline of acquiring, preserving, retrieving, and presenting electronic data.
Three C’s of evidence:
 Care - Take Care of the way you collect and handle it
 Control - Take Control of it by seizing and storing it properly
 Chain of Custody - Keep an accurate Chain of Custody
Preserving and Storing the Evidence
Keep evidence in possession or control at all times
 Document movement of evidence between investigators (chain of custody).
 Secure evidence appropriately so that it can’t be tampered with or corrupted.
 Mathematically authenticate data (i.e., hash values).
Preserving the Evidence
Preserving the evidence means that you practice a defensible (objective, unbiased) approach that is:
 Performed in accordance with forensic science principles
 Based on standard or current best practices
 Conducted with verified tools to identify, collect, filter, tag and bag, store, and preserve e-evidence
 Conducted by individuals who are certified in the use of verified tools, if such certification exists
 Documented thoroughly
Establishing Authenticity
You should use one of the following 3 criminal evidence rules:
 Authentication – show that it’s a true copy
 Best Evidence Rule – work with the original
 Exceptions to Hearsay rule – confessions or business records
Forensic analysts tend to use authentication based upon hash values.
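Hash-based authentication of an acquired image, combined with a chain-of-custody log whose entries are themselves hash-linked, as an added Python example that is not part of the slides; the image bytes, handler names and timestamps are constructed for illustration.

```python
import hashlib
import json

# Constructed stand-in for an acquired disk image; not data from any real case.
EVIDENCE_IMAGE = b"\x00" * 512 + b"BACS371 sample volume header" + b"\xff" * 512

def hash_evidence(data: bytes, algorithms=("md5", "sha256")) -> dict:
    """Reference hashes over the acquired bytes (sha256 primary, md5 for legacy reports)."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}

def record_custody(log: list, action: str, handler: str, hashes: dict, when: str) -> dict:
    """Append a chain-of-custody entry carrying the evidence hashes and a digest of the
    previous entry, so that a later edit to the log is detectable."""
    prev = log[-1]["entry_digest"] if log else "0" * 64
    entry = {"time": when, "action": action, "handler": handler,
             "evidence_hashes": hashes, "prev": prev}
    canonical = json.dumps(entry, sort_keys=True).encode()
    entry["entry_digest"] = hashlib.sha256(canonical).hexdigest()
    log.append(entry)
    return entry

def verify_log(log: list) -> bool:
    """Recompute every entry digest and back-link; False if any entry was altered."""
    expected_prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_digest"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev"] != expected_prev or entry["entry_digest"] != digest:
            return False
        expected_prev = digest
    return True

def verify_evidence(data: bytes, log: list) -> dict:
    """Re-hash the evidence and compare with the hashes recorded at acquisition."""
    reference = log[0]["evidence_hashes"]
    current = hash_evidence(data, tuple(reference))
    return {"evidence_intact": current == reference, "log_intact": verify_log(log),
            "reference": reference, "current": current}

def build_custody_log(image: bytes = EVIDENCE_IMAGE) -> list:
    """Acquisition followed by one hand-off; handler names and timestamps are constructed."""
    log = []
    ref = hash_evidence(image)
    record_custody(log, "acquired (bit-for-bit image)", "Analyst A", ref, "2024-01-01T09:00:00Z")
    record_custody(log, "transferred to evidence locker", "Custodian B", ref, "2024-01-01T11:30:00Z")
    return log
```

A single flipped bit in the image changes every recorded hash, and a single edited field in any log entry breaks the digest chain, which is what lets the analyst show in court that neither the copy nor its custody record was altered.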
Legal Authenticity Standards
Over the years, several evidence standards have been devised.
 Relevancy test – Anything that is materially relevant to the case
 Frye Standard – Technique may be sufficiently established (general acceptance test)
 Coppolino Standard – Even if not generally accepted, court can accept if good foundation laid
 Marx Standard – No need to sacrifice common sense
 Daubert Standard – Rigorous test with special discovery procedures
Forensic Methodology
A forensic methodology is a well-defined, repeatable process used by forensic analysts to ensure that:
 Evidence is properly collected, prepared, and stored
 Evidence is analyzed in a consistent and thorough manner acceptable to the court
 Analyst objectivity is maintained
 Documentation is collected to ensure that a comprehensive report can be generated.
Brief Outline of the Scientific Method
Successful forensic examinations generally follow the scientific method.
1. Identify and research a problem
2. Formulate a hypothesis
3. Conceptually and empirically test the hypothesis
4. Evaluate the hypothesis with regards to test results
5. If the hypothesis is acceptable, evaluate its impact. If not, reevaluate the hypothesis
Special Considerations
Digital Forensics has some special considerations when it comes to evidence.
 The plain view doctrine
 Multiple computer users
 Search with consent
Plain View Doctrine
The plain view doctrine was developed for physical, tangible evidence.
Digital evidence requires a more refined definition of “plain view”:
 Inadvertence approach
 Prophylactic test approach
 Computers as containers approach
Multiple Computer Users
 Any time a computer is configured for multiple users the issue of privacy becomes convoluted.
 Legal search in these cases revolves around the notion of “reasonable expectation of privacy.”
 Accounts with passwords are a strong case for individual account privacy.
 The problem is also present in network environments and cloud storage situations.
Search with Consent
 Multiple computer user accounts combined with forensic tools that cannot distinguish who actually owns a file can cause search with consent problems.
 The general rule is that consent cannot be given to another user’s files if an effort has been made to segregate the users (e.g., passwords, independent folders, …).
 The issue is clouded when the user accounts have administrative privilege (since they can reset passwords).
Summary
 Evidence must be admissible, authentic, complete, reliable, and believable.
 Judges determine admissibility based on a set of exclusionary rules and other procedural concerns.
 Improper search and seizure can make even the best evidence inadmissible.
 There are various ways to establish the authenticity of evidence.
 Certain special considerations must be taken into account when working with digital evidence.