Computer Crime Research Center


The Digital Evidence in the Information Era

Date: March 10, 2004
Source: Computer Crime Research Center
By: Judge Mohamed Chawki


1. The evidence is the foundation of any criminal case, including those involving cybercrimes.Searching, examining, collecting, and preserving evidence may differ from one law enforcement officer to another, however these procedures are governed by laws and legislations that should be followed. Errors in gathering, developing, or presenting evidence can have dire consequences on the trial.

2. An evidence can be generally defined as ‘ something that tends to establish or disprove a fact. It can include documents, testimony, and other objects’. It can be classified into three categories:

- Real or physical evidence, which consists of tangible objects that can be seen and touched.

- A testamentary evidence, where the testimony of a witness can be given during a trial, based on a personal observation or experience.

- Circumstantial evidence, which is based on a remark, or observation of realities that tends to support a conclusion, but not to prove it.

3. In criminal trials, the prosecution has to prove every element of its case beyond a reasonable doubt. In civil trials, on the other hand, a party has the burden only of proving his or her affirmative contentions by a preponderance of the evidence. In recent years the problems of procuring evidence have been eased somewhat by the introduction of broader discovery (i.e., disclosure) rules. In civil cases, these rules compel each party to a suit to allow the other to have access to its witnesses and to certain types of evidence before the trial. In criminal cases, the judge has the discretionary power to order discovery; however, in any event, the prosecutor must release all exculpatory evidence on request.[1]

The rise of digital forensics and the digital evidence

4. As early as 1984, the FBI Laboratory and other law enforcement agencies began developing programs to examine computer evidence. To properly address the growing demands of investigators and prosecutors in a structured and programmatic manner, the FBI established the Computer Analysis and Response Team (CART). In 1991, a new term; "Computer Forensics" was coined in the first training session held by the International Association of Computer Specialists (IACIS) in Portland, Oregon. It is the science whereby; experts extract data from computer media in such a way that it may be used in a court of law; it deals with the application of law to a science. In this case, the science involved is computer science and some refer to it as Forensic Computer Science. Computer forensics has also been described as the autopsy of a computer hard disk drive because specialized software tools and techniques are required to analyze the various levels at which computer data is stored after the fact. Since then, it has become a popular topic in technological circles and in the legal community, while the digital forensic is the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitation or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations”

5. The domain of computer forensics involves collecting, preserving, seizure, analyzing and presentation of computer-related evidence utilizing secure, controlled methodologies and auditable procedures, the These examinations involve the examination of computer media, such as floppy disks, hard disk drives, backup tapes, CD-ROM's and any other media used to store data. The forensic specialist uses specialized software, not normally available to the general public. The examination will discover data that resides in a computer system, or recover deleted/erased, encrypted or damaged file information and recover passwords, so that documents can be read. Any or all of this information found during the analysis may or can be used during both criminal and civil litigation. Thus, this evidence can be visible when stored in the mean of files saved on disks, or not visible, when it requires some sort of software to locate it.

6. Regarding computer related crimes cases, evidences are classified into three main categories, according to SWGDE/IOCE standards:

- Digital evidence, where the information are stored or transmitted in electronic or magnetic form.

- Physical items, where the digital information is stored, or transmitted through a physical media.

- Data objects, where the information are linked to physical items.

Admissibility of the digital evidence

7. Generally speaking, there are three requirements for the evidence to be admissible in the court. (a) Authentication, (b) the best evidence rule, and (c) exceptions to the hearsay rule. Authentication means showing a true copy of the original, best evidence means presenting the original, and the allowable exceptions are when a confession, business, or official records are involved. Authentication appears to be the most commonly used rule, but experts disagree over what is the most essential, or most correct, element of this in practice. Some say documentation (of what has been done); others say preservation (or integrity of the original); and still others say authenticity (the evidence being what you say it is). Good arguments could be made for the centrality of each, or all, as the standard in computer forensic law. In addition, the U.S. courts require the legality of the evidence; it must be obtained in accordance with the laws governing search and seizure, including laws expressed in the U.S. and state legislations. Some legislation sets special rules to admissible the digital evidence. Starting by rule 401, the evidence is defined ‘as having any tendency to make the existence of any fact that is of consequence to the determination of the action more probable or less probable than it would be without the evidence’.

While rule 402 of the federal rule of evidence states that ‘All relevant evidence is admissible, except as otherwise provided by the Constitution of the United States, by Act of Congress, by these rules, or by other rules prescribed by the Supreme Court pursuant to statutory authority. Evidence which is not relevant is not admissible.

8. When these rules are still not clear, there are some requirements and precautions that should be followed by investigators. The IACIS provides some of these requirements to its members, to ensure that competent, professional forensic examinations:

- Forensically sterile examination media must be used.

- The examination must maintain the integrity of the original media.

- Printouts, copies of data and exhibits resulting from the examination must be properly marked, controlled and transmitted.

Searching and Seizing the Digital Evidence

9. The first successful step in searching and seizing the digital evidence is to know and understand well what will be searched and seized. Secondly, investigators and law enforcement officers doing these steps must have a warrant to search, which covers the location and description of the system.Thirdly, the digital evidence shall be well seized when it is located.

A: Items that can be searched and/or seized

10. When speaking about searching or seizing computers, we usually do not refer to the CPU (Central Processing Unit) only; computer is useless without the devices that allow for input (e.g., the Keyboard or the mouse) and output (e.g., a monitor or printer) of Information. These devices are known as "peripherals,"' and they are an integral part of any "computer system. It means "[t]he input/output units and auxiliary storage units of a computer system, attached by cables to the central processing unit.[2]

11. Thus, searching and seizing the Digital Evidence in computers will often refer to the hardware, software, and data contained in the main unit. Printers, external modems (attached by cable to the main unit), monitors, and other external attachments will be referred to collectively as "peripherals" and discussed individually where appropriate. When we are referring to both the computer and all attached peripherals as one huge package, we will use the term "computer system." "Information" refers to all the information on a computer system, including both software applications and data.[3]

Software is the term used to describe all of the programs we use when we employ the computer for some task; it is usually delivered to us on either one or more small magnetic disks or CD-ROMs.There are two basic categories of software: system software and application software. System software consists of the programs that manage our operation of the computer; while application software consists of the programs that allow us to work on higher-level tasks. They all compose the evidence searched.

12. Hardware searches are not conceptually difficult. Like searching for weapons, the items sought are tangible. They occupy physical space and can be moved in familiar ways. Searches for data and software are far more complex. For purposes of clarity, these types of searches must be examined in two distinct groups: (1) searches where the information sought is on the computer at the search scene and (2) searches where the information sought has been stored off-site, and the computer at the search scene is used to access this off-site location.

13. In some cases, the distinction is...

Add comment  Email to a Friend

Discussion is closed - view comments archieve
2005-11-30 23:14:28 - i think you should have cases in which... anonamous
Total 1 comments
Copyright © 2001-2013 Computer Crime Research Center
CCRC logo