This week's reading (Chapters 3 and 4 of the text) starts to answer the question: “What is digital evidence?” - not in the physical sense but in the legal sense. The text then discusses what steps you should take to identify and collect it.
- Chapter 3 talks about four basic classifications of evidence that can be applied to items of potential investigative value:
Testimonial Evidence – Testimony or a statement by an individual about what they observed or experienced through any of their senses. For example, a witness may have heard tires screech and a loud crash but not actually have seen the accident. In this example, even though he didn’t actually see the crash, the witness’s testimony is still valuable. It can help pinpoint the time of a crash, determine the number of vehicles involved, or explain what the lighting or weather conditions were at the time of the accident. Testimonial evidence can be significant as either direct or corroborating evidence. “Expert testimony” is a subclass of testimonial evidence that allows a subject matter expert (once accepted by the court) to offer opinions and interpretations of other evidence that has been or will be presented. A non-expert usually cannot offer opinions in his testimony.
Real Evidence – Also called physical evidence, this is something you can see and touch. Examples might include a murder weapon, a hard disk drive, fingerprints, blood or other bodily fluids, clothing, stolen property, etc.
Documentary Evidence – Documents (records, checks, photographs, for example) that are like real evidence in that they may be physical items (like printed materials). Documentary evidence also includes results of the analysis of documents or records to show a pattern of behavior. For example, you examine (and create) potential documentary evidence each time you balance your checkbook.
Demonstrative Evidence – Evidence that utilizes or requires a demonstration, such as the use of a chart or map, to help prove what happened. Demonstrative evidence is most often created by an expert witness. An example might be using a dummy to show how a person was standing when he was shot, or it could be a flow chart showing how money was moved between different accounts.
All four types of evidence can be, and frequently are, used together in court to prove or disprove the facts of a case.
Here is your first discussion topic for this week:
1. You are a digital forensic examiner and have been asked to examine a hard drive for potential evidence. Give examples of how the hard drive, or the data on it, could be used as - or lead to - the presentation of all four types of evidence in court. If you believe that one or more of the types of evidence would not be included, clearly explain why not.
II. Another part of Chapter 3 discusses search and seizure or the ability to retrieve evidence.
Over the past two weeks, some of you have mentioned search warrants in your discussions. The Fourth Amendment to the U.S. Constitution (and the Supreme Court’s subsequent interpretations of it) requires that, before a search can be conducted and evidence can be seized, the Government must obtain a search and seizure warrant (based on probable cause) from an impartial magistrate. There is no similar requirement for a private person or organization to obtain a search warrant or work under the same constraints.
However, the line can be blurred if, for example, a private person or organization searches property or seizes evidence (without a warrant) and subsequently turns it over to the Government. In fact, they may be able to do so even if the search would not have been legal (if performed by law enforcement), or even if they did not have the right to enter the place to be searched or committed civil trespass.
Although it may seem counterintuitive and like a violation of individual rights, the only time the Fourth Amendment applies to a private party is if the private party is acting as an agent for the Government or law enforcement (such as a Government contractor or a citizen asked by a police detective to gather information for a specific purpose or investigation).
There are, of course, exceptions to the requirements on the Government to obtain a search warrant prior to searching or seizing evidence. For example, the Government would not need a search warrant:
- When a person with proper authority gives consent to conduct the search (e.g., the company CEO gives permission to search company servers for company data), or
- When there are “exigent circumstances” that, if the time were taken to obtain a proper warrant, could result in the destruction of evidence or harm to another person. It should be noted, however, that searches undertaken due to exigent circumstances must be followed up with a legally obtained warrant as soon as the exigent circumstance has been effectively neutralized.
Exigent circumstances could come into play in a digital evidence case when (for example) the owner of a computer likely containing digital evidence knows of the investigation and could delete the evidence from his storage devices before a warrant could be obtained. However, while the storage devices could most likely be seized without a warrant to prevent data destruction, this exigent circumstance is not a valid reason to take the next step and conduct a forensic analysis of the storage media. To do this, a warrant must be obtained immediately.
If evidence is not seized properly, it may not be admissible in court. It is therefore important to know the rules governing what you can and cannot do, whether you are a private entity or an instrument of the Government. In order to sufficiently justify your actions from a legal perspective, you will also need to be able to explain why you took the steps you did. This is also helpful in minimizing any potential civil liability.
Let’s pause here for a caution: Search and seizure issues under the 4th Amendment are among the most complex and difficult issues in all of American jurisprudence. It is safe to say that these issues are argued every day in courts across the country. In this class, I neither want nor expect you to fully understand - much less discuss - the immense complexity and innumerable subtleties in 4th Amendment issues. This is not a law school constitutional law course. I do, however, need you to grasp that these issues are very real and will come into play in virtually every criminal case involving the acquisition and analysis of digital evidence. Your understanding of the basics will impact your actions in every case.
After you seize a device and have obtained the proper authority to conduct a search of its contents, you must then be able to testify that your next steps were forensically sound and within the scope of your search authority (whether granted by consent or warrant). Unless special precautions are taken, you risk changing digital data on a device each time you access it. For this reason, it is important you avoid conducting an analysis of an original (evidence) device (such as the suspect’s hard drive removed from his computer), but instead make a forensically sound copy (i.e., a bit-for-bit copy of the original made without altering the original data, often accomplished with the use of a tool called a write-blocker) suitable for examination.
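The point about a forensically sound copy is easiest to see in code. The following is an added illustration, not from the text or the course: it copies a constructed sample "drive" (a temporary file) block by block, hashes the original before and after the copy to show it was not altered, hashes the image to show it is bit-for-bit identical, and re-checks the image before examination. The write-blocker mentioned above is what enforces read-only access on a real drive; this script only demonstrates the verification bookkeeping an examiner would later testify to.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # read in fixed blocks so media larger than memory can be hashed

def sha256_of_file(path):
    """Hash a file block by block, opened read-only: the original is never written."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_image(source, image_path):
    """Bit-for-bit copy of source to image_path plus a verification record.
    The source is hashed before and after copying (it must not change) and the
    image once; the copy verifies only if all three digests and the sizes agree."""
    before = sha256_of_file(source)
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(chunk)
    return {
        "source_before": before,
        "source_after": sha256_of_file(source),
        "image": sha256_of_file(image_path),
        "size_match": os.path.getsize(source) == os.path.getsize(image_path),
    }

def acquisition_verified(record):
    return record["size_match"] and record["source_before"] == record["source_after"] == record["image"]

def image_still_matches(image_path, record):
    """Re-check before examination: the image must still hash to the original digest."""
    return sha256_of_file(image_path) == record["source_before"]

def run_demo():
    """Constructed sample: a temp file stands in for the evidence drive (hypothetical)."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence.bin")
    image = os.path.join(workdir, "evidence.dd")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * BLOCK_SIZE + 17))  # deliberately not block-aligned
    record = acquire_image(source, image)
    ok_at_acquisition = acquisition_verified(record)
    ok_before_exam = image_still_matches(image, record)
    with open(image, "ab") as f:  # simulate a damaged image: one appended byte
        f.write(b"\x00")
    ok_after_damage = image_still_matches(image, record)
    return ok_at_acquisition, ok_before_exam, ok_after_damage
```

A mismatch at any of these checks means the copy cannot be presented as a faithful duplicate of the original, which is exactly the testimony the paragraph above says you must be able to give.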
- Chapter 4 discusses common tasks facing a digital investigator, such as: 1) identifying the different types of devices you should look for when conducting a search, and 2) the preservation and analysis of those devices.
Here is your second discussion question this week (be sure to respond to all parts):
2. You have been asked to assist a law enforcement team that is serving a valid search warrant related to a child pornography investigation. You are serving as the digital forensic expert for the team, and, as such, have been assigned the task of identifying and collecting the digital evidence at the search location.
A. What steps should you take before the search?
B. What types of evidence should you look for when searching the residence?
C. What types of items would you seize?