Handling Digital Evidence

Introduction

A longstanding challenge in digital forensics is understanding how to handle digital evidence. Three sources of guidance govern the handling of evidence: the Federal Rules of Evidence (FRE), the Daubert Standard, and case law. This post goes over each of them and explains why they are important to know.

Authenticity of Digital Evidence

The authentication of digital evidence “requires evidence sufficient to support a finding that the matter in question is what the proponent claims”. Evidence is admissible in court if a judge finds it authentic.

Digital evidence is tougher to authenticate than paper. Modifications to paper records are easier to discern, whereas alterations to digital evidence are difficult to detect. Digital forensic experts provide integrity to an investigation by gathering and analyzing digital evidence.

Federal Rules of Evidence (FRE)

Both traditional (paper) and digital evidence are subject to the Federal Rules of Evidence (FRE). The Best Evidence Rule, which is in the FRE, is the legal standard that forensic tools and techniques must pass for evidence to be shown in court. The evidence gathered by the tools must accurately reflect the data.

Rule 702 addresses guidelines for evidence to be admissible. Some of the guidelines are:

  • Have the theories and techniques been tested?
  • Have the methods been peer reviewed?
  • What is the error rate of the technique?
  • Are they subject to standards governing the application?
  • Is there global acceptance of the method?

The admissibility of evidence focuses on the expert’s methodology and not on the outcome of the expert’s analysis. There are two requirements for evidence to be admissible: the evidence must be relevant, and it must be derived by the scientific method and supported by validation. The scientific method helps provide repeatable and reproducible results for any investigation. It gives digital forensic cases a strict process to follow, which leads to similar results for each investigation.

Daubert Standard

The Daubert Standard lets a digital forensic expert give opinion testimony if the opinion is based on “scientific knowledge” that helps the jurors determine if the digital evidence is pure and unadulterated. This ruling is based on the Daubert vs. Merrell Dow Pharmaceuticals court case. The Supreme Court set out guidelines for deciding whether the methodology or reasoning of a digital examiner is valid and reasonable. The guidelines are similar to those of Rule 702 in the section above.

Case Law

The United States uses a “common law” legal system that allows judges to create or refine the law. Case law is used to determine the admissibility of digital evidence. Corporations have been penalized for not preserving and producing evidence in a timely manner (spoliation), as in the ‘Zubulake vs. UBS Warburg’ case.

Common law vs civil law
