When it comes to presenting digital evidence for use in court, the same levels of care must be applied as with non-digital evidence.

Crime is a part of human life, and for a crime to be solved, investigators must reconstruct the crime scene and analyze the actions of both the suspect and the victim so that any evidence can be identified and used to support legal proceedings.

As technology has evolved, criminals can now use new methods to commit traditional crimes and develop new types of crimes. Crimes committed through the use of technology still require the same investigative principles, although the scene may now be a virtual environment that must be protected and examined as digital evidence.

Digital evidence is information or data of probative value that is stored or transmitted by a computer or digital device and can be defined as follows:

‘Any data stored or transmitted using a computer that supports or refutes a theory of how a crime occurred or that addresses critical elements of the crime, such as intent or alibi’ (Casey, E., Dunne, R. (2004) Digital Evidence and Computer Crime, Forensics, Computer Science, and the Internet St. Louis: Academic Press).

A broader range of devices are capable of storing large amounts of data, and digital evidence can be found on an increasing number of types of storage media, including computer hard drives, mobile phones, and removable media, like memory cards.

As an expert witness and digital forensics consultant, I find that digital evidence is becoming more prevalent within a broader range of criminal and civil cases, including murder, illegal imaging, child care cases, business and employment disputes. These cases may require examination of the evidence to determine whether it has been used to commit or facilitate a crime, as well as to identify supporting material for either side of a legal case.

For digital evidence to be admissible in court, a number of criteria must be met, including ensuring that the evidence has not been tampered with and that an auditable trail has been maintained relating to the storage and investigation of the evidential device or medium. The key points of digital evidence handling and investigation are provided below:

Actions taken to secure and collect digital evidence must not affect the integrity of that evidence;

Persons conducting an examination of digital evidence must be trained for this purpose;

Activity related to the seizure, examination, storage, or transfer of digital evidence must be documented, retained, and available for review.

(US Department of Justice (2004) Forensic Examination of Digital Evidence: A Guide for Law Enforcement, Washington).

The nature of digital devices also makes them particularly susceptible to damage or corruption. Because devices are constantly required to be physically smaller but larger in capacity, their components become smaller and more delicate, so even storing a device in an unsuitable environment can cause corruption and the loss of some or all of its data.

Therefore, to ensure its integrity, a ‘chain of custody’ related to the evidence must be established. Typically, this equates to a paper record detailing the whereabouts of all evidence sources during custody, together with details of who has access to them, when, and what action was taken with them. This, together with a comparison and review of the digital media itself, should allow an independent examiner to agree that a given item of media has not been corrupted or compromised after seizure.

As the level of understanding of how computers and mobile phones work within legal cases has developed, those who investigate cases involving digital evidence have become more knowledgeable about methods of seizure and handling. Previously, it was not uncommon to find cases where digital evidence had been activated and operated by a ‘curious’ investigating officer to ‘see what was there’.

Fortunately, much more emphasis is now placed on audit trails and the correct storage of evidence, and today such activity by untrained individuals is rare. Adherence to computerized evidence guidelines is crucial to ensure that the evidence considered is all that was available, and that an examination is not based on faulty evidence that is only partially complete.

As a forensic investigator, I was recently involved in a case that highlights the importance of ensuring the integrity of digital evidence. The case involved an unemployed middle-aged man who lived alone and supported himself, although he used his computer to talk to other people within chat rooms.

He had been in contact with one of his friends online through a chat room for eight months before they asked him to do them a favor and cash a check that their elderly mother could not cash herself. His expenses were going to be covered and he saw no problem in transferring the money to the friend’s mother’s account. Unfortunately, he did not even consider that the check might be fraudulent until he found himself at a police station being questioned on suspicion of trying to cash a fraudulent check.

He provided the police with his version of events; fortunately, his home computer had also been seized. They examined the computer and found evidence indicating that the defendant had been in contact with the individual, but found no evidence to support the origins of the check or the story behind it. He was subsequently charged with fraud and was due to appear for trial in Crown Court.

Given the partial evidence identified by police, the defendant’s attorneys understood the situation well enough to know that a second opinion on the computer hard drive should be obtained to determine whether evidence of any computer chat logs could be found.

It was only after careful review of deleted areas of the hard drive, in conjunction with the use of data recovery software, that chat log activity supporting the defendant’s version of events was identified. The record showed that the defendant and his friend had conversed on several occasions and also confirmed the origin of the check. After months of investigation, and following the identification of this evidence, the case was dropped on the morning of the trial.

If the computer evidence had not been sufficiently protected and secured after the seizure, and the data present had been altered in any way, either by use of the hard drive or by mishandling of the drive, the relatively small piece of crucial evidence could have been lost and the defendant’s version of events could not have been supported.

During the digital evidence examination process, it is standard procedure that the evidence is connected to a suitable system that uses write-protect hardware so that the original device cannot be tampered with or accessed.

Due to the volatility of digital evidence, best practice is to take a forensic “image” of the hard drive or storage device that consists of an exact byte-for-byte copy of all data and space, both live files and deleted information, which is present on the device. This forensic image then forms the basis of investigation and analysis, and the original exhibit can be safely stored.

At the beginning of the forensic copy process, the device is assigned an acquisition hash value (most commonly an MD5 hash value). Once the evidence has been forensically acquired (imaged, i.e. copied), it is assigned a verification hash value.

The hash mechanism is currently believed to indicate that the acquired evidence is a complete and accurate copy of the data contained on the original device, and that if the acquisition and verification hashes match, then the evidence cannot have been tampered with.

There are several types of hash value, including HAVAL, MD5, and SHA. The forensic field has embraced the MD5 hash as a method of proving that one file is identical to another, or that an item of digital evidence has not been tampered with since its original acquisition. The MD5 hash value was developed in 1991 by Professor Ronald L. Rivest.

Since the MD5 algorithm is based on a 128-byte block of data, it would seem that there is a chance that the data in a digital media item can be tampered with while its MD5 hash value remains unchanged. Given this, I am currently conducting research to try to verify whether an item of digital evidence can be modified without changing its MD5 hash value.
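The imaging and hashing procedure described above (write-blocked source, byte-for-byte image, acquisition hash, verification hash, chain-of-custody record), as an added example written for this page rather than code from the original article. It copies a constructed in-memory "device" byte for byte, records the acquisition hash from the source bytes as they are read, re-hashes the written image for the verification hash, writes both into custody log entries, and shows that a single flipped bit in the image is caught at verification. MD5 is computed because it is the hash the article describes; SHA-256 is computed alongside it because MD5 collisions have been publicly demonstrated since 2004, so recording a second hash over the same image is the usual mitigation when an examiner is asked whether the MD5 match alone can be trusted. The exhibit id, examiner name and device contents are constructed placeholders.

```python
import hashlib
import io
from datetime import datetime, timezone

# MD5 is the hash the article describes; SHA-256 is recorded alongside it so
# that verification does not rest on MD5 alone.
HASH_ALGOS = ("md5", "sha256")
CHUNK = 4096


def _new_hashers():
    return {algo: hashlib.new(algo) for algo in HASH_ALGOS}


def _digests(hashers):
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def hash_stream(stream):
    """Hash a seekable binary stream from the start in a single pass."""
    hashers = _new_hashers()
    stream.seek(0)
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return _digests(hashers)


def acquire_image(device, image):
    """Copy the device byte for byte (live and deleted areas alike) into the
    image, hashing the source bytes as they are read. The returned digests
    are the acquisition hashes."""
    hashers = _new_hashers()
    device.seek(0)
    image.seek(0)
    image.truncate(0)
    while True:
        chunk = device.read(CHUNK)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
        image.write(chunk)
    image.flush()
    return _digests(hashers)


def verify_image(image, acquisition):
    """Re-hash the written image (the verification hash) and compare every
    algorithm against the acquisition hash. Returns (verification, all_match)."""
    verification = hash_stream(image)
    all_match = all(verification[a] == acquisition[a] for a in HASH_ALGOS)
    return verification, all_match


def custody_entry(exhibit_id, examiner, action, hashes):
    """One chain-of-custody record: which exhibit, who handled it, what was
    done, when (UTC), and the hashes recorded at that point."""
    entry = {
        "exhibit": exhibit_id,
        "examiner": examiner,
        "action": action,
        "time_utc": datetime.now(timezone.utc).isoformat(),
    }
    entry.update(hashes)
    return entry


def run_acquisition(device_bytes, exhibit_id="EXHIBIT-001", examiner="Examiner A"):
    """Acquire and verify an image of an in-memory device, logging both steps.
    Returns (acquisition, verification, all_match, custody_log)."""
    device = io.BytesIO(device_bytes)  # stands in for a write-blocked block device
    image = io.BytesIO()
    log = []
    acquisition = acquire_image(device, image)
    log.append(custody_entry(exhibit_id, examiner, "image acquired", acquisition))
    verification, ok = verify_image(image, acquisition)
    log.append(custody_entry(exhibit_id, examiner,
                             "image verified" if ok else "VERIFICATION FAILED",
                             verification))
    return acquisition, verification, ok, log


def tampered_image_detected(device_bytes):
    """Acquire an image, then flip one bit of its first byte, as a mishandled
    or re-used drive might. Returns True if verification catches the change."""
    device = io.BytesIO(device_bytes)
    image = io.BytesIO()
    acquisition = acquire_image(device, image)
    image.seek(0)
    first = image.read(1)[0]
    image.seek(0)
    image.write(bytes([first ^ 0x01]))
    _, ok = verify_image(image, acquisition)
    return not ok


# Constructed sample device contents: a live file followed by unallocated
# space that still holds a fragment of a deleted chat log.
SAMPLE_DEVICE = (b"LIVE: letter.txt -- ordinary document\n" + b"\x00" * 64
                 + b"DELETED: chat log fragment, cheque discussed here\n" + b"\x00" * 64)

if __name__ == "__main__":
    acq, ver, ok, log = run_acquisition(SAMPLE_DEVICE)
    for entry in log:
        print(entry)
    print("verification matched:", ok)
    print("tamper detected:", tampered_image_detected(SAMPLE_DEVICE))
```

On a real exhibit the device stream would be the block device opened read-only behind a hardware write-blocker and the image written to a separate evidence drive; the custody entries would be appended to the case file so that an independent examiner can repeat `verify_image` against the same recorded hashes.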

Such a finding would mean that a technique exists which allows alteration of digital evidence without any change to the assigned hash value. The result of this investigation may be that it is possible to alter an item of digital evidence enough to render current hashing techniques unreliable in court.
