Lecture 2 Digital Forensics: Best Practices & Admissibility

Admissibility of Digital Evidence

  • Courts assess whether digital evidence is suitable and safe to rely on in reaching a judgment.

  • Admissibility is decided by a judge applying a set of legal tests.

  • Rules vary by jurisdiction; investigators must be aware of these tests.

Assessing Admissibility of Evidence

  • Key tests include:

    • Proper handling

    • Reliability

    • Authenticity

    • Hearsay

    • Best evidence

    • Scientific evidence

    • Authorised search & seizure

ACPO Guidelines for Proper Handling (UK)

  • The Association of Chief Police Officers (ACPO) published the Good Practice Guide for Digital Evidence; its four principles remain the reference point for handling in the UK.

  • Principle 1: No action taken by investigators should change data that may later be relied upon in court; preserve evidence integrity.

  • Principle 2: Where it is necessary to access original data, the person doing so must be competent and able to explain in evidence the relevance and the implications of their actions.

  • Principle 3: An audit trail or other record of all processes applied to digital evidence must be created and preserved, so that an independent third party can repeat those processes and reach the same result.

  • Principle 4: The person in charge of the investigation has overall responsibility for ensuring the law and these principles are adhered to.

  • The ACPO guidelines are treated as authoritative nationally and internationally, but are criticised for not having been updated (ACPO itself was replaced by the NPCC in 2015) and for leaving "competence" in Principle 2 undefined and unassessed.

Reliability of Digital Evidence

  • Assess whether the system or process that produced the digital evidence (the logging system, the acquisition tool, the analysis tool) yields accurate results.

  • Separately, assess the reliability of the digital evidence itself: is this particular record accurate, complete and correctly interpreted?

  • Both questions become harder when the output comes from an AI/ML system whose decision process cannot be fully explained or reproduced.

Authenticity of Digital Evidence

  • Satisfy the court that:

    1. Evidence was acquired from a specific system/location.

    2. A complete and accurate copy was acquired.

    3. The evidence remained unchanged since collection.

  • Two instruments are used to demonstrate the authenticity of digital evidence: (i) the chain of custody and (ii) proof of integrity.

Chain of Custody (controlling access to physical evidence) & Hashing (proving evidence is unchanged)

  • The chain of custody controls and records access to physical evidence (who had it, when, and why).

  • Hashing proves that the evidence has not changed since it was collected.

  • Assurance of integrity is provided to a Court of Law via cryptographic hashing: the digest is computed at acquisition and recomputed before and after each examination, and the values must match.

  • Document the hash value (digest) of every evidence item, including bit-by-bit copies of hard drives or mobile devices, files exported from such a bit-by-bit copy, and network captures.

  • Use an algorithm that is still collision resistant: MD5 and SHA-1 are commonly reported by imaging tools for compatibility, but both are broken for collision resistance, so record SHA-256 (or stronger) alongside them.

Admissibility of evidence: Hearsay

  • Hearsay is an out-of-court statement repeated in court to prove its truth; generally inadmissible.

  • Strictly, hearsay applies only to human-generated content such as emails and chat messages.

  • Machine-generated digital evidence produced without human input (browsing history, system logs, ATM receipts) is not hearsay; the issues there are authenticity and reliability.

  • Hearsay rules differ by forum: hearsay is generally admissible in UK civil proceedings but only conditionally admissible in criminal proceedings.

Admissibility of evidence: Best Evidence

  • Provide the best available evidence to court.

  • Courts accept an identical duplicate (e.g., a forensic image whose hash matches the original) unless its authenticity or accuracy is questioned.

  • A printout that drops parts of the original (e.g., tracked changes, comments or metadata in a Word document) may not be accepted as the best evidence.

Admissibility of evidence: Search Warrants

  • Evidence obtained without legal authorization isn't admissible.

  • Warrants require reasonable grounds to believe a crime occurred and evidence exists at the location.

  • UK warrants need not specify what will be seized, just the offence.

Admissibility of evidence: Scientific Evidence

  • Investigative tools and methods can be challenged.

  • The Daubert standard is the US test for evaluating novel scientific tools and methods; the UK Law Commission drew on similar criteria in its proposals on expert evidence.

  • The UK Law Commission's reading of the Daubert factors:

    1. Testability of the theory or technique.

    2. Peer review and publication.

    3. Known error rate and standards.

    4. Widespread acceptance.

ISO/IEC 17025:2017

  • The Forensic Science Regulator's (FSR) Code of Practice requires ISO/IEC 17025 accreditation for digital forensic services.

  • Accreditation ensures consistent standards and lets courts rely on the validity of the evidence produced.

  • Rolled out in the UK in phases, with mandatory accreditation first for data acquisition/extraction and then for examination/analysis.

  • Labs that lack ISO/IEC 17025 accreditation must declare their non-compliance with the Code.

General Forensics Guidelines

  • Minimize impact on evidence.

  • Document everything for reproducibility; maintain an audit trail (contemporaneous notes).

  • Secure evidence: take offline, restrict access, hash files; maintain a chain of custody.

Note Taking

  • Notes should be clear, intelligible, accurate, and contemporaneous (up-to-date, chronological, timestamped).

  • Examiners should record everything seen, heard, and done.

  • Notes should enable recall of actions long after the investigation and allow others to understand the work if the examiner is unavailable.

In a nutshell: General forensics guidelines

Cause as little impact on the evidence as possible
  Examine the evidence but >>> don't alter it!

Document everything
  Reproducibility is key: the timestamp and details of each step of the investigation have to be recorded
  >>> Maintain an audit trail (i.e., contemporaneous notes)

Secure the evidence
  Take it offline, restrict access, hash evidence files (integrity)
  >>> Maintain a chain of custody (access log) for traceability of who had access to the evidence, when & why