The rapid development of technology and the use of digital devices such as mobile phones, computers and tablets, which have become an indispensable part of modern society, have resulted in a significant transition from the creation of physical to digital data.
In conjunction with the proliferation of technology, there is a tendency to use information derived from digital devices for criminal activities (e.g., cybercrimes like hacking, malware and internet fraud, but also traditional crimes such as homicide, drug trafficking and terrorism).
Consequently, the role of digital forensics in fighting crime is becoming ever more important and it is critical for law firms and courts to develop a well-thought-out strategy for such investigations.
Digital forensics follows a similar process to crime scene forensics when collecting evidence for a potential trial. The digital forensics process involves collecting, analysing and reporting on digital data in a way that is legally admissible. Digital evidence can also be used to prove whether a person has been involved in crimes that are unrelated to technology, such as murder or larceny.
The main repositories of digital evidence are computers, storage devices, telephones, networks, cloud servers and emails. However, as the Internet of Things develops, many other devices will provide digital evidence.
EVIDENCE ACQUISITION
Evidence acquisition should always be performed to ensure that it will be admissible in legal proceedings. The key criteria for handling such evidence are as follows:
- Under no circumstances should evidence be altered. No action should alter data held on a computer, storage media or network which may subsequently be relied on in court. Changes on a computer may occur by merely turning it on or moving the mouse.
- Where a person finds it necessary to access original data held on a computer or storage medium, they must be competent to do so and be able to give evidence to explain the actions taken. This principle applies even though an investigation may be time critical and evidence must be examined immediately.
- An audit trail or record of all processes applied to computer-based electronic evidence should be created and preserved. A third party should be able to repeat these processes and replicate the results.
- The person in charge of the investigation has the overall responsibility for ensuring that the law and the above principles are adhered to.
ADMISSIBILITY IN COURT OF LAW
Evidence is legally admissible when it:
The golden rule of admissibility is that all evidence which could be relevant is admissible and evidence that is irrelevant is inadmissible.
Therefore, the courts must determine whether digital evidence could be relevant to the disputed facts of the case and whether it is suitable and safe to be admitted in proceedings. In practice, admissibility is a set of legal tests carried out by a judge to assess an item of evidence according to the following criteria.
High-level criteria that can be used to identify the needs and admissibility of digital evidence in court are given below:
Digital evidence should be examined for traces of tampering, deletion or other changes. The system that produced the relevant results must function properly and produce accurate results. In this respect, the appointment of an IT expert who can obtain information from the computers, servers or other digital devices is a must.
In principle, evidence obtained in violation of a country's Constitution is inadmissible. As a result, some forms of digital evidence, such as IP addresses, may not be accepted by the courts, as the IP address of a user is closely connected with their privacy, a human right that is protected under the Constitution of that country. However, in some cases, evidence concerning the privacy of a person may be given to the police for investigation purposes. The ability to obtain such evidence is limited to cases where the police are investigating felonies and a court order has been issued for that purpose.
The courts must be satisfied that evidence was acquired from a specific system or location, and a complete and accurate copy of the digital evidence is needed. Further, evidence must remain unchanged from the time it was collected. This can be achieved by hashing the digital evidence (MD5, SHA). If the hash value is the same, it proves that the digital evidence has not been tampered with.
Two records are required: a chain of custody documenting every transfer of the evidence, and integrity documentation comparing the digital fingerprint of the evidence taken at the time of collection with its fingerprint in its current state.
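As an added illustration (not part of the original article), the following Python script shows the two records just described in working form: it fingerprints a constructed sample evidence image with both MD5 and SHA-256 at acquisition, appends a chain-of-custody entry on each hand-over, and later verifies that the current fingerprint still matches the one recorded at collection. The examiner names and source description are placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "disk image": stands in for an acquired evidence file.
EVIDENCE_IMAGE = b"MBR\x00" + bytes(range(256)) * 4 + b"end-of-image"

def fingerprint(data: bytes) -> dict:
    """Hash the evidence with both algorithm families named in the article (MD5, SHA)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def acquire(data: bytes, examiner: str, source: str) -> list:
    """Start a chain-of-custody log with the fingerprint taken at collection time."""
    return [{
        "action": "acquired",
        "by": examiner,
        "source": source,
        "when": datetime.now(timezone.utc).isoformat(),
        "fingerprint": fingerprint(data),
    }]

def transfer(log: list, data: bytes, from_person: str, to_person: str) -> list:
    """Record a hand-over; the receiver re-hashes and that result is logged too."""
    log.append({
        "action": "transferred",
        "from": from_person,
        "to": to_person,
        "when": datetime.now(timezone.utc).isoformat(),
        "fingerprint": fingerprint(data),
    })
    return log

def verify(log: list, data: bytes) -> bool:
    """Compare the current fingerprint with the one recorded at acquisition.
    Both digests must match; a change to a single byte fails the check."""
    original = log[0]["fingerprint"]
    return fingerprint(data) == original

if __name__ == "__main__":
    log = acquire(EVIDENCE_IMAGE, "examiner A", "laptop HDD, serial PLACEHOLDER")
    transfer(log, EVIDENCE_IMAGE, "examiner A", "examiner B")
    print(json.dumps(log, indent=2))
    print("intact:", verify(log, EVIDENCE_IMAGE))
    # A single altered byte (constructed tampering) is detected by verify().
    tampered = EVIDENCE_IMAGE[:10] + b"X" + EVIDENCE_IMAGE[11:]
    print("tampered intact:", verify(log, tampered))
```

In practice the log would be written to append-only storage and signed, and MD5 alone should not be relied upon because collisions can be manufactured; recording a SHA-2 digest alongside it is what makes the comparison meaningful.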
The best available evidence should be provided to the court. Courts generally accept identical duplicates, especially in cases where it is adequately proved that the original evidence has been lost or destroyed, unless a question is raised about the authenticity of the original and the accuracy of the copy.
Evidence may not be admitted in court if it has been obtained without authorization.
The admissibility of digital evidence and the tools, methods and techniques used in the investigation can be challenged in court.
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...