Before delving into the investigative process and computer forensics, it is essential that the investigator have a thorough understanding of the Rules of Evidence. The submission of evidence in any type of legal proceeding generally amounts to a significant challenge, but when computers are involved, the problems are intensified.
Special knowledge is needed to locate and collect evidence, and special care is required to preserve and transport it. Evidence in a computer crime case may differ from traditional forms of evidence in that most computer-related evidence is intangible: an electronic pulse or a magnetic charge. Before evidence can be presented in a case, it must be competent, relevant, and material to the issue, and it must be presented in compliance with the rules of evidence. Anything that tends to prove, directly or indirectly, that a person may be responsible for the commission of a criminal offense may be legally presented against that person.
Proof may include the oral testimony of witnesses or the introduction of physical or documentary evidence. By definition, evidence is any species of proof or probative matter, legally presented at the trial of an issue, by the act of the parties and through the medium of witnesses, records, documents, and objects for the purpose of inducing belief in the minds of the court and jurors as to their contention. In short, evidence is anything offered in court to prove the truth or falsity of a fact in issue. This section describes each of the Rules of Evidence as it relates to computer crime investigations.
I. Types of Evidence
Many types of evidence exist that can be offered in court to prove the truth or falsity of a given fact. The most common forms of evidence are direct, real, documentary, and demonstrative.
• Direct evidence is oral testimony, whereby the knowledge is obtained from any of the witness’s five senses and is in itself proof or disproof of a fact in issue. Direct evidence is called to prove a specific act (e.g., an eyewitness statement).
• Real evidence, also known as associative or physical evidence, consists of tangible objects that prove or disprove guilt: tools used in the crime, fruits of the crime, or perishable evidence capable of reproduction. Its purpose is to link the suspect to the scene of the crime. It is evidence that has material existence and can be presented to the view of the court and jury for consideration.
• Documentary evidence is evidence presented to the court in the form of business records, manuals, and printouts, for example. Much of the evidence submitted in a computer crime case is documentary evidence.
• Demonstrative evidence is evidence used to aid the jury. It may be in the form of a model, experiment, chart, or an illustration offered as proof.
When seizing evidence from a computer-related crime, the investigator should collect any and all physical evidence, such as the computer, peripherals, notepads, or documentation, in addition to computer-generated evidence.
II. Computer-Generated Evidence
Four types of computer-generated evidence are:
• Visual output on the monitor.
• Printed evidence on a printer.
• Printed evidence on a plotter.
• Output to a film recorder or other recording medium (i.e., a magnetic representation on disk or an optical representation on CD).
A legal factor of computer-generated evidence is that it is considered hearsay. The magnetic charge on the disk or the electronic bit value in memory that represents the data is the actual, original evidence; the computer-generated output is merely a representation of it. Where that output is produced and used in the regular course of business, it may be admitted under the business records exception to the hearsay rule discussed below.
III. Best Evidence Rule
The Best Evidence Rule, which was established to deter alteration of evidence, whether intentional or unintentional, states that the court prefers the original evidence at trial rather than a copy, but will accept a duplicate under these conditions:
• The original was lost or destroyed by fire, flood, or other act of God. In practice this has included destruction by careless employees or cleaning staff.
• The original was destroyed in the normal course of business.
• The original is in the possession of a third party who is beyond the court’s subpoena power.
The rule has been relaxed to allow duplicates unless there is a genuine question as to the original’s authenticity, or admitting the duplicate would, under the circumstances, be unfair. Even with this relaxation, many district attorneys and prosecuting attorneys may still require that an original be submitted in evidence, or at least be accessible if it becomes absolutely necessary.
IV. Exclusionary Rule
Evidence must be gathered by law enforcement in accordance with court guidelines governing search and seizure, or it will be excluded under the Fourth Amendment. Any evidence collected in violation of the Fourth Amendment is considered “fruit of the poisonous tree” and will not be admissible.
Furthermore, any evidence identified and gathered as a result of the initial inadmissible evidence will also be held inadmissible. Evidence may also be excluded for other reasons, such as violations of the Electronic Communications Privacy Act (ECPA), which is codified in Title 18 of the United States Code at §§ 2510 et seq. (interception of wire, oral, and electronic communications) and §§ 2701 et seq. (stored wire and electronic communications).
Private citizens are not subject to the Fourth Amendment’s guidelines on search and seizure, but evidence they gather is still exposed to exclusion for violations of the ECPA or the Privacy Act. Therefore, internal investigators, private investigators, and CERT team members should take care when conducting any internal search, even on company computers.
For example, if there is no policy explicitly stating the company’s right to monitor network traffic on company systems electronically, internal investigators would be well advised not to set up a sniffer on the network to monitor such traffic. To do so may be a violation of the ECPA.
V. Hearsay Rule
Hearsay is second-hand evidence: evidence not gathered from the personal knowledge of the witness but from another source. Its value depends on the veracity and competence of the source. Under the Federal Rules of Evidence, all business records, including computer records, are considered hearsay, because there is no firsthand proof that they are accurate, reliable, and trustworthy. In general, hearsay evidence is not admissible in court. However, there are well-established exceptions to the hearsay rule for business records (e.g., Rule 803).
VI. Business Record Exemption to the Hearsay Rule
Federal Rule of Evidence 803(6) allows a court to admit a report or other business document made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of regularly conducted business activity, and if it was the regular practice of that business activity to make the [report or document], all as shown by testimony of the custodian or other qualified witness, unless the source of information or the method or circumstances of preparation indicate lack of trustworthiness.
To meet Rule 803(6), the witness must:
• Have custody of the records in question on a regular basis.
• Rely on those records in the regular course of business.
• Know that they were prepared in the regular course of business.
Audit trails meet these criteria if they are produced in the normal course of business, and the process that produces the output must be proven reliable. If computer-generated evidence is admitted, the court may order disclosure of the details of the computer, its logs, and the maintenance records of the system that generated the printout, and the defense may use that material to attack the reliability of the evidence. If the audit trails are not used or reviewed in the regular course of business (at least the exceptions, such as failed logon attempts), they do not meet the criteria for admissibility.
Federal Rule of Evidence 1001(3) offers another route to admissibility. It treats a printout or other output readable by sight that accurately reflects data stored in a computer as an original, which allows a memory or disk dump to be admitted even though it was not produced in the regular course of business. Such a dump merely acts as a statement of fact: system dumps (in binary or hexadecimal) are not hearsay, because they are not offered to prove the truth of their contents but only the state of the computer.
VII. Chain of Evidence: Custody
Once evidence is seized, the next step is to provide for its accountability and protection.
The chain of evidence, which provides a means of accountability, must be adhered to by law enforcement in any type of criminal investigation, including a computer crime investigation. It helps to minimize opportunities for tampering. The chain of evidence must account for every person who handled or had access to the evidence in question. The chain of evidence shows:
• Who obtained the evidence?
• Who secured the evidence?
• Who had control or possession of the evidence?
It may be necessary for anyone associated with the evidence to testify at trial. Private citizens are not required to maintain the same level of control over the evidence as law enforcement, although they are well advised to do so. Should an internal investigation result in the discovery and collection of computer-related evidence, the investigation team should follow the same detailed chain of evidence required of law enforcement. This will help to dispel any objection by the defense that the evidence is unreliable, should the case go to court.
VIII. Admissibility of Evidence
The admissibility of computer-generated evidence is, at best, a moving target. Computer-generated evidence is always suspect because of the ease with which it can be altered, usually without a trace. Precautionary measures must be taken to ensure that computer-generated evidence has not been tampered with, erased, or added to.
To ensure that only relevant and reliable evidence is entered into the proceedings, the judicial system has adopted the concept of admissibility:
• Relevancy of Evidence: Evidence tending to prove or disprove a material fact. All evidence in court must be relevant and material to the case.
• Reliability of Evidence: The evidence and the process to produce the evidence must be proven to be reliable. This is one of the most critical aspects of computer-generated evidence.
IX. Evidence Life Cycle
The evidence life cycle starts with the discovery and collection of the evidence. It progresses through the following series of states until the evidence is finally returned to the victim or owner:
• Collection and identification.
• Storage, preservation, and transportation.
• Presentation in court.
• Return to the victim (i.e., the owner).
• Collection and Identification. As the evidence is obtained or collected, it must be properly marked so that it can be identified as being that particular piece of evidence gathered at the scene. The collection must be recorded in a log book identifying that particular piece of evidence, the person who discovered it, and the date, time, and location discovered. The location should be specific enough for later recollection in court. When marking evidence, these guidelines should be followed:
• If marking will not damage it, the actual piece of evidence should be marked by writing or scribing initials, the date, and the case number, if known. The evidence should then be sealed in an appropriate container, and the container marked in the same way.
• If the actual piece of evidence cannot be marked, it should be sealed in an appropriate container and that container marked by writing or scribing initials, the date, and the case number, if known.
• The container should be sealed with evidence tape, and the marking should be written across the tape so that a broken seal will be noticed.
• When marking glass or metal, a diamond scriber should be used. For all other objects, a felt tip pen with indelible ink is recommended. Depending on the nature of the crime, the investigator may wish to preserve latent fingerprints. If so, static-free nitrile gloves should be used when working with computer components, instead of standard latex gloves.
X. Storage, Preservation, and Transportation
• Documents and disks (e.g., hard, floppy, and optical) should be seized and stored in appropriate containers to prevent their destruction. For example, hard disks should be packed in a static-free bag within a cardboard box with a foam container. It may be best to rely on the system administrator or a technical advisor on how to best protect a particular type of system, especially mini-systems or mainframes.
• Finally, evidence should be transported to a location where it can be stored and locked. Sometimes, the systems are too large to transport, thus the forensic examination of the system may need to take place on site.
XI. Evidence Presented in Court
Each piece of evidence that is used to prove or disprove a material fact must be presented in court.
• After the initial seizure, the evidence is stored until needed for trial. Each time the evidence is transported to and from the courthouse for the trial, it must be handled with the same care as with the original seizure. In addition, the chain of custody must continue to be followed. This process will continue until all testimony related to the evidence is completed. Once the trial is over, the evidence can be returned to the victim (i.e., owner) or disposed of properly.
XII. Returned to Victim
The final destination of most types of evidence is back with its original owner.
Some types of evidence, such as drugs or paraphernalia, are destroyed after the trial. Any evidence gathered during a search, even though maintained by law enforcement, is legally under the control of the courts. Even though a seized item may be the victim’s and may even have the victim’s name on it, it may not be returned to the victim unless the suspect signs a release or after a hearing by the court. However, many victims do not want to go to trial. They just want to get their property back.
Many investigations need only the information on a disk to prove or disprove a fact in question, so there is no need to seize the entire system. Once a schematic of the system is drawn or photographed, the hard disk can be removed and transported to a forensic lab for copying. Bit-for-bit (mirror) copies of the suspect disk are made with forensic software, and one of those copies can be returned to the victim so that he or she can resume business operations.
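The chain of evidence described in Section VII (who obtained, secured, and possessed the evidence), the tamper-detection concern in Section VIII, and the mirror copies in Section XII come together in practice as a custody log tied to a cryptographic hash of the seized data. The Python below is an added example, not code from the original text or from any forensic tool it mentions. The case number, names, timestamps, locations, and the "disk image" bytes are all constructed for illustration, and hash-chaining the log entries so that the log itself is tamper-evident is a design choice of this example, not a requirement stated in the text.

```python
"""Chain-of-custody log with integrity hashes for a seized disk image.

Added example, not part of the original text. Every identifier below
(case number, item, persons, locations, timestamps, image bytes) is constructed.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    """One handling event: who did what to the item, where, and when."""
    action: str          # collected, sealed, transferred, imaged, presented, returned
    person: str
    location: str
    timestamp: str
    note: str = ""
    prev_hash: str = ""  # digest of the previous entry; links the log into a chain
    entry_hash: str = ""

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("entry_hash")            # the hash covers everything but itself
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


@dataclass
class EvidenceItem:
    case_number: str
    item_id: str
    description: str
    original_sha256: str                  # taken at seizure, before any copying
    log: list = field(default_factory=list)

    def record(self, action, person, location, note="", when=None) -> CustodyEntry:
        when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self.log[-1].entry_hash if self.log else ""
        entry = CustodyEntry(action, person, location, when, note, prev)
        entry.entry_hash = entry.compute_hash()
        self.log.append(entry)
        return entry

    def log_is_intact(self) -> bool:
        """Recompute every entry hash and back-link; False if any entry was altered."""
        prev = ""
        for e in self.log:
            if e.prev_hash != prev or e.compute_hash() != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def verify_copy(self, image: bytes) -> bool:
        """A working copy is only usable if it hashes to the original's digest."""
        return sha256_hex(image) == self.original_sha256


def demo() -> dict:
    # Constructed stand-in for the contents of a seized hard disk.
    original_image = bytes(range(256)) * 16

    item = EvidenceItem("CASE-0001", "ITEM-01", "internal hard disk, workstation 12",
                        sha256_hex(original_image))
    ts = "2024-01-15T09:30:00+00:00"
    item.record("collected", "J. Doe (investigator)", "Room 402", "hashed at seizure", ts)
    item.record("sealed", "J. Doe (investigator)", "Room 402", "evidence tape, initials over seal", ts)
    item.record("transferred", "A. Smith (custodian)", "evidence locker 7", "", "2024-01-15T11:00:00+00:00")

    working_copy = bytes(original_image)           # bit-for-bit copy for the lab or the victim
    copy_ok = item.verify_copy(working_copy)
    item.record("imaged", "A. Smith (custodian)", "forensic lab",
                f"working copy sha256 match={copy_ok}", "2024-01-16T08:00:00+00:00")

    tampered = bytearray(original_image)
    tampered[100] ^= 0x01                           # a single flipped bit is enough to fail
    tampered_ok = item.verify_copy(bytes(tampered))

    log_ok = item.log_is_intact()
    item.log[1].person = "someone else"            # simulate an after-the-fact edit to the log
    log_tampered_ok = item.log_is_intact()

    return {"copy_ok": copy_ok, "tampered_ok": tampered_ok,
            "log_ok": log_ok, "log_tampered_ok": log_tampered_ok,
            "entries": len(item.log)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points a practitioner should take from running it: the hash is recorded at seizure, before any copy is made, so every later copy can be checked against the original rather than against another copy; and each log entry carries the digest of the previous one, so a custodian's name cannot be changed later without every subsequent entry failing verification.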