Digital Evidence Flashcards
Witness Evidence:
Eyewitnesses or expert witnesses drawing on specialist skills. Transcripts of interviews under caution can be used. Recording used under Police and Criminal Evidence Act 1984 (PACE)
Documentary Evidence:
Documents, not limited to written documents. Commonly subject to some form of authentication
Real Evidence:
Physical evidence in form of material objects. Proves a fact based on demonstrable and verifiable physical characteristics
Daubert Test Guidelines:
1) Judge must ensure scientific expert testimony proceeds from scientific knowledge
2) Judge must ensure the expert testimony is relevant to task at hand and rests on reliable foundation
3) Requires the use of scientific methodology
Daubert Case Key Parameters for Scientific Methodology:
1) Empirical Testing: Whether theory or technique is falsifiable, irrefutable and/or testable
2) Whether it's been subjected to peer review and publication
3) Known or potential error rate
4) Existence and maintenance of standards and controls concerning operation
5) Degree to which theory and technique is accepted by relevant scientific community
Relevant Evidence:
Logically goes to proving or disproving some fact at issue in the prosecution
Admissibility:
- Relates to facts at issue or
- to circumstances that make those facts probable or improbable, and continuity of evidence
- Whilst no general test has been specified, reproducibility is considered critical for reliability
Three categories of evidence obtained from computers:
1) Evidence processed by a computer when functioning as a calculator (real evidence)
2) Evidence that a computer is programmed to record (real evidence)
3) Evidence processed by a computer but entered by a person
A major issue for computer crime is the complexity of the underlying technology:
- Rarely the case any longer that evidence is located exclusively on a single physical device that can be analysed comprehensively
- Data may be distributed and even criminal acts may be distributed as in the case of botnets with obfuscated command and control channels
- Witnesses to computer crime scenes are usually other computers
- Digital forensics is fragile; any accidental or deliberate change, obliteration or relocation of evidence can render it void
Good Practice Guide for Digital Evidence - Principle 1 (Integrity):
No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court
Good Practice Guide for Digital Evidence - Principle 2 (Qualified):
In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions
Good Practice Guide for Digital Evidence - Principle 3 (Contemporaneous Notes):
An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result
Good Practice Guide for Digital Evidence - Principle 4 (Roles):
The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to
UK Forensic Science Regulator (FSR) Codes of Practice:
All forensic laboratories in the UK are required to comply with ISO 17025:2005 (General requirements for the competence of testing and calibration laboratories) and ISO 17020:2012 (Requirements for the operation of various types of bodies performing inspection)