When it comes to submitting digital evidence for use in a trial, the same levels of care need to be applied as with non-digital evidence.
Crime is a part of human life and, for a crime to be resolved, investigators have to reconstruct the crime scene and analyse the actions of both the suspect and the victim so that any evidence can be identified and used to support and legal proceedings.
As technology has evolved, criminals are now able to use new methods to commit traditional crimes and develop new types of crimes. Crimes committed through the use of technology still require the same principles of investigation, though the scene can now be a virtual environment that must be secured and examined as digital evidence.
Digital evidence is information or data of an evidential value that is stored on or transmitted by a computer or digital device and can be defined as follows:
‘Any data stored or transmitted using a computer that support or refute a theory of how an offense occurred or that address critical elements of the offense such as intent or alibi’ (Casey, E., Dunne, R. (2004) Digital Evidence and Computer Crime Forensic Science, Computers and the Internet. St. Louis: Academic Press).
A wider array of devices are capable of holding larger amounts of data and digital evidence can be found on an increasing number of types of storage media, including, computer hard drives, mobile phones and removable media such as memory cards.
As an expert witness and Digital Forensic Consultant I am finding that digital evidence is becoming more prevalent within a wider range of both criminal and civil cases including murder, unlawful images, child care cases, commercial and employment disputes. These cases can require the examination of evidence to determine whether it had been used to commit or facilitate a crime as well as to identify supportive material for either side of a legal case.
In order for digital evidence to be admissible in court a number of criteria must be met, including, ensuring that the evidence has not been altered and that an auditable trail has been kept relating to the storage and investigation of the evidential device or media. The key points of the handling and investigation of digital evidence is provided as follows:
Actions taken to secure and collect digital evidence should not affect the integrity of that evidence;
Persons conducting an examination of digital evidence should be trained for that purpose;
Activity relating to the seizure, examination, storage, or transfer of digital evidence should be documented, preserved, and available for review.
(U.S. Department of Justice (2004) Forensic Examination of Digital Evidence: A Guide for Law Enforcement, Washington).
The nature of digital devices therefore makes them particularly susceptible to damage or corruption. Due to the constant requirement for devices to be physically smaller in size yet bigger in capacity, the components become ever smaller and more delicate, therefore, even storing the devices in an unsuitable environment can cause the corruption and loss of some or all of the data present.
Therefore, to ensure its integrity, a ‘chain of custody’ relating to the evidence should be established. This usually amounts to a paper trail detailing the whereabouts of all evidential sources during custody, along with the details of individuals having access to it, when and any actions taken with it. This, along with a comparison and review of the digital media itself should allow for the acceptance by an independent examiner that a given item of media has not been corrupted or compromised following seizure.
As the level of understanding of the operation of computers and mobile phones has developed within legal cases, those investigating cases involving digital evidence have a better awareness of the methods of seizure and handling. Previously it was not uncommon to find cases where the digital evidence had been switched on and operated by a ‘curious’ investigating officer to ‘see what was there’.
Thankfully, far greater emphasis is now placed on audit trails and storing the evidence correctly and, today, such activity by untrained individuals is now rare. The adherence to computer evidence guidelines is crucial to ensuring that the evidence considered is all that was available and basing an examination on flawed evidence that is only partially complete.
As a forensic investigator, I was recently involved in a case that highlights the importance of ensuring the completeness of digital evidence. The case involved an unemployed middle-aged man who lived on his own and kept himself to himself, though, used his computer to talk to other people within chat rooms.
He had been in contact with one of his online friends via a chat room for eight months before they asked for him to do them a favour and cash a cheque that their elderly mother was unable to do. His expenses were to be covered and he saw no problem with then transferring the money to the mother’s account. Unfortunately, he did not even think that the cheque could be fraudulent until he found himself in a police station and being interviewed on suspicion of attempting to cash a fraudulent cheque.
He provided police with his version of events; fortunately, they had also seized his home computer. They examined the computer and found evidence to indicate that the defendant had been in contact with the individual, yet found no evidence to support the origins of the cheque or the story behind it. He was subsequently charged with fraud and was due to appear for trial at Crown Court.
Given the partial evidence identified by the police, the defendant’s solicitors understood the situation sufficiently to know that a second opinion should be conducted of the computer hard drive to determine whether the evidence of any chat logs could be found on the computer.
It was only after a careful review of the deleted areas of the hard drive, along with the use of data recovery software that chat log activity was identified that supported the defendant’s version of events. The log proved that the defendant and his friend had conversed on a number of occasions and it also confirmed the origins of the cheque. After months of investigation, after the identification of this evidence, the case was dropped on the morning of the trial.
Had the computer evidence not been sufficiently protected and secured following seizure and the data present altered in any way, whether it be by use of the hard drive or improper handling of the drive, the relatively small piece of crucial evidence may have been lost and the defendant’s version of events could not have been supported.
During the examination process of digital evidence it is standard procedure for the evidence to be connected to a suitable system using write protecting hardware so that no alteration or access to the original device is possible.
Due to the volatility of digital evidence it is best practise to take a forensic ‘image’ of the hard drive or storage device that consists of an exact byte-by-byte copy of all data and space, both live files and deleted information, which is present on the device. This forensic image then forms the basis of the investigation and analysis and the original exhibit can then be securely stored.
At the start of the forensic copying process, the device is assigned an acquisition hash value (most commonly an MD5 hash value). Once the evidence has been forensically acquired (imaged, similar to copied) the evidence is assigned a verification hash value.
Currently, it is believed that the hash value mechanism indicates that the acquired evidence is a complete and accurate copy of the data contained on the original device and that if the acquisition and verification hash values match then no alteration of the evidence can have taken place.
Various types of hash value exist, including, HAVAL, MD5 and SHA. The forensic arena has adopted the MD5 hash as a method of proving that one file is identical to another or an item of digital evidence has not been altered since its original acquisition. The MD5 hash value was developed from 1991 by Professor Ronald L. Rivest.
As the MD5 algorithm is based on a 128-byte data block, it would appear that there is the possibility that the data on an item of digital media could be manipulated, yet the MD5 hash value not be altered. Given this, I am currently undertaking research to attempt to verify whether an item of digital evidence can be altered without changing its MD5 hash value.