Precedent (Australian Lawyers Alliance)
THE CHALLENGES OF INTERPRETING DIGITAL EVIDENCE IN THE COURT ROOM
By Allan Watt PhD
‘Computer forensics’ refers to the collection, preservation, analysis and presentation of computer-based evidence. In litigation, computer forensics often requires expert testimony.
Computer forensic evidence is considered to be just as important as any other forensic evidence. Whether the search and subsequent analysis are conducted pursuant to a search warrant seeking evidence for a criminal matter, or pursuant to an Anton Piller order, the same level of care in conducting the search of the electronic evidence is required.
COLLECTION
Regardless of whether the matter is criminal or civil, the same standards for collecting, gathering and ultimately presenting the evidence should be followed. Various methods are available, and most of them are determined by the software used for the collection and analysis of this evidence. Many investigators these days use specialist forensic software such as EnCase, published by Guidance Software; Forensic Toolkit, published by Access Data; Internet Evidence Finder, published by Magnet Forensics; and NUIX, among others. These tools allow an investigator to obtain an evidential standard image, which is the collection phase of data from a hard disk drive (HDD). Hardware write-blocking facilities allow an evidential standard image to be taken quickly, using the Microsoft Windows environment to take maximum advantage of the memory and processor power available on modern systems.
THE PRESERVATION PHASE
The purpose of taking an image is to obtain a non-intrusive exact clone of the HDD, showing that the drive has not been interfered with in any way. The modern imaging process also extracts every piece of physical digital evidence that is available for extraction from the magnetic media. The electronic media refers to the platters on the HDD, a CD or floppy disk, and even extends to tapes, memory sticks and cards. When obtaining the image with software like EnCase, the original data, once placed in these evidence files, cannot be altered in any way. It is called EnCase because it actually encases the entire physical contents of the HDD into a file that is encoded by the application itself.
The purpose behind this is to ensure that the contents cannot be viewed without the forensic software. The imaged drive through this process is placed into what is determined to be an evidence file. To reiterate, the imaging process provides a protected copy of the entire physical drive, including the deleted and unused areas and the original contents, and this copy cannot be modified or altered by an investigator. This provides protection for the investigator and also guarantees that the evidence has not been altered or tampered with in any way.
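The protection the preservation phase relies on is that the copy can be shown, at any later time, to be byte-for-byte identical to what was acquired. The following is an added example, not code from the article or from any of the products it names: it models a drive as a constructed byte string, takes a copy while reading the source only, records the digests examiners customarily note in a manifest, and later re-verifies the image. The case reference is a placeholder; real evidence-file formats such as EnCase's record acquisition hashes in their own container, which is not reproduced here.

```python
"""Added example: recording and re-verifying the integrity of a forensic image.

The drive content below is constructed for illustration only.
"""
import hashlib
import json

# Constructed stand-in for a physical drive: live content, a deleted fragment
# and some unused space. Real acquisitions copy every sector the same way.
SAMPLE_DRIVE = (
    b"CONTRACT.DOCX: the parties agree to ...\x00\x00"
    b"<deleted email fragment: meet me at 6pm>"
    + b"\x00" * 64
)


def hash_bytes(data: bytes) -> dict:
    """Compute the two digests commonly recorded for an evidence image."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def acquire_image(drive: bytes, case_ref: str) -> tuple[bytes, str]:
    """Take a bit-for-bit copy of the source and return it with a JSON manifest.

    The source is only ever read. The digest of the source and the digest of
    the copy must agree, which is the check a write-blocked acquisition is
    expected to pass before the image is relied on.
    """
    image = bytes(drive)
    source_digest = hash_bytes(drive)
    image_digest = hash_bytes(image)
    if source_digest != image_digest:
        raise RuntimeError("acquisition mismatch: copy does not equal source")
    manifest = json.dumps({
        "case_ref": case_ref,        # placeholder, not a real case number
        "size_bytes": len(image),
        **image_digest,
    })
    return image, manifest


def verify_image(image: bytes, manifest: str) -> bool:
    """Re-hash the image and compare with the digests recorded at acquisition."""
    recorded = json.loads(manifest)
    current = hash_bytes(image)
    return (
        len(image) == recorded["size_bytes"]
        and current["md5"] == recorded["md5"]
        and current["sha256"] == recorded["sha256"]
    )


def tamper(image: bytes, offset: int) -> bytes:
    """Flip one byte of a copy; used only to show that any change is detected."""
    buf = bytearray(image)
    buf[offset] ^= 0xFF
    return bytes(buf)


if __name__ == "__main__":
    img, man = acquire_image(SAMPLE_DRIVE, "CASE-000 (placeholder)")
    print("manifest:", man)
    print("image verifies:", verify_image(img, man))
    print("after a one-byte edit:", verify_image(tamper(img, 10), man))
```

Re-running `verify_image` against the manifest is the step an examiner repeats before analysis and again before court, so that a mismatch anywhere in the chain of custody is detected rather than argued over.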
ANALYSIS
The evidence includes data called meta-evidence (just as metadata is data about data, meta-evidence is evidence about evidence). This is available simply by checking the registry data of the imaged computer to confirm that it was registered to the subject. It may contain data that no one other than the user would have known about, or that was generated at the scene where the computer was taken or seized, and it can provide other details, such as where the end user licence agreement was located, together with the licence serial number that matches the one embedded in the software on the actual HDD. During the investigation phase, forensic tools allow the investigator to conduct a number of examinations, such as entering search words in various languages, formats and types of computer code, which will then check the entire physical drive for the presence of this information.
The fact that a file has been deleted, altered, modified or even formatted does not remove that data from a computer. Today, with the large HDDs that now exist, deleted data such as Word documents or picture files can be present for years before they are overwritten and truly unavailable. Depending on the drive’s configuration, new data does not necessarily overwrite the entire cluster or sector, so the underlying data that previously occupied those areas can still remain, and be quite clearly visible and viewed with the aid of this forensic software. These facilities enable the search process to locate and recover deleted data, whether it is a Word document, an email, log files or other complex information. Some of these can be contained in operating system files that will themselves indicate whether data or settings have been modified or altered. Unfortunately, the same does not apply to the new, smaller solid state drives, which are usually defragmented daily, so if data is deleted it is overwritten far more frequently.
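The reason deleted content survives, and the difference between data in file slack and data in unallocated clusters, is easiest to see on a tiny model. The following is an added example and not code from the article or from any forensic product: it simulates a cluster-allocated volume in which a delete only removes the directory entry, then writes a smaller file over part of the deleted file's first cluster, and finally runs a keyword search of the kind the text describes, classifying each hit as allocated, slack or unallocated. The cluster size, file names and document text are all constructed for the illustration.

```python
"""Added example: why deleted data persists in cluster slack and unallocated space."""
import math

CLUSTER_SIZE = 64    # constructed; real volumes commonly use 4 KiB clusters
CLUSTER_COUNT = 8

# Constructed document: 100 bytes, so it occupies two clusters when written.
DELETED_DOC = (b"Board minutes, draft. " * 3 + b"ACTION: meet me at 6pm.").ljust(100, b".")


class SimDisk:
    """Minimal model of a volume: raw media plus a directory table."""

    def __init__(self) -> None:
        self.media = bytearray(CLUSTER_SIZE * CLUSTER_COUNT)
        self.files: dict[str, tuple[list[int], int]] = {}   # name -> (clusters, size)

    def _used_clusters(self) -> set[int]:
        return {c for clusters, _ in self.files.values() for c in clusters}

    def write(self, name: str, data: bytes) -> None:
        needed = max(1, math.ceil(len(data) / CLUSTER_SIZE))
        free = [c for c in range(CLUSTER_COUNT) if c not in self._used_clusters()]
        if len(free) < needed:
            raise OSError("disk full")
        clusters = free[:needed]
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            # Only the file's own bytes are written. The remainder of the last
            # cluster keeps whatever it held before: this is file slack.
            start = c * CLUSTER_SIZE
            self.media[start:start + len(chunk)] = chunk
        self.files[name] = (clusters, len(data))

    def delete(self, name: str) -> None:
        # A delete drops the directory entry only; the clusters are not wiped.
        del self.files[name]

    def read(self, name: str) -> bytes:
        clusters, size = self.files[name]
        raw = b"".join(self._cluster(c) for c in clusters)
        return raw[:size]

    def _cluster(self, c: int) -> bytes:
        return bytes(self.media[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])

    def carve(self, term: bytes) -> list[tuple[str, int]]:
        """Keyword search of every cluster, as a forensic tool does over the whole drive.

        Each hit is labelled allocated (inside a live file), slack (in the unused
        tail of a live file's cluster) or unallocated (cluster owned by no file).
        A term straddling a cluster or live/slack boundary is not matched by
        this simplified search; real carvers handle that case.
        """
        live_bytes: dict[int, int] = {}
        for clusters, size in self.files.values():
            for i, c in enumerate(clusters):
                live_bytes[c] = min(CLUSTER_SIZE, size - i * CLUSTER_SIZE)
        hits = []
        for c in range(CLUSTER_COUNT):
            raw = self._cluster(c)
            if c in live_bytes:
                live = live_bytes[c]
                if term in raw[:live]:
                    hits.append(("allocated", c))
                if term in raw[live:]:
                    hits.append(("slack", c))
            elif term in raw:
                hits.append(("unallocated", c))
        return hits


def scenario() -> SimDisk:
    """Write a two-cluster document, delete it, then write a small file over cluster 0."""
    disk = SimDisk()
    disk.write("minutes.docx", DELETED_DOC)          # clusters 0 and 1
    disk.delete("minutes.docx")
    disk.write("notes.txt", b"Notes for counsel.")   # 18 bytes, cluster 0 only
    return disk


if __name__ == "__main__":
    disk = scenario()
    for term in (b"Notes for", b"Board minutes", b"meet me at 6pm"):
        print(term, "->", disk.carve(term))
```

The search finds the live file in allocated space, a fragment of the deleted document in the slack of the same cluster, and the deleted document's action item in a cluster no file owns any more. Writing a further file that fills that second cluster completely removes the last hit, which is the overwriting the text describes as eventually making deleted data truly unavailable.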
Files that have long since been deleted, such as picture files, movie files and many others, can also be recovered. When using programs such as Microsoft Internet Explorer, every site that a computer visits is recorded in a history log. These logs can usually be recovered and will display where and when that specific computer went on the internet. Such evidence can often be valuable corroborative evidence, in that it can establish that someone was using a specific computer at a given time.
The other key issue with electronic evidence, before forensic collection, is that it can be manipulated by anyone with access to the device. Users can change the clock and try to fabricate a document or email as if it had been created historically. An expert in the field, though, will look for metadata that will indicate whether this has indeed occurred, and can thereby authenticate digital evidence, or show that it is not authentic.
Once all the various searches and discovery of the evidence have been completed, it is then analysed. The investigator must assess all the evidence and determine whether it provides the answers to the initial inquiry, which in turn created the need to image and analyse the computer. All the evidence should be extracted and presented, whether it supports the case or not. Ultimately, all this evidence needs to be formulated in a way that can be presented before the court.
PRESENTATION
A problem emerges, however, when evidence is presented by experts to a court (whether a judge sitting alone or a judge and jury) that has no knowledge whatsoever of the subject matter being presented to it. Evidence that is totally outside the court’s understanding can be confusing, and inhibit the court from making a clear and accurate decision. Ultimately, the outcome of a case could be affected by whether the court understands the evidence. This is even more likely to occur in very complex cases, where the technical workings and operations of a computer are at issue, as opposed to the simple recovery of a document whose existence is not disputed. Experts can disagree. Different methods of analysis may lead them to totally different points of view, creating a situation whereby the evidence being presented in court is contradictory and confusing. Arriving at a decision can be made very difficult if the experts have differing opinions, especially before a jury. If the evidence is highly technical, the different processes used by the experts may generate conflicting results, owing to the different methods used. Simplifying the evidence may cause further differences of interpretation, or one method may result in the evidence being more overbearing and prejudicial than another.
Presenting evidence in a manner that is comprehensible to the court may require an explanation of the method used. This is of course the final component of the computer forensic process: the presentation of the evidence in court, whether it be by producing log files in hard copy, actually demonstrating the process of the forensic software through the use of electronic projectors hooked up to a computer, or simply by verbal description.
Computer-based evidence is very complex in nature, and therefore difficult to present in a way that is readily understood by the court. Visual demonstrations can help, whether by using charts, models or by drawing diagrams. Alternatively, in the technical world, it is now possible to use new tools such as a projector attached to a computer, and demonstrate the actual evidence as located by the software on the screen.
Such visual aids may enable the judge and/or jury to see what actually existed on the drive of the computer and allow them to understand what is heard, so they can comprehend what the computer recorded in a given situation. This may be demonstrating such activity as altering the clock, or the carrying out of a specific application from which log files or other activity have been generated. These demonstrations can help lift technical barriers so that people can visualise what occurred, rather than trying to determine what occurred through their own interpretation.
Electronic evidence
Documentary evidence can be categorised as hearsay, depending on what it is being used to demonstrate. What is important, however, is the best evidence rule – the most important issue in relation to the extraction and the presentation of any electronic evidence. The best evidence rule refers to the best evidence that is available to be presented before the court, which can be understood by the judge and jury and other parties involved without being overbearing or prejudicial to any party in the process. Evidence in the cloud, for example, may be volatile and the examiner may have only one opportunity to collect that evidence at the appropriate time, and this may have to be done in a manner that is not consistent with computer forensic collection principles. If the collection of such evidence is deferred, it may be removed and no longer be available; this is particularly the case with social media and similar data.
The amount of electronic digital recording that occurs daily about somebody is quite astonishing, and some may wonder about how much of it is being accurately recorded. With the emergence of computer forensics, all this data being recorded is valuable – usually at some point at the end of this data that we interface with daily there will be a computer recording or processing of it. As the end user, this mindset is not top of mind when the swipe card is being used to access a building or an EFTPOS card is being used to make purchases or withdraw cash. Again, all these actions are being handled and managed by a computer. Mobile phones constitute an even greater electronic tracking device, given the large percentage of the population who are regularly in transit and sending text messages or making calls using their mobile phone. Like the new cards previously mentioned, mobile phones are a portable GPS device, enabling people to be identified wherever they are in the world, at any time. Given the interface that occurs on a daily basis with electronic devices, we live in a completely digital world where much of what we do is being recorded whether we know it and acknowledge it or not; this trend is only likely to increase and develop as the electronic age matures still further.
One of the biggest problems with electronic evidence is contamination, where evidence has been captured on a device but has been contaminated by subsequent use. Ultimately, some wrongdoing has been identified, or knowledge has surfaced that indicates that relevant evidence previously existed on a computer, prompting the need to have it investigated. Unfortunately, the often valuable unknown evidence has subsequently become contaminated, overwritten, modified or altered in a way that makes it difficult to restore it to its previous state.
The greatest concern, though, is the Sherlock Holmeses of the world, who have an inkling that something has gone wrong and start interfering with the computer in an effort to identify what has occurred. Then, having attempted to source the evidence themselves, they only later call in a computer forensic expert when they realise that litigation is going to ensue. By then, the evidence has unfortunately often been altered, modified or destroyed in some way, the often valuable log files overwritten or destroyed, limiting the ability to extract evidence, even with the best evidence rule. The best approach is, if in doubt, to have an evidential image taken. At least then the contents of the electronic media have been preserved and are available for the future, should it be necessary to complete the required analysis and formulate it in a manner that can be presented in court.
Verbal presentations
Scenario:
It is Friday afternoon in week three of a trial. The jury has returned from lunch, and the well-presented computer forensic examiner, very expert and professional, commences their verbal evidence of the facts and their opinions of what occurred. The jury look at the books containing the extracted data, emails, log files or other data. The expert provides in-depth technical knowledge of the intricate workings of the computer and explains in detail how the information presented was likely to have come about.
If half of the jury is still listening after five minutes, it would be considered good going; if two of them understand what is being said, this would be an amazing achievement.
If the legal representatives require the computer forensic expert for the other party to sit beside them to interpret what is being presented, then the jury is also unlikely to understand the evidence being presented, unless by any chance they are all highly technically minded. The verbal presentation of evidence in any discipline characterised by highly technical information, especially if there is any variation in the issues and their possible interpretation, is likely to fall outside the comprehension of anyone other than another expert.
Besides describing the nature of physical documents, other methods should be considered to aid the court in understanding what is being presented.
PRESENTATIONS USING A DATA PROJECTOR
‘A picture is worth a thousand words’ is a well-worn axiom and projecting images on to a large screen within the court can be very effective. Where evidence about data, documents, metadata, images, folders, paths, dates, etc are being discussed, the use of a projector can be a powerful aid. Aside from generating some interest for the court and jury, it allows them to visually access what is being presented and how it relates to other evidence. For example, when a document or an email that was created electronically is at issue, displaying an image of the computer showing the actual text electronically can be very useful. This facility now exists with projectors, computers and software. It is not a difficult process to demonstrate visually that the data exists, and where appropriate any other corroborative evidence that adds weight to the evidence.
CONCLUSIONS
The concept of computer forensics is very complex, not only for the court but the legal profession and the judiciary as a whole. Not only is the forensics process complex, even determining the qualifications and expertise of the professionals appointed as experts can be an issue in itself. It is recommended that a minimum standard be set for forensic experts, such as computer forensic experts, and a guide be available to allow the judiciary to reference and determine if someone is sufficiently qualified to act as an expert, as is the case with other disciplines. This process should be conducted in consultation with the High Court Rules for Experts.
There is no compulsory accreditation of experts in Australia or New Zealand, and although it would only be considered to be an aid to adding weight to the expert’s evidence, this area needs some review.
Given the complexity of computer forensic evidence, the process of presenting much of it verbally can be confusing and difficult to comprehend. Wherever possible, demonstrations and explanations using either visual displays such as projectors or diagrams and charts, or practical demonstrations, should be used to aid the court in understanding the evidence.
Computer forensic tools are excellent aids for investigators and although they produce reports that can assist in interpreting the evidence, some of these may require explanation to help the court understand their significance. Proficiency in the use of these tools can take experts years to acquire, so it would be unreasonable to expect a court to understand what is being presented in the space of half an hour if these tools were used to display evidence in court. Given the complexity of this area, it is essential that lawyers understand the evidence clearly before it is presented to the court. Unless the existence or authenticity of the evidence is in question, tools like this should be avoided for demonstration purposes.
Dr Allan Watt is the Director of Allan Watt Digital Forensics, digital evidence investigators and analysts specialising in the extraction of evidence from electronic media. He holds a PhD in Forensic Computing and a Masters Degree in Cyber Terrorism. PHONE 1300 66 99 02. EMAIL info@digitalforensic.com.au. WEBSITE www.digitalforensic.com.au.
URL: http://www.austlii.edu.au/au/journals/PrecedentAULA/2017/24.html