Given the pervasive nature of information technology the nature of evidence presented in court is less likely to be paper-based and in most instances will be in electronic form. However, evidence relating to computer crime, regardless of definition, is significantly different from that associated with the more ‘traditional’ crimes for which there are well-established standards and procedures.
In Australian courts the admissibility of evidence is governed by both statute and common law. Each state and territory have their own Evidence Act, with some combined to echo the Federal (Commonwealth) Evidence Act. The general principle adopted by these courts for copies of documents presented as evidence is that a copy of a document is recognised as equivalent to the original and that this applies to computer records.
As with other types of evidence, the courts make no presumption that such evidence is reliable without some evidence of empirical testing in relation to the theories and techniques associated with the production of the copy.
It has been stated that “…reliability assessments should focus on the technique and its accuracy (as well as the proficiency of the operator/analyst).” This issue of reliability means that courts pay close attention to the manner in which electronic evidence has been obtained, in particular the process in which the data is captured and stored.
Because the tools and procedures employed by digital forensic practitioners are generally outside the knowledge and understanding of the courts and juries they need to be described in such a way that they can be understood by the layperson.
In addition, they should also conform to some standards of practice and be recognised by other practitioners working in the field. Courts may apply methods used for testing scientific evidence to digital evidence presented before them and this is commonly based on American practice.
In this regard it is the practice of American Courts, when seeking to determine the reliability of scientific evidence, to apply the Daubert Test, named after the Daubert v Merrell Dow Pharmaceuticals case.
In this case the US Supreme Court determined that it was the duty of a trial judge to scrutinise evidence, particularly if it is of an ‘innovative or unusual scientific’ nature to ensure that it meets with the requirements of the Federal Rule of Evidence 702. This has often been identified as the judge taking on the role of ‘gatekeeper’.
Based on the Federal Rule of Evidence 702 the process for determining the admissibility of evidence requires that any expert testimony must be derived from “scientific knowledge”. However, “scientific knowledge” itself requires that “sound scientific methodology” has been applied based on the “scientific method” and this led to the court in the Daubert v Merrell Dow Pharmaceuticals case establishing what has become known as the Daubert Test.
In practice the Daubert Test is often summarised as four components that provide clarity around determination of ‘sufficient facts or data’ and ‘reliable principles and methods’:
- Whether the theory or technique in question can be and has been tested.
- Whether it has been subjected to peer review and publication.
- Its known potential rate of error along with the existence and maintenance of standards controlling the technique’s operation.
- The degree of acceptance within the relevant scientific community
Despite the fact that the Daubert case was heard in 1993 its influence is still strong in relation to digital evidence as demonstrated by the consultation paper issued by the Law Commission for England and Wales which effectively mimics the Daubert Test used in the United States.
However, when applying the Daubert Test to cases involving digital forensic tools and techniques it appears that regarding digital forensics as a science causes some issues, in particular the lack of generally accepted standards and procedures.
A suggested reason for this is that the discipline has been developed without the typical initial research that would have provided the sound scientific basis necessary for admitting digital forensic evidence. This view is understandable given that the practice of digital forensics was initially undertaken by practitioners who were not scientists but law enforcement officers and only more recently has it become a role for IT professionals.
The United States Computer Emergency Readiness Team also identify the immaturity of digital forensics as a significant issue and comment, “Because computer forensics is a new discipline, there is little standardization and consistency across the courts and industry. As a result, it is not yet recognised as a formal “scientific” discipline”.
We currently have a situation in which, in the absence of anything better, some courts are using methods that apply to ‘classical’ science to determine the reliability of objects from digital forensics which is a relatively new discipline and lacks many of the attributes appropriate for a ‘scientific’ test.
More research is required that does not attempt to address the issue of the reliability of the tools or computer systems that a digital forensic practitioner may choose to utilise in the course of their work but focuses instead on describing the process of acquiring digital evidence.
The fundamental issue is that there is no comprehensive description for the process of acquiring digital evidence that can be applied by practitioners operating in the different digital forensic areas. This is not an isolated weakness within the field of digital forensics because the whole field of digital forensics still lacks consensus in fundamental aspects of its activities.
About the Author
Richard Adams is a senior member of one of the Big Four professional services firms and has spent many years working on both criminal and civil matters. In addition, through his many years of working with a variety of law enforcement agencies, Richard is aware of the requirements of the courts in relation to the handling and processing of evidence and his on-going doctoral research topic is the acquisition of potential electronic evidence. Richard is on the Australian Standards ISO Working Group for handling electronic evidence.