User:LawCN88/sandbox

Digital evidence (sometimes known as computer-based electronic evidence, being closely tied to the field of forensic computing , is any data stored or transmitted using a computer that support or refute a theory of how an offense occurred or that address critical element of the offense such as intent or alibi.

Definitions
Whether to call it as "digital evidence" or "electronic evidence", there is a lack of consistence on this issue internationally. Though the former has been academically recognised, the legislations tend to use "electronic", e.g. the Uniform Electronic Evidence Act in Canada and the Rules on Electronic Evidence in the Philippines. While the conception of "digital" in the information world is different from what people usually use in everyday life, some concepts like "Electronic signature" have already been accepted by the public. To be stringent, "electronic evidence" could be more wide-ranged, which could also be analog technology-based. Some legal interpretations of the validity of digital signatures (not the crypto sense, rather, the indication of intent binding a statement) are based on interpretations of precedents regarding the transmission of telexes (a defunct analog messaging technology).

Some examples of definitions are as follows:
 * "Any information of probative value that is either stored or transmitted in a digital form." proposed by the Standard Working Group on Digitl Evidence.
 * "Information stored or transmitted in binary form that may be relied upon in court." by the International Organization of Computer Evidence.
 * "Information and data of investigative value that are stored on or transmitted by a computer." - The Association of Chief Police Officers in UK suggested a more general definition.

Types and Use
Digital information is now ubiquitous in our everyday lives and the use of digital evidence is becoming increasingly relevant in legal matters. According to a study by University of California-Berkeley in 2001 found that 93% of all new information at that time was created entirely in digital format.

The media holding digital evidence includes: Hard disks, CD’s, DVD’s, floppies; PDA’s(Personal digital assistant), compact flash, zip disks, jazz disks; backup tapes, copiers, printers, scanners, cell phoness. When considering the many sources of digital evidence, it is useful to categorize computer systems into three groups: (1) Open computer systems such as laptops, desktops that comprised of hard drives. (2) Communication system, e.g. traditional telephone systems, wireless telecommunication systems and the Internet. (3) Embedded computer systems such as mobile devices, smart cards.

Digital evidence can be useful in a wide range of criminal investigations, including homicides, sex offenses, missing persons, child abuse, drug dealing, fraud, and theft of personal information. Also, civil cases can hinge on digital evidence, and electronic discovery is becoming a routine part of civil disputes. The use of digital evidence has increased in the past few decades as courts have allowed the use of e-mails, digital photographs, ATM transaction logs, word processing documents, instant message histories, files saved from accounting programs, spreadsheets, internet browser histories, databases, the contents of computer memory, computer backups, computer printouts, Global Positioning System tracks, logs from a hotel’s electronic door locks, and digital video or audio files.

Challenging Aspects
Despite from the many advantages of digital data, for instance, it contains detailed information and it saves time to be compiled than manual evidence, other characteristics distinguishing digital evidence from the traditional one should be pointed out: digital evidence tends to be more voluminous, more difficult to destroy, easily modified, easily duplicated, potentially more expressive, and more readily available.
 * 1) It is a messy, slippery form of evidence that can be very difficult to handle.
 * 2) It is generally an abstraction of some digital object or event.
 * 3) It is usually circumstantial, making it difficult to attribute computer activity to an individual.
 * 4) The fact that digital evidence can be manipulated or destroyed so easily raises new challenges for digital investigators. The possible problems are raised by malicious software, the Trojan horse and viruses.

Pre-trial Processing
Having professionals, experts or specialised agencies to handle and process digital evidence is of great importance, streamlining the presentation of the case and minimizing risk of destroy the integrity of evidence. For instance, the International Organization on Computer Evidence was established in the mid-1990s “to ensure the harmonization of methods and practices among nations and guarantee the ability to use digital evidence collected by one state in the courts of another states.” Also, standard operating procedures, clear principles and policies, as well as special tools help digital evidence being effectively admitted in courts.

Three A's Principle
In forensic methodology, there are three A's needed to be aware of:
 * Acquire - Do not alter or damage the original.
 * Authenticate - Proof that your recovered evidence is the same as the original.
 * Analyze - Inspect evidence without altering it.

In addition, there are efforts to develop digital evidence examination into an accredited discipline under international standards, like the ISO/IEC 17025:2005 General requirements for the competence of testing and calibration laboratories.

Example - UK ACPO guidelines
In the United Kingdom examiners usually follow guidelines issued by the Association of Chief Police Officers (ACPO) for the authentication and integrity of evidence. The guidelines consist of four principles:


 * 1) No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
 * 2) In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
 * 3) An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
 * 4) The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

Tools
A number of proprietary tools are needed in the performance of specialist' investigation and analysis of digital evidence. They will be different depending on different operating systems and processing stages.

Examples of tools for image acquisition: Guidance Software's EnCase Enterprise Edition and Technology Pathway's ProDiscover can acquire images over the network in a live environment. In a controlled environment, AccessData Forensic Toolkit, Encase Forensic Edition and the open-source Sleuth Kit can acquire a full sector-by-sector drive image of any hard disk under investigation. Fine-grained keyword searches - Paraben's NetAnalysis, E-Mail Examiner and Net E-Mail Examiner, and dtSearch's dtSearch excel at searching through disk or partition contents, e-mail-specific searches or Internet history analysis.

Admissibility
Digital evidence must also meet certain criteria for the purpose of being admitted. Traditionally, the U.S. Federal Rules of Evidence, the UK Police and Criminal Evidence Act 1984 and the Civil Evidence Act 1995 and similar rules of evidence in other countries were established to help evaluate evidence. Admissibility, which is usually the first thing to consider, is however accompanied by many complexities and nuances.

In [http://www.lexisnexis.com/applieddiscovery/lawlibrary/LorraineVMarkel_ESI_Opinion.pdf Lorraine v. Markel Am. Ins. Co.], 2007 WL 1300739, where both parties offered copies of email messages that could not be authenticated properly, the magistrate outlined five issues that must be considered when assessing whether digital evidence will be admitted: relevance, authenticity, not hearsay or admissible hearsay, best evidence, not unduly prejudicial. Though some of these may not be applicable in certain instances, each must be considered.

Authorization
Authorization is required to search and seize evidence. In the U.S., search warrant is traditionally regulated in the Fourth Amendment and the Electronic Communications Privacy Act. In December 2006, strict new rules were enacted within the Federal Rules of Civil Procedure requiring the preservation and disclosure of electronically stored evidence. Digital evidence is often attacked for its authenticity due to the ease with which it can be modified, although courts are beginning to reject this argument without proof of tampering.

Authentication
As with any evidence, the proponent of digital evidence must lay the proper foundation, where Chain of custody and integrity documentation play a vital role. Courts largely concerned themselves with the reliability of such digital evidence. As such, early court decisions required that authentication called "for a more comprehensive foundation." (US v. Scholle, 553 F.2d 1109 (8th Cir. 1976)). As courts became more familiar with digital documents, they backed away from the higher standard and have since held that "computer data compilations… should be treated as any other record." (US v. Vela, 673 F.2d 86, 90 (5th Cir. 1982)).

The "more comprehensive" foundation required by Scholle remains good practice. The American Law Reports lists a number ways to establish the comprehensive foundation. It suggests that the proponent demonstrate "the reliability of the computer equipment", "the manner in which the basic data was initially entered", "the measures taken to insure the accuracy of the data as entered", "the method of storing the data and the precautions taken to prevent its loss", "the reliability of the computer programs used to process the data", and "the measures taken to verify the accuracy of the program".

Reliability
There are two general approaches: one is commonly used in the past legislations in U.S. and UK, focusing on whether the computer that generated the evidence was functioning normally; the other is to examine the actual digital evidence for evidence of tampering and other damage.

Best Evidence
According to the "best evidence rule", courts often require the original formation of evidence when dealing with the contents of a writing, recording, or photograph. But with the help of photocopiers, scanners, computers, and other technology which can create effectively identical duplicates, copies become generally acceptable to replace of the originals. One evident benefit of presenting digital evidence is to eliminate the risk of changing the original by incident. The "Federal Rules of Evidence" rule 1001(3) states "if data are stored in a computer…, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original.’"

Hearsay
There is some digital evidence which is not hearsay at all. Hearsay is a "statement, other than one made by the declarant while testifying at the trial… offered in evidence to prove the truth of the matter asserted." A declarant is a person. Therefore, courts have held that digital evidence is not hearsay when it is "the by-product of a machine operation which uses for its input ‘statements’ entered into the machine" and was "was generated solely by the electrical and mechanical operations of the computer and telephone equipment." (State v. Armstead, 432 So.2d 837, 839 (La. 1983)).

Moreover, where the evidence is not offered to prove the truth of the statements, digital evidence is not hearsay. This is the case, for example, with logs of chatroom conversations. While a chatroom log may contain many out of court statements, which would otherwise be hearsay, they may be used for other purposes, including as a party admission. (US v. Simpson, 152 F.3s 1241 (10th Cir. 1998)).

Hearsay exception - Business records

There are several exceptions under hearsay rule, business records being one typical example. Statutory traces can be followed. In Section 5(1) of the Irish Criminal Evidence Act 1992,

...information contained in a document shall be admissible in any criminal proceedings as evidence of any fact therein of which direct oral evidence would be admissible if the information a. Was compiled in the ordinary course of a business.

b. Was supplied by a person (whether or not he so compiled it and is identifiable) who had, or may reasonably be supposed to have had, personal knowledge of the matters dealt with.

c. In the case of information in non-legible form that has been reproduced in permanent legible form, as reproduced in the course of the normal operation of the reproduction system concerned. The trend: more courts are likely to acknowledge the distinction between computer-generated and computer-stored records as they become familiar with digital evidence and as more refined methods for evaluating the reliability of computer-generated data become available.