M6 - Evidentiary Requirements

Class: CYBR-405


Notes:

Best Evidence Rule

Goals of the Best Evidence Rule

The best evidence rule describes the expectation of the court and legal system that the evidence reported and supplied to the court is the best evidence that the nature of the case will allow. No evidence is admissible unless it passes the best evidence rule.

The goal of the best evidence rule is to show that the evidence presented is as original (original digital file) as possible. Some examples that are generally considered to be original evidence are shown below.

Evidence
Anything that tends to prove or disprove a fact in question. Each fact or conclusion must be supported by the evidence.

Best Evidence Rule

A forensic investigator should always use the "best evidence" rule to prioritize evidence and support reasonable conclusions.

Accepted
As pointed out, the best evidence is always sought in the forensics report. However, the best evidence (original evidence) is not always available. A copy of the original is considered "best" if the original is not available due to non-malicious reasons.

Rejected
In the case where the best or original copy is not available because of a malicious act (such as a hacker destroying the evidence), the evidence may be excluded by the legal system after a court judge has examined the circumstances of the case.

How is Evidence Evaluated?

The evidence is evaluated on the following characteristics:

The substance and volume of evidence are derivatives of a case. In other words, forensic investigations can only reveal evidence, not manufacture it. As a result, substance and volume are somewhat outside the control of the forensic reporter. The unreasonable nature of a theory can similarly be outside of the control of the forensic reporter. Convincing a jury of an unreasonable theory requires good evidence (substance and volume) and a persuasive witness with a persuasive presentation.

Objective vs. Subjective Evidence

Properly collected and documented evidence can be reconstructed by a third, neutral party who should come to the same result, validating the report as accurate and tested. When this occurs, the documentation can be vital to helping prove a theory of the case and can be a determining piece of evidence.

Objective Evidence
Evidence that can be verified as truth by a third party is objective evidence. It is evidence that is a fact.

Subjective Evidence
Subjective evidence cannot be verified by a third party and is not fact. It is an opinion. Subjective evidence has minimal value in a legal setting because legal standards to prove a case must be met, and opinions from non-experts do not meet the legal standards of admissibility.

Hearsay

The definition of hearsay is a statement (written or oral) made by someone other than the declarant to prove the truth of the matter asserted. Hearsay is a special case of the best evidence rule that prohibits evidence or testimony about a statement (written or oral) that is not the most original source for that statement. In nearly all cases, the most original source for a statement is the person who made the statement.

The objective of the hearsay rule is to prevent second-hand or indirect evidence from being considered in weighty matters in which errors would bear terrible consequences.

Hearsay: Examples

Let's take a look at some examples of what is and isn't hearsay.

What Is Hearsay:
What Isn't Hearsay:

Hearsay: Tapping

If one considers a computer to be a communication medium like a phone line, which can be "tapped," the evidence could be subject to all of the rules and regulations that guide wire-tapping.

In many cases, the evidence itself would be excluded because it was not recorded as a result of a warrant obtained with just cause, or because the recording was not officiated under the guidance of communication specialists.

If the communication medium (similar to a phone tap) was a "self-documenting" communication medium that automatically recorded all communication, hearsay would not be an issue since these records would be computer-generated. As a result, all statements would be automatically included.

The rules for hearsay and best evidence further highlight the difference between evidence available during the investigation phase and evidence available to be reported.

Tapped
Intercepting communications transmitted in whole or in part over the wire.

Authenticity vs. Reliability

The two primary legal requirements for authenticating digital documents are authenticity and reliability. Unless proof of authenticity and reliability has been implemented to ensure the records are authentic, evidentiary standards cannot be met and any evidence submitted may be ruled inadmissible. Identifying who or what created a digital document in a shared collaborative environment is a growing challenge for legal cases involving records stored in cloud environments.

What is Authenticity?

Authenticity requires:

What is Reliability?

Reliability for authenticating digital documents means that effective safeguards have been implemented by a reliable or trustworthy source to assure the continuing accuracy and integrity of the originally created record.

Authentication of Digital Evidence

When questions of authenticity arise, the three recognized components of authenticity (identity, integrity, and time) are used as a test of verifiable proof as a prerequisite for the admissibility of digital evidence.

Digital information is treated by the courts as a subset of "data compilation" for purposes of authenticating both business and official public records. The expressed intent is that the term should encompass but not be limited to electronic computer storage. Evidentiary requirements for authenticating business records and public documents require a Custodian of Records or other qualified witness to render business records as self-authenticating.

Federal Rules of Evidence section 902, part 11 specifies that the "custodian or other qualified witness" must certify that the "data compilation" was:

  1. "Made at or near the time of the occurrence,"
  2. "By, or from information transmitted by, a person with knowledge of those matters,"
  3. "Kept in the course of the regularly conducted activity," and
  4. Was "made by the regularly conducted activity as a regular practice."

Additionally, as a precondition of admissibility in the absence of a live foundation witness, FRE 902(11) further specifies there must be no indication of untrustworthiness in the source or preparation.

Custodian of Record

Possession of digital records does not qualify one as a Custodian of Records. It is essential that a proper foundation be laid by a record custodian or other qualified witness who can explain the record-keeping system of an organization and vouch that the requirements of Rule 803(6) have been met.

Testimony by the custodian of the record or other qualified witness that the record is authentic and was made and kept in the regular course of business will be sufficient to support its admission into court. Additionally, under FRE 902(4), public records are admitted without further proof when certified by an official custodian or other authorized public officer in a manner consistent with the requirements for documents under seal.

Documents Under Seal

A document under seal is self-proving and admissible in court. Documents under seal must meet the following requirements:

The seal must be kept under the exclusive possession and control of the public officer and is not to be used by any unauthorized person.

The seal authenticates the official act as the act of a notary and appears as an impressed or embossed sign, as an imprinted or stamped sign, or as a handwritten or typed mark, and must provide the relying parties the ability to independently verify the notary and detect alterations to the signature and document.

Electronic Documents Under Seal

ESIGN and Uniform Electronic Transactions Act (UETA) authorize the use of electronic signatures and seals by notaries. Information contained within the seal identifies the individual as a duly appointed public officer with the authority to perform official acts.

Existing legal requirements for digital evidence apply to cloud-storage data. The risk of forgery is reduced by requiring an authenticating seal from a public officer. An official act under seal is self-proving.

Both paper and electronic documents with a completed official certificate are established to be self-authenticating and admissible in court as they are. This includes digital seals which contain the same notary-related provisions and definitions as paper documents. The seal authenticates the official act and appears as an embossed sign, an imprint, or a handwritten or typed mark. The seal must provide the court with the ability to independently verify the notary and detect alterations to the signature and document.

Frye vs. Daubert

Frye and Daubert

The examples of using technology in an unprecedented way or using new technology that has not been certified present a situation in which a new process or new technology needs to be introduced in court. When will a court accept a new, novel, or scientific discipline (e.g., digital forensics)?

Trial judges make the final decision as to whether expert witness testimony, technology, and processes can be used in court. Remember that a judge is not a scientist, an expert in computers, nor an expert in forensics. The forensic report must present the information clearly so that the judge or any layman can understand it.

Courts (judges) apply two standards for accepting evidence.

Frye

In recent years, there has been a tendency to move from the Frye Standard to the Daubert Standard.

The Frye standard requires a general acceptance of a technique. General acceptance is subjective and leads to dueling experts. The method of overcoming "dueling experts" is to provide more and better experts to testify to the validity of the process and/or technology.

Daubert Standard

The Daubert standard limits the use of experts validating the process or technology in legal proceedings by specifying two criteria: relevance and reliability. The relevance criterion specifies whether the information produced by the technology or procedure is relevant to the case. The reliability criterion relies on the qualifications of the expert witness and whether the scientific method was followed.

Daubert: Misuse of Scientific Evidence

The misuse of scientific evidence is a serious problem. Even the FBI laboratory is under suspicion. There have been several recent cases where serologists, pathologists, and lab chemists have falsified results and reports and sent hundreds of innocent people to jail. Most misuse of scientific evidence is pro-prosecution. Daubert sheds light on shoddy procedures, protocols, and proficiency testing.

The Daubert ruling rests on an interpretation of the Federal Rules of Evidence. As a statutory (rather than constitutional) case, it is not necessarily binding on the states. However, many courts of appeals are ordering remands or whole new hearings because the trial court failed to conduct a Daubert hearing. There is also variation from state to state in how Daubert hearings are conducted.

What are the Reliability Factors in Daubert?

All trial courts make a preliminary determination of admissibility. This job involves an initial assessment of whether the evidence is relevant, competent, and material. In short, can the evidence be properly applied to the facts in this case? This is the traditional "gatekeeping" function of courts. A number of reliability factors can enter into this and subsequent hearings using the Daubert standard.

Comparing Frye to Daubert

Example comparing statements of Daubert and Frye:

[Image: comparison of Daubert and Frye statements (Pasted image 20260131225217.png); not reproduced in these notes]

The Daubert ruling substitutes a reliability test for a relevancy test. For states that follow neither Frye nor Daubert, this means that the continued practice of using reliability only as a weight once relevancy has been established exposes a serious constitutional liability.

Search and Seizure

Search and Seizure Overview

Evidence seized as a result of an illegal search may not be admissible in court. Many reasons may cause a search and/or seizure to be ruled illegal. Both attorneys and forensic professionals should be familiar with the local rules and regulations regarding evidence search and seizure.

Keeping in mind that many factors may be used to rule a search/seizure illegal, most challenges to evidence on the basis of search and seizure emerge from the Fourth Amendment of the United States Constitution, which is found in the Bill of Rights. The Fourth Amendment addresses the rights pertaining to search and seizure.

Fourth Amendment

The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures shall not be violated, and no warrants shall issue but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Rules for Search and Seizure

The rules for search and seizure, hearsay, and best evidence can prove disastrous if the forensic report does not adequately address each issue in turn, and completely. Therefore, the formal report must prove that each piece of evidence is the best the nature of the case can provide, and it cannot be hearsay.

Every portion of the evidence must be collected legally and the legality of the seizure of that evidence must be established. The journal of the forensic investigator can help produce a timeline that shows the orderly search and seizure of evidence and how one search/seizure might have justified subsequent searches.

Hearsay
A written or oral statement made by someone other than the declarant to prove the truth of the matter asserted.

Best Evidence
Allows the forensics investigator to access and analyze the device as close to its original state as possible.

Search and Seizure: Reasonable Expectation of Privacy

The Fourth Amendment rights are extended to all citizens, and generally include any property that has some reasonable control to protect it from being immediately visible to other citizens.

The right of privacy is extended to "persons, houses, papers, and effects." Clearly, computers and similar technologies were not in mind when the amendment was penned by the authors. However, the definition of "effects" is generally extended to cover the physical computers, the data stored on the computer, and the data stored on any storage medium.

The legal system routinely upholds the right of reasonable expectation of privacy. This right is both subjective and objective. In many cases, the court has already ruled certain locations as beyond the reasonable expectation of privacy. In cases where the court has not ruled, the court can make a subjective call as to whether the search was reasonable.

Search and Seizure: Plain Sight Doctrine

The plain sight doctrine specifies that forensic professionals can search and seize anything in plain sight without a warrant. All other searches or seizures, where the item is not in plain sight and there is an expectation of privacy, require a warrant unless exigent circumstances apply.

Examples in which evidence is in plain sight and can be collected or seized without a warrant, and where searches can proceed because there is no expectation of privacy can be found in the following:

Warrant
A document that specifies what items, rooms, or persons are to be searched and the address and location to be searched.

Search and Seizure: Exigent Circumstances

Exigent circumstances are special cases. For example, a forensic professional who believes the evidence will be destroyed unless it is immediately seized can seize the evidence prior to obtaining a warrant.

In other exigent circumstances, law enforcement may arrest a person that they believe committed a crime or enter a location where a crime is suspected to have occurred. Once the arrest of the person has occurred, the suspect can be searched in accordance with law enforcement policy for search and seizure of suspects. Similarly, once law enforcement has entered a location, evidence of a crime that is in plain sight can be seized.

In all other cases, a warrant is required. The Fourth Amendment specifies that a warrant can be issued, but only after justifiable cause has been established with evidence. This justifiable cause supported by evidence is referred to as probable cause. Probable cause is validated by a judge.

Search and Seizure of Digital Evidence

Digital evidence located on personal and business computers provides two very pointed challenges to search and seizure, such as the warrant, place of business, and encryption.

Warrant

The Forensic Examination Must be Done Within the Scope Authorized by the Legal Documents.
If a forensic examination is authorized by a search warrant to search for evidence related to drug trafficking, the examiner may not search specifically for evidence of other crimes, such as child pornography. However, if the examiner encounters evidence of another crime (in plain view), the examination must stop and a new search warrant should be obtained to allow for the further search of evidence associated with the newly discovered crime.

Business

Expectation of Privacy of Private Citizens at Their Places of Business
At the heart of this case is the question, "Can the employer search and seize an employee's computer without probable cause?" In general, the employee has no right to privacy in the workplace.

Encryption

Encrypted Digital Evidence
A warrant may be legally issued to seize the computer and its digitally encoded data. The encrypted data and any data that can be decrypted is evidence that can be legally seized. The challenge is that many encryption algorithms cannot be decrypted without a password. And if the encrypted data would implicate the owner of the data in a crime, can the owner be legally compelled to reveal the means to decrypt the data? This challenge pits the Fourth Amendment right to privacy against the Fifth Amendment right to not implicate oneself in a crime.

Evidence from the Cloud

Data assets stored in the cloud must be managed to ensure the evidentiary requirements for proving authenticity and reliability can be met. The methods and practices used must be applied to these electronic documents issued from trusted or authoritative official sources in the same way other evidence is validated. Unlike with physical evidence, operational responsibility for data in the cloud shifts away from the data holders.

Cloud service providers (CSPs), data owners, and data holders now have a shared responsibility to put policies in place to protect data, including access and usage controls.

Access

These are the policies, procedures, and tokens that control who may access the data. Through them, the data owners restrict access to those who hold the proper permissions.

Authentication

Authentication is the process of determining whether someone or something is who or what it is declared to be. The very nature of digital data makes it difficult to establish authenticity when in the cloud. There can be unlimited copying as well as numerous access points or varying geographic locations of the digital information. This presents a challenge distinguishing between forged and authentic digital information.

Usage Controls

These are policies, procedures, and settings to ensure that anyone with access to the data follows the policies for how the data may be used or distributed afterwards. The data holder is restricting the future use of the data to certain pre-set parameters. This is done through authentication.

Authentication Factors

The way to distinguish between authentic and forged digital files is through the factors of authentication:

Security research has determined that for a positive identification, elements from at least two, and preferably all three, factors must be verified.

Search and Seizure Requirements for Cloud Computing

The dynamic nature of cloud computing makes it possible for criminals to commit crimes and immediately destroy the electronic evidence. The cloud can also be used as an instrument of the crime, while in other cases, a cloud-hosted service can be the target of a crime.

This created a whole new set of laws and technology challenges such as law enforcement authority to have access to cloud-based data for the following purposes:

Search and Seizure for Cloud Computing

Unique legal problems are raised when current laws are applied to cloud computing. Issues are intertwined with the technical ability to acquire data and range from whose law governs cloud data to who can legally execute the warrant. A starting point for obtaining cloud evidence is a search warrant.

Crime in the cloud requires new laws and creates technology challenges such as the rights of law enforcement to have access to cloud-based data or to monitor chats, tweets, and social networking sites or mandates requiring investigative support from cloud providers.

Law enforcement is currently the source that asks the cloud provider for data. Once a warrant has been obtained from a court, seizure and acquisition of the digital artifacts from the cloud service provider are the initial steps.

Clarifying Lawful Overseas Use of Data Act or CLOUD Act (H.R. 4943)

If the servers that house the data are located in another country, a U.S. court may not have jurisdiction, even though the cloud service provider is based in the U.S. As a result, Congress enacted the Clarifying Lawful Overseas Use of Data Act or CLOUD Act (H.R. 4943), which changed data privacy and government surveillance laws to reflect industry cloud computing practices. The CLOUD Act amends the Stored Communications Act (SCA) of 1986 to compel U.S. companies to honor warrants or court orders requesting data stored on their servers, regardless of whether the data is on U.S. or foreign soil. The CLOUD Act was passed in 2018.

Search Warrant for the Cloud

When a search warrant or subpoena is delivered, the cloud service provider or a designated remote investigator executes the search, collects the data, and returns it to law enforcement.

The search warrant or subpoena would list items such as:

Law Enforcement and Cloud Service Providers

Some cloud service providers are already prepared to collect data for law enforcement. They have established infrastructure logging mechanisms, billing records, and packet captures that can be retrieved and submitted to law enforcement if requested.

When one of these providers receives a warrant, they gather the data requested, validate the data with cryptographic checksums, and copy the data to some portable media (such as a thumb drive, disk, or portable hard drive) for law enforcement. This requires trust in the provider, its systems, and its staff. Law enforcement can then submit the evidence to court procedures.
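The checks this section describes (the provider's cryptographic checksums over collected data, the three components of authenticity from the Authentication of Digital Evidence section: identity, integrity, and time, and the seal from the Documents Under Seal section that lets a relying party independently verify the officer and detect alterations) can be shown together in a short program. The following Go code is an added example, not part of the course notes and not any provider's or court's actual format. It assumes a hypothetical EvidenceRecord/SealedRecord JSON layout and uses an Ed25519 key pair to stand in for the sealing officer's credential; the artifact bytes are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// EvidenceRecord carries the three recognized components of authenticity:
// identity (who collected the artifact), integrity (its SHA-256 digest), and
// time (when it was collected). The field layout is a constructed example.
type EvidenceRecord struct {
	Custodian   string `json:"custodian"`
	Artifact    string `json:"artifact"`
	SHA256      string `json:"sha256"`
	CollectedAt string `json:"collected_at"` // RFC 3339 in UTC
}

// SealedRecord is the record plus the sealing officer's Ed25519 signature
// over the canonical JSON encoding of the record (the "seal").
type SealedRecord struct {
	Record    EvidenceRecord `json:"record"`
	Signature string         `json:"signature"` // hex-encoded
}

var (
	ErrSealInvalid  = errors.New("seal does not verify: record or signature altered")
	ErrHashMismatch = errors.New("artifact hash mismatch: artifact altered after sealing")
)

// GenerateSealKey creates the officer's key pair. The private key is what
// "exclusive possession and control" of the seal protects; the public key is
// what relying parties use to verify.
func GenerateSealKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// HashArtifact is the cryptographic checksum a provider attaches to collected data.
func HashArtifact(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// NewRecord binds identity, integrity, and time for one collected artifact.
func NewRecord(custodian, artifact string, data []byte, collected time.Time) EvidenceRecord {
	return EvidenceRecord{
		Custodian:   custodian,
		Artifact:    artifact,
		SHA256:      HashArtifact(data),
		CollectedAt: collected.UTC().Format(time.RFC3339),
	}
}

// canonical returns the bytes that get signed. json.Marshal of a struct emits
// fields in declaration order, so the encoding is deterministic.
func canonical(r EvidenceRecord) []byte {
	b, err := json.Marshal(r)
	if err != nil {
		panic(err) // cannot happen for this plain struct
	}
	return b
}

// Seal signs the record with the officer's private key.
func Seal(priv ed25519.PrivateKey, r EvidenceRecord) SealedRecord {
	sig := ed25519.Sign(priv, canonical(r))
	return SealedRecord{Record: r, Signature: hex.EncodeToString(sig)}
}

// Verify is what a relying party (examiner, court) runs with only the
// officer's public key and the artifact it received: the seal check catches
// any change to the record or signature, the digest check catches any change
// to the artifact itself.
func Verify(pub ed25519.PublicKey, s SealedRecord, data []byte) error {
	sig, err := hex.DecodeString(s.Signature)
	if err != nil {
		return fmt.Errorf("malformed signature: %w", err)
	}
	if !ed25519.Verify(pub, canonical(s.Record), sig) {
		return ErrSealInvalid
	}
	if HashArtifact(data) != s.Record.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	pub, priv, err := GenerateSealKey()
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed sample: provider log export\n") // constructed data
	rec := NewRecord("J. Doe, Custodian of Records", "export-0001.log", artifact, time.Now())
	sealed := Seal(priv, rec)
	fmt.Println("original verifies:", Verify(pub, sealed, artifact))
	fmt.Println("altered artifact:", Verify(pub, sealed, []byte("constructed sample: altered\n")))
	sealed.Record.CollectedAt = "1999-01-01T00:00:00Z" // backdating the record
	fmt.Println("altered record:", Verify(pub, sealed, artifact))
}
```

The order of the two checks matters: the seal is verified before the digest is trusted, because the digest is only meaningful if the record carrying it is the one the officer actually signed. A bare checksum on portable media, with no signature or custody record around it, proves nothing about who produced it or when.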

When cloud service providers are prepared for and agree to partner in evidence collection, this relieves law enforcement from needing remote acquisition tools. This also relieves law enforcement from the need to acquire an advanced understanding of the cloud environment. It doesn't free them from needing to process the data or from the significant trust issues that result from cloud storage. The examiner, the judge, and the jury must trust the integrity of the data that has been provided.

Search and Seizure Requirements for Mobile Devices

The search and seizure requirements for mobile devices, as with computers and digital cloud data, begin with a warrant or subpoena being issued by a court. The warrant will specify the particular items, equipment, or areas of a mobile or hand-held device that may be examined. Once the mobile device has been seized pursuant to the warrant, standard procedures for crime scene evidence collection from mobile hand-held devices are followed. Let's take a look at the steps for ensuring the procedures you use meet admissibility standards in the courts.

Is there additional evidence?

Before handling any mobile devices, consider whether other evidence, such as DNA or fingerprints, is needed from the phone.

If so, follow DNA crime scene protocols to collect the DNA and preserve that evidence prior to any further activities. Handle digital evidence in a manner that preserves its evidentiary value.

Keep the device on.

There is a huge potential for loss of data if either the battery expires or network activity occurs, causing call logs or other recoverable data to be overwritten.

Be sure to:

Charge the device.

If there is a need to keep the phone on, it should be kept charged and not tampered with. It should then be switched off before transport.

Transport the device.

To protect the device and prevent accidental operation in transit, the phone should be packaged in a rigid container, secured with support ties.

Place the container in an evidence bag.

The container should be placed into an evidence bag sealed to restrict access, and the labeling procedures should be completed for the exhibit.

What else will you need?

Recover any non-electronic evidence from the scene such as written passwords, handwritten notes, blank pads of paper with indented writing, hardware and software manuals, calendars, literature, text or graphical computer printouts, and photographs.

Tactics for Proving Evidence Collection Procedures

Once the evidence is proven to be sound, an attorney may choose to scrutinize the investigator or the evidence collection itself. This section focuses on understanding the potential challenges made to the procedural circumstances of the collection of evidence.

The procedural circumstances are the people, procedures, and technology that collected every piece of evidence, and each one will be assessed in order to determine whether the credibility of the report can be verified. It is the objective of each challenge to rule the evidence invalid or unacceptable to a court.

As one piece of evidence is removed, other evidence that was discovered as a result of the first evidence may also be ruled unacceptable to the court. Every report must proactively address these points.

People Involved in Procedural Circumstances

Those involved in procedural circumstances should be qualified investigators, assigned to collect and analyze evidence. Since evidence collection can generally only be done once, collection must always be performed or supervised by trained professionals.

Professional qualifications are not the only standard by which a forensic evidence collection or analysis may be judged. Moral values or ethical standards may be called into question. Consider the extreme case in which an investigator was terminated for accepting money to plant evidence at a particular scene. In this case, every analysis made by the investigator (uncompromised or not) is suspect because the forensic analyst was proven to be unprofessional through his lack of moral and ethical standards.

Both professionalism and professional qualifications can generally be established quickly and easily by supplying the professional affiliations of the investigators. Many professional associations maintain professional, ethical, and technical qualification standards. Association with one of these professional organizations certifies the investigator. The number, type, and quality of the certifications will vary from association to association.

Technology and Procedure

Agencies such as NIST and DHS routinely vet forensic technology. Certification from such government technology groups is generally sufficient to obtain acceptance of the technology in court. Similarly, certification of the person using the technology, along with documentation that standard procedures were followed, is sufficient to establish acceptance by a court.

This leaves several scenarios unaddressed:

In such cases, the forensic examiner will need to test, verify, and validate the results and be prepared to testify to such processes before the evidence and findings will be relied upon.