FEATURE ARTICLE -
Issue 19 Articles, Issue 19: Aug 2007
The arrival of the internet in the public’s eye in the late 1990’s was heralded as an event as revolutionary as the invention of Gutenberg’s press. A decade later, the true effects of digital technologies on communications, publishing, and commerce are only beginning to be appreciated. News reports of novel evidential sources are appearing: records of Google searches used to establish premeditation in murder trials, car air bag sensor data presented as a digital eyewitness in prosecuting unsafe driving.
While the occurrence of cyber-crime and the employment of computer forensics have increased substantially in this time, this revolution has largely bypassed the practice of law. This is due in part to the unique technical difficulties in presenting in court evidence sourced from digital devices, so called digital evidence.
The problem of digital evidence
In the early days of computing, digital evidence was referred to as computer evidence. This typically meant “the regular printout from a computer”. Accompanied by the testimony of a computer expert (usually the person who administered the single mainframe computer system from which these printouts were sourced) such computer evidence tended to be accepted under business document type exceptions to the hearsay rule.
The emergence in the 1980’s of the stand-alone personal computer, and its adoption as a business tool, heralded the genesis of the practice of computer forensics. In this new paradigm of personal computing, the average computer was operated and administered by novice operators. This left relatively few situations where experts were placed to provide useful testimony. In absence of this kind of authority, a new breed of technically minded police and other professionals began considering and explaining the digital artifacts finding their way into investigations and legal matters.
An understanding that digital evidence was fundamentally different from existing types of evidence began to form. Unlike regular document oriented evidence, computer evidence found on computer storage media such as floppy disks conveyed no information per se. The information contained in a computer file is latent; that is, in order to understand the content of a file, one requires software to interpret it. For example, in order to read the contents of a word processing file, one needs to open it with a word processor such as Microsoft Word.
Unlike paper documents, computer evidence is highly volatile, and can be easily and undetectably modified or manufactured. Consequently, establishing authenticity of evidence has tended to be problematic. New types of artifacts of evidentiary value were discovered: deleted files could be recovered, and “slack space” containing portions of old versions of files extracted.
Digital evidence today is voluminous and complex, with growth continuing to accelerate. This complicates investigation; finding digital “smoking guns” becomes more of a needle-in-a-haystack problem.
The relevance of digital forensics today
Today the field of digital forensics has matured to the point that widely accepted protocols and procedures for handling and preserving the authenticity of digital evidence have been developed. A small industry producing digital forensics investigation tools has emerged, and forensics practitioners have begun to organise and consider accreditation. Standards for management of IT evidence are beginning to be considered at a national level.
The skills required for practice of digital forensics remain, however, specialised and distinct from those possessed by other IT professionals. Effective expert opinion on digital evidence or technical systems requires credentials which demonstrate credible expertise, deep technical knowledge, and a methodical approach to investigation. Presenting expert opinion moreover requires an ability to explain highly complex systems in a manner that is accessible to the average finder of fact.
This newly developed area of expertise is for the most part still under-utilised in legal matters. While the courts today regularly admit digital evidence, such evidence is often not subjected to the level of scrutiny appropriate to the volatile nature of digital evidence and the unreliability of computer systems.
Despite the challenges of digital evidence, the shift of communications and commerce to the digital realm presents new opportunities for establishing (or disputing) facts. Far more communication than ever before is committed to records. Water-cooler style gossip is committed to email, and email communication is routinely retained. Computers are now embedded in a plethora of digital devices from MP3 players to car engine management systems to mobile phones, leaving persistent traces of everyday actions. The advent of new forensic techniques and the development of the practice of digital forensics allows for often previously unattainable evidence to be presented in a form acceptable to the courts.
Adapting to a new evidential landscape
The majority of information, especially business records, are now created and maintained in digital form. As such, document discovery and disclosure in civil litigation must address the fact that the subject of discovery is now fundamentally digital evidence. Discovery will increasingly rely on digital forensics techniques to address the problems of identifying potential evidence, verifying authenticity, and finding critical evidence.
Digital information is now ubiquitous in our everyday lives and the use of digital evidence is becoming increasingly relevant in legal matters. While digital evidence carries with it evidentiary challenges including interpretation and establishing authenticity, such evidence presents new opportunities to legal practitioners in advocating for their clients. As legal practitioners recognise the potential of digital evidence the role of the forensic expert will become increasingly significant in bridging the gap between the complexity of the ever-changing technical landscape and legal practice.
Bradley Schatz B.Sc. (Comp. Sci.)
Comment on this article in the Hearsay Forum
About the Author
Bradley Schatz has recently completed his Ph.D. dissertation, the subject of which is digital evidence and computer forensics. He has assisted in bringing a number of civil and criminal defence matters to successful resolutions. Bradley may be contacted on mobile 0422 949 039 and email bradley@evimetry.com.au
