Magnet Forensics recently released a whitepaper entitled “12 Tips for Presenting Digital Evidence in Court.” The title is a bit misleading, as many of the tips pertain to forensic examinations in general and not necessarily to presenting the results before the Court. Protegga will address each of these categories and whether the recommendations presented are valid and/or necessary.
The first seven recommendations presented in the whitepaper primarily focus on the examiner’s knowledge of legal principles, digital forensic tools and methods, and the physical seizure and acquisition of evidence. A basic knowledge of legal principles and their application to electronically stored information should be considered mandatory. Examiners must understand the laws surrounding the seizure of evidence, the need to maintain a chain of custody and its importance in the admissibility of evidence before the Court, and the volatility of digital evidence.
Examiners should also know the capabilities of the forensic tools in their toolkit. While Magnet Forensics suggests examiners be trained and certified in the forensic tools themselves, Protegga’s experience has been that understanding how to use a tool does not mean that the examiner understands the origin or significance of the displayed artifacts. If the examiner does not understand the raw data, how can he or she determine if the forensic tool analyzed the data correctly?
The next two tips presented in the whitepaper deal with correlating artifacts and validating one’s results. As a forensic science, digital forensics relies on the ability to replicate results. Examiners must remember that digital forensic tools are simply tools. Examiners must be able to replicate the same artifacts using multiple tools to ensure that the results are valid. In addition, examiners must rely on multiple artifacts to properly correlate an activity or event.
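One way to make the "replicate with a second tool" step concrete, as an added example that is not part of the whitepaper or of Protegga's own workflow: normalize what two tools report for the same artifact class (here, USB device first-connection records) and separate the artifacts both tools confirm from those only one tool produced, which are the ones the examiner must go back and verify against the raw data. Tool names, record fields and the sample records are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample output: two hypothetical tools parsing the same image.
# Tool B differs only in case and timestamp format, the kind of cosmetic
# difference that must not be mistaken for a disagreement.
TOOL_A = [
    {"artifact": "usb_device", "serial": "4C530001", "first_connected": "2019-03-04T15:22:10Z"},
    {"artifact": "usb_device", "serial": "AA1234", "first_connected": "2019-03-05T09:01:00Z"},
]
TOOL_B = [
    {"artifact": "usb_device", "serial": "4c530001", "first_connected": "2019-03-04 15:22:10 UTC"},
    {"artifact": "usb_device", "serial": "BB9999", "first_connected": "2019-03-06 10:00:00 UTC"},
]


def normalize(rec):
    """Reduce one record to a comparable key: (artifact type, serial, UTC timestamp)."""
    ts = rec["first_connected"].replace(" UTC", "Z").replace(" ", "T")
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (rec["artifact"], rec["serial"].upper(), dt.isoformat())


def cross_validate(tool_a, tool_b):
    """Split artifacts into those both tools reproduce and those only one tool reports.

    'confirmed' entries are independently replicated; 'only_tool_*' entries are
    not wrong by definition, but they cannot be relied on until the examiner has
    checked the underlying raw data (registry hive, setupapi log, etc.) by hand.
    """
    set_a = {normalize(r) for r in tool_a}
    set_b = {normalize(r) for r in tool_b}
    return {
        "confirmed": sorted(set_a & set_b),
        "only_tool_a": sorted(set_a - set_b),
        "only_tool_b": sorted(set_b - set_a),
    }


if __name__ == "__main__":
    result = cross_validate(TOOL_A, TOOL_B)
    for bucket, entries in result.items():
        print(bucket)
        for artifact, serial, when in entries:
            print(f"  {artifact} serial={serial} first_connected={when}")
```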
The final three recommendations actually pertain to the reporting and presentation of one’s findings before the Court. Forensic reports must emphasize key findings and explain the significance of each finding and how it relates to the overall examination. Examiners must be cognizant of their audience and provide analogies and/or visual aids to clearly explain technical concepts. It is also important to provide summaries and timelines, so readers have a clear understanding of the sequence of events. If examiners are able to explain technical information to a lay audience, they will inevitably project confidence and credibility in their testimony.
Written By: Graciela Rubio
After earning her Bachelor of Science degree in Electrical and Computer Engineering from Worcester Polytechnic Institute, Grace joined Protegga in January 2010 as a Computer Forensic Investigator. In addition to over thirteen years of experience in operating systems and application support, networking and hardware support, and systems programming, Grace’s in-depth knowledge of computer systems, electronic data, quality control systems, and reverse engineering has provided the strong foundation needed for a career in computer forensics.
Grace has assisted clients in retrieving and analyzing computer evidence in cases involving Theft of Intellectual Property, Theft of Trade Secrets, Breach of Contract, Hidden Assets, Child Custody, Electronic Tracking, Securities and Exchange Commission Investigations, Department of Justice Antitrust Investigations, Investigations on behalf of Bankruptcy Trustees, Spoliation and Destruction of Evidence, and other legal matters. As an expert witness, Grace has testified in both civil and criminal matters within the United States Bankruptcy Court, the United States District Court, the Superior Court of Washington, and multiple district courts within the State of Texas.