Handbook of Information Security Management:Law, Investigation, and Ethics

RULES OF EVIDENCE

Before delving into the investigative process and computer forensics, it is essential that the investigator have a thorough understanding of the Rules of Evidence. The submission of evidence in any type of legal proceeding generally amounts to a significant challenge, but when computers are involved, the problems are intensified. Special knowledge is needed to locate and collect evidence and special care is required to preserve and transport the evidence. Evidence in a computer crime case may differ from traditional forms of evidence inasmuch as most computer-related evidence is intangible — in the form of an electronic pulse or magnetic charge.

Before evidence can be presented in a case, it must be competent, relevant, and material to the issue, and it must be presented in compliance with the rules of evidence. Anything that tends to prove directly or indirectly that a person may be responsible for the commission of a criminal offense may be legally presented against him. Proof may include the oral testimony of witnesses or the introduction of physical or documentary evidence.

By definition, evidence is any species of proof or probative matter, legally presented at the trial of an issue, by the act of the parties and through the medium of witnesses, records, documents, and objects for the purpose of inducing belief in the minds of the court and jurors as to their contention. In short, evidence is anything offered in court to prove the truth or falsity of a fact in issue. This section describes each of the Rules of Evidence as it relates to computer crime investigations.

Types of Evidence

Many types of evidence exist that can be offered in court to prove the truth or falsity of a given fact. The most common forms of evidence are direct, real, documentary, and demonstrative. Direct evidence is oral testimony, whereby the knowledge is obtained from any of the witness’s five senses and is in itself proof or disproof of a fact in issue. Direct evidence is called to prove a specific act (e.g., an eyewitness statement).

Real evidence, also known as associative or physical evidence, is made up of tangible objects that prove or disprove guilt.

Physical evidence includes such things as tools used in the crime, fruits of the crime, or perishable evidence capable of reproduction. The purpose of the physical evidence is to link the suspect to the scene of the crime. It is the evidence that has material existence and can be presented to the view of the court and jury for consideration.

Documentary evidence is evidence presented to the court in the form of business records, manuals, and printouts, for example. Much of the evidence submitted in a computer crime case is documentary evidence.

Finally, demonstrative evidence is evidence used to aid the jury. It may be in the form of a model, experiment, chart, or an illustration offered as proof.

When seizing evidence from a computer-related crime, the investigator should collect any and all physical evidence, such as the computer, peripherals, notepads, or documentation, in addition to computer-generated evidence. Four types of computer-generated evidence are:

  Visual output on the monitor.
  Printed evidence on a printer.
  Printed evidence on a plotter.
  Film recorder (i.e., a magnetic representation on disk and optical representation on CD).

A legal factor of computer-generated evidence is that it is considered hearsay. The magnetic charge of the disk or the electronic bit value in memory, which represents the data, is the actual, original evidence. The computer-generated evidence is merely a representation of the original evidence; but in Rosenberg v. Collins, the court held that if the computer output is used in the regular course of business, the evidence shall be admitted.

Best Evidence Rule

The best evidence rule, which had been established to deter any alteration of evidence, either intentionally or unintentionally, states that the court prefers the original evidence at the trial rather than a copy, but will accept a duplicate under these conditions:

  The original was lost or destroyed by fire, flood, or other acts of God. This has included such things as careless employees or cleaning staff.
  The original was destroyed in the normal course of business.
  The original is in possession of a third party who is beyond the court’s subpoena power.

This rule has been relaxed to allow duplicates unless there is a genuine question as to the original’s authenticity, or admission of the duplicate would, under the circumstances, be unfair.

Exclusionary Rule

Evidence must be gathered by law enforcement in accordance with court guidelines governing search and seizure, or it will be excluded as set forth in the Fourth Amendment. Any evidence collected in violation of the Fourth Amendment is considered to be “Fruit of the Poisonous Tree,” and will not be admissible. Furthermore, any evidence identified and gathered as a result of the initial inadmissible evidence will also be held to be inadmissible. Evidence may also be excluded for other reasons, such as violations of the Electronic Communications Privacy Act (ECPA) or violations related to provisions of Chapters 2500 and 2700 of Title 18 of the United States Penal Code.

Private citizens are not subject to the Fourth Amendment’s guidelines on search and seizure, but are exposed to potential exclusions for violations of the ECPA or Privacy Act. Therefore, internal investigators, private investigators, and CERT team members should take caution when conducting any internal search, even on company computers. For example, if there is no policy explicitly stating the company’s right to electronically monitor network traffic on company systems, internal investigators would be well advised not to set up a sniffer on the network to monitor such traffic. To do so may be a violation of the ECPA.

Hearsay Rule

Hearsay is secondhand evidence: evidence that is not gathered from the personal knowledge of the witness but from another source. Its value depends on the veracity and competence of the source. Under the Federal Rules of Evidence, all business records, including computer records, are considered hearsay, because there is no firsthand proof that they are accurate, reliable, and trustworthy. In general, hearsay evidence is not admissible in court. However, there are some well-established exceptions (e.g., Rule 803) to the hearsay rule for business records.

The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the info that the latest version is covering; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.