Handbook of Information Security Management:Law, Investigation, and Ethics

Previous Table of Contents Next


Business Record Exemption to the Hearsay Rule

Federal Rule of Evidence 803(6) allows a court to admit a report or other business document made at or near the time by, or from information transmitted by, a person with knowledge, if it was kept in the course of regularly conducted business activity, and if it was the regular practice of that business activity to make the report or document, all as shown by the testimony of the custodian or another qualified witness, unless the source of the information or the method or circumstances of preparation indicate a lack of trustworthiness.

To meet Rule 803(6) the witness must:

  Have custody of the records in question on a regular basis.
  Rely on those records in the regular course of business.
  Know that they were prepared in the regular course of business.

Audit trails meet these criteria if they are produced in the normal course of business. The process that produces the output must also be shown to be reliable. If computer-generated evidence is offered and admitted, the court may order disclosure of the details of the computer, its logs, and the maintenance records for the system that generated the printout, and the defense may then use that material to attack the reliability of the evidence. If the audit trails are not actually used or reviewed in the regular course of business (at a minimum the exceptions, such as failed log-on attempts), they do not meet the criteria for admissibility under this rule.

Federal Rule of Evidence 1001(3) offers a second route, through its definition of an "original": any printout or other output of computer-stored data that is shown to reflect the data accurately. Under it a memory or disk dump can be admitted even though it was not produced in the regular course of business. Such a dump is offered purely as a statement of fact about the machine. System dumps (in binary or hexadecimal) are not hearsay at all, because they are not offered to prove the truth of anything asserted in their contents, only the state of the computer at the time they were taken.

Chain of Evidence: Custody

Once evidence is seized, the next step is to provide for its accountability and protection. The chain of evidence, which provides that accountability, must be adhered to by law enforcement in any criminal investigation, including a computer crime investigation, and it minimizes the opportunity for tampering. The chain of evidence must account for every person who handled, or had access to, the evidence in question.

The chain of evidence shows:

  Who obtained the evidence.
  Who secured the evidence.
  Who had control or possession of the evidence.

It may be necessary to have anyone associated with the evidence testify at trial. Private citizens are not required to maintain the same level of control of the evidence as law enforcement, although they are well advised to do so. Should an internal investigation result in the discovery and collection of computer-related evidence, the investigation team should follow the same, detailed chain of evidence as required by law enforcement. This will help to dispel any objection by the defense that the evidence is unreliable, should the case go to court.

Admissibility of Evidence

The admissibility of computer-generated evidence is, at best, a moving target. Computer-generated evidence is always suspect because of the ease with which it can be altered, often without leaving a trace. Precautionary measures must be taken to ensure that computer-generated evidence has not been tampered with, erased, or added to. To ensure that only relevant and reliable evidence enters the proceedings, the judicial system applies the concept of admissibility:

  Relevancy of evidence: evidence tending to prove or disprove a material fact. All evidence in court must be relevant and material to the case.
  Reliability of evidence: the evidence and the process to produce the evidence must be proven to be reliable. This is one of the most critical aspects of computer-generated evidence.

Once computer-generated evidence meets the business record exemption to the hearsay rule, is not excluded on a technicality or for a procedural violation, and has followed an unbroken chain of custody, it is held to be admissible. The defense will attack both the relevancy and the reliability of the evidence, so great care should be taken to protect both.
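The chain of evidence must show who obtained, secured, and possessed the item, and the tampering precaution above must make any alteration detectable. As an added example (not from the handbook, and not a law-enforcement form), the following Python ledger records each hand-off of a digital evidence item together with a SHA-256 digest of the evidence image as that person received it, and hash-chains the entries so that editing an earlier log entry is also detectable. The case number, item number, names, timestamps, locations, and evidence bytes are all constructed for the illustration.

```python
"""Hypothetical chain-of-custody ledger for one digital evidence item.

Added example; not part of the handbook. Every entry records who took the
item, what they did with it, when, and where, plus the SHA-256 digest of the
evidence image at that moment. Each entry also carries the digest of the
previous entry, so removing or rewriting an earlier entry breaks the chain.
All identifiers and data below are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    seq: int
    who: str            # person who obtained, secured, or took possession
    action: str         # collected / stored / transferred / presented / returned
    when: str           # ISO-8601 timestamp as written in the log book
    location: str       # specific enough for later recollection in court
    evidence_hash: str  # digest of the evidence image as handled by this person
    prev_hash: str      # digest of the previous entry ("" for the first entry)

    def digest(self) -> str:
        # Canonical JSON so an independent verifier reproduces the same digest.
        return sha256_hex(json.dumps(asdict(self), sort_keys=True).encode())


class CustodyLog:
    def __init__(self, case_number: str, item_id: str):
        self.case_number = case_number
        self.item_id = item_id
        self.entries: List[CustodyEntry] = []

    def record(self, who: str, action: str, when: str, location: str,
               evidence: bytes) -> CustodyEntry:
        prev = self.entries[-1].digest() if self.entries else ""
        entry = CustodyEntry(len(self.entries), who, action, when, location,
                             sha256_hex(evidence), prev)
        self.entries.append(entry)
        return entry

    def verify(self) -> List[str]:
        """Return a list of problems; an empty list means the chain is intact."""
        if not self.entries:
            return ["empty log"]
        baseline = self.entries[0].evidence_hash  # digest taken at collection
        problems = []
        for i, e in enumerate(self.entries):
            expected_prev = self.entries[i - 1].digest() if i else ""
            if e.seq != i:
                problems.append(f"entry {i}: sequence number {e.seq} out of order")
            if e.prev_hash != expected_prev:
                problems.append(f"entry {i}: ledger link broken (entry edited or removed)")
            if e.evidence_hash != baseline:
                problems.append(f"entry {i}: evidence changed while held by {e.who}")
        return problems


IMAGE = b"constructed disk image bytes: MBR...FAT...user files..."  # constructed


def start_log(image: bytes) -> CustodyLog:
    """Collection and secure storage, the first two stages of the life cycle."""
    log = CustodyLog(case_number="CASE-0001", item_id="ITEM-01")  # constructed
    log.record("A. Investigator", "collected", "2024-03-01T09:15:00Z", "Server room, rack 3", image)
    log.record("B. Custodian", "stored", "2024-03-01T11:40:00Z", "Evidence locker 7", image)
    return log


def demo_chain(tampered: bool = False) -> List[str]:
    """Walk the item to court; optionally alter the image after storage."""
    image = IMAGE
    log = start_log(image)
    if tampered:
        image = image.replace(b"user files", b"USER FILES")  # simulated alteration
    log.record("C. Examiner", "transferred", "2024-03-04T14:00:00Z", "Forensic lab", image)
    log.record("B. Custodian", "presented", "2024-05-20T10:00:00Z", "Courtroom 2", image)
    return log.verify()


def demo_ledger_edit() -> List[str]:
    """Someone later rewrites the storage entry to hide where the item sat."""
    log = start_log(IMAGE)
    log.record("C. Examiner", "transferred", "2024-03-04T14:00:00Z", "Forensic lab", IMAGE)
    log.record("B. Custodian", "presented", "2024-05-20T10:00:00Z", "Courtroom 2", IMAGE)
    e1 = log.entries[1]
    log.entries[1] = CustodyEntry(e1.seq, e1.who, e1.action, e1.when, "Unknown",
                                  e1.evidence_hash, e1.prev_hash)
    return log.verify()


if __name__ == "__main__":
    print("intact chain:", demo_chain())
    print("altered image:", demo_chain(tampered=True))
    print("edited ledger:", demo_ledger_edit())
```

The digest taken at collection is the baseline; every later holder's digest is compared against it, so the report names the first person in whose hands the image differs, which is the question the defense will ask. The ledger link check is separate: it catches a rewritten or deleted log entry even when the evidence itself is unchanged.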

Evidence Life Cycle

The evidence life cycle starts with the discovery and collection of the evidence. It then progresses through the following stages until the evidence is finally returned to the victim or owner:

  Collection and identification.
  Storage, preservation, and transportation.
  Presentation in court.
  Return to the victim (i.e., the owner).

Collection and Identification

As the evidence is obtained or collected, it must be properly marked so that it can be identified as being that particular piece of evidence gathered at the scene. The collection must be recorded in a log book identifying that particular piece of evidence, the person who discovered it, and the date, time, and location discovered. The location should be specific enough for later recollection in court. When marking evidence, these guidelines should be followed:

  If marking will not damage it, the actual piece of evidence should be marked by writing or scribing initials, the date, and the case number (if known). The evidence should then be sealed in an appropriate container, and the container marked in the same way.
  If the actual piece of evidence cannot be marked, the evidence should be sealed in an appropriate container and the container marked by writing or scribing initials, the date, and the case number (if known).
  The container should be sealed with evidence tape, and the marking should extend across the tape so that a broken seal is noticeable.

When marking glass or metal, a diamond scriber should be used. For all other objects, a felt-tip pen with indelible ink is recommended. Depending on the nature of the crime, the investigator may wish to preserve latent fingerprints. If so, static-free nitrile gloves should be used when working with computer components, instead of standard latex gloves.





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course this version is getting a bit old and may not contain all of the info that the latest version covers; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.