Computer Forensics and Security: Chapter 3: Digital Evidence in the Court Room
The section of the Federal Rules of Evidence, Rule 901(b)(9), titled "Requirement of Authentication or Identification", includes what?
"Evidence describing a process or system used to produce a result and showing that the process or system produces an accurate result"
With the advent of photocopiers, scanners, computers, and other technology that can create effectively identical duplicates, copies become acceptable in place of the original, unless what?
"A genuine question is raised as to the authenticity of the original or the accuracy of the copy or under the circumstances it would be unfair to admit the copy in lieu of the original"
The purpose of a court room is to administer justice, and the role of who in this context is to present supporting facts and probabilities?
Digital investigators
Proving that someone distributed materials online is challenging and generally requires multiple data points that enable the court to connect the data back to the defendant beyond what?
A reasonable doubt
Who are often pressured, both subtly and overtly, to concentrate on specific areas of inquiry and to reach conclusions that are favorable to a particular party?
Digital investigators
Who may be confronted with a difficult choice of renouncing such truth or facing the consequences of holding an unpopular belief?
Digital investigators
Who should be able to estimate and describe the level of certainty underlying their conclusions to help fact-finders determine the weight to attach?
Digital investigators
____________________ ________________ can also be influenced by the pressures of their peers.
Digital investigators
The most common mistake that prevents digital evidence from being admitted by courts is that it is obtained with authorization. True/False?
False - it is obtained without authorization
In "science," we are trying to identify rules that are universally false. True/False?
False - trying to identify rules that are universally true
The most effective way to counteract preconceived theories is to employ a methodology that compels digital investigators to find flaws in their theories, a practice known as ________________.
Falsification
Give an example of a finding at the C6 level of certainty.
Files containing known child pornography were found on the defendant's computer, on the basis of hash values of the files matching known child pornography and a visual inspection of the file contents.
The case of United States v. Tank is significant because it is one of the first to deal with what?
The authentication of chat logs
The other approach is to examine the actual digital evidence for evidence of tampering and other damage. This is one of the general approaches to assessing whether digital evidence can be relied upon in court. True/False?
True
The source IP address of network traffic may be assigned to a proxy device rather than the actual originating computer, and GPS coordinates on a mobile device or satellite navigation system can be inaccurate. True/False?
True
The system clock on a computer can be incorrect, and date-time stamps can be interpreted incorrectly. True/False?
True
There are two general approaches to assessing whether digital evidence can be relied upon in court. True/False?
True
When describing the level of certainty associated with a particular finding, some digital investigators use an informal system of degrees of likelihood that can be used in both the affirmative and negative sense. What are these degrees of likelihood?
Almost definitely, most probably, probably, very possibly, and possibly
In the past, the majority of legislation in the United States and United Kingdom followed the first approach, instructing courts to evaluate computer-generated records on the basis of the reliability of the system and process that what?
Generated records
In some instances investigators will face what if they feel that a miscarriage of justice has occurred?
An ethical dilemma
Analysis of digital evidence requires interpretation that forms the basis of what?
Any conclusions reached
In 2009, the U.S. 9th Circuit Court recommended stricter controls for forensic analysis of digital evidence, challenging the concept of plain view in the digital dimension and suggesting approaches to reduce the risk of what?
Associated privacy violations
In one case, a suicide note on a computer raised concern because it had a creation date after the victim's death. It transpired that the computer clock was incorrect and the note was actually written when?
Before the suicide
In common law countries, what is the standard of proof for criminal prosecutions, and what is it for civil disputes?
Beyond a reasonable doubt; balance of probabilities
To be an effective digital investigator and expert witness, it is necessary to be more self-aware and resistant to subtle influences like ________________, ________________, and ________________.
Bias, emotion, and greed
Having standard operating procedures, continuing education, and clear policies helps to maintain consistency and prevent what?
Contamination of evidence
In fact, presenting a copy of what is usually more desirable because it eliminates the risk that the original will be accidentally altered?
Digital evidence
After the ___________ ____________ is preserved, it is generally prudent to obtain a warrant to conduct a forensic examination of the digital evidence.
Digital evidence
Although courts have been somewhat lenient in the past on improper handling of evidence, more challenges are being raised relating to evidence handling procedures as more judges and attorneys become familiar with what?
Digital evidence
Have the Fourth Amendment and/or ECPA requirements been met? This is one of four questions that investigators must consider when searching and seizing what?
Digital evidence
In 1997, the UK Law Commission recommended the repeal of Section 69 of PACE (Law Commission, 1997), noting the difficulties in asserting the reliability of computer systems, criticizing Section 69 because evidence admitted under it might still be unreliable, and observing that it failed to address the major causes of inaccuracy in what?
Digital evidence
In 2007, a case in Maryland dealt with the admissibility of what specifically and provided general guidelines for reaching a decision?
Digital evidence
In addition to requiring digital investigators to be honest and forthright, courts are concerned with the authenticity of what they present?
Digital evidence
In general, when assessing the reliability of what is it most effective to focus on the evidence itself rather than on the reliability of the process that created it?
Digital evidence
In some cases, the opposing party will attempt to cast doubt on more malleable forms of ___________________ _____________________, such as logs of online chat sessions.
Digital evidence
Members of law enforcement who conducted an investigation and apprehended a defendant may be required to present what objectively in court, and may have the duty to identify weaknesses in the prosecution's case?
Digital evidence
More courts are likely to acknowledge the distinction between computer-generated and computer-stored records as they become familiar with what, and as more refined methods for evaluating the reliability of computer-generated data become available?
Digital evidence
Regarding exigency, a warrantless search can be made for any emergency threatening life and limb or in which what is imminently likely to be altered or destroyed?
Digital evidence
The field of digital forensics does not currently have formal mathematics or statistics to evaluate levels of certainty associated with ______________________ _________________.
Digital evidence
The reliability of what clearly plays a critical role in the authentication process as discussed in more detail later in this chapter?
Digital evidence
There is clearly a need for a more formal and consistent method of referring to the relative certainty of different types of what?
Digital evidence
When there are concerns that what was mishandled and that potentially exculpatory information was destroyed, courts must decide whether to admit the evidence?
Digital evidence
__________________ ____________________ might not be admitted if it contains hearsay, because the speaker or author of the evidence is not present in court to verify its trustworthiness.
Digital evidence
Documenting the location of bad sectors will help a ______________________ ___________________ determine whether they are allocated to files that are important to the case.
Digital investigator
Courts depend on the trustworthiness of ______________ ______________ and their ability to present evidence accurately.
Digital investigators
Generally, in the prosecutorial environment, theories based upon scientific truth are subordinate to legal judgement and who must accept the ruling of the court?
Digital investigators
If a prime suspect emerges as an investigation progresses, who must resist the urge to formally assert that an individual is guilty, even though it is an investigator's duty to champion the truth?
Digital investigators
In one case, who inadvertently booted the evidential computer but were able to satisfy the court that the digital evidence could still be trusted?
Digital investigators
The U.S. Federal Rules of Evidence, the UK Police and Criminal Evidence Act (PACE) and the Civil Evidence Act, and similar rules of evidence in other countries were established to help evaluate what?
Evidence
Because an exact duplicate of most forms of digital evidence can be made, a copy is generally not acceptable. True/False?
False - a copy is generally acceptable
Investigators have to convince a judge or magistrate that, in all probability a crime has not been committed. True/False?
False - a crime has been committed
Other issues that may prevent digital evidence from being admitted by courts are what?
Improper handling and illegal search and seizure
Computers can introduce errors and uncertainty in various ways, including what?
In the time and location of events
_________________ ______________ helps demonstrate that digital evidence has not been altered since it was collected.
Integrity documentation
The level of certainty that digital investigators assign to their findings is influenced by their ___________________ and ______________________.
Knowledge and experience
When technical evidence supporting theories based on scientific truth is presented to a group of reviewers who are not familiar with the methods used, what may occur?
Misunderstandings and misconceptions
Some jurisdictions have rules relating to admissibility that are formal sometimes inflexible while other jurisdictions give judges what?
More discretion
During the collection or seizure phase of a digital investigation, having someone on the search team who is trained to handle digital evidence can reduce the number of people who handle the evidence, thereby streamlining the what?
Presentation of evidence
Some digital investigators say that the evidence "suggests" that something is in the realm of possibility and that the evidence "indicates" that something is what?
Probable
The magistrate outlined five issues that must be considered when assessing whether digital evidence will be admitted. What are these five issues?
Relevance, authenticity, not hearsay or admissible hearsay, best evidence, not unduly prejudicial
The court process differs from the scientific peer review, where reviewers are qualified to understand and comment on what with credibility?
Relevant facts and methods
To authenticate digital evidence, it may also be necessary to assess its what?
Reliability
In nearly all trials, what kind of evidence is only part of the total picture?
Scientific and technical
______________ ______________ in the United Kingdom and other European countries can be more loosely defined than in the United States.
Search warrants
At the outset of an investigation, there is some form of what?
Suspicion, alert, or accusation
Even when investigators are authorized to search a computer, they must maintain focus on what?
The crime under investigation
The rationale for this approach is that, because records of this type are not the counterpart of a statement by a human declarant, which should ideally be tested by cross-examination of that declarant, they should not be treated as hearsay, but rather their admissibility should be determined on the basis of the reliability and accuracy of the process involved. True/False?
True
When dealing with the contents of a writing, recording, or photograph, courts sometimes require what?
The original evidence
The first approach is to focus on whether the computer that generated the evidence was functioning normally. This is one of the general approaches to assessing whether digital evidence can be relied upon in court. True/False?
True
The main risk of developing full hypotheses before closely examining available evidence is that investigators will impose preconceptions during evidence and analysis, potentially missing or misinterpreting a critical clue simply because it does not match their notion of what occurred. True/False?
True
When a client tells a digital investigator how dishonest the other party is or presents the case in a way that is intended to garner sympathy, the digital investigator must resist any urge to form opinions about the case based on what?
These emotional needs
Although courts evaluate all computer-generated data as business records under the hearsay rule, this approach may be inappropriate when a person was not involved. True/False?
True
Although digital investigators could conceivably assign a C-Value to each piece of evidence they have analyzed, that approach can add confusion rather than clarity. True/False?
True
An e-mail message may be used to prove that an individual made certain statements, but cannot be used to prove the truth of the statements it contains. True/False?
True
Before deciding to take legal action, organizations must consider if they are required to disclose information about their systems that may be sensitive (e.g., network topology, system configuration information, and source code of custom monitoring tools) and other details about their operations that they may not want to make public. True/False?
True
Computer security professionals in the private sector often have to investigate longtime coworkers, and cases in all sectors can involve brutal abuse of innocent victims, inciting distraught individuals and communities to strike out at the first available suspect. True/False?
True
Courts generally ask if the recovered evidence is the same as the originally seized data when considering whether digital evidence is admissible. True/False?
True
Courts need to determine whether evidence is "safe" to put before a jury and will provide a solid foundation for making a decision in the case. True/False?
True
Data that depend on humans for their accuracy, such as entries in a database that are derived from information provided by an individual, are admissible under the business record exception if they meet the above description. True/False?
True
Digital investigators must be extremely firm on what conclusions the evidence supports to avoid being swayed by an attorney trying to push the limits on evidence. True/False?
True
Digital investigators must generally accept an attorney's decision not to proceed with a case or not to disclose certain evidence. True/False?
True
Does the Fourth Amendment and/or the Electronic Communications Privacy Act (ECPA) apply to the situation? This is one of four questions that investigators must consider when searching and seizing digital evidence. True/False?
True
Identifying and isolating falsified records in a specific log file or bad sectors on a hard drive enables fact-finders to rely on the remaining reliable data. True/False?
True
In fact, computer-generated data may not be considered hearsay at all because they do not contain human statements or they do not assert a fact but simply document an act. True/False?
True
In situations where the hash value of digital evidence differs from the original, it may be possible to isolate the altered portions and verify the integrity of the remainder. True/False?
True
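The two items above (integrity documentation, and isolating altered portions when the hash of a copy no longer matches) are easiest to see in code. The following is an added example, not code from the page or from any forensic tool: it records a whole-image SHA-256 together with one SHA-256 per fixed-size block at acquisition time, so that a later copy whose overall hash fails can still be verified block by block and the untouched blocks documented as intact. The 512-byte block size, the sample "image", and the known-file hash set are all constructed assumptions for illustration; a real acquisition would hash the actual device and use an established hash set.

```python
"""Integrity documentation for an acquired image, with block-level isolation.

Added example (constructed data, hypothetical 512-byte blocks). Not the page's
own code and not taken from any forensic tool.
"""
import hashlib
from dataclasses import dataclass

BLOCK_SIZE = 512  # assumption: treat each 512-byte sector as one verifiable unit


@dataclass(frozen=True)
class IntegrityRecord:
    """What is written into the evidence log at acquisition time."""
    image_sha256: str
    block_size: int
    block_sha256: tuple  # one digest per block, in image order


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def split_blocks(image: bytes, block_size: int) -> list:
    return [image[i:i + block_size] for i in range(0, len(image), block_size)]


def make_integrity_record(image: bytes, block_size: int = BLOCK_SIZE) -> IntegrityRecord:
    """Hash the whole image and every block of it; both go into the record."""
    block_hashes = tuple(sha256_hex(b) for b in split_blocks(image, block_size))
    return IntegrityRecord(sha256_hex(image), block_size, block_hashes)


def verify_image(image: bytes, record: IntegrityRecord) -> dict:
    """Check a later copy against the acquisition-time record.

    If the whole-image hash still matches, nothing changed. Otherwise compare
    block by block so the altered blocks are isolated and the rest can be shown
    intact. A copy with a different number of blocks fails too; the missing or
    extra block indexes are reported as altered.
    """
    if sha256_hex(image) == record.image_sha256:
        return {"whole_image_ok": True, "altered_blocks": [],
                "intact_blocks": len(record.block_sha256)}
    current = [sha256_hex(b) for b in split_blocks(image, record.block_size)]
    altered = []
    for idx in range(max(len(current), len(record.block_sha256))):
        if (idx >= len(current) or idx >= len(record.block_sha256)
                or current[idx] != record.block_sha256[idx]):
            altered.append(idx)
    intact = sum(1 for idx in range(len(record.block_sha256)) if idx not in altered)
    return {"whole_image_ok": False, "altered_blocks": altered, "intact_blocks": intact}


def match_known_hashes(file_data: bytes, known_hashes: set) -> bool:
    """Hash-set lookup: is this file's digest in a set of known files?

    A match identifies the file; the content should still be inspected before
    the finding is stated at a high level of certainty.
    """
    return sha256_hex(file_data) in known_hashes


# --- constructed sample data (not real evidence) ---

def sample_image() -> bytes:
    """Four 512-byte 'sectors', each filled with a different byte value."""
    return b"".join(bytes([0x41 + i]) * BLOCK_SIZE for i in range(4))


def tamper_block(image: bytes, idx: int, block_size: int = BLOCK_SIZE) -> bytes:
    """Flip one byte inside block idx, simulating an accidental alteration."""
    start = idx * block_size
    return image[:start] + bytes([image[start] ^ 0xFF]) + image[start + 1:]


if __name__ == "__main__":
    original = sample_image()
    record = make_integrity_record(original)
    print(verify_image(original, record))
    print(verify_image(tamper_block(original, 2), record))
```

Recording the per-block digests at acquisition costs little and is what makes the later isolation possible; a single whole-image hash can only say that something changed, not where. The block size is a design choice: smaller blocks isolate damage more precisely at the cost of a longer record.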
Individuals processing evidence must realize that, in addition to being pertinent, evidence must meet certain standards to be admitted. True/False?
True
Investigators have to convince a judge or magistrate that, in all probability evidence of crime is in existence. True/False?
True
Investigators have to convince a judge or magistrate that, in all probability the evidence is likely to exist at the place to be searched. True/False?
True
It is the duty of the digital investigators to present findings in a clear, factual, and objective manner. True/False?
True
It is the human condition to have emotional reactions, harbor prejudices, and be subject to other subtle influences. True/False?
True
On Internet Relay Chat (IRC), for example, in addition the chat window, there may be important information in other areas of an IRC client such as the status window and private chat or fserve windows. True/False?
True
Some digital investigators use the term likely to express a lower level of certainty than probably, whereas others treat these terms as synonyms. True/False?
True
The Canadian case against Pecciarich provides an interesting example of what may be considered hearsay in the context of online activities. True/False?
True
The Fourth Amendment requires that a search warrant be secured before law enforcement officers can search a person's house, person, papers, and effects. True/False?
True
To demonstrate that digital evidence is authentic, it is generally necessary to satisfy the court that it was acquired from a specific computer and/or location, that a complete and accurate copy of the digital evidence was acquired, and that it has remained unchanged since it was collected. True/False?
True
What do investigators need to reenter? This is one of four questions that investigators must consider when searching and seizing digital evidence. True/False?
True
When a large amount of data is missing on a computer and an intruder is suspected, digital investigators should determine if the damage is more consistent with disk corruption than an intrusion. True/False?
True
When digital investigators have a low level of confidence in the available digital evidence, they may not be able to reach a conclusion without additional corroborating information. True/False?
True
Generally, a _______________ is required to search and seize evidence.
Warrant
In the United Kingdom, for instance, there are several kinds of warrants (e.g., a specific premises warrant, an all-premises warrant, and a multiple entry warrant), and they do not have to specify what?
What things will be seized