2. DISCOVERY OF ELECTRONIC EVIDENCE
What is Electronic Evidence?
EE’s Admissibility
Electronic Evidence Discovery
Case Study
Conclusion
3. ELECTRONIC EVIDENCE
Electronic evidence or digital evidence is any probative information stored
or transmitted in digital form that a party to a court case may use at trial.
The digital era has increased the dependency organizations and people have
on electronic storage media.
Files, transactional records, mail communication and data are maintained
electronically in computer systems and on servers.
All these files and data become potential evidence in the event of an
incident or litigation.
4. ELECTRONIC EVIDENCE ADMISSIBILITY
The use of digital evidence has increased in the past few decades.
Courts have allowed the use of e-mails, digital photographs, word
processing documents, files saved from accounting programs, spreadsheets
etc.
Internet browser histories, instant message histories, the contents of
computer memory, computer backups, and digital video or audio files are
also important forms of electronic evidence that are being considered in
federal courts these days.
5. ELECTRONIC EVIDENCE ADMISSIBILITY
Many courts in the United States have applied the Federal Rules of
Evidence to digital evidence in a similar way to traditional documents.
In addition, digital evidence tends to be more voluminous, more difficult to
destroy, easily modified, easily duplicated, potentially more expressive, and
more readily available.
It is becoming more common for lawyers to seek production of entire
computer hard disk drives, floppy diskettes, Zip disks, CD-ROMs, cell
phones, and palm computer devices.
6. ELECTRONIC EVIDENCE DISCOVERY
Since electronic evidence can easily be altered, its discovery and
admissibility are subject to the procedure followed in gathering, processing
and presenting it.
There are certain guidelines, such as the UK ACPO guidelines and the ADAM
Principles proposed in a doctoral thesis.
Electronic evidence is admissible in court only if the above guidelines are
followed and no illegitimate actions or procedures were used in gathering
it.
7. UK ASSOCIATION OF CHIEF POLICE OFFICERS GUIDELINES
Principle 1: No action taken by law enforcement agencies, persons employed within those
agencies or their agents should change data which may subsequently be relied upon in court.
Principle 2: In circumstances where a person finds it necessary to access original data, that
person must be competent to do so and be able to give evidence explaining the relevance
and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to digital evidence should
be created and preserved. An independent third party should be able to examine those
processes and achieve the same result.
Principle 4: The person in charge of the investigation has overall responsibility for ensuring
that the law and these principles are adhered to.
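Principles 1 and 3 can be made checkable in practice. The following is an added example, not part of the original slides: a hash-chained audit trail that an independent third party can re-verify against the evidence. SHA-256, the entry format, the function names and the sample "disk image" are assumptions made for illustration; the ACPO text does not prescribe them.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first log entry

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(body: dict) -> str:
    # Canonical JSON so a third party recomputes exactly the same bytes.
    return digest(json.dumps(body, sort_keys=True).encode())

def record(trail: list, examiner: str, action: str, evidence: bytes, when: str) -> None:
    """Append one audit entry that commits to the evidence and the prior entry."""
    body = {
        "examiner": examiner,
        "action": action,
        "when": when,
        "evidence_sha256": digest(evidence),
        "prev": trail[-1]["entry_hash"] if trail else GENESIS,
    }
    trail.append({**body, "entry_hash": entry_digest(body)})

def verify(trail: list, evidence: bytes) -> list:
    """Independent re-check: returns a list of findings, empty if reproducible."""
    findings, prev = [], GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or entry_digest(body) != entry["entry_hash"]:
            findings.append(f"entry {i}: audit record altered or out of order")
        if entry["evidence_sha256"] != trail[0]["evidence_sha256"]:
            findings.append(f"entry {i}: evidence changed during '{entry['action']}'")
        prev = entry["entry_hash"]
    if trail and digest(evidence) != trail[0]["evidence_sha256"]:
        findings.append("evidence presented differs from what was acquired")
    return findings

def sample_case():
    """Constructed data: a fake disk image and three logged actions."""
    image = b"constructed disk image bytes \x00\x01\x02" * 64
    trail = []
    record(trail, "examiner-a", "acquire image (write blocker)", image, "2024-01-10T09:00:00Z")
    record(trail, "examiner-a", "create working copy", image, "2024-01-10T09:20:00Z")
    record(trail, "examiner-b", "keyword search on working copy", image, "2024-01-11T14:05:00Z")
    return image, trail

if __name__ == "__main__":
    image, trail = sample_case()
    print(verify(trail, image))              # untouched evidence and log
    print(verify(trail, image + b"edited"))  # evidence modified after acquisition
```

An empty result means the reviewer reproduced every recorded digest; any finding names the entry or the evidence that no longer matches.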
8. ELECTRONIC EVIDENCE DISCOVERY
With businesses and individuals relying on computers for data processing, scheduling,
and communications, it is possible to discover anything from background information
to the “smoking gun” document by investigating what is on your opponent’s computer
systems.
For evidence discovery, where the basics are concerned, the investigator is occupied
with safeguarding the chain of custody.
During the planning stage, emphasis is given to understanding the information being
sought.
Backups of discovered information files are critical to the overall process, and tools
such as revision-control software can be very handy for this task.
9. CASE STUDY
In Aguimatang v. California State Lottery, the court gave near per
se treatment to the admissibility of digital evidence stating "the computer
printout does not violate the best evidence rule, because a computer
printout is considered an ‘original.’" [234 Cal. App. 3d 769, 798.]
On November 12, 1980, a grand jury sitting in the Southern District of
Texas backed up electronic evidence admissibility, stating that "computer
data compilations… should be treated as any other record." [US v. Vela,
673 F.2d 86, 90]
10. CONCLUSION
Electronic Evidence is any digital document or file that can be used in a case
in court.
There are certain guidelines that need to be followed in case of evidence
gathering and presentation.
The case studies we presented show how federal law and the courts have
admitted electronic evidence in their cases.
11. IDENTIFICATION OF DATA
What is Data and how is it relevant?
Importance of time in Data Identification
Forensic Analysis of data
Conclusion
12. WHAT IS DATA?
Computer forensics covers the preservation, identification, extraction and
documentation of computer evidence; the evidence stored in the form of
magnetically encoded information is called data.
Data is stored in files as well as in dumps and the slack space of the storage device.
A user might access and delete evidence or case-related data from the visible
space of the storage media, but the data still resides in temp files and is never actually
deleted.
It is this information that benefits law enforcement and military agencies in
intelligence gathering and in the conduct of investigations.
13. IDENTIFICATION OF DATA?
Data can be written or hidden in “extra” tracks, sectors, hidden partitions
and unallocated space.
Massive amounts of data may be written to file slack areas or hidden by
diffusion into binary objects or steganography.
Electronic eavesdropping techniques concerning cellular telephones and
personal pagers, and search methodologies, are highly helpful in the
identification of data.
There can be a huge amount of data available, but the data relevant to the
case must be identified and presented separately.
14. IMPORTANCE OF TIME IN DATA IDENTIFICATION
The time associated with data gathered in any case is highly relevant and can
change the entire meaning of the evidence gathered.
Many organizations record a time for all their transactions, which proves
highly beneficial in litigation cases in proving the predecessor or a file’s
originality.
Accurate timekeeping is an advanced science, an avocation practiced by
hundreds of scientists around the world.
Clock filters and Autokey methods are widely used for setting up security.
15. FORENSICS ANALYSIS OF DATA
Forensic Data Analysis (FDA) is a branch of Digital forensics.
It examines structured data with regard to incidents of financial crime.
The aim is to discover and analyse patterns of fraudulent activities.
The analysis of large volumes of data is typically performed in a separate
database system run by the analysis team.
In order to analyse large structured data sets with the intention of detecting
financial crime it takes at least three types of expertise in the team.
16. FORENSICS ANALYSIS OF DATA
Live systems are usually not dimensioned to run extensive individual analysis
without affecting the regular users.
On the other hand, it is methodically preferable to analyse data copies on separate
systems and protect the analysis teams against the accusation of altering original
data.
The combination of different databases, in particular data from different systems or
sources is highly effective.
These data sources are either unknown to the perpetrator or such that they cannot
be manipulated by the perpetrator afterward.
17. CONCLUSION
Data preservation, identification and extraction are a necessary part of digital
forensics, so analysing data in a proper manner is an important task.
Identification and processing of relevant data is a big and essential task for
digital forensics.
For data analysis, timestamps, clock filters, auto keys and clock time are important
factors in digital forensics evaluation.