
Discuss the admissibility of electronic evidence in court, and outline the key steps necessary to maintain the chain of custody for digital evidence.



The admissibility of electronic evidence, also known as digital evidence, in court is governed by the same rules of evidence that apply to physical evidence, with some specific considerations due to its unique nature. Courts generally require that electronic evidence be relevant, authentic, complete, and reliable to be admissible. However, because digital data can be easily altered, duplicated, and transmitted, establishing its integrity and trustworthiness is crucial.

Key Considerations for Admissibility:

1. Relevance:
- The evidence must be relevant to the facts at issue in the case. This means that it must have a tendency to make a fact more or less probable than it would be without the evidence.
Example: In a fraud case involving manipulated financial statements, emails discussing the manipulation are highly relevant. A judge would likely admit these emails as evidence.

2. Authentication:
- The party offering the electronic evidence must authenticate it, meaning they must prove that the evidence is what it purports to be. This can be challenging with digital evidence because it is easily altered. Authentication can be achieved through various methods, including:
  - Testimony from a person with knowledge: Someone who created, sent, or received the electronic communication can testify that it is genuine.
  - Comparison with other authenticated evidence: The electronic evidence can be compared to other evidence that has already been authenticated, such as a paper document with a matching signature.
  - Examination of identifying characteristics: The electronic evidence can be examined for unique characteristics, such as metadata, file hashes, or digital signatures, that can verify its authenticity.
Example: An email can be authenticated by having the sender testify that they sent it, by comparing the email's header information with server logs, or by verifying a digital signature attached to the email.

3. Completeness:
- The electronic evidence must be presented in its complete and unaltered form. This is important to ensure that the evidence is not misleading or taken out of context.
Example: Presenting only a portion of an email exchange could be misleading. The entire email thread should be presented to provide context and ensure completeness.

4. Reliability:
- The electronic evidence must be reliable, meaning that it must be trustworthy and accurate. This requires establishing that the methods used to collect, preserve, and analyze the evidence were sound and that the evidence has not been tampered with.
Example: Computer forensic experts may testify about the methods used to extract data from a hard drive and verify that the process did not alter or corrupt the data.

5. Best Evidence Rule:
- The best evidence rule generally requires that the original document be presented in court, rather than a copy. However, courts often admit duplicates of electronic evidence if the original is unavailable and the duplicate is an accurate representation of the original.
Example: A printout of an email is generally admissible as a duplicate of the electronic original, provided that it is a fair and accurate representation of the email.

Key Steps to Maintain Chain of Custody for Digital Evidence:

Maintaining a strict chain of custody is crucial for establishing the admissibility of electronic evidence. The chain of custody is a chronological record of the seizure, custody, control, transfer, analysis, and disposition of evidence. It demonstrates that the evidence has not been altered or tampered with from the time it was collected until it is presented in court.

1. Identification and Seizure:
- Identify the specific electronic devices or data sources that contain potential evidence.
- Properly seize the devices or data sources using established procedures. This may involve powering down the device, removing it from the network, and physically securing it.
- Document the date, time, location, and circumstances of the seizure, as well as the identity of the person who seized the evidence.
Example: Identifying a server containing financial records and properly shutting it down to prevent further data modification. Record the date, time, and the individuals present during the shutdown.

2. Secure Storage:
- Store the electronic evidence in a secure location with limited access. Access should be restricted to authorized personnel only.
- Maintain a log of all access to the evidence, including the date, time, and purpose of the access.
- Ensure that the storage environment is suitable for preserving the evidence. This may involve controlling temperature and humidity to prevent damage to electronic media.
Example: Storing a seized computer in a locked evidence room with climate control. Document every instance someone enters the room, and the reason for their entry.

3. Imaging and Hashing:
- Create a forensic image of the electronic device or data source. A forensic image is a bit-for-bit copy of the entire storage medium, ensuring that all data, including deleted files and metadata, is preserved.
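- Calculate a hash value for the original evidence and the forensic image. A hash value is an effectively unique digital fingerprint of the data: changing even a single bit produces a different hash, so matching hash values for the original and the image show that the copy is exact and can later be used to verify that the data has not changed.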
- Store the original evidence in a secure location and work with the forensic image for analysis.
Example: Using specialized software to create a forensic image of a hard drive and calculating its SHA-256 hash value. Securely store the original hard drive and work exclusively with the forensic image.

4. Preservation of Metadata:
- Preserve all metadata associated with the electronic evidence. Metadata provides valuable information about the creation, modification, and access of the data.
- Ensure that the metadata is not altered or deleted during the collection, preservation, and analysis process.
Example: When collecting emails, preserve the header information, which contains details about the sender, recipient, date, and time of the message.

5. Analysis and Examination:
- Conduct the analysis and examination of the electronic evidence using forensically sound methods.
- Document all steps taken during the analysis, including the tools and techniques used, the findings, and the conclusions reached.
- Ensure that the analysis is conducted by qualified and experienced personnel.
Example: Employing a certified forensic examiner to analyze the forensic image of a computer, documenting every tool used, and every step taken during the examination process.

6. Transportation and Transfer:
- Carefully document all transportation and transfers of the electronic evidence.
- Use secure packaging to protect the evidence from damage during transit.
- Obtain a receipt from the recipient of the evidence, confirming that they have received it and acknowledging their responsibility to maintain the chain of custody.
Example: When shipping a hard drive to a forensic lab, use a secure, tamper-evident container and obtain a signed receipt from the lab confirming its arrival.

7. Secure Deletion and Disposal:
- Once the electronic evidence is no longer needed, securely delete or dispose of it using methods that prevent unauthorized access.
- Document the method of deletion or disposal and the date it was performed.
Example: Using a data wiping program to securely erase all data from a hard drive before it is disposed of or reused. Document the date and method of the data wiping.

Example Scenario:
In a case involving intellectual property theft, an employee is suspected of downloading confidential company files onto a USB drive. To maintain the chain of custody for the USB drive, the following steps would be taken:

1. Identification and Seizure: The USB drive is seized from the employee's desk. The date, time, location, and name of the person seizing the evidence are documented.

2. Secure Storage: The USB drive is placed in an evidence bag, sealed, and stored in a locked evidence locker. Access to the locker is limited to authorized personnel.

3. Imaging and Hashing: A forensic image of the USB drive is created using specialized software. The hash values of the original USB drive and the forensic image are calculated and documented.

4. Analysis and Examination: A forensic examiner analyzes the forensic image to identify any confidential company files that were copied onto the USB drive. All steps taken during the analysis are documented.

5. Transportation and Transfer: If the USB drive needs to be transported to another location for analysis, it is packaged securely and a receipt is obtained from the recipient.

By following these steps, the chain of custody for the USB drive is maintained, and the electronic evidence is more likely to be admissible in court.
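
The hashing and logging steps of the USB drive scenario above, as an added example that is not part of the original answer: it hashes the original and the image in chunks, then keeps a custody log in which each record carries the hash of the previous record, so a later edit to any record is detectable. The hash-linked log goes beyond the plain access log the steps describe; the names, timestamps and drive contents are constructed sample values.

```python
import hashlib
import io
import json

def sha256_stream(stream, chunk_size=1 << 20):
    """Hash a file-like object in chunks so a large image never sits in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def _entry_digest(entry):
    # Canonical JSON (sorted keys) so the same fields always give the same digest.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_entry(log, when, person, action, evidence_sha256):
    """Append a custody record linked to the previous record's hash."""
    entry = {
        "when": when, "person": person, "action": action,
        "evidence_sha256": evidence_sha256,
        "prev_hash": log[-1]["entry_hash"] if log else "0" * 64,
    }
    entry["entry_hash"] = _entry_digest(entry)
    log.append(entry)
    return entry

def verify_log(log, acquisition_sha256):
    """Return a list of problems; an empty list means the log is consistent."""
    problems, prev = [], "0" * 64
    for i, e in enumerate(log):
        if e["prev_hash"] != prev or e["entry_hash"] != _entry_digest(e):
            problems.append(f"entry {i}: record altered or out of sequence")
        if e["evidence_sha256"] != acquisition_sha256:
            problems.append(f"entry {i}: evidence hash differs from acquisition hash")
        prev = e["entry_hash"]
    return problems

def demo():
    # Constructed sample bytes standing in for the seized USB drive and its image.
    original = b"constructed sample: USB drive contents" * 1000
    image = bytes(original)  # stands in for the bit-for-bit forensic image
    h_orig = sha256_stream(io.BytesIO(original))
    h_img = sha256_stream(io.BytesIO(image))
    log = []
    add_entry(log, "2024-01-10T09:15:00Z", "Examiner A", "seized and sealed", h_orig)
    add_entry(log, "2024-01-10T11:00:00Z", "Examiner A", "forensic image created", h_img)
    add_entry(log, "2024-01-12T14:30:00Z", "Lab B", "received for analysis", h_img)
    return h_orig == h_img, log, verify_log(log, h_orig)
```

On a real acquisition, pass `sha256_stream` a file opened in binary mode for the image, with the source device behind a write blocker.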

In conclusion, the admissibility of electronic evidence in court depends on its relevance, authenticity, completeness, and reliability. Maintaining a strict chain of custody is essential for establishing the integrity and trustworthiness of the evidence. By following established procedures for the identification, seizure, storage, imaging, analysis, transportation, and disposal of electronic evidence, fraud examiners can increase the likelihood that the evidence will be admitted in court and used to prove their case.