9.1 This chapter addresses the challenges and methodologies associated with proving a fact with electronic evidence, and considers the measures relating to the accreditation of those performing a digital forensic analysis, together with the validation of the technologies, systems and methodologies used. It looks at how and why the correct handling, preserving and analysing of electronic evidence are critical steps in an investigation process to ensure reliability of proof. It explains how the probative value of the evidence can be affected and its reliability compromised when critical procedures or measures are not followed. It further describes the use of automation and technology solutions to enhance the efficiency of investigations, and the controls used to ensure the accuracy and forensic reliability of such investigations.

9.2 All electronic evidence exists, at its most basic level, in binary form. The Binary Digit (‘bit’), which represents a logical state with one of two possible digits, is typically represented as a single digit in a binary number as either 0 or 1. These bits are in turn organized in a larger group of 8 bits called a byte. A byte can be used to represent letters of the alphabet and other characters. For example, the byte comprising the 8-bit sequence 01000001 may represent the letter ‘A’ in a word processing system, but could represent something entirely different in a video processing application. Interpretation is, therefore, relative to context and determined by the software used to interpret it. Such representation and interpretation is achieved by using multiple processing and storage layers within a digital system such as a computer, mobile telephone, GPS device or media player, etc. These processing layers include hardware such as processing chips, digital cameras and networks, operating systems such as Windows, Linux, iOS and Android, application software such as word processors, email, web browsers, messaging clients and media players, and data storage such as hard disks, memory cards and cloud environments.

9.3 Thus, when proving a fact using electronic evidence, what an individual may witness on the output such as the screen is the result of multiple phases of digital processing and interpretation performed by software. The risk is that any processing phase may be subject to error. Similarly, when specialist digital forensic software is used to preserve and present electronic evidence, it does so using a programmatic interpretation of the bits and bytes it finds, and this also may be subject to error or wrongful assumptions about the meaning of the data.

9.4 For these reasons, proof, as it applies to electronic evidence, requires more than simple reproduction of data. The process of adducing evidence and determining proof relies on the systems used and the training and experience of the people creating and using them. Both people and systems need to meet significant accreditation and demanding validation to demonstrate that all such interpretations of data have been performed accurately. This is partly because of the unique nature of electronic evidence: it is extremely volatile and subject to being altered with ease, even by the simple act of switching a computer on or off.¹

Accreditation of the digital forensics discipline

9.5 By their nature, investigations and examinations of electronic evidence are relatively new compared to other more established forms of forensic analysis such as fingerprinting, DNA analysis, toxicology and ballistics. Broadly speaking, electronic or digital (the terms are used interchangeably) investigations are concerned with the gathering, preservation and analysis of relevant digital data to provide both evidence and intelligence to assist with criminal investigations¹ and prosecutions, and with civil and regulatory matters and proceedings.

9.6 Forensic analysis of electronic evidence draws from diverse disciplines such as electrical and electronic engineering and computer science, and includes sub-disciplines such as computer forensics, network forensics, cloud forensics, data analysis, audio and video analysis and analysis of mobile devices. Accreditation has been strongly supported from within the diverse digital forensics discipline. In the USA, the American Society of Crime Laboratory Directors/Laboratory Accreditation Board (ASCLD/LAB) formally accredited digital forensics as a discipline in 2003 together with four sub-disciplines: computer forensics, audio analysis, video analysis and image analysis. In 2016 the ASCLD/LAB was acquired by the American National Standards Institute-American Society for Quality (ANSI-ASQ) National Accreditation Board (ANAB) and the four sub-disciplines were merged into a single discipline known as digital evidence forensics.¹ There are similar specialist advisory groups in Australia and New Zealand.² In the United Kingdom, the Forensic Science Regulator was established in 2008, and included digital forensics as a specialist group. In April 2020 the Forensic Science Regulator produced updated Codes of Practice and Conduct (issue 5) across the entire forensic industry, including for digital forensics.³

9.7 Although formal academic certification of practitioners in various disciplines and accreditation of digital forensic processes are relatively common among the digital forensic community, there is, at the time of writing, a noticeable absence of such accreditation for the process of ‘cloud forensics’ and other evidence obtained online or through, for example, social media. In this regard, rather than qualifications to use commercial tools, academic qualifications that teach fundamental principles of preservation, continuity, critical thinking and verification can be applied to ‘cloud’ forensics. However, there are a number of significant and unique challenges when dealing with data obtained online, not least of which is the fact that potential evidence held by a service provider may not be preserved in the normal manner when creating an image or snapshot of the target storage or computer platform. To this end, frameworks¹ are being developed for cloud forensics evidence collection and analysis using security information and event management that draw upon research by the National Institute of Standards and Technology (NIST),² specifically the NIST Cloud Computing Forensic Science Working Group.

Guidelines for handling digital evidence

9.8 Along with the benefits of consistency and uniformity arising from accreditation, numerous guidelines have been produced, premised on uniformity and standardization of procedures that are relevant to the collection and handling of electronic evidence. In 1995 the International Organization on Computer Evidence was established to provide international law enforcement authorities with a forum to facilitate the exchange of information relating to computer crime investigations and other issues relating to digital forensic investigations.¹ This organization, together with several other UK authorities, including the Association of Chief Police Officers (ACPO) and the National High-Tech Crime Unit, have produced a number of guidelines for the investigation and examination of electronic evidence within a criminal context. Although various sets of guidelines have, in the main, been produced specifically for criminal investigations, nevertheless the guidelines are also of significant help to practitioners and lawyers in civil matters.²

9.9 In April 2020 the UK Forensic Science Regulator published an informational guidance document entitled Legal Obligations Issue 8.¹ This provides a relatively high-level overview of the obligations placed on expert witnesses in the Criminal Justice System in England and Wales. Contemporary guidelines include documents from Australia and New Zealand,² the United Kingdom,³ the USA,⁴ Europe,⁵ Asia⁶ and ISO/IEC Standards.⁷ Likewise, INTERPOL has also established the Global Guidelines in relation to Digital Forensics Laboratories.⁸

Handling electronic evidence

9.10 As with any other form of evidence, there are a number of discrete elements that accompany the collection and handling of digital evidence. It is suggested that a digital evidence professional should, ideally, undertake her duties against the highest standards that are propounded by her peers, regardless of whether she is assisting in a criminal or civil matter. In Bilta (UK) Limited (in Liquidation) v Nazir,¹ Lewison J indicated that he did not consider it an automatic requirement that parties to civil proceedings have to subject hard drives to forensic discovery techniques. It is debatable whether it is wise not to subject hard drives to forensic search techniques, as demonstrated in the case of In the matter of Stanford International Bank Limited (in liquidation), Fundora v Hamilton-Smith.² This was an application for the discharge of the appointed Joint Official Liquidators of Stanford International Bank Limited and other parties on the basis that, among other reasons, they destroyed digital data and employed improper practices in relation to computer and electronic data.³ The precise matters in dispute were as follows:

9.11 After considering the relevant ACPO guidelines at the material time, Thomas J decided that the action of the Joint Official Liquidators was not in accordance with standard forensic practice, and in so doing, they acted improperly. To this extent, the various guidelines put forward as best practices provide sound advice and guidance when dealing with electronic evidence, and if followed, they can serve to counter allegations that the evidence has not been gathered or dealt with properly.

9.12 In Khodorkovskiy and Lebedev v Russia,¹ a case before the European Court of Human Rights, the defence raised a number of important issues challenging the electronic evidence sought to be admitted that related to the volatile and mutable nature of such evidence. It alleged, among other things, that the hard drives that were seized had not been properly packed and sealed, so it was possible to add information to them while the drives were in the possession of the General Prosecutor of the Russian Federation,² as the investigators discovered more files on the drives than there were on the same drives when examined by the experts,³ that the drives and the list of files discovered by the prosecution were not attached by the General Prosecutor to the case materials, and that there was no evidence that documented the continuity of the evidence.⁴ In concluding that these deficiencies were not relevant, the court said:

9.13 In our opinion, this decision fails to emphasize the importance of professional digital forensics when seizing data in digital form. From a technical perspective, a hash value, calculated on site upon taking a forensic image of the hard drives that have been seized (or, if this is impossible, shortly thereafter), could have easily served as proof of the evidence having been untouched since it was first acquired (provided that the hash was kept securely or communicated to the defence or suspect at an early stage). However, there was no indication that the court relied upon, or the defence proffered, such evidence in support of such a conclusion.

9.14 Notwithstanding the preference for an original forensic image, or a demonstration of full and complete provenance, together with contemporaneous notes beginning from the source of the evidence, it may still be possible to prove the authenticity of certain types of digital evidence beyond doubt. One example of such a method is the examination of email messages which are downloaded to a USB drive. In such circumstances, it may not be possible to establish direct continuity from the computer or server on which the original email messages were created or transmitted before they were downloaded to the USB drive. Neither is it possible to obtain a forensic image of the senders’ or receivers’ computers. Therefore, the authenticity of the email messages and any attachments may be called into question. However, if an email message contains a DKIM¹ (Domain Keys Identified Mail) signature, it is possible to establish beyond doubt that the message and any attachment is authentic and has not been modified since it was sent, regardless of how it has been handled since.² This is because DKIM is one of the authentication methods used by mailbox providers to determine that an email was sent from a particular email account.³

9.15 However, in other cases the application of cryptographic hashing or other cryptographically sound acquisition techniques is difficult, if not impossible. Increasingly, evidence procured from large computing platforms and cloud services will require testing by digital evidence professionals.¹ Another way to prove the data is to rely on a third party – such as the service provider – that controls the storage of data. This means that rather than relying on an operating procedure for acquiring evidence, the provenance and trustworthiness of the provider become relevant.

Identifying electronic evidence

9.16 The first sign that something is wrong may be in the form of electronic evidence. For instance, a security administrator in a bank might consider an investigation necessary when the intrusion detection system sets off an alarm, or where the email logs indicate that a particular member of staff is receiving an excessive number of emails during the course of a day or over an extended period. The case of Miseroy v Barclays Bank plc¹ is illustrative. In July 2002 a formal investigation was initiated because an employee of Barclaycard appeared to be receiving a disproportionate number of emails during the day. The audit of the emails sent and received by three employees showed that one Mr Miseroy, who was with the Fraud Prevention Department, had sent a significant number of emails. As a result, he was also included in the investigation. After a series of investigatory meetings, it was concluded that Mr Miseroy had abused the email facilities by sending out an unwarranted number of personal emails, in breach of the Group IT Security Policies regarding the use of corporate email facilities. Some of the emails he sent out included content that was derogatory, offensive and sexist, which Mr Miseroy admitted was not appropriate. The investigations also showed emails exchanged between him and a manager in a different department, in which Mr Miseroy had arranged to pass cannabis to that manager. It was also determined that Mr Miseroy disclosed confidential information regarding Barclay’s operations and customers. Mr Miseroy was summarily dismissed for gross misconduct, and the members of the tribunal accepted that his dismissal was within the range of reasonable responses of a reasonable employer in relation to the circumstances of the case.

9.17 Such a case, where the source and reliability of evidence that something is wrong needs to be assessed, will require an investigation into the facts. At such an early stage, the actions of the investigator may inadvertently change the electronic evidence itself. For instance, in the case of Aston Investments Limited v OJSC Russian Aluminium (Rusal),¹ the actions of the IT administrators caused important files and information to be removed, and subsequent forensic examination ran into difficulties because of the unintended changes made to the system. This is why it is essential to have an appropriate procedure in place to deal with the way an investigation is initiated and conducted, whether by way of civil proceedings, where there is an obligation for each party to disclose documents relating to matters in question under the Civil Procedure Rules,² or in criminal matters, where the relevant investigating authorities have both common law and statutory powers to search and seize evidence. In the criminal context, investigating police officers will be expected to have conducted themselves in accordance with recognized guides for their jurisdiction. In the United Kingdom, ACPO³ has produced the ACPO Good Practice Guide for Digital Evidence (ACPO Guide).⁴ The ACPO Guide sets out the four main phases for handling electronic evidence – collection, examination, analysis and reporting – and concentrates on the collection phase. A digital evidence professional should consider adopting the practices for the four phases of his investigations. With the advent of forensic triage techniques, these four phases may be augmented with an initial ‘assessment’ or ‘triage selection’ phase.

9.18 While the following discussion concentrates on matters relating to electronic evidence in the context of a criminal investigation, the reader will readily acknowledge the relevance of the discussion in the context of a civil matter when undertaking work in the disclosure phase of a civil action.¹

Gathering electronic evidence

9.19 Once it has been established that it is necessary to seize or gather evidence in digital form, a further set of procedures should be in place to guide the digital evidence professional with respect to the scene or information itself, including the identification and seizure or acquisition of the evidence as necessary.¹ Where a physical crime scene is involved, it is now a well-established practice that the scene should be photographed, or even recorded by video, and the layout of the hardware recorded in relation to the scene. The investigator then needs to determine what, if any, physical evidence, such as computers, printers, computer mice or facsimile machines, should be retained (the ACPO Guide provides a list of the types of hardware and storage devices that are susceptible to being retained).² It is important to not permit anybody to disturb the hardware or the network, or work on any computer. It is also advisable that the police officers engaged in searching for digital evidence be properly trained.³

9.20 The problem with digital evidence is the ease by which the data can be altered or destroyed. Digital devices are volatile instruments. For instance, the random access memory in a computer will contain a great deal of information relating to the state of the computer, such as the processes that are running, whether the computer is connected to the Internet and what file systems are being used. When a computer is switched off, a large part of this volatile data is immediately and irretrievably lost. Depending on the circumstances of the case being investigated, it may be very important to retain such data before the computer is switched off or simply unplugged from the electricity supply. This question is becoming increasingly important because of the ready availability of encryption utilities that are easy to use, and the increasing availability of low-cost hard disks that include whole disk encryption as a matter of course. The preservation of a forensic copy of a computer system’s RAM may be the only way of gaining investigative access to the contents of a target device whose content is encrypted with complex keys.¹ Indeed, there may be occasions when great care should be taken when arresting suspects physically at a computer, because it is possible that they might switch off the computer and disrupt or delete any incriminating files before any preventative action can be taken, as in the case of Aleksei Kostap. He was arrested by members of the Serious and Organised Crime Agency, who attached handcuffs to him, but with his hands in front of his body. According to a press report, he managed to take action that caused certain databases to be deleted. It was thought the databases might have contained records of the gang’s activities. Apparently, while handcuffed, Kostap also acted to initiate the use of intricate layers of encryption on various computer systems, which experts were not able to decrypt.² In addition, new developments in the methods used to store data on storage devices may cause problems in the future. Graeme B. Bell and Richard Boddington have demonstrated that:

9.21 The authors provide the observations in this chapter for the guidance and assistance of professionals involved in facilitating the proof of digital evidence.

9.22 While it may be convenient to consider preservation of ‘cloud storage’ as analogous to preservation of data on a hard disk in a computer, this is not the case. Cloud service providers make computing infrastructure available as virtualized components that can be connected using virtualized networking infrastructure. It is usually possible, given enough privileges, to quickly preserve the state and contents of a virtual machine, its volatile memory and any block storage attached to it. But that is not the whole picture. In such virtualized environments, data of material relevance such as access and event logs may be available only to the members of staff of the service provider. Therefore, identifying and preserving the contents of volatile data and attached storage accessible to the victim(s) or suspect(s) but failing to have the service provider preserve all relevant system, access and event logs would be to miss the most important facts about the evidence and thus potentially undermine the ability to prove the case.

Gathering of data following legal retention or reporting obligations

9.23 In other cases, metadata and logs are retained by service providers who follow a legal requirement. This is often the case for identifying information such as IP addresses, telephone numbers and related subscriber information, and in the UK this was extended to data on sites visited on the Internet.¹ Where such legal obligations exist, other safeguards will typically apply, and an assumption can be made about the accuracy of the data that is provided by a service provider. Such data, and the process of access and acquisition or reporting, are often subject to different legislative requirements such as privacy legislation, safeguards and obligations set out in telecommunications legislation or data retention regimes.² In such cases, the probative value and admissibility will increasingly depend on the reliability of the service provider. In some cases, special accreditations or security checks are required for members of staff who work with this data or analyse it. In other cases, the related infrastructure is subject to audit requirements.

Internet of Things data and sensors

9.24 A wide variety of sensors can be found at crime scenes, depending on how many devices are connected to the Internet. Due to the increasing number of sensors, a wide array of Internet of Things (IoT) devices is becoming available and may contain evidence which can assist in the proof of a crime. The analysis of this data, which is sometimes also present at service providers (located ‘in the cloud’), can present a unique set of problems.

9.25 Location data, health data and other types of sensor may not be easy to interpret and will often require contextual analysis and interpretation. For example, location data may be important in the investigation of a murder that is alleged to have occurred in a park at a certain hour. The presence of data recorded within a personal device at the north entrance, and then again at the south entrance of the park within ten minutes of each other, may, at first sight, be indicative of a suspect’s presence at the crime scene. However, it may also be indicative of a loved one slowly driving around half the park by car, in ten minutes, to see if the victim is to be found. The accuracy, measurement interval and behaviour of the services involved (which may, for example, store the closest destination, such as the park entrance gates) and evidence from other sensors (such as the connections to the car radio and navigation by way of wireless technologies like Bluetooth) may serve as corroborating evidence of such a defence.¹ Each of the available sensors in modern-day IoT devices has its own accuracy, measurement interval and data storage mechanisms, and, therefore, evidential value. A detailed knowledge of and access to significant testing facilities is needed to stay abreast of developments in this field and in order to understand the behaviour of devices in the IoT ecosystem.²

Gathering data through network searches

9.26 The initiation of advanced encryption has significantly decreased the value of evidence gathered from traditional police powers, such as lawfully authorized interception. The advent of end-to-end encryption has led to the introduction, in many countries, of the power to conduct remote searches. These include the use – or exploitation – of software vulnerabilities in order to gain access to the systems involved. The evidence obtained through this method is difficult to evaluate, because it is typically obtained in an end user device without the user being aware of the fact that the device was deliberately being made use of. While it may be assumed that law enforcement authorities may be the only parties with legitimate access to a device, other third parties may also have authorized access. Attribution of any data and evidence found on the device is therefore more difficult, due to the existence of such an exploitable vulnerability. The value of this type of evidence can be improved where corroboration of the evidence is sought, and obtained, through other sources.

Copying electronic evidence

9.27 The process of acquiring, copying and handling electronic evidence should be carried out to the highest standards, regardless of whether the source is a hard disk, mobile device or cloud-based resources. Several commonly applied best practices and principles are relevant to this process and the four principles of handling computer-based electronic evidence as set out in the ACPO Guide illustrate the importance of the data collection phase of this process:¹

9.28 The problem of what types of electronic evidence and hardware to seize and retain can be compounded where a computer or an entire system of computers is linked to a network, and the sources of electronic evidence exist in a number of separate geographical locations. In such circumstances, and before taking any action, it will be necessary to ascertain whether it is possible or feasible to shut the network down. In most instances, this will not be an option. The investigators will need to be aware of the range of original data that might be required, should they be presented with such a situation. This will include establishing the topology of the network that is to be investigated for the data, especially if a system administrator will not cooperate. For instance, it will probably be necessary to establish the number of computers on a network, and the various types of network connection such as the Internet, cellular data networks and wireless connections that are available on the network. In the case of cloud-based resources where the user is not cooperative or unaware of the investigation, it will be necessary to engage with the cloud service provider’s team to obtain the required information and, with the appropriate authorities, gain access to the data of interest.

9.29 Professor Casey posits two empirical laws of electronic evidence collection that ought to be high on the agenda:

9.30 To ensure a complete copy of a disk is obtained, Professor Casey recommends taking a bitstream copy of the electronic evidence.¹ As a result, the copy will include information that will normally enable a digital evidence professional to reconstruct deleted files, depending on the storage technology that was used. In circumstances where the volume of digital data is so large or its storage is so complex that copying it in its entirety is not possible,² it is generally accepted that copies of selected data may be made, provided the data that is copied can be shown to be an accurate and an exact duplicate of the data that is the subject of copying, frequently referred to as ‘first in time evidence’. Many methods exist for achieving this, including the use of proprietary ‘logical evidence file formats’ of common forensic tools.

9.31 In addition to Professor Casey’s empirical laws of electronic evidence collection, there are two fundamental principles to be observed by a digital evidence professional when copying electronic evidence:

9.32 To ensure the first in time evidence and the copy are the same, the data should undergo a hashing process, described below. The reason for establishing hash values for data, including the time and date stamps of each file, is that this information will serve as a reference for checking the authenticity or veracity of the files after they have been copied.

9.33 The quality of digital files that are copied can be crucial. In the case of The Gates Rubber Company v Bando Chemical Industries Limited,¹ Schlatter MJ commented on the evidence of two digital evidence experts. The judge was impressed by the ‘credentials, experience and knowledge’ of Bando’s expert Wedig, and indicated in his decision that he relied on his opinions. As Gates failed to obtain an expert in a timely fashion, much less weight was placed on its expert.² Gates’ expert Voorhees also failed to undertake appropriate measures to secure the first in time evidence. Schlatter MJ’s judgment is quoted more fully to illustrate this point:

9.34 Although the tools and techniques used by digital evidence professionals are constantly changing and improving, the comments made by the judge in this case illustrate a very clear point: when electronic evidence is copied, the techniques that are used ought to comply with the highest possible standards for the evidence to have any probative value in legal proceedings. However, it must be emphasized that there will be occasions when the investigator is faced with a unique situation such that she can only apply her knowledge to the best of her ability in seizing data in as forensic a way as possible. One example would be a live banking system. The system might be stored on hundreds of servers in a data centre that is the size of a football field, and the data will be changing every second. No existing guidelines cover such an eventuality, which is why the investigator must make decisions based on principles of good practice.¹

9.35 An examination of the surrounding area of the scene, including any materials that are likely to be relevant to disclosure or a criminal investigation, is also important. For instance, in the case of R. v Pecciarich¹ the police seized a number of documents, catalogues and a scrapbook of newspaper articles concerning trials of sexual assault and proposed legislation dealing with abusive images of children. In this instance, the material constituted real evidence. It was also considered, as Sparrow J determined, to be circumstantial evidence to support the allegations that Pecciarich distributed abusive digital images of children, which were found on his computer and hardware devices. The relevance of materials found at the scene, including fingerprints and DNA samples taken directly from hardware devices, may become more obvious once the digital evidence professional has examined the electronic evidence in detail.

Forensic triage

9.36 Preceding the investigation and examination of electronic evidence by digital evidence professionals is a technique known as ‘forensic triage’,¹ which has received considerable attention within the forensic practitioner and law enforcement communities. Digital forensic triage is the term used to cover a range of processes, methodologies, software and hardware that can be used to enable people to prioritize their digital forensic investigations more effectively. Forensic triage is not suitable for every case. Users with appropriate training must use it in conjunction with appropriate risk assessment. Indeed, there are direct comparisons to be drawn in this regard with law enforcement processes and the medical profession. Applying the triage process, a police officer, trained in the use of a breath test meter, can use such a device to make informed decisions about a driver suspected of being intoxicated. The officer does not need to be an expert in the science embodied in the device but, instead, simply needs to be appropriately trained to configure, use and interpret the results it provides, and decide how best to take the investigation forward.

9.37 The UK Defence Science and Technology Laboratory has reviewed various digital forensic triage methods: software, hardware and processes. These evaluations, although often focused on establishing if individual tools meet the claims made by the publishers, also test the effectiveness of the technology to preserve the integrity of the target media, to correctly identify specific digital artefacts and to produce results using other forensic techniques that would withstand scrutiny. The outcomes of these independent tests are made available to police and other authorities under various classification restrictions, allowing them to form opinions about the suitability of each tool for the given scenarios.

9.38 Digital forensic triage technologies and methods are in their infancy,¹ and must take account of the need for appropriate training and accreditation. Similarly, suitable risk assessment is required in order to minimize the omission of relevant data. It could be argued that by not performing a full forensic examination of every piece of digital media found, vital evidence may be lost. An important consideration when employing digital triage techniques is the need to balance the rapid identification of material of interest and the consequence of stopping further analysis, in the knowledge that such a process may fail to identify exculpatory material or material of more significance.² Through the use of manual and automated techniques, digital forensics triage techniques have the potential for beneficial or non-degrading applications in a wide range of digital forensics matters, particularly those that require classification such as abusive images of children (from which the digital triage process originated)³ through to copyright matters.⁴

9.39 In the context of cloud computing, forensic triage techniques may be highly effective and appropriate, and can use the functionality of the cloud environment to standardize and automate a method of deployment. For instance, Amazon Web Services¹ suggest a programmatic use of triage as part of an automated incident response methodology. The inclusion of forensic controls such as hashing and comprehensive audit logging are available as standard options when such tasks are performed. Once such techniques and capabilities have been provisioned by practitioners with the appropriate skills and knowledge, any user with appropriate credentials can use them.

Preserving electronic evidence

Validating digital data

9.40 Electronic evidence in particular needs to be validated if it is to have any probative value. A digital evidence professional will typically need to copy the contents from a number of disks or storage devices. To prove that the electronic evidence has not been altered from its source copy, it is necessary to put in place checks and balances to prove that the duplicate evidence is identical to its source. A method used to prove the integrity of source data at the time the evidence was collected is known as electronic fingerprinting or ‘hashing’.¹ The electronic fingerprint uses a cryptographic technique that is capable of being associated with a single file, a floppy disk or the entire contents of a hard drive. A digital evidence professional should use software tools that are relevant to the task.² Such software tools will invariably incorporate a program that causes a checksum operation called a hash function to be applied to the source file or disk that is being copied. When a hash function is applied to digital data, the result is called a hash value as it is calculated against the content of the data. The hash function is a one-way function, and is the mathematical equivalent of a secret trapdoor. For the purposes of understanding the concept, this algorithm is easy to compute in one direction and difficult to compute in the opposite direction.³ The hash function is used to verify that a source file or the copy of a file has not changed. If the file has been altered in any way, their hash values will not be the same, and the investigator will be alerted to the discrepancy.

Hash collisions

9.41 There are many possible hashing algorithms that can be used to establish forensic veracity. For many years the MD5 (Message Digest 5) algorithm was used, but research conducted by Xiaoyun Wang and Hongbo Yu showed that it was possible to create two files with different content that produced the same MD5 value.¹ The implications of this possibility quickly led to some debate in the forensic community. One common interpretation was that MD5 could no longer be trusted because an analyst might wrongly identify an innocent file as a known file (the identification issue) or deliberately modify a file and change its hash value back to the original (the verification issue). Another hypothesis was that a suspect could make all his bad files have the hash values of known system files, thereby avoiding detection. While theoretically possible, it is practically very difficult to achieve an MD5 hash collision, and doing so requires considerable computational time for files larger than a few hundred bytes. According to Stephens and others:

9.42 In mathematical terms, an MD5 hash is 128 bits wide and therefore the probability of two files having the same MD5 value is 2^-128. Put another way, the probability of finding two files with the same MD5 value is one in just over 3x10^-39. That is once in 340 billion, billion, billion, billion comparisons. By contrast, an SHA-1 hash is 160 bits wide and so the probabilities decrease to once in every 6.8x10^-49 comparisons. In other words, in realistic terms it is very hard to produce a ‘doctored copy’ of a larger digital evidence set that has the exact same MD5 or SHA-1 hash value as the ‘original’ while still being ‘believable’. However, it is not impossible, as the recent practical technique for generating an SHA-1 collision for PDF documents has demonstrated. It took the equivalent processing power of 6,500 years of single-CPU computations and 110 years of single-GPU computations, but resulted in a (believable) ‘doctored copy’ with a hash that was equal to a known original.¹

9.43 The result of this debate is that, although the chance of an MD5 or SHA-1 collision is remote, best practice suggests creating two hash values for every file or forensic image when used for comparison. If only a single hash algorithm is used, SHA-256 would be better than MD5 or SHA-1. Using both MD5 and SHA-1 instead of a single SHA-256 is mathematically more robust. Further logic for this approach is the fact that although there are no national or international standards that require SHA-256 in digital forensics, its use instead of MD5/SHA-1 would immediately render all global child sexual exploitation image databases, which use MD5 and SHA-1 values, unusable. Furthermore, MD5 and SHA-1 are still used and accepted by every law enforcement authority worldwide to perform the three essential forensic functions: to identify known indecent images, to exclude known files such as those in the National Software Reference Library hash keeper list and to verify that files have not been changed. In the light of the recent successful collision attack of SHA-1, this practice may need to be reviewed. It is therefore advisable to retain first in time copies of any files that are to be identified in order to be able to recalculate hashes as algorithms become deprecated and new ones are introduced. For the purpose of detecting changes using digital signatures, SHA-1 and MD5 should be considered unreliable and deprecated as usage of SHA-1 began to be phased out in the technology community in 2017.¹ Since digital signatures are usually only valid for a limited time period, this is less of a problem, although even with MD5, issues have been identified since at least 2004, and they still persist.²

Fuzzy logic and uncertainty

9.44 Hashing technology, although useful in cases where absolute certainty is required, is not the best way to recognize pre-existing material – especially in relation to images, video and sound recordings. Child abuse imagery, for example, is often ‘marketed’ using different logos present inside the image. While the majority of the content is unaltered, the mere addition of a logo will invalidate any hash value that was previously calculated. For this reason, numerous technologies exist that do not rely on establishing an exact match (by way of a file hash), but rather are capable of comparing content to establish the proximity of a file to the content of a known previous copy of the material sought. These filtering algorithms usually provide an indication at a preset level of certainty, of the fact that material matches a previously observed copy. The result is a percentage of likeness, rather than an exact match (which is what is achieved by file hashes).¹ Note that the results from these algorithms, contrary to hashes, are therefore less usable as a single source of evidence. However, due to the increased use of online filtering,² their acceptance is likely to increase.

The continuity of custody

9.45 For those professionals experienced in criminal matters, the concept of the continuity of custody (also known as the chain of evidence) is well established. However, the continuity of custody, in both civil and criminal matters, should be considered very carefully with respect to electronic evidence. The reason for taking particular care with electronic evidence is because it is easy to alter. It is necessary to demonstrate the integrity of the evidence and to show that it cannot have been tampered with after being seized or copied. There is another reason for being meticulous about ensuring the continuity of electronic evidence and that its custody is correctly recorded: in a case involving a number of items of hardware and more than one computer, it will be necessary to ensure that there is a clear link between the hardware and the electronic evidence copied from the hardware. In this respect, the record should address such issues as who collected the evidence, how and where it was collected, the name of the person who took possession of the evidence, how and where it was stored, the protection afforded to the evidence while in storage and the names of the people who removed the evidence from storage, including the reasons for removing the evidence from storage.¹ Due to the increased use of online storage and services, access and custody of records may also be of relevance in the phases before they become evidence in a legal matter or dispute, especially in cases where applying cryptographic safeguards is less practical.

Transporting and storing electronic evidence

9.46 Consideration should be given to the methods by which any hardware and digital evidence is transported and stored.¹ Computers need to be protected from accidentally booting up, and consideration should be taken to ensure that hardware is clearly marked to prevent people from using the equipment unwittingly. Loose hard drives, modems, keyboards and other such materials should be placed in anti-static or aerated bags to prevent them from being damaged or their data being corrupted. Storage conditions should be appropriate. Hardware and electronic evidence should be protected from dirt, humidity, fluids, extremes of temperature and strong magnetic fields. It is possible for data to be rendered unreadable if the storage media upon which the electronic evidence is contained are stored in a damp office or overheated vehicle. In many forensic storage facilities, special data safes protect evidence from fire risk. These safes are designed to withstand heat, and keep digital media at an acceptable temperature for longer periods of time during a fire.

9.47 More recently, the availability of sophisticated file storage and server systems has resulted in systems that can store and manage data as ‘objects’, directed and controlled by policies with corresponding automated move, copy, delete and replication functions. In many cases these systems are also distributed geographically, providing better failover (the ability to automatically switch to a reliable backup system) and availability. While these features should not adversely affect the evidential veracity of stored data, it is essential for meeting evidential continuity that comprehensive access controls and audit logs are maintained at all times. Furthermore, the geographically dispersed storage of data may increasingly lead to questions of jurisdiction.

Cloud computing and online services

9.48 In the same vein, evidence is increasingly stored on publicly accessible, network-based services. Both cloud computing (the use of, often shared or virtualized, computing or storage resources available through the Internet) and the online delivery of services (software, infrastructure or platform as a service) are rapidly becoming more popular. Forensic investigation of these sources of evidence is inherently complex,¹ and is likely to force forensic standards involving the concept of ‘original evidence’ or ‘first in time evidence’ to become outdated or impracticable. In consequence, cloud forensics is emerging as a new aspect of computer forensics.²

9.49 At the same time, the use of free or low-cost ‘cloud storage’ adds a challenging complication to the process of preserving digital evidence. At the heart of this technology is the concept that a user can upload and store data and software applications to ‘the cloud’, which can then be accessed from anywhere using any device with an Internet connection. In reality, such ‘cloud storage’ can consist of many thousands (or tens of thousands) of mass storage devices (arrays of high capacity hard disks) located in many different physical locations, all connected to a storage management system software via the Internet. It is often the case that, in order to ensure that users’ data is available at all times and to protect them from loss such as disk failure or interruptions in network connectivity, many copies of the users’ data are spread across many redundant storage nodes that are physically and geographically separated from one another. Furthermore, many unrelated users share the same cloud storage facilities. In these ‘multi-tenanted’ systems, the management of such data is essentially automatic and controlled by the storage management system software rather than human managers. The implications for forensic preservation of such data may not be readily apparent.¹ It follows that because of the geographically distributed nature of such systems, issues of legal jurisdiction may also arise when seeking to preserve or obtain the data with the cooperation of the cloud operators.

9.50 One method of securing access to such data is to request that the user provides details of her account to enable suitably authorized investigators to log into the relevant account and forensically copy all pertinent data to disk, or, more efficiently, copy from the user’s ‘cloud’ to a storage location on a ‘forensic cloud’. The forensic process should include the creation of hash values (discussed above) for every file or object and the use of automatic or manual logging of each action to create a contemporaneous note for all actions undertaken. Additionally, it may be prudent, with the appropriate legal authorization, to change the access credentials of the original storage in order to prevent any deliberate or inadvertent changes from being made to it.¹ In such circumstances, principles 2 and 3 of the ACPO should be considered:

9.51 Furthermore, reasonable precautions must be taken to ensure that any changes are kept to a minimum, the changes are noted and recorded, and the person conducting the acquisition process is fully aware of the effect of her actions. For those occasions when permission to obtain access to the data from the suspect is not forthcoming, it is then essential, if possible, to preserve a copy of the volatile memory in the computer (that has access to the data), so that it is possible to search for any remaining data relating to the account.

9.52 Data can be deleted on a remote server or cloud storage before it can be secured.¹ In such complex scenarios as described above, the role of forensic triage becomes increasingly important, because it allows the investigators to evaluate the scene contemporaneously, and to identify the data, seek the appropriate authority to search and seize the data (if such an order or warrant has not been obtained, or if the order or warrant under which the search is being conducted does not cover the materials that have been found) and secure the online data before anybody who might be under suspicion (or their accomplices) gets the opportunity to destroy it remotely. It is in such circumstances that conducting a preliminary risk assessment is essential to success.

9.53 Throughout this phase of any investigation, the emphasis will be on the digital evidence professional to make informed decisions as to what data or equipment to seize and retain in any given set of circumstances.¹ Depending on the circumstances of the case, consideration has to be given to the possibility that the person at the centre of the investigation might be framed for personal or political reasons.² It will also be necessary to give reasons for seizing and retaining the property, and it will be essential to ensure that the entire procedure is properly documented. The documentation relating to electronic evidence is important. Standard operating procedures such as those described in the ACPO Guide, as noted above, should be followed. A record should be kept of every item seized, every action performed that may affect electronic data on every item, and exhibit labels should be attached to every physical item retrieved.

9.54 There are occasions when the physical hardware cannot be seized, because it is too large, it is not physically located in the jurisdiction or even in a single jurisdiction, or where seizing it would cause an organization to cease functioning. In such circumstances, the electronic evidence will have to be copied. As a result, greater care must be exercised when such electronic evidence is retrieved and copied for the first time. The range of electronic evidence that might need to be copied will include audit trails, data logs (for applications, Internet access¹ and firewall traffic, to name a few), biometric data, metadata from applications, file systems,² intrusion detection reports and contents of databases and files. Given the nature of the evidence to be copied, the integrity of the evidence that is copied and its subsequent history becomes paramount.³ Data pertaining to the integrity of these copies and their creation should be retained wherever possible.

9.55 Another way of dealing with this challenge is to request the cooperation of the service provider to retrieve evidence from its systems. This, however, often leads to jurisdictional issues. Thus, the need for better guidance on the issues arising out of cloud computing is becoming clearer. The Council of Europe has established a working group to address this issue and explore solutions in relation to access for criminal justice purposes to evidence stored on servers in the cloud and in foreign jurisdictions, including through the process of mutual legal assistance.¹ The preparation of a second Additional Protocol to the Budapest Convention on Cybercrime seeks to urgently address the need for solutions ‘for a more efficient criminal justice response to cybercrime and other crime involving electronic evidence in accordance with data protection and other safeguards’.² The shared nature of many of the services involved also creates significant issues surrounding the privacy aspects of the enhanced jurisdiction proposed. Furthermore, direct access to such data raises questions regarding the safeguards that need to be applied before such access is permitted.³

Analysis of electronic evidence

9.56 A digital evidence professional is not only required to obtain and copy electronic evidence that has a high probative value, but must also provide an analysis of that evidence. The analysis of the evidence will involve reviewing the content of the data and the attributes of the data. This exercise may also include, but will not be limited to, looking for and recovering deleted files and other data that may be hidden on the disk, checking logs for activity and checking unallocated and slack space or unallocated space¹ for residual data. Failure to assess the electronic evidence can lead to false assumptions, as in the case of Liser v Smith.² The facts of the case were not in dispute. The victim was shot after leaving work on the night of 5 May 2000. By Monday 8 May, it was known that the victim’s bank card had been used to withdraw US$200 from a Bank of America branch about 20 minutes after the murder, approximately one mile from where the body was found. According to the electronic evidence, the withdrawal occurred at 1.47 am on 6 May. The Bank of America ATM also had a video surveillance tape, which was subsequently retrieved by the police.

9.57 The bank manager informed the police that there would be a discrepancy of up to 15 minutes between the time indicated on the surveillance tape and the actual time of the withdrawal. When the tape was viewed, there was no ATM activity recorded at 1.47 am. The closest transaction that occurred was at 1.52 am, when a black male wearing a white t-shirt (the accused Jason Liser) was recorded as standing before the machine. While the evidence seemed to lead to the conclusion that Liser as the man recorded at 1.52 am was one of the killers, the evidence contained on the surveillance video did not warrant such an assumption. Other pictures from the videotape showed black males other than Liser using the ATM at 1.56 am and 2.05 am, and a black female using the machine at 2.04 am. Copies of these pictures were provided to the court. All of them were grainy and poorly photocopied. However, of relevance was that both of the men in question appeared, like Liser, to have been wearing white t-shirts and to be relatively young.

9.58 In August 2000, about three months after the murder, the police decided to put out a press release and a copy of the photograph of the man recorded as standing at the ATM at 1.52 am. Liser was subsequently recognized and arrested for the murder. He was held for less than a week, because the police decided, at this late point in time, to carry out an experiment at the aforesaid ATM machine and its video surveillance facilities. The result of the experiment led the police to conclude that the discrepancy was greater than the 15-minute gap the bank had stated. Liser was subsequently released. It is instructive to note the comments made in the Memorandum Opinion by the judge:

9.59 Compare this case with the murder of Denise Mansfield, who was found bound and strangled in her home on 29 June 2002. It was thought that she had been dead since 22 June. The police investigation centred on a surveillance camera that recorded images of people using an ATM, owned by the Sun Trust Bank. This ATM was used to withdraw US$200 from the victim’s bank account at 2.30 pm on 22 June, using her debit card. Three women (Virginia Shelton, her daughter Shirley and one of her daughter’s friends, Jennifer Starkey) were subsequently arrested. They were identified as using the machine between 2.28 pm and 2.33 pm the same day. The women did not dispute using this particular ATM. They were subsequently released after three weeks. After they were arrested, it came to light that it was assumed the clocks on the transaction computer and the ATM were synchronized. This was not correct. The women had used the ATM earlier than the time stamp on the video recording. It was reported that police officers had these records in their possession on the day they arrested the women, but it was not clear if they had examined the records before making the arrests. It was not until the father of one of the women obtained a copy of the relevant records that the women were released.¹

9.60 Both Liser v Smith and the Mansfield murder cases are good examples of the failure to fully test the electronic evidence, in particular, the time. No clock is accurate. This can be important in terms of assessing evidence in digital form.¹ In the legal context, Lord Hoffman observed, in DPP v McKeown (Sharon), DPP v Jones (Christopher)² that ‘The clock, although no doubt physically in the same box as the computer, is something which supplies information to the computer rather than being part of the processing mechanism’.³ It might have been correct that the clock was one hour out because of the difference in time zones, but clocks in computers are not always accurate. Clocks on facsimile machines may also be far from accurate, and so the following comments by Burton J (President) in Woodward v Abbey National plc (No 2), J P Garrett Electrical Limited v Cotton⁴ that imply that the data recorded by the logs at the offices of the Employment Appeals Tribunal are accurate as a matter of ‘common sense’ cannot be correct:

9.61 A more realistic comment on the accuracy or otherwise of clocks was made by Smart AJ in the case of R v Ross Magoulias,¹ where the identity of the appellant centred on the recordings made by an ATM and a security video:

9.62 A clock can also help reveal the truth when somebody attempts to alter electronic evidence. In the case of Shaun Richards, who was caught speeding on 1 June 2009, Richards attempted to prove his innocence by driving the same route (without speeding) in January 2010 and used his satellite navigation data (whose date he had doctored on his computer to 1 June 2009) as proof of his innocence. However, he had forgotten about the clock change from British Summer Time to Greenwich Mean Time, which meant that there was a one hour difference in the time for the doctored data. After this was discovered, Richards was imprisoned for four months for perverting the course of justice.¹

9.63 There may be occasions where, in the absence of proof, an intelligent assumption that comments recorded on a document have a certain meaning might be accepted by an adjudicator, even when it is possible that the comments are capable of other meanings. In particular, the failure to offer an explanation to rebut the assumed meaning of the content of a digital document submitted in evidence may lead to a finding against the party adducing the evidence, as in Hedrich v Standard Bank London Limited.¹ The case concerned a wasted costs order, which was based on breach of the duty owed by a solicitor to the court to perform his duty as an officer of the court in promoting the cause of justice. Ward LJ took particular care in assessing the conflicting evidence, because of the complexity of the facts. The bank sought to have its costs paid by the claimants’ solicitors, Messrs Zimmers. The bank was required to establish a strong prima facie case to succeed, and as part of its case, it sought to prove Zimmers were in receipt of an email on a date before Zimmers claimed that they had actual sight of the evidence. The bank relied on the following relevant text of that email:

9.64 In the absence of evidence from a digital evidence professional, the inference the bank sought to draw from this information was that Zimmers received notification of this particular email in May 2005, to counter the claim that Zimmers did not see it until the trial was under way in December 2005. This was highly relevant, because the bank was asking the court to order Zimmers to pay costs of £342,917.08. In meeting this argument, the barrister for Zimmers, Graeme McPherson QC, conducted some research on the Internet for an alternative explanation for the printed date of 11 May 2005. Ward LJ accepted the following offered explanation, although there was no evidence of the truth of it:

9.65 It would have been wise of the bank to establish the meaning of this information, because of the evidential hurdle required to prove its case. It would not have taken a digital evidence professional long to have established whether the information proved the date was the date of the release of that particular version of the software or not. It might have been for the court to ask the parties to seek an opinion on this issue before reaching a conclusion, but given the nature of the proceedings, in particular the rule that where there is room for doubt, the respondent lawyers are entitled to the benefit of it, it is not surprising that the court did not let the matter continue any further, and accepted the alternative explanation.¹

9.66 A further observation of relevance is that, in itself, the electronic evidence may not be conclusive. The case of Mogford v Secretary of State for Education and Skills¹ illustrates this point. Mr Mogford appealed against a decision of the Secretary of State for Education and Skills to include his name in the list maintained under the provisions of the Education (Restriction of Employment) Regulations 2000 (SI 2000/2419) that prevented him from being employed as a teacher under the provisions of regulation 5(1)(c). The Secretary of State made this decision because abusive images of children, text files, emails relating to this material and bookmarks with links to websites containing abusive images of children had been found on Mogford’s computer. Mogford denied that he was responsible for this material. The members of the Tribunal were satisfied that the Secretary of State proved on a balance of probabilities that either Mogford was solely responsible for the materials found on the computer, or that he participated with others in obtaining this material, and he knew that it was on his machine. The reasons given included:

9.67 Consideration was also given to the timing of the file system activity, especially those that occurred close to midnight of 27 April 1997 that showed access to a series of websites depicting abusive images of children, and the members of the Tribunal carefully examined the evidence presented by the digital evidence professional who sought to link access to such websites to Mogford. The electronic evidence showed that Mogford had created a spreadsheet that contained details of earnings from private lessons, and this spreadsheet was closed down at 00.28 on 27 April 1997. Mogford denied that he had closed down this spreadsheet, claiming that he had opened his spreadsheet at some other time earlier, had failed to close it down, and someone else had shut down his computer, thereby closing the spreadsheet in the process. The members of the Tribunal articulated the importance of this item of evidence and the explanation offered by Mogford as follows:

9.68 The observations noted above illustrate the importance of understanding the nature of digital data.¹ The aim should be to test the accuracy of the evidence and to ask if the conclusions are correct, rather than making decisions based on an imperfect analysis of the available evidence. It should never be assumed that because evidence is in electronic form, that it must therefore be correct and impervious to being tested to prove whether it is accurate or false. The important point to note is that questions of the accuracy and quality, together with the nature and quantum, of electronic evidence are contextual.

Tools

9.69 A digital evidence professional will not only, ideally, require an in-depth knowledge of the operating system she is to investigate, but will also need to use a number of proprietary tools in the performance of the investigation and analysis of digital evidence. The types of tool to be used will depend on the operating system being examined and whether the investigation is of networks, hand-held devices, embedded systems or wireless networks.¹ Due to their technicality, the reader is encouraged to become familiar with the technology and techniques by referring to appropriate practitioner texts,² including those discussing their limitations.³ The tools used can, naturally, be the subject of cross-examination, and the underlying scientific methodology and structure of such tools can also be questioned.⁴ In this section, the aim is to illustrate why and how tools are used in the context of the Windows operating system, partly because it is so widely used.

9.70 Automated tools are necessary to perform a forensic examination of a computer economically. However, the digital evidence professional should understand the process used by the tool to perform the relevant tasks. This is because it may be necessary to explain the process to a court, or the specialist may be required to carry out the analysis without the aid of a tool, because the use of a tool in any given situation may not be appropriate. These are issues that lawyers may well need to take cognizance of in the future.¹ For instance, it is not clear that practitioners themselves are familiar with some tools, and may question the worth of early versions.² This is because it seems that such tools are tested informally, rather than formally proven to be correct. It has therefore been suggested that such tools should be tested formally.³ In an effort to enhance the veracity of evidence adduced from a forensic examination, it is becoming common practice within forensic laboratories to use what is known as ‘dual tool’ verification techniques. Simply put, an analyst will perform an examination using one piece of forensic software and, where data of potential relevance is identified, will use a second tool, produced by a different vendor, to perform the same examination and compare the results. If they match, more weight can be given to the accuracy of the data. However, it must be emphasized that such techniques are not a replacement for critical thinking or experimentation.⁴

9.71 It should also be noted that software in forensic tools is far from impartial or infallible.¹ Indeed, the users of forensic tools may themselves not be aware that some tools do not carry out as detailed an examination as they think. Jonathan Zdziarsk commented on a problem encountered with forensic tools in his 2014 blog post ‘An example of forensic science at its worst: US v. Brig. Gen. Jeffrey Sinclair’:

Copying the hard drive

9.72 Before obtaining access to a computer, it is essential that the investigator is familiar with the underlying operating systems, file systems and applications. By understanding the file systems, the digital evidence professional will be aware of how information is arranged, which in turn enables her to determine where information can be hidden, and how such information can be recovered and analysed. In order to establish answers to questions such as ‘Who might have had access to a computer or system?’, ‘Which files would they have been able to look at?’ and ‘Was it possible for an unauthorized outsider to obtain access to the computer from the Internet?’, the digital evidence professional should understand the nature of user accounts and profiles, and the control mechanism that determines which files a user is permitted to access upon logging into a system.

9.73 To acquire the data on a hard disk installed in a computer, an investigator will, in most cases, prefer to remove the hard disk from the computer and attach it to a specialist ‘write-protected’ interface that is attached, in turn, to an ‘imaging’ device capable of copying the forensic image stored on the media on to a previously cleaned (and verified as clean) storage device. Such interfaces are commonly referred to as ‘write blockers’, and the imaging capability may be performed by specifically designed imaging hardware or by a standard computer running imaging software. However, in some circumstances removal of the hard disk from a computer may not be possible or advisable, in which case it is common to leave the hard disk installed in the host computer and obtain access to it using the procedures described in the following paragraphs.

9.74 To avoid altering any evidence on a computer, it is necessary to bypass the operating system. When the power supply is switched on, the basic input and output system (BIOS) will carry out a power-on self-test (POST) before looking for the operating system. After the BIOS is activated and before the POST test has completed its cycle, it is possible to interrupt the process. Most computers are programmed to expect the operating system to be found on a floppy disk, hard disk, compact disc or a device attached to the Universal Serial Bus (USB) As a result, the system looks at these locations in the order set out in something called the Complementary Metal Oxide Silicon (CMOS) configuration tool. The CMOS chip retains the date, time, hard drive parameters and other details relating to configuration while the main power is switched off. By looking at the CMOS tool between the POST test and the computer being fully powered up, the digital evidence professional is able to determine where the computer will look for the operating system: for instance, a floppy disk, a hard disk or a compact disc. With this knowledge, the investigator is able to pre-empt the search for the operating system on the computer and provide an alternate operating system from another disk. It is common for this alternative operating system to be a variant of the Linux operating system that is designed to allow storage devices to be viewed in ‘Read Only’ mode. By interrupting the normal boot-up process in this way, the evidence on the hard drive remains intact and unaltered, thereby permitting the content to be copied in the state it was in when the computer was switched off. Various techniques and tools (such as an evidence acquisition boot disk) can be used to intercept this process, and the precise technique depends on the circumstances of each case.

9.75 Once the computer is booted from a suitable tool, the program can then do a sector-by-sector copy of the electronic evidence. Some tools will acquire the data and undertake an integrity check at regular intervals. There is some technical discussion about whether the tools that undertake these tasks do take an exact copy of the disk, even though all of the information is copied from the disk. One of the reasons for this is that data may be arranged in a different manner in a proprietary file format. Professor Casey suggests this is not as important as ensuring that the integrity of the evidence is maintained, which must be correct. In addition, he also suggests that at least two copies be made with different tools.¹ From a practical point of view, this may not always be possible because of time constraints and the absence of storage media.

9.76 A number of the forensic imaging tools, such as Encase and FTK, have used the expression ‘Logical Evidence Files’ which, instead of being an image of an entire hard disk, are copies of specific data accessible in the devices’ file systems (that is, the contents of a specific directory or directories). This technique has significant advantages where it is impractical to image an entire drive due to the amount of data required to be copied or because of time constraints. It should be noted that file hashing and image hashing techniques are still used to ensure the integrity of the data that is collected.¹

Viewing the data

9.77 When the electronic evidence has been copied, the data can be viewed in raw format (examining the contents of the file in binary, hexadecimal or another format that displays the literal file contents as expressed in bits) or logically (using a viewer or program suitable for processing the file at hand). It is usually necessary to view the data through a tool; human beings need the binary code, which resides on a disk or in a disk image, to be interpreted before the data can be viewed and interrogated in a sensible manner. In many tools for viewing raw data, the data can be viewed in hexadecimal form on one side of the screen and in plaintext (ASCII or Unicode) on the other side of the screen. Depending on the tool used, the data can be examined and analysed. For instance, a tool can recover slack space and compare files to determine if there are any differences to be observed.¹ Viewing data in logical view enables the user to examine it as represented by the file system. This way of looking at the data permits the user to analyse it in a different way, but it does not show the underlying information that is visible when using the physical method. Both forms of viewing data have their limitations, and it is also important to be aware that data can be misinterpreted. There is some debate about the best way of examining digital evidence, but the emphasis should be on verifying the accuracy of the evidence by using different tools.

Recovering data

9.78 An increasing number of people delete the content of their hard drives in computers in anticipation of legal action or after legal action has begun.¹ For instance, in the case of L C Services Limited v Brown,² Andrew Brown, the sales director of LC Services, was found to have broken the fiduciary duty he owed to LC Services. He also breached the terms of his services agreement and misused confidential information belonging to LC Services. It appeared that Mr Brown altered or re-installed the operating system on his computer on 1 October 2003, at the time the claimants were pursuing disclosure documents from the defendants. A digital evidence professional was subsequently able to retrieve the residue of the text of the relevant database in dispute, and the remains of a number of emails sent by Mr Brown. The content of these emails showed that he was in breach of his fiduciary duties to LC Services.³

9.79 There are several techniques that can be used to recover data that has been deleted. This can be done manually or through the use of tools, depending on the complexity of the problem faced by the specialist. For instance, some tools use a bit-for-bit copy of a disk to reconstruct the file system, including any files marked as deleted in the file allocation table, master file table or their equivalents. However, where files are fragmented and have been partially overwritten, it may be necessary to recover them by hand. A typical technique to recover deleted files (often called ‘carving’) involves searching unallocated space and swap files for such information as headers and footers. Although there are many types of file that can be recovered (carved) in this way with an appropriate tool, such as graphic files, word processing and executable files, recovery is limited to those files whose headers have not been deleted.¹

Passwords and encryption

9.80 A number of tools are available that are capable of removing passwords and bypassing or recovering them. Some tools are available for guessing passwords if the encryption keys are small enough, and where it is not possible to obtain a password, it is sometimes possible to search for unencrypted versions of the data in other areas of the hard disk.¹ Passwords can be used simply to provide access control to unencrypted data, can be the ‘key’ that decrypts encrypted data, and can even be the ‘key’ that decrypts the actual key that is used to decrypt encrypted data. The methods used to bypass passwords or ‘crack’ the code needed to decrypt encrypted data are many and varied, but in general stronger encryption algorithms and larger ‘keys’ mean that very long processing times are required to gain access to the data, if indeed they can be accessed. Depending on the processing power available, it may be impossible to reveal the passphrase or gain access to encrypted materials in a realistic time frame. The techniques used to attempt to obtain access to encrypted or password-protected data are discussed in Chapter 8 on encrypted data. The increased use of encryption on (mobile telephone) file systems poses problems and has led to significant debate and developments in the field of police powers.

Traces of evidence

Network connections

9.81 One of the most significant difficulties faced by digital evidence professionals with computers and devices that are connected to a network such as the Internet, or a series of computers or devices that are connected in an organization, is the possibility that a hacker or malicious employee might enter the system without authority and undertake a series of actions that causes an innocent person to be accused of doing something he did not do.¹ This is where data logs can help. Two types of log, the application log and system event log, contain information about how users have used the computer. Scrutinizing these logs, either manually or with a tool, can help to obtain a clearer picture about the activities that took place on the system, although consideration must be given to the integrity of the logs themselves. Note that logs may also be present at other levels in the network, such as on a fileserver, an Internet proxy or a firewall. The availability of such logs may, however, vary a great deal. A typical problem in this area is the shared use of a single public IP address for Internet traffic by many different local users. These users will typically have their own, locally distributed (private) IP address. A setup like this is known as NAT (Network Address Translation) since it requires translation of the local user’s (private) IP addresses to the public IP address and vice versa. Network-based logs only rarely contain enough data to identify the individual user, however.²

Logs, files and printing

9.82 In addition, when a user uses his computer, a digital trace is left of the actions across a range of data logs and files.¹ A data log is capable of containing any type of data, depending on what the system is programmed to capture.² For instance, if a file is downloaded from the Internet, a date and time stamp will be added to the file to demonstrate when the file was downloaded onto the computer. When the file is moved, opened or modified, the time and date stamps will be altered to reflect these changes. In addition, the metadata can also help provide more information about the file, such as the location where it was stored on the disk, the printer on which the file was printed and the time and date the file was created. When a file is printed, the computer tends to store the print job in a temporary file before it is sent to the printer when the printer has the capacity to print the file. Once the command to print has been passed to the temporary store, the user can continue to work with the application – for instance, she can continue to type a new document while the previous document is waiting to be printed. The temporary print store retains valuable information, such as the name of the file to be printed, the type of application used, the name of the printer, the purported name of the person whose file is to be printed and the data itself. In addition, there is a date and time stamp added to the file to show when the file was printed. It should be noted, however, that the date and time stamp can be altered, which means it is important to ensure that the date and time stamp is corroborated by other methods.³

Use of the Internet

9.83 When a person obtains access to the Internet, a range of data is created and retained on a computer or device, including the websites that have been visited, the contents a user has viewed and the data sources accessed.¹ Some systems, both in the network and on customer premises, also include a log of the times and dates of the Internet session and details of the device or connection that was used (such as the modem, network card or physical network port in the access network). With more services available online, it is important to be able to rely on information provided by network operators for investigation purposes. Typical information requests involve IP addresses, subscriber details and possibly payment information. Internet access logs may, furthermore, provide information as to where and how users were connected to a service, and may identify others involved in the same investigation. Finally, it is interesting to observe that CCTV systems are gradually being replaced by systems that use Internet Protocol technologies (IP) and wireless IP, which will in turn cause additional expense and increase the legal complexity (where the camera is capturing images in one country, and these images are being recorded or stored in another country) in obtaining access to such systems for the purposes of litigation or criminal proceedings.² The types of information available include those noted below.

9.84 Browser cache When viewing a page on the Internet, the browser retains and takes copies of all the elements that make up the page, such as graphics and HTML text. This copy is called a cache. The computer or device gives the page a date and time stamp at the time the page was downloaded. The reason for doing this is that when the page is visited again, the cached file is used by the computer or device in place of obtaining access to the same page online and the date and time stamp is subsequently updated. Another item of information created and logged in some browser history databases is the number of times a web page was visited. It must not be assumed, however, that just because the computer or device has recorded certain types of web page that the user actually viewed such pages. This is because some websites, in particular those promoting pornography, will redirect a browser to different websites, and may even make unauthorized changes to the computer or device.¹ It is possible to recover these cached files, even if they are deleted. Recovered files can provide such information as when the computer or device was used to obtain access to web-based email, when sites were visited and if purchases were made or financial transactions undertaken.

9.85 Cookies Many websites keep a track of visits by users to their sites by placing this information in files on the users’ computers or devices called cookies. If cookies have not been disabled, the information in the cookie directory can help with an investigation. As for websites included in the temporary cache file, it does not follow that just because there is a cookie on the computer or device that a user necessarily went to all of the websites included in the cookie directory. Some advertisements on a website may place a cookie on the user’s computer or device, even though the user did not click on and view the particular website. Further, where the user’s browser has been redirected without his permission, cookies can be added to the directory without the knowledge of the user.

9.86 Private browsing, VPN proxies and Tor In order to provide Internet users with more privacy, several browser manufacturers have introduced ‘incognito modes’ or ‘private browsing’ modes in their browser software. In this mode, no Internet history, cache entries or cookies (or any other artefacts) remain after the Internet session. This means it will be harder (if not impossible) to retrieve a reliable indication of a user’s Internet usage and surfing behaviour from the information present in the local computer system. In practice, other systems such as access logs at service providers’ services or browsed websites may still be able to identify the user by her IP address.¹

9.87 In order to further enhance user privacy and anonymity, services such as Tor (The Onion Router) and VPNs (Virtual Private Networks) are available that allow users to hide the origins of their connection to the services they use. In the case of Tor, this is achieved through a network of nodes operated by volunteers who anonymize connections to the Internet by providing a route across three or more anonymous nodes (including an entry and exit node, as they are called) on behalf of a Tor user. Since no logging is kept at any of the intermediary Tor nodes, this assures a relatively high level of anonymity. Similarly, VPNs and proxies can be used to connect to the Internet via a predetermined ‘hop’ in the network. Provided the VPN origin is not logged, this may effectively make tracing users by their network addresses impossible. Note that the use of other information and identifiers is still possible, so that various other measures may still reveal the users’ actual names, addresses and Internet activities.

9.88 Email and instant messaging Email has become a dominant method of communication for the vast majority of organizations, although text-based ‘chat’ is used increasingly by individuals, and especially on smartphones. Nevertheless, a great deal of evidence can be discovered from email communications. Some software programs store email in plaintext files, while others use proprietary formats that will require the digital evidence professional to use a number of tools in order to read the messages. Other email systems utilize online storage only and leave very little communications data on the filesystem of computers or devices. It is sometimes possible to recover email messages that have been deleted but have not been removed from the email files.¹ Where it is impossible or difficult to restore emails from a single computer or device, it might be possible to track email traffic through the network it has travelled.² Organizations are beginning to recognize the importance of their email communications, and many larger organizations have archives of email communications that can be investigated in the event of electronic disclosure or electronic discovery requests.

9.89 Instant messaging, in the meantime, has become the default method of communication for many people. This presents problems for the investigator. It is not only used on local desktop systems (where this technology is increasingly also used in business environments), but it has also seen a major surge in use on mobile devices in recent years. Due to the Snowden revelations in 2013 of the mass international surveillance by the NSA,¹ many instant messaging programs currently in widespread use have introduced end-to-end encryption, meaning that intermediaries do not have access to plaintext messages, but merely to an encrypted version of those messages. Each connected device has a unique public key and a private key that is unknown to the intermediary. In practice, this means that the only place where such communications can be viewed and decrypted to a readable format is at the end user’s device.

9.90 Mobile applications that are used for instant messaging typically include the ability to send photographs and videos. Social networks and mobile Internet messaging have become the default communication method used by children.¹ This creates an increased workload for investigators of child abuse-related cases, especially where they may need to view a home computer, as well as a multitude of other devices, to help determine why a child might have left home, or how he or she got into contact with a certain adult, for instance.² Another challenge is that these programs increasingly offer features that allow the user to determine a set time and date to destroy any images sent. Therefore, images are no longer stored on the filesystem of the device or telephone by default, but temporary copies only are displayed for a short period of time, after which they are deleted. This leaves fewer artefacts and creates further challenges in criminal investigations involving abusive images and children, particularly in relation to practices such as sexting, the sending of sexual images and messages, and grooming, where adults lure children typically for sexual abuse by acting as persons of the same age.

9.91 Voice over Internet Protocol (known as VoIP) is another computer-to-computer technology that has expanded rapidly, and will need to be considered when conducting an investigation.¹ Contrary to the old telephony system (often referred to as POTS or Plain Old Telephone System), Internet-based calls can be made fairly anonymously and it is easy to deceive a person into thinking that a telephone number is genuine (called ‘spoofing’), especially the number of the party initiating the call.² This makes telephone numbers increasingly unreliable as identifiers. The risk of wrongfully attributing the source of a telephone call on the basis of its originating telephone number has increased greatly, especially since many VoIP providers allow spoofing of outbound calls as a service feature, and special services have emerged that specialize in spoofing calls for various purposes. In most cases the connection will be encrypted, which means that the data packets flowing between the caller and the recipient of a VoIP call is not in decipherable voice form, and if intercepted midway, cannot be reconstructed to meaningful evidence.

9.92 Digital and online wealth A special category of data is related to financial investigations and digital evidence. Once a small field with limited overlap to digital forensics, the advent of cryptocurrencies such as Bitcoin, electronic money such as PayPal, as well as many other types of digital assets and wealth stored online, have increased the need for specialized investigations into electronic evidence pertaining to wealth that is accessible through computer systems. It should be noted that, in contrast to electronic money, where a database containing a ledger (denominated in fiat currency such as pound and euro) is typically stored with a service provider, cryptocurrencies make it possible to store values in local wallets that are hosted on software present on a computer system or device. A special property of these currencies is that the cryptographic values in the wallet can be copied in order to make it possible to spend the currency from either one of the copies made. This complicates search and seizure for this type of evidence. Digital evidence professionals will need to have a good knowledge of the way in which such wallets are stored, as well as the most common online services related to the various types of financial activities that can be employed online, in order to proficiently and, indeed, forensically conduct financial investigations into data. From a legal perspective, it should be noted that the existing international standards make frequent use of the reversal of the burden of proof in cases of ‘unexplained wealth’. These are cases where a predicate offence can be proven, yet significantly more ‘unexplained’ wealth is found to be present following a financial investigation. In such cases the burden of proof regarding the title to such wealth can be shifted to the suspect.¹

Reporting

9.93 The findings, and any conclusions made by the digital evidence professional, will be set out in a report. Whether prepared for criminal or civil proceedings, the report should include a range of information that is pertinent to the case, including, but not limited to:

9.94 Professor Casey refers to the following principles to guide the preparation of forensic reports: observation, hypothesis, prediction, experimentation/testing and conclusion.¹ Following from these principles, the report needs to reflect how the examination was conducted and what data were recovered. It may be that the digital evidence professional will have to give evidence about the conduct of the examination and the validity of the procedures and tools used. Essential to any report will be the conclusions reached by the professional. Where an opinion is offered, the opinion should set out the basis of the evidence. Consideration should also be given to rates of error, including the origin and timing of events that had been recorded, whether the digital evidence professional took care when reaching conclusions where data were lost, whether the professional was aware that digital evidence can be fabricated, and whether the professional evaluated the evidence based ‘on the reliability of the system and processes that generate the records’.²

9.95 As pointed out by Professor Sommer, it is important to be aware that digital evidence professionals have to use a variety of techniques to cope with the wide diversity of hardware and software encountered. Reliability is one factor to take into account. Another factor is the degree of reliance on the conclusions reached by a digital evidence professional. The digital evidence must be interpreted, and care should be taken to ensure the underlying rationale is sustainable.¹

9.96 Assumptions should not form part of any report (except in Australia¹) by a digital evidence professional, as occurred in some cases relating to the investigations by the UK police under the name Operation Ore. In this case, police forces in the UK investigated and prosecuted over 7,000 people for offences relating to the possession of abusive images of children and secured over 2,000 convictions.² This operation was instigated after the conviction of Thomas and Janice Reedy (the Landslide trial, named after their company) in the United States for operating a website selling access to abusive images of children.³ After the trial, a copy of the database recording details of the payments received by Landslide was shared with a number of police forces across the world. This information formed the initial evidence for the purposes of the investigations that subsequently took place. There was evidence to suggest that stolen credit card numbers were used to steal money by ‘buying’ access to the illegal websites hosted by Reedy, who tried to prevent this without success.⁴ Some of those prosecuted claimed that they did not use their credit cards to obtain access to abusive images of children, as in the case of Dr Paul Grout. No abusive images of children were found on his computers. He produced alibi evidence to demonstrate that at the time of the alleged links to the Landslide website, he was not at a computer terminal. The case was withdrawn from the jury.⁵ On occasions, it was also assumed that if a credit card number was in the Landslide database, the person whose number it was had therefore paid for abusive images of children. Brian Cooper used his credit card to buy bicycle parts from a US website. His card details were obtained by Akip Anshori, an Indonesian, who successfully subscribed to the Landslide website until Mr Cooper alerted his credit card provider to the unauthorized payments. The police failed to find any abusive images of children on his computers.⁶

9.97 A similar case involved Jeremy Clifford, who was charged with making and being in possession of indecent images of children. The images were found in the temporary cache folder with random names such as ‘FX7RA’. Such images generally appear as advertisements, and the user will not necessarily have clicked on them, nor will she be aware that they are on her machine. At his trial, Clifford was acquitted when the prosecution offered no evidence. Although he failed in his first legal action for malicious prosecution and misfeasance in public office,¹ his appeal succeeded,² and the police were subsequently found liable.³ It transpired that the police and the digital evidence professional had made a number of erroneous assumptions about the Landslide databases, the evidence of Internet browsing and site visit history on Clifford’s machine.⁴

9.98 Great care must be given to the nature of the technical evidence, as demonstrated by the case of R. v O’Shea (Anthony David),¹ a case that also centred on the Landslide database. The case had been publicized by the media as a public enquiry into the entire operation conducted by the police. It was not. It was an appeal against conviction by one man on the main ground that new evidence from one Bates, described as a computer expert, based on a forensic examination of the Landslide records, suggested that a third party had misappropriated the appellant’s identity. The members of the Court of Appeal held that there was no evidence to support Bates’ suggestion that the Landslide webmaster had access to the appellant’s personal data that were used in the transactions, that there was no evidence to prove that the hypothetical fraudulent webmaster had obtained access to the Freeserve proxy servers to assume the appellant’s identity, and noted the appellant had checked his credit card statements regularly and not challenged these transactions (he had challenged the debiting of his credit card account in relation to other amounts that were similar to those in question in this case).² Describing this additional evidence as ‘mere assertion, unsupported by any published or other material or any reasoning,’³ the members of the Court of Appeal concluded that the appellant’s conviction was safe and dismissed the appeal.

Analysis of a failure

9.99 A prosecution in Wales in 2015 offers an illustrative case study to demonstrate what can go wrong when the police do not conduct a careful investigation, and the prosecution’s failure to understand the weakness of the evidence upon which the charges are preferred. A number of nurses working at the Princess of Wales Hospital in Bridgend were indicted on charges relating to alleged falsification of patient notes regarding blood glucose levels. Professor Thimbleby, an expert witness for the defence, discussed the evidence in detail¹ where he outlined the correct, systematic procedure to be observed by the nurses.

9.100 The central record system had no records of many of the tests and their results the nurses had written on the paper notes for each patient. Because of this discrepancy, the police concluded that the nurses had written down fictitious readings and had not bothered to do their job. As an aside, nurses could not necessarily undertake the actions as set out above, because of problems with the software, and also because sometimes it was difficult for the software to read the patient’s identity number. It turned out that a practical solution was to type 000 on the glucometer keyboard, or for the nurse to scan her own barcode in order for the glucometer to accept the data to be input as a valid patient, or to manually type in the name of the patient – but this action would not prevent the nurse from misspelling the patient’s name. The glucometer accepted both of these methods of getting around the failure of the software code and would give a correct blood glucose reading. However, the hospital system rejected this data, the consequence of which required manual intervention for the data to be added to the central database – which might not happen or might introduce further errors.

9.101 On analysing the prosecution evidence – which was in the form of a CD of Excel spreadsheets and, on a later date, XML files of data logged on blood glucometers – it was discovered that the relevant data were not present. The prosecution asserted that because data was not present, it followed that the nurses had fabricated doing actual tests, because if they had actually done the tests, the data would be present in the spreadsheets.

9.102 The prosecution needed to prove that it was the failure of the nurses to input data that caused the data to be missing from the central database – that is, the absence of data proved fabrication, rather than any other possibility. The police and the prosecution lawyers assumed that the glucometers and hospital IT systems were reliable, even though they knew the systems required human intervention. The police did not question the management of the data, and there was no evidence about the day-to-day management of the data. The prosecution also claimed that the devices were accurate as blood glucose meters. This was not relevant. The relevant issue was whether the glucometers reliably transmitted test data to the hospital’s patient record system. It did not appear that the police or the prosecution bothered to research this topic – if they had, they would have discovered a number of relevant articles that included reference to issues which were noted by Professor Thimbleby regarding the practical problems of the device and getting the data to the central computer.¹ The judge concluded that the prosecution evidence was unreliable and was therefore excluded.² The prosecution response was to offer no evidence.³ In consequence, the nurses were acquitted.

Anti-forensics and interpretation of evidence

9.103 As with all fields of forensic analysis, computer forensics is part of a continuous race of catch-up between investigators and criminals. Just as criminals quickly started to wear gloves once fingerprint evidence had reached the awareness of the wider public, computer criminals too began to use tools to hide or alter the traces of their activities. Anti-computer forensics has become the term for the possible countermeasures that criminals may take to prevent, delay or invalidate computer forensic efforts, a problem increasingly recognized by the research community.¹ Deletion of data as a classic anti-forensic technique may serve as an initial example to illustrate some of the issues computer crime investigations are increasingly confronted with. In the early days of the Internet, software that securely wiped data from all parts of the computer was the preserve of the experts, or governmental organizations with special security needs. Today, tools that irretrievably delete files are now easily obtainable for free from various sources, and can be used quickly and reliably even by comparatively computer-illiterate users.² This example not only illustrates the proliferation of anti-forensic tools, it also highlights some of the complexities that are involved. Most anti-forensic tools are ‘dual nature’ tools, just as many hacking tools are. They have legitimate uses and are often even officially recommended, if not legally mandated, for instance, to protect the security and privacy of sensitive data. Computer software is regularly ‘purpose neutral’. In other words, what works as a protection against criminals trying to obtain access to credit card details also works as a protection from the police trying to obtain access to private emails; what works for system administrators seeking to detect misuse of a computer by an employee also works for criminals obtaining access to commercially sensitive secrets. This has implications for the legal responses to anti-computer forensics, and also for the probative weight of evidence affected by any counter measures that were used by a suspect, and is further discussed below.

9.104 As noted above, the social context is a crucial determinant for the interpretation of electronic evidence. In the early days of the Internet, finding that a suspect had acquired the specialist knowledge necessary to operate (or maybe even write) the software for a cleaning tool could be prima facie evidence that he had tried to hide traces of illegal activity. This inference is no longer sound, because secure cleaning of deleted data has become a standard operating procedure in many organizations to prevent data security breaches, and default settings on popular free tools such as CCleaner allow the effortless routine destruction of deleted files every time a computer is shut down.

9.105 The legal system and police investigators have reacted in several ways to this new reality. One approach is through technology – developing new investigative tools that either look for other types of data not yet protected by counter measures or are in some other way capable of undoing the damage of anti-forensic tools. However, this need to react rapidly to developments in the anti-computer forensic field can cause problems for the legal system, where rules on the admissibility of scientific evidence often require extensive testing and acceptance in the scientific community, supported by publication in peer-reviewed journals, together with robust methods of calibration, standardized procedures, accepted minimum criteria for training and proficiency with the new tools.¹ What is important to note for criminal prosecutions is that electronic evidence can serve a dual purpose: it can either directly support the prosecution’s case, or it can be indirect evidence that the suspect took actions to hide some form of criminal activity – which in turn may also be direct evidence that he committed one of the various statutory offences that have been created to prevent the destruction or spoliation of data.

9.106 With all this in mind, the following is an overview of the various approaches to anti-computer forensics, and the effects they have on the availability, reliability and interpretation of electronic evidence. Anti-computer forensics are understood here as any technique, hardware tool or software that prevents or delays the forensic analysis of a data carrier, and negatively affects the existence, amount, authenticity or quality of evidence from a computer or device. There are at least five different subcategories of anti-forensics: data destruction, data tampering, data hiding, trail obfuscation and attacks against the computer forensic tools themselves.

Data destruction

9.107 Data destruction is the most obvious and most widely discussed anti-forensics measure and has created a considerable legal and technological debate.¹ Unlike a physical object or piece of paper that can be destroyed effectively, it is much more difficult to completely obliterate a document in electronic form. A user simply clicks the ‘delete’ icon on a computer, in general terms, to remove the pointer to the data. The document or data remains, and it is possible to retrieve this data in certain circumstances, even if it is partly overwritten.² However, disk cleaning utilities that overwrite or ‘shred’ data have become increasingly available and easy to use for even unsophisticated users. These software-based tools write patterns of pseudo-random combinations of 1s and 0s (in other words, meaningless data) on to all of the sectors on a hard drive. This also includes a setting to wipe free space or unallocated or ‘slack’ space, which is where older ‘deleted’ data often reside. Slack space occurs when data is split between clusters on the hard disk. As files only rarely and by chance fill up every cluster, some space remains. Cleaning software also deletes much of the metadata that accumulates from using the computer – it wipes and cleans old file entries, recently used file lists and many other things including custom locations.

9.108 In practice, a person might delete emails and files as a matter of routine, and the organization might fail to realize that it has backup copies of all the relevant data,¹ or the organization might have backup data to deal with situations where data is deleted, whether inadvertently or deliberately. For instance, in Noble Resources SA v Gross,² Mr Gross attempted to delete SMS messages that might have incriminated him. Several thousand of these messages were recovered from various places: from backups of his personal mobile telephone and the BlackBerry of the person to whom the messages were sent. Copies were also found in a backup file on his laptop computer shortly before trial; they were also on the forensic image of his laptop taken by his forensic experts, and on a CD of his personal files that he only disclosed during the course of the trial. Mrs Justice Gloster DBE said: ‘with the assistance of one Jimmy Weston, an IT expert, Mr. Gross had deliberately changed the time settings on the laptop to conceal the fact that he himself had made the deletions; and that the last recorded logon time with his user ID reflected this’.³

9.109 Data destruction adds a great deal of complexity to both civil litigation and the investigation of alleged crimes. On occasions, a party may have a reasonable suspicion that the other party might intend to delete files, or has already deleted files, although the technical issues relating to such allegations can serve to confuse.¹ In United States of America v Triumph Capital Group, Inc.,² McCarthy, the CEO and controlling shareholder of Triumph, Spadoni, Triumph’s Vice President and General Counsel, together with a number of others, were accused of a variety of offences relating to racketeering, including bribery, obstruction of justice and witness tampering. It came to the notice of the US government that Spadoni was alleged to have purchased a software program to purge his computer of incriminating evidence. Triumph was ordered to deliver up the relevant computer for forensic tests. The tests revealed that relevant data had been deleted, and the deleted files were recovered. A search of the recovered Internet cache files revealed evidence of other offences. This caused the investigator to obtain a further warrant to search and seize evidence of the further crimes. In L C Services v Brown³ the operating system on Brown’s computer had been changed or re-installed at the time the claimants were pursuing disclosure of documents by the defendants, but a digital evidence professional was able to recover the remains of email communications. The recovered evidence was sufficient to incriminate him, and he was held liable for breach of fiduciary duties to the plaintiffs, his ex-employer.

9.110 Where there is a reasonable suspicion that a party might delete files, as in the proceedings leading up to divorce in the case of Ranta v Ranta,¹ it may be possible to obtain an order to prevent a party from deleting, removing or uninstalling any programs, files or folders.² Sanctions may follow for deleting files, depending on the seriousness of the action, where a party deliberately wipes hard drives after a court has ordered their production, as in Electronic Funds Solutions v Murphy.³ Furthermore, it is not inconceivable for a court to order a party to search for relevant documents in backup tapes and archives and to provide information about data that have been deleted.⁴

9.111 As indicated above, the use of these tools has been the result of legal requirements to ensure data security and privacy protection, which means that increasingly they come with official guarantees that promise that the wiped data cannot be reconstructed by criminals¹ – and as a side effect, the police cannot reconstruct the data either. For instance, to provide legal entities with the assurance that they comply with the law, such programs typically allow default settings that erase data automatically every time a computer is shut down, or every time someone tries to obtain access to a file without the password. This makes it increasingly problematic to infer criminal intent to hide data when evidence of disk cleaning is found.

9.112 The physical destruction of a computer, including the hard drive, will ensure the data (without investing in costly reconstruction and recovery services) is lost, as in Strasser v Yalamanchi.¹ In this case, it was claimed that a hard drive containing relevant data had been severely damaged by lightning, and an employee saw fit to dispose of the computer as a result. In response to the extensive pre-trial actions and the failure to provide an adequate reason for the destruction of the computer while litigation was under way, the trial judge subsequently instructed the members of the jury that the negligent destruction of evidence might be inferred from the failure of the appellant to preserve and maintain evidence. The appeal court subsequently upheld the decision.

9.113 Generally speaking, the most secure way to prevent computer forensics is the physical destruction of the hard drive, or short of that, degaussing in a strong magnetic field. Degaussing with an approved degausser is, for some highly sensitive military or national security applications, the required method of data destruction.¹ As discussed above, in comparison to the deliberate attempt at destruction to prevent others from obtaining evidence, paper copy files of underlying source documents may be destroyed for perfectly legitimate reasons, and reliance might subsequently be made on the version held in electronic form. This tends to occur when organizations attempt to reduce the cost of storage of paper documents but fail to consider the cost of electronic storage and the need to deal with old data when a system is upgraded. In the case of Heveafil Sdn. Bdh. v United States,² the US Department of Commerce refused to accept a copy of a database containing a bill of materials stored on a computer diskette as a means of verifying the cost information in an investigation into anti-dumping extruded rubber. Heveafil claimed that the database held on the diskette had been taken from the mainframe, that it used the previous version in the course of normal business and that the database on the diskette contained an exact duplicate of the database developed on the mainframe computer. In an appeal from the US Court of International Trade, the Court of Appeals for the Federal Circuit accepted the argument by the Department of Commerce that it could reject the data on the diskette as not having been properly authenticated, and a finding of adverse inference was admissible in the circumstances. The assertions by Heveafil were not sufficient, because it failed to provide evidence of the veracity of the contents of the diskette, such as explanations of how the copy was made. The company merely copied data from the mainframe and then deleted the first in time data as well as the underlying paper versions. In doing so, it failed to provide a trail of evidence to demonstrate the procedures undertaken to provide for the veracity of the diskette copy.

9.114 As mentioned above, the social context can be crucial in interpreting electronic evidence. While clicking on the delete icon is not a way actually to destroy evidence, and can furthermore be seen as an intentional attempt to destroy evidence and pervert the course of justice, the opposite question also arises: under what circumstances can the law interpret a user’s failed attempt to destroy a file as a sign that he wanted to rid himself of possession of an illegal item? An innocent user who accidentally downloads an illegal picture, or finds one on a second-hand computer, may think that by deleting the item he has successfully rid himself of it. The law on possession of illegal material may or may not take the same view, if, for an average user, it is very easy to recover the item in question, and it is thus possible to use the ‘paper bin’ as a convenient hidden storage space.

9.115 All the methods of data deletion described above have been developed for data stored on traditional magnetic media. But increasingly, new storage media look set to challenge anti-forensic measures and also thwart the efforts of investigators. With traditional magnetic storage media, ‘bad sectors’ can create inaccessible parts of the hard drive that are ‘accidentally’ protected from many cleaning utilities. Solid-state drives (SSDs), unlike traditional magnetic discs such as hard disk drives, do not have any moving mechanical components but use integrated circuits to store data persistently. Solid-state drives pose new problems for the recovery of data, because they store data in ways that are much more non-linear and complex than that of traditional hard disk drives.¹ However, programs such as Parted Magic claim to provide safe data cleaning for SSDs.

9.116 Several new filing systems increase data permanence either by design – to prevent accidental data loss – or by accident. For instance, journaling file systems record write operations in a number of different locations, which means data ‘leftovers’ may exist in places ‘outside’ the nominal file storage location. RAID and anti-fragmentation techniques may also result in file data being written to multiple locations. In SSDs, for instance, if the same part of the drive is written over and over again, this will have the effect of ‘wearing it out’ prematurely. To counteract that, technologies are built into SSDs called ‘wear levelling’, which relocates blocks of data between the time when they are originally written and the time when they are overwritten. This has the effect of preventing the ‘true’ erasure of data.

9.117 From a legal and evidential perspective, it is necessary to have some knowledge of the differences these storage media entail for data deletion and data retrieval to interpret correctly the findings of the digital evidence professional. The easier it is to securely delete data with off-the-shelf, easily customizable tools, the less convincing is the inference of an intentional attempt to hide evidence. Finding evidence for the deletion of data from traditional hard drives is therefore different from evidence of deletion from new and more advanced storage systems, where data erasure requires specialist knowledge and considerable efforts.

9.118 The question that remains is what inferences, if any, can be drawn from the absence of evidence if data have been successfully deleted. A defence lawyer may want to argue that according to the prosecution case, some traces of illegal activity ought to have been found on his client’s computer, using the absence of such evidence as an argument to undermine the prosecution case. How convincing the argument is may well depend on the type of storage medium used and the nature of file systems employed. As noted with wear levelling, there are also increasingly automated ‘housekeeping operations’ being carried out by computers on files. In the past, finding that an illegal file, say of images of child sexual abuse, had been moved and copied to several places of a hard drive would have been evidence that the suspect knew of, and knowingly handled, the file in question. Increasingly, this inference depends on the storage medium, and if a number of copies at different parts of the drive existed, it is possible that these could have been the result of automated actions by the computer. Finally, for several legal purposes, a party may have to prove that it either took all reasonable steps to delete certain files, for instance in an action for damages after a data security breach, or that it took every reasonable effort to produce data, for instance, in response to a court order as part of the disclosure or discovery process. The type of evidence required to document that all reasonable steps were taken to either securely delete the data, or to recover lost data, will depend on the precise nature of the storage medium.

9.119 A separate way of destroying data at the filesystem level is by the deletion of filesystem-wide encryption keys. Mobile telephones and several desktop operating systems increasingly feature encrypted filesystems that use a private key for unlocking the data in the filesystem. This key has to be unlocked and made available for encryption and decryption each time the computer or telephone is booted, turned on after a longer delay, or after the key memory-retention period has expired. Data that is written to the persistent filesystem is encrypted using a unique (system specific, locally generated) private key, which is then secured (and unlocked upon demand) using a PIN, swipe pattern or fingerprint. Upon unlocking the telephone, this key is decrypted to enable full access. Destroying the private key, however, makes it virtually impossible to retrieve the data on the telephone, provided the cryptography and the implementation of this feature is done to exacting security standards. A modern smartphone may then destroy all data if a certain number of attempts are made to unlock the private key with a wrong or false fingerprint or access code.¹

Falsifying data

9.120 Tampering with electronic evidence is not new. An early example of erasing part of a tape recording and re-recording part of a conversation occurred in the UK in 1955.¹ In R v Sinha (Arun Kumar),² medical data recorded on a computer was altered after the death of a patient, giving rise to a charge of perverting the course of justice. In the case of Freemont (Denbigh) Ltd v Knight Frank LLP,³ one witness concocted evidence by creating documents in the form of a series of notes of discussions, which included statements that had not been made during the course of the discussions,⁴ and to avoid detection, had the hard drives of older computers destroyed when the firm upgraded its computer systems.⁵ Attempts to adduce fraudulent evidence before a court are rare, but increasing.⁶ For instance, Bruce Hyman, who had been a prominent British television and radio producer before qualifying as a barrister later in life, created a false judgment for a friend. His deception was uncovered and he was subsequently convicted for perverting the course of justice and sentenced to a term of imprisonment of twelve months and ordered to pay £3,000 to his victim in compensation and Crown expenses of £3,745 – the first barrister to be so convicted, and he was subsequently disbarred by the Bar Standards Board.⁷ In another case in Japan, a prosecutor altered electronic evidence in a case he was investigating, and was subsequently convicted and imprisoned for 18 months.⁸

9.121 However, it is conceivable, given the ease with which electronic data is so easily manipulated and altered, that attempts will be made in the future to falsify and alter documents even before a trial ever takes place, or to create vast swathes of ‘evidence’ of a complete set of legal proceedings. This happened in Islamic Investment Company of the Gulf (Bahamas) Ltd v Symphony Gems NV.¹ As explained the in judgment of Hamblen J:²

9.122 Even such mundane matters such as proof of parking violations have been subject to the alteration of electronic evidence. In the case of Kevin Maguire, he had parked his car in Market Place in Bury town centre, Greater Manchester at 7.15 am on 31 August 2003. He returned at 5 pm to find he had been given a parking ticket at 9.15 am. Normally there were no restrictions on a Sunday, and when he parked his car, there were no signs to indicate there were any temporary restrictions in place. There were no signs because the NCP staff did not put them up on the previous night as there was a high likelihood that the signs could be pulled down or damaged by revellers overnight. In fact, the signs were put up after Mr Maguire had parked his car. When Mr Maguire complained to the NCP, it was asserted that he had parked illegally and he was sent a photograph of his parked car, which was dated 30 August 2003. Mr Maguire appealed against the parking fine. It transpired that one Gavin Moses, a member of the NCP staff, had altered the date on the digital photograph from 31 August to 30 August, so that it appeared that Mr Maguire had parked illegally. Mr Maguire was cleared of illegal parking and was awarded costs. Gavin Moses subsequently entered a plea of guilty when he was prosecuted for perverting the course of justice, and was sentenced to 150 hours of community service.¹

9.123 In Singapore, for use in salary negotiations with his prospective employer, a solicitor Ruddy Lim altered the monthly salary on his payslip from DLA Piper Singapore Pte Ltd to read $65,000, rather than $25,000. The description of his method is set out in the judgment:¹

9.124 Considerably more attention will have to be paid to demonstrate the integrity of electronic data in the future, which in turn will help substantiate the claim for authenticity to reflect the reliability of the data.¹ In all of these cases, the changes to the data were carried out manually. Anti-computer forensics increasingly provides tools to alter data automatically, and in particular the crucial metadata, thus diminishing the evidential value of the data that can be recovered. ‘Backtrack’ or ‘Transmogrify’, for instance, can change the extension of files by turning .exe (application) files into .docx (Word document) files, thereby hiding their malicious character. ‘Timestomp’ can change the timestamps of files, the metadata that records the creation and alteration of a file.² Randomizers can automatically generate random file names, and criminals can use tools that replace Roman letters with identical-looking Cyrillic ones. Both approaches defeat data-mining techniques that look for ‘known bad files’ or signatures of known illegal images. Software developers who wanted to test the reliability of common forensic tools such as Encase developed many of these tools. Vincent Lui, one of the most prolific developers of tools with anti-forensic implications, concludes that the ‘unfortunate truth’ is that the presumption of reliability is ‘unjustified’ and the justice system is ‘not sufficiently sceptical of that which is offered up as proof.’³

9.125 Other tools have legitimate objectives such as privacy protection. For instance, to prevent companies from obtaining data about individual behaviour when using a search engine, software can be used to create a large number of chance queries to create random noise.¹ A record of keyword searches can also have evidential value in a criminal trial. Thus to establish the interest of the suspect in certain poisons or drugs, these tools can be used to cast doubt on the reliability of the log data that documents the searches carried out on a suspect’s computer. Since the search terms had been automatically generated, any inference that the user of the machine intentionally searched for a specific term becomes problematic.

9.126 Lastly, a specific type of falsification should be given consideration. In many countries around the world state security and intelligence services operate malware (see also the paragraph on the use of legal intrusion, which is increasingly used as a police power) which is capable, not only of surveillance of their targets, but, with a simple addition, could be used to plant falsified data. The presence, use, or even the evidence of existence of the use of such tools creates significant technical challenges.¹ In cases where unscrupulous people acting on behalf of a government have the political motive to use such tools, consideration should be given to the possibility that such falsifications may have been used.

Hiding data

9.127 Tampering with and destroying data works best when the criminal no longer needs the data. For possession crimes such as the possession of illegal images, this is not possible. Hiding the data rather than destroying or altering it therefore becomes an important objective. Cryptography is the best known anti-forensic method to hide data from third parties. Due to its importance as a dual use technology with important roles for privacy and data security, and also because of the complex legal issues involved with cryptography, this is considered in the chapter on encrypted data.

9.128 Another well-known method of hiding data is steganography. Steganography is the method of hiding a message inside a digital object, which may be a graphic, a picture, a film or a sound clip. The sender is able to hide a message in a seemingly innocuous file, and the recipient can retrieve the message upon receipt. Other methods used to hide data include writing data to slack space or space that has not been allocated for use, hiding data on a hard drive in a secret partition, and the transmission of data under the cover of transmission protocols. Various types of commercial and free software are available to perform steganography on data. It can be relatively difficult to detect hidden data within a file, and the communication can be even more difficult to uncover if the message has been compressed and encrypted before being hidden in the carrier. At present, it is unlikely that many investigators will undertake a routine examination for hidden data.¹

9.129 There are now various tools available that facilitate the hiding of data in places on the hard drive that are less likely to be inspected. In this sense, they are the mirror images of the deletion tools discussed above. Deletion tools aim to securely delete any trace of an incriminating file, regardless of where on the computer a copy may be hiding. Conversely, ‘Slacker’ breaks up a file and stores individual pieces of it in the slack space left at the end of files, making it look like random noise to forensic tools – imagine just two digits each of a stolen credit card number stored in the unused part of a legitimate file. Slacker then enables the data to be reassembled as required.¹ One of the problems with these tools is that they develop faster than it is possible to train digital evidence professionals, and even more importantly, faster than the development of sound, tested and agreed standards. This not only makes the detection of evidence more difficult; it also raises issues about the admissibility of the opinion evidence of forensic experts.

Attacks against computer forensics

9.130 Arguably, the latest addition to the inventory of anti-computer forensics is attacks against the investigator’s tools. As noted above, digital forensics is highly dependent on software tools. To create evidence that is admissible, these tools have to be evaluated and tested, and the results ideally published in openly available, peer-reviewed scientific publications. Indeed, some of the most popular tools are open source: that is, their source code is freely available. One of the benefits of this approach is not only a high degree of transparency when it comes to assessing the reliability of data generated by these tools, but also the ability for security professionals to improve them and to adapt them to local situations.¹ However, it also enables criminals to develop tools that interfere directly with the evidence collection process and infiltrate the software that tries to analyse a suspect’s computer. This can either be done by undermining the integrity of the data that is collected, for instance by changing the hash value of the bit copy that the software creates (thus violating the continuity of evidence by casting reasonable doubt on the authenticity of the copy) or by forcing the analysis tool to either overlook incriminating data, or to report misleading information about it.² In doing so, it cannot be right to equate such a tool with, say, a photocopier.³

Trail obfuscation

9.131 Trail obfuscation combines the deliberate attempt at tampering, deleting and hiding data with the taking of measures to frustrate investigations, conceal identities and evade enforcement actions.¹ In many investigations, the data held on the suspect’s computer or device is only one part of the prosecution’s case. The other, equally important, set of data will come from the Internet and relate to the suspect’s browsing behaviour, or the victim’s computer or device in the case of a hacking offence: the origin of the data, the websites visited, and the activities undertaken. Obfuscating the trail that such activities leave behind on the Internet is therefore an important aspect of anti-computer forensics. It includes various anonymity-protection tools such as VPNs or anonymous remailers to hide browsing activity, or the use of spoofed or zombified accounts when sending malicious emails or spam, or the launch of a denial of service attack. ‘Zombified accounts’, as discussed in more detail below, demonstrate a specific side effect of anti-computer forensics. One way for a criminal to hide illegal activities is to take over the computer of a third party, for instance, after inserting a Trojan horse program, discussed in more detail below, and using this third party machine to carry out illegal activities. This not only hides the true perpetrator from the investigators, it also creates data that can falsely incriminate an innocent party.²

9.132 The range of tasks performed by such malicious software is probably only restricted by the imagination of the person who creates the program. A number of cases in the criminal courts where people have been accused of being in possession of abusive images of children on their computers have used the defence that some form of malicious software caused data to be downloaded to their computers or enabled a third party to obtain access to their computers without the permission of the computers’ owners.¹ In the case of R v Caffrey,² the defendant was charged with causing unauthorized modification of computer material under s 3(1) of the Computer Misuse Act 1990. The prosecution alleged that the defendant sent a deluge of electronic data from his computer to a computer server operated in the Port of Houston, Texas, USA, the effect of which was to cause the computer at the Port of Houston to shut down. The defendant claimed, in his defence, that unknown hackers obtained control of his computer and then launched a number of programs to attack the computer at the Port of Houston. The forensic examiner for the prosecution could not find any evidence of a Trojan horse on the computer. The defence claimed that it was impossible for every file to have been tested, and that the Trojan horse file might have had a facility to destroy itself, leaving no traces of having resided on his computer. The forensic examiner for the prosecution disputed that, stating that a Trojan horse would leave a trace on the computer. The jury acquitted Mr Caffrey.³

9.133 It should be noted that just because an individual may have such materials on his computer, it does not follow that he was responsible for downloading them. It is important for any digital evidence professional to report on findings within the context of what the technology is capable of doing. For instance, it is possible to introduce malicious software through web pages without the permission of the website owner. When a person visits a website, software could redirect the computer to undesirable websites, and the computer will automatically download unwanted material onto the temporary cache file of the computer without the user’s permission or knowledge.¹

9.134 A Trojan horse is a malicious software program containing hidden code that is designed to conceal itself in a computer as if it were legitimate software. When activated, the software will perform an operation that is not authorized by the user, such as the destruction of data (including the entire hard drive), the collection of data on a computer and transmission to a third party without the user being aware of what is happening, the counteraction of security measures installed on a computer, and the instruction of the computer to perform tasks such as to take part in a denial of service attack, or permit the creator of the program to obtain access to the computer. Just like the other large group of malware, viruses, Trojan horses pose a Janus-face conundrum for computer forensics. Finding a virus or a Trojan infection can be direct evidence amounting to an unauthorized modification of computer systems. At the same time, this can also be indirect evidence that the computer at the centre of an investigation has been tampered with and that the crime scene is ‘contaminated’.

9.135 The dual use nature of many of the tools used for anti-computer forensics has been noted above. On the one hand, these tools protect our privacy against criminals, but they also protect the privacy of criminals from police investigations. A similar analysis applies to spyware such as Trojan horses. On the one hand, they allow criminals to obtain access to credit card details or passwords. On the other, they have the potential to allow the police to obtain access to the activities of criminals – that is, if the police succeed in planting such a program on the suspect’s computer. Attempts to use malware for investigative purposes have caused legal controversy in some countries. In Germany, the Constitutional Court ruled against such clandestine surveillance after prosecutors applied for warrants to permit their use. In the discussion before the court, evidence was also given from computer specialists about the security and evidential implications of these ‘Federal Trojans’. To work efficiently, they must not be detected by commercial anti-virus software. This can only be achieved either by the tacit collaboration of the anti-virus software vendors, or by using the ingenuity of programmers employed by the police. In either case, the result will be malware that cannot be easily detected. One obvious danger is that criminals can get hold of and in turn hijack the code for this ‘official’ malware once it was planted on their machines, which would give them in effect a ‘master key’ for all computer systems. In such an event, it would become much easier for the defence to mount ‘Caffrey style’ arguments, and all computers could become crime scenes with compromised integrity.¹

9.136 A final complication is created by the desire to protect users against malware. The use of Trojans lies at the heart of distributed denial of service attacks, a significant threat to the functioning of the Internet. Preventing malware has therefore become a high priority for police and commerce. Ordinary users, who often fail to take appropriate steps to protect their computers and devices against interference by criminals, are the weakest link. The Trusted Computing Initiative is one possible answer to this problem. It would allow a coalition of software and hardware developers much more direct access to computers, ensuring that all their defence mechanisms work as specified, and that no unauthorized program is run on them. While this approach is promising in its potential to reduce computer criminality, for the interpretation of electronic evidence, it carries several challenges. Since computer forensic tools too are essentially a form of ‘spyware’, common forensic applications may not work any longer in a trusted computing environment. Even worse, the philosophy of trusted computing is premised on belief that to protect the user against criminal activities, the security and control of the computer or device is improved if it is determined by not just the user but also by organizations. This means that the number of people and organizations that at any given time would have access to users’ computers and the data held therein would increase considerably, especially if the keys to users’ computers and their devices are compromised. This could in turn cast doubt on the reliability and authenticity of the data found on a computer or device during a criminal investigation. At the moment, lawyers assume, often naively, that data found on a suspect’s computer or device must have been put there by the person in physical control of the machine (typically, the owner); this inference would look increasingly doubtful in a trusted computer environment.¹

An intellectual framework for analysing electronic evidence

9.137 However, as we have seen, despite these differences, evidence in digital form shares important features with other types of evidence. Eyewitness evidence, forensic trace evidence such as DNA and proof by document can all provide the basis for analogical reasoning to determine the evidentiary value of an item of digital evidence, if we are aware of the limitations of this analogy. The digital evidence professional, however, has a different job from that of a DNA analyst or a forensic entomologist and, in particular, deals with mathematical abstractions rather than empirical objects. Therefore, findings will not normally be in the form of matching probabilities or other quantifiable, generalized statements.¹ ‘Universal’ theories of evidence are regrettably either rare, or too abstract to be of much practical value. However, the ‘hierarchy of propositions’ promoted by the Forensic Science Service in the UK has the potential to provide such a framework, which can also help to illuminate further the distinguishing features of electronic evidence and what they mean for practice. To interpret evidence, the digital evidence professional (or the judge) has to consider propositions that represent respectively the prosecution or defence, or the pursuer or defendant. Evidential weight can only be ascertained if the propositions from both sides are considered, and the increase or decrease in likelihood for both is considered. Several studies have shown, with examples, how a hierarchical analysis can help in the evaluation of heterogeneous evidence, from eyewitnesses to DNA.² The nature of electronic evidence is such that on a like-by-like comparison and allowing for the machine-mediated nature of electronic evidence, the evidence will be several steps further removed from the reasoning associated with traditional evidence. All these steps have to be explored and the counterfactuals examined before electronic evidence can be said to be proved.

Conclusions and future considerations

9.138 The widespread use of computers, the Internet, mobile telephones and smartphones means that most lawyers now have to deal with electronic evidence.¹ Increased use of specialized law enforcement capacities, the more traditional criminal justice system and advanced security and intelligence capabilities has created a field that is in constant flux. The weighing of the probative value of the evidence, can be straightforward only in simple cases, for which ample precedent and standards exist, but not otherwise where the parties challenge the data or new and innovative methods are in play. In these cases, the court often has to rely upon digital evidence professionals. This implies the need for a thorough analysis of the merits of each piece of data given in evidence. For this reason, lawyers must familiarize themselves with electronic evidence and understand not only the need to scrutinize the qualifications and conclusions of digital evidence professionals, but also the need to scrutinize the very evidence that they present and the manner in which it was obtained.

9.139 Cloud computing and trusted computing affect the way digital evidence professionals obtain evidence, which means that great care must be taken over how such evidence is obtained, which will doubtless be the subject of careful cross-examination.¹ In addition, the methods used by attackers in the digital environment will mean it is increasingly necessary to take into consideration the use of rarer techniques to obtain evidence in the future.²

9.140 In response to these developments, anti-computer forensics has emerged over the last decade as a significant challenge to the investigation of crimes involving the use of computers and computer-like devices. The arms race between criminals and investigators on the one hand, and the dual use nature of the tools that permit and prevent digital investigations on the other, have created a highly complex interaction that requires careful reflection on the nature of electronic evidence in any individual case, a reflection that has to be constantly updated as new tools emerge. While this chapter posits various principles and standards for handling and analysing electronic evidence, technological advancements will undoubtedly create new challenges and conflicts for the process of collecting, evaluating and examining electronic evidence in a legal setting in the near future.