Tuesday, June 25, 2013

Daily Blog #2: What I wish I knew when I was starting out

(This entry is part of the Daily Blog series! Click Here for the previous entry.)

Howdy Reader,
BTW, I'm from Texas, so we say howdy sometimes. Not a lot, mind you, but it's just something fun to say. I'm taking topics to blog about from readers, and Karen Palmer, among others, submitted some great ideas! One of Karen's questions was "what do you wish you knew when you first started?". It's a great question and something I hope will help a lot of people get over some basic fears. This will likely be a multipart series as I think of more things, but here is the first.

There is no such thing as a 'court approved' tool. No really, seriously, there is absolutely no such thing. Now, courts have accepted the results of several tools, and the makers of those tools can now cite case law (meaning past cases) showing their results being accepted. What was important in those cases, though, was not the tool but the expert who presented the tool and its results to the court. A tool on its own is not admissible; it requires an expert who is knowledgeable in its operation and can explain its results while answering questions about what they mean.

It is the expert, not the tool, that determines what will be admissible. Now, the Federal Rules of Evidence do set out the guidelines a judge uses to decide what is admissible. For instance, here is a rule that was not written with digital evidence in mind but has been adapted to suit it:

Rule 1003 (http://www.law.cornell.edu/rules/fre/rule_1003)
"A duplicate is admissible to the same extent as the original unless a genuine question is raised about the original’s authenticity or the circumstances make it unfair to admit the duplicate."
If that is not clear to you: any duplicate you create (and a forensic image is by definition a bit-for-bit duplicate of the original evidence, which is exactly what your verification of the image is meant to show) is admissible under Rule 1003, unless a genuine question is raised about the original's authenticity, by either opposing counsel or the judge, or the circumstances make admitting the duplicate unfair.

So why do we have chain of custody? Well, that goes to authenticating the evidence you are looking to get admitted. For a judge looking to determine the admissibility of a challenged forensic image, the decision will be based on your testimony regarding the facts of how it came to be in your possession, what you did with it, and how you know it is what you claim it to be:

Rule 901 (http://www.law.cornell.edu/rules/fre/rule_901)
(a) In General. To satisfy the requirement of authenticating or identifying an item of evidence, the proponent must produce evidence sufficient to support a finding that the item is what the proponent claims it is.

(b) Examples. The following are examples only — not a complete list — of evidence that satisfies the requirement:
 (1) Testimony of a Witness with Knowledge. Testimony that an item is what it is claimed to be.
combined with the following, which the chain of custody documents by recording the identifying information (for example the make, model and serial number, and the hash values) of the original evidence you made the forensic image of:
(4) Distinctive Characteristics and the Like. The appearance, contents, substance, internal patterns, or other distinctive characteristics of the item, taken together with all the circumstances.
For the admission of the results of forensic tools the following applies:
(9) Evidence About a Process or System. Evidence describing a process or system and showing that it produces an accurate result.
A report generated by a tool is admissible with the following:

Rule 1006 (http://www.law.cornell.edu/rules/fre/rule_1006)
"The proponent may use a summary, chart, or calculation to prove the content of voluminous writings, recordings, or photographs that cannot be conveniently examined in court. The proponent must make the originals or duplicates available for examination or copying, or both, by other parties at a reasonable time and place. And the court may order the proponent to produce them in court."
So the report summarizes the findings, for example from a registry hive or a file system, in an understandable form, but the other parties are allowed to validate your summary by reviewing the data that was used to produce it.
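The post says an image is a bit-for-bit duplicate and that you have to show the item "is what you claim it is", but it does not spell out how an examiner actually demonstrates that. In practice it is done with cryptographic hashes: one taken as the bytes are read during acquisition, and independent ones taken afterwards of the original and of the image, all recorded in the chain of custody. The following is an added example written for this post, not code from the author or from any forensic tool; the "drive" is a constructed byte string, and the function names (`acquire`, `verify`, `custody_entry`), the examiner name and the single flipped byte used to simulate a damaged image are all made up for illustration.

```python
"""Added example: image a (constructed) evidence source bit for bit, prove the
image is a duplicate by comparing hashes, and record the result for custody."""
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB pieces so a real device never has to fit in RAM


def hash_stream(stream, algo="sha256"):
    """Hash everything readable from `stream` (a binary file object); return hex digest."""
    h = hashlib.new(algo)
    for piece in iter(lambda: stream.read(CHUNK), b""):
        h.update(piece)
    return h.hexdigest()


def acquire(source, image, algo="sha256"):
    """Copy `source` to `image` byte for byte, hashing the bytes as they are read.
    Returns the acquisition hash: the hash of exactly what the imager saw."""
    h = hashlib.new(algo)
    for piece in iter(lambda: source.read(CHUNK), b""):
        h.update(piece)
        image.write(piece)
    image.flush()
    return h.hexdigest()


def verify(source, image, acquisition_hash, algo="sha256"):
    """Independently re-read the original and the image and compare all three hashes.
    Returns a dict so every value can go straight into the custody record."""
    source.seek(0)
    image.seek(0)
    original_hash = hash_stream(source, algo)
    image_hash = hash_stream(image, algo)
    return {
        "algorithm": algo,
        "acquisition_hash": acquisition_hash,
        "original_hash": original_hash,
        "image_hash": image_hash,
        # Only a three-way match lets you say the image is a bit-for-bit duplicate.
        "duplicate": acquisition_hash == original_hash == image_hash,
    }


def custody_entry(examiner, action, item_description, hashes):
    """One chain-of-custody line: who did what, to which item, when, and how it is identified."""
    return {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "item": item_description,
        **hashes,
    }


# Constructed sample evidence: 1 MiB of repeating bytes standing in for a drive.
EVIDENCE = bytes(range(256)) * 4096


def demo(tamper=False):
    """Image the sample drive, optionally corrupt one byte of the image, then verify."""
    source = io.BytesIO(EVIDENCE)
    image = io.BytesIO()
    acquisition_hash = acquire(source, image)
    if tamper:
        # Simulate a single flipped byte in the image after acquisition (hypothetical damage).
        buf = bytearray(image.getvalue())
        buf[12345] ^= 0x01
        image = io.BytesIO(bytes(buf))
    result = verify(source, image, acquisition_hash)
    return custody_entry("J. Examiner", "imaged and verified", "constructed sample drive", result)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print(json.dumps(demo(tamper=True), indent=2))
```

The point of hashing three times rather than once is that the acquisition hash only proves what the imager read; the independent re-read of the original shows the source was not altered by the process, and the re-read of the image shows the file on disk is what was written. In the tampered run the first two still agree and only the image hash differs, which is exactly the kind of "genuine question about authenticity" Rule 1003 contemplates, and it is caught before anyone relies on the image.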

So there you go: criminal or civil, the rules are the same. (These are the federal rules; state courts have their own rules of evidence, most of which are modeled on them.)

What is important in getting your evidence admitted is not the tool you use, although, let's be honest, a well-known tool may be challenged less often than an unknown one. What matters is your ability to explain how the tool works, what you did to create the forensic image from the original evidence, and why it is admissible. So don't restrict your choice of tools to those that others tell you are 'court approved' or that have great marketing; use the tool you understand best and can describe most clearly, so you can feel confident of its admissibility in the face of a challenge.

I will say that a vendor certification for a tool can be very helpful in showing your training and knowledge of its use, so if your tool maker offers one it can't hurt to have it.

Talk to you tomorrow!

(This entry is part of the Daily Blog series! Click Here for the next entry.)