Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, 3rd Edition

Practitioner's Tips from Digital Evidence and Computer Crime's Chapter on Digital Evidence in the Courtroom

• In practice, many searches are conducted with consent. One of the biggest problems with consensual searches is that digital investigators must cease the search when the owner withdraws consent. However, digital investigators may be able to use the evidence gathered from a consensual search to establish probable cause and obtain a search warrant.
• Once a search warrant is obtained, there is generally a limited amount of time to execute the search. Therefore, it is prudent to obtain a search warrant only after sufficient preparations have been made to perform the search in the allotted time period. Any evidence obtained under an expired search warrant may not be admissible.
• Many digital investigators use the terminology €œis consistent with€ inappropriately to mean that an item of digital evidence might have been due to a certain action or event. For many people, to say that something is consistent with something else means that the two things are identical, without any differences. To avoid confusion, digital investigators are encouraged only to state that something is consistent with something else if the two things are the same and to otherwise use the terminology €œis compatible with.€
• Given the complexity of modern computer systems, it is not unusual for digital investigators to encounter unexpected and undocumented behaviors during a forensic analysis of digital evidence. Such behaviors can cause unwary digital investigators to reach incorrect conclusions that can have a significant impact on a case, sometimes leading to false accusations. Thorough testing with as similar an environment to the original as possible can help avoid such mistakes and resolve differences in interpretation of digital evidence. Provided digital investigators can replicate the actions that led to the digital evidence in question, they can generally agree on what the evidence means. When it is not possible to replicate the exact environment or digital evidence under examination, digital investigators may need to rely on their understanding of the systems involved, which is where differences of opinion can arise.
• Careful use of language is needed to present digital evidence and associated conclusions as precisely as possible. Imprecise use of language in an expert report can give decision makers the wrong impression or create confusion. Therefore, digital investigators should carefully consider the level of certainty in their conclusions and should qualify their findings and conclusions appropriately.

Read a sample chapter on genesis and migration from Digital Evidence and Computer Crime