Computer Forensics: Admissibility of Evidence in Criminal Cases

Article excerpt

ABSTRACT

Computers and the Internet have become a pervasive element in modern life. This technology is also used by those who engage in crime and other misconduct. Effective investigation of these offenses requires evidence derived from computers, telecommunications and the Internet. The need for digital evidence has led to a new area of criminal investigation: Computer Forensics. Forensic investigators identify, extract, preserve and document computer and other digital evidence. This new field is less than fifteen years old, and is rapidly evolving. Education in this field has focused largely on its technical aspects. However, there are significant legal issues and ethical problems that investigators must deal with. Failure to follow proper legal procedure will result in evidence being ruled inadmissible in court. As a result, a guilty criminal might go free. Failure to behave in an ethical manner will erode public confidence in law enforcement, making its job more difficult and less effective.

This paper will provide an introduction to the most significant legal issue in computer forensics: admissibility of evidence in criminal cases. The law of search and seizure, as it relates to digital equipment, will be reviewed. Interception of electronic communications and accessing stored digital information will be examined. Public policy in the form of federal legislation will be discussed. Finally, ethical concerns will be considered.

INTRODUCTION

On December 17, 2003, CSO (Chief Security Officer) Magazine predicted that "cybercrime will only get worse" (CSO 2003). On January 22, 2004, the Federal Trade Commission reported that in 2003 complaints of identity theft alone exceeded half a million (FTC 2004), up 40% from 2002. The Computer Security Institute's 2003 CSI/FBI Computer Crime & Security Survey reported that losses continued to climb and that "90% of respondents (primarily large corporations and government agencies) detected computer security breaches within the last 12 months" (CSI/FBI 2003).

The antidote to this problem is effective investigation and prosecution. Critical evidence needed to convict cyber-criminals is located on computers, networks and the Internet. However, this evidence is often difficult to obtain. It may have been deleted, overwritten, encrypted or hidden in a vast database (Schultz 2001). Nevertheless, cyber-detectives have developed techniques to salvage such information. A new investigative specialty has thus emerged: "Computer Forensics". This term, first used in 1991, refers to the identification, extraction, preservation and documentation of computer-based evidence (Armstrong 2000).

An important legal challenge faces cyber-investigators: not only must they discover incriminating evidence, they must also do it in a lawful manner. Otherwise, the evidence will not be admissible in court. As Marcella and Greenfield point out, an investigator "should always conduct the investigation as if you are going to trial, just in case you have to" (Marcella and Greenfield 2002).

Investigators must have a working knowledge of the legal issues involved in computer forensics. They must know what constitutes a legal search of a stand-alone computer as opposed to a network; what laws govern obtaining evidence and securing it so that the chain of evidence is not compromised; what telecommunications may lawfully be intercepted or examined after they have been received; and what legally protected privacy rights employees and other individuals possess. This paper will address all these concerns.

Because computer forensics is such a new field, investigative and legal norms are just now emerging. Little has been written about the legal requirements for admissibility of computer forensic evidence, or about the ethical and regulatory issues related to this new field. First we will examine the admissibility of evidence in a criminal prosecution, both with and without a search warrant. …