
Electronic Evidence and Digital Forensics Testimony in Court

Chapter in: Handbook of Digital and Multimedia Forensic Evidence

Summary

Like many of the chapters in this book, this chapter will succeed to the extent that it is able to raise many more questions than it can answer. Because of the constantly changing nature of the contemporary standards for the admission of highly technical digital forensic expert witness testimony, our subject matter is a fast-moving target. What is essential for the tyro who is interested in learning how to testify and how best to present clear and cogent testimony about complex technological issues, processes, or investigations is to develop a scientific attitude about every aspect of his or her forensic work. That attitude must be maintained without becoming overly concerned with the clear differences between evolving standards to ascertain the nature of digital forensics expertise and the long-standing traditions for providing provenance for experts in the hard sciences such as physics or chemistry.



Editor information

John J. Barbara

Copyright information

© 2008 Humana Press

Cite this chapter

Smith, F.C., Kenneally, E.E. (2008). Electronic Evidence and Digital Forensics Testimony in Court. In: Barbara, J.J. (eds) Handbook of Digital and Multimedia Forensic Evidence. Humana Press. https://doi.org/10.1007/978-1-59745-577-0_8
