Latest Expert Witness News
Digital fingerprinting
Digital fingerprinting is crucial to guaranteeing the integrity of electronic evidence in court. The right computer forensics expert is vital.
In today’s digital world, 93% of documents are drawn up electronically, and less than a third are ever printed. With so many devices available, and data in so many formats, harvesting, securing and guaranteeing the integrity of evidence becomes more of a challenge. And increasingly, data has to be handled to criminal evidential standards.
The ‘data universe’ encompasses not only PCs and laptops, but servers (network, e-mail, SAP), plus all mobile devices and storage devices (USB drives, mobile phones, external hard drives and personal organisers), not to mention backup drives and tapes. Any file on any of these devices can potentially yield vital evidence in a case. But the sheer scale of the search makes it daunting to undertake and prone to error and oversight.
With so much at stake, a managed approach is essential: one that considers every source of data, and that systematically and rigorously finds, verifies, catalogues and secures everything it discovers.
Mention SHA-1 or MD5 to most IT professionals and you will most likely get a blank look. But digital fingerprinting, as it is more commonly known, is crucial to guaranteeing the integrity of electronic evidence in court, as are the chain of custody and a completely auditable and transparent process.
Quite apart from computer forensics and e-discovery, having to appear in court and defend electronic evidence can be a harrowing experience for most IT staff. This is where proven forensics detectives such as FoxData come in. Experienced in presenting and defending electronic evidence in court, they understand the importance of a clearly documented audit trail and data collected to the most demanding forensic standards.
The scope of the definitions of CPR Part 31 changes
In the digital world, everything changes – and those changes are reflected in last year’s amendments to the Civil Procedure Rules, Part 31. They dictate a more rigorous approach to data handling, and broaden the scope of documents that can be produced as evidence.
Backup systems are now included, as are deleted files, which are often thought of as lost forever but are in practice easily recoverable. ‘Metadata’ now assumes a new importance. This could be document creation information (author, creation date, editing time), e-mail details (To, From, CC, BCC) or even hidden formulae or columns in spreadsheets.
Different file types and applications are now included in the trawl of an organisation’s systems: e-mails, calendars, graphics, presentations and web-based applications. And all electronic devices (PCs, servers, backup systems, mobile phones, laptops, iPods and Blackberrys) are now included in searches.
With the need for agreement on what constitutes ‘reasonable search’, it is vital to understand the scope of the definitions of CPR Part 31 changes. Lawyers who aren’t familiar with client IT systems could be at a serious disadvantage, and could run the risk of missing crucial evidence.
A case in point
The importance of handling digital data correctly was clearly demonstrated in a recent case in which Expert Witness client, FoxData, was instructed.
When the company challenged the opposition on how certain data was acquired, the answer was “forensically”. When repeatedly challenged to explain their forensic methodology in depth, the answer was that “gloves were worn to remove the hard drive”. The evidence was dismissed and the case thrown out.
This casual approach to electronic evidence is all too common. Without an identifiable chain of custody and an auditable process, electronic evidence can be challenged and discredited. When the act of copying or opening a file can change its digital fingerprint forever, it takes more than a pair of gloves to safeguard electronic evidence. It requires rigorous investigative standards - both human an