Contents
- Defending the integrity of digital evidence
- The importance of aligning digital evidence with existing legal standards
- How to determine whether digital evidence passes muster
- Ramifications for civil litigation
- Preservation of digital evidence is vital
- Conclusion
Perhaps the best paper I’ve read on forensic soundness in the context of digital evidence is When is Digital Evidence Forensically Sound?¹ by Rodney McKemmish. In his review of the existing literature on the subject, McKemmish noticed that the need to maintain the evidentiary weight of the resulting electronic evidence — and thus its admissibility — is a common element among all definitions and remains a fundamental requirement for digital forensics.
While his paper was written in 2008, when smartphones, virtualization and cloud computing were in their infancy, McKemmish’s own definition of digital forensics — “The application of a transparent digital forensic process that preserves the original meaning of the data for production in a court of law.” — has more than stood the test of time.
It may be surprising to discover that forensic soundness itself doesn’t often come up in case law. However, it is still vital to address forensic soundness as this helps to ensure legal issues such as admissibility, authentication, best evidence, and spoliation do not result in digital evidence being challenged.
Admissibility is usually the first legal test digital evidence will face in Canada, where there is a distinction made between “real evidence” and “documentary evidence.” Real evidence would include electronic records generated by an automated process — usually where there is no human interaction — such as billing records and cell phone connection logs held by a service provider.
Electronic records could also be tendered as real evidence in circumstances where they would be viewed as equivalent to a conventional paper document, where the paper document would also be considered real evidence. Otherwise, it would be viewed as documentary evidence, especially if it contains information created by humans. Documents are generally regarded as hearsay, which is rarely admissible under common law.
Defending the integrity of digital evidence
One Ontario Court of Justice criminal conspiracy case in 2015² had to rule on the admissibility of data extracted from a number of Blackberry phones, and addressed several legal issues surrounding digital evidence:
In 2013, the RCMP arrested and charged three individuals accused of importing drugs into Canada. During the arrest they also seized and analyzed two Blackberries purportedly belonging to the defendants. The phones were sent to a first-line lab where the analyst could not get around the password protection. They were subsequently delivered to a second-line lab to employ “chip-off” techniques to extract their contents — a process which involves desoldering the storage chips so they can be analyzed in a specialized reader. The contents of the Blackberries were extracted to binary files and burned to an optical disc which was returned to the first-line lab. From there, the data was parsed (i.e. converted from a digital to human-readable format) to recover the original files, including photos and text messages which were burned onto a new disc, provided to the investigators, and disclosed to the defence.
The defence argued the Crown had failed to prove the contents of the exhibit containing the photos and text messages had come from the Blackberries or that the evidence was reliable according to the electronic documents provisions of the Canada Evidence Act. The Crown in turn argued the Blackberry evidence was analogous to a briefcase the accused could have been carrying at the time of arrest and is thus admissible as real evidence seized from the accused. It supported this on the basis that continuity of the devices was maintained throughout the seizure, extraction, parsing and disc writing process.
The trial judge noted that there was a “technological gap” in the Crown’s evidence, with the contents of the DVD being “at a number of removes from the Blackberries.” From his perspective, the documents (on the DVD) were not “self-authenticating” and must be validated with evidence, pursuant to section 31.1 of the Canada Evidence Act which requires the tendering party demonstrate that the evidence is what they purport it to be. He added that documents must be authenticated regardless of whether they are real or documentary evidence.
This became a legal issue for the Crown, which was on notice it should seek one or more expert witnesses to qualify the accuracy, completeness, and reliability of the chip-off and parsing techniques used to generate the discs but did not do so. The judge noted his preference to have an expert introduce the exhibits and actively discouraged the Crown’s desired approach, which resulted in significant costs to all parties and to the administration of justice. It’s possible the Crown resisted putting the two experts on the stand because technological crimes units across the country are already overstretched and having the two analysts prepare, travel, and testify would have increased their already significant backlogs.
Despite his criticisms, the judge noted the optical discs could be authenticated by circumstantial evidence and a witness was not strictly required — citing PIN numbers in the data matching those inscribed on the devices themselves as well as some of the photos recovered from the devices showing the accused and locations in question as examples. The RCMP had also used Part VI warrants to intercept phone calls and production orders to collect data from wireless service providers, all of which aligned with data found on the optical discs. On this basis, the judge ruled he was satisfied the Crown had met the standard required to authenticate the contents of the optical discs, “on a balance of probabilities,” which is a lower standard than “beyond a reasonable doubt.”
The importance of aligning digital evidence with existing legal standards
The judge also noted several possible errors on the part of the defence, which focused its arguments entirely on the data’s authenticity. Section 31.2 of the Canada Evidence Act says in sum that the Best Evidence Rule is satisfied by proof of the integrity of the electronic document system and offers numerous presumptions to this effect in Section 31.3. One such presumption holds the integrity of a system is proven if — in the absence of evidence to the contrary — it is established that the document was recorded or stored by a party adverse in interest to the party seeking to introduce it. This has the effect of transferring the burden of proving the system’s integrity (in this case the Blackberries which belonged to the accused) to the defence, who would have to produce evidence the devices were not operating properly. If this presumption did not apply, the Crown would have had to produce evidence to the contrary, that the Blackberries were indeed operating properly.
The judge noted the defence did not challenge the presumption in question; one has to wonder if that is because they could not provide an argument they felt would hold up to judicial scrutiny. One avenue the defence could have argued is the Crown did not establish the accused had in fact stored the data, in which case the presumption would not apply. However, they likely saw that as a stretch in the face of other circumstantial evidence the Crown presented.
How to determine whether digital evidence passes muster
So, what does all this have to do with forensic soundness? In addition to his focus on evidentiary weight, McKemmish also defined four criteria for assessing the forensic soundness of digital evidence:
1. Meaning
Has the meaning and therefore the interpretation of the electronic evidence been unaffected by the digital forensic process? This addresses authenticity and generally focuses on collecting data in a manner that can demonstrably preserve the original data.
Normally, a digital forensics examiner will use software to calculate hash values of the source and destination files / devices to confirm their contents are identical. The software employs a cryptographic hash function which maps data of arbitrary size to a bit string (or digest) of fixed size. Cryptographic hash functions are deterministic. In other words, the same data will always produce the same hash value.
Another potential issue this deals with is presentation of the data. Most modern operating systems support time zones and different languages, so having the original data as it was stored on the host device usually means any issues regarding time zones and languages can be resolved.
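The hash comparison described above can be sketched in a few lines of Python. This is an added example, not code from the article or from any forensic tool it mentions; the function names, file names and the 3 MiB sample "dump" are constructed for illustration, and SHA-256 with SHA-1 is an assumed choice of algorithms.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images never sit fully in memory


def digest_file(path, algorithms=("sha256", "sha1")):
    """Stream a file once; return its size and one hex digest per algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            size += len(chunk)
            for hasher in hashers.values():
                hasher.update(chunk)
    return {"size": size, **{n: h.hexdigest() for n, h in hashers.items()}}


def verify_copy(source, copy):
    """Hash source and copy independently; return a record for the case notes."""
    src, dst = digest_file(source), digest_file(copy)
    return {
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "source": {"path": source, **src},
        "copy": {"path": copy, **dst},
        "match": src == dst,  # size and every digest must agree
    }


def demo():
    """Constructed sample: a 3 MiB 'dump', a faithful copy, a copy with one bit flipped."""
    data = bytes(range(256)) * (3 * 4096)
    altered = bytearray(data)
    altered[1_500_000] ^= 0x01  # single-bit change in the middle of the image
    workdir = tempfile.mkdtemp()
    paths = {}
    for name, content in (("dump", data), ("good", data), ("bad", bytes(altered))):
        paths[name] = os.path.join(workdir, name + ".bin")
        with open(paths[name], "wb") as fh:
            fh.write(content)
    return verify_copy(paths["dump"], paths["good"]), verify_copy(paths["dump"], paths["bad"])


if __name__ == "__main__":
    for record in demo():
        print(record["copy"]["path"], "match" if record["match"] else "MISMATCH")
```

The altered copy has the same size as the source, so only the digests reveal the change; keeping the returned record with the exhibit lets a third party rerun the same comparison later.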
2. Errors
Have all errors been reasonably identified and satisfactorily explained to remove any doubt over the reliability of the evidence? This addresses the integrity of the electronic documents system which is required to satisfy the best evidence rule.
The above analysis shows that, in criminal cases, the onus is transferred to the defence to produce evidence the computer system was not operating properly. However, in the absence of an agreement, civil actions may require the party owning the information system to prove it was functioning properly. Some examples where this could be problematic are wrongful dismissal suits, matrimonial disputes, or soured business partnerships. In a case based on evidence from a company’s computer systems, the plaintiff could claim the former employer or partner had full access and control over the records and deleted or suppressed records which supported the plaintiff’s claim.
3. Transparency
Is the digital forensic process capable of being independently examined and verified in its entirety? This addresses admissibility and speaks to the “technological gap” the judge observed between the Blackberries and the data on the optical discs.
The judge viewed the process that copied the data from the Blackberries to the optical discs as a black box, where data is put in, processed and extracted without any knowledge of how it works or ability to inspect its internal logic. The judge viewed the Crown’s approach as translucent at best in the absence of the two experts and — although he ruled that there was enough other evidence to authenticate the data in this case — cautioned heavily against expecting similar leeway in future proceedings.
4. Experience
Has the digital forensic analysis been undertaken by an individual with sufficient and relevant experience?
An effective digital forensics examiner will be able to articulate the source from which the data originated, how they collected it, and the tools they used to recover the specific artifacts the court is focused on. They can also explain the meaning of the data, any errors that may have occurred, and the entire process used in a transparent way.
Ramifications for civil litigation
Many readers may be thinking the standards are higher in the case study above because it involves a criminal prosecution. What about civil matters?
There is a legal doctrine of spoliation in Canada which was inherited from the Common Law. Spoliation occurs when there has been alteration, concealment, or destruction of evidence. A 2008 Alberta Court of Appeal case (described below) can help to illustrate how this doctrine often works and its ramifications on digital evidence:
A house fire — which, according to the fire department, originated either from improper disposal of smoking materials or a malfunctioning cordless electric drill — destroyed a family home in 2004. By the time of the litigation (homeowner v. drill manufacturer), the house had been razed for rebuilding and an investigator hired by the plaintiff’s insurance company had taken what was left of the drill to be inspected by an engineer.
The fire department agreed to surrender the drill on the condition it receive a copy of the engineer’s findings so it could complete its final report on the incident. However, the drill went missing at some point in the chain of custody and the drill manufacturer subsequently argued it had been unfairly prejudiced by not having the opportunity to inspect the house or drill to mount a proper defence. The matter was initially ruled in favour of the drill manufacturer based on spoliation, which the homeowners sought to overturn on appeal leading to the 2008 case in question.
Here, the appellate judge defined spoliation under Canadian law as “...the intentional destruction of relevant evidence when litigation is existing or pending.” He ruled in favour of the plaintiffs and re-instated the litigation because:
- he found there was no evidence of deliberate spoliation,
- he believed spoliation is a matter best left to the trial judge including what remedies should be applied,
- the defendant had sent a representative to inspect the drill and the evidence of spoliation was based entirely on the company representative’s testimony.
Preservation of digital evidence is vital
Preservation is perhaps the most obvious way to avoid issues of spoliation. No surprise then, that this is the first step in digital forensics. Having a third party collect and preserve the original data will very likely result in side-stepping controversy or allegations surrounding spoliation.
That said, proportionality is another important consideration. Making forensic copies of all potential evidence in litigation can quickly become costly and disruptive. Collecting a single computer or phone can be inexpensive compared with the legal costs potentially resulting from allegations of spoliation or questioning the authenticity of the data.
One of the Sedona Canada principles addresses proportionality and states the parties should ensure e-discovery steps are proportionate and account for the importance, relevance, and complexity of the issues — along with the costs, burden, and delay that may be imposed on the parties to deal with electronically stored information. This also applies to digital forensics, which requires a balance of forensic soundness with operational and financial impacts to deliver right-sized, risk-adjusted solutions.
Conclusion
The treatment of digital forensic evidence is a complex and highly nuanced process that will become increasingly consequential as technology continues to dominate our personal and professional worlds.
Seemingly trivial decisions made by businesses and service providers can have significant impacts on how evidence is treated in legal proceedings, the burden it places on both plaintiffs and defendants, the costs of litigation, and even the eventual outcome of a criminal or civil case.
At MNP, our process aligns your needs with industry and legal best practices to preserve your evidence, ensure it passes legal scrutiny, and present your case accurately and compellingly.
1 McKemmish, R., 2008, in IFIP International Federation for Information Processing, Volume 285; Advances in Digital Forensics IV; Indrajit Ray, Sujeet Shenoi; (Boston: Springer), pp. 3–15.
2 R. v. Avanes et al., 2015 ONCJ 606 (CanLII)