Chapter 20 - 02 - Understand Digital Evidence - 03_ocred_fax_ocred.pdf

Certified Cybersecurity Technician Exam 212-82 Computer Forensics

Best Evidence Rule

The best evidence rule states that the court only allows the original evidence of a document, photograph, or recording at the trial and not a copy. However, a duplicate may be accepted as evidence, provided the court finds the party's reasons for submitting the duplicate to be genuine. For example, if the original is destroyed, lost, or otherwise inaccessible (such as being in the possession of a third party), the court will be willing to accept a copy of the evidence if a witness can testify and confirm that the submitted copy is in fact an actual copy of the evidence. The principle underlying the best evidence rule is that the original evidence is considered the best evidence.

The best evidence rule also states that the best or highest form of evidence available to any party must be presented in a court of law. If a live or original testimony form of the evidence is available, the court will not admit duplicate copies of that testimony as evidence.

Module 20 Page 2188 Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Federal Rules of Evidence (United States)

Source: https://www.rulesofevidence.org

Slide summary: "These rules shall be construed to secure fairness in administration, elimination of unjustifiable expense and delay, and promotion of growth and development of the law of evidence to the end that the truth may be ascertained and proceedings justly determined."

Rule 101: Scope
"These rules apply to proceedings in United States courts. The specific courts and proceedings to which the rules apply, along with exceptions, are set out in Rule 1101."

Rule 102: Purpose
"These rules should be construed so as to administer every proceeding fairly, eliminate unjustifiable expense and delay, and promote the development of evidence law, to the end of ascertaining the truth and securing a just determination."

Rule 103: Rulings on Evidence

a. Preserving a claim of error
"A party may claim error in a ruling to admit or exclude evidence only if the error affects a substantial right of the party and:
  1. if the ruling admits evidence, a party, on the record:
    i. timely objects or moves to strike; and
    ii. states the specific ground, unless it was apparent from the context; or
  2. if the ruling excludes evidence, a party informs the court of its substance by an offer of proof, unless the substance was apparent from the context.

b. Not needing to renew an objection or offer of proof
Once the court rules definitively on the record — either before or at trial — a party need not renew an objection or offer of proof to preserve a claim of error for appeal.

c. Court's statement about the ruling; directing an offer of proof
The court may make any statement about the character or form of the evidence, the objection made, and the ruling. The court may direct that an offer of proof be made in question-and-answer form.

d. Preventing the jury from hearing inadmissible evidence
To the extent practicable, the court must conduct a jury trial so that inadmissible evidence is not suggested to the jury by any means.

e. Taking notice of plain error
A court may take notice of a plain error affecting a substantial right, even if the claim of error was not properly preserved."

Scientific Working Group on Digital Evidence (SWGDE)

Source: https://www.swgde.org

Principle 1
"In order to ensure that digital evidence is collected, preserved, examined, or transferred in a manner that safeguards the accuracy and reliability of the evidence, law enforcement and forensic organizations must establish and maintain an effective quality system."

Standard Operating Procedures (SOPs)
"Standard Operating Procedures (SOPs) are documented quality-control guidelines that must be supported by proper case records and broadly accepted procedures, equipment, and materials."

Implementing SOPs allows you to operate company-compliant policies and plans. It is important that no modifications are made to SOPs before implementation, so that the desired outputs are achieved. However, if any modifications are required, they must be communicated before starting an investigation.

Standards and Criteria 1.1
All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document. All elements of an agency's policies and procedures concerning digital evidence must be clearly set forth in this SOP document, which must be issued under the agency's management authority.

Discussion: The use of SOPs is fundamental to both law enforcement and forensic science. Guidelines that are consistent with scientific and legal principles are essential to the acceptance of results and conclusions by courts and other agencies. The development and implementation of these SOPs must be under an agency's management authority.

Standards and Criteria 1.2
Agency management must review the SOPs on an annual basis to ensure their continued suitability and effectiveness.

Discussion: Rapid technological change is the hallmark of digital evidence: the types, formats, and methods for seizing and examining digital evidence change quickly. To ensure that personnel, training, equipment, and procedures continue to be appropriate and effective, management must review and update SOP documents annually.

Standards and Criteria 1.3
Procedures used must be generally accepted in the field or supported by data gathered and recorded in a scientific manner.

Discussion: As a variety of scientific procedures may validly be applied to a given problem, standards and criteria for assessing procedures need to be flexible. The validity of a procedure may be established by demonstrating the accuracy and reliability of specific techniques. In the digital evidence area, peer review of SOPs by other agencies may be useful.

Standards and Criteria 1.4
The agency must maintain written copies of appropriate technical procedures.

Discussion: Procedures should set forth their purpose and appropriate application. Required elements such as hardware and software must be listed, and the proper steps for successful use should be listed or discussed. Any limitations in the use of the procedure or in the use or interpretation of the results should be established. Personnel who use these procedures must be familiar with them and have them available for reference.

Standards and Criteria 1.5
The agency must use hardware and software that are appropriate and effective for the seizure or examination procedure.

Discussion: Although many acceptable procedures may be used to perform a task, considerable variation among cases requires that personnel have the flexibility to exercise judgment in selecting a method appropriate to the problem. Hardware used in the seizure and/or examination of digital evidence should be in good operating condition and be tested to ensure that it operates correctly. Software must be tested to ensure that it produces reliable results for seizure and/or examination purposes.

Standards and Criteria 1.6
All activity related to the seizure, storage, examination, or transfer of digital evidence must be recorded in writing and be available for review and testimony.

Discussion: In general, documentation to support conclusions must be such that, in the absence of the originator, another competent person can evaluate what was done, interpret the data, and arrive at the same conclusions as the originator. The requirement for evidence reliability necessitates a chain of custody for all items of evidence. Chain-of-custody documentation must be maintained for all digital evidence. Case notes and records of observations must be permanent. Handwritten notes and observations must be in ink, not pencil, although pencil (including color) may be appropriate for diagrams or making tracings. Any corrections to notes must be made by an initialed, single strikeout; nothing in the handwritten information should be obliterated or erased. Notes and records should be authenticated by handwritten signatures, initials, digital signatures, or other marking systems.

Standards and Criteria 1.7
Any action that has the potential to alter, damage, or destroy any aspect of original evidence must be performed by qualified persons in a forensically sound manner.

Discussion: As outlined in the preceding standards and criteria, evidence has value only if it can be shown to be accurate, reliable, and controlled. A quality forensic program consists of properly trained personnel and appropriate equipment, software, and procedures that collectively ensure these attributes.

The Association of Chief Police Officers (ACPO) Principles of Digital Evidence

Source: https://www.college.police.uk

Slide summary:
- Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
- Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to explain his/her actions and the impact of those actions on the evidence in court.
- Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
- Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

Full text:
"Principle 1: No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data, which may subsequently be relied upon in court.

Principle 2: In circumstances where a person finds it necessary to access original data held on a computer, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to."
