
How Computer Forensics Works


Standards of Computer Evidence

In the United States, the rules for seizing and using computer evidence are extensive. The U.S. Department of Justice has a manual titled "Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations." The document explains when investigators are allowed to include computers in a search, what kind of information is admissible and how the rules of hearsay apply to computer information, and it provides guidelines for conducting a search.

If the investigators believe the computer system is only acting as a storage device, they usually aren't allowed to seize the hardware itself. This limits any investigation of the evidence to the field. On the other hand, if the investigators believe the hardware itself is evidence, they can seize the hardware and bring it to another location. For example, if the computer is stolen property, then the investigators could seize the hardware.

In order to use evidence from a computer system in court, the prosecution must authenticate the evidence. That is, the prosecution must be able to prove that the information presented as evidence came from the suspect's computer and that it remains unaltered.

Although it's generally acknowledged that tampering with computer data is both possible and relatively simple to do, the courts of the United States so far haven't discounted computer evidence completely. Rather, the courts require proof or evidence of tampering before dismissing computer evidence.

Another consideration the courts take into account with computer evidence is hearsay. Hearsay is a term referring to statements made outside of a court of law. In most cases, courts can't allow hearsay as evidence. The courts have determined that information on a computer does not constitute hearsay in most cases, and is therefore admissible. If the computer records include human-generated statements like e-mail messages, the court must determine if the statements can be considered trustworthy before allowing them as evidence. Courts determine this on a case-by-case basis.

Computer forensics experts use some interesting tools and applications in their investigations. Learn more about them in the next section.