Standards of Computer Evidence

In the United States, the rules for seizing and using computer evidence are extensive. The U.S. Department of Justice has a manual titled "Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations." The document explains when investigators are allowed to include computers in a search, what kind of information is admissible, and how the rules of hearsay apply to computer information. It also gives guidelines for conducting a search.

Think Globally, Prosecute Locally
One challenge computer investigators face is that while computer crimes know no borders, laws do. What's illegal in one country may not be in another. Moreover, there are no standardized international rules regarding the collection of computer evidence. Some countries are trying to change that. The G8 group, which includes the United States, Canada, France, Germany, Great Britain, Japan, Italy and Russia, has identified six general guidelines regarding computer forensics. These guidelines concentrate on preserving evidence integrity.

If the investigators believe the computer system is only acting as a storage device, they usually aren't allowed to seize the hardware itself. This limits any examination of the evidence to the field. On the other hand, if the investigators believe the hardware itself is evidence, they can seize the hardware and bring it to another location. For example, if the computer is stolen property, then the investigators could seize the hardware.

In order to use evidence from a computer system in court, the prosecution must authenticate the evidence. That is, the prosecution must be able to prove that the information presented as evidence came from the suspect's computer and that it remains unaltered.

Although it's generally acknowledged that tampering with computer data is both possible and relatively simple to do, the courts of the United States so far haven't discounted computer evidence completely. Rather, the courts require proof or evidence of tampering before dismissing computer evidence.

Another consideration the courts take into account with computer evidence is hearsay. Hearsay is a term referring to statements made outside of a court of law. In most cases, courts can't allow hearsay as evidence. The courts have determined that information on a computer does not constitute hearsay in most cases, and is therefore admissible. If the computer records include human-generated statements like e-mail messages, the court must determine if the statements can be considered trustworthy before allowing them as evidence. Courts determine this on a case-by-case basis.


This Whole Court is Out of Order
Vincent Liu, a computer security specialist, used to create anti-forensic applications. He didn't do it to hide his activities or make life more difficult for investigators. Instead, he did it to demonstrate that computer data is unreliable and shouldn't be used as evidence in a court of law. Liu is concerned that computer forensics tools aren't foolproof and that relying on computer evidence is a mistake [source: CSO].