This section discusses the challenges and complexities that must be faced if digital evidence is to be accepted in the courtroom. Digital evidence, like any form of indirect evidence, poses challenges to understanding the more complex evidence artefacts recovered from a crime scene. Because of the technical complexity of digital evidence and its environment, experience and specialised knowledge are required to handle it (BEGC, 2013). According to Saleem (2015), these challenges include the following:
Anonymity: Digital evidence can be more informative than physical evidence because it holds not only data but metadata. For instance, digital pictures of an incident can contain information about when, how and where the incident occurred. However, digital evidence mostly carries no implicit information tying it to its perpetrator. For example, a picture taken by a camera in Exchangeable Image File Format (EXIF) will contain the actual bytes representing the image itself together with metadata such as location, camera make and model, but no information about who took the image (Saleem, 2015). Nonetheless, a number of digital devices are able to create very significant evidence, such as digital signatures, video and audio (Harvey, 2011). Consequently, digital evidence is usually considered circumstantial in nature, as it is mostly difficult to attribute a digital offence to an individual using only the information present in the digital devices (Casey, 2011).
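What a camera does and does not write into EXIF metadata can be seen by reading the TIFF-style tag directory that EXIF uses. The following Python is an added example written for this page, not code from the original text or from any cited author: it builds a constructed EXIF/TIFF tag directory carrying Make, Model and DateTime (the kind of metadata the paragraph describes), parses it back, and reports whether any tag that would name the operator is present. The tag numbers are those of the TIFF 6.0 and EXIF specifications; the optional Artist and Copyright tags exist in the format but cameras normally leave them unset, which is exactly why the image alone does not identify who took it. Only IFD0 and ASCII-typed tags are decoded here, and all sample bytes are constructed.

```python
import struct

# TIFF/EXIF tag numbers (TIFF 6.0 / EXIF 2.x); ASCII type code is 2.
TAG_NAMES = {
    0x010F: "Make",
    0x0110: "Model",
    0x0132: "DateTime",
    0x013B: "Artist",      # optional; a camera does not fill this in by itself
    0x8298: "Copyright",   # optional; likewise
}
IDENTITY_TAGS = {0x013B, 0x8298}
ASCII = 2


def build_tiff(fields, little_endian=True):
    """Construct a minimal TIFF header + IFD0 with ASCII tags (constructed sample data).

    fields: {tag_number: text}. Values longer than 4 bytes are stored after the
    IFD and referenced by offset, as the TIFF layout requires.
    """
    bo = "<" if little_endian else ">"
    header = (b"II" if little_endian else b"MM") + struct.pack(bo + "HI", 42, 8)
    n = len(fields)
    data_offset = 8 + 2 + 12 * n + 4          # header + count + entries + next-IFD pointer
    entries, blob = b"", b""
    for tag, text in sorted(fields.items()):   # TIFF requires ascending tag order
        value = text.encode("ascii") + b"\x00"
        if len(value) <= 4:
            entries += struct.pack(bo + "HHI", tag, ASCII, len(value)) + value.ljust(4, b"\x00")
        else:
            entries += struct.pack(bo + "HHII", tag, ASCII, len(value), data_offset + len(blob))
            blob += value
    ifd = struct.pack(bo + "H", n) + entries + struct.pack(bo + "I", 0)
    return header + ifd + blob


def parse_ifd0(data):
    """Return {tag_number: text} for the ASCII tags of the first IFD."""
    if data[:2] == b"II":
        bo = "<"
    elif data[:2] == b"MM":
        bo = ">"
    else:
        raise ValueError("not a TIFF/EXIF header")
    magic, ifd_off = struct.unpack_from(bo + "HI", data, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic number")
    (count,) = struct.unpack_from(bo + "H", data, ifd_off)
    tags = {}
    for i in range(count):
        off = ifd_off + 2 + 12 * i
        tag, typ, n = struct.unpack_from(bo + "HHI", data, off)
        if typ != ASCII:
            continue                             # numeric/rational tags not decoded here
        if n <= 4:
            raw = data[off + 8: off + 8 + n]     # value stored inline in the entry
        else:
            (ptr,) = struct.unpack_from(bo + "I", data, off + 8)
            raw = data[ptr: ptr + n]
        tags[tag] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return tags


def attribution_report(data):
    """Return (named metadata, whether any operator-identifying tag is present)."""
    tags = parse_ifd0(data)
    named = {TAG_NAMES.get(t, hex(t)): v for t, v in tags.items()}
    return named, any(t in tags for t in IDENTITY_TAGS)


if __name__ == "__main__":
    sample = build_tiff({0x010F: "Canon", 0x0110: "EOS 5D", 0x0132: "2015:03:14 09:26:53"})
    print(attribution_report(sample))
```

The metadata says what device took the picture and when, but the report flags no operator-identifying tag, which is the circumstantial gap the paragraph describes; even when an Artist tag is present it was typed in by a person and proves nothing about who pressed the shutter.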
Authenticity: Sommer (2012) defines the authenticity of digital evidence as the recovered data being the same as the original. Reed (1990) defined the term more precisely, noting that digital evidence is authentic only if it satisfies the court on the following:
1. The content of the original is unchanged.
2. The data and information in it truly originate from the supposed source.
3. The associated metadata are correct and unaffected.
4. The essential level of authentication could be achieved by other circumstantial evidence or other technological features of the system or record.
Even when all these requirements are met, there is still no direct information connecting the digital evidence to an individual. Accordingly, the digital forensic process has many areas that could be improved, chiefly the authentication of digital evidence (Yusoff, 2010). In the United Kingdom, examiners usually follow the guidelines issued by the Association of Chief Police Officers (ACPO) for authenticating evidence and proving its integrity (ACPO, 2011).
Integrity: Mocas (2004) defines data integrity as, “Assuring that digital information is not modified (either intentionally or accidentally) without proper authorization”. Mocas (2004) also gives a definition specific to the duplication step: “Assuring that, given a data set, the process of creating a duplicate of the data does not modify the data (either intentionally or accidentally) and the duplicate is an exact bit copy of the original data set”. Duren and Hosmer (2002) offer a different perspective on achieving the integrity of digital evidence, suggesting the use of time stamps. Schatz et al. (2006) state that, “Time stamps are increasingly used to relate events which happen in the digital realm to each other and to events which happen in the physical realm, helping to establish cause and effect”. Ahmad (2002) states, “the link between each log is crucial to the establishment of a complete chain of evidence. Across all of the links the crucial factor upon which the integrity of the entire chain rests is the authenticity of the time-line. If the accuracy of the time in any of the links is questionable then the entire chain is rendered useless”. These statements support Saleem’s (2015) argument that time stamping is the means whereby digital incidents can be linked to physical evidence in the real world.
Reproducibility: The importance of reproducibility is captured in a statement by Mocas (2004), who explained that, “…a key feature of science is that hypotheses are supported by reproducible experiments. Reproducibility strengthens the belief that a hypothesis is correct. Likewise, the reproducibility of investigative procedures lends credibility to the evidence produced”. Mocas (2004) then defines reproducibility as, “Assuring that, given a data set or set of devices, the processes used to gather and/or examine evidence from the data set or devices are reproducible.”
Reproducibility is a concept that is not only important in the sciences but also significant in digital forensics. Kenneally and Brown (2005) discussed its importance, stating that, “The volatile nature of computer networks and disk evidence and the potentially destructive nature of the analysis process make a convincing argument for investigators to not perform analysis on original evidence”. This statement captures the main reason digital forensic investigators duplicate the original digital evidence rather than analysing it directly, and makes the case for reproducing digital evidence (Saleem, 2015). Investigators must therefore find ways to extract the information an investigation needs without modifying the original digital evidence.
Wang (2007) further stated that, “…copying evidence stored inside the digital device requires a special tool and must be carried out bit by bit; this is to say, the data must be copied using a bit-stream-copy method, which provides copied information in exactly the same format as the original data. By using this bit-stream-copy method, the data obtained are given more probative force. The most important thing is that the evidence is not amended or changed during the copying process” (quoted in Saleem, 2015). These explanations show the complexity of handling digital evidence.
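The bit-stream copy that Wang describes, the exact-duplicate requirement of Mocas, and the time-line requirement of Ahmad can be made concrete together. The following Python is an added example written for this page, not code from any cited author: it duplicates a constructed sample file byte for byte, hashes the source before and after the copy and hashes the duplicate, then shows that a single flipped byte in the working copy is detected. It also checks a constructed acquisition log for the chronological consistency Ahmad (2002) says the chain of evidence depends on. Hashing with SHA-256 is the practitioner's usual way of proving "exact bit copy" and is an assumption of this example, as the page itself speaks only of bit copies; the file names, payload and log records are constructed, and a real acquisition would read the source through a hardware write blocker.

```python
import hashlib
import os
import tempfile
from datetime import datetime

CHUNK = 64 * 1024  # read/write granularity; the copy is still byte for byte


def sha256_of(path):
    """SHA-256 of a file, streamed so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def bitstream_copy(src, dst):
    """Duplicate src into dst byte for byte and return the three digests that
    prove it: source before the copy, the duplicate, and source after the copy.
    All three must agree for the duplicate to count as an exact bit copy made
    without altering the original. (Assumption: src is mounted read-only or
    sits behind a write blocker; this code only ever opens it for reading.)"""
    before = sha256_of(src)
    n = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            fout.write(block)
            n += len(block)
    return {"source_before": before, "copy": sha256_of(dst), "source_after": sha256_of(src), "bytes": n}


def duplicate_is_exact(digests):
    return digests["source_before"] == digests["copy"] == digests["source_after"]


def timeline_is_consistent(records):
    """records: list of (ISO-8601 timestamp, description) in chain order.
    Returns (ok, index of the first record that breaks the chain or None).
    An unparseable or backwards timestamp breaks the whole chain, which is
    Ahmad's point: one questionable link renders the chain useless."""
    prev = None
    for i, (ts, _desc) in enumerate(records):
        try:
            t = datetime.fromisoformat(ts)
        except ValueError:
            return False, i
        if prev is not None and t < prev:
            return False, i
        prev = t
    return True, None


def demo():
    """Acquire a constructed 200 KiB sample, verify the copy, then tamper with
    the working copy and show the verification fails. Returns
    (copy_was_exact, tampered_copy_still_verifies, bytes_copied)."""
    payload = bytes(range(256)) * 800          # constructed evidence, not a real image
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "original.bin")
        dst = os.path.join(d, "working_copy.bin")
        with open(src, "wb") as f:
            f.write(payload)
        digests = bitstream_copy(src, dst)
        exact = duplicate_is_exact(digests)
        # Simulate an analyst or tool touching the working copy: one bit flipped.
        with open(dst, "r+b") as f:
            f.seek(1234)
            b = f.read(1)
            f.seek(1234)
            f.write(bytes([b[0] ^ 0x01]))
        tampered_verifies = sha256_of(dst) == digests["copy"]
    return exact, tampered_verifies, digests["bytes"]


if __name__ == "__main__":
    print(demo())
    log = [("2015-03-14T09:26:53", "device imaged"), ("2015-03-14T09:31:10", "image hash verified")]
    print(timeline_is_consistent(log))
```

The digests recorded at acquisition are what the examiner later reproduces: anyone re-hashing the original and the duplicate should obtain the same values, which is the reproducibility Mocas and Kenneally and Brown ask for, and any later examination is run on the duplicate so the original stays untouched.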
Abstraction of Reality: Computers present layers upon layers of abstraction rather than the bare hardware from which they are really built (Ami-Narh, 2008). Farmer and Venema (2000) state that, “Abstraction makes computers easy to understand and thus easy to use. For example, a computer disk at the physical level in a magnetic domain is actual but not very accessible. There are then layers of abstraction over this physical layer, such as directories, contiguous files, disk blocks and so on, to the level of numbers and letters. These layers of abstraction are formed by software that may or may not have been tampered with” (Forrester, 2007). Using digital forensic tools to recover deleted files from a hard disk involves many layers of abstraction, from magnetic fields to numbers and letters (Carrier, 2002). Errors at any of these layers can lead to serious mistakes during an investigation, which in turn affect the reliability of the digital evidence and thus its admissibility (Carrier, 2002; Forrester, 2007).
In conclusion, digital evidence is a huge, messy and slippery form of evidence that is hard to handle (Casey, 2011). The volume of data stored on devices grows over time, with some devices capable of holding terabytes, yet very few pieces of data in this mass are actually relevant to a case. These features make it difficult to extract, correlate and interpret the practical and significant portions of data and information needed to understand, interpret and resolve a case (Saleem, 2015). Consequently, digital evidence requires uniform and verified methods for searching, handling, validating and analysing it, and these methods must protect its integrity and authenticity. Such well-validated and well-tested methods will help to obtain relevant and weighty digital evidence and thus increase the chances of its admissibility (Casey, 2011).