Recovery position
As digital evidence takes an increasingly important part in civil and criminal cases so lawyers should ensure they know how to obtain it, preserve it and present it convincingly, says Alexandra Harrison
Terrorist threats and the burgeoning increase of electronic crime and fraud have demonstrated that it is vital for lawyers to recognise the important role of electronic evidence in any criminal or terrorist investigation.
Digital traces
Everyday transactions, business and movements leave digital traces and parties must be able to produce this evidence untainted. Lawyers to enforcement agencies, suspects and even the organisations where the suspects worked, have to fully grasp the scope and nature of electronic evidence, because such evidence is now relevant in some way in most criminal cases.
Lawyers with strategic understanding of electronic evidence are in a significantly stronger position than lawyers who do not. With digital evidence forming now such a large proportion of any evidence base, it is impossible to fully establish a case without it.
So what are the practical steps lawyers need to take to ensure they have taken all reasonable steps to prepare evidence properly?
Collecting electronic evidence
When collecting electronic evidence it is crucial that lawyers and any outside legal technology experts they work with take steps to preserve the integrity of the evidence before attempting to access and interpret it.
The accessibility of evidence will depend on issues such as whether you are seeking access to domestic and office premises, whether access is required to protected files or break passwords and if there are jurisdictional issues and legislation relating to privacy and data protection.
Access may not be given voluntarily and information contained on laptops, PDAs, memory sticks and mobile phones that contain personal information or even documents may be subject to legal privilege.
It is vital to consider from the outset how best to collect the evidence, who needs to be involved in the planning and who needs to authorise that course of action. It may be that a search warrant, injunction or a delivery order from the court is required.
For example, a simple oversight such as not stipulating that you will be given access to a power supply could result in the custodian of the data refusing permission and the investigators having to come back again. If notice is given to the custodian there may be the opportunity to destroy or hide incriminating evidence before the next attempt to collect.
Once access to the electronic source is available, it will be necessary '“ subject to the court's approval '“ to use an appropriate method of harvesting the data. The most common, and appropriate, option is to take a forensically sound image of the hard drive of the computers in question.
Providing the correct procedures are followed, this forensic imaging, which captures all remaining data on a piece of media, is completely non-invasive and prevents any alteration to the electronic files as a result.
Once collected, it is important that there is a clear chain of custody and the application of sound investigation techniques. Once the image is secure it is then possible to use specialist tools to perform the searches for evidential material.
Gone but maybe not forgotten
In many cases, particularly criminal, attempts could be made or will have been made, to destroy evidence that could be crucial to the case. It may at first appear to be gone, but it is not necessarily forgotten.
Therefore, in many cases there is a need to retrieve and recover damaged or deleted data and if the computer files have been manipulated or deleted, it is possible to detect this under laboratory conditions.
Experts in the field have techniques and equipment to access active files and recover deleted full data files or fragments of files. From this, time-critical computer events can be tracked and resurrected. It is not widely known but deleting a file does not actually remove that file from the hard drive of a computer. What actually happens is the reference to that file is deleted from the directory that the computer's operating system uses to locate that file. When a user tries to retrieve a deleted item, the operating system cannot locate it, even though the file remains on the hard drive until it is overwritten by other data. Even after being overwritten, it is not unusual for fragments to remain which could have evidential value.
Locate a trail of activity
In one investigation, for example, two lines of a document were found on the recipient's hard drive which was enough to show that a particular document had been copied and then deleted. Simply by examining the surrounding file system's embedded metadata an expert can often locate a trail of activity like a bloodhound.
Not only will there be an inevitable inference drawn about any destruction of evidence or attempts to do so, but there may be sanctions for such conduct available to the judge, tribunal or adjudicator. An expert can sometimes find incriminating evidence that would not necessarily have been spotted.
For example, in one case, a computer forensic expert was called in to examine an established doctor's computer to try and find out how many patients he had referred. During the investigation the expert came across a deleted document containing the doctor's doctorate certificate. The next deleted document he came across was a second doctorate certificate. Both were identical except for the name.The second document was in the name of his father. This information was handed to the police and the authorities who confirmed he was not in fact a doctor and had forged his father's certificate.
Data has been recovered from hardware that has been subjected to viruses, exposed to the elements or subjected to intentional or unintentional damage from water, fire or even bullets.
Reviewing electronic material and case preparation
Further to a forensic investigation and collection, depending on the volume of data, a case can often develop into a large-scale paper and electronic disclosure and review exercise.
Planning is once again crucial to ensure that the project runs smoothly. Some of the key considerations in developing a review plan include:
Identifying how many documents you anticipate reviewing;
- How you are going to organise the review;
- Consider whether you need to incorporate paper documents;
- When is your deadline and what is achievable within that amount of time?
- How many reviewers will you need and where are they located?
- Will the reviews be done collaboratively with counsel or an external expert or experts;
- Whether the review should be conducted using a litigation support database or an online review tool;
- Production considerations '“ disclosure? and
- How are you going to present your evidence in court?
Courtroom presentation
Even the most accurately prepared case will only be as successful as the presentation of evidence in the courtroom.
Successfully communicating this type of evidence to a judge, jury or tribunal can be a turning point in a case. Visual representation of evidence can help overcome the difficulties in communicating complicated and technical concepts and evidence.
If 'smoking gun' evidence has been uncovered that assists the case or significantly undermines evidence to the contrary, this needs to be clearly highlighted. Using visual tools and techniques will hold attention and leave little room for misinterpretation and confusion.
This has been used to compelling effect in some of the most recent high-profile terrorism cases brought by the Crown Prosecution Service. It is also used in complex cases of all types such as large-scale fraud that often involve large volumes of paper and electronic data.
Conclusion
As significant as electronic data has become in all our lives, it is inevitable that it will be increasingly important to all lawyers, whatever their practice. There should be no hesitation to challenge the evidence of an expert in this field just as you would with any expert opinion whatever their expertise, experience and knowledge.
Mistakes can be made at a human level which could mean that the evidence has been collected in an incorrect manner or techniques which could have revealed contradictory evidence have not been implemented, which another expert may spot.
The Association of Chief Police Officers (ACPO) has produced a good practice guide for computer-based electronic evidence. This provides a comprehensive guide to the principles of investigation of computers and other data storage devices.
Reputable experts in this field will comply with these guidelines and will be mindful of their responsibilities under other acts or regulations for example PACE, Civil Procedure Investigations Act or the Protocol for the Instruction of Experts to give Evidence in Civil Claims.
Of course this would vary depending on the type of case but it is good to know that there is help available to deal with this challenging and developing area of evidence.