Computer Forensic Evidence

Computer forensic experts use software programs to aid the collection and analysis of electronic data. The output of a computer forensic program may be introduced as evidence by an expert and used as the basis of expert opinion. Courts and practitioners may expect that forensic programs are guaranteed to be reliable, but that is not the case. The qualifications of computer experts and reliability of the programs they use merit greater scrutiny from our courts.

No computer forensic program is guaranteed to be free from errors. Creators of forensic programs release periodic updates to fix known problems but new errors are discovered regularly. Some errors have existed for months or years before being rectified. Some have caused programs to produce incorrect results.

An interesting question is whether or not the creators of forensic programs should be required to disclose all known (current and past) errors in their products. Currently, there is no such requirement and disclosure of errors varies considerably.

The onus of establishing the reliability of a forensic program must fall upon the party offering the evidence, normally via their computer expert. A computer forensic program is clearly a “machine, device or technical process” in terms of s137 Evidence Act 2006. A party offering evidence from, or based on the output of, a forensic program is required to prove that the program “is of a kind that ordinarily does what [the] party asserts”.

It is rare for such evidence to be adduced in New Zealand. Computer forensic programs appear to have escaped close scrutiny in this country.

Forensic programs consist of hundreds of automated functions. If reliability of one function is established, that does not establish the reliability of other functions in the same program. Therefore it is difficult to support an assertion that “all functions of program X are reliable”.

The fact that one function in an earlier version of a forensic program was proven to be reliable does not mean the same function in a newer version will also be reliable. The new program is a different “machine, device or technical process” so questions of reliability must be considered for the exact version of the forensic program used by the expert.

Qualifications of computer experts, and the scope of their expertise, require careful consideration. Expert evidence is often considered to be scientific in nature, yet the field of computer forensics is very young. Many computer experts lack relevant tertiary qualifications, or indeed any scientific training at all.

Evidence of attendance at a training course for a forensic program can demonstrate expertise with that particular program but must be seen in context. Most forensic training courses are just a few days long and have no assessment. Certifications demonstrate a basic level of expertise, usually with a specific forensic program, but do not indicate a mastery of the entire field.

The field of computing is sufficiently broad that computer experts should be required to establish their qualifications in the particular matters at issue. Training in the use of a forensic program does not demonstrate expertise in internet technologies or computer programming, for example.

Computer experts can be divided into three categories.

First are “technicians”, those who have been instructed in the use of one or more computer forensic programs and who may hold certifications. Technicians may not recognise the limitations of forensic programs and may not adopt a critical attitude to their reliability since most of the technicians’ knowledge of the field comes from creators of forensic programs.

Next are the “developers”, people who create forensic programs to automate known analysis techniques.

Finally, there are the “scientists”, who have a scientific background, publish in peer-reviewed journals and work to develop new computer forensic knowledge and techniques. Scientists adopt a critical attitude towards forensic programs, methods and results – their own and those of others. Each successive category of expert would be expected to have a wider scope of expertise and attract a greater evidentiary weight.

Computer forensics is a valuable but developing field of forensic expertise that will become more important as technology pervades homes and businesses. This frequently complex type of evidence must be thoroughly tested before it is relied upon in court.

Daniel Ayers BSc (Hons) MSc is the owner of and principal consultant for Elementary Solutions Ltd, a nationwide provider of computer forensics, electronic discovery, data recovery and related services, www.elementary-solutions.com. He can be contacted at daniel.ayers@elementary-solutions.com.

This article was published in LawTalk 745, 1 March 2010 at page 11.