Magnet Forensics recently released a whitepaper entitled “12 Tips for Presenting Digital Evidence in Court.” The title of the whitepaper is a bit misleading, as many of the tips pertain to forensic examinations in general and not necessarily to presenting the results before the Court. Rubio Digital Forensics will address the tips by category and whether the recommendations presented are valid and/or necessary.

The first seven recommendations presented in the whitepaper primarily focus on the examiner’s knowledge of legal principles, digital forensic tools and methods, and the physical seizure and acquisition of evidence. A basic knowledge of legal principles and their application to electronically stored information should be considered mandatory. Examiners must understand the laws surrounding the seizure of evidence, the need to maintain a chain of custody and its importance in the admissibility of evidence before the Court, and the volatility of digital evidence.

Examiners should also know the capabilities of the forensic tools in their toolkit. While Magnet Forensics suggests examiners be trained and certified in the forensic tools themselves, Rubio Digital Forensics’s experience has been that understanding how to use a tool does not mean that the examiner understands the origin or significance of the displayed artifacts. If the examiner does not understand the raw data, how can he or she determine if the forensic tool analyzed the data correctly?

The next two tips presented in the whitepaper deal with correlating artifacts and validating one’s results. As a forensic science, digital forensics relies on the ability to replicate results. Examiners must remember that digital forensic tools are simply tools. Examiners must be able to replicate the same artifacts using multiple tools to ensure that the results are valid. In addition, examiners must rely on multiple artifacts to properly correlate an activity or event.

The final three recommendations actually pertain to the reporting and presentation of one’s findings before the Court. Forensic reports must emphasize key findings and explain the significance of each finding and how it relates to the overall examination. Examiners must be cognizant of their audience and provide analogies and/or visual aids to clearly explain technical concepts. It is also important to provide summaries and timelines of events, so readers have a clear understanding of what occurred. If examiners are able to explain technical information to a lay audience, they will inevitably project confidence and credibility in their testimony.
