What if you did all that work to generate a report for presentation in court, only to discover it wasn’t usable in court?
Getting past security and encryption to acquire the data is important. Hopefully you now also appreciate the importance of good decoding, but what about producing it as evidence?
We call this the ‘Chain of Custody.’ In many courts you need to be able to prove the origin and reliability of the evidence you present, from the moment it is first acquired until the day of the trial, to demonstrate that it has not been interfered with or altered in any way.
Most law enforcement users understand the necessity for the preservation of physical evidence. It’s commonly understood that you should preserve and not contaminate DNA evidence. Equally, you should allow the defense the opportunity to examine the evidence to see if they get different results.
So how does this work in the realm of digital data evidence?
The Principles of Digital Evidence
The best guide written on this topic came from the Association of Chief Police Officers. The Good Practice Guide for Electronic Evidence outlined four principles when dealing with this type of evidence:
Principle 1: No action taken by law enforcement agencies or their agents should change data held on an electronic device or storage media which may subsequently be relied upon in court.
Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on an electronic device or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are followed.
Look at Principle 3 again – an Audit Trail. Does your mobile forensic tool have one?
Seriously, check it out – is there a detailed log of all the processes applied to the device and the results that created the end report?
We know of at least one major tool that does not have an open, accessible audit trail that can be read and understood by an independent expert for the defense. An encrypted audit log of the extraction is not a transparent tool open to inquiry by the court.
Imagine taking all the time to acquire the data, decode it and then prepare a report in order to present the evidence at court – only to have it thrown out because nobody can make sense of what the tool is actually doing?
Impact of Privacy and Data Protection laws
It may seem obvious that by its very nature, the data recovered from a mobile device is often personal data.
Data Protection by design is important when you consider there is a piece of legislation with global reach that impacts law enforcement officers in the European Union as well as law enforcement officers anywhere in the world when handling personal data transferred from EU-based authorities.
The European Union’s data protection laws require that personal data be protected so that it is not lost, unintentionally deleted or accessed by unauthorized personnel. And more and more countries, over 100 as of mid-2019, are enacting their own data protection laws and regulations, according to a United Nations tracking study.
The monetary fines for violating data protection laws can be significant – that should focus everyone’s mind on the importance of data protection.
Data Protection by Design
You may be surprised to learn that one of the most popular tools on the digital forensic market stores data in an open file format easily readable in its native format when stored on a computer.
That should be of immediate concern. Consider, for example, an investigation into indecent images, where the file format allows you to see the images natively in Windows or on a USB memory stick or DVD.
This type of data should be protected by default.
If you store digital evidence in an open file format, that leaves it open to accidental alteration. How can you show that it has not been interfered with prior to presentation in court? What if someone accidentally dropped images from another case into the wrong folder on the computer where the evidence is stored – how would you know?
Please be sure to check that your digital forensic tool is not susceptible to this basic oversight when considering the issue of data protection and integrity for presentation in court.
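One way to answer the "how would you know?" question above is a hash manifest taken at acquisition time and re-checked before presentation; the sketch below is an added example, not code from this article or from any forensic tool. The function names and sample files are hypothetical, and it assumes the manifest (or its digest) is recorded somewhere other than the evidence folder itself.

```python
import hashlib
import json
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large extractions do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir: Path) -> dict:
    """Map each file's relative path to its SHA-256, taken at acquisition time."""
    return {
        p.relative_to(evidence_dir).as_posix(): sha256_file(p)
        for p in sorted(evidence_dir.rglob("*")) if p.is_file()
    }


def manifest_digest(manifest: dict) -> str:
    """One value to record in the case notes; it pins the entire manifest."""
    canonical = json.dumps(manifest, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify(evidence_dir: Path, manifest: dict) -> dict:
    """Compare the folder as it is now against the acquisition manifest."""
    current = build_manifest(evidence_dir)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "unexpected": sorted(f for f in current if f not in manifest),
    }


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample case folder
        case = Path(tmp)
        (case / "IMG_0001.jpg").write_bytes(b"constructed sample A")
        (case / "sms.db").write_bytes(b"constructed sample B")
        manifest = build_manifest(case)
        print("manifest digest:", manifest_digest(manifest))
        # Simulate a file from another case landing in this folder.
        (case / "IMG_9999.jpg").write_bytes(b"file from another case")
        print(verify(case, manifest))
```

Because the manifest is plain JSON and SHA-256 is a public algorithm, an independent examiner can repeat the check and should arrive at the same result, in line with Principle 3.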