Certain legal and technical requirements must be met to ensure the admissibility of digital evidence in a court of law (Antwi-Boasiako and Venter, 2017). In regards to the former, the court examines the legal authorization to conduct searches and seizures of information and communication technology and related data, and the relevance, authenticity, integrity, and reliability of digital evidence (Antwi-Boasiako and Venter, 2017). With respect to the latter, the court critically examines the digital forensics procedures and tools used to extract, preserve, and analyse digital evidence; the digital laboratories whereby analyses are performed; the reports of digital forensic analysts; and the technical and academic qualifications of digital forensics analysts and expert witnesses (if required) (Antwi-Boasiako and Venter, 2017). Antwi-Boasiako and Venter (2017) developed a framework, the Harmonized Model for Digital Evidence Admissibility Assessment (HM-DEAA), that encapsulates the essential technical and legal requirements that determine evidence admissibility. Particularly, the HM-DEAA proposes a three-phase model for assessing evidence admissibility, which includes digital evidence assessment, consideration, and determination. The HM-DEAA framework is used in the next section of this Module to highlight the legal and technical requirements that are largely used across jurisdictions to ensure the admissibility of digital evidence in national courts.
In this phase, courts determine whether the appropriate legal authorization was used to search and seize information and communication technology (ICT) and related data. The types of legal authorization include a search warrant, court order, or subpoena. The legal order required to obtain ICT and ICT-related data varies by jurisdiction and is determined by national laws (see Cybercrime Module 7 on International Cooperation against Cybercrime). However, the legal order predominately used by countries to seize ICT is a search warrant. Nevertheless, national laws differ in the legal order requirements based on the circumstances of the case, circumstances surrounding the search and seizure, and the credentials of those conducting the search (see Cybercrime Module 7 on International Cooperation against Cybercrime for further information on the legal orders required to access data across jurisdictions).
The forensic relevance of the digital evidence is assessed in this phase as well. Forensic relevance is determined by whether the digital evidence: links or rules out a connection between the perpetrator and the target (e.g., victim, digital device, website, etc.) and/or the crime scene (the place where the crime or cybercrime occurred); supports or refutes perpetrator, victim and/or witness testimony; identifies the perpetrator(s) of the cybercrime; provides investigate leads; provides information about the method of operation ( modus operandi or M.O.) of the perpetrator (i.e., the habits, techniques and unique features of the perpetrator's behaviour); and shows that a crime has taken place ( corpus delicti) (Maras, 2014; Maras and Miranda, 2014).
Digital evidence can reveal signature behaviour of cybercriminals, such as malware developers and hackers (Casey, 2011). A signature behaviour is a recognizable and distinguishable pattern of activity (e.g., specific techniques, tools, and moniker) that can be attributed to a source, which provides some form of psychological or emotional benefit (e.g., gratification and recognition by peers) to the cybercriminal (Casey, 2011).
In this phase, an assessment is made as to the integrity of digital evidence by examining the digital forensics procedures and tools used to obtain the evidence, the competence and qualifications of the digital forensics experts who acquired, preserved, and analysed the digital evidence (the competence and qualifications of experts varies by country, see Cybercrime Module 5 on Cybercrime Investigations), and the digital forensics laboratories where the evidence was handled and examined (US National Institute of Justice; 2004a; Maras, 2014). Basically, this evaluation seeks to determine whether scientific principles were used to preserve, acquire, and analyse digital evidence, and standards were met to handle and examine digital evidence (e.g., whether digital forensics tools were validated, up-to-date, properly maintained, and tested before their use, to ensure their proper functioning).
Digital forensics experts provide testimony in court to explain their qualifications; how digital devices, online platforms and other ICT-related sources work; the digital forensics process; why a specific digital forensics tool was used and not others; how digital evidence was preserved acquired, and analysed; the interpretation and findings of the analyses performed, and the accuracy of these interpretations; and any alterations that may have occurred to the data and why these alterations occurred (US National Institute of Justice; 2004a; Maras, 2014).
The qualifications of digital forensics experts are also examined to establish the competency of the individuals handling and analysing digital evidence. This competency is essential to ensure work product quality and confidence in produced results ( SWGDE Overview of the Accreditation Process for Digital and Multimedia Forensic Labs , 2017). Nevertheless, there are no universal competency standards for digital forensics experts. The qualifications of digital forensics experts vary by country (UNODC, 2013). The certification of digital forensics experts may or may not be required; this depends on the jurisdiction (UNODC, 2013). This phase, therefore, evaluates whether experts have the necessary qualifications to serve as an expert witness and/or to perform the required examinations of ICT and ICT-related data. What is also determined is whether the competency of these experts and analysts were verified and tested.
The Daubert Tracker , named after the US case Daubert v. Merrell Dow Pharmaceuticals Inc. (1993) that set the criteria that US courts use to determine the reliability of a forensics test or evidence introduced in court, keeps track of reported and unreported legal cases where experts' methods and qualifications have been challenged (Maras, 2014).
The standards and protocols of the digital forensics laboratory are also examined to determine the competency of the laboratory in the handling and analysis of digital evidence and the production of reliable results. What is particularly examined is whether "a laboratory is using reliable methods, appropriate equipment and software, competent personnel, and drawing reasonable conclusions" (SWGDE Overview of the Accreditation Process for Digital and Multimedia Forensic Labs, 2017, p. 4). Accreditation assists in this endeavour "by provid[ing] a means to improve quality, assess performance, provide independent review, meet established standards, and serve to ensure the promotion, encouragement, and maintenance of the highest standards of forensic practice" (Barbara, 2012). Although the ISO/IEC 17025 "endeavours to standardize laboratories worldwide in terms of testing, quality control, [and] calibration," its support by the digital forensics community is mixed (Merriott, 2018). Furthermore, while accreditation provides the necessary oversight and accountability mechanisms to ensure that standards for forensic practice are met ( SWGDE Myths and Facts about Accreditation for Digital and Multimedia Evidence Labs , 2017), it is not universally practiced. In the United States, for example, accreditation is required by some but not all states (Barbara, 2012). In the United Kingdom, the Forensic Science Regulator accredits the organisations involved in digital forensics (Forensic Access, 2017), while in South Africa, the designated national agency for accreditation is the South African National Accreditation System (SANAS, 2016 ; see Act No. 19 of 2006; i.e., the Accreditation for Conformity Assessment, Calibration and Good Laboratory Practice Act of 2006).
In this phase, the authenticity, integrity, and reliability of digital evidence is assessed based on the outcomes of the assessment of the digital forensics process conducted in the previous phase (i.e., the digital evidence consideration phase), such as the use of forensically sound methods and tools to obtain digital evidence and the testimony of expert witnesses and digital forensics analysts to corroborate the authenticity, integrity, and reliability of this evidence (Antwi-Boasiako and Venter, 2017; US National Institute of Justice, 2004a). Digital evidence is admissible if it establishes a fact of matter asserted in the case, it remained unaltered during the digital forensics process, and the results of the examination are valid, reliable, and peer reviewed (Brezinski and Killalea, 2002; US National Institute of Justice, 2004a; European Network of Forensic Science Institute, 2015). To be admissible, the findings should be interpreted in an unbiased manner, and errors and uncertainties in the findings, as well as limitations in the interpretations of results, should be disclosed (Brezinski and Killalea, 2002; European Network of Forensic Science Institute, 2015).
Ultimately, this three-phase model consolidates common legal and technical requirements for evidence admissibility across jurisdictions (Antwi-Boasiako and Venter, 2017). The standardization of digital forensics practices is key to ensuring the admissibility of digital evidence across jurisdictions. Given the transnational nature of cybercrime, the harmonization of digital forensics practices is not only of paramount importance to the investigation of cybercrime, but is also essential to international cooperation on cybercrime matters (discussed in Cybercrime Module 7 on International Cooperation against Cybercrime).
Like digital forensics, e-Discovery is a process whereby digital data "is sought, located, secured, and searched with the intent of using it as evidence in a legal case" (Lawton, Stacey, and Dodd, 2014, p. 4). However, there are key differences between digital forensics and e-Discovery. Unlike digital forensics, e-Discovery is primarily focused on retaining data as a matter of record (in the most cost-effective manner) and in order to fulfil legal requirements to produce digital evidence in legal proceedings when compelled to do so by a court.