Corroborative Evidence

To strengthen a particular fact or element of a case, corroborative evidence might be needed. This type of evidence provides additional support for a fact that might have been called into question. It does not establish a particular fact on its own, but rather provides additional support for other facts.

Hearsay

Hearsay evidence constitutes second-hand evidence. As opposed to direct evidence, which someone has witnessed with her five senses, hearsay evidence involves indirect information. Hearsay evidence is normally considered inadmissible in court. Numerous rules, including Rules 803 and 804 of the Federal Rules of Evidence of the United States, provide for exceptions to the general inadmissibility of hearsay evidence that is defined in Rule 802.

Business and computer-generated records are generally considered hearsay evidence, but case law and updates to the Federal Rules of Evidence have established exceptions to the general rule that business records and computer-generated data and logs are hearsay. The exception defined in Rule 803 provides for the admissibility of a record or report that was “made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of a regularly conducted business activity, and if it was the regular practice of that business activity to make the memorandum, report, record or data compilation”[^1].

An additional consideration important to computer investigations pertains to the admissibility of binary disk and physical memory images. The Rule of Evidence that is interpreted to allow for disk and memory images to be admissible is actually not an exception to the hearsay rule, Rule 802, but is rather found in Rule 1001, which defines what constitutes originals when dealing with writings, recordings, and photographs. Rule 1001 states that “if data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original’”[^2]. This definition has been interpreted to allow for both forensic reports as well as memory and disk images to be considered even though they would not constitute the traditional business record exception of Rule 803.

Best Evidence Rule

Courts prefer the best evidence possible. Original documents are preferred over copies; conclusive tangible objects are preferred over oral testimony. Recall that the five desirable criteria for evidence suggest that, where possible, evidence should be: relevant, authentic, accurate, complete, and convincing. The best evidence rule prefers evidence that meets these criteria.

Secondary Evidence

With computer crimes and incidents, best evidence might not always be attainable. Secondary evidence is a class of evidence common in cases involving computers. Secondary evidence consists of copies of original documents and oral descriptions. Computer-generated logs and documents might also constitute secondary rather than best evidence. However, Rule 1001 of the United States Federal Rules of Evidence can allow for readable reports of data stored on a computer to be considered original as opposed to secondary evidence.

Evidence Integrity

Evidence must be reliable. It is common during forensic and incident response investigations to analyze digital media. It is critical to maintain the integrity of the data during the course of its acquisition and analysis. Checksums can ensure that no data changes occurred as a result of the acquisition and analysis. One-way hash functions such as MD5 or SHA-1 are commonly used for this purpose. The hashing algorithm processes the entire disk or image (every single bit), and the output is a resultant hash checksum. After analysis is completed, the entire disk can again be hashed. If even one bit of the disk or image has changed, then the resultant hash checksum will differ from the one that was originally obtained.
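
The hash-at-acquisition, re-hash-after-analysis check described above, as an added Python example that is not part of the original text. The file name and sample data are constructed for illustration, and computing SHA-256 alongside the MD5 and SHA-1 named above is an assumption of this example.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so a large image never sits in memory


def hash_image(path, algorithms=("md5", "sha1", "sha256")):
    """Return {algorithm: hexdigest}, computed in one pass over the whole file."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, recorded):
    """Re-hash the image; return the algorithms whose digest no longer matches."""
    current = hash_image(path, tuple(recorded))
    return [name for name in recorded if current[name] != recorded[name]]


def demo():
    """Constructed sample: a 4 KiB stand-in image, then a single flipped bit."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "evidence.dd")  # hypothetical file name
        with open(image, "wb") as f:
            f.write(bytes(range(256)) * 16)
        acquired = hash_image(image)            # recorded at acquisition time
        clean = verify_image(image, acquired)   # re-hash after analysis
        with open(image, "r+b") as f:           # simulate a one-bit alteration
            f.seek(2048)
            byte = f.read(1)[0]
            f.seek(2048)
            f.write(bytes([byte ^ 0x01]))
        tampered = verify_image(image, acquired)
    return acquired, clean, tampered


if __name__ == "__main__":
    acquired, clean, tampered = demo()
    for name, digest in acquired.items():
        print(f"{name:7} {digest}")
    print("mismatches after clean re-hash:", clean)
    print("mismatches after 1-bit change:", tampered)
```
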