Evidence

Which electronic evidence is admissible and should therefore be included in your final report? Which evidence is authentic? What type of electronic evidence is likely to be challenged as hearsay?

Generally speaking, there are two types of electronic evidence: files generated by the computer without human intervention and files created by humans. Files created by the computer would include items such as activity logs, reports, and temporary files. Files created by humans would include items such as word processing documents, spreadsheets, and email.

There are also hybrid files, such as email files where the content of the message is created by a human, but the metadata is generated by the computer, such as the email routing data in the header.

Computer-generated files are typically admissible as evidence. Human-generated files are subject to hearsay and authenticity tests.

If the person who created the files that are part of the evidence cannot testify or be cross-examined, are there any circumstances under which the evidence may still be admissible? Will the Federal Rules of Evidence (FRE) allow it?

Yes. Since the FRE governs all evidence offered in court, certain exceptions exist that allow evidence to be admitted under certain circumstances and for certain purposes. Some recent notable additions are found in FRE 902 (evidence that is self-authenticating), specifically 902(13) and 902(14).

FRE 902(13) speaks to "a record generated by an electronic process or system that produces an accurate result." It also references the two previous paragraphs, which require that the record come from a "regularly conducted activity." In digital forensics, 902(13) covers automatically generated logs, results from intrusion detection devices, email headers, GPS data, EXIF (exchangeable image file format) data, computer system data, and even user-entered data that the computer processes.

As for paragraph 14, "certified data copied from an electronic device, storage medium, or file" covers imaging (i.e., digital forensic images/copies) performed per accepted standard processes by a qualified person who complies with the certification requirements. In sum, certain records that are normally maintained in the regular course of business and are certified as business records may be admissible in court, and the custodian of records can testify to their authenticity.

Generally, the common definition of hearsay is an out-of-court statement offered in court to prove the truth of the matter asserted. When you go to court, you will be testifying on things pertaining to your own investigation and recorded in your digital forensics examiner's report(s). You will provide the narrative, method, and/or explanation of your findings.

One of the reasons hearsay is not admitted into court (apart from some exceptions) is that it does not give the opposing side in court (usually defense counsel) an opportunity to cross-examine the witness who originally made the hearsay statement or created the hearsay evidence or document. In the United States, criminal defendants have a constitutional right under the Sixth Amendment's Confrontation Clause to confront their accusers, and can question the reliability and truthfulness of any evidence presented against them.

As a consequence, witnesses are normally required to testify based upon their knowledge of the facts and their own observations unless a hearsay exception under the Federal Rules of Evidence applies to allow admissibility. This same general principle governing the inadmissibility of hearsay evidence applies in state criminal courts under state evidence rules. In addition to hearsay objections, as a digital forensics examiner you may also hear words like "speculation" or other objections if you try to offer statements made by other people without any proof.

Check Your Knowledge

Choose the best answer to each question:

Question 1
The investigator should focus his or her attention on user-created image or document files, not on operating system files and logs that are maintained by the computer automatically.
True
False

Question 2
Records stored in computers can be divided into three categories: nonhearsay, hearsay, and records that include both hearsay and nonhearsay. Which of the following is an example of nonhearsay evidence?
an internal memo document
internet service provider (ISP) activity logs
email message content
a shared document hosted by a cloud storage service

Question 3
The output of a computer-generated process such as an access log file does not implicate the Confrontation Clause because the files are not statements of persons.
True
False