Evidence turned over to the prosecuting authorities for examination ultimately may not be useful without establishing the authenticity and chain of custody of the evidence, according to Digital Evidence in the Courtroom: A Guide for Law Enforcement and Prosecutors, U.S.
When gathering digital evidence, authentication is essential to documenting its trustworthiness. In most cases the best policy is to leave that harvesting to professionals with proper tools and background, so as not to taint the evidence.
Will Paper Evidence Suffice?
Law enforcement officials may never need to present a particular electronic document in court. The U.S. Department of Justice’s instructions for obtaining electronic evidence point out that if data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an “original.”
An advantage of printouts is that they can be authenticated with a familiar “low-tech” notary seal and custody records. Printouts are the best solution for courtroom distribution and display, and they make a good, if tedious, file backup. But the catch is in the words “shown to reflect the data accurately.” The Federal Rules of Evidence require, of course, that authentication provide evidence describing a process or system used to produce a result and showing that the process or system produces an accurate result.
Digital signatures are the solution to the problem of showing accurate results; in fact they are the industry standard. “Digital signatures are the sine qua non. Unless you can show that the hard drive is identical to the defendant’s hard drive found on the date in question, you can’t present it in court,” said Peter Pizzi, former Co-Chair of the Internet and Computer Law special committee of the New Jersey State Bar Association. Pizzi is currently a partner at Connell Foley LLC in Roseland, NJ, practicing Internet and Information Technology law. He is also co-chair of the Internet and IP Litigation committee of the New York State Bar Association’s Commercial and Federal Litigation Section.
Pizzi said that by using proper digital signatures, he hasn’t run into a case in which the authentication process has been disputed or debated. In order to protect the evidence, he said, investigators need to involve forensics experts.
How Do Forensics Experts Authenticate Files?
“Specialists are needed to get involved in gathering electronic evidence at the inception of an investigation,” Pizzi said. “With electronic evidence, someone must do a bit-by-bit copy of the hard drive and put the actual hard drive under lock and key,” Pizzi said. The bit-by-bit copy is necessary, he said, because it reveals not only what is on the hard drive, but what may have been erased.
After forensic experts copy the drive, they compute a hash value for the copy and compare it to the hash value of the original. Hash values break down the information in the file to strings of ones and zeroes. The two files must be absolutely identical. Both copies of the hash values receive digital signatures, which would disappear if the documents were later altered.
Digital signatures are also known as digital fingerprints or hash checks. Digital signatures represent a one-way hash (encryption) of the binary data content of the disk, document, file or message being investigated. Using the computer owner’s public and private key pair this process creates a signature that only the owner’s public key can validate. When the document is later examined with the digital certificate containing the owner’s public key, a successful signature check attests to the integrity of the contents. Altering the document breaks the electronic signature; if the signature check fails, the document has been tampered with.
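The copy, hash, compare and seal sequence described above, as an added example that is not from the original article. It uses SHA-256 and, as an assumption, a keyed HMAC from Python's standard library as a stand-in for the asymmetric digital signature the article refers to; the drive contents, key and examiner names are constructed.

```python
import hashlib
import hmac
import io
import json

CHUNK = 1 << 20  # read 1 MiB at a time so a large image never sits in memory


def sha256_stream(stream):
    """Return the SHA-256 hex digest of a binary stream, read in chunks."""
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        digest.update(block)
    return digest.hexdigest()


def _seal(record, key):
    """HMAC over every field except the seal (stand-in for a signature)."""
    body = {k: v for k, v in record.items() if k != "seal"}
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def acquire_record(original, image, examiner, key):
    """Hash both streams, refuse a mismatch, and seal the custody record."""
    h_orig, h_img = sha256_stream(original), sha256_stream(image)
    if not hmac.compare_digest(h_orig, h_img):
        raise ValueError("image does not match original")
    record = {"examiner": examiner, "algorithm": "sha256", "digest": h_img}
    record["seal"] = _seal(record, key)
    return record


def verify(image, record, key):
    """True only if the record is unaltered and the image still hashes to it."""
    seal_ok = hmac.compare_digest(record["seal"], _seal(record, key))
    return seal_ok and hmac.compare_digest(sha256_stream(image), record["digest"])


# Constructed sample data standing in for a seized drive and its image.
DRIVE = b"MBR" + bytes(4096) + b"deleted-but-recoverable sectors" + bytes(4096)
KEY = b"constructed-demo-key"  # placeholder, not a real signing key


def demo():
    record = acquire_record(io.BytesIO(DRIVE), io.BytesIO(DRIVE), "Examiner A", KEY)
    altered = bytearray(DRIVE)
    altered[10] ^= 0x01  # flip a single bit in the image
    forged = dict(record, examiner="Someone Else")  # edit the custody record
    return (verify(io.BytesIO(DRIVE), record, KEY),
            verify(io.BytesIO(bytes(altered)), record, KEY),
            verify(io.BytesIO(DRIVE), forged, KEY))
```

An intact image verifies, while a one-bit change to the image or any edit to the custody record fails the check.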
Hash comparisons are commonly used in the prosecution of child pornography cases, said Joseph V. DeMarco, partner at DeVore & DeMarco, LLP, in New York City. DeMarco is a former Assistant U.S. Attorney, U.S. Attorney’s Office Southern District of New York. He teaches Internet and Computer Crime at Columbia University School of Law.
It would be possible for computer users to create virtual pornography that was not an actual photo of a child, he said. On the other hand, investigating officers are familiar with many actual pornographic pictures on the Internet. If the photo on the defendant’s computer resembled known pornography, investigators could compare the hash values of each picture. “If they match, it would be evidence that the PC user is in possession of actual pornography,” DeMarco stated.
Digital signatures are like DNA tests for computer files. If the electronic evidence matches, it matches completely. Thanks to their ubiquity and their virtually unforgeable nature, digital signatures are now recognized by the federal government as legal signatures.
Manipulating the algorithms necessary to sign and authenticate documents was more difficult before the introduction of public key cryptography and third-party validated digital certificates. Digital certificates are electronic files that, among other uses, can be attached to “seal” electronic evidence once the algorithm has been run.
“The use of digital signatures for authenticating online documents and e-mail has historically required advanced tools for managing encryption technology known as digital certificates. Electronic keys stored in these certificates make digital signatures possible, but often require sophisticated IT expertise to obtain, deploy and maintain,” said Jim Fulton, vice president of marketing at DigitalPersona Inc., which offers software and hardware that protects people and businesses by enabling them to control their digital identities.
Before digital certificates, lack of IT expertise limited the availability of digital signatures for day-to-day as well as evidentiary security, Fulton said. “However, software vendors are now taking advantage of the Internet and new features within Microsoft Office and Outlook to make the distribution and administration of digital certificates simple for anybody to use.”
What Can Go Wrong: Spoliation
Matt Yarbrough wrote in an article for Law Practice Today that many IT experts simply “don’t understand how easy it is to taint electronic evidence. When copying client data for production or review, failing to make sector-by-sector images prior to viewing may result in spoliation. Simply forwarding an e-mail can cause data to be overwritten or metadata (e.g. dates) to be changed.”
If the system or process produces inaccurate results, the data is considered tainted. With widely available digital certification software in Microsoft Office, Adobe Acrobat and OpenOffice, an investigating officer could carry a digital certificate on a USB key, and digitally sign information on the spot. When investigating electronic evidence, the officer could insert the key into the computer’s USB port and use the digital signature software available on many computers. For forensic investigations, third-party digital signature software, which adds its own controlled date and time stamp, is preferable. In practice, Pizzi recommends leaving authentication to the experts. “Look for similar expertise,” Pizzi said. “Someone who has a track record in handling electronic evidence, and someone who doesn’t mess up. Some forensic experts may have learned their trade just by doing, not with a traditional educational background, but rather decades of working with PCs. Forensics is not an inexpensive process. They need facilities and equipment to process the information, and expertise and horsepower behind them.”
For an extra layer of assurance, software packages can authenticate the authenticator. For example, DigitalPersona’s software uses these Web-based digital certificates to enable simple digital signature authentication through fingerprint biometrics, allowing discovery and forensics teams to know for sure that the person who signed is who they say they are.
Faster Than a Speeding Fax Machine
One important advantage of electronically authenticated documents is that they can be instantaneously, securely and privately transferred by e-mail. A copy of the digital certificate used to create the hash is attached to the document, allowing the recipient to validate that the document has not been altered.
More information is available at Legal Technology Resource Center of the American Bar Association.
Resources for law enforcement professionals are also located online at www.Justnet.org, the Web site of the Office of Justice Programs’ National Institute of Justice (NIJ) National Law Enforcement and Corrections Technology Center (NLECTC) program. The NIJ is a research and development agency of the U.S. Department of Justice.
For information about using digital certificates for authentication, visit www.enterprise.comodo.com. Comodo is the second-largest issuer of high-assurance digital certificates, trusted by governments and businesses around the world.
Len Gangi is Vice President of Enterprise Solutions at Comodo in Jersey City, NJ. Mr. Gangi is an ISACA-certified information systems auditor. Katharine Hadow is Manager of Public Relations at Comodo. Photos courtesy of New Providence, NJ, Police Department.