Evidence is an important part of digital forensics.
Standard of Evidence
The standard of evidence is the level of certainty and the degree of evidence necessary to establish proof in a proceeding.
Evidence collected during investigations needs to follow standards in order to be admitted. The standard varies with the type of investigation.
Criminal Standard of Evidence
Most criminal cases must meet the beyond a reasonable doubt standard of evidence.
The reasonable doubt standard implies that the prosecutor must demonstrate that the defendant committed the crime by presenting facts from which there are no other logical conclusions.
Civil Standard of Evidence
Civil cases follow the preponderance of the evidence standard.
The preponderance of the evidence requires that the evidence demonstrate that the outcome of the case is more likely than not.
The preponderance of the evidence standard is weaker than the reasonable doubt standard.
Regulatory Standard of Evidence
Regulatory investigations are conducted with a standard of proof commensurate with the venue where they expect to try their case.
Administrative Standard of Evidence
Operational investigations do not require that the collection of evidence be thorough, because resolving the issue is the primary goal.
Non-operational investigations may require a stronger standard of evidence.
Industry Standard of Evidence
An example of an industry investigation is PCI DSS.
Admissible Evidence
Conditions for evidence to be admitted:
- Evidence must be relevant to determining a fact
- Evidence must be material (i.e. related) to the case
- Evidence must be competent (i.e. obtained legally)
Types of Evidence
Types of evidence:
- Real
- Documentary
- Testimonial
- Demonstrative
Real Evidence
Real evidence or object evidence consists of objects that can be brought into a court of law.
In the case of computer crimes, it may be a keyboard with fingerprints or a hard drive.
Documentary Evidence
Documentary evidence includes any written items that can be brought into a court of law.
Rules applying to Documentary Evidence
Rules applying to documentary evidence:
- Best evidence rule
- Parol evidence rule
Best Evidence Rule
The best evidence rule states that when a document is used as evidence in a court proceeding, the original document must be introduced.
Parol Evidence Rule
The parol evidence rule states that when an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement and no verbal agreement may modify the written agreement.
Testimonial Evidence
Testimonial evidence consists of testimony of a witness.
Rules applying to Testimonial Evidence
Rules applying to Testimonial Evidence:
- Hearsay rule
Hearsay Rule
The hearsay rule states that when a witness offers testimony in court, they must normally avoid hearsay, meaning that they cannot testify about what someone else told them outside of court.
This rule has several exceptions.
One of them is business records, such as computer logs, under certain circumstances.
Demonstrative Evidence
Demonstrative evidence is used to support testimonial evidence. It helps a witness explain a concept or clarify an issue. For example, a diagram.
Electronic Discovery
Discovery is a process that must be followed to preserve evidence, both paper and electronic.
Electronic discovery (eDiscovery) refers to the preservation of electronic evidence.
The Electronic Discovery Reference Model (EDRM) describes a standard process for conducting
EDRM steps:
- Information Governance
- Identification
- Preservation
- Collection
- Processing
- Review
- Analysis
- Production
- Presentation
External References
- M. Chapman et al; “CISSP Study Guide 9th Edition”, pp. 912-916; Wiley, 2021