Academic - index

Digital Evidence

(17 February 2003)


If somebody is attacking your computer system, then there is a short-term problem and a long-term problem. The short-term problem is that you want to limit (and ideally prevent) any unauthorised access, and resulting damage. The long-term problem is that you may want to take legal action against them - in this case, you will need records of the event, which are admissible in court.

In other cases, e.g. when someone is suspected of being a paedophile, the goal is simply to gather information about that person. This could be done at the time, e.g. by monitoring a discussion on IRC, or after the fact, e.g. by inspecting a computer's web cache.

This paper only addresses the gathering of evidence. While security measures to limit access to systems are important, they are not relevant to this discussion.

Computer Forensics

In order to detect unauthorised access, you need to have some form of intrusion detection system. These generally fall into two categories - some are quite useful at the time, but less help later, whereas others provide a good audit trail but won't alert you when the attempted access is in progress. For instance, when Clifford Stoll first discovered that someone had been breaking into the computer network at his university, this was due to a 75 cent mismatch in the accounting system (a user had been connected, who wasn't attached to any department). So, this would fall into the second category.

If the police are examining a computer, then it is important to preserve the evidence. However, just by booting up a Windows PC, this will result in multiple files being written to the hard drive. So, at this point, the computer is no longer in the same state that it was in before. One solution is to take an image of the hard drive. A copy of this can then be archived immediately (e.g. onto CD-ROMs), sealed in a bag, and marked as evidence. Another copy can be examined on a separate machine, without needing to use the original PC. Unfortunately, while this approach is valid for individual computers (e.g. a home user accused of storing child pornography), it becomes impractical in a corporate environment. If you have 1000 computers on a LAN, and the company has been accused of tax evasion, then the network is simply too complex to seize. There are also associated problems, such as attempting to ensure completeness/reliability.

The ACPO (Association of Chief Police Officers) Good Practice Guide lays out five principles for disk forensics, with respect to preserving evidence for use in court:

Principle 1: No action taken by Police or their agents should change data held on a computer or other media which may subsequently be relied upon in Court.

Principle 2: In exceptional circumstances where a person finds it necessary to access original data held on a target computer that person must be competent to do so and to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail or other record of all processes applied to computer based evidence should be created and preserved. An independent third party should be able to repeat those processes and achieve the same result.

Principle 4: The onus rests with the Officer in charge of the case to ensure compliance with any law pertaining to the possession of, or access to, information contained on a computer. The officer must be satisfied that the use of any copying device or actions of any person having access to the computer complies with these laws.

Principle 5: The onus of ensuring that these principles are adhered to and that the evidence is admissible rests with the Officer in charge of the case. The officer must be satisfied that the use of any copying device or actions of any person having access to the computer complies with these principles.

With regard to indecent photographs, the two offences which are easiest to prove are "possession" and "making". It is significant to note that "pseudo-photographs" (images which have been digitally manipulated) are treated the same as photographs of actual children. (See s 84(4), Criminal Justice and Public Order Act, 1994.)

For "possession", i.e. having the image on your computer, the key issue is the balance of probability - they must be uniquely associated with you, and you must have had knowledge of their existence. Essentially, if you receive unsolicited images via email, and then delete them, then you haven't broken the law. Similarly, if you have images in your web-cache, then they could plausibly be there without your knowledge. By contrast, if you have set up a folder structure on your hard drive, and copied the images there, then this is more incriminating. For instance: "The married PC with the Nottinghamshire force carefully filed the images using the codes PT for pre-teenagers and YT for young teens." (Report in "The Sun" on Monday 17th February 2003, regarding a policeman who was convicted of making indecent photos of children.)

For "making", the files need to be uniquely associated with the accused, and there needs to be some indication that they have been copied or modified. Copying can include voluntary viewing. It is rather unfortunate that this would incriminate any police officer who takes an image of a suspect's hard drive! However, there have been recent discussions about amending this legislation, as of November 2002.


Once you have collected information, you need to make sure that it is admissible in court. There are legal rules which determine whether potential evidence can be considered by a court for its probative value.

Probably the best known rule of admissibility is hearsay. This essentially means that if someone confesses a crime to me, and I report that in court, then it's admissible. If I tell a third person, and he reports it in court, then it is only hearsay, since he has only been told about the confession, rather than hearing it himself. In the context of computer forensics, this means that the person who gathers evidence should then present that evidence in court.

One problem is that log files are typically stored as plain text, which means that they can easily be modified. A similar issue applies to web pages in a cache, since they can be modified by the same tools which were used to create them in the first place. Having a hard copy (i.e. a print-out) can be useful here.

One thing which is easy to do (but often overlooked) is to make sure that the program which generated the log file is documented. E.g. "These are logs of an IRC discussion, as generated by mIRC".

It helps if you have the same information from multiple sources, e.g. if the computer shows that a person connected to a remote computer at a certain time of the day, and the phone company can confirm that he was dialled up to his ISP at the same time. Similarly, you may have multiple people who can offer logs of the same IRC conversation.

A related issue is that the proper procedures must be followed when obtaining evidence. An example of this is the 2001 case of Andrew Aspinall in Scotland. "In this particular case, the police had obtained a warrant allowing police officers to search Mr Aspinall's house. But when the police went to Mr Aspinall's house on 2 September 1998, they took with them a civilian who was a computer expert." (Source: Since the computer evidence had been obtained by this unauthorised civilian, it became inadmissible in the trial court. Mr Aspinall's lawyers objected to the evidence, partly on the basis of the European Convention on Human Rights; specifically, Article 8 ("Right to respect for private and family life"), which states:

  1. Everyone has the right to respect for his private and family life, his home and his correspondence.

  2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

The same principle applies to each step of the police investigation. E.g. if the police have obtained the IP address of a suspect, then they will need to ask the relevant ISP to identify that customer. It is essential that this action be carried out under the relevant legal powers (such as having a warrant).

Another aspect of evidence is the (technical) source - is this an established method? For instance, if the prosecution can produce a phone bill, showing that the defendant phoned his ISP (through a modem) at a certain time of day, then this will be readily accepted. By contrast, if they say "The defendant deleted all the files on his hard drive, reformatted it, then threw it out of a 10-storey window, but we've been able to reconstruct the files by going to a data recovery firm", then it would be reasonable for the defence to question the validity of this recovery method.

The issue here is that you need to strike the right balance. On the one hand, it is unreasonable to expect the jury to understand technical minutiae. On the other hand, it is inappropriate to expect them to accept data recovery techniques as "magic". In the UK, the standard solution to this impasse is peer review - if other experts in the field have studied the technique, tested it, and validated the results, then the court will accept the evidence. The implication of this is that you can find a conflict arising between the need for peer review and the desire for confidentiality. An example of this came in the case of Richard Pryce, who was accused of illegally accessing USAF computers. The problem was that USAF didn't want to release the source code for their network monitoring tools, and this weakened their case.

Again, there is a trade-off here. If you use established technology, then it is more likely to be admissible in court. On the other hand, if you use cutting-edge technology, then it is more likely to actually gather the evidence you need.

It is worth noting that the rules are slightly different in the US, where the judge acts as a "gatekeeper" for novel scientific evidence (see Daubert vs Merrell Dow in 1993). This ruling tests:

Expert witness

An expert witness can't say "This is scientifically true". Instead, the correct phrasing is "As an expert, I am satisfied that this is true." The key point is that the expert can't force a decision on the jury.

Although an expert witness might be brought in by the defence, if he actually appears in court (as opposed to just advising the defence before the trial) then his duty is to the court, not to the defence. I.e. he must answer questions truthfully and completely, rather than being a "gun for hire". (Mind you, I would assume that this guideline applies to any witness in a court case, after he has made the affirmation.)

One key issue is that an expert witness is not allowed to state whether he believes the defendant to be innocent or guilty. In fact, the lawyers aren't allowed to ask him this "ultimate question".


Peter Sommer. Digital Evidence - Emerging Problems in Forensic Computing
(Seminar given at Kings College London on 27 November 2002, copy of slides obtained from speaker)

Peter Sommer. Intrusion Detection Systems as Evidence
Available: [accessed 17 Feb 2003]

Peter Sommer. Evidence in Internet Paedophilia Cases
Available: [accessed 17 Feb 2003]

Clifford Stoll. (1991) The Cuckoo's Egg. 6th ed.

This page was last updated on 2004-09-05 by John C. Kirk

Valid XHTML 1.0! Valid CSS! Level Double-A conformance icon, W3C-WAI Web Content Accessibility Guidelines 1.0 Labelled with ICRA