Chapter 3
Digital Evidence in the Courtroom
Objectives
On completing this chapter, the student will:
Be aware of the difference between concerns of the law and scientific knowledge.
Be aware of the concerns of the court in regard to forensic examination of digital
evidence:
The integrity of the digital investigator
Authenticity of the digital evidence they present
Be aware of the US Federal Rules of Evidence and how they relate to the authenticity
of evidence.
Be aware that in the courts, theories based on scientific truth are subordinate to the
legal judgment.
Be aware of the connection between proper evidence handling and admissibility.
Be aware of the connection between authorization to search and admissibility.
Be aware of four considerations when searching and seizing digital evidence:
Does the Fourth Amendment and/or Electronic Communications Privacy Act
Multiple Choice Questions
1. Having a member of the search team trained to handle digital evidence:
2. An attorney asking a digital investigator to find evidence supporting a particular line of
inquiry is an example of:
3. A digital investigator pursuing a line of investigation in a case because that line of
investigation proved successful in two previous cases is an example of:
5. Regarding the admissibility of evidence, which of the following is not a consideration:
6. According to the text, the most common mistake that prevents evidence seized from
being admitted is:
7. In obtaining a warrant, an investigator must convince the judge on all of the following
points except:
8. If, while searching a computer for evidence of a specific crime, evidence of a new,
unrelated crime is discovered, the best course of action is:
9. The process of documenting the seizure of digital evidence and, in particular, when that
evidence changes hands, is known as:
10. When assessing the reliability of digital evidence, the investigator is concerned with
whether the computer that generated the evidence was functioning normally, and:
11. The fact that with modern technology, a photocopy of a document has become acceptable
in place of the original is known as:
12. Evidence contained in a document provided to prove that statements made in court are
13. Business records are considered to be an exception to:
14. Which of the following is not one of the levels of certainty associated with a particular
finding?
15. Direct evidence establishes a:
True or False Questions
1. There is no need for any specialized training in the collection of digital evidence.
2. It is the duty of a digital investigator to ignore influences from any source.
3. The application of preconceived theories to a particular case is a good method of
reducing caseload.
4. In the United States, the prosecution must prove guilt beyond a reasonable doubt.
5. Chain of custody is the process of documenting who has handled evidence, where and
when, as it travels from the crime scene to the courts.
6. Typically, a photocopy of a document is considered hearsay evidence and is not
admissible in court.
7. Direct evidence establishes a fact.
8. Coerced testimony is the most common mistake that prevents evidence seized from being
admitted.
9. Determining whether digital evidence has been tampered with is a major concern of the
digital examiner.
10. Exceeding the scope of a warrant is not likely to affect the admissibility of the evidence
collected.
11. Digital evidence cannot be direct evidence because of its separation from the events it
represents.
12. When creating an expert report, digital investigators should support assertions in their
reports with multiple independent sources of evidence.
13. Voir dire is the process of becoming accepted as an expert by the court.
14. During testimony, when a lawyer appears not to be tech savvy, it is a good practice to
guess what the attorney is trying to ask.
15. A proper response to a question that you do not
Essay Questions
Develop a procedure for systematically examining a crime scene for digital evidence.
Develop a format for a digital examination report.
Hold a mock court, with the instructor acting as opposing counsel, and testify under
cross-examination.
Scenario
You are accompanying a raid on a suspected software pirate. What would you be looking for?
What precautions would you be taking? What evidence collection considerations would you
take into account?