Lkagroup Local Coverage - Global Reach


USE OF DIGITAL EVIDENCE IN AN INVESTIGATION (29th June 2007)

What is digital evidence?

Generally it consists of digital or binary representations of an image obtained for evidentiary purposes. That image can be an audio or visual file such as covert video footage from a DV type camera or the recording of an interview obtained by consent using a digital recorder. Common to all formats is that digital image files are made up of bits or, put another way, a series of 1’s and 0’s.

You may have seen CCTV footage on the television of an assault or crime taking place. This footage is usually taken by a digital closed circuit video camera and may actually be used in criminal court proceedings. Most investigators at LKA will have used some sort of digital camera, whether obtaining photographs of an accident site or video recording activities. These days most interviews are recorded using a digital recorder and the recording is then transcribed onto paper. The original interview recording is kept to verify the transcript and show how the interview was actually conducted. At all times, the digital images were designed to be used in court as evidence.


Is digital evidence safe?

Because the digital video footage or the recording isn’t on a tape, the natural questions arise: How do I know that this is the original image? How do I know that it hasn’t been tampered with? What happens if the other side challenges the veracity of my evidence?

These questions were first answered in detail in Great Britain by the House of Lords Science and Technology Select Committee into “Digital Images as Evidence” in their February 1998 report. The report discussed a number of issues including ways of verifying that the image is consistent with the original. This is important, as one of the major tenets of evidence law is the rule of “best evidence”. That is, the best form of evidence is the original or the next best thing if the original does not exist. Where an image is digital there is no real “original” as such unless of course the image remains in the camera or recording device. This is not practical in almost any situation and the law recognizes this by allowing the original image to be considered as the “primary source” and any verified copy can be called the “original”. This applies when the copy is a binary (bit for bit) duplicate, identical to the original. There is no distinction between the primary and original files because they are exactly the same.


How can the image be verified as original?

An image can usually be admissible as evidence if it is properly authenticated by the person who captured the image. Documentation, in the form of an audit trail (chain of custody), should be used to record the details of the case, a description of the images (including a log where appropriate), details of the creation and defining of the original image such as the date/time and type of format, and details of how the image was verified after copying.

Reusable media such as flash drives and memory sticks can be removed from the capture device (e.g. camera) for copying and then re-used after erasing the primary image. The same is also done where the media cannot be removed, such as hard drive type media used on video cameras and digital voice recorders. Once the primary images are binary copied, the copied images can be verified, usually using a “hash verification” method.


Hash verification

A hash value is a numerical value, in practice unique to a file’s exact contents, calculated using an algorithm such as SHA256, MD5, CRC or similar checksum. Using a simple software program a hash value (written in hexadecimal form) of the primary image is calculated and compared with that of the copy. Any changes to pixel value, date, time, image orientation, etc. will cause the hash value to change and the original will no longer be verified. The best way to avoid this and secure the original is to record the image on a WORM (write once, read many) type of archival media such as a CD-R or DVD-R.
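The copy, hash and audit-trail steps described above can be sketched as follows; this is an added example, not part of the original article or any LKA Group tool. It uses SHA-256 from the algorithms named above (CRC only detects accidental errors and MD5 has known collisions), and the file names, case reference and audit-trail field names are assumptions made for illustration.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def file_hash(path, algorithm="sha256"):
    """Hash the file's exact bytes in 1 MiB blocks; return the hex digest."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(1024 * 1024), b""):
            digest.update(block)
    return digest.hexdigest()


def copy_and_verify(primary, copy, case_ref):
    """Binary-copy the primary image, hash both files, return an audit-trail entry."""
    if Path(copy).exists():
        raise FileExistsError(f"refusing to overwrite existing copy: {copy}")
    shutil.copyfile(primary, copy)  # copies the file content byte for byte
    primary_hash, copy_hash = file_hash(primary), file_hash(copy)
    return {  # field names are illustrative, not taken from any standard
        "case_ref": case_ref,
        "primary_file": Path(primary).name,
        "copy_file": Path(copy).name,
        "algorithm": "sha256",
        "primary_hash": primary_hash,
        "copy_hash": copy_hash,
        "verified": primary_hash == copy_hash,
        "verified_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def demo():
    """Run on constructed sample data; return (entry, matches_before, matches_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        primary, working = Path(tmp, "interview_001.wav"), Path(tmp, "working_copy.wav")
        primary.write_bytes(b"RIFF" + bytes(range(256)) * 64)  # constructed stand-in
        entry = copy_and_verify(primary, working, "CASE-EXAMPLE-001")
        matches_before = file_hash(working) == entry["primary_hash"]
        data = bytearray(working.read_bytes())
        data[100] ^= 0x01  # change a single bit in the working copy
        working.write_bytes(data)
        return entry, matches_before, file_hash(working) == entry["primary_hash"]


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The returned entry is what would be filed with the written audit trail; re-hashing the stored copy later and comparing it with `primary_hash` repeats the verification at any point in the chain of custody.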

It is also important to understand that compressing an image to transmit over the internet or by email can sometimes affect the integrity of the image. This is because there are two types of compression methods. One is the “lossy” method where some data is removed to make the file smaller. It is then de-compressed by an algorithm used in media such as streaming which then plays the file. Unfortunately, the file is changed forever and continues to change every time it is further compressed. The other compression method is “lossless” which is used in ZIP files and some other formats. In this method nothing is removed from the file permanently and it remains in its original form after de-compression.


Handling and storage

Following the bit by bit copying, the images must be protected from accidental deletion or alteration. Again, the original copy should be placed onto a WORM medium such as CD-R or DVD-R and kept in safe storage with the written audit trail. This can be used to provide further originals where required. A second, hash verified copy can be kept on a server or stand-alone PC to be used as a working copy.

To conclude, electronic evidence can most certainly be used in Court but it is important to follow set guidelines to prevent any embarrassment should the integrity of your evidence be tested.

For further reading I recommend you obtain a copy of the Guidelines for the Management of IT Evidence (HB 171-2003) published by Australian Standards or you may also wish to view the Australasian Guidelines for Digital Imaging Processes (version 2 – 2004) from the Senior Managers Australian and New Zealand Forensic Laboratories.

- David Howard, Victorian Operations Manager


© Copyright LKA Group Pty Ltd