Federal rules of evidence serve as the basis by which evidence can be admitted or excluded during a criminal or civil proceeding. Having knowledge of the following rules is important for CSIRT members so that any evidence collected is handled in a manner that prevents contamination and avoids the possibility of the evidence being barred from court:
- Rule 402—Test for Relevant Evidence: This rule has two parts. First, the evidence to be admitted into the proceedings must have a tendency to make a fact more or less probable than it would be without the evidence. Second, the evidence (or the facts the evidence proves) must be of consequence to the proceedings. This makes clear that not only should the evidence be relevant to the proceedings, but it should also prove or disprove a facet of the case.
- Rule 502—Attorney-Client Privilege and Work Product: One of the most sacrosanct tenets of modern law is the relationship between a client and his/her attorney. One of the provisions of the attorney-client privilege is that what is said between the two is not admissible in court. This not only applies to spoken communications, but to written communications as well. In the world of digital forensics, reports are often written concerning actions taken and information obtained. Oftentimes, incident responders will be working directly for attorneys on behalf of their clients. As a result, these reports prepared in conjunction with an incident may fall under attorney work product rules. It is important to understand this when you work under the auspices of an attorney, and when these rules may apply to your work.
- Rule 702—Testimony by Expert Witnesses: Through the acquisition of experience and knowledge in digital forensics, an analyst may be allowed to testify as an expert witness. This rule of evidence outlines the specifics concerning expert witness testimony.
- Rule 902—Evidence that is Self-Authenticating: This rule has recently undergone a revision as it relates to digital forensics. A new subpart was added as of December 1, 2017. This new subpart allows the integrity of digital evidence to be verified through hashing (we will discuss the role that hashing plays in later chapters). Furthermore, this rule requires that a qualified person present the evidence and that the evidence being presented has been collected according to best practices.
- Rule 1002—Best Evidence Rule: In civil or criminal proceedings, the original writings, recordings, or photographs need to be offered up as evidence, unless a reasonable exception can be made. In the physical realm, it is fairly easy to produce physical evidence. Parties to a case can easily present a knife used in an assault. It becomes a bit more complex when the evidence is essentially magnetic polarity on a hard drive, or log files that came from a router. In this case, courts have held that a forensically sound image of a hard drive is a reasonable substitute for the actual hard drive that was examined.
- Rule 1003—Admissibility of Duplicates: One of the most critical steps when conducting a forensic examination of digital media is to make an image or forensic copy of the media. This rule of evidence allows for such an image to be admitted into court. It is important to note that, if an image or forensic copy is to be admitted, the analyst who performed that action will most likely have to testify to having performed the action correctly.
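The hashing that Rules 902 and 1003 rely on comes down to one practical step: re-hashing the forensic image before examination and comparing the result to the digests recorded at acquisition time. The following is an added example (not code from this book or from any forensic tool); the sample image bytes, the `examiner` label and the record layout are constructed for illustration.

```python
import hashlib
import io
from datetime import datetime, timezone

# Constructed stand-in for a forensic disk image; a real acquisition is a file on disk.
SAMPLE_IMAGE = b"\x00" * 4096 + b"partition table bytes (constructed)" + b"\xff" * 1024


def hash_stream(stream, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Hash a file-like object in chunks so a multi-GB image never sits in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Convenience wrapper for in-memory data (tests, small artifacts)."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash an image file on disk; this is what you record at acquisition time."""
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def verify_image(stream, acquisition_hashes, examiner):
    """Re-hash the image and compare against the digests recorded at acquisition.

    Returns a verification record that can be appended to the chain-of-custody
    documentation. Any algorithm whose digest no longer matches is listed, and
    'intact' is False, so a changed image is never silently examined.
    """
    observed = hash_stream(stream, tuple(acquisition_hashes))
    mismatched = [name for name, expected in acquisition_hashes.items()
                  if observed[name].lower() != expected.lower()]
    return {
        "verified_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "expected": dict(acquisition_hashes),
        "observed": observed,
        "intact": not mismatched,
        "mismatched_algorithms": mismatched,
    }


def verify_image_bytes(data, acquisition_hashes, examiner):
    """In-memory variant of verify_image for the constructed sample."""
    return verify_image(io.BytesIO(data), acquisition_hashes, examiner)
```

Record the acquisition-time digests alongside the image and run `verify_image` again before and after every examination session; a mismatch on any algorithm means the copy can no longer be offered as a duplicate of the original.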
Next, we will have a look at the fundamentals of digital forensics.