This chapter discusses the fourth step for implementing a digital forensic readiness program: guaranteeing the authenticity of digital evidence so that it is admissible in a court of law. Through the implementation of controls that ensure the digital evidence gathered is authentic, organizations can effectively demonstrate their due diligence when digital evidence is being admitted to a court of law.
Legal Admissibility
Essentially, admissibility is the determination of whether information that is presented before the trier of fact (ie, judge, jury) is worthy of being accepted in a court of law as evidence. Generally, in order for digital evidence to be admissible in a court of law, it must be proven to have relevance (ie, material, factual) and must not be overshadowed by invalidating considerations (ie, unfairly prejudicial, hearsay).
Within the legal system, there is a set of rules used as precedent for governing whether, when, how, and for what purpose digital evidence can be placed before a trier of fact. Traditionally, the legal system viewed digital evidence as hearsay because its authenticity could not be proven, beyond a reasonable doubt, to be factual. However, exceptions do exist under Federal Rules of Evidence 803(6), where digital evidence can be admitted into a legal proceeding only if it demonstrates “records of regularly conducted activity” as a business record, such as a record of an act, event, condition, opinion, or diagnosis.
In order for digital evidence to qualify under this exception, organizations have to demonstrate that their business records are authentic, reliable, and trustworthy. As stated in the Federal Rules of Evidence, in order to attain these qualifying properties, organizations must be able to demonstrate that their business records:
• were created as a regular practice of that activity;
• were created at or near the time by—or from information transmitted by— someone with knowledge;
• have been preserved in the course of a regularly conducted activity of a business, organization, occupation, or calling;
• are being presented by the custodian, another qualified witness, by a certification that complies with either Rule 902(11) or Rule 902(12), or with a statute granting certification;
• do not show that the source of information or method or circumstances of its preparation indicate a lack of trustworthiness.
Furthermore, even if a business record qualifies under these exceptions, organizations must still determine if the business record falls within the context of being either:
• Technology-generated data that has been created and is being maintained as a result of programmatic processes or algorithms (eg, log files). These records fall within the rules of hearsay exception on the basis that the data is proven to be authentic as a result of properly functioning programmatic processes or algorithms.
• Technology-stored data that has been created and is being maintained as a result of user input and interactions (eg, word processor document). These records fall within the rules of hearsay exception on the basis that the author of the data is reliable, trustworthy, and has not altered it.
Even if a business record meets the above criteria for being admissible as digital evidence, there is the potential that it will be challenged during legal proceedings. The basis for these contests is directed at the authenticity of the data and whether it has been altered or damaged either after it was created or as a result of interactions and exchanges with the data.
In an effort to reduce these oppositions, Federal Rules of Evidence 1002 describes the need for proving, beyond a reasonable doubt, the trustworthiness of digital evidence through the production of the authentic and original business record. Meeting this rule requires that organizations demonstrate their due diligence in preserving the authenticity of the original data source through the implementation of safeguards, precautions, and controls to guarantee that business records can be admitted as digital evidence during legal proceedings.
Preservation Challenges
Collecting business records is not as straightforward as it seems. As an example, where organizations operate in multiple jurisdictions and countries, they are bound in each location by multiple factors that determine how they can effectively preserve their business records.
First and foremost, organizations need to answer two preliminary questions before determining how they will guarantee the authenticity of their business records.
Can digital evidence be gathered without interfering with business operations and function?
The overall strategy for implementing digital forensic readiness, summarized as “the ability to maximize potential use of digital evidence while minimizing investigative costs,” includes an objective to gather admissible digital evidence without interrupting business operations and functions.
Typically, forensic investigations are performed in reaction to an event and require the assistance of several support resources to gather relevant digital evidence. In some instances, this reactive approach results in roadblocks where business records are not readily available, which requires support resources to be removed from day-to-day business operations to assist. Where gathering business records has been identified as beneficial to digital forensic readiness, organizations need to assess the work effort required of resources to implement the proactive collection requirements without impeding their day-to-day business operations.
Can digital evidence be gathered legally?
Aligned with the overall strategy for implementing digital forensic readiness noted above, another objective of gathering admissible digital evidence is to do it in a way that does not violate any laws or regulations. This determination should not be done without obtaining legal advice to ensure that the evidence collection requirements are met and upheld.
In some countries, there are relevant laws around data protection, privacy, and human rights that will dictate what business records can be collected and, if they can be collected, where or how they are stored. For organizations to demonstrate reasonable assurance, the collection of all business records must adhere to all applicable laws and regulations.
Preservation Strategies
Having answered these questions and knowing the constraints around what, how, and where business records can be gathered, organizations can now implement strategies to ensure they are compliant with applicable laws and regulations. As these strategies are being identified and developed, it is important to keep in mind that they should encompass a series of complementary administrative, physical, and technical security controls.
Administrative Controls
Before any type of technical or physical security controls can be implemented, there must first and foremost be a foundational governance structure in place. This governance structure is established in the form of administrative controls that include the creation and approval of organizational policies, standards, and guidelines that support the preservation of digital evidence authenticity and integrity.
Policies
These documents are created with the intent of building a formal blueprint that describes the goals for preserving digital evidence. They are designed to provide generalized direction that allows organizations to consider any subsequent physical or technical security controls that are required to safeguard their digital evidence.
Guidelines
Building off of the policy documentation, guidelines can now be created as documents that provide recommendations for how to implement the generalized direction set previously. The context of these documents is intended to be subjective where organizations will use the recommendations as a way of gathering requirements for how to preserve the authenticity and integrity of their digital evidence.
Standards
Following the interpretation of the guidelines, standard documents are created to outline the minimum level of technical and physical security controls necessary. These documents should contain the exact configurations, architectures, and specifications for implementing technical and physical security controls in support of policies and guidelines.
Procedures
The previously noted administrative controls do not have direct oversight of interactions with collected digital evidence. Through the implementation of standard operating procedures, the exchanges and interfaces between administrators, operators, and investigators and digital evidence are documented.
For further information about how these administrative controls support the overall evidence management life cycle, including specific examples of governance documentation, refer to chapter “Evidence Management” of this book.
Technical Controls
Stated previously in this chapter, even if a business record meets the criteria for being admissible during a legal proceeding, organizations will still be faced with the challenge of proving it has not been altered or damaged after it was created or as a result of interactions and exchanges with it.
As a means to mitigate the potential for the authenticity of business records being challenged in a court of law, organizations should implement several technical controls to guarantee that business records can be admitted as digital evidence. Understanding that every organization’s business environment is different, at a minimum the following technical controls must be in place to ensure secure preservation of business records as digital evidence.
Storage Security
Organizations can select from many different types of electronic storage medium to preserve their collected digital evidence, such as hard drives or backup tapes. Regardless of how the information is being stored, organizations must consider the data-at-rest implications by ensuring the preserved digital evidence is not exposed if unauthorized access to the storage medium is gained. Through the use of cryptography, inactive data can be protected through one of the following implementations.
• Full-disk encryption applies cryptographic algorithms to the physical storage medium, regardless of its content, to encrypt all information.
• Encrypted file system applies cryptographic algorithms at the file system level to encrypt logical data sets.
The use of disk encryption does not replace the need for file encryption in all situations. In some instances, the two can be used in conjunction with each other to provide a more layered defense for guaranteeing the authenticity and integrity of digital evidence.
Integrity Monitoring
All types of digital data, whether technology-generated or technology-stored, are prone to issues of trustworthiness where the content and context of the information cannot be easily validated and are often challenged for their authenticity. These issues of data integrity and authenticity are some of the contributors that render business records inadmissible as digital evidence in a court of law.
However, organizations can get the upper hand on the matter of data integrity and authenticity through the use of solutions such as file integrity monitoring. With these technologies, validation of both system and data integrity can be achieved by authenticating specific data properties of the current data state against the known-good state of the data. Examples of data properties that can be used as part of this verification and validation include the following:
• Subject permissions and entitlements
• Actual data content of files
• Metadata attributes (ie, size, creation date/time)
• Cryptographic values (ie, Message Digest Algorithm family (MD5), Secure Hashing Algorithm (SHA) family)
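A minimal file integrity monitor for an evidence store, added here as a worked example (it is not code from the chapter): it records the properties listed above for each file (POSIX permission bits, size, modification time, SHA-256 of the content) as the known-good state, then reports which property drifted. The evidence files and the three kinds of tampering are constructed inline.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Content hash, read in chunks so large log files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(path: Path) -> dict:
    """The properties the chapter lists: permissions, metadata, content hash."""
    st = path.stat()
    return {"mode": stat.S_IMODE(st.st_mode),  # subject permissions
            "size": st.st_size, "mtime_ns": st.st_mtime_ns,  # metadata attributes
            "sha256": sha256_of(path)}  # cryptographic value of the content


def build_baseline(root: Path) -> dict:
    """Known-good state, keyed by path relative to the evidence store."""
    return {str(p.relative_to(root)): snapshot(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, baseline: dict) -> dict:
    """Return {relpath: [changed properties]}; an empty dict means no drift."""
    findings, current = {}, build_baseline(root)
    for rel, known in baseline.items():
        now = current.get(rel)
        if now is None:
            findings[rel] = ["missing"]
            continue
        changed = [prop for prop in known if known[prop] != now[prop]]
        if changed:
            findings[rel] = changed
    for rel in sorted(current.keys() - baseline.keys()):
        findings[rel] = ["unexpected"]  # e.g. a record planted after collection
    return findings


def demo() -> dict:
    """Constructed evidence store (assumed POSIX) with three kinds of tampering."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        auth, app = root / "auth.log", root / "app.log"
        auth.write_bytes(b"Jan 1 00:00:01 host sshd[1]: Accepted publickey for ops\n")
        app.write_bytes(b"2024-01-01T00:00:02Z INFO collector started\n")
        app.chmod(0o640)
        baseline = build_baseline(root)
        # 1. Same-length edit with the timestamp put back: only the hash catches it.
        st = auth.stat()
        auth.write_bytes(b"Jan 1 00:00:01 host sshd[1]: Accepted publickey for bob\n")
        os.utime(auth, ns=(st.st_atime_ns, st.st_mtime_ns))
        app.chmod(0o600)                                # 2. permission change only
        (root / "extra.log").write_bytes(b"planted\n")  # 3. file planted in the store
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The first case is why metadata alone is not enough: size and timestamp match the baseline, and only the content hash reveals the edit.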
Implementation of integrity monitoring is an essential security control to guarantee the authenticity and integrity of business records as digital evidence. In addition to the use of integrity monitoring as a means of proving the authenticity of data, these solutions have also been established as a requirement for several regulatory compliance objectives, including:
• Payment Card Industry Data Security Standard—Requirement 11.5
• Sarbanes–Oxley Act—Section 404
• Federal Information Security Management Act—National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev3
• Health Insurance Portability and Accountability Act of 1996—NIST SP800-66
The online reference to the above regulatory objectives can be found in the Resources section at the end of this chapter.
Cryptographic Algorithms
Every interaction with and exchange of digital information introduces the potential of that data being modified; whether knowingly or unintentionally. Proving the authenticity of digital information to the original source and maintaining that level of integrity throughout a forensic investigation is critical for it to be admissible as digital evidence.
Cryptography supports many information security-centric services, such as authentication and nonrepudiation, that are fundamental to the digital forensic science discipline and digital evidence management, as discussed in chapter “Evidence Management.” Examples of common cryptographic algorithms that are used in digital forensics as part of evidence management are the following:
• The Message Digest Algorithm family (eg, MD5) is commonly used during a forensic investigation to generate a unique cryptographic identifier of files, data streams, and other digital evidence. However, in 2010, researchers were able to generate collisions where the same 128-bit hexadecimal value could be generated for two distinctively different pieces of digital information.
• The SHA family (eg, SHA-2) is also used during forensic investigations to generate a unique cryptographic identifier for digital evidence. From the collisions identified within specific versions of the Message Digest Algorithm family, specifically MD5, the SHA family of hash functions has become popular as a means of establishing the integrity and authenticity of digital evidence.
• Cyclic Redundancy Check is commonly used during the forensic duplication of digital evidence to detect modifications to the underlying data. Using these calculations allows forensic investigators to use the duplicate data during analysis instead of risking potential contamination of the original evidence source.
When implemented correctly, cryptography provides organizations with an acceptable level of assurance that the integrity of collected business records can be proven when authenticated to the original data source.
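As an added example (not code from the chapter): a one-pass acquisition record of an original evidence image using the three checks named above (MD5, SHA-256, CRC32), followed by verification of working copies against that record so that analysis never needs to touch the original. The image bytes and the damaged copies are constructed inline.

```python
import hashlib
import io
import zlib
from typing import BinaryIO, Dict

CHUNK = 1 << 16


def acquisition_record(stream: BinaryIO) -> Dict[str, str]:
    """One pass over the original evidence computing the three checks the chapter names.
    MD5 is kept for compatibility with older reports, SHA-256 is the value relied on
    (MD5 collisions are known), and CRC32 flags accidental corruption during copying;
    CRC32 is not collision resistant, so it never stands alone."""
    md5, sha, crc = hashlib.md5(), hashlib.sha256(), 0
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        md5.update(chunk)
        sha.update(chunk)
        crc = zlib.crc32(chunk, crc)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(), "crc32": f"{crc:08x}"}


def verify_working_copy(copy: BinaryIO, record: Dict[str, str]) -> Dict[str, bool]:
    """Check a duplicate against the acquisition record, check by check."""
    actual = acquisition_record(copy)
    return {name: actual[name] == expected for name, expected in record.items()}


def demo() -> Dict[str, Dict[str, bool]]:
    # Constructed 'disk image': a small marker plus 16 KiB of filler.
    original = b"EVIDENCE-IMG" + bytes(range(256)) * 64
    record = acquisition_record(io.BytesIO(original))   # taken once, at acquisition
    flipped = bytearray(original)
    flipped[4096] ^= 0x01                               # one bit changed in the copy
    truncated = original[:-1]                           # copy cut short
    return {
        "identical": verify_working_copy(io.BytesIO(original), record),
        "bit_flipped": verify_working_copy(io.BytesIO(bytes(flipped)), record),
        "truncated": verify_working_copy(io.BytesIO(truncated), record),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```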
Remote Logging
Technology-generated data stored on local systems, such as security or audit log files, is inevitably more vulnerable to being (1) manipulated to conceal activities or events or (2) planted to incriminate other individuals. These data integrity issues lessen the credibility of the information and render it inadmissible as evidence in a court of law.
As a best practice, remote logging capabilities should be leveraged to redirect the logging of technology-generated data off local systems and into a centralized remote logging infrastructure, such as a data warehouse as discussed in Appendix E: Cost-Benefit Analysis.
Enforcing this safeguard will reduce the likelihood of data tampering on local systems and maintain the integrity of technology-generated data as admissible digital evidence.
Secure Delivery
Where remote logging capabilities exist, organizations must consider the data-in-transit implications for collected digital evidence. Regardless of whether information is traveling across a public or private network, there is a need to ensure the secure delivery of digital evidence to maintain its authenticity and integrity.
Network communications are, in general, insecure: information traveling across them can readily be accessed or modified by unauthorized subjects if appropriate controls are not in place. Knowing this, organizations should be concerned with the confidentiality and integrity of digital evidence as it is being collected into their remote logging solution(s). As a countermeasure, organizations should implement an encrypted communication channel using, as an example, Internet Protocol Security to mitigate the risk of data-in-transit security concerns.
Physical Controls
Generally, physical security controls are designed to control and protect an organization’s physical assets (ie, building, systems, etc.) by reducing the risk of damage or loss. As organizations design their approach to ensure the secure preservation of digital evidence, they must take into account the costs of building, operating, and maintaining physical security controls that work in conjunction with their administrative and technical security controls.
While physical security controls may not always have the same direct interaction with digital evidence that technical controls have, they provide an additional layer of defense to safeguard the physical medium (ie, tapes, hard drives) where digital evidence is stored. Physical security controls indirectly contribute to preserving the authenticity and integrity of digital evidence as implemented in one of the following categories.
Deter
The goal of these physical security controls is to convince potential intruders and attackers that the likelihood of success is low because of strong defenses. Typically, the implementation of deterrent security controls is found in the combined use of physical barriers (ie, walls), surveillance (ie, closed-circuit television (CCTV)), and lighting (ie, spot lights).
Crime Prevention Through Environmental Design
Crime prevention through environmental design (CPTED) is an approach to planning and developing physical security controls that use natural or environmental surroundings to reduce the opportunities for crime. As part of a comprehensive approach to guaranteeing the authenticity and integrity of digital evidence, examples of CPTED controls that can be implemented include, but are not limited to:
• Natural surveillance such as implementing lighting designed to illuminate points of interest that do not generate glare or blind spots
• Natural access controls such as multilevel fencing to control access and enhance visibility
• Natural territorial reinforcements such as restricting activities to defined areas through the use of signage
Detect
Generally, detective controls are intended to discover and interrupt potential intruders and attackers before an incident or event occurs. Optimally, these controls should be implemented to reveal the presence of potential intruders and attackers while they are collecting information about how they can gain access to the physical medium where digital evidence is being stored.
While it also plays a part in the deterrence of potential intruders and attackers, the use of CCTV is one of the most common physical controls for discovering an incident or event. Additionally, physical alarm systems and sensors can be used in combination with other types of controls (ie, barriers, guards) to trigger a response when a breach has been detected.
Deny
Identical to the use of authentication and authorization mechanisms to control logical access to systems and data, the same type of restrictive security controls must be used to deny physical access to the organization’s assets. The primary objective of these physical controls is to deny potential intruders and attackers the ability to cause damage to systems and information.
Within the context of preserving authenticity and integrity, examples of physical controls that can be used to deny access to collected digital evidence include, but are not limited to:
• Constructing secure storage facilities, such as lockers and restricted areas, that have true floor-to-ceiling walls
• Entrances that are constructed of material resistant to tampering and have internally facing hinges
• Mechanisms to control and restrict access into secure lockers and restricted areas; such as lock and key, biometric scanner, or card/badge readers
Delay
Where the implementation of physical security controls is unable to deter or detect potential intruders and attackers, such as having obtained a key that provides access into the secure storage area, additional controls must ensure that their ability to easily gain access to digital evidence is delayed.
Typically, these types of controls are the last line of defense when all previous implementations (deter, detect, deny) have failed to deliver the level of protection that they were intended for. Examples of how these security controls provide the last line of defense in physically protecting digital evidence include the following:
• placing secure lockers inside restricted areas that are located away from the exterior of the building and requiring multiple checkpoints in order to gain access
• requiring security guards to conduct searches and inspection of people, parcels, and vehicles as they leave buildings
Implementing physical safeguards provides organizations with a layer of security controls complementary to their administrative and technical controls. Not only do these physical security controls help to guarantee the authenticity and integrity of collected digital evidence, but they also support data protection requirements as part of the overall evidence management life cycle.