Showing Your Hand

By Zaithyn Galter Published 06/10/2009 | Computer

Having imaged and analysed the suspect's computer disks and found the evidence, all that remains is the process of presenting that evidence for use in any criminal, civil or disciplinary hearings.

It might sound easy, but the significance of taking compelling physical evidence and presenting it badly should not be underestimated. To the average man in the street, computers are still largely a technical mystery, and presenting computer evidence in too much detail may serve only to confuse a jury. This leaves jurors with only two options: to make judgements based upon misunderstanding, or to ignore detail which is too complex for them to fully understand but which may be the pivotal point of the case.

Evidence is usually presented in the form of a witness statement accompanied by "productions" or "exhibits", which may be printouts, reproductions of images or sometimes hardware items. Such statements must be written in accordance with legal requirements for them to be truly admissible. And this raises another question:

Who should be asked to examine the evidence? A technical support person may be well versed in the technology, and a security consultant will be able to provide valuable insight into the nature of the offence. However, when questioned about the principles of data storage at the bit or byte level or the finer points of forensic imaging, they may not have sufficient background, or credentials, to withstand vigorous cross-examination by a tenacious barrister.

The End Game

There are several other important factors which must also be considered when analysing evidence. Is the problem restricted to just internal staff, or is there external involvement? This may be discovered, for example, through the examination of e-mails. The extent of corporate liability must be established as early as possible, enabling decisions regarding possible actions to be made with due diligence.

Finally, if you think you may have a problem, it is better to act quickly: computer evidence is volatile and can be destroyed in a blink. It is also better to know for sure than to ignore possible consequences. If you are unfortunate enough to uncover a potential problem, it may be prudent to seek confidential advice from an experienced forensic examiner before rushing in. The "do it yourself" route is a risky strategy which may have far-reaching effects. If you are committed to using in-house staff, remember the basics of evidential integrity and don't be tempted to use shortcuts.

When carried out correctly, forensic analysis of computer systems involved in abuse can provide valuable evidence which might otherwise have been lost or overlooked. Performed wrongly, even with good intent, it could give the guilty the opportunity they need to get a case dismissed.

Elizabeth Sheldon is a director of Evidence Talks. One of the most highly regarded computer forensics consultancies in the UK, Evidence Talks lead the way with unique solutions to some of the problems faced by industry today. More information visit-