3 Words Never To Use When Talking About Digital Evidence in a Courtroom
At work, a “copy”, “ghost” or “mirror” of your data can help you collaborate with coworkers or quickly recover a lost or corrupted file.
In a courtroom, any of these three terms can get you into trouble.
WHAT EXACTLY ARE YOU COPYING, GHOSTING OR MIRRORING?
The trouble arises from what exactly is being copied. Most ways of copying, ghosting or mirroring a drive focus on what is called the “allocated data”: all the data that your computer is currently using and that can be easily found on the drive. The problem is that this allocated data is only part of the story, and the rest of the drive isn’t typically captured by a copy, ghost or mirror of a device. This is where you can get into trouble in court when using these terms.
Drives also have “unallocated data” or what most operating systems call “free space”. This unallocated data can include deleted files, system log files, Internet search history and other hardware-related data. This unallocated data can be a treasure trove of evidence for forensic examiners, especially in cases where someone may have tried to destroy, delete or tamper with digital records. If a copy, ghost or mirror of a drive is introduced as evidence in a court, it may not include this valuable unallocated data.
“VERIFIED FORENSIC IMAGE”
Instead of using a copy, ghost or mirror, digital forensic examiners use what is called a “verified forensic image” when working with and presenting digital evidence.
A forensic image is an exact copy of all the 1s and 0s on every physical sector of a piece of media (hard drive, flash drive, etc.), including both allocated and unallocated data.
An examiner can “verify” a forensic image by comparing the “hash value” of the image to that of the original drive. The hash value of a drive is a fixed-length numeric value that uniquely identifies the data on that drive. If the hash value of the image matches that of the original, then the image is a “verified forensic image”.
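The difference between a file-level copy and a verified forensic image can be shown on a small constructed example. The following Python is an added illustration, not code from this article or from Flashback Data: it builds a toy sixteen-sector “drive” with a made-up directory of allocated files (a stand-in for a real file system’s allocation records), “deletes” one file by dropping its directory entry while its sectors stay on disk, and then contrasts what a copy of the allocated data captures with what a sector-by-sector image captures. SHA-256 is assumed as the hash; the article only says “hash value”, and an examiner would use whatever algorithm the imaging tool records.

```python
"""Toy sector-level drive: file-level copy versus verified forensic image (constructed example)."""
import hashlib

SECTOR_SIZE = 512
NUM_SECTORS = 16


def sha256_hex(data: bytes) -> str:
    """Fixed-length hash value of a byte string (SHA-256 assumed here)."""
    return hashlib.sha256(data).hexdigest()


def build_sample_drive():
    """Return (drive, directory) for a constructed piece of media.

    drive is the raw bytes of every sector. directory maps each live file name to its
    (first_sector, sector_count) extent and plays the role of the file system's
    allocation records: only the directory decides what a copy/ghost/mirror sees.
    """
    drive = bytearray(SECTOR_SIZE * NUM_SECTORS)
    directory = {}

    def write_file(name, start, content):
        count = -(-len(content) // SECTOR_SIZE)  # sectors needed, rounded up
        offset = start * SECTOR_SIZE
        drive[offset:offset + len(content)] = content
        directory[name] = (start, count)

    write_file("report.txt", 1, b"Quarterly report: nothing unusual.")
    write_file("notes.txt", 3, b"Draft memo, deleted by the user, still sitting in free space.")
    # "Delete" notes.txt: the allocation record disappears, the sector contents do not.
    del directory["notes.txt"]
    return bytes(drive), directory


def file_level_copy(drive, directory):
    """What a copy of the allocated data captures: the live files only."""
    out = {}
    for name, (start, count) in directory.items():
        lo = start * SECTOR_SIZE
        out[name] = drive[lo:lo + count * SECTOR_SIZE].rstrip(b"\x00")
    return out


def forensic_image(drive):
    """Sector-by-sector image: every byte of every sector, allocated or not."""
    return b"".join(drive[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE] for i in range(NUM_SECTORS))


def verify_image(original, image):
    """The image is 'verified' only when its hash equals the hash of the original media."""
    return sha256_hex(original) == sha256_hex(image)


def unallocated_data(image, directory):
    """Bytes of every sector no live file references; deleted content survives here."""
    used = set()
    for start, count in directory.values():
        used.update(range(start, start + count))
    return b"".join(image[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
                    for i in range(NUM_SECTORS) if i not in used)


if __name__ == "__main__":
    drive, directory = build_sample_drive()
    copy = file_level_copy(drive, directory)
    image = forensic_image(drive)
    print("files in the copy:      ", sorted(copy))
    print("image hash verified:    ", verify_image(drive, image))
    print("deleted memo in copy:   ", any(b"Draft memo" in v for v in copy.values()))
    print("deleted memo in image:  ", b"Draft memo" in unallocated_data(image, directory))
```

Running it shows the copy holding only report.txt, the image verifying against the original, and the deleted memo recoverable only from the image’s unallocated sectors. Flipping a single byte of the image makes verify_image return False, which is exactly why the hash comparison, not the act of copying, is what an examiner can stand behind in court.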
USE IN THE COURTS
In contentious cases or those that involve attempts to destroy or tamper with evidence, using digital evidence that is based on a “copy”, “ghost” or “mirror” of an original drive is an invitation to have that evidence declared inadmissible. Using a “verified forensic image” can avoid these traps in the courtroom.
If you’re concerned about your department’s ability to manage complex digital evidence in ways that will hold up in court, CONTACT FLASHBACK DATA. Our digital crime lab is accredited under the same program as the FBI and state crime labs. We can help you plan, gather, protect, examine and defend almost any form of digital evidence.