21 May 2017

Computer forensics can be used in many different situations today, and is used in a variety of cases including computer hacking, computer trespass, data fraud, child pornography, and many more. Computer forensics is used in a lot of Intellectual Property cases, which may include corporate espionage, trade secrets, or any other situation where there has been unlawful access to data. Computer forensics can be used to gather information about a victim, or a suspect, and just like any evidence, the information gathered must maintain “. . . the necessary chain of custody and data integrity.”[1]

Computer forensics is a specialized field for computer experts. Computer forensics is also referred to as digital forensics because there is a wide variety of items that can be examined that people will not necessarily think of as computers. This includes, but is not limited to, “ . . . computers, laptops, smart phones, storage media”[2] and many more items that may store any kind of digital information.

Getting Computer Forensics Admitted: Daubert

“To enter scientific evidence into a United States court, a tool must be reliable and relevant. The reliability of evidence is tested by applying “Daubert” guidelines.”[3] With computer forensics, there are three major steps: acquisition, analysis, and presentation.[4]

The first step, acquisition, saves all of the digital information for later analysis. During this step, the information must also be transferred to a storage device that is known to be safe. This step is the equivalent of taking photos of the crime scene.[5] The next two steps are pretty self-explanatory. You first analyze the data that has been acquired, and then present the data in a way that explains what it is, and how it was used.

The court has stated that scientific testimony, in order to be admissible, must be examined, and the judge may determine if the testimony will be admitted. The court stated:

“[T]he trial judge, pursuant to Rule 104(a), must make a preliminary assessment of whether the testimony’s underlying reasoning or methodology is scientifically valid and properly can be applied to the facts at issue. Many considerations will bear on the inquiry, including whether the theory or technique in question can be (and has been) tested, whether it has been subjected to peer review and publication, its known or potential error rate and the existence and maintenance of standards controlling its operation, and whether it has attracted widespread acceptance within a relevant scientific community.”[6]

When applying the Daubert factors to computer forensics, you must apply each factor to each stage in the process (acquisition, analysis, and presentation).

When testing computer forensics tools, there are two types of tests that are used: “false positives” and “false negatives.”[7] Both of these tests are exactly how they sound. In the false positive test, the tester places certain data on the computer, then uses the forensic tool to search for data. The tester then reviews the results and ensures that the tool did not present data that was not on the computer.[8] The false negative test is the opposite of the false positive test. The tester places data on the computer, then uses the forensic tool to search for that data, and ensures that it is all produced in the results. The National Institute of Standards and Technology “. . . develop[s] test methodologies for a category of tools and conduct tests using specific input cases.”[9]

The error rate in computer forensics is found in much the same way as any other error rate. You conduct the test a number of times, count the instances in which there is an error, and use this number to calculate the error rate. In computer forensics there are two ways an error generally can occur. The first is “tool implementation error.”[10] This is an error that will occur because of “bugs in the code or from using the wrong specification.”[11] Essentially, this means that the developer made an error when he/she wrote the program. The other error that can occur is “an abstraction error.”[12] This error happens when the forensic tool makes “decisions that do not have 100% certainty.”[13] This error “typically occurs from data reduction techniques or by processing data in a way that it was not originally designed for.”[14] A computer program has to be written to make certain assumptions, so when it is analyzing data it may eliminate data based on an assumption that turns out to be wrong.
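The planted-data tests and the error-rate calculation described above, as an added Python example that is not from the original article or its sources. The search term, the sample files and the three tools are constructed for illustration; one tool shows an abstraction error (a data-reduction assumption) and one a tool implementation error (a bug).

```python
import os
import tempfile

TERM = b"TRADESECRET-7"
# Constructed test set: file name -> (bytes written to disk, was the term planted?)
SAMPLES = {
    "memo.txt":   (b"Q3 figures, ref TRADESECRET-7", True),
    "notes.txt":  (b"lunch at noon", False),
    "policy.txt": (b"TRADESECRET handling policy", False),  # shares a prefix only
    "backup.dat": (b"\x00\x01TRADESECRET-7\x02", True),     # planted in a non-text file
    "photo.jpg":  (b"\xff\xd8\xff\xe0 image bytes", False),
}

def _read(root, name):
    with open(os.path.join(root, name), "rb") as fh:
        return fh.read()

def tool_reference(root, term):
    """Hypothetical tool: searches the raw bytes of every file."""
    return {n for n in os.listdir(root) if term in _read(root, n)}

def tool_text_only(root, term):
    """Abstraction error: assumes only .txt files can hold the term."""
    return {n for n in os.listdir(root)
            if n.endswith(".txt") and term in _read(root, n)}

def tool_prefix_bug(root, term):
    """Implementation error: compares only the first 8 bytes of the term."""
    return {n for n in os.listdir(root) if term[:8] in _read(root, n)}

def evaluate(tool, samples=SAMPLES, term=TERM):
    """Plant the samples, run the tool, and score it against ground truth."""
    with tempfile.TemporaryDirectory() as root:
        for name, (data, _) in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        reported = tool(root, term)
    planted = {n for n, (_, hit) in samples.items() if hit}
    false_pos = sorted(reported - planted)   # reported but never planted
    false_neg = sorted(planted - reported)   # planted but not reported
    return {
        "false_positives": false_pos,
        "false_negatives": false_neg,
        "error_rate": (len(false_pos) + len(false_neg)) / len(samples),
    }

if __name__ == "__main__":
    for tool in (tool_reference, tool_text_only, tool_prefix_bug):
        print(tool.__name__, evaluate(tool))
```

Each sample file counts as one test case, so the error rate is the number of wrong outcomes divided by the number of cases.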

The tool also has to be published, and reviewed by others in the industry. The developer of the program has a choice as to whether to publish his code or not. However, in order to be reviewed and used in a court room, the code has to be published so that others can see exactly how the program works. An FBI forensic journal, in referencing the use of digital forensics, stated that the code for the software needed to be published and that “[f]ailure on the part of the manufacturer to provide this information to litigants could result in the exclusion of imaging evidence in court proceedings.”[15] This suggests that if the code is not published, then it will not be authenticated to be used as evidence in court.

The tools must also be accepted. This also suggests that it requires publication in order to be accepted. If the tool has not published its code, it would be impossible for it to be accepted because the users would not know exactly how the tool works, and what possible defects there may be. It has been suggested that wide use will equate to acceptance; however, without the publication of the code, the use of these tools may be based on something more superficial, and not on the functionality and accuracy of the tool.[16]

Therefore, in order to be admitted in court, the digital forensics tools must go through a rigorous examination to be verified as legitimate evidence.

FRE 901(b)(9)

If someone argues that Daubert does not apply to digital forensics, FRE 901(b)(9) may put the tools through a similar test. That rule says “[t]o satisfy the requirement of authenticating or identifying an item of evidence, the proponent must produce evidence sufficient to support a finding that the item is what the proponent claims it is. . . Evidence describing a process or system and showing that it produces an accurate result.”[17]

As I read the statute, it seems that the developer of the computer program will have to show exactly how the program works, which means making the code available to other experts in order to analyze it, and that it gives accurate results. This rule essentially makes any system or procedure run through the Daubert test.

The 4th Amendment:

The 4th Amendment to the U.S. Constitution says “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated. . .”[18] This amendment is supposed to make the people feel free from unwarranted intrusion into their private matters. The right to “be secure in their persons, houses, papers, and effects . . .” is becoming harder to decide what is included. In reference to computer forensics, the term “papers” is becoming an ambiguous term. Instead of mail, there is email; instead of hard copies of documents there are digital copies; and as the world plunges further into becoming paperless, this term becomes more ambiguous.

Illegal search and seizure has been at issue numerous times, and it will continue to be so. The 4th Amendment took a pretty substantial hit in 2009 from the Department of Homeland Security (DHS). DHS has decided that, in order to protect Americans, they are allowed to seize and search all digital devices within a 100-mile radius of the nation’s borders. DHS stated:

“The overall authority to conduct border searches without suspicion or warrant is clear and longstanding, and courts have not treated searches of electronic devices any differently than searches of other objects. We conclude that CBP’s and ICE’s current border search policies comply with the Fourth Amendment.”[19]

This statement by DHS says that they feel that searching electronic devices “without suspicion” fully complies with the Fourth Amendment. However, the two seem to be in direct contradiction of each other. The Fourth Amendment says people are free from “unreasonable searches” and DHS says they are free to conduct searches without suspicion. A search that is done without any suspicion seems to be unreasonable. DHS goes on to say “[w]e also conclude that imposing a requirement that officers have reasonable suspicion in order to conduct a border search of an electronic device would be operationally harmful without concomitant civil rights/civil liberties benefits.”[20] DHS is saying that making officers have suspicion in order to conduct a search will be harmful to society. So, in DHS’s words, allowing unreasonable searches is not only in the nation’s best interest, it fully complies with the Fourth Amendment, which protects people from unreasonable searches.

The Court has also played its part in minimizing the protections of the Fourth Amendment. It has recently been ruled that there is no expectation of privacy in an email account. This case, Jennings v. Jennings; Broome; Cooke, although it doesn’t involve a government actor, has made a serious decision about the expectation of privacy.

This case involves a divorce between the parties, and emails that give the petitioner an advantage. “After finding a card for flowers for another woman in her husband’s car, Gail Jennings confronted him. Jennings confessed he had fallen in love with someone else, and although he refused to divulge her name, he admitted the two had been corresponding via e-mail for some time.”[21] Lee Jennings (Respondent) had these emails saved in his Yahoo email account, which was protected by a password. Gail Jennings (Petitioner) had revealed her husband’s affair to her daughter-in-law, Holly Broome. Broome used to work for the Respondent, and used her knowledge of his email passwords to access the Yahoo account. “Broome then printed out copies of the incriminating e-mails and gave them to Thomas Neal, Gail’s attorney in the divorce proceedings, and Brenda Cooke, a private investigator Gail hired.”[22] This case was being argued under the Stored Communications Act, which states:

“[A]nyone who: (1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.”[23]

The Court focused on “electronic storage” and what exactly that is and what is covered. “The SCA defines “electronic storage” as “(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for the purposes of backup protection of such communication.””[24]

The court of appeals ruled that the emails were in electronic storage, and therefore protected. However, this decision was overturned. The Court said “[w]e decline to hold that retaining an opened email constitutes storing it for backup protection under the Act. The ordinary meaning of the word “backup” is “one that serves as a substitute or support.””[25]

The Court here, in my opinion, has skirted the privacy laws by saying that storing your private emails in an online server, as opposed to a local storage device, means that those emails are no longer entitled to privacy, even though they are protected with passwords. Essentially, protecting your digital information is not enough to make that information private. You must also store that information on a private device, and remove it from the third-party server. As mentioned above, this case did not deal with a government actor, but it does open the door for the argument that online content has no rights of privacy.


Computer forensics is becoming more prevalent in today’s paperless world. Digital information may, if it hasn’t already, surpass non-digital forms of information. This being the case, there is a need for computer forensics, and there is a definite need to define its limitations.

Although there is an obvious need for computer forensics, there is also, and has been, a need for the citizens to feel free from unreasonable searches and seizures. The Fourth Amendment clearly says that any search and seizure needs to be reasonable; in other words, there has to be some reason for the search and seizure. DHS is tiptoeing on, if not crossing, the line from reasonable to unreasonable. Although there is a need for protection at the country’s borders, arbitrarily searching any device near the border may be unreasonable. Citizens who merely live in this zone can have their digital devices seized and searched at any moment, and for no other reason than they live near the border (or in Michigan, anywhere in the state). The Court in the Jennings case, not wanting DHS to have all the invasion of privacy fun, decided that emails stored in an online account are not protected. It is my hope that the Court will respect a person’s privacy, and uphold the reasonableness of searches and seizures. There will always be dangers in this country, from outside our borders, as well as from within, but the citizens should not fear the prying eyes of our Government at any time, anywhere, and for any or no reason at all. It is said that Benjamin Franklin once said “[t]hey who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.”[26] We are losing liberties at an excessive rate in today’s society; we need to slow, if not stop this, and it starts with the Court upholding the Fourth Amendment that indeed there is “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated. . .”[27]

[1] http://www.swailes.com/service-computerforensics.htm

[2] http://www.infosecusa.com/what-is-computer-forensics

[3] http://www.digital-evidence.org/papers/opensrc_legal.pdf

[4] Id.

[5] Id.

[6] Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579, 580 (1993)


[8] Id.

[9] Id.

[10] Id.

[11] Id.

[12] Id.

[13] Id.

[14] Id.

[15] Id.

[16] Id.

[17] Fed. R. Evid. 901

[18] USCA CONST Amend. IV-Search and Seizure

[19] http://www.theblaze.com/stories/2013/02/10/new-dhs-report-announces-auth...

[20] Id.

[21] Jennings v. Jennings, 736 S.E.2d 242, 243 (S.C. 2012)

[22] Id.

[23] Id. at 244

[24] Id. Quoting 18 U.S.C. § 2510(17).

[25] Id. at 245

[26] http://en.wikiquote.org/wiki/Benjamin_Franklin

[27] USCA CONST Amend. IV-Search and Seizure