Presenting Digital Evidence To Court Criminology Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Forensic technology is the application of scientifically proven methods to gather, process and interprete digital evidence to provide a conclusive description of electronic activities and it is an approach to capture and analyse evidence to identify relevant items and present these to a court or regulator (Fran and Suzanne, 2009).

Digital evidence has been previously defined as any data that can establish that a crime has been committed or can provide a link between a crime and its perpetrator (Eoghan 2004, adapted from Casey 2000). For the purpose of this study digital evidence will be defined as information or data retrieved from electronic devices, for example, computers, mobile phones, 'hard disc, usb sticks, e-mails, cache of internet sites, log files and in some cases databases, invoices, documents, meta data and many more' (David, 2008:pp ), which could be required in court to further prove the perpetrator guilty of a crime (Katie, 2001).

The Police and Criminal Evidence Act (PACE) 1984 and the Computer Misuse Act (CMA)1990 have been used to resolve cases of digital evidence in court.

The Association of Chief Police Offices (ACPO) in England, Wales and Ireland developed guidelines on how digital evidence should be retrieved and handled in order to be acceptable in court without any doubts whatsoever. The challenges of the law however in England and Wales to meet up with digital evidence with regards to e-crime seem ineffective because of the emergence of different devices that can store data and the consistent use of the internet to perpetrate crime.


Forensic techniques can often recover data from personal computers and a host of other devices that the author of the document thought had been deleted, or capture data that is not generally available to user (Fran and Suzanne, 2009).

When presenting a crime case in court that involves the use of digital devices before a United Kingdom court especially in England and Wales, certain rules and guidelines must be adhered to in order to convince the court that the defendant is guilty of the crime he is accused of beyond all reasonable doubt (Ian, 2006).

Authenticity, Reliability and Admissibility

The process however of determining whether evidence is worthy is called authentication (Eoghan, 2004).

'Authentication means satisfying the court that the contents of the record have remained unchanged, also that the information in the record does in fact originate from its purported source, whether human or machine, and that the information is indeed accurate' (Eoghan, 2004 adapted from Reed 1990-91). It may also be necessary to show that a computer system or device that generated the digital evidence was working properly during the time of its use. 'Once the evidence is admitted in court, the reliability is then assessed to establish its probative worth'(Eoghan, 2004:pp 174); For example, if there is concern that the evidence was believed to have been tampered with before collection then its reliability will raise doubts in court, 'subsequently, attorneys have in different cases argued that digital evidence was not trustworthy merely because there were possibilities that it could actually have been changed, and in some instances, fabricated' (Eoghan, 2004).

Although there are no set down standards or protocols for handling of computer evidence certain measures are taken into consideration (Ian 2006). Some guidelines have been laid down by ACPO in England, Wales and Northern Ireland on the best practice in recovering digital based evidence to ascertain its reliability ad authenticity (David, 2008).

Methodology and Procedure

The ACPO guidelines have being discussed in many articles in the past and is being followed during investigations that produce digital evidence in court (Ian, 2006). The guidelines read thus;

Principle 1: The data held on the exhibit must not be changed.

Principle 2: Any person accessing the exhibit must be competent to do so and explain the reliance and the implications of their actions.

Principle 3: A record of all processes applied to an exhibit should be kept. This record must be repeatable to an independent third party.

Principle 4: The person in charge of the investigation has responsibility for ensuring that the law and these principles are adhered to.

(Ian, 2006)

One of the most important aspects of authentication in the ACPO guideline is maintaining what is known as chain of custody (Eoghan, 2004), so with the enactment of these principles it becomes critical to be able to account for all that happened to an exhibit during the time you were in possession of it. Take for instance a mobile phone; you should be able to account for it from the time it was seized to the time it was examined by a forensic examiner (Ian, 2006). Any loophole or gap in this chain of evidence could mean that one or more unknown persons could have had access to the exhibit and thus may have interfered with the integrity of the exhibit (Ian, 2006).

The court will most likely accept if as stated by Ian in his report for the British Computer Society (BCS), any actions performed by the examiner that could be deemed to alter the data on the original exhibit and be described in enough detail to demonstrate these principles have being followed. Therefore in creating a forensic copy of a hard drive, for example, it must be clearly stated that suitable precautions were taken to prevent any data being written to the disk, which will typically be the use of a hardware write-blocking device as a precaution (Ian, 2006).

However, these procedures may have had complications in relation to the nature and complexity of wireless networks which raises a host of criminal and legal issues (Curt et al 2002). The procedure listed above becomes very difficult to follow with wireless or internet crime as time is of the essence when collecting or retrieving such evidence as the case may be.


In the United Kingdom, the PACE Act of 1984 have been used to establish and evaluate evidence in court but this Act applies England and Wales and not Scotland. The CMA of 1990 (as amended by the Police and Justice Act 2006) has also been applied when issues of computer crime arise in UK courts (David, 2008).

The 1990 Act holds that a suspect must be suspected of committing serious arrestable offences and the application usually must go to a magistrate or judge. Depending on the type of offence, the warrant will then be issued which gives the police the authority to seize property related to the offence (Eoghan, 2004). So in the case of computer crime or where digital evidence will be required, mobile phones, computers or any device present can be seized.

Role of Digital Evidence

Digital evidence can be useful in a wide range of criminal investigations such as homicides, sex offences, missing persons, child abuse, drug dealing and harassment (Eoghan, 2004).

The role of digital evidence in a computer crime case is attributing the crime to the suspect by uncovering link between the offender, victim and crime scene (Eoghan, 2004: pp 96). This report discusses the roles digital evidence has played in making the connection between offenders and the crime in past cases.

In the World Trade Centre bombings in the United States in 2001, computers played a role in the planning and subsequent investigations of both attacks. The suspects, Ramsey Yousef's and Zacarias Moussaoui's laptops were discovered to have contained plans for the first bombing and during the investigation of the second attack , over 100 hard drives were examined (Eoghan, 2004: pp 10).

The case of Daniel Pearl, an American journalist in Pakistan, who was murdered, e-mail ransom notes sent by Islamists who kidnapped him were instrumental in identifying the individuals responsible in Pakistan (Eoghan, 2004: pp 10).

In 1996 another e-mail investigation happened also in the case of one Sharon Lopatka, from Maryland in the United States. Investigations led the police to find hundreds of e-mail messages between Lopatka and a man named Robert Glass about their torture and death fantasies. These led investigators to North Carolina where Lopatka's shallow grave was found (Eoghan, 2004: pp 11).

While in some instances a simple piece of digital evidence can win a case (Alistair 2009). Alistair's report in the New Law Journal of 2009, in a Uk case held in 2003, Dr Harold Shipman was jailed for life for murdering fifteen of his patients. Subsequently further investigation ascribed 218 murders to him even though the numbers may well be higher. The main convincing piece of evidence at his trial was a forensic examination of his patient record system which showed that, after killing someone, Shipman amended that patient's record by backdating and inserting a false history of an illness which could be blamed for the death. However, unknown to him, his computer's operating system kept multiple hidden logs of dates of amendment. A forensic examination of the computer gave the prosecution the evidence they needed for a conviction (Alistair, 2009).

Challenges of the Law

The statutes of England and Wales are faced with increasing challenges especially when it comes to retrieving this kind of evidence from the growing world of information technology.

In an article written by Michael J L Turner in 2001 which he entitled 'Beware; Computer Evidence Quicksand', the case of Sergeant Gurpal Virdi of the Metropolitan Police (MPS) who was accused of sending racist hate mail to ethnic minority police officers, including himself, in 1997 gives a clear picture of the treatment of computer evidence in court. The investigation concentrated mainly on the computer evidence particularly the emails sent to the other officers (Michael, 2001). They were analysed by investigators but failed to prove a connection between the emails sent and Virdi. The failure of this trial was in the investigative procedure used by the forensics analyst and the law was also not compatible with internet evidence such as failing to admit that any computer evidence which just records times and dates as will be found in CCTV recordings and in mobile phone forensics should be admitted as real evidence (David, 2008, pp 490 adapted from Levin (1997) AC 741).

Assessment and Suggestions

As a member of this Association (Association of Police Force Chiefs England and Wales), the critical assessment regarding the issue at hand will be thus;

The statutes of the PACE Act S69(1) states that as computer evidence shall not be admissible unless shown that there are no reasonable grounds for believing the statement is not accurate because of improper use of the computer, I will advise and suggest that the ACPO guidelines be strictly adhered to since 'it seem some lawyers are using S69 as a tool to obstruct the course of justice (David, 2005: pp 486).

In resolving the issue of whether the computer was operating properly or was out of operation, someone very knowledgeable of the system in question who can testify and address the court regarding the process that generated the given piece of evidence should be consulted as in the case of R v Sherphard 1999 were the house of Lords held that oral evidence be given by one familiar with the computer who could give evidence of its reliability (Andrew, 1996).

The law should readdress internet and wireless evidence since the crime involving computers and wireless systems are on the increase. Also, the law should have improved statues especially in relation to mobile phone forensics which is already having an increasingly significant role in determining the outcome of many legal cases (Tony, 2005).


The different changes in the growth of technology in the past have required lawyers and judges for instance, to get acquainted with the Health DNA analysis procedure (Phillip and Michael, 1998). Therefore they should also face the challenges of educating themselves about digital evidence from computer crime.

To also avoid evidence not being admissible in court, the most important thing is that it should be clear to the court that the evidence submitted is exactly the same as when it was first taken into custody by the investigatory authority stating it was not altered (David, 2008).

It will also be important to note that it is essential for the law to keep abreast of developments as this dynamic area unfolds rapidly (Tony, 2005).