EnCase Legal Journal
Second Edition
Copyright © 2001 Guidance Software, Inc.
All rights reserved.
Preface
Computer forensics is a discipline dedicated to the collection of computer evidence for
judicial purposes. Those who practice computer forensics should be very familiar
with the laws of evidence in their relevant jurisdictions so that they may correctly employ
the proper procedures, tools and methodologies used to collect and process computer
evidence. While there has been some excellent research and writing on search and seizure
and privacy issues related to computer data, there has been comparatively little guidance
on the authentication and presentation of electronic evidence at trial.
Computer investigation experts uncertain of what the law required often received
unclear direction from counsel who were equally unfamiliar with the complex technical
issues and nuances that must be applied to the laws of evidence. Consequently, there has
been no clear consensus on issues such as what is required to establish a sufficient
foundation for computer evidence, whether a computer forensic investigator is considered
a scientific expert, and how the Best Evidence rule applies to computer data.
In response to these concerns, Guidance Software launched The EnCase Legal
Journal (“ELJ”), which is provided with two goals in mind. First, the ELJ reports on
recent trial court developments involving EnCase as well as notable court decisions
involving computer evidence in general. Secondly, the ELJ addresses how the EnCase
process facilitates the authentication and admission of electronic evidence in light of past
industry practices and the current status of the law, providing investigators and their
counsel with an added resource when addressing questions involving computer forensics
and the use of EnCase.
The ELJ is provided for informational purposes and is not intended as legal
advice and should not be construed or relied upon as such. Each set of circumstances may
be different and all cited legal authorities should be confirmed and updated.
Just as Guidance Software is committed to ongoing product research and
development, so must we also be on top of the latest legal developments impacting this
field. As such, this journal should be considered as a work perpetually in progress. If you
have any questions, comments or suggestions for future revisions, please feel free to
contact me at [email protected]
John Patzakis
Guidance Software
June 2001
2001 Guidance Software i June 2001
Table of Contents
Authentication of Computer Evidence ............................................ 1
§1.0 Overview..................................................................................................................................... 1
§1.1 Authentication of Computer Data............................................................................................... 1
§1.2 Authentication of the Recovery Process ..................................................................................... 3
§1.3 Authentication of the EnCase Recovery Process ........................................................................ 7
§1.4 Challenges to Foundation Must Have Foundation..................................................................... 7
Validation of Computer Forensic Tools ......................................... 8
§ 2.0 Overview..................................................................................................................................... 8
§ 2.1 Frye/Daubert Standard............................................................................................................... 8
§ 2.2 Computer Forensics as an Automated Process ........................................................................ 11
§ 2.3 Commercial vs. Custom Forensic Software and Authentication Issues.................................... 13
Expert Witness Testimony.................................................................................. 15
§ 3.0 Overview................................................................................................................................... 15
§ 3.1 Threshold Under Rule 702........................................................................................................ 15
§ 3.2 Illustrations of Testimony ......................................................................................................... 17
DIRECT EXAMINATION -- PRE-TRIAL EVIDENTIARY HEARING........................................... 17
DIRECT EXAMINATION FOR THE PRESENTATION OF COMPUTER EVIDENCE BEFORE A JURY .......... 22
The Best Evidence Rule........................................................................................ 31
§ 4.0 Overview................................................................................................................................... 31
§ 4.1 “Original” Electronic Evidence............................................................................................... 31
§ 4.2 Presenting Electronic Evidence at Trial................................................................................... 32
§ 4.3 Compression And the Best Evidence Rule ................................................................................ 33
§ 4.4 US v. Naparst – The EnCase Evidence File Validated As Best Evidence................................. 36
Legal Analysis of the EnCase Evidence File ...................... 39
§ 5.0 Overview................................................................................................................................... 39
§ 5.1 Evidence File Format ............................................................................................................... 39
§ 5.2 CRC and MD5 Hash Value Storage and Case Information Header ........................................ 40
§ 5.3 Chain of Custody Documentation............................................................................................. 41
§ 5.4 The Purpose of Sterile Media and The EnCase Process .......................................................... 42
§ 5.5 Analyzing The Evidence File Outside of the EnCase Process .................................................. 42
Challenges to EnCase and Other Litigated EnCase Issues ........................... 45
Matthew Dickey v. Steris Corporation ..................................................................................................... 45
State of Washington v. Leavell ................................................................................................................. 46
People v. Rodriguez.................................................................................................................................. 47
People v. Merken ...................................................................................................................................... 48
Search and Seizure Issues and EnCase ...................................... 49
§ 7.0 Overview................................................................................................................................... 49
§ 7.1 Computer Files and the Plain View Doctrine........................................................................... 49
§ 7.2 United States v. Carey .............................................................................................................. 51
§ 7.3 Post-Carey Case Law ............................................................................................................... 53
§ 7.4 Post-Carey Practice ................................................................................................................. 56
§ 7.5 Warrant Return Requirements.................................................................................................. 57
Complying with Discovery Requirements when Utilizing the EnCase Process ........ 59
§ 8.0 Overview................................................................................................................................... 59
§ 8.1 Production of Entire EnCase Images ....................................................................................... 59
§ 8.2 Production of Restored Drives ................................................................................................. 60
§ 8.3 Production of Exported Files.................................................................................................... 60
§ 8.4 Supervised Examination ........................................................................................................... 60
§ 8.5 Discovery Referee in Civil Litigation Matters .......................................................................... 61
§ 8.6 Example Form Letter Demanding Preservation of Computer Evidence .................................. 64
Employee Privacy and Workplace Searches of Computer Files and E-mail ........... 66
§ 9.0 Overview................................................................................................................................... 66
§ 9.1 Employee Monitoring in the Private Sector.............................................................................. 66
§ 9.2 The Electronic Communications Privacy Act of 1986 .............................................................. 67
§ 9.3 Other Important Considerations for Employers ....................................................................... 69
§ 9.4 Monitoring of Government Employees ..................................................................................... 70
1 Authentication of Computer Evidence
§1.0 Overview
Documents and writings must be authenticated before they may be introduced into
evidence. The US Federal Rules of Evidence, as well as the laws of many other
jurisdictions, define computer data as documents.1 Electronic evidence presents particular
challenges for authentication as such data can be easily altered without proper handling.
The proponent of evidence normally carries the burden of offering sufficient evidence to
authenticate documents or writings, and electronic evidence is no exception.
What testimony is required to authenticate computer data? How does a witness
establish that the data he or she recovered from a hard drive is not only genuine but
completely accurate? Are there guidelines or checklists that should be followed? How
familiar with the software used in the investigation must the examiner be in order to
establish a proper foundation for the recovered data? These are some of the questions that
face computer investigators and counsel when seeking to introduce electronic evidence.
This chapter will address these questions.
§1.1 Authentication of Computer Data
Oftentimes, the admission of computer evidence, typically in the form of active
(“non-deleted”) text or graphical image files, is accomplished without the use of
specialized computer forensic software. Federal Rule of Evidence 901(a) provides that
the authentication of a document is “satisfied by evidence sufficient to support a finding
that the matter in question is what the proponent claims.” The Canada Evidence Act
specifically addresses the authentication of computer evidence, providing that an
electronic document can be authenticated “by evidence capable of supporting a finding
that the electronic document is that which it is purported to be.”2 Under these statutes, a
printout of an e-mail message can often be authenticated simply through direct testimony
from the recipient or the author.3
The US Federal Courts have thus far addressed the authentication of computer-
generated evidence based upon Rule 901(a), much in the same manner as statutes that
have existed before computer usage became widespread.4 United States v. Tank,5 which
involves evidence of Internet chat room conversation logs, is an important illustration.
In Tank, the Defendant appealed from his convictions for conspiring to engage in
the receipt and distribution of sexually explicit images of children and other offenses.
Among the issues addressed on appeal was whether the government made an adequate
foundational showing of the relevance and the authenticity of a co-conspirator’s Internet
chat room log printouts. A search of a computer belonging to one of Defendant Tank’s
co-conspirators, Riva, revealed computer text files containing "recorded" online chat
room discussions that took place among members of the Orchid Club, an Internet chat
room group to which Tank and Riva belonged.6 Riva's computer was programmed to
save all of the conversations among Orchid Club members as text files whenever he was
online.
At an evidentiary hearing, Tank argued that the district court should not admit the
chat room logs into evidence because the government failed to establish a sufficient
foundation. Tank contended that the chat room log printouts should not be entered into
evidence because: (1) they were not complete documents, and (2) undetectable "material
alterations," such as changes in either the substance or the names appearing in the chat
room logs, could have been made by Riva prior to the government’s seizure of his
computer.7 The district court ruled that Tank's objection went to the evidentiary weight of
the logs rather than to their admissibility, and allowed the logs into evidence. Tank
appealed, and the appellate court addressed the issue of whether the government
established a sufficient foundation for the chat room logs.
The appellate court considered the issue in the context of Federal Rule of
Evidence 901(a), noting that “[t]he rule requires only that the court admit evidence if
sufficient proof has been introduced so that a reasonable juror could find in favor of
authenticity or identification . . . The government must also establish a connection
between the proffered evidence and the defendant.”8
In authenticating the chat room text files, the prosecution presented testimony
from Tank’s co-conspirator Riva, who explained how he created the logs with his
computer and stated that the printouts appeared to be an accurate representation of the
chat room conversations among members of the Orchid Club. The government also
established a connection between Tank and the chat room log printouts. Tank admitted
that he used the screen name "Cessna" when he participated in one of the conversations
recorded in the chat room log printouts. Additionally, several co-conspirators testified
that Tank used the chat room screen name "Cessna" that appeared throughout the
printouts. They further testified that when they arranged a meeting with the person who
used the screen name "Cessna," it was Tank who showed up.9
Based upon these facts, the court found that the government made an adequate
foundational showing of the authenticity of the chat room log printouts under Rule
901(a). Specifically, the government “presented evidence sufficient to allow a reasonable
juror to find that the chat room log printouts were authenticated.”10
The Tank decision is consistent with other cases that have addressed the issue of
the authenticity of computer evidence in the general context of Fed.R.Evid. 901(a).11
Tank illustrates that there are no specific requirements or set procedures for the
authentication of chat room conversation logs; rather, examining the facts and circumstances of the
creation and recovery of the evidence as applied to Rule 901(a) is the approach generally
favored by the courts. (See also United States v. Scott-Emuakpor,12 [Government
properly authenticated documents recovered from a computer forensic examination under
Rule 901(a)]).
§1.2 Authentication of the Recovery Process
Where direct testimony is not available, a document may be authenticated through
circumstantial evidence. A computer forensic examination is often an effective means to
authenticate electronic evidence through circumstantial evidence. The examiner must be
able to provide competent and sufficient testimony to connect the recovered data to the
matter in question.
Courts have recognized the importance of computer forensic investigations to
authenticate computer evidence. Gates Rubber Co. v. Bando Chemical Indus., Ltd.,13 is a
particularly important published decision involving competing computer forensic expert
testimony, where the court essentially defines a mandatory legal duty on the part of
litigants or potential litigants to perform proper computer forensic investigations. There,
one party’s examiner failed to make a mirror image copy of the target hard drive and
instead performed a “file-by-file” copy in an invasive manner, resulting in lost
information.14 The opposing expert noted that the technology needed for a mirror image
backup was available at the time (February 1992), even though not widely used. In its
ruling issuing harsh evidentiary sanctions, the court criticized the errant examiner for
failing to make an image copy of the target drive, finding that when processing evidence
for judicial purposes a party has "a duty to utilize the method which would yield the most
complete and accurate results."15
Some courts have required only minimal testimony concerning the recovery
process, particularly where the defense fails to raise significant or adequate objections to
the admission of the computer evidence. In United States v. Whitaker16 an FBI agent
obtained a printout of business records from a suspect’s computer by simply operating
the computer, installing Microsoft Money and printing the records.17 The court affirmed
the admission of the printouts, finding that testimony of the agent with personal
knowledge of the process used to retrieve and print the data provided sufficient
authentication of the records.18 However, in an apparent admonition to the defense bar,
the court noted that the defense conspicuously failed to question the FBI agent “about
how the disks were formatted, what type of computer was used, or any other questions of
a technical nature.”19
Other cases have involved more extensive objections to computer-based evidence.
People v. Lugashi20 is a particularly notable case involving a detailed analysis by the
court on this subject. Although not involving a computer forensic investigation per se, the
Court addressed issues concerning the authentication of computer-based evidence
challenged by the defense in a criminal prosecution. Lugashi involved a credit card fraud
investigation, where a bank’s internal computer system recorded and stored relevant data
relating to a series of transactions in question. Each night, the bank's computer systems
ran a program known as a "data dump," which retrieved and organized the daily credit
card transactions reported to the bank. Shortly thereafter, a backup tape was made of the
"dump" from which a microfiche record was prepared and maintained.21
The prosecution sought to introduce the computer-generated evidence generated
by this process largely through the testimony of one of the bank’s systems administrators,
who conceded that she was not a computer expert. She did, however, work with those
who ran the “data dumps," maintained the microfiche records, and was familiar with the
system. She personally produced the data in question from the microfiche records and
knew how to interpret it.22 The defense contended that as the systems administrator was
not a computer expert she was incompetent to authenticate the data in question and that,
essentially, only the computer programmers involved in the design and operation of the
bank’s computer systems could adequately establish that the systems and programs in
question were reliable and free from error. The defense also asserted that because the
systems administrator’s understanding of how the system worked came from her
discussions with the bank’s programmers and other technical staff, her testimony
constituted hearsay and thus should not be allowed.23
The court rejected the defense’s argument, noting that the defense’s position
incorrectly assumed that only a computer expert “who could personally perform the
programming, inspect and maintain the software and hardware, and compare competing
products, could supply the required testimony.”24 Instead the court ruled that “a person
who generally understands the system's operation and possesses sufficient knowledge and
skill to properly use the system and explain the resultant data, even if unable to perform
every task from initial design and programming to final printout, is a ‘qualified witness’”
for purposes of establishing a foundation for the computer evidence.25 The court noted
that if the defense’s proposed test were applied to conventional hand-entered accounting
records, for example, the proposal “would require not only the testimony of the
bookkeeper records custodian, but that of an expert in accounting theory that the
particular system employed, if properly applied, would yield accurate and relevant
information.”26 Further, if the defense’s position were correct, “only the original
hardware and software designers could testify since everyone else necessarily could
understand the system only through hearsay.” The Lugashi court also commented that the
Defense’s proposed test would require production of “hordes” of technical witnesses that
would unduly burden both the already crowded trial courts and the business employing
such technical witnesses “to no real benefit.”27
It should be noted that there are some factors and aspects of the Lugashi decision
that may not be completely applicable to computer forensics. For instance, Lugashi deals
with records created in the normal course of business, which courts in the United States
generally presume to be authentic, subject to the presentation of any direct evidence to
the contrary. Further, a disinterested third party to the litigation generated the computer
records in Lugashi, while courts would likely apply increased scrutiny to records
generated by a law enforcement investigator or retained party expert. However, certain
aspects of the Lugashi decision seem applicable to questions regarding what is required to
establish a proper foundation for evidence obtained from a computer forensic
examination. (See also Federal Deposit Insurance Corporation v. Carabetta28 [similar
facts and holding to Lugashi]).
In addition to the citations provided throughout this text relating to the admission
of recovered computer data, other court rulings concerning various forms of electronic
evidence provide additional and important insight regarding what many courts require for
establishing a proper foundation for such data. Many of these cases frame the same issues
as to what extent the investigator must be familiar with the process used to obtain or
generate the electronic evidence.
Bray v. Bi-State Development Corp.29 addressed whether an expert’s testimony
provided a sufficient foundation to establish the validity of computer software that
produced a chart depicting light intensity levels to determine adequate lighting for
commercial areas. The software program utilized photometric data to accurately calculate
light intensity based on general parameters and inputted data. The expert testified that he
was familiar with the software and its general functionality and that the program was
known to produce accurate results and was generally used by lighting manufacturer
representatives and lighting engineers. He also testified that while he had personal
knowledge of the data that was inputted into the program, he generally relied on the
manufacturer’s representative to actually operate the computer.30 The objecting party
contended that the expert failed to establish a sufficient foundation because the expert did
not program the computer software, did not actually operate the program in question, and
offered no specific evidence that the software was accurate or reliable.
The court in its opinion determined that the "[r]elevant technical or scientific
community's use of or reliance on particular computer software is sufficient to establish
accuracy of that software for purposes of admissibility of computer-generated
evidence."31 The court also noted Federal Rule of Evidence 901(b)(9) and ultimately
relied on both concepts in its ruling, finding testimony that the “software was a program
which produced accurate results and was used generally by the lighting manufacturer’s
representative and relied on by engineers to design light and make lighting decisions was
sufficient under these circumstances.”32
In State of Arizona v. Rivers,33 the Defendant’s terms of parole subjected him to
electronic monitoring to verify compliance with his house arrest. The monitoring
equipment included an ankle-bracelet transmitter and a receiver connected to the
defendant's telephone. The receiver was programmed with the defendant's schedule and
was designed to automatically notify a parole office computer if the defendant left his
home or failed to return to his home during curfew hours.34 After the monitoring
equipment detected multiple curfew violations, the defendant was apprehended and
charged with various parole violations. At trial, the defendant argued that because the
parole officers were not qualified to testify "from a scientific standpoint" about how the
subject monitoring equipment functioned, the state was unable to demonstrate that the
equipment was in proper working condition when it registered his failure to return home.
The parole officer acknowledged that he did not consider himself to be an "expert" on
how the monitoring equipment worked, but did testify that he had worked with
approximately 200 to 300 parolees on home arrest and that he did not recall ever having
received incorrect information from the equipment. He told the jury that, to the best of his
knowledge, the equipment was working properly when it registered the defendant's
failure to return on the day in question.35 Based upon this testimony, the trial court ruled
that the state established a sufficient foundation for the electronic evidence of curfew
violations.
On appeal, the appellate court found no error in the trial court's conclusion that
the state provided sufficient foundation and evidence from which the jurors could
reasonably conclude that the monitoring equipment was functioning properly when it
registered the defendant's curfew violation. The court cited key testimony provided by the
parole officers concerning the equipment's general accuracy and reliability. Additionally,
the court noted that the officers testified that the equipment was correctly installed and in
proper working condition on the date in question.36 The court relied on the case of Ly v.
State of Texas,37 which involved a nearly identical fact scenario, and where that court
similarly rejected a defendant’s contention that because the government witness was not
familiar with the scientific principles behind the electronic-monitoring equipment, the
state could not demonstrate that the equipment was reliable and that it had worked
properly in his case.
In United States v. Sanchez,38 the defendants contended that the government
failed to establish that a forward-looking infrared device ("FLIR") attached to a
surveillance aircraft was functioning properly when a United States Customs agent
observed an aircraft engage in a night-time delivery of narcotics on a remote airstrip.
Specifically, the defendants argued that because the agent admitted that he was not an
expert in how the FLIR worked, the government had failed to demonstrate that the device
functioned properly, and thus the testimony was insufficient to lay a proper foundation
for introduction of the evidence obtained through the use of the FLIR. Rejecting the
defendants' argument, the court concluded that the agent's "significant experience as a
pilot in a FLIR-equipped plane" was sufficient to enable him to testify that the device
"appeared to be functioning properly" at the time.39 The court also noted that the agent
was able to describe the basic principles upon which the FLIR operated. Thus, the trial
court did not abuse its discretion in admitting the agent's testimony concerning the events
viewed through the FLIR.
These cases demonstrate that when addressing proper foundation for electronic
evidence generated by complex devices or software, the courts generally apply the same
analysis: “sufficient familiarity” on the part of the user, general acceptance, and whether the
process involved is standard and commercially available. The general acceptance
standard, which is more fully addressed in the next chapter, is clearly a predominant
consideration. Additionally, whether the expert is experienced and/or trained in the
software and process involved is also an important consideration.
However, while experience and proper training are clearly important, it is also
clear that the courts do not mandate that the expert be intimately familiar with the
scientific principles or detailed inner workings of these technical processes that generate
electronic evidence.
§1.3 Authentication of the EnCase Recovery Process
Under the standard articulated under Lugashi and several other similar cases, the
examiner need not be able to intricately explain how each and every function of EnCase
works in order to provide sufficient testimony regarding the EnCase process. There are
no known authorities requiring otherwise for software that is both commercially available
and generally accepted. A skilled and trained examiner with a strong familiarity with the
EnCase process should be able to competently present EnCase-based evidence obtained
through a forensic examination.40
An examiner should have a strong working familiarity of how the program is used
and what the EnCase process involves when seeking to introduce evidence recovered by
the program. This means that the examiner should ideally have received training on
EnCase, although such training should not be strictly required, especially where the
witness is an experienced computer forensic investigator and has received computer
forensic training on computer systems in the past. Examiners should also conduct their
own testing and validation of the software to confirm that the program functions as
advertised. However, a “strong working familiarity” does not mean that an examiner
must obtain and be able to decipher all 300,000 lines of the program source code or be
able to essentially reverse engineer the program on the witness stand.
§1.4 Challenges to Foundation Must Have Foundation
In the event the initial evidentiary foundation established by the computer
forensic examiner’s testimony is sufficiently rebutted, so as to challenge the admissibility
or the weight of the evidence, expert testimony to, in turn, rebut such contentions may be
required. However, courts will normally disallow challenges to the authenticity of
computer-based evidence absent a specific showing that the computer data in question
may not be accurate or genuine—mere speculation and unsupported theories generally
will not suffice.41 There is ample precedent reflecting that unsupported claims of possible
tampering or overlooked exculpatory data are both relatively common and met with
considerable skepticism by the courts. One federal court refused to consider allegations
of tampering that was “almost wild-eyed speculation . . . [without] evidence to support
such a scenario.” Another court noted that the mere possibility that computer data could
have been altered is “plainly insufficient to establish untrustworthiness.”42
One court suggests that the defense should perform its own credible computer
forensic examination to support any allegation of overlooked exculpatory evidence or
tampering.43 Another court noted that while some unidentified data may have been
inadvertently altered during the course of an exam, the defendant failed to establish how
such alteration, even if true, affected the data actually relevant to the case.44 As such, in
order for a court to even allow a challenge based upon alleged tampering or alteration of
the computer data, the defense should be required to establish both specific evidence of
alteration or tampering and that such alteration affected data actually relevant to the case.
Further, even if there were some basis to allegations that relevant computer records have been
altered, such evidence would go to the weight of the evidence, not its admissibility.45
2 Validation of Computer Forensic Tools
§ 2.0 Overview
Chapter 1 addressed authenticating computer evidence through direct or circumstantial
evidence in order to establish that the recovered data is genuine and accurate.
Another form of an objection to authenticity may involve questioning the reliability of
the computer program that generated or processed the computer evidence in question. In
such cases, the proponent of the evidence must testify to the validity of the program or
programs utilized in the process. This chapter discusses what standards the courts are
actually applying in such challenges, and what testimony the examiner may need to
provide to validate computer forensic tools.
§ 2.1 Frye/Daubert Standard
Daubert v. Merrell Dow Pharmaceuticals, Inc.,46 is an important federal court
decision that sets forth a legal test to determine the validity of scientific evidence and its
relevance to the case at issue. Many state court jurisdictions in the US follow the Frye47
test, which is very similar, but not identical to Daubert. The introduction of DNA
evidence is a typical scenario where a court may require a Daubert/Frye analysis,
although many courts now take judicial notice of the accuracy of DNA typing procedures
as the science is no longer considered “novel.”48
We have seen Daubert/Frye raised in nearly all concerted challenges to EnCase.
However, a corporate defendant advocating the EnCase-based evidence in Mathew
Dickey v. Steris Corporation49 (further discussed at §6.01) successfully asserted that
EnCase constituted an automated process that produces accurate results, and thus
evidence obtained from that process would be subject to a presumption of authenticity
under Rule 901(b)(9). Rule 901(b)(9) provides that evidence produced by an automated
process, including computer-generated evidence, may be authenticated if such an
automated process is shown to produce accurate results. However, the court also
addressed the Daubert factors. Although it is clear that EnCase meets the standards
under both Rule 901 and Daubert,50 the recent trend of the courts is to include
“non-scientific” technical evidence within the purview of Daubert/Frye, in addition to the
purely scientific forms of evidence, such as DNA analysis, that are more traditionally
subject to Daubert. The judicial analysis applied in recent notable challenges to EnCase
is clearly consistent with this trend. As such, a computer forensic examiner should be
very familiar with the basic elements of the Daubert analysis, which are as follows:
1) Whether a “theory or technique … can be (and has been) tested;”
2) Whether it “has been subjected to peer review and publication;”
3) Whether, in respect to a particular technique, there is a high “known or
potential rate of error;” and
4) Whether the theory or technique enjoys “general acceptance” within the
“relevant scientific community.”51
Under the first prong of the test, courts have expressly noted that EnCase is a
commercially available program that can be easily tested and validated. This is in contrast
to tools that are not commercially available to the general public or are custom tools with
arcane command line functionality that are not easily tested by third parties unfamiliar
with those processes. The law is clear that in the context of computer-generated evidence,
the courts favor commercially available and standard software.52 Further, many agencies
have tested EnCase in their labs before standardizing their agents with the software.
Importantly, the widespread adoption of EnCase by the computer forensics community
serves as a crucial factor for authentication, as the community generally knows the
capabilities and accuracy of the program through such extensive usage. Additionally,
recent publications have featured EnCase as the highest-rated tool in testing and
comparisons among other commercially available software tools.53
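The testing and validation the examiner is urged to perform in §1.3, and the first and third Daubert prongs above (testability and a known rate of error), can be documented with a repeatable check against a test image of known content. The following is an added example, not code from the Journal or from Guidance Software, and it stands in for any imaging and recovery tool: the artifact names, offsets and contents are constructed, and the tool's output is simulated by the caller.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Artifact:
    """A known item planted in the test image (constructed ground truth)."""
    name: str
    offset: int
    data: bytes

def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def build_reference_image(size: int, artifacts) -> bytes:
    """Build a zero-filled test image with each artifact written at a known offset."""
    buf = bytearray(size)
    for a in artifacts:
        buf[a.offset:a.offset + len(a.data)] = a.data
    return bytes(buf)

def verify_acquisition(source: bytes, image: bytes) -> dict:
    """Prong 1 check: the tool's image must hash identically to the source (bit-for-bit)."""
    s, i = sha256(source), sha256(image)
    return {"source_hash": s, "image_hash": i, "match": s == i}

def score_recovery(planted, recovered: dict) -> dict:
    """Prong 3 check: compare what the tool reported against ground truth to record a
    known error rate. `recovered` maps item name -> sha256 of the content the tool found."""
    truth = {a.name: sha256(a.data) for a in planted}
    missed = sorted(n for n, h in truth.items() if recovered.get(n) != h)
    spurious = sorted(n for n in recovered if n not in truth)
    total = len(truth)
    rate = (len(missed) + len(spurious)) / total if total else 0.0
    return {"missed": missed, "spurious": spurious, "error_rate": rate}

# Constructed test set: two items the examiner expects the tool to locate.
PLANTED = [
    Artifact("deleted_memo.txt", 512, b"meeting moved to Friday"),
    Artifact("slack_fragment", 4096, b"wire transfer approved"),
]
REFERENCE = build_reference_image(8192, PLANTED)

def run_validation(image: bytes, recovered: dict) -> dict:
    """One documented validation run; 'passed' needs a hash match and a zero error rate."""
    acq = verify_acquisition(REFERENCE, image)
    rec = score_recovery(PLANTED, recovered)
    return {"acquisition": acq, "recovery": rec, "passed": acq["match"] and rec["error_rate"] == 0.0}

if __name__ == "__main__":
    # Simulate a correct tool run: an exact copy of the source and every item reported.
    report = run_validation(REFERENCE, {a.name: sha256(a.data) for a in PLANTED})
    print("validation passed:", report["passed"])
```

Keeping the returned report (hashes, missed and spurious items, error rate) with the case file gives the examiner something concrete to point to when asked on the stand whether the tool was tested.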
These reviews are among several industry publications featuring EnCase, and are
relevant to the second prong of the Daubert test. Peer review and publication in the
relevant industry is an important factor looked to by the Courts in considering the validity
of a technical process under Daubert/Frye. Various published articles in the information
security and high-tech crime investigation industries favorably review or mention
EnCase.54 Among the more notable articles is the recent IEEE Computer Society
publication, Computer Magazine, which featured a “case study” of the EnCase
technology and reported on its widespread use and acceptance in the computer forensics
community. It is important for computer