Ch17 - 17.01 - Working with Evidence Flashcards
Chapter 17 - Introduction to Computer Forensics and Incident Response
Forensics Investigations - Corporate Investigation
A corporate investigation arises because an employee is suspected of violating a corporate policy or misusing a corporate asset such as e-mail or the Internet
It is important to seek legal advice before starting your investigation to ensure that you follow proper procedures for obtaining evidence so that it will be admissible in court should the case go to trial.
Your job as a computer forensics investigator is to ensure that you collect the digital evidence needed to prove or disprove that an employee has violated corporate policy.
Forensics Investigations - Public Investigation
A public investigation arises due to the suspicion that a law has been broken
It is important to seek legal advice before starting your investigation to ensure that you follow proper procedures for obtaining evidence so that it will be admissible in court should the case go to trial.
Your job as a computer forensics investigator is to ensure that you collect the digital evidence needed to prove or disprove that someone has broken a law
Three Conditions to Be Admissible in Court
For evidence to be admissible in court, the evidence must meet three conditions—it must be sufficient evidence, it must be competent evidence, and it must be relevant evidence. For evidence to be considered sufficient, it must prove a fact by itself, without the need for supporting evidence to prove the point. The evidence must also be competent evidence, which means that the evidence must have been legally obtained. If the evidence has been illegally obtained, it is inadmissible in court. Finally, the evidence must have relevance—meaning that the evidence must be related to and have meaning to the case.
Types of Evidence
- Real Evidence
- Direct Evidence
- Documentary Evidence
- Demonstrative Evidence
- Real Evidence
Real evidence, also known as physical evidence, is a tangible object presented in court. An example of real evidence in a murder trial such as a stabbing would be the actual murder knife.
- Direct Evidence
Direct evidence is testimony from a witness who has seen or experienced the event firsthand. For example, if someone saw the murder and tells how it happened, that is direct evidence.
- Documentary Evidence
Documentary evidence, which is typically a printed document. Examples of documentary evidence are contracts, an invoice for some form of service or product, or a printed e-mail supporting something communicated through electronic mail. Documentary evidence could also be evidence such as voice recordings, video recordings, or photographs.
- Demonstrative Evidence
Demonstrative evidence is evidence that involves presenting a physical object that displays the results of some form of event occurring. For example, in a number of injury cases, a medical exhibit may be used to display the results of malpractice. Another example of demonstrative evidence may be a model of an intersection where model cars show the location of the plaintiff and defendant.
Chain of Custody
Chain of custody is a document that records where the evidence is at all times. It is imperative that you have a chain of custody in place for the evidence so that you can account for the whereabouts of the evidence at all
times.
