Computer Forensics in Criminal Cases Shows Differences

In the field of computer forensics, as in the field of law, procedures in civil cases differ somewhat from those in criminal cases. The collection of data and presentation of evidence may be held to different standards, the process of data collection and imaging can be quite different, and the consequences of the case may have very different impacts.

A couple of quick definitions may be in order. Criminal law deals with offenses against the state - the prosecution of a person accused of breaking a law. These offenses may include crimes perpetrated against an individual. A government body, or the representative of a government body accuses the person of having committed the offense, and the resources of the state are brought to bear against the accused. Guilty outcomes can result in fines, probation, incarceration, or even death.

Violations of contracts and lawsuits between two or more parties, and other non-criminal concerns or offenses are the concerns of Civil law. The prevailing party often is entitled to payment, property or services from the loser. Imprisonment is not at issue in civil cases. As a result, the standard for evidence is not as high in civil cases as in criminal cases.

For the law enforcement computer forensics specialist, a certain amount of extra care should be taken in collecting data and producing results, for the standard of proof is higher. There are advantages on the data collection end, however. For once a court has authorized a search warrant, an officer (and possibly several) with badge and gun can go seize the defendant's computer by surprise and by force. When a computer is taken as evidence, imaged and analyzed, any data on the computer is accessible. As a result, new and additional charges may be generated.

By contrast, in a civil case, there tends to be a lot of negotiation over what computers and what data can be inspected, as well as where and when. There is not likely to be any seizing of computers, and quite a long time may take place between the time the request to inspect a computer is made and the time the computer is made available to be inspected. It is common for one party to have access to a very limited area of data from the other party's computer. During this time, a defendant may take the opportunity to attempt to hide or destroy data. The author has had several cases wherein the computer needed for analysis was destroyed before the plaintiff had the opportunity to inspect. Such attempts at hiding data are often discovered by the digital forensic sleuth, who may in turn present evidence of such further wrongdoing in expert witness testimony.

Opportunities for learning techniques and interacting with other professionals may differ as well. While some computer forensic software suites and training, such as Access FTK, EnCase, or SMART Forensics are available to most who can pay, others, such as iLook are available only to law enforcement and military personnel. While many support and professional organizations and groups are available to all, some, such as the High Technology Crime Investigation Association (HTCIA) are not open to professionals who provide for criminal defense (with a few minor exceptions).

Police, Homeland Security, and other law enforcement personnel's goal is to generate a body of evidence significant enough (presuming such evidence exists) to find the criminal defendant guilty. The standard for information presented to the court and jury in such a case is fairly high. From the time digital data or hardware is seized and acquired, Rules of Evidence must be kept in mind (Cornell University has the complete and voluminous code on its website). Law enforcement personnel must follow accepted procedures or evidence could be thrown out. Acquisition of data and discovery in criminal cases often must follow sometimes strict and differing procedures depending upon whether the jurisdiction is federal, state, or municipality and at times depending upon a judge's preferences.

The expert in a civil case may not analyze all of the data on a computer at a very deep level Initial efforts may rather be a kind of fact-finding mission, intended to determine the value of digging deeper and at greater expense. This allows the initial presentation of data to be somewhat informal, and be just enough to urge a settling of the case. On the other hand, the data found may be so minimal the line of inquiry into electronic evidence is dropped.

Although we use many of the same tools, computer forensic professionals in private practice and those in law enforcement are held to different standards, have access to different resources, and their work results in substantially different outcomes between the criminal and civil cases to which they contribute.

Copyright (c) 2008 Steve Burgess

Article Source: http://www.articlegoldmine.com

Steve Burgess is a freelance technology writer, a practicing computer forensics specialist, a testifying expert witness as the principal of Burgess Forensics, and a contributor to recently released Scientific Evidence in Civil and Criminal Cases, 5th Edition by Moenssens, et al.

Please Rate this Article

5 out of 54 out of 53 out of 52 out of 51 out of 5 

Not yet Rated