- Types of evidence:
- Real Evidence: Tangible, physical objects; in IT security: hard disks, USB drives – NOT the data on them.
- Direct Evidence: Testimony from a first hand witness, what they experienced with their 5 senses.
- Circumstantial Evidence: Evidence to support circumstances for a point or other evidence.
- Corroborative Evidence: Supports facts or elements of the case; not a fact on its own, but supports other facts.
- Hearsay: Not first-hand knowledge – normally inadmissible in a case.
- Computer-generated records, and with them log files, were considered hearsay, but case law and updates to the Federal Rules of Evidence have changed that. Rule 803 provides for the admissibility of a record or report that was “made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of a regularly conducted business activity, and if it was the regular practice of that business activity to make the memorandum, report, record or data compilation.”
- Best Evidence Rule – The courts prefer the best evidence possible.
- Evidence should be accurate, complete, relevant, authentic, and convincing.
- Secondary Evidence – This is common in cases involving IT.
- Logs and documents from the systems are considered secondary evidence.
- Evidence Integrity – It is vital that the evidence’s integrity cannot be questioned.
- We do this with hashes. All forensic analysis is done on copies, never on the originals.
- We check the hash of both the original and the copy before and after the forensic analysis; if either hash has changed, the evidence has been altered.
- Chain of Custody – This is done to prove the integrity of the data: that no tampering was done. Every handling step is recorded:
  - Who handled it?
  - When did they handle it?
  - What did they do with it?
  - Where did they handle it?
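The integrity and chain-of-custody points above, as an added example that is not part of the original notes: it hashes an acquired image, works only on a copy, re-checks both hashes after the examination, and appends a who/when/what/where record for each step. The evidence identifier, examiner name, location and the byte string standing in for a disk image are all constructed placeholders.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed stand-in for an acquired drive image (not a real disk image).
SAMPLE_IMAGE = b"constructed sample evidence image: not a real disk image\n"
EXPECTED_HASH = hashlib.sha256(SAMPLE_IMAGE).hexdigest()


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so a large image never has to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class ChainOfCustody:
    """Append-only log answering who / when / what / where for every handling step."""

    def __init__(self, evidence_id: str):
        self.evidence_id = evidence_id
        self.entries = []

    def record(self, who: str, what: str, where: str, digest: str) -> dict:
        entry = {
            "evidence_id": self.evidence_id,
            "who": who,
            "when": datetime.now(timezone.utc).isoformat(),  # when, in UTC
            "what": what,
            "where": where,
            "sha256": digest,  # hash observed at this step
        }
        self.entries.append(entry)
        return entry

    def to_json(self) -> str:
        return json.dumps(self.entries, indent=2)


def verify_integrity(original: Path, working_copy: Path, expected: str) -> bool:
    """Both the original and the working copy must still match the acquisition hash."""
    return sha256_file(original) == expected and sha256_file(working_copy) == expected


def run_examination(workdir: Path, examiner: str, location: str) -> dict:
    """Acquire -> hash -> copy -> verify -> examine the copy -> re-verify, logging each step."""
    original = workdir / "evidence_original.img"
    copy = workdir / "evidence_working_copy.img"
    original.write_bytes(SAMPLE_IMAGE)  # simulates the acquired original

    coc = ChainOfCustody(evidence_id="EVID-0001")  # placeholder identifier
    acquisition_hash = sha256_file(original)
    coc.record(examiner, "acquired original and computed SHA-256", location, acquisition_hash)

    shutil.copyfile(original, copy)
    coc.record(examiner, "created working copy", location, sha256_file(copy))

    before_ok = verify_integrity(original, copy, acquisition_hash)
    coc.record(examiner, "pre-examination hash check: " + ("match" if before_ok else "MISMATCH"),
               location, acquisition_hash)

    # Read-only examination of the copy (here: just its size); the original is never written to.
    size = copy.stat().st_size
    coc.record(examiner, f"examined working copy, {size} bytes", location, sha256_file(copy))

    after_ok = verify_integrity(original, copy, acquisition_hash)
    coc.record(examiner, "post-examination hash check: " + ("match" if after_ok else "MISMATCH"),
               location, acquisition_hash)

    return {"hash": acquisition_hash, "before_ok": before_ok, "after_ok": after_ok, "log": coc}


def demo() -> dict:
    """Run a clean examination in a temporary directory and return the results."""
    with tempfile.TemporaryDirectory() as d:
        return run_examination(Path(d), examiner="J. Examiner", location="Forensics lab bench 2")


def tamper_check() -> bool:
    """Alter the working copy after acquisition; re-verification must report False."""
    with tempfile.TemporaryDirectory() as d:
        workdir = Path(d)
        result = run_examination(workdir, "J. Examiner", "Forensics lab bench 2")
        (workdir / "evidence_working_copy.img").write_bytes(SAMPLE_IMAGE + b"x")
        return verify_integrity(workdir / "evidence_original.img",
                                workdir / "evidence_working_copy.img", result["hash"])


if __name__ == "__main__":
    print(demo()["log"].to_json())
    print("tampered copy still verifies:", tamper_check())
```

The log entries carry the hash observed at each step, so a later reviewer can see exactly when a mismatch first appeared and who had custody at that moment; in practice the log itself would be signed or stored write-once so it cannot be edited after the fact.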