In this short video from our Introduction to eDiscovery course by Dauda Sule, we take a look at the intersection of digital forensics and the law. After watching, you will know exactly what eDiscovery is, how it differs from digital forensics, what the similarities are, and why it's important to know about them. Dive in!
The world has widely gone digital. There is hardly any aspect of our lives that is not in one way or another linked to information technology. The most visible area of digital influence is communication; even in many remote places you find people using mobile phones. This becomes even more evident in the corporate environment: in the modern workplace a lot of digital information is generated constantly. That digital information can be used, for example, to prove or disprove whether an organization’s rules and regulations have been breached or even stolen, not necessarily in IT-related cases. eDiscovery is required for such situations.
What is Digital Evidence?
The National Institute of Justice (2015) simply defined digital evidence as being information stored or transmitted in binary form that may be relied on in court. As previously mentioned, a lot of our day-to-day activities involve digital devices, like mobile phones, tablets, PCs, digital cameras, and so on, which all leave digital footprints in the form of electronic data, either stored on the devices (electronically stored information – ESI) or transmitted through them; these digital footprints can be sorted out to pick out relevant information for a case, and become digital evidence. Such digital evidence can be retrieved using digital forensics tools and techniques, and then used to prove or disprove a claim. When digital evidence is mentioned, there is a tendency to think it is required for looking into an IT-related misdeed or crime, like hacking, but in reality, digital evidence can be used to prove cases that are not directly IT-related. Cases like kidnapping or even murder could be proven by obtaining digital evidence, for example:
- searches carried out on a search engine by the suspect regarding the victim or tools used in effecting such a crime
- geolocation data, which can be used to establish the whereabouts of a suspect at the time of a crime
An example is the murder of Taylor Latham, a case where Curtis King’s mobile phone records were used as evidence of murder against him (Schmatlz, 2015). In this case, Latham was murdered, and until her body was found no one knew what had happened to her. However, King, who had been calling her as many as eighteen times a day for a month before she was killed, suddenly stopped calling her after she was killed; he had also sent her threatening text messages some hours before the murder. The evidence from the phone records was pieced together to prove he had motive to murder her, and the fact that he stopped calling her after constantly calling her showed he was aware that she could no longer answer calls.
Another instance of digital evidence being used in a non-cybercrime case was the discovery of documents relating to potential terrorist attacks hidden inside pornographic material on a thumb drive carried by an al-Qaeda operative in 2012 (Robertson et al., 2012). Digital forensic techniques were used to crack the software used to hide over a hundred documents within pornographic videos on the thumb drive.
What is Digital Evidence used for?
Digital evidence is required for proving or disproving cases. In addition to its use in law enforcement, it is also required in cases within an organization (a company, for example), such as a breach of the organization’s policy that needs to be internally investigated, copyright infringement, and the like.
The case of Zubulake v. UBS Warburg (a groundbreaking case in terms of eDiscovery), where unfair treatment of employees was proved by digital evidence, is a perfect example of the latter. A synopsis of the Zubulake v. UBS Warburg case will be given in the section on the development of eDiscovery.
A lot can be determined from digital evidence: call logs, CCTV footage, network logs, system logs, metadata of office documents (word processing, spreadsheets, etc.), and so on. Such digital evidence can be used to determine when an action took place and where it took place, and to reveal signs of evidence manipulation and tampering. Digital evidence can also be used to obtain a profile of a suspect or victim or both, as might be required. It may be used to reconstruct an event in a bid to get to the bottom of how the event came about and to try to mitigate the occurrence of such or similar events.
To learn more, check out the course!