- Digital Forensics and Incident Response
- Gerard Johansen
- 575 words
- 2021-07-02 18:49:45
Rules of evidence
The Federal Rules of Evidence serve as the basis on which evidence is admitted or excluded in a criminal or civil proceeding. Knowledge of these rules is important for the CSIRT so that any evidence collected is handled in a manner that prevents contamination and avoids the possibility that the evidence will be barred from court:
- Rules 401 and 402: Relevance - Rule 401 sets a two-part test. First, the evidence must have a tendency to make a fact more or less probable than it would be without the evidence. Second, that fact must be of consequence in determining the proceeding. Rule 402 then provides that relevant evidence is admissible unless another rule or law excludes it, and that irrelevant evidence is not. Together they make clear that evidence must not only relate to the proceeding but also have value in proving or disproving a facet of the case.
- Rule 502: Attorney-client privilege and work product - One of the most sacrosanct tenets of modern law is the relationship between a client and their attorney. Confidential communications between the two, spoken or written, are privileged and protected from disclosure; Rule 502 governs when that privilege, and the related work-product protection, is waived by disclosure. In digital forensics, reports are routinely written about the actions taken and the information obtained, and incident responders often work directly for attorneys on behalf of their clients. Reports prepared in that context may therefore be protected as attorney work product. It is important to understand when you are working under an attorney's direction and when these protections may apply to your work.
- Rule 702: Testimony by expert witnesses - Through the acquisition of experience and knowledge in digital forensics, an analyst may be permitted to testify as an expert witness. This rule sets out the requirements for expert testimony: the witness must be qualified by knowledge, skill, experience, training, or education, and the testimony must be based on sufficient facts or data and be the product of reliable principles and methods, reliably applied to the facts of the case.
- Rule 902: Evidence that is self-authenticating - This rule was amended with digital evidence in mind: new subparts 902(13) and 902(14) took effect on December 1, 2017. Subpart 902(14) allows a copy of data from an electronic device, storage medium, or file to be authenticated by a process of digital identification, in practice by comparing hash values of the original and the copy (the role of hashing is discussed in later chapters). The copy must be accompanied by a certification from a qualified person attesting that it was made and verified in that way, so the evidence should be collected and hashed according to documented best practices.
- Rule 1002: Best evidence rule - In civil or criminal proceedings, the original writing, recording, or photograph must be offered as evidence unless a recognized exception applies. In the physical realm this is fairly easy: parties to a case can present the knife used in an assault. It becomes more complex when the evidence is essentially magnetic polarity on a hard drive or log files exported from a router. Here, courts have held that a forensically sound image of a hard drive is an acceptable substitute for the drive itself.
- Rule 1003: Admissibility of duplicates - One of the most critical steps in a forensic examination of digital media is making an image, or forensic copy, of the media. This rule allows such a duplicate to be admitted in place of the original unless a genuine question is raised about the original's authenticity or it would be unfair to admit the duplicate. If an image is to be admitted, the analyst who created it will most likely have to testify that the imaging was performed correctly, which is why a verified hash of the original and the copy should be recorded at acquisition time.
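The thread running through Rules 902(14), 1002 and 1003 is that a duplicate is only as good as the evidence that it is byte-for-byte identical to the original, and the accepted way to show that is a hash recorded at acquisition and re-checked on the copy. The following Python script is an added example and is not code from the book or its author. It hashes an image in fixed-size chunks (so the approach works on images far larger than memory), writes the facts a qualified person would certify, verifies a working copy against that record, and demonstrates that a single flipped bit is detected. The examiner name, file names and image bytes are constructed stand-ins; `make_acquisition_record` and `verify_duplicate` are hypothetical helper names chosen for this example.

```python
"""Hash-based integrity verification of a forensic image (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time so multi-terabyte images fit in memory


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at `path`, hashing all algorithms in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK_SIZE)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def make_acquisition_record(image_path, examiner, tool_note):
    """Build the data a qualified person certifies under Rule 902(14):
    which file, how large, when it was hashed, by whom, with what, and the digests."""
    return {
        "file": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "hashed_at_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "tool": tool_note,
        "hashes": hash_file(image_path),
    }


def verify_duplicate(duplicate_path, record):
    """Re-hash a copy and compare every digest in the record.
    Returns (ok, mismatches) where mismatches maps algorithm -> (expected, actual)."""
    expected = record["hashes"]
    actual = hash_file(duplicate_path, tuple(expected))
    mismatches = {a: (expected[a], actual[a]) for a in actual if actual[a] != expected[a]}
    return (not mismatches, mismatches)


def demo():
    """Constructed walk-through on sample bytes (not a real acquisition):
    hash an 'original', verify a clean copy, verify a copy with one flipped bit,
    and run a known-answer test so the hashing routine itself is validated."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "evidence_001.dd")
        # Stand-in for a disk image: a zeroed boot sector with the 0x55AA signature, then filler.
        with open(original, "wb") as fh:
            fh.write(b"\x00" * 510 + b"\x55\xAA")
            fh.write(b"\xde\xad\xbe\xef" * 1024)
        record = make_acquisition_record(original, "J. Examiner (constructed)", "hash_file() example")

        clean = os.path.join(tmp, "working_copy.dd")
        shutil.copyfile(original, clean)
        clean_ok, _ = verify_duplicate(clean, record)

        tampered = os.path.join(tmp, "tampered_copy.dd")
        with open(original, "rb") as fh:
            data = bytearray(fh.read())
        data[600] ^= 0x01  # flip one bit inside the filler region
        with open(tampered, "wb") as fh:
            fh.write(data)
        tampered_ok, tampered_diff = verify_duplicate(tampered, record)

        # Known-answer test: published digests of the ASCII string "abc".
        kat = os.path.join(tmp, "abc.bin")
        with open(kat, "wb") as fh:
            fh.write(b"abc")
        kat_ok = hash_file(kat) == {
            "md5": "900150983cd24fb0d6963f7d28e17f72",
            "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
        }
        return {
            "record": record,
            "clean_ok": clean_ok,
            "tampered_ok": tampered_ok,
            "tampered_algorithms": sorted(tampered_diff),
            "kat_ok": kat_ok,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two algorithms are hashed in a single pass because many acquisition tools still report MD5 alongside SHA-256, and matching both in the record removes any argument about which digest the certification relied on. The known-answer test is the kind of tool validation a qualified person should be able to speak to on the stand.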