The Legal Context

Digital forensic evidence is, and must be, considered in light of the legal context of the matter at hand. This context includes, without limit:

Availability of witnesses and evidence is often limited. In some cases evidence may only be examined in a specific location and under specific supervision, while in most cases, witnesses are only available to the attorneys during limited time frames and under limited circumstances. For the opposition to the party bringing the witness, these may be very limited and restricted to testimony under oath in depositions and elsewhere.

Stipulations often limit the utility and applicability of digital forensic evidence. For example, if there is a stipulation as to a factual matter, even if the digital forensic evidence would seem to refute that stipulation, it can be given no weight because the stipulation is, legally speaking, a fact that is agreed to by all parties and therefore cannot be refuted.

Prior statements of witnesses often create situations in which digital forensic evidence is applied to confirm or refute those statements. In these cases, the goal is to find evidence that would tend to refute the statements and thereby make the witness and their prior testimony incredible.

Notes and other related materials are potentially subject to subpoena in legal matters, and therefore, conjectures on notes, FAXes, and drafts of expert reports as well as other similar material might be discoverable and used to refute the work of the experts. This tends to limit the manner in which the expert can work without endangering the case for their client.

There are many other similar legal contextual issues that drive the digital forensics process and the work of those who undertake those processes. And without this context, it is very difficult if not impossible to do the job properly. While it is the task of the lawyers to limit the efforts of the digital forensics evidence workers in these regard

The legal matter determines the jurisdictions involved and thus the applicable laws and legal processes, the legal theories, methodologies, and applications of those methodologies that will be accepted, the requirements for admissibility of evidence, the requirements for acceptance of expert witnesses, the standards of proof, and many other similar things that impact the digital forensic evidence and its use.

Legal Theory: Legal counsel typically identifies the legal theories of the case that are applicable to the digital forensic examiner and the work they are doing; however, a good examiner may identify their own theories of the case as well as confirm or refute different theories held by others. Legal theories generally stem from laws and their application, and are not scientific theories. Rather, the expert uses science to establish facts and draw opinions that may support different legal theories.

Methodology: In order to be worthy of consideration, the scientific methods used by the digital forensic examiner must follow a methodology based on scientific principles.

The Daubert case [4] dominates in US Federal cases. Frye [5] may apply in many states for non-Federal cases. The Frye standard is basically: (1) whether or not the findings presented are generally accepted within the relevant field; and (2) whether they are beyond the general knowledge of the jurors. Daubert also allows accepted methods of analysis that properly reflect the data they rely on.

Application: In addition, the examiner must apply the methodology in a proper manner in order for the results of its application to be admitted as evidence. Daubert [4] and Frye [5] essentially require that the expert use accepted methods of analysis that properly reflect the data they rely on.

Jurisdiction: Limitations on elements of the case such as searches and seizures, which may be real-time or after the fact, compulsory or by permission, and limited in various ways so as to prevent them from becoming "fishing expeditions", are informed by and help to form the context within which the digital forensic examiner must operate. These are determined largely by the jurisdiction in which the matter rests.

CaseType: The nature of the case, whether it is civil or criminal, and sub-distinctions within these broad categories, affects the standards of proof and admissibility, the rules of evidence, the rules for trials, and many other aspects of what can and cannot be used in the legal matter and supported or refuted through digital forensic evidence. Procedural requirements of legal cases may constrain certain arguments and evidence so that they can only be used at particular times or in particular types of hearings.

ProofStandard: The two most common standards of proof are the "preponderance of the evidence" standard typically required in civil matters, and the "beyond a reasonable doubt" standard that typically applies to criminal cases. Depending on the standard that applies, greater or lesser detail and attention may have to be paid to make or break a case.

Calendar: The calendar is often daunting in legal matters, and in many cases there is very little time to do the things that have to be done with regard to digital forensic evidence. The calendar of the case may also impact the sequence in which evidence is dealt with, and this may result in additional complexities relating to the ordering of activities undertaken.

Strategies: Strategies and tactics of the case may limit the approaches that may be taken to the digital forensic evidence. For example, even though some sorts of analysis may be feasible, they may be potentially harmful to the side of the case the forensic examiner is involved in, and therefore not undertaken by that side.

Cost: Cost is an important factor because only finite financial resources are available. While there may be an enormous range of analysis that could be undertaken, much of it may not be undertaken because of cost constraints.