Computer Forensics, Electronic Evidence and the Courts in Canada

Introduction

The role of computer forensic technology and electronic evidence as it relates to the Courts will be addressed throughout this paper. Beginning with a high-level overview of computer forensics, the paper will discuss proper crime scene and incident scene processing, including consideration of the computer as an evidence site, evidence collection and data seizure, duplication and preservation of electronic evidence, verification and authentication of electronic evidence, and discovery of electronic evidence. Next, the Courts of Law and their views on computer crime, disclosure obligations regarding electronic evidence, preservation of electronic evidence, and admissibility at trial will be considered.

High-Level Overview of Computer Forensics

Computer forensics is the collection, preservation, analysis, and presentation of computer-related evidence. A number of terms have come to be associated with computer forensics, some more descriptive and accurate than others: computer forensic analysis, electronic evidence discovery, data recovery, data discovery, and computer analysis. In practice, computer forensics incorporates most of the activities these terms describe.

Evidence remains on a computer system and can subsequently be used in both civil and criminal cases; these days it takes special effort to erase one's electronic footprint. The goal of computer forensics is to retrieve the data and interpret as much information as possible about what was collected; merely recovering the data is not sufficient.

If there is a computer at the scene of a crime, there is a good probability that it contains valuable evidence. Examination of the computer system, or of the data it contains, must be conducted by a competent computer forensics professional, because the validity and credibility of any seized evidence is of utmost importance.

Processing Crime and Incident Scenes

From the point of view of the investigator, each computer system accessed by a computer criminal (cyber-criminal) represents a potential source of evidence: an evidence site. A digital footprint, analogous to a human fingerprint, is left behind in most cases, often unbeknownst to the criminal. In computer crime cases, system-generated logs are as important a source of potential evidence as any transaction, process, or file affected by the criminal.

The processing of a crime scene, sometimes called an incident scene, requires a methodical approach to maximize the potential evidentiary value of any physical evidence discovered. Once at the scene, evidence collection and seizure should begin as soon as practicable to prevent loss or destruction. The computer forensics professional should make a copy of the electronic data and work from that duplicate, so that the original physical evidence is preserved and not contaminated. Whether the evidence is ultimately admissible in a court of law depends in part on being able to verify its authenticity.

Electronic evidence poses a unique challenge: unlike most other forms of physical evidence it lacks permanence and can be lost forever. To be meaningful to an investigation, electronic evidence must be admissible, authentic, complete, reliable, and believable. These properties are so vital to a successful investigation that they have become de facto rules.

Admissibility is the most basic of these criteria, especially from the perspective of the Courts. Failing this rule carries the same consequences as not collecting the evidence at all, except that the cost is higher.

Authenticity of the evidence relates to showing the connection between the physical evidence and the crime or incident. Failure to prove a relevant connection between the evidence and the event eliminates its evidentiary value.

Completeness of the evidence collected serves two fundamental purposes: the evidence could prove the innocence of the suspect, or it could prove that the suspect committed the offense to the exclusion of other parties. It is not sufficient to document only one perspective of the incident; failure to take this dual perspective into account leaves evidence collection incomplete.

Reliability of the evidence is paramount. Failure to adhere to well-documented collection and analysis procedures casts doubt on the authenticity and veracity of the evidence.

Believability at trial hinges upon presenting the evidence in a clear and understandable manner to the Court. Presenting the evidence so that the Court can draw its own conclusions, consistent with that evidence, requires special skills and attention.

When collecting and analyzing evidence, a general four-step procedure should be followed and adapted to the situation at hand: identification, preservation, analysis, and presentation of the evidence. Distinguishing between evidence and garbage is vital; knowing what data is sought, where it is located, and how it is stored aids in this distinction. The evidence must be preserved in an unaltered state whenever practicable; where that is not possible, it must be preserved as close to its original state as possible, and any state change must be documented and justified to preserve its evidentiary value. Presenting the evidence in a meaningful way facilitates communication with persons outside the realm of the criminalist, particularly in the Courts.

To preserve the potential evidence stored in a computer system, the criminalist must understand not only the visible data storage areas but also the hidden or less obvious ones. Electronic evidence is fragile and can be inadvertently destroyed, or at the very least unintentionally altered, if proper safeguards are not in place. Many of the problems associated with computer evidence processing vanish when time-tested procedures are followed. Preservation of evidence is the primary element of all criminal investigations, including those involving evidence stored within a computer system.

As previously stated, computer evidence is fragile by its very nature, and the problem is exacerbated by the existence of destructive means by which the scene can be destroyed from an evidentiary standpoint. Additionally, most computer systems contain data storage areas not normally visible to the user (unallocated space, file slack, swap and temporary files, for instance) but which are used during the routine operation of the system.

The steps in computer evidence processing are not hard-and-fast rules; instead, these guidelines are offered:

  • shut down the computer (where volatile data such as running processes, network connections, or memory contents may be needed, capture it first, since it is lost at shutdown),
  • document the hardware configuration of the system,
  • transport the computer system to a secure location when possible or practicable,
  • make complete (low-level or bit-stream-level) copies of the storage media attached to or seized along with the computer system,
  • authenticate the data on all storage media with cryptographic hashes (a plain checksum detects accidental corruption but not deliberate alteration),
  • document the system date and time (hardware clock or time-of-day clock) and any difference from a reference clock,
  • document filenames and the date-and-time stamps associated with each file,
  • classify each file as program, data, or system, and
  • document all observations and actions.
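The imaging, hashing, and documentation steps of the guidelines above, carried through as an added Python example (illustrative code written for this page, not a tool from the paper or its sources). The source "device" is a constructed file, the unreadable sector is simulated, and the sector size, examiner name, and file names are assumptions.

```python
"""Bit-stream acquisition with sector-level error handling, an independent
verification hash, and a notebook entry. Added example; the device, the bad
sector, the sector size and the examiner name are all constructed/assumed."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512  # assumed; in practice use the size the device reports


class UnreadableSector(IOError):
    pass


def read_sector(fh, index, size, bad_sectors):
    """Return the bytes of one sector, raising for sectors the device refuses."""
    if index in bad_sectors:
        raise UnreadableSector("I/O error reading sector %d" % index)
    fh.seek(index * SECTOR)
    return fh.read(min(SECTOR, size - index * SECTOR))


def image_device(source_path, image_path, bad_sectors=frozenset()):
    """Copy every sector of the source into the image, hashing as it goes.
    An unreadable sector is zero-filled rather than skipped, so every later
    offset in the image still lines up with the device, and it is logged."""
    size = os.path.getsize(source_path)
    sectors = (size + SECTOR - 1) // SECTOR
    digest = hashlib.sha256()
    read_errors = []
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for i in range(sectors):
            try:
                chunk = read_sector(src, i, size, bad_sectors)
            except UnreadableSector as exc:
                read_errors.append({"sector": i, "error": str(exc)})
                chunk = b"\x00" * min(SECTOR, size - i * SECTOR)
            digest.update(chunk)
            dst.write(chunk)
    return {"sectors": sectors, "acquisition_sha256": digest.hexdigest(),
            "read_errors": read_errors}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def acquire(source_path, image_path, bad_sectors=frozenset(),
            examiner="examiner (assumed)"):
    """Image the source, re-hash the written image in a second pass, and
    build the notebook entry: who, when, what, hashes, and any read errors."""
    started = datetime.now(timezone.utc).isoformat()
    result = image_device(source_path, image_path, bad_sectors)
    verification = sha256_file(image_path)  # independent pass over the image
    st = os.stat(source_path)
    return {
        "examiner": examiner,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "source": {"path": source_path, "size_bytes": st.st_size,
                   "modified_utc": iso(st.st_mtime),
                   "accessed_utc": iso(st.st_atime),
                   "metadata_changed_utc": iso(st.st_ctime)},  # creation time on Windows
        "image": image_path,
        "sectors": result["sectors"],
        "acquisition_sha256": result["acquisition_sha256"],
        "verification_sha256": verification,
        "verified": result["acquisition_sha256"] == verification,
        "read_errors": result["read_errors"],  # must appear in the notebook
    }


def demo():
    """Acquire a constructed 9-sector device twice: once cleanly, once with
    sector 3 unreadable. Returns both records and the device's own hash."""
    device = (bytes(range(256)) * 16) + b"trailing partial sector"  # 4119 bytes
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "device.raw")
        with open(src, "wb") as fh:
            fh.write(device)
        clean = acquire(src, os.path.join(tmp, "clean.dd"))
        damaged = acquire(src, os.path.join(tmp, "damaged.dd"), bad_sectors={3})
    return {"device_sha256": hashlib.sha256(device).hexdigest(),
            "clean": clean, "damaged": damaged}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

A real acquisition reads the device through a hardware write blocker; the example reads an ordinary file so that it runs anywhere. The point of the damaged run is that the acquisition hash covers the image as written, zero-filled sectors included, so it will never match a hash of the original device and is only meaningful alongside the recorded read errors.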

The investigation team assigned to the case requires the tools necessary to collect and preserve the physical evidence, as well as an incident-handling procedure manual, a notebook in which to document evidence collection, and evidence tags. The situation dictates whether the evidence is collected at the incident scene or in a controlled laboratory setting. In certain cases, it is necessary to keep the entire computer system, or components of it, as evidence. The evidence notebook is a crucial component in maintaining the chain of custody and must therefore be as detailed as possible so that it provides a written record of that chain.

Once all evidence has been analyzed and the observations recorded in the evidence notebook, a copy of the notebook should be made available to the prosecution. If sufficient evidence exists to proceed with legal action, maintaining the chain of custody for the physical evidence continues to play a vital role.

Procedures have been developed to deal with the issues surrounding the integrity of electronic physical evidence collected at crime scenes. Although these procedures are effective under the current rules of evidence and as advocated by the Courts, it is anticipated that alternative procedures will be necessary in the future. Authentication of electronic physical evidence raises unique considerations for the criminalist and for the criminal justice system as a whole. To avoid situations in which the accused's presumption of innocence would be undermined, it is possible to capture a copy of the content of their computer system without depriving them of access to it pending trial or litigation: all information can be extracted in a way that leaves the system unaltered, and the duplicate is used for subsequent forensic analysis. In view of this capability, the Courts frequently insist that such a copy be protected from modification. Thus it is not the content that needs protection but its integrity. The protection takes two forms: a secure method of determining that the data has not been altered in any way, and a secure method of determining that the copy genuinely originated on the suspect's computer system at the time recorded in the evidence notebook.
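The two forms of protection just described, as an added example (written for this page, not taken from the paper or its sources). It binds the acquisition hash, the source identity, and the acquisition time into one authenticated notebook record, then checks a working copy against it. HMAC-SHA256 under an examiner key stands in for the digital signature or trusted timestamp a real process would use, since the Python standard library has no asymmetric signature; the key, device serial, time, examiner name, and image bytes are all constructed.

```python
"""Integrity of the evidence copy plus authenticity of its origin record.
Added example. HMAC under an examiner key is a stand-in for a signature or
trusted timestamp; key, serial, time and image bytes are constructed."""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(record: dict) -> bytes:
    # Fixed key order and separators: the same record always gives the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict, key: bytes) -> dict:
    """Bind hash, source identity and time together under the examiner's key.
    Any later change to the record, including its time, invalidates the tag."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_copy(copy: bytes, sealed: dict, key: bytes) -> dict:
    """Two independent checks: is the notebook record authentic, and does the
    working copy still hash to the value recorded at acquisition?"""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    record_authentic = hmac.compare_digest(expected, sealed["tag"])
    copy_matches = hmac.compare_digest(
        sha256_hex(copy), sealed["record"]["acquisition_sha256"])
    return {"record_authentic": record_authentic,
            "copy_matches_acquisition": copy_matches,
            "fit_for_analysis": record_authentic and copy_matches}


def demo():
    key = b"examiner-key-constructed-for-demo"  # assumed; would be a protected key
    image = bytes(range(256)) * 16              # constructed 4 KiB "bit-stream image"
    record = {
        "source_serial": "WD-EXAMPLE-0001",      # assumed device identifier
        "acquired_utc": "2004-03-15T14:22:05Z",  # constructed notebook time
        "examiner": "J. Doe (assumed)",
        "acquisition_sha256": sha256_hex(image),
    }
    sealed = seal_record(record, key)
    outcomes = {"intact": verify_copy(image, sealed, key)}

    # A single flipped byte in the working copy is detected ...
    altered = bytearray(image)
    altered[100] ^= 0x01
    outcomes["copy_altered"] = verify_copy(bytes(altered), sealed, key)

    # ... and so is an altered notebook record (here, a changed acquisition time).
    forged = {"record": dict(sealed["record"], acquired_utc="2004-03-16T09:00:00Z"),
              "tag": sealed["tag"]}
    outcomes["record_altered"] = verify_copy(image, forged, key)
    return outcomes


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is deliberately split in two: a matching hash alone says nothing about where or when the copy was made, and an authentic record alone says nothing about the copy in hand. With a shared HMAC key anyone holding the key could re-seal a forged record, which is why a real process uses a signature the examiner alone can produce, or an independent timestamping service, for the origin-and-time binding.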

Computer systems are increasingly being considered a primary source of evidence in both civil and criminal cases. Some take the view that electronic data is merely logical evidence, in stark contrast to others in the legal community who view it as the equivalent of physical evidence. Those taking the former position argue that investigators can therefore avoid many of the provisions of traditional search and seizure that exist to ensure evidence integrity and the chain of custody.

The Courts and Their Response

Until the early 1970s, the Courts typically weighed a forensic scientist's testimony on the basis of his or her recognition as an expert among peers. While each criminalist usually brought their own methodology to a case, it was typical to base that practice on the work of others when describing the methods used.

“Today it is black letter law that computerized data is discoverable if relevant.” (Gathan, p.94).

In addressing the admissibility of electronic evidence, the Court of Appeal of England and Wales noted in R. v. Minors:

“The law of evidence must be adapted to the realities of contemporary business practice. Mainframes, minicomputers and microcomputers play a pervasive role in our society. Often the only record of a transaction, which nobody can be expected to remember, will be in the memory of a computer…. in criminal cases, much crime (and notably offences involving dishonesty) will in practice be immune from prosecution.” (Gathan, p.138)

The most significant challenge to the introduction of computer-produced data as evidence at trial is that it does not fall within the traditional classification of evidence. If admission of electronic evidence is sought on the basis that it is real evidence, equivalent to physical evidence, it requires authentication. Authentication of real evidence may entail having a witness identify the item in question, relate it to the issues, or establish that its condition is the same now as it was then in all relevant respects. Particularly in criminal proceedings, the Court may disallow evidence that may have been contaminated, or where gaps in the chain of custody can be shown.

The potential for falsification, fabrication, tampering, and alteration of electronic evidence is extremely high, and special safeguards must be in place to protect that evidence at all times. In one case, a computer forensic investigator described how he was asked by a State Attorney's Office in Florida to review evidence in a child pornography prosecution; after a thorough forensic examination of the defendant's computer system, it was concluded that the defendant had been framed and had no knowledge of the existence of such material on his computer system.

When presented with electronic evidence, the Court usually accepts it provided it can be authenticated, whether by admission of a party (a stipulation to the facts) or by witness accounts (sworn statement and/or testimony).

The legal system has generally resisted the temptation to enact computer-specific statutory rules of evidence for criminal acts involving the use of computer systems or computing devices. For example, after the hasty introduction of such a provision by the British Parliament, the English Law Commission recommended that the relevant section of the Police and Criminal Evidence Act (U.K.) be repealed without replacement, leaving the common law to address the situation. (Davis, p.211)

Another Court suggested that the need for an expert in computing is reduced by the widespread use of computer systems in society, and that “the process by which they produce records might ordinarily be evidenced by persons familiar with the business operation of the machine…” (Davis, p.210)

“Computers vary immensely in their complexity and in the operations they perform. The nature of the evidence to discharge the burden of showing that there has been no improper use of the computer and that it was operating properly will inevitably vary from case to case. I suspect that it will very rarely be necessary to call an expert and…in the vast majority of cases it will be possible to discharge the burden by calling a witness who is familiar with the operation of the computer…” (Lord Griffiths, quoted in Davis, p.210)

Expert evidence will nonetheless be necessary in some cases, regardless of the position stated by Lord Griffiths above. The need will arise because of the operation or existence of some hidden or non-obvious aspect of a program, data repository, or media format. Other cases will necessitate a forensic examination to discover evidence which in turn refers to events associated with the computer system and/or the data stored on it. The evolving discipline of forensic computing has begun to address these situations. However, the field of computer forensics raises questions for the Courts to consider in the future. Normally, expert testimony is admitted when it is shown, among other things, that the underlying science or area of expertise is well established and accepted by the professional community. Peter Sommers has suggested that, because of the unique nature of computer forensics and the constant evolution of technology, the area ought to be approached on a standards basis for the collection of computer-derived evidence and its presentation to the courts, without reference to particular technologies.

From this brief survey of computer forensics, electronic evidence, and the courts, it is apparent that this relatively new field of forensic science will continue to evolve both as a profession and in the courts. Some judges have ruled that the need for the computer forensic specialist is limited, while others have pointed out the necessity of competent practitioners in the field. As in any new area of exploration, many changes lie ahead for society, forensic science, and the courts.

Works Cited

Gathan, Alan M. Electronic Evidence. Carswell, 1999.
Davis, Robert W.K., et al. Computer Crime in Canada. Carswell, 1997.
Nelson, Bill, et al. Computer Forensics and Investigations. Thomson, 2004.