Computer Evidence Admissibility in Court

Computer Evidence Admissibility


Question

To be admissible in court, computer evidence must be which of the following?

Answers

A. Relevant
B. Decrypted
C. Edited
D. Incriminating

Explanations

Correct answer: A.

Before any evidence can be admissible in court, the evidence has to be relevant, material to the issue, and it must be presented in compliance with the rules of evidence. This holds true for computer evidence as well.

While there are no absolute means to ensure that evidence will be allowed and helpful in a court of law, information security professionals should understand the basic rules of evidence. Evidence should be relevant, authentic, accurate, complete, and convincing. Evidence gathering should emphasize these criteria.

As stated in CISSP for Dummies:

Because computer-generated evidence can sometimes be easily manipulated, altered, or tampered with, and because it's not easily and commonly understood, this type of evidence is usually considered suspect in a court of law.

In order to be admissible, evidence must be:

Relevant: It must tend to prove or disprove facts that are relevant and material to the case.

Reliable: It must be reasonably proven that what is presented as evidence is what was originally collected and that the evidence itself is reliable. This is accomplished, in part, through proper evidence handling and the chain of custody. (We discuss this in the upcoming section "Chain of custody and the evidence life cycle.")

Legally permissible: It must be obtained through legal means. Evidence that's not legally permissible may include evidence obtained through the following means:

Illegal search and seizure: Law enforcement personnel must obtain a prior court order; however, non-law enforcement personnel, such as a supervisor or system administrator, may be able to conduct an authorized search under some circumstances.

Illegal wiretaps or phone taps: Anyone conducting wiretaps or phone taps must obtain a prior court order.

Entrapment or enticement: Entrapment encourages someone to commit a crime that the individual may have had no intention of committing. Conversely, enticement lures someone toward certain evidence (a honey pot, if you will) after that individual has already committed a crime. Enticement is not necessarily illegal but does raise certain ethical arguments and may not be admissible in court.

Coercion: Coerced testimony or confessions are not legally permissible.

Unauthorized or improper monitoring: Active monitoring must be properly authorized and conducted in a standard manner; users must be notified that they may be subject to monitoring.

The following answers are incorrect:

Decrypted: incorrect because evidence has to be relevant, material to the issue, and it must be presented in compliance with the rules of evidence.

Edited: incorrect because evidence has to be relevant, material to the issue, and it must be presented in compliance with the rules of evidence. Edited evidence violates the rules of evidence.

Incriminating: incorrect because evidence has to be relevant, material to the issue, and it must be presented in compliance with the rules of evidence.

Reference(s) used for this question: CISSP Study Guide (Conrad, Misenar, Feldman), Elsevier, 2012, page 423; McGraw-Hill, Shon Harris, CISSP All In One (AIO), 6th Edition, pages 1051-1056; and CISSP for Dummies, Peter Gregory.

Computer evidence is electronic evidence that is used in court to prove or disprove a legal issue. Such evidence may include digital files, emails, chat logs, system logs, metadata, and other electronic data.

To be admissible in court, computer evidence must meet certain standards. These standards are generally based on the Federal Rules of Evidence (FRE) and are intended to ensure the reliability and accuracy of the evidence.

The answer to the question is A. Relevant.

This means that the evidence must be related to the case and must have some probative value, which means it must tend to prove or disprove a fact that is relevant to the case. For example, if the case is about a computer crime, such as hacking or unauthorized access, then evidence that shows the defendant's access to the system may be relevant.

The other options listed in the question are not correct.

B. Decrypted - While encrypted data may need to be decrypted to be used as evidence, the evidence does not need to be decrypted to be admissible. However, if the data is encrypted, then the party seeking to admit the evidence may need to show that the decryption process was reliable and did not alter the data in any way.

C. Edited - Computer evidence should not be edited or tampered with, as this could compromise the reliability and authenticity of the evidence. If the evidence has been edited, then it may not be admissible.

D. Incriminating - Computer evidence does not need to be incriminating to be admissible. It may be used to prove innocence as well as guilt.

In summary, to be admissible in court, computer evidence must be relevant and not edited or tampered with. It does not need to be decrypted or incriminating to be admissible.