Brazil, September 15, 2004


For Law Enforcement Use Only



 Refuting Digital Evidence in Court

Boaz Guttman, Attorney



The author serves as a defense attorney specializing in cyber crime, is a lecturer on computer law at the Ruppin Academic Center and a member of the Israeli Council for the Protection of Privacy. Formerly, he was the officer in charge of the Cyber Crime Unit in the Israel Police force.


Note: In the presentation that accompanies my talk, you can see authentic examples of the questions raised here.


1. Evidence

Alongside the basic legal knowledge required of all defense attorneys, their role in cases featuring cyber crime also calls for a sound understanding of the terms used and the processes taking place in the court. Not many judges and prosecutors are fond of trials at which unfamiliar terms are used (usually by the defense), intended at worst to confuse the judge or, at best, to impress him into accepting the evidence. In the nature of things, most trials end in a plea bargain, the main reason being that everyone is already exhausted by the third evidence session.

The paper aims to explain in simple terms some of the key areas where the defense attorney's role calls for close attention at every stage, before the indictment is presented and thereafter.

This is unlike the customary procedure in trials where evidence is available in the form of fingerprints or an accomplice's testimony. For investigators, the immediate conclusion is that one member of the investigation team is given the role of the "bad guy." His task is to present the defense's position at each stage, so that whatever is discovered can be corrected in a timely manner.


2- Preliminary consultations before the trial – At this stage, in a meeting with the suspect who will shortly be questioned, the defense attorney explains what his rights are during the questioning.

The offence of disseminating a computer virus, for example, rests mainly on the suspect's admission. So the defense attorney informs the potential suspect that he has three options. The first is admission, after which the suspect transfers the decision on his fate to the prosecution. The second is to remain silent: if the police do not find anything on the hard disk, it could take them as much as two years to obtain the evidence from overseas. The third is to give a vague version that sends the police to Honduras or Korea to make inquiries, a procedure that is also likely to take some time.

The defense attorney makes it clear to the suspect that it is his right, according to customary rulings, to be present when the hard disk is copied, just as during the search of a house. If the detectives do not comply with the law or the procedure, this is likely to have an effect on the trial itself, in each country according to its own exclusionary rules.

The client is not obliged to hand over a password to access a file or a computer; this is covered by the right to remain silent. To date, the draft bills that have debated this matter have been inconclusive.

At the time of the arrest, if possible, the defense attorney must immediately examine the relevant server or site. Such an examination can reduce the suspect's detention from hours to minutes.

Next, he must use every available technology to bring all the evidence from the foreign jurisdiction before the present court, and thereby enable a faster investigation. Using those technologies, he transfers every application through a communications pipeline, regardless of the application used at the other end.

If the investigators or the prosecution do not respond correctly at this stage, it will be helpful for the defense later.

The expert who is called in at an early stage usually explains to the judge that there is no need for continued detention, since the server itself was attacked and is "knocked out." Right away, the expert should suggest to the investigators that they fly to the country where the server is down and seize evidence. If they refrain from doing so, it will help the defense at a later date. The defense attorney must wait patiently until the indictment is filed, at which point he can reveal the investigators' inaction and lack of response.


3- The trial itself – Criminal intent must be proved as one of the basic elements of the offence. A pedophile caught on a booby-trapped (sting) site, at the other end of the line or the other side of the ocean, may claim: "I thought there was another pervert, fantasizing like me, at the other end of the line... of course I had no serious intentions towards a five-year-old girl...".

Another common claim, "Someone took over my computer and did what he did by means of it," may acquire some evidentiary foundation if and when the investigators' shortcomings (failing to document everything adequately) are discovered.

Reasonable doubt is sufficient for a defense lawyer to clear the suspect.


In terms of the evidence: in this sort of crime, the emphasis is not on the ordinary rules about originals. When it is a matter of digital evidence, the rules of admissibility are more flexible, because we cannot differentiate between an original printout and a copy of it. Instead, the conditions for admissibility (how the evidence was obtained, preserved and authenticated) are more strongly emphasized, and this has an impact on how the case is handled.


4- Digital evidence – the definitions and language used are known in every country: information that can supply proof, and which is digitally transferred and stored.

It is obtained when the information and/or physical object is retrieved or stored so that it can be examined.

The copy of the information must be an exact one, regardless of the physical medium on which it is stored. Wherever digital evidence can be manipulated so as to modify, damage or destroy it, an appropriately trained person must handle the matter.
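How "an exact copy" is established in practice is by a cryptographic digest: the seized medium is hashed at acquisition, the digest is written into the seizure record, and every working copy is hashed again and compared. The following is an added example of that check, written for this page; it is not code from the paper or from any investigating agency. The "disk image" is a constructed byte string, the file names are invented, and SHA-256 is my choice of algorithm. Any single changed bit in a copy yields a different digest, which is exactly the property the defense expert tests for.

```python
import hashlib
import os
import tempfile


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Digest a file in fixed-size chunks, so an image larger than RAM
    can be hashed without loading it whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(original_path, copy_path, recorded_digest=None, algorithm="sha256"):
    """Compare a working copy against the source it was taken from and,
    optionally, against the digest recorded when the source was seized."""
    original = hash_file(original_path, algorithm)
    copy = hash_file(copy_path, algorithm)
    return {
        "original_digest": original,
        "copy_digest": copy,
        "copy_matches_original": copy == original,
        "copy_matches_record": recorded_digest is None or copy == recorded_digest,
    }


def demo():
    """Build a constructed 'seized disk' in a temporary directory, take one
    faithful copy and one copy with a single flipped bit, and verify both.
    The bytes are a repeated marker (constructed sample), not real evidence."""
    data = (b"CONSTRUCTED-DISK-IMAGE-SAMPLE-" * 70000)[: 2 * 1024 * 1024]
    tampered = bytearray(data)
    tampered[1_000_000] ^= 0x01  # one bit changed deep inside the copy
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "seized.dd")          # hypothetical file names
        good = os.path.join(d, "copy_ok.dd")
        bad = os.path.join(d, "copy_altered.dd")
        for path, content in ((src, data), (good, data), (bad, bytes(tampered))):
            with open(path, "wb") as f:
                f.write(content)
        # Digest taken at acquisition and written into the seizure record.
        acquisition_digest = hash_file(src)
        return {
            "faithful": verify_image(src, good, acquisition_digest),
            "tampered": verify_image(src, bad, acquisition_digest),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["copy_matches_original"], result["copy_matches_record"])
```

Note what the check does and does not prove: a matching digest shows that the copy before the court is bit-for-bit what was recorded at seizure; it says nothing about whether the seizure itself was done correctly, which is why the defense attorney's presence at the copying (section 2) still matters.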


5- Uniformity – evidence must be understood in every language because of international jurisdiction. Non-uniform evidence must not be allowed to slip into the courtroom via the "back door."

Uniformity is vital throughout the whole procedure: in the definitions used, in the basic process for obtaining evidence, in the findings, and in the common language used.

If evidence is not clear and understandable, we must object to it immediately.

Piles of material should not be crammed into the court file.

Since all cyber offences cross continents, a standard is needed for evidence collection and for its introduction into the courtroom. If no standard exists, an expert should be called.


6- Some problems – What should we ask for? What must investigators ask their distinguished colleagues in a timely way? Was it a Novell, UNIX, or Linux network? If they don't ask, the defense will, since it has an expert.

And again, the proof will be rejected. Did we get what we really wanted? Can I use what they gave me, or is it only for internal purposes? Has the investigator discovered what I have to find out? Has legal immunity been granted? This is the time to find out.


7 – Time – Like in any criminal trial, here too the defense has an inferior status. The prosecution takes the initiative and corrects its mistakes during the trial, as long as it has the time to do so. The investigator enjoys access to the judge at any time, and sometimes the judge is more flexible than a rubber stamp, to put it mildly. An average district judge just has to be told how to eavesdrop on the internet: you simply make a sketch and explain. By the time the defense realizes what has happened, it will be too late for the client.

A good and clear explanation to the judge, in good time, saves cold sweat in the courtroom. So a good investigator documents every move and step in the file.

The prosecution has a double task... when the investigator meets the network administrator, he is a colleague, not an adversary. He is the key to well-arranged and clear evidence, obtained at the right time, because the administrator knows every point and intersection in the network. In the courtroom, his explanations, whether recorded, photocopied, or filmed, will improve the prosecutor's mood.


8 – The qualities of good evidence – it must be authentic, accurate and complete. A computer printout that is printed diagonally on the page, or a duplicate printout inside the package of outputs, makes the defense's work easier, and the work of an appeal, too.

Handling the evidence – is it stored in a properly ventilated area, or in a room where it could be damaged?

The entire process must be totally transparent.

The procedures used, the content of the evidence, and the explanations around it must all be precise and accurate.

When the evidence is clearly and properly documented, the defense expert finds it harder to identify weak points.


9 – Questions – how does the prosecution prove the connection to the break-in? The connections between the computers? After all, in this case it is not a matter of fingerprints. What are the variables that intervene in the process? How exactly was the computer hacked into? How was the break-in monitored and discovered?


10 – The expert – explains the evidence to the defense: where the weakness lies in the theory of the case and in the evidence collected by the investigators.

In a trial itself, the expert helps by giving evidence where necessary.

The expert provides advice according to clearly defined instructions, derived from the court proceedings.

He must disregard admissions by the accused or by a witness, and indicate the weakness of the digital evidence.

He must scrutinize the statements given by the ISP and point out the weaknesses in its testimony, in the testimony of the victim's network administrators, and in any records that were made or collected.

During cross-examination, as an expert witness he may, if necessary, use a police officer's own testimony against his colleagues and/or against the prosecution's position.


11- Often-heard claims – "An amazing quantity of information"... we also have to explain to the distinguished lady serving as deputy president of the court: "Before your honor are the five gigabytes that were seized. Each floppy disk can contain 4,000 printed pages. Multiplied by 5,000, this is the quantity of information that the defense must be given and which it must examine...". In these cases, we are often granted a deferral.

Incomplete logs, i.e. evidence that was ostensibly taken from another computer. We must examine the process by which the information was reproduced and extracted, the output, corrupt files, and access to the files or to the password (was it exclusive?), as well as the dates and times of the eavesdropping, not its content, and whether they match the printouts.

Was the eavesdropping method automatic or semi-automatic?

How was the evidence generated and/or stored?

Which member of the team is reporting? Is it a question of hearsay? The security measures in place at the eavesdropping facility will reveal this.

The software programs used to eavesdrop must be discovered and their dependability must be evaluated.

Making a "ghost" (a disk image) of the electronic arena – was this done, and if so, how?

Were traps laid, and if so, where?

Examples from other cases.

When a software program is used to collect digital evidence, we have to find out whether it is well known. What is its error rate? Has it been discussed in the professional literature?
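The "incomplete logs" point above, and the check that the dates and times of the eavesdropping match the printouts, can be made mechanical rather than left to eyeballing. The following is an added example written for this page, not code from the paper or from any ISP or police unit: it audits a constructed ISP-style log excerpt for unparseable lines, timestamps that run backwards, and unexplained gaps, and then tests whether each time claimed on a prosecution printout is actually supported by a log entry. The log line format, the one-hour gap threshold, the user and IP values and the sample lines are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample ISP log excerpt (not from any real case). Line 4 runs
# backwards in time and line 5 follows a gap of more than two hours.
SAMPLE_LOG = """\
2004-09-15 10:01:03 radius: session-start user=u417 ip=10.0.0.5
2004-09-15 10:01:45 radius: session-start user=u902 ip=10.0.0.9
2004-09-15 10:03:10 radius: session-stop user=u902 ip=10.0.0.9
2004-09-15 10:02:58 radius: session-start user=u118 ip=10.0.0.3
2004-09-15 12:40:00 radius: session-stop user=u417 ip=10.0.0.5
"""

# Times at which a hypothetical prosecution printout claims the suspect's
# address was active (constructed). The second one has no log entry behind it.
PRINTOUT_CLAIMS = ["2004-09-15 10:01:03", "2004-09-15 11:15:00"]

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_log(text):
    """Split the excerpt into entries; lines that do not carry a timestamp
    are kept with ts=None so they show up as findings instead of vanishing."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            entries.append({"lineno": lineno, "ts": None, "msg": line})
            continue
        ts = datetime.strptime(m.group(1), TS_FORMAT)
        entries.append({"lineno": lineno, "ts": ts, "msg": m.group(2)})
    return entries


def audit_log(text, max_gap=timedelta(hours=1), printout_times=()):
    """Return a list of (kind, lineno, detail) findings. kind is one of
    'unparseable', 'out_of_order', 'gap' or 'printout_unsupported'."""
    findings = []
    entries = parse_log(text)
    prev = None
    for e in entries:
        if e["ts"] is None:
            findings.append(("unparseable", e["lineno"], e["msg"]))
            continue
        if prev is not None:
            if e["ts"] < prev["ts"]:
                findings.append(("out_of_order", e["lineno"],
                                 f"{e['ts']} follows {prev['ts']}"))
            elif e["ts"] - prev["ts"] > max_gap:
                findings.append(("gap", e["lineno"],
                                 f"{e['ts'] - prev['ts']} with no entries"))
        prev = e
    # Every time on the printout must be backed by an actual log entry.
    seen = {e["ts"] for e in entries if e["ts"] is not None}
    for claim in printout_times:
        if datetime.strptime(claim, TS_FORMAT) not in seen:
            findings.append(("printout_unsupported", None, claim))
    return findings


if __name__ == "__main__":
    for kind, lineno, detail in audit_log(SAMPLE_LOG, printout_times=PRINTOUT_CLAIMS):
        print(f"{kind:22} line={lineno} {detail}")
```

On the constructed excerpt the audit reports three findings: the backwards timestamp on line 4, the unexplained gap before line 5, and the printout time with no supporting entry. Each of those is a cross-examination question rather than a conclusion: a gap may be a quiet period, a rotated file, or a missing page, and only the person who produced the log can say which.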

These are just some of the challenges that the defense attorney must cope with later in the trial, and his chief tool is cross-examination.


12 – Summary


The objective of this paper is to illuminate, in everyday language taken from the courtroom, some issues that the defense attorney must address in cyber crime cases. There are two principal tools: (1) documentation, or the lack of it, and (2) common sense. Within a given timeframe, the cyber crime investigator must relate to these considerations too. They will spare the prosecution unnecessary trouble and will simplify the court's ruling in the matter.

Simplifying matters is the key issue.


Attached to the material given to the organizers with the presentation are appendices detailing and illustrating my remarks today.


Thank you very much.