Computer Evidence - General

This paper contains the unfinished notes which accompanied a talk I gave at Hewlett Packard in Cheshire, in September 1997, at a joint meeting of the Society for Computers and Law (Northern Branch) and the British Computer Society. Whilst polite, this audience can be difficult. I was surrounded by some very heavyweight lawyers (and I refer not merely to girth), and by others whose knowledge of the world of computers will always be more detailed than mine. The lecture will be, in turns, unconvincing to either or both.

The paper discusses some of the ways in which computers are finding their way into court now, and how things may develop. We discuss first the law as it currently applies, and secondly the questions which arise from the investigation of the contents of computers - how systems managers and computer owners should prepare themselves, and what may be found, and how, on many computers. Last we come to issues for the future: as computers produce more evidence further distant from human 'statement', how will decisions be made as to what is acceptable in court?

Feb 2000. Though the paper remains untidy, some updating has taken place.

The Law

The law of evidence in this area has been the law of hearsay. Hearsay is common to both civil and criminal courts, though the law differs. We also face some questions about what is coming to be called 'original evidence', and also look at a section of the Police and Criminal Evidence Act 1984.

Evidence is what a person, a real live and above all questionable individual, says in court. A statement has to be about what that individual knows at first hand. He talks about what he has seen or heard. He asks the court to believe what he says, because, and just and only because, he saw it happen. In ordinary life we attach weight, not just to what others say they saw and heard. We pay heed also to Person A saying he heard Person B say something. 'George said that Fred was there' is typical.

Computer evidence is usually an individual producing a printout from a computer. He produces it as evidence of the truth of what it says. The print-out cannot be cross-examined, only the witness. The print out is, in its nature, hearsay. The facts underlying the statement, when this invoice was sent out, or when this payment was received, are not known directly to the person producing the statement to the court. He saw neither invoice nor cheque. Under common law, and as a general rule, such evidence was inadmissible. Computer records have additional problems, since they typically bring together many statements by many different individuals within an organisation, each of whom may only be repeating ('entering information') what they have been told, and who are more often than not untraceable.

They are known as 'combination statements'; statements made by several people, and at the same time. 'Compound hearsay', or hearsay upon hearsay, is where one person reports another saying that a third (or worse) has asserted the fact sought to be proved. All possibility of challenge by cross-examination is lost.

The lawyer needs to be quite sure with all evidence:

  • What it is that is to be proved - precisely.
  • Who could stand up in court and say it - precisely and from first hand knowledge.

Hearsay is a rule of law by which evidence is excluded, by which, at its worst, a court refuses to listen to it. A court says that it will not allow the evidence to be entered. There are various definitions of hearsay, and some of the very technical distinctions made make medieval theologians look like intellectual navvies.

One or two definitions:

'Former statements of any person may not be given in evidence if the purpose is to tender them as evidence of the truth of the matters asserted in them.'


'An assertion other than one made by a person while giving oral evidence in the proceedings is inadmissible as evidence of any fact asserted'

and again in more detail:

"Evidence of a statement made to a witness ... may or may not be hearsay. It is hearsay and inadmissible when the object of the evidence is to establish the truth of what is contained in the statement. It is not hearsay and is admissible when it is proposed to establish by the evidence, not the truth of the statement, but the fact that it was made": Subramaniam v. Public Prosecutor [1956] 1 W.L.R. 956 at 969, P.C.; and Ratten v. R., ante.

Statements need not only be words making up a sentence; but can also include nods, grunts or questions in humans and perhaps balances in a computer printout.

Though the general rule has always been against hearsay, commercial needs have driven the courts, for almost as long, to acknowledge the need for exceptions. In statute this began with the Bankers Books Acts in the last century, but common law exceptions also grew, and the law became complicated and unwieldy. Computer evidence was admitted by one or two specific measures and we end up where we are today.

Before discussing the actual law, it is important to get a proper feel for the tension in these issues. We need to understand the questions which lie at its root. We are talking about fairness. Non-lawyers talk about justice, but we lawyers shift uncomfortably in our chairs on mention of the 'J' word.

The proposer of evidence tends to believe in its accuracy. A challenge to that evidence can mean very expensive investigations into the background of the assertion to support it. A party may be justifiably certain of their case, but quite unable to improve the evidence by bringing to court an individual who could justify a central assertion. The evidence itself may be a tiny but crucial link in a long chain of statements which go together to prove that A owes B fifty pounds. This is typical of the situation in most cases where a debt is collected by a business, where there has been anything more complicated to the transaction than a single unpaid invoice. The need to admit such business documents easily goes back a long way - to the early nineteenth century with the Bankers Books Evidence Acts. Unless such account statements can be admitted easily, the world will crumble to a stop.

On the other hand we all know how malleable are computer records, and we all know how, once a mistake (worst of all a deliberate mistake) finds its way into computer software, the errors it creates can be of almost any variety: intermittent, or once only, untraceable, unfindable, insidious and occasionally disastrous. It may be perfectly possible to hide a routine in many computer programs, which will generate and post say a false invoice on every month when the third is a Monday to every account where the fourth digit of the account number is a '1'. In other words you do not know that there are no errors from the fact that your test results seem ok. The bigger the computer system, the more difficult it is to be sure when you say 'It's ok' and the greater is the need to assert it whether or not it is true. If you ask a major financial institution if their software is reliable and secure, they will say 'Yes' whatever the truth.

In other words the bigger they are the less reason you have to trust what is said. A major company will say its software works, whatever the truth of it. What is the point of asking someone a question if you know that they can only answer in one way?

There is a case which does illustrate this problem, and the issues it raises in court.

The case is one which involves the familiar questions which have been raised and denied with regard to bank cash machines. A policeman, a sergeant, claimed that entries in his bank statements relating to withdrawals made from a cash machine were not made by him. The bank said that the withdrawals can only have been paid by him. He insisted that the computer must be wrong, that there must be weaknesses in the software which allowed somebody else to take his money. He asked for his money back, the Bank called the police and he was charged with attempting to obtain a pecuniary advantage by deception.

He was convicted by the magistrates, who accepted the evidence of the bank that the software was working correctly. He appealed against the decision to the Crown Court, and in the Crown Court his lawyers pressed again for the innermost details of the banking system to be made available to their experts for examination. The defendant said that only if this happened could he receive a fair trial.

In this case the court listened.

The bank were ordered to make greater disclosure. The bank was faced with a terrible choice. The very security it needed to guarantee to customers that their accounts were not going to be attacked would be threatened if disclosure was made and the innermost secrets of the software revealed to all and sundry. The Bank withdrew rather than have the software examined.

We must have sympathy for the defendant who is presumed to be innocent. At the same time the bank must not be required to compromise its security in order to deny a thief

The case exemplifies splendidly the difficulties which legislators face. They have a fine balance to strike and however they choose, wherever the line is placed, it will be uncomfortable. Over the years, as computers have formed a larger and larger part in our lives, the courts and Parliament have been happier and more relaxed about the admission of computer generated evidence without leaving other parties to litigation the freedom to challenge that evidence.

The Law Commission set out to simplify the admission of hearsay, and this culminated in the Civil Evidence Act 1995. The history of the various changes in the law is complicated, but this Act at last brought some simplicity. In practice many more documents are admitted with much less fuss and knee trembling than before.

Gone are the days when all you needed to do to defend a debt action was to point to one or two inaccuracies in the Plaintiff's computer printout, ask innocently whether the computer was functioning properly, and hey presto - silence, and a debt forgiven. The technicalities of pursuing debt whilst satisfying the court's rules of evidence were beyond all but the most determined of litigating solicitors, and then only when the debt justified the considerable expense. It was unsatisfactory, and the changes were needed.

It must be understood that the law, in the civil courts at least, is not designed entirely or even principally with computer generated evidence in mind. The Civil Evidence Act of 1965 creates a new regime under which hearsay evidence can be admitted into court. The way in which the Act works creates its own difficulties. It starts with its own definition of hearsay and continues to say that such evidence is to be admitted if presented in a way which complies with the code set out in the Act.

What the Act does not suggest is how evidence which is hearsay under common law provision, but which is not hearsay within the definition given in the Act, is to be dealt with in future. I can only say with great confidence that there are very substantial complications arising from this logical trap. Greater minds than mine will have to unravel them.

Mercifully, these very fine distinctions are not of direct relevance to the guidelines we now discuss. Section 2 of the Act relates the conditions under which hearsay evidence will be admitted. It says, almost immediately, that the court may admit evidence not presented in accordance with the rules, but that in doing so the court may penalise the offending party, perhaps in costs, so long as the court has the opportunity to determine the issues between the parties and the truth of their assertions. Section 3 provides for the admission of hearsay evidence as a general rule.

Note that the fact of the definition of hearsay used by the Act causes many problems. What about elements of the law relating to hearsay falling outside the definition? Hearsay is a common law concept. The Act merely defines and uses the word for its own purposes and within its own terms.

In the past, it was the procedure for bringing in documents which caused the greatest problem, not the actual admissibility. This Act relaxes and simplifies the procedure.

Penalties for failure to follow may still be draconian - can be in costs - an adjournment on terms and may be allowed to affect the weight given to the evidence.

This is only fair. If I say to you 'Believe X to be the case because John told me so', and hope to get away without calling John, it is only fair if the other side can call John to ask him themselves.

There are fearsome implications for organisations. Who, precisely, is responsible for inputting transactions? In principle that person, whoever it might be, can be called. It is their statement which is being asserted as true. A large organisation would in truth have great difficulty in producing all the people involved. This was not, in practice, a great fear since the failure to abide by the rules was not usually challenged.

Lists the various factors which the court will take into account when assessing the evidence

It must be understood that what the Act does is to say that a judge will listen to the hearsay evidence. It does not mean that it will be believed, or even that

As we become more and more acquainted with computer systems we go through a little cycle. The more sophisticated amongst the audience may just have forgotten it.

We perhaps start by disbelieving all things computerised - they are a threat to our non-computerised world and ways of working.

We learn a bit - and hey presto - the computer is king - if the computer says it is true, it must be.

We learn some more - we see how computer records can be altered sometimes apparently without any trace. The records are seen to mean nothing.

Those who go further and become involved

We listen to a talk by me, and implement digital signatures and/or other authentication procedures and sit comfortably assured that our records are accurate.

Finally we see that some recalcitrant office junior has cracked the authentication system (often in a completely non-intelligent way) and we see that in fact nothing can quite be guaranteed.

Does this include your back-up systems?

This relates to the proof of the content of a document whereas the following section provides for the document itself.

At last the saving grace. Need for certificate by an officer of the business - but in extreme cases that may in fact be the tea lady.

This is the section which is designed to remove most of the difficulties experienced by businesses in having computer records admitted - fast track procedure

Being admitted does not mean unchallengeable, and does not refer to the content of the document, merely to the document itself.

Four current sources

The principal source of the present law. Again the principles are relating to the admissibility of what would otherwise be excluded because of hearsay.

Higher standard required because of criminal sanction

Proof beyond reasonable doubt rather than on balance of probabilities - though I sometimes think magistrates wouldn't know a reasonable doubt if it stood naked before them and pleaded guilty to all charges.

The main code admitting computer evidence. Provides a framework which includes all computer based evidence, including (where necessary) non hearsay evidence

The 'Custer's Last Stand' of the defence advocate. Probably just as hopeless. When all else fails

Introduced to replace and simplify the requirements of s68 of PACE

Fact not opinion

No restriction as to source of document (civil - business record et cetera)

Any representation of fact - need not be in words - eg measurement

This might include documents prepared by forensic examination of computer by expert

Leaves it open for party to argue that document should not be admitted, or if admitted should not be believed

Simplifies proof of contents of document

Summary. Probably creates an unfair situation for a defendant seeking to reject documentary evidence. Not properly in a position to challenge it. The defences allowed are not sufficient.

Original v Hearsay

I have referred all along to computer evidence as being in the nature of hearsay. It is right to say that there is a category of evidence where it has been claimed and decided that what is produced is not produced as hearsay. It is stated that where, for example, a computer is used to measure some effect, that 'pure' measurement can be admitted without it being treated as hearsay, but instead as 'original evidence'. This seems to me to be equating a computerised weighing scale with an old fashioned weights balance.

I think this is likely to be bad law. It is naive. We all know that such machines need to be calibrated at best, and that in designing a system, a software engineer builds in a description - a 'statement' about the relation between certain measurements. He makes assumptions about the ranges of measurement

Earlier case DPP v Darby QBD (reported in the Times 4 November 1994).

Case decided in February this year, DPP v McKeown by the House of Lords. To do with interpretation of s69. Question asked was - if there is clearly a malfunction of the computer in some part, can it be right according to the words of the section to include evidence produced by another part of the computer? This may sound a trifle daft, but at one stage the development of the case law suggested that if you wanted to rely upon a print out from a Tesco's till to establish a theft, you might have to prove that the entire computer system to which it is connected (and that is a big one) was in full working order.

In any event the case established that this was not the case. A defendant would have to show some possible link between the malfunction and the evidence being asserted. The section is not to be interpreted literally - as I agree must be correct - the Tesco's example shows why.

It is worth pausing to consider the details of the case. D arrested for drunk driving and tested by the Intoximeter breathalyser - a computer

The calibration of the measurement seemed ok, but the times shown on the print out were wrong. This was partly explained by the change to British Summer Time, but not entirely. In any event there were two cases a couple of hours apart and the timing differed by a few minutes. In other words it was gaining time quite rapidly - for a clock.

The Judge quite happily asserted that computer clocks are notorious for being wrong. I think here that he means incorrectly set (or not set at all). I do not know however how the 'clock' in this case was driven. Was it driven by the same CPU which carried out the analysis? If so an explanation of the malfunctioning of the clock might also have provided an indication that the process of analysis might be affected, where for example the calibration depended upon signals from the same CPU.

In any event the defence were refused access to any information about the internal workings of the Intoximeter which might have tested the existence of such a link.

There may or may not be a link, I do not know, but I think it wrong that the defence should be disallowed the possibility of satisfying themselves on this point.

Another case in point goes back a few years and involves the possibility of the malfunction of a cash dispenser. A policeman (a sergeant no less) receives a statement showing what he asserts are phantom withdrawals from his account. He makes a claim, but is told that his claim is fraudulent. He is prosecuted, and in the magistrates court convicted. He goes to the crown court where his counsel make strenuous and repeated applications for sufficient disclosure of the details of the system involved to allow an independent assessment to be made of the possibilities of someone within the institution or otherwise themselves making the withdrawals.

The institution is faced with a very difficult decision. It wants the prosecution to proceed, but cannot afford its systems to be compromised. It makes the only possible decision and refuses to provide the information. They withdraw, and the case is dismissed. The policeman (now a former policeman) remains unhappy but there is no way forward.

There is clearly a substantial difficulty here. There are computer systems upon which we all depend and the details of which need genuinely to be kept confidential. At the same time anyone who asserts the utter reliability of such a system presumably also believes in fairies. How is a defendant to be protected if he genuinely believes the system is wrong?

"In a judgment loaded with significance for the evidential value of cryptography and secure systems generally, His Honour Justice John Turner, sitting with two assessors, said that `when a case turns on computers or similar equipment then, as a matter of common justice, the defence must have access to test and see whether there is anything making the computers fallible'. In the absence of such access, the court would not allow any evidence emanating from computers."

There is a stand off, which in this case was mercifully resolved in favour of the defendant. Sadly it probably serves as the high point of defence successes in this area.

Similar difficulties also affect for example BT who assert that all sorts of reputable people are content to run up huge telephone bills suddenly calling sex lines in the far east

The law remains in need of simplification - though some argue it is usually Law Commission reports which leave us in need of simplification in the first place.

Put simply, s69 of PACE is to go. Instead there will be a regime which mirrors that in the civil courts as described above.

It often takes many years for such things to work their way through into legislation (many proposals never do), and the report was requested before the McKeown decision so the urgency has gone out of it for the moment.

Law Commission, 1995

'... determined defence lawyers can and do examine the prosecution's computer expert at great length. The complexity of modern computer systems makes it relatively easy to establish a reasonable doubt in a juror's mind as to whether a computer is working properly.

... we are concerned at smoke screens being raised ... focussing upon the general fallibility of computers rather than the reliability of the particular evidence'

Computer experts seeing this as a business opportunity, the forensic examination of computers for litigation whether civil or criminal, should be aware that the smiling, ever so friendly face of the lawyer who instructs them will not be matched by his, and later your, opponent.

We now turn to the design and maintenance of computer systems.

In fact much of what is done now as best practice in systems management is what is required, not a lot more. Much of what I say here is obvious, as are many of the things we know we should do but equally know in private that in fact we do not do them.

The procedures and checks are becoming easier to comply with.

I do want to emphasise however that when something along these lines goes wrong, it may go wrong with a flourish, and an under-managed system could prove expensive.

Will your documentation stand up to a full and aggressive examination? You cannot predict what questions may arise or how and when they will arise. The single most consistent facet of litigation is its variety. All life is before you and any part of life may be caught up in it.

Your documentation should establish in particular audit trails, and authorities for the entering of transactions.

Document changes to the system, keeping documentation as to how it ran three years ago as well as the current system.

The single thing we all learn right from the day we first sit at a computer is to make a damn back-up. We know that many do not, but of course everyone in the room will keep them. The general rule must in fact be to keep them, but it has to be acknowledged that in litigation, backups may be used as much against you as for you.

Recognise the problem of old back up data needing to be transferred as systems move on and hardware becomes obsolete and unmaintainable. This is a genuine problem for many organisations. They have vast quantities of data on semi obsolete equipment. Nobody is interested in it except those of the archivist persuasion, and it will take many many hours of costly time to transfer data to a new system.

In every organisation there are things the organisation no longer needs for any business reason, and which for any of many reasons the organisation would rather forget. Who am I to say what that might be. I would only say that you should not be the only and unwitting memory.

This now goes well beyond what used to be considered as those matters properly the field of the data processing department and must now include copies of all sorts of documents created in the relatively disorganised and unruly world of staff using word processing equipment.

In particular I would question the desirability of keeping all e-mails ever sent within the firm - a topic to which I shall return.

In summary I do not suggest that you necessarily limit your back-ups, just that at the very least you protect your own back by ensuring that what you keep is properly documented and that procedures for clearing out data or not are made with the full involvement of other departments. The obvious answer, the ingrained one, may not always be correct.

Relatively simple procedures exist to guarantee the authenticity of your archives. If a back up is taken, then a digital signature should also be taken, and stored elsewhere and on paper to attempt to guarantee that nobody interferes with what can after all be entirely malleable data and records.

There are many such programs around, and they take only a short time to use. You may not wish or need to do this for all old files, but a selective policy of authentication is probably of value.
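The procedure just described, as an added example that is not part of the original paper: a manifest of SHA-256 digests is stored with the backup, and one short seal over that manifest is the value to print and file elsewhere. SHA-256 digests stand in here for the 'digital signature' the text mentions, and all file names and contents are constructed.

```python
# Added example (not from the original paper): seal a backup with SHA-256
# digests and verify it later. All paths and file contents are constructed.
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path, chunk_size=1 << 20):
    """SHA-256 of one file, read in chunks so large archives need little memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated path) to size and digest."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"size": os.path.getsize(full),
                             "sha256": file_digest(full)}
    return manifest


def seal(manifest):
    """Single digest over the canonical manifest; 64 hex characters fit on paper."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify(root, stored_manifest, paper_seal):
    """Check the stored manifest against the paper seal, then the files against it."""
    current = build_manifest(root)
    report = {
        "manifest_intact": hmac.compare_digest(seal(stored_manifest), paper_seal),
        "modified": sorted(p for p in stored_manifest
                           if p in current and current[p] != stored_manifest[p]),
        "missing": sorted(p for p in stored_manifest if p not in current),
        "added": sorted(p for p in current if p not in stored_manifest),
    }
    report["ok"] = (report["manifest_intact"] and not report["modified"]
                    and not report["missing"] and not report["added"])
    return report


def demo():
    """Constructed backup: seal it, alter it, and show what verification reports."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "ledger"))
        files = {"ledger/invoices.csv": b"1001,ACME,50.00\n",
                 "ledger/payments.csv": b"1001,ACME,50.00,paid\n",
                 "readme.txt": b"Month-end backup (constructed sample)\n"}
        for rel, data in files.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)

        manifest = build_manifest(root)   # stored with the backup
        paper_seal = seal(manifest)       # printed and filed elsewhere
        clean = verify(root, manifest, paper_seal)

        # A record is altered after the backup was sealed.
        with open(os.path.join(root, "ledger", "invoices.csv"), "wb") as fh:
            fh.write(b"1001,ACME,500.00\n")
        altered = verify(root, manifest, paper_seal)

        # The manifest kept alongside the backup is regenerated to match the
        # altered files; only the seal kept on paper still disagrees.
        forged_manifest = build_manifest(root)
        covered = verify(root, forged_manifest, paper_seal)
    return clean, altered, covered


if __name__ == "__main__":
    for label, result in zip(("clean", "altered", "covered-up"), demo()):
        print(label, json.dumps(result))
```

An unkeyed digest protects only what it is kept apart from, which is why the seal goes on paper; signing the seal with a private key would turn it into a digital signature in the strict sense.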

When you as IT head are challenged in court as to the validity of your records, accept that a judge will understand entirely just how easy it is to alter this or that electronic data. There is a history even if I may say so within the legal profession of judges refusing to take any notice of time records produced by professionals. I am sure this must be wrong, but the ability to stand in court and assert with confidence your data's integrity is to be valued.

What I urge you to do is not to get into a mind set where you think of your organisation only as the good guys. You do not know whether at any time you will be asserting or defending your integrity. You may as easily be tomorrow's sheep as you are today's wolf.

I will come back to the hows and why's of computer forensics in a moment, but I repeat that clearing out old data from your staffs' computers is just as virtuous as retaining it.

One or two obvious possibilities for regular maintenance:

Automatic routines which search out and delete out of date .tmp files, '.chk' files and others of a like nature

Checking windows directories for tell tale inappropriate '.ini' files

Carrying out whatever is the equivalent of a defragmentation of hard drives

Software audits using software

You will appreciate there are good reasons for these steps in any event

If you manage a network, and your staff or users are allowed any freedom at all, somebody somewhere will abuse that freedom.

Are any members of your staff storing naughty pictures on your system? There have been well known cases where a systems administrator has suffered at best acute embarrassment at what his users have kept on their system. Look for people making excessive and unexplained demands on the disk space.

A user who should have no need for anything more than WP or spreadsheets will not need (perhaps) more than 5Mb of hard disk usage.

How 'lively' is your email and how is it backed up? E-mail in particular is the smoking gun of modern computer litigation. People use it as equivalent to chatting. There are many things we might say to each other in chatting which we would be quite reluctant to commit to paper. Unfortunately they do commit them to permanence in an e-mail.

The recent case involving Norwich Union is a case in point. Here a false rumour started among the staff at NU about the financial viability of another company. The rumour was spread by e-mail, and the e-mails were extracted during the court case and provided overwhelming evidence of the defamation. The case was settled very expensively.

I cannot say that the result might have been any different, but NU were backing up data which did not deserve that amount of respect.

You may say they should not be chatting anyway, but they will.

Defamation is certainly not the only risk. Almost any issue might arise between staff where e-mails are part of the battle. There might be racist or other discriminatory material, or bullying. A perfectly organised company might view the opportunity provided by e-mail to stamp on these things as an opportunity not to be missed, but we have few perfectly organised companies.


A whole series of new issues arises when we come to discuss e-mail and Internet. Well, they seem to arise. The truth is that the same principles are applied by the lawyers. The context may be different and constantly changing, but the rules are the same.

I confirm specifically that there is no reason why electronic mail should not be admissible.

You should recall from earlier parts of this discussion that one must look, each time, at what it is that one is trying to establish. With electronic mail the issue which people get caught up in is whether an e-mail can be a 'legal document'. We have seen that they are treated in civil law in the same way as other documents.

A court is entitled to ask of that document: what is its provenance? Where does the document come from? Where did it get to? And is the document that was sent the same as the document which arrived? In these questions we are not reporting what might have been said by somebody in an attempt to prove the content of what was said; we are asking if a particular event occurred.

There are specific court rules and issues of . in providing convincing answers to the three questions raised. The court rules provide working assumptions which apply to established methods of communication. If a letter is sent by post, the court will then assume, unless there is evidence to the contrary, that it arrived within a certain number of days. No such rules apply to electronic mail. It must be understood that this does not mean that such documents are inadmissible. They merely do not have the ready made assumptions which aid proof.

There are certain companies which appear to be touting their services of document escrow. They are reported to suggest that by asking people to follow certain protocols, including the depositing of authenticated copies of documents with them, e-mail becomes legally admissible. Make no mistake, I advocate the use of sensible protocols and encryption to assist those seeking to prove the delivery and integrity of electronic mail, but it would be nonsense yet to claim that such systems will guarantee legal admissibility. The court decisions may not be far away, the rule changes may even get there before the court decisions, but they are not there yet and in the absence of such rules or decisions, guarantees are baseless.

Are users running bootleg copies of software on your machines? If so, and it is being used or might possibly be used in any way which might be part of the business, you might become the subject of a copyright misuse investigation.


Computers, as they record and store more and more of our lives, are inevitably being used as a source of material to put before court. This may be civil or criminal courts in the usual sense or even more so now industrial and other tribunals. We are talking here not just about records designed to provide evidence, but particularly all the evidence which lies about on a computer hard disc revealing all the little things people have been up to. We are talking forensics.

I therefore move over now to the position taken by a person investigating a computer system.

We are talking about examination, particularly of hard disks to discover evidence of misbehaviour. This can be the search of the obvious, but I wish to persuade you of the depths of detail which can be gone into, and also the possible huge expense.

Whether on the hunt or being hunted, the key is decisiveness. Whatever happens in the few seconds after a search is announced can determine the success or failure of a hunt. A knowledgeable staff member can do much within a very short time to remove most traces of his or her mis-doings. If complete surprise is obtained then an examination of lists of recently opened files, or of memory caches can be useful.

Sometimes you will just have to make a choice. One approach may produce certain results, but destroy other evidence; other approaches will produce similar problems but with different losses and gains. An intelligent assessment needs to be made before a search is made, and the choices made will vary according to the subject matter of the search.

I had assumed that no-one in my audience would ever have done anything with their computers of which they could feel at all ashamed, and that you would therefore be puzzled by my talk. Looking about me now, I give in, and can only say that I shall have to treat this merely as a working assumption.

The first task is to preserve the evidence - ensure that no further entries or deletions are made. You will need to know just which other computers have access to the hard drive(s) under examination.

Even turning the machine on without running it from an independent disk may destroy evidence. The hard disk will often have many temporary files which shave r

The standard then is to take a copy of the hard disk; not just a copy of the files, but of each and every sector on it - in effect an electronic photocopy of the disk surface. Take another. One is needed to be preserved for future evidence, and another might be used to work from.
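The two-copy procedure above, sketched as an added example that is not part of the original paper. The use of SHA-256 digests to show that both copies match the source, the 512-byte sector size and the file names are assumptions, and a small constructed file stands in for the disk; a real examination would read the disk from an independent boot disk as described above.

```python
import hashlib
import os
import tempfile

BLOCK = 512 * 128  # read in whole 512-byte sectors (assumed sector size)


def sha256_of(path):
    """Hash a file or raw device, opened read-only, block by block."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_twice(source, preserved, working):
    """Copy every byte of `source` to two images; return a record of the hashes."""
    h, total = hashlib.sha256(), 0
    # Mode "xb" refuses to overwrite an image that already exists.
    with open(source, "rb") as src, open(preserved, "xb") as p, \
            open(working, "xb") as w:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            h.update(chunk)
            p.write(chunk)
            w.write(chunk)
            total += len(chunk)
    record = {
        "bytes": total,
        "source_during_copy": h.hexdigest(),
        "preserved": sha256_of(preserved),
        "working": sha256_of(working),
        "source_after_copy": sha256_of(source),  # shows the source was not altered
    }
    if len({v for k, v in record.items() if k != "bytes"}) != 1:
        raise RuntimeError(f"copies do not match the source: {record}")
    os.chmod(preserved, 0o444)  # the preserved copy is never worked on
    return record


def demo():
    """Constructed stand-in for a disk: one live sector, three 'deleted' ones."""
    d = tempfile.mkdtemp()
    disk = os.path.join(d, "disk.raw")
    with open(disk, "wb") as f:
        f.write(b"LIVE FILE".ljust(512, b"\0"))
        f.write(b"deleted remnant".ljust(512, b"\0") * 3)
    rec = image_twice(disk, os.path.join(d, "preserved.img"),
                      os.path.join(d, "working.img"))
    return d, rec


if __name__ == "__main__":
    print(demo()[1])
```

Because the copy is made byte for byte rather than file by file, the remnants of deleted material travel with it, and any later change to the working copy shows up as a digest that no longer matches the preserved one.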

This was not a great problem before, but the progressively larger and larger hard disks are making life harder and harder for forensic experts and those instructing them. 10 Gigabyte disks are now available for about 170 dollars.

I remember a splendid article by a journalist now a member of parliament (or perhaps ex). He was an investigative journalist exposing UK government duplicity on nuclear weapons procurement and development. He had all sorts of information he should not have and was having fun embarrassing the authorities as was only right and proper.

He was raided by the police. This was in the mid 70's, and at a time of almost zero appreciation by Mr Plod of computers. The officers happily piled papers on the desk on top of his computer and disks, and then left - leaving all the disks and all the info behind.

Back years later


I go back here to the issues which arose before on the admission of computer evidence. Here we are rarely talking about hearsay; you are dealing first with just what is on a disk. Expect to have to justify each and every move and to show above all that the source evidence has not been contaminated by your own intervention.

Equally the expert must consider how he can and will justify each of the documents he produces. If a printout is produced, just how is it produced and what does it represent?

At first, the enquiry may be just that - can anything be found? You may not expect to take it much further if anything is found, and therefore the temptation must be, for very good reason, not to follow what may be very expensive and detailed procedures. But the expert must cut corners only if he is re-assured entirely by those instructing him that evidence will not be going to court. Circumstances differ. This may sometimes be quite clear; most of the time it will not. The difference in costs may be substantial.

There are utilities about which will do much to assist your search. This is a fast moving picture. What was adequate a year ago may not be adequate now. The utilities are very much

Whoever the forensics expert you bring in is, his first requirement is a close knowledge of the actual operating system in use. Knowledge about the intricacies of Unix means very little when you are looking at a Mac or a Windows 95 system.

Modern give-aways are several

Logs produced by faxing software - identifying often who has been called and sometimes usefully their answering Call ID

Those connected to internet may be unaware of the vast quantities of data held on their behalf in hidden files on the computer

Speaking as the parent of a youth given (until stopped) to letting his pals use my internet access, a trawl produced timestamped old html pages and assorted picture files.


Windows, particularly Windows 95, has in some ways taken the fun out of this forensic process. Deleted files now sit there in a bin on full display - but even when the bin is emptied, have the contents really disappeared? Quite possibly not.

.tmp files

Caching files

swap files

Word processing files - may be of most interest

Cannot give a lecture now about computers without bringing in Internet

Staff policy on using firm name on Internet postings - the need for disclaimers and the understanding that they may in fact be of little use.

All Usenet postings are archived forever by Deja News and AltaVista, unless a positive decision is made by the poster to avoid this - even so, not necessarily effective


The future.

Computers already are used for some of the most precise and detailed evidence put before our courts. DNA testing for example

Suggestion that for example video images can be enhanced by computer technology to produce better images.

One suggested application which I think is very dangerous is the use of computer enhanced video films. We are, and perhaps thankfully so, surrounded by video cameras. They are capable of making a substantial contribution to law enforcement and the preservation of the peace. The images produced are necessarily of a fairly low quality. Computer programs have been written to "enhance" such images. A car registration plate can quite usefully be analysed by a computer. We know that there is a limited range of possible "solutions" to the problem faced by the computer. The analysis will produce either a capital letter or a number. From this, the car can be traced, and the other identifying features, such as colour and car type and location, can be added back in to help verify the analysis used. Quite properly, police officers ask a computer system to try to provide more detail of a face shown by the computer. We all understand that such images are constructed from many small dots. The enhancement starts, naturally enough, by enlarging the image. As this happens repeatedly, the dots become blobs. The policeman asks for better "resolution" and the computer scientist says "that is the resolution we have". It is. That is all he has, and he should go no further.

It is possible, using artificial intelligence processes, to split the blobs back down into smaller dots, assigning new colours to the dots produced. The apparent result is a better picture.

I am not against such images being used, subject to two conditions. First, the user must understand that he is looking at a fairy tale, and second, such an image can be used only to assist officers in investigation and not, at any time, in evidence. The trouble is that the image produced is a normative analysis. The computer interprets a blob, asking what sort of feature is this. Is it part of an ear or a nose? Having made the judgement, and computed the angle from which the feature is being viewed, the computer can create, not in any useful sense re-create, a feature underlying the original blob. It is vital to understand that the information available to the computer is limited to the original blob. An example might be if your bank lost all trace of transactions on your account for a period of, say, two weeks. An analysis might show a change in balance of x pounds. A sophisticated analysis by the computer might provide a bank statement which is typical of your activities for similar periods. However clever the computer and its programme, you would not wish to have such a bank statement foisted anew upon you. When applied widely, such techniques would lead to the arrest of people with standard type facial features and not those who might have distinctive faces. You or I seeing a face would notice immediately if the face had one eyebrow only. The computer would put one back. This may be an unfair description, but you can see the danger. The computer knows what most faces look like and can create standard type features from the blobs, but the result is purely a computer creation; it should not be evidence. If we return to our original understanding, ask with computer evidence not just 'Is this hearsay evidence?', but in particular who it is we listen to. We hear a very tiny part of what he says.
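The one-eyebrow point can be made concrete with a toy, added here as an example and not taken from the original paper or from any real enhancement product. The 8x8 faces, the block-averaging camera and the nearest-match enhancer are all constructed assumptions; the enhancer simply returns the typical face that best fits the blobs it is given.

```python
def face(left_brow=True, right_brow=True, wide_mouth=False):
    """Constructed 8x8 face, 1 = dark dot. All shapes here are made up."""
    g = [[0] * 8 for _ in range(8)]
    if left_brow:
        g[1][1] = g[1][2] = 1
    if right_brow:
        g[1][5] = g[1][6] = 1
    g[2][2] = g[2][5] = 1                      # eyes
    g[4][3] = g[4][4] = 1                      # nose
    for x in (range(1, 7) if wide_mouth else range(2, 6)):
        g[6][x] = 1                            # mouth
    return g


def camera(img, f=4):
    """Low-quality camera: each f x f block of dots becomes one blob (dark count)."""
    n = len(img) // f
    return [[sum(img[y * f + dy][x * f + dx]
                 for dy in range(f) for dx in range(f))
             for x in range(n)] for y in range(n)]


# What the enhancer "knows": faces it has seen before (hypothetical training set).
TYPICAL = [face(), face(wide_mouth=True)]


def enhance(blobs):
    """Toy enhancement: return the known face whose blobs are closest."""
    def distance(candidate):
        return sum((a - b) ** 2
                   for row_c, row_b in zip(camera(candidate), blobs)
                   for a, b in zip(row_c, row_b))
    return min(TYPICAL, key=distance)


def one_eyebrow_demo():
    suspect = face(right_brow=False)           # the distinctive one-eyebrow face
    blobs = camera(suspect)                    # all the computer is ever given
    return suspect, blobs, enhance(blobs)


if __name__ == "__main__":
    suspect, blobs, picture = one_eyebrow_demo()
    print("blobs:", blobs)
    print("right eyebrow in original:", suspect[1][5],
          "in enhanced:", picture[1][5])
```

The enhanced picture is sharper than the blobs and shows two eyebrows: the detail came from the enhancer's store of typical faces, not from the camera.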

It is as if the computer program is a thesis produced to answer the question before the court, but the court is allowed only to look at the answer, not to examine the thesis nor the thinking in the thesis which provides the answer. Historically artificial intelligence programs have set out to listen to human experts and to reduce their wisdom to statements in Algol or Lisp. Nowadays, and for the future, neural network programmes will learn to understand the world and will build into themselves rules and statements which can never be made explicit. The computer calculates the best way of achieving a particular result. It may learn from its mistakes, but it may, in principle, be impossible even to begin to question how the result was achieved. It is not the application of discernible reason, merely another insidious normative analysis, the devaluation of difference.

Already such programmes affect us everyday. You may be assessed for credit worthiness by such a system; the value of your shares may be affected by computer based trading systems applying artificial intelligence and neural network type programming solutions. I have no objection at all to somebody using such a programme to make a decision on how to spend their own money. I would object strenuously when an assessment made by such a system is imposed as an arbitration on the truth of an issue. I suppose that it may be a fundamental question for this society as to whether we come to believe that our activities as skilled humans can be summed up in sets of rules for normative analysis, or whether it is our creativity, our very ability to fracture the rules to make links between the previously un-associated which makes us worthy of our hire. If this is the case, and I believe it to be so, then the computer scientist must be extremely cautious before asserting the value of his systems. How much progress would have been made in the computer industry if only normative thought processes were allowed, or does the computer scientist assert that only his profession requires creativity?

One of the issues which I think that courts have run away from but which will certainly have to be faced is what to do when an expert produces computer based calculations to justify his analysis and conclusions.

This may seem simple, but it is not. There are many examples. We all understand the basis of fingerprint evidence. The expert fingerprint analyst examines the prints and divines a number of points of similarity. His evidence is usually unchallenged because we understand the way in which he works, or can at least see what his reasoning might be. We know that he can be called to give evidence to justify the analysis. His job is now being taken by a computer. It analyses the same fingerprints with possibly the same expert skills, as exemplified by rules incorporated into the software.

There is, perhaps, a more fundamental and general problem here. How do we treat our experts? How much do we expect them to know? We live in a world where, increasingly, the range and depth of knowledge available to one individual is not enough to take a court from the fundamentals of a situation right through to the practical reality of the facts before a court. One analysis stands upon the shoulders of another. This will be more and more so as computers internalise rules, and indeed this already clearly applies where computers create their own rules. Where a computer has learnt the rules it will apply when making decisions, how can a human expert represent those rules in court?

I for one am very much more reluctant to rely upon such evidence, or to accept its propriety. We will not for ever have the right under existing and future rules of court to see and challenge the rules which are to be applied by the programme nor to challenge the way in which the rules are applied. I believe that there is a fallacious assumption that first of all we can properly simplify the assessments made by the expert into a list of blindly applied and hidden rules. Anyone who ever learned to programme a computer has learnt how precisely computers interpret their instructions. One common experience on first trying to persuade a computer to do something is a sense of frustration that it is, or should be, obvious what you want. A human would re-interpret my sentence in an intelligent way. A computer, perversely, is obstinate, precise, and quite unintelligent. The processes which come under the general title of 'artificial intelligence' are in essence reductive processes. It seems to me that any expert worth his salt in fact applies as much creativity and new analysis in each task he faces as can fairly or properly be summed up as a set of rules.


  1. Camden London Borough Council v Hobson Independent Han 28, 1982 - CLY 1992 2057. Computer records of a community charge-payer's indebtedness were of human, and not purely mechanical origin, and were therefore inadmissible in liability order proceedings.
  2. R v Coventry Justices ex p Bullard [1992] RA 79 DC [1992] CLY 2058 Computer printout rejected as hearsay. The only evidence put forward was an uncertified computer print-out. The modern provisions which mitigate the full terror of the law of hearsay do not apply to civil proceedings in Magistrates Courts.

Evidence Links
Why Cryptosystems Fail by Ross Anderson
John Munden is acquitted at last! by Ross Anderson
Card Fraud and Computer Evidence by Ross Anderson
Kent Law School (Mr Snipe - a law lecturer specialising in evidence law)
The Evidence Site (US)
US (Federal) Rules of Evidence
Texas Criminal Evidence Rules
New Zealand Evidence legislation
Californian Legislation
The use of PII claims in criminal cases (Scott)
Expert Testimony (links)
A page of procedural and evidence links.
Evidence Course at Murdoch in Australia
Links on forensic topics (UK)
Yahoo's Evidence page
Go Prog_RAID98/Full_Papers/Sommer_text.pdf Intrusion Detection Systems as Evidence RAID 98 Conference, Louvain-la-Neuve, Belgium. Peter Sommer's Article raises and discusses the differences between Legal and Scientific Proof. Peter is a regular and respected contributor to these debates. See also his article Digital Footprints: Assessing Computer Evidence. Criminal Law Review (Special Edition, December 1998, pp 61-78)
Important: Please note that our law-bytes are retained for archival purposes only. The law changes, and these notes are often, now, out of date. You must take direct advice on your own personal situation and the law as it currently stands.
All information on this site is in general and summary form only. The content of any page on this site may be out of date and or incomplete, and you should not not rely directly upon it. Take direct professional legal advice which reflects your own particular situation.
Copyright and Database Rights: David Swarbrick 2012
18 October 2013