In recent years forensic computing has greatly evolved, moving from a pseudoscience to a recognized discipline with skilled practitioners and guiding principles relating to the conduct of their activities. The law states that “possession is nine-tenths of the law,” and because computer-based data can be so easily and undetectably modified during its collection, impounding, and analysis, certain new “rules of evidence” have been enacted, evolving from more general codes of practice. These new rules deal with a verifiable chain of custody that must exist for digital evidence. For example, according to the U.S. House Advisory Committee on Rules, in its rule 1003 (Admissibility of Duplicates), “a counterpart serves equally as well as the original, if the counterpart is the product of a method which insures accuracy and genuineness.”
Although these Rules are only required in Federal court proceedings, many State codes are modeled after them, making them comparatively consistent. Violations of these rules will surely be the focus of defense attorneys, in an effort to raise suspicion as to the accuracy or authenticity of the digital materials. For many years forensic investigators have tried to keep up with criminals in regard to new technologies. Law enforcement officials are usually at a disadvantage in this area, because they often fail to recognize the criminal potential of budding technologies, giving criminals a head start in terms of knowledge and know-how. It is hard enough for law enforcement to comprehend the nature of emerging technologies, let alone overcome this disadvantage without proper, state-of-the-art technologies at their disposal.
When law enforcement officials execute a search warrant, they are limited to searching only areas in which the listed object of the search could be found or concealed, known as the “scope” of the search warrant. Moreover, even the smallest hard disk drives and digital drives can contain tens of thousands of files, making many impossible to find without state-of-the-art technologies. With such technologies, forensic investigators can produce exemplary, concise results. One example is software such as KFF (Known File Filter), which allows users to search with keywords or take advantage of drive indexing using dtSearch. KFF was actually used in a recent Supreme Court case, United States v. Mann (2010), where it uncovered child pornography on Matthew Eric Mann’s computer. Without this state-of-the-art technology, this information would never have been recovered.
The Mann case, mentioned above, is a good example of a case in which the forensic investigator failed to follow forensic evidence procedures, which resulted in suppression of certain evidentiary items. In May of 2007, Matthew Eric Mann was working as a lifeguard when he covertly installed a video camera in the women’s locker room. Detective Paul Huff of the Lafayette Police Department executed a search warrant, the scope of which was limited to voyeurism of a women’s locker room, and found child pornography as well. Mann filed a motion to suppress the child porn images, but the district court denied the motion, using the “plain view” exception as its reasoning. Mann, however, later appealed to the Seventh Circuit Court of Appeals. The court noted that the Fourth Amendment requires that a search warrant describe the things to be seized with sufficient particularity or detail to prevent general exploratory searches of a person’s belongings. The court held that the files found with the KFF system were to be suppressed, and it suggested that Detective Huff should have stopped his search and sought a search warrant for additional child porn after he stumbled upon the first images.