Topic 7 Student

Uploaded by

Joey Haw
Copyright
© All Rights Reserved

ELECTRONIC EVIDENCE Chapter 7

CONTENTS
❖Introduction
❖Forensic analysis Techniques
❖Law in Malaysia
❖Challenges
INTRODUCTION
• Evidence: anything that demonstrates, clarifies or shows the truth of a fact or point in question.
• Electronic evidence: any probative information stored or transmitted in digital form that a party to a court case may use at trial.
• Digital forensics (sometimes known as digital forensic science): a branch of forensic science encompassing the recovery and investigation of material found in digital devices.
• The term digital forensics was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data.
FORENSIC ANALYSIS TECHNIQUES
Evidence Acquisition
• This step is where policies related to preserving the integrity of potential evidence are most applicable.

Evidence Examination
• Investigators typically examine data from designated archives, using a variety of methods and approaches to analyze information.

Documenting and Reporting
• Investigators must keep an accurate record, and the final documents must be reported in a form suitable for non-technical individuals.
ONLINE-BASED FORENSIC
Email
• A forensic investigation of e-mail can examine both the email header and body.
• An investigation should include the following:
1. Examining sender’s e-mail address
2. Examining message initiation protocol (HTTP, SMTP)
3. Examining Message ID
4. Examining sender’s IP address
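The four header checks listed above, as an added Python example that is not part of the original slides. The sample message, its addresses and the function name `examine_headers` are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (documentation addresses, not real evidence).
RAW = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org with ESMTP id abc123;
\tTue, 02 Jan 2024 10:15:02 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby mx.example.net with HTTP id xyz789;
\tTue, 02 Jan 2024 10:15:00 +0000
From: "Alice Sender" <alice@example.net>
To: bob@example.org
Subject: Quarterly report
Message-ID: <20240102101500.1234@example.net>

Body text.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed IPv4 literal
WITH_RE = re.compile(r"\bwith\s+([A-Za-z]+)")           # "with SMTP", "with HTTP", ...

def examine_headers(raw):
    """Return the four items an examiner checks, taken from the raw header."""
    msg = message_from_string(raw)
    hops = msg.get_all("Received", [])
    # Each server prepends its own Received line, so the last one in the
    # header is the earliest hop (where the message entered the mail system).
    origin = " ".join(hops[-1].split()) if hops else ""
    ip = IP_RE.search(origin)
    proto = WITH_RE.search(origin)
    # From and Message-ID are supplied by the sender, and Received lines added
    # before the first trusted server can be forged: treat every value here as
    # a lead to corroborate against server logs, not as proof.
    return {
        "sender_address": parseaddr(msg.get("From", ""))[1],
        "initiation_protocol": proto.group(1).upper() if proto else None,
        "message_id": (msg.get("Message-ID") or "").strip("<> "),
        "sender_ip": ip.group(1) if ip else None,
        "hop_count": len(hops),
    }

if __name__ == "__main__":
    for field, value in examine_headers(RAW).items():
        print(f"{field}: {value}")
```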
Browsers
• On a PC, most webmail activity is conducted through the browser so it’s no surprise that the majority of your evidence will consist of browser artifacts.
• Depending on the browser used, the data will be stored differently but typically the cache, history, and cookies are your best sources of evidence.
NETWORK BASED FORENSIC
• Network forensics: capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.

• Network forensics systems can be one of two kinds:

◦ "Catch-it-as-you-can" systems
All packets passing through a certain traffic point are captured and written to storage with analysis being done subsequently in batch mode.

◦ "Stop, look and listen" systems
In which each packet is analyzed in a rudimentary way in memory and only certain information saved for future analysis.
LAW IN MALAYSIA
S3 of Evidence Act 1950
• “Evidence”, “Documents”, “Computer”

However…
Section 2(1) of Computer Crimes Act 1997
• The definitions are different

Therefore…
• Evidence (Amendment) (No 2) Act 2012

Admissibility of ‘computer-generated documents’

• Section 90A of Evidence Act 1950 (admissibility and certificate)

• Azilah Hadri & Anor v. PP [2013] 7 CLJ 577…and appeal case.

• Section 90B of Evidence Act 1950 (the weight of a document)

• Section 90C of Evidence Act 1950 (affirms ss90A and 90B and shall be determined by EA 1950)

• Section 114A of Evidence Act 1950 (presumed to be the publisher unless the contrary is proved)
CASES
• Gnanasegaran a/l Pararajasingam v PP [1997] 3 MLJ 1
• Public Prosecutor v Hanafi Mat Hassan [2006] 4 MLJ 134
CHALLENGES
Identity Management Challenge
• Who Is the Author of the Records?

Reliability
• Is the Computer Program That Generated the Records Reliable? Was the output of the computer what it is purported to be?

Alteration
• Were the records altered, manipulated, or damaged after they were created?

Incompleteness
• Is the evidence the entire record or conversation?
• United States v. Jackson, 2007 WL 1381772 (D. Neb. 2007)
