With the advance of a digital society, the need to protect the integrity and privacy of digital information has grown, particularly in the context of digital evidence preservation. However, searching hard drives and other storage media is limited by law in the United States and many other countries. Furthermore, the dynamic nature of digital evidence can pose problems for establishing its credibility in court, and rules of evidence such as authentication and hearsay may limit its admissibility altogether.
Authentication of evidence is a threshold test for the admissibility of all evidence, including digital evidence. For example, under the Federal Rules of Evidence, it must be shown that the matter in question is what its proponent claims. In the case of digital evidence, this can be satisfied, for instance, by a law-enforcement agent's testimony that he or she was present when the data was seized. However, even when evidence has been authenticated, its credibility is not assumed, and its proponent must be prepared to defend against attacks on its accuracy and reliability by opponents. The more opportunity for human error or tampering, the less credible a judge or jury may find a particular piece of evidence. See generally Searching & Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, U.S. Department of Justice (3d ed. 2009), available at www.cybercrime.gov/ssmanual/, the entire contents of which are incorporated by reference herein.
There is therefore a need for digital preservation systems comprising hard drives, flash drives, or other non-volatile storage media or devices (SDs) having a self-protecting mode that can be set once the SD is determined to contain digital evidence, with the ability to recover secured data limited to properly authorized individuals.
One common method of digital evidence preservation is to seize the source drive (D0), removing it from its computer system in the case of a hard drive, and storing it for preservation, without booting the drive or otherwise altering its contents. A copy of D0 (D1) is made, which serves as the source drive for making additional copies for various parties, such as law enforcement, attorneys, custodians, etc. In such cases, personnel involved with the preservation of the data or its copying manually record relevant metadata such as time, date, location, identities of those involved, etc.
Unfortunately, these and similar approaches have problems that raise questions as to the integrity of the digital evidence. If access to the data on the SD is not limited in some way, such as by engaging the self-protecting features to convert the SD to a read-only state, the data is susceptible to spoliation. In addition, whenever the agents involved with securing digital evidence manually record relevant metadata, human error may be introduced. Parties opposed to the introduction of certain digital evidence can rely on these weaknesses to attack its admissibility or credibility. It would therefore be beneficial to provide an evidence preservation system comprising a self-protecting SD that, once triggered, can prevent spoliation of digital evidence, and that has a means of limiting recovery of the digital evidence to authorized individuals.