August 2020
Forensic Soundness

While Solera Networks’ technology is commonly used in network forensic examinations for the purposes of incident review and response, we are also often asked if our platform can produce “court admissible” evidence. Before this can be addressed, a distinction must first be made between the two main classes of electronic information currently recognized by courts:

  • Human generated — Records that are created by humans, such as emails, IM conversations, word processing documents, spreadsheets, digital photos/audio/video, etc. that are transmitted or stored electronically. These sorts of records fall under, and must comply with, the hearsay rules for admissibility.
  • Computer generated — Records that are produced programmatically by a computing device, such as logs, netflow output, content analysis, packet captures, reconstructed artifacts, etc. Since some, if not most, computer data and network traffic content originates with humans, this class may include the former, but its admissibility is unrelated to the reliability and trustworthiness of the statements in any human-generated content; its admissibility depends entirely upon its own authenticity.

Therefore, as with any computer-generated electronically stored information, the question of admissibility is fundamentally a question of whether or not the information was acquired, retained, retrieved and delivered in a “forensically sound” fashion. For the purposes of this article, evidence may be considered “forensically sound” when it remains “complete and materially unaltered.”

In that respect, the Solera Network platform does employ forensically sound methods: the network capture (unless otherwise configured or indicated) is a complete and lossless record of all network transmissions; the patented DSFS file system in which the captured packets are stored is of an opaque, proprietary design, and does not allow data to be written by any means other than the capture system itself; all data retrieval is access-controlled, and all access is logged for documentation purposes; and artifacts reconstructed by DeepSee are MD5- and SHA1-hashed. These methods will continue to evolve as additional layers of hashing, encryption, and access controls are developed and added.
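The four controls listed above (write-once storage, access control, access logging, and hashing of reconstructed artifacts) can be illustrated in a few dozen lines. The following is an added example written for this article, not Solera or DeepSee code; the store, the actor names, the artifact bytes and the log format are all constructed assumptions. It records MD5 and SHA1 digests at acquisition, refuses writes from anything but the designated capture system, logs every access attempt, and lets an analyst later check that a retrieved artifact is still “complete and materially unaltered” by re-hashing it against the manifest.

```python
"""Added example (not Solera/DeepSee code): a minimal write-once evidence
store with an access log and MD5/SHA1 integrity manifest, illustrating the
"complete and materially unaltered" standard described in the article.
All names, actors and sample bytes below are constructed for illustration."""
import hashlib
from datetime import datetime, timezone

# Constructed sample artifact standing in for a reconstructed network object.
SAMPLE_ARTIFACT = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"


def digest_artifact(data: bytes) -> dict:
    """Return the MD5 and SHA1 hex digests of an artifact, the two
    algorithms the article says are recorded for reconstructed artifacts."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


class EvidenceStore:
    """In-memory stand-in for a write-once artifact store (assumption: the
    real DSFS is opaque and proprietary; this only models its properties)."""

    def __init__(self, capture_system: str = "capture-system"):
        self.capture_system = capture_system  # the only actor allowed to write
        self._artifacts = {}   # name -> bytes, never overwritten once acquired
        self.manifest = {}     # name -> digests recorded at acquisition time
        self.authorized = set()  # actors permitted to retrieve/verify
        self.access_log = []   # every attempt, successful or not, is recorded

    def _log(self, actor: str, action: str, name: str, ok: bool) -> None:
        self.access_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "artifact": name, "ok": ok,
        })

    def grant(self, actor: str) -> None:
        """Authorize an actor for retrieval; grants are logged too."""
        self.authorized.add(actor)
        self._log("admin", "grant", actor, True)

    def acquire(self, actor: str, name: str, data: bytes) -> dict:
        """Store an artifact and its digests. Only the capture system may
        write, and an existing name is never overwritten (write-once)."""
        if actor != self.capture_system or name in self._artifacts:
            self._log(actor, "acquire", name, False)
            raise PermissionError(f"write to {name!r} by {actor!r} refused")
        self._artifacts[name] = bytes(data)
        self.manifest[name] = digest_artifact(data)
        self._log(actor, "acquire", name, True)
        return self.manifest[name]

    def retrieve(self, actor: str, name: str) -> bytes:
        """Return the stored bytes for an authorized actor; deny otherwise."""
        if actor not in self.authorized or name not in self._artifacts:
            self._log(actor, "retrieve", name, False)
            raise PermissionError(f"access to {name!r} by {actor!r} denied")
        self._log(actor, "retrieve", name, True)
        return self._artifacts[name]

    def verify(self, actor: str, name: str, data: bytes) -> bool:
        """Re-hash a copy of the artifact and compare with the digests taken
        at acquisition. A mismatch means the copy has been altered."""
        ok = digest_artifact(data) == self.manifest.get(name)
        self._log(actor, "verify", name, ok)
        return ok


def demo() -> dict:
    """Walk through acquisition, authorized retrieval, a tampered copy and
    a refused write; returns the outcomes so they can be checked."""
    store = EvidenceStore()
    store.grant("analyst")
    store.acquire("capture-system", "flow-0001.http", SAMPLE_ARTIFACT)
    clean_copy = store.retrieve("analyst", "flow-0001.http")
    tampered_copy = clean_copy.replace(b"index.html", b"admin.html")
    try:
        store.acquire("analyst", "flow-0001.http", b"rewritten")
        rogue_write_refused = False
    except PermissionError:
        rogue_write_refused = True
    return {
        "clean_verifies": store.verify("analyst", "flow-0001.http", clean_copy),
        "tampered_verifies": store.verify("analyst", "flow-0001.http", tampered_copy),
        "rogue_write_refused": rogue_write_refused,
        "log_entries": len(store.access_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the example is the pairing, not any one control: the manifest only proves integrity if the store cannot be written around, and the access log only documents custody if failed attempts are recorded alongside successful ones. Note also that MD5 and SHA1 are kept here because the article names them; both are considered collision-weak today, which is why the article anticipates additional layers of hashing being added over time.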

But what about court admissibility of computer generated electronic evidence? The good news is that this topic is very well defined by the (relatively terse) Federal Rules of Evidence. The FRE provides guidelines for the authentication and identification of evidence for admissibility under Rules 901 and (somewhat less directly applicable to electronic evidence) 902, and the more detailed “Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations” (digest here).

The bad news? June 2009. Two events occurred this past June that are likely to make the topic of “the admissibility of evidence” just a little murkier.

The first is the recently media-covered publication of a paper in the “Forensic Science International: Genetics” journal which describes how DNA, the gold-standard for forensic evidence, can be faked:

“Nucleix scientists have demonstrated the viability of creating artificial DNA and ‘biological identity theft.’ Using basic equipment and know-how, DNA with any desired profile can be fabricated in the lab, and this artificial DNA can then be planted in crime scenes as fake evidence.”

This is rather alarming since, as the article rightly states, “we’re creating a criminal justice system that is increasingly relying on this [DNA] technology.” But just when things seem darkest, there appears hope:

“Until recently, there has been no way to distinguish between genetic profiles obtained from falsified DNA samples, which can appear identical to real biological profiles based on current analytical protocols and technologies.  Nucleix’s proprietary assays can distinguish between “fake” (in-vitro synthesized) DNA, and “real” (in-vivo generated) DNA.  The company is committed to developing state-of-the-art “DNA authentication” assays that can be integrated into the standard forensic procedure, in order to maintain the high credibility of DNA evidence in the courtroom and other uses.  For additional information on Nucleix, please visit the company’s website at”

Wait a minute. Nucleix both developed the “DNA Authentication” technology as well as the methods of falsifying DNA? Brilliant! That’s like an IPS vendor developing and launching attacks concurrent with their zero-day signatures, or George Went Hensley holding the patent on anti-venom. To be fair, if Nucleix hadn’t devised the falsification methods, someone else would have, but it’s irresistible to consider the pharmaceutical industry conspiracy theory implications.

The second is the recent Supreme Court decision in Melendez-Diaz v. Massachusetts (07-591) which extends the Confrontation Clause (“…the accused shall enjoy the right … to be confronted with the witnesses against him;”) of the Sixth Amendment to include forensic analyst reports as “testimonial” evidence rather than “business records”. The chief repercussion to the forensic sciences, should this stand, is that any forensic evidence presented in a case could require the investigating analyst to provide in-court testimony about the findings, or that the defense be allowed to cross-examine the analyst on the findings.

Never mind that it overturns over 200 years of understanding of the Sixth Amendment. Never mind that it begs for abuse by unscrupulous defense attorneys. Never mind that it is rationally incomprehensible. The economic implications of Melendez-Diaz v. Massachusetts alone would suggest that its days are numbered, but the two cited events nonetheless intensify the need for understanding and emphasizing the distinction between human-generated and computer-generated evidence, as well as for maintaining the strongest “forensic soundness” of evidence practicable.
