
What Does It Mean to Be Forensically Sound?

August 2, 2023

Defining Forensic Soundness

The generally accepted definition of forensic soundness is “the application of a transparent digital forensics process that preserves the original meaning of data for production in a court of law.”

To meet that standard, and therefore be “forensically sound,” an investigation must be conducted in such a manner that the digital evidence (and all associated metadata) is identical at both the start and completion of the process. This can be established using hash codes, also known as hash values, which can be thought of as unique digital fingerprints for electronic files. To be forensically sound, the data collection and analysis processes must be defensible, consistent, repeatable, well documented, and authenticated.

Characteristics of Forensic Soundness

For an investigation to be "forensically sound," it means that the process of collecting, preserving, analyzing, and presenting evidence follows established forensic principles and best practices. This approach ensures that the evidence gathered is accurate, reliable, and admissible in a court of law, both for civil and criminal matters.

Accuracy and Reliability

A forensically sound investigation ensures that evidence is collected and handled in a way that minimizes contamination, tampering, or alteration. This helps maintain the integrity and reliability of the evidence, making it more likely to withstand challenges during legal proceedings.

Objectivity

Forensic investigations aim to be unbiased and objective. Following standardized procedures helps reduce the influence of personal biases or subjective judgments, increasing the credibility of the findings.

Transparency

A forensically sound investigation is transparent, allowing other experts to review and potentially replicate the results. This peer review process adds further validity to the findings.

Ensuring Forensic Soundness with the Chain of Custody

A forensically sound investigation preserves evidence in its original state throughout the investigation, preventing degradation or loss of critical information over time. To do this, digital forensic investigators take steps that might be considered unnecessary or overkill in a less rigorous type of investigation. These steps include thorough documentation of every transfer of control of the evidence and of each investigative step taken, which together make up what is known as “the chain of custody.”

The chain of custody refers to the process through which physical or digital evidence is handled during an investigation. Proving that an item has been properly handled through an unbroken chain of custody is required for it to be legally accepted as evidence in court. It documents how, when, and by whom items have been collected, handled, analyzed, or otherwise controlled during an investigation.

Gaps in the chain of custody can result in the evidence being inadmissible. In the infamous OJ Simpson murder trial, several items of evidence, including blood samples linking Simpson to the crime scene, remained in officers’ possession for considerable amounts of time before being entered into the chain of custody, rather than being logged immediately. This mistake allowed the defense attorneys to argue that evidence linking him to the scene could have been planted or contaminated, introducing a layer of doubt into the jurors’ minds.

For digital evidence, forensic investigators will often make use of a hardware write blocker. These devices ensure that no changes are made to the media being imaged, thus supporting the chain of custody.
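As an added example (not part of the original article), the following Python sketch shows how the hash verification described under “Defining Forensic Soundness” and the chain-of-custody documentation described above fit together: each custody event is logged with the examiner, timestamp, item, size and its MD5/SHA-256 fingerprints, and a later verification re-hashes the item and compares it with the acquisition entry. The evidence file, examiner names and log layout are constructed for the walk-through.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Return {algorithm: hexdigest} over the file contents, read in chunks so large images fit."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def record_custody_event(log, action, path, examiner, note=""):
    """Append one chain-of-custody entry (who, what, which item, when, hashes); size is logged too, since a content hash does not cover filesystem metadata."""
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "examiner": examiner,
        "item": os.path.basename(path),
        "size_bytes": os.stat(path).st_size,
        "hashes": hash_file(path),
        "note": note,
    }
    log.append(entry)
    return entry

def verify_against_acquisition(log, path):
    """Re-hash the item now and compare with the hashes logged at acquisition."""
    item = os.path.basename(path)
    baseline = next(e for e in log if e["item"] == item and e["action"] == "acquired")
    current = hash_file(path)
    mismatched = [a for a, digest in baseline["hashes"].items() if current[a] != digest]
    return {"intact": not mismatched, "mismatched": mismatched, "expected": baseline["hashes"], "observed": current}

def demo():
    """Constructed walk-through: acquire a small evidence file, verify it, then detect a one-byte change."""
    log = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "evidence.bin")
        with open(path, "wb") as f:
            f.write(b"constructed evidence file contents\n" * 100)  # stand-in for an acquired image
        record_custody_event(log, "acquired", path, "examiner-1", "imaged behind a hardware write blocker")
        before = verify_against_acquisition(log, path)   # hashes match the acquisition entry
        with open(path, "r+b") as f:                       # simulated mishandling: first byte overwritten
            f.write(b"C")
        after = verify_against_acquisition(log, path)    # every algorithm now reports a mismatch
    return before["intact"], after["intact"], sorted(after["mismatched"])
```

Running `demo()` returns `(True, False, ['md5', 'sha256'])`: the first check passes and the altered copy fails on both algorithms, which is exactly the gap a chain-of-custody log is meant to expose.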

The Importance of Forensic Soundness

Forensically sound investigations play a vital role in supporting the justice system by providing reliable evidence that aids in determining guilt or innocence and contributing to just and fair legal outcomes.

For civil matters, which are adjudicated to a standard of “a preponderance of the evidence,” meaning only that a reasonable assessment of the evidence indicates that the supposition is more likely true than not, digital evidence does not always need to be “forensically sound.” In such cases, what is known as a logical collection suffices. Logical collections include all the data and metadata associated with a given file and are validated through hash values, but they do not include associated volatile, deleted, or encrypted data.

For an example of how not to conduct a forensically sound data collection, see Leidig v. BuzzFeed, Inc., (S.D.N.Y. Dec. 19, 2017). In that case, the plaintiffs produced screenshots of websites and other documents with incorrect or missing metadata. The plaintiffs’ witness admitted that he “inadvertently changed or deleted the metadata” for some files when he tried to move them to a hard drive for production. The court imposed sanctions on the plaintiffs for their “amateurish collection” efforts.

In criminal cases, though, there is a different, stricter evidentiary standard: “beyond a reasonable doubt.” In keeping with that standard, criminal trials demand a higher degree of forensic soundness for digital evidence. Courts require evidence to meet specific standards and chain-of-custody protocols to be considered valid during criminal trials, and a forensically sound investigation meets those standards.

To learn more about how to conduct a forensically sound investigation, download Chapter 2 of Exterro’s Basics of Digital Forensics.
