PER: Potchefstroomse Elektroniese Regsblad

versión On-line ISSN 1727-3781

PER vol.22 no.1 Potchefstroom  2019

http://dx.doi.org/10.17159/1727-3781/2019/v22i0a4886 

ARTICLES

 

The Search and Seizure of Digital Evidence by Forensic Investigators in South Africa

 

 

JGJ Nortjé*; DC Myburgh**

North-West University South Africa. Email: Koos.Nortjie@nwu.ac.za; dc@cyanre.co.za

 

 


ABSTRACT

The discipline of digital forensics requires a combination of skills, qualifications and knowledge in the area of forensic investigation, legal aspects and information technology. The uniqueness of digital evidence makes the adoption of traditional legal approaches problematic.
Information technology terminology is currently used interchangeably without any regard to being unambiguous and consistent in relation to legal texts. Many of the information technology terms or concepts have not yet achieved legal recognition.
The recognition and standardisation of terminology within a legal context are of the utmost importance to ensure that miscommunication does not occur.
To provide clarity or guidance on some of the terms and concepts applicable to digital forensics and for the search and seizure of digital evidence, some of the concepts and terms are reviewed and discussed, using the Criminal Procedure Act 51 of 1977 as a point of departure.
Digital evidence is often collected incorrectly and analysed ineffectively or simply overlooked due to the complexities that digital evidence poses to forensic investigators. As with any forensic science, specific regulations, guidelines, principles or procedures should be followed to meet the objectives of investigations and to ensure the accuracy and acceptance of findings. These regulations, guidelines, principles or procedures are discussed within the context of digital forensics: what processes should be followed and how these processes ensure the acceptability of digital evidence. These processes include international principles and standards such as those of the Association of Chiefs of Police Officers and the International Organisation for Standardisation. A summary is also provided of the most influential or best-recognised international (ISO) standards on digital forensics.
It is concluded that the originality, reliability, integrity and admissibility of digital evidence should be maintained as follows:
Data should not be changed or altered.
Original evidence should not be directly examined.
Forensically sound duplicates should be created.
Digital forensic analyses should be performed by competent persons.
Digital forensic analyses should adhere to relevant local legal requirements.
Audit trails should exist consisting of all required documents and actions.
The chain of custody should be protected.
Processes and procedures should be proper, while recognised and accepted by the industry.
If the ACPO (1997) principles and ISO/IEC 27043 and 27037 Standards are followed as a forensic framework, then digital forensic investigators should follow these standards as a legal framework.

Keywords: Digital forensics; digital devices; digital search and seizure; digital evidence; forensic investigation; international standards.


 

 

1 Introduction

The discipline of digital forensics requires a combination of skills, qualifications and knowledge in the area of forensic investigation, legal aspects and information technology.1 In many academic papers and court cases information technology terminology is used interchangeably without any regard to its being unambiguous and conducive to consistent interpretation of terminology in a legal context, which is why information technology terminology is largely unknown in the legal system.2 Many information technology terms or concepts have not yet achieved legal recognition. This notion is supported by the South African Law Reform Commission (hereafter SALRC),3 which has expressed the opinion that the earlier opinion that computers are "just like" filing cabinets does not hold true in the light of new technological capabilities. This was also the opinion of the Supreme Court in the Canadian case R v Vu.4

Accurate legal definitions are vital to the operation of legal instruments, where words signify concepts in law, and the vocabulary consists of technical or legal terms and non-technical terms found in everyday language.5 Many of the words used in legal discourse are derived from ordinary language, but the true development of legal terminology - to a great extent - is derived from legal discourse in courts and depends less on the parameters set for communication with regard to generally recognised legal science principles.6 The recognition of terminology within a legal context is of the utmost importance to ensure that miscommunication does not occur. One should bear in mind that an initial understanding of texts may not be the only plausible interpretation.7 This can especially be true in a digital environment, where technical aspects can influence the normal interpretation or understanding of terms. Although one acceptable meaning is the ideal, the interpretation of legal texts causes frequent problems, as the meaning denoted in texts may not be the same for all addressees.8 In 1958 Hart9 encapsulated this issue perfectly by stating that in the most elementary form of law, the terms used should exist in some standard instance in which no doubt exists about their interpretation. Hart10 is of the opinion that there should be a "core of settled meaning".

In an attempt to provide clarity or guidance on some of the terms and concepts applicable to digital forensics and for the search and seizure of digital evidence, some of the concepts and terms are reviewed and discussed below.

In the early 1900s Dr Edmond Locard developed one of the cornerstones of modern-day forensic science, the Locard's exchange principle.11 While studying medicine Locard developed an interest in the application of science to legal matters.12 Locard theorised that every time a person or an object comes into contact with another, this results in an exchange of physical materials. Locard believed that during this contact all sorts of evidence, including human deoxyribonucleic acid (DNA), fingerprints, footprints, hair, skin cells, blood, bodily fluids, pieces of clothing, fibres and more are exchanged.13 As early as in 1997 Silvernail14 stated that when persons start to use a computer, evidence of activities is created. It is therefore recognised that the Locard principle also applies to computers15 due to the evidential traces or artefacts exchanged between the network of victims and the computers of perpetrators. This is confirmed by Wang,16 who emphasises the fact that digital evidence can prove crucial links between victims and perpetrators.

If it is recognised that computers have become an attractive medium for criminals17 and that their activities on computers result in evidence that can be linked to the crimes of suspects,18 it is essential to recognise the need for a discipline in the field of digital forensics.

Digital evidence is often collected incorrectly and analysed ineffectively or simply overlooked due to the complexities that digital evidence poses to forensic investigators.19 This "new" type of evidence has prompted the beginning of a "new" type of forensic science - digital forensics.20 As with any forensic science, specific regulations, guidelines, principles or procedures should be followed to meet the objectives of investigations, namely the accuracy and acceptance of findings.21 These regulations, guidelines, principles or procedures are discussed in the context of digital forensics: what processes should be followed and how these processes ensure the acceptability of digital evidence.

A summary is also provided of the most influential or best-recognised international standards on digital forensics.

 

2 Terminology

2.1 Sections 20 and 21 of the Criminal Procedure Act 51 of 1977

Section 21 of the Criminal Procedure Act 51 of 1977 relates to the power of authorised officials to issue search and seizure warrants.

The section furthermore authorises the police official to search and seize section 20 articles:

• which are concerned;

• which may afford evidence;

• which are intended to be used in the commission of a crime.

From this section, four concepts require further scrutiny on how these definitions relate to the digital environment, namely:

search;

seize;

articles;

premises.

The intrusive nature of search and seizure warrants and the obligation of the judicial system to guard against the misuse of this authority are well documented in the case of Powell v Van der Merwe.22 During this case, it was said that South African law has a long history of scrutinising search and seizure warrants with rigour and exactitude and that the common law rights are now enshrined in section 14 of the Constitution of the Republic of South Africa, 1996. Because of the danger of misuse during the application of authority with regard to search and seizure warrants, the judiciary scrutinises the validity of warrants with jealous regard for the liberty of suspects and their rights. The scope of the terms is even more relevant in cases involving digital evidence due to the wide scope of personal and confidential information kept on the digital devices of persons.23

The Explanatory Report to the Convention on Cybercrime of the Council of Europe suggests that additional procedural provisions are necessary in order to ensure that data can be secured in a manner as effective as in the case of the search and seizure of tangible objects.24 This is firstly because the data are intangible - they are in an electromagnetic medium. Secondly, while data can be read by making use of computer equipment, data cannot be taken away in the same sense as paper records.25 Kerr26 captures some of the complexities of digital evidence as follows: "How can the old rules fit the new facts? For example, what does it mean to 'search' computer data, or when is computer data 'seized'?" The Explanatory Report to the Convention on Cybercrime further suggests that data can be "seized" in only a specific number of ways, namely data can be printed and seized; the tangible medium upon which data is stored can be seized; or a forensic duplicate can be made of the data and the tangible form upon which the copy is saved can be seized. It is suggested that domestic law should provide for the power to create such duplicates.27
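The article's conclusion requires that data not be changed, that the original not be examined directly, that forensically sound duplicates be created and that an audit trail exist, and the Explanatory Report above treats a forensic duplicate as one way of seizing data. The following Python script is an added illustration, not part of the article, of how a duplicate can be created and verified so that those conditions can be demonstrated afterwards; the file names, examiner name and sample image are constructed, and the plain file copy stands in for a hardware or software imager.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large images are never loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire_duplicate(source: str, dest: str, audit_log: str, examiner: str) -> dict:
    """Create a duplicate of `source` at `dest` and record the acquisition.

    The original is only ever opened for reading; hashing it before and after
    the copy demonstrates that it was not altered, and hashing the duplicate
    demonstrates that the copy is bit-for-bit identical. Each acquisition is
    appended as one JSON line to an audit trail that the chain of custody can
    rely on. Returns the record that was written."""
    before = sha256_of(source)          # state of the original before any action
    shutil.copyfile(source, dest)       # stand-in for a forensic imager
    dup = sha256_of(dest)               # hash of the duplicate
    after = sha256_of(source)           # original re-hashed: proves it is unchanged
    record = {
        "time": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source": source,
        "duplicate": dest,
        "source_sha256_before": before,
        "duplicate_sha256": dup,
        "source_sha256_after": after,
        "verified": before == dup == after,
    }
    with open(audit_log, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    if not record["verified"]:
        raise RuntimeError("hash mismatch: duplicate is not forensically sound")
    return record


def verify_against_record(path: str, record: dict) -> bool:
    """Later check (e.g. before analysis or in court) that a file still matches
    the hash recorded at acquisition; any alteration makes this return False."""
    return sha256_of(path) == record["duplicate_sha256"]


def demo() -> dict:
    """Constructed sample: a small 'device image' in a temporary directory."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "seized_device.img")      # constructed original
    with open(src, "wb") as f:
        f.write(b"CONSTRUCTED SAMPLE IMAGE " * 4096)
    dst = os.path.join(workdir, "seized_device_copy.img")  # constructed duplicate
    return acquire_duplicate(src, dst, os.path.join(workdir, "custody.jsonl"), "Examiner X")
```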

2.1.1 Defining the search for digital evidence

Kerr28 suggests that forensic investigators should first search for and locate physical devices ("search one"). Then, forensic investigators should access and search these physical devices for relevant information or data ("search two"). For the purpose of this article, references to "search" are extended from Kerr's two-step process to include three phases, namely:

The traditional process in which forensic investigators search for or locate physical computers on a scene.

The forensic investigators search for or segregate relevant and nonrelevant information/data on these computers.

The analysis or interpretation of relevant information within the context of a larger investigation.

This discussion of the definition of "search" relates to the later steps followed when data is searched, since it is acknowledged that the search for physical articles on premises is well-defined and understood in the law.

The phenomenon of seizure taking place before a search is discussed by Brenner and Fredericksen,29 who state that a search and seizure of digital evidence turns a normal search and seizure on its head in the sense that computers are normally first seized and then searched. In the case of the Minister of Safety and Security v Bennett,30 it was recognised that in instances where large collections of physical documents are located on a scene, and when it is impractical to separate or effectively search these documents on the scene, a broad seizure of the collection of physical documents is permitted, pending a later search to segregate relevant and non-relevant information.

The Explanatory Report to the Convention on Cybercrime proposes that traditional words such as "search" and "seize" should be replaced with more technology-orientated computer terms, such as "access" and "copy".31 This proposal is supported by Nieman,32 who is of the opinion that "search and seize" can be more accurately described when computer terminology is used that is more neutral in meaning and can include actions such as the creation of forensic duplicates of data. Currently, in the consultation draft of the proposed South African Cybercrimes and Cybersecurity Bill dated 19 June 2016 the term "access" is included and is defined as follows: "to make use of, to gain entry to, to view, display, instruct, or communicate with, to store data in or retrieve data from, to copy, move, add, change, or remove data or otherwise to make use of, configure or reconfigure any resources of a computer device".33

In the Minister of Safety and Security v Xaba case34 it was stated that the concept of "search" should be given its ordinary meaning. The National Instruction 2/2002 of the South African Police Service (SAPS)35 states that "search" entails any action whereby a person, premise or container is visually or physically examined with the aim of establishing whether an item or article is in, on or upon such a person, premises or container. However, Basdeo36 is of the opinion that this approach is questionable since "visually" is not defined and can include merely looking at something. Furthermore, the question of what constitutes a search is left to common sense, assessed on a case-by-case basis. Basdeo continues and argues that an element of physical intrusion is required to constitute a search of persons, premises or properties.

Merely observing a room does not constitute a fully-fledged search.37 Kerr38 proposes that an "exposure-based approach" should be adopted and that data should be considered to have been "searched" only when the data were exposed to human observation.

Basdeo39 states that the Council of Europe Convention on Cybercrime (2001) in Budapest (hereafter Budapest Convention) constitutes the current international agreed-upon benchmark for procedural powers in terms of digital evidence collection. The Budapest Convention proposes that "search" should include "to seek, read, inspect or review data", which includes the searching or examining of data.40

The interpretation of "search" as an "exposure-based approach" is supported and based on any action in which forensic investigators access data by whatever means and take notice of information or observe information in a humanly readable format. It is recognised that the term "search" is extraordinarily broad, and a differentiation is made between the different contexts of search, as an action to firstly locate or look for devices on a scene; secondly, to locate and separate relevant and non-relevant data; and lastly, to analyse or interpret the data within the context of a larger investigation.

2.1.2 Defining the seizure of digital evidence

In the Rudolph v Commissioner for Inland Revenue case41 the court held that the term "seize" should be given its natural meaning. This ruling was supported in the case of Ntoyakhe v Minister of Safety and Security,42 when the court held that "seize" means not only to take possession of articles but also to retain them and, according to Steytler,43 to deprive persons of subsequent control over the articles. Nieman44 adds that a seizure takes place when persons are deprived of their control over articles, and without the subsequent right of retention of the articles section 21 of the Criminal Procedure Act would be worthless. In the Ntoyakhe v Minister of Safety and Security case, it was cautioned that the right of retention is not unlimited and does not authorise the State to deprive persons of their lawful possession of articles indefinitely.45 This is a very important issue raised by the court. Although sections 31 to 36 of the Criminal Procedure Act govern the disposal of articles under various conditions, no explicit reference is made to the duration in days for which articles may be retained after the point of seizure, or, where forensic duplicates are made, to when the original articles are to be returned following the creation of the duplicates. The situation with computers differs from that of other classes of articles because computers and other digital devices such as cellular phones play such a large role in our everyday lives. The retention period under discussion does not refer to the retention of forensic duplicates of computers during an analysis phase, but to the period between the seizure of computers on a scene, the creation of off-site forensic duplicates, and the subsequent return of the original computers to the owners. In many countries, legislation stipulates a time period in a number of days for this retention period.
In an unstructured interview,46 it was established that the practice in South Africa - due to there being limited resources - is that police officials in most cases seize computers on scenes and then transfer articles to central digital forensic laboratories. During this interview, it was stated that some of the digital forensic laboratories are months - even more than a year - behind in their workload.47 The interviewee48 estimated that on average persons are deprived of their computers (or cellular phones) for between five days and two years.

In the light of the unique way in which digital evidence is normally collected or "seized", Kerr49 poses a number of questions with regard to the interpretation of when digital evidence is considered seized, namely:

Does the creation of forensic duplicates constitute a seizure?

Does the creation of forensic duplicates constitute a seizure of original evidence?

If forensic duplicates are searched, does this constitute a seizure?

Kerr50 states that these aspects are surprisingly difficult to interpret and at first sight it seems sensible to say that the creation of forensic duplicates constitutes a seizure of evidence. In the United States case of Arizona v Hicks51 an investigator copied the serial number on a stereo system to establish later whether or not it was stolen goods. The court held that the copying of this information did not constitute a seizure. The court also held that the recording, copying or taking of a photograph of information on a scene does not consti