Tim Ebringer CA
Computer forensics has traditionally focused on the acquisition, analysis and presentation of 'images' of storage media, with a view to its later presentation as evidence in a court or law. This analysis sometimes reveals executable software which may be of interest to the forensic analyst; indeed it may be a key link in associating a relatively unskilled user with a sophisticated offence.
Prosecuting or defending a case against a user who allegedly used such an application presents particular evidentiary challenges. This paper relates our experience in forensic examination, documentation and legal presentation of executable applications. We detail the workflow of such an examination, from initial acquisition to eventual presentation in court. We explain how to compile and present findings of fact such that they will satisfy the requirements of computer evidence, and offer the reader suggestions on how to successfully navigate a potentially gruelling cross-examination.