In our second webinar hosted by Kenya Cyber Security & Forensics Association (KCSFA) & Kenya Magistrates & Judges Association (KMJA) on June 18th 2020, we covered the aspects that guide digital forensics investigations both legally & technically. The session was moderated by KMJA President Hon Justice Jacqueline Kamau with the panelists Hon Justice William Musyoki (High Court Judge) and Mr Peter Mbatha from DCI CyberCrime Department.

Exhibit management.

An exhibit is a material item, in this case a digital appliance, from which we can extract digital evidence. Before any evidence is extracted from the exhibit, we need to ensure that we have legal custody of the exhibit. This is achieved in 2 ways:

  1. Owner’s Consent: The legal owner of the electronic device surrenders the device, in writing, to another party for the purposes of analysis. This could be done by filling out a Consent Form.
  2. Court Order: In this case, law enforcement acquires a written document from a judge or magistrate authorizing the seizure of a particular digital device.

Once this is done, the chain of custody has to be established every step of the way, along with documentation of all identifiable & distinguishing features of what is now an exhibit. The process of establishing a proper chain of custody ensures that the integrity of the exhibit & the digital evidence contained therein is maintained.

Where possible, analysis is never done on our original exhibit. A copy of the exhibit is made & analysis is performed on the copy. This is to ensure that there’s no interference with the original & that the analysis process can be replicated. In addition to this, once analysis is complete, the analytical processes & the results obtained are documented. The integrity of the pieces of evidence is further maintained by hashing, which is a form of digital fingerprinting.
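The copy-then-hash step described above can be sketched as follows. This is an added example, not material from the webinar; the file names and sample bytes are constructed, and SHA-256 is an assumed choice of hash. It records a digest when the working copy is made, then shows that a single altered bit in the copy is detected while the original still verifies.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so large images never sit in memory

def sha256_file(path):
    """Return the SHA-256 hex digest (the 'digital fingerprint') of a file."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def make_working_copy(original, copy):
    """Duplicate the exhibit image; hash the original before and after copying."""
    before = sha256_file(original)
    shutil.copyfile(original, copy)
    if not (before == sha256_file(copy) == sha256_file(original)):
        raise ValueError("hash mismatch: copy is not a faithful duplicate")
    return before  # digest to record in the custody documentation

def verify(path, recorded_digest):
    """Re-hash a file and compare it with the digest recorded at acquisition."""
    return sha256_file(path) == recorded_digest

def demo():
    """Run on constructed data; returns (copy_ok, altered_ok, original_ok)."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "exhibit.img")  # hypothetical file names
        copy = os.path.join(tmp, "working_copy.img")
        with open(original, "wb") as fh:
            fh.write(b"CONSTRUCTED SAMPLE IMAGE\n" * 4096)  # constructed bytes
        recorded = make_working_copy(original, copy)
        copy_ok = verify(copy, recorded)
        with open(copy, "r+b") as fh:  # alter a single bit in the working copy
            fh.seek(100)
            byte = fh.read(1)
            fh.seek(100)
            fh.write(bytes([byte[0] ^ 0x01]))
        return copy_ok, verify(copy, recorded), verify(original, recorded)

if __name__ == "__main__":
    print(demo())
```
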

A certificate is also made that captures the requirements laid out in Section 106B(4) of the Evidence Act. These requirements are:

(a) identifying the electronic record containing the statement and describing the manner in which it was produced;
(b) giving such particulars of any device involved in the production of that electronic record as may be appropriate for the purpose of showing that the electronic record was produced by a computer;
(c) dealing with any matters to which conditions mentioned in subsection (2) relate; and
(d) purporting to be signed by a person occupying a responsible position in relation to the operation of the relevant device or the management of the relevant activities (whichever is appropriate),

Legal Statutes & Case Law.

The production of digital evidence in court is guided by sections 65(8), 78A and 106B(4) of the Evidence Act. Sections 65(8) & 106B(4) deal with the production of an accompanying certificate & what should be contained therein. The requirements set out in S65(8), in addition to those set out in S106B(4), are:

(a) identifying a document containing a print-out or statement and describing the manner in which it was produced;
(b) giving such particulars of any device involved in the production of that document as may be appropriate for the purpose of showing that the document was produced by a computer;

S65(8) further states that the certificate should also deal with matters pertaining to certain conditions set out in S68(6):

(a) the computer print-out containing the statement must have been produced by the computer during the period in which the computer was regularly used to store or process information for the purposes of any activities regularly carried on over that period by a person having lawful control over the use of the computer;
(b) the computer was, during the period to which the proceedings relate, used in the ordinary course of business regularly and was supplied with information of the kind contained in the document or of the kind from which the information so contained is derived;
(c) the computer was operating properly or, if not, that any respect in which it was not operating properly was not such as to affect the production of the document or the accuracy of its content;
(d) the information contained in the statement reproduces or is derived from information supplied to the computer in the ordinary course of business.

S78A of the Evidence Act further states that Electronic Evidence shall be admissible & doesn’t have to be in its original form to be admissible. Additionally, it sets out that the weight attached to Electronic Evidence shall depend on certain factors:

(a) the reliability of the manner in which the electronic and digital evidence was generated, stored or communicated;
(b) the reliability of the manner in which the integrity of the electronic and digital evidence was maintained;
(c) the manner in which the originator of the electronic and digital evidence was identified; and
(d) any other relevant factor.

In addition to these statutes, case law further guides us on the necessity of the “Certificate”. In the matter of Dr. Julius Makau Malombe (found here), the court ruled that:

“… In the premises, given that no certificate has been produced showing compliance and authentication as required by section 106B of the Evidence Act in relation to the photograph annexed as Annexure “BNM3” to the affidavit of Benson Mulandi Nyamai sworn on 7th September 2017 in support of the Petitioner’s Petition, the said photograph is found to be inadmissible as evidence.” This is because electronic evidence is easily tampered with; hence it is of the utmost importance that a certificate is produced.

Additionally, in the matter of Idris Abdi Abdullahi (found here), the court determined:

“… although the requirement of the certificate is a procedural and technical matter, Section 106B (4) of the Act is mandatory and cannot be ousted by Article 159 (2) (d) of COK2010. The Constitution of Kenya is supreme law but in application of Article 159 2(d) matters of form the Court may rely on the provision. This Court finds that the mandatory Provisions of the Evidence Act are about form and substance.” Article 159 (2) (d) states:

“In exercising judicial authority, the courts and tribunals shall be guided by the following principles-

(d) Justice shall be administered without undue regard to procedural technicalities;..”

The determination further states:

“… Before the Court can admit electronic records/evidence a certificate is mandatory to confirm source, process, custody and delivery of the said electronic record before admission so as to preempt manipulation of the record…”

In addition to this, the format that a “Certificate” is to take is addressed in the matter between The County Assembly of Kisumu vs Kisumu County Service board (found here). The ruling states:

“… The Evidence Act does not provide the format the certificate required under sub-section 106B(2) thereof should take. The certificate can therefore take any form including averments in the affidavit of the recorder…”

In conclusion, on the matter of expertise vis-à-vis the judges/magistrates, the adversarial nature of our court system should ideally allow the respondent or defense to challenge the findings of analysis reports or the contents of a certificate by having their own experts rebut the evidence presented. The judge/magistrate listens to the two arguments and makes a determination based on the different presentations made.

