Computer Related Evidence New


Transcript of Computer Related Evidence New

Page 1

COMPUTER RELATED EVIDENCE

Page 2

THE BEST EVIDENCE RULE

The key to identifying this potential evidence lies not in the tangible or intangible but in the application of very traditional evidentiary standards.

Computer related evidence must pass the established admissibility tests faced by all direct and circumstantial evidence.

One of the evidence issues: the best evidence rule.

Page 3

The term best evidence is used in many circumstances under the law, but is generally applied when dealing with copies or reproductions of evidence.

One of the most common circumstances where the rule is applied is in cases using documents or copies of documents.

The best evidence rule provides that: "to prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required, except as otherwise provided in the rules or by Act of Parliament."

Page 4

In the computer realm this issue arises when we deal with copies of electronic evidence.

For instance, when investigators seize a computer they might make archival copies of the files on the hard disk drive. These reproductions are, in most instances, exact duplicates of the original file.

From an evidentiary standpoint, though, there are issues of alteration that might be raised, and the primary question is whether the duplicate is good enough or whether we must actually present the file on the original hard disk.

Page 5

In answering this question the courts often turn to a reliability analysis.

Is the offered evidence, even though a copy, reliable for what it contains?

If the answer is yes then the evidence may be admitted.

If the answer is no, or there is a significant question as to reliability, then the best evidence rule might require the use of the original.

Page 6

Some of the earliest issues of this type arose from business records.

Many businesses kept copies of records such as receipts and other documents. The original was given to a customer and a copy, usually a carbon copy, was kept in the business's file.

Later, when questions of best evidence arose, the business owner merely pointed to specific exceptions in the law for support of the records.

Many of the early decisions arising in computer cases, and the records or copies kept on computers, focused on these same principles.

Specifically, the rules required the prosecutor to show that the record was made "at or near the time by, or from information transmitted by, a person with knowledge. . . ."

Page 7

An issue that arises frequently focuses on the nature of the computer evidence.

While we can easily manipulate and identify the copy of an original document, it is much harder to fathom the copy of an electronic file.

Altering a physical document is something we can easily understand and for the courts it is something that can be readily identified.

Courts are more willing to accept a copy of a document as the best evidence when it is easily authenticated, but the very nature of computer files often becomes the issue rather than the reproduction.

Page 8

On the surface one might argue that all computer related evidence must be authenticated.

Such a rule of thumb would certainly do the investigator good in the long run, since there would be less debate on the material than for material not easily authenticated.

But is that truly what the law requires?

To better understand that we must look to specifics in the law itself, and for that we will turn to the Evidence Act.

Page 9

Before applying the Act it is important to note that the Act does not stand alone.

The application of the best evidence rule is not contingent on the Act itself but on the application of the Act in conjunction with other statutes.

The impact of the best evidence rule is softened considerably by its reference to other statutes and the need to meet so many standards.

What this means is that the application of the Act is not a simple matter of applying specific language in the Act, but is instead an application wound through the words of other statutes and many court cases interpreting the Act.

Page 10

90C. SECTIONS 90A AND 90B TO PREVAIL OVER OTHER PROVISIONS OF THIS ACT, THE BANKERS' BOOKS (EVIDENCE) ACT 1949, AND ANY WRITTEN LAW

The provisions of sections 90A and 90B shall prevail and have full force and effect notwithstanding anything inconsistent therewith, or contrary thereto, contained in any other provision of this Act, or in the Bankers' Books (Evidence) Act 1949 [Act 33], or in any provision of any written law relating to certification, production or extraction of documents or in any rule of law or practice relating to production, admission, or proof, of evidence in any criminal or civil proceeding.

Page 11

The biggest issue when dealing with best evidence is the definition of original.

Page 12

"evidence" includes--

(a) all statements which the court permits or requires to be made before it by witnesses in relation to matters of fact under inquiry: such statements are called oral evidence;

(b) all documents produced for the inspection of the court: such documents are called documentary evidence;

Page 13

3. INTERPRETATION

"document" means any matter expressed, described, or howsoever represented, upon any substance, material, thing or article, including any matter embodied in a disc, tape, film, sound track or other device whatsoever, by means of--

(a) letters, figures, marks, symbols, signals, signs, or other forms of expression, description, or representation whatsoever;

(b) any visual recording (whether of still or moving images);

(c) any sound recording, or any electronic, magnetic, mechanical or other recording whatsoever and howsoever made, or any sounds, electronic impulses, or other data whatsoever;

(d) a recording, or transmission, over a distance of any matter by any, or any combination, of the means mentioned in paragraph (a), (b) or (c), or by more than one of the means mentioned in paragraphs (a), (b), (c) and (d), intended to be used or which may be used for the purpose of expressing, describing, or howsoever representing, that matter;

Page 14

ILLUSTRATIONS

A writing is a document.

Words printed, lithographed or photographed are documents.

A map, plan, graph or sketch is a document.

An inscription on wood, metal, stone or any other substance, material or thing is a document.

A drawing, painting, picture or caricature is a document.

A photograph or a negative is a document.

A tape recording of a telephonic communication, including a recording of such communication transmitted over distance, is a document.

A photographic or other visual recording, including a recording of a photographic or other visual transmission over a distance, is a document.

A matter recorded, stored, processed, retrieved or produced by a computer is a document;

Page 15

"computer" means any device for recording, storing, processing, retrieving or producing any information or other matter, or for performing any one or more of those functions, by whatever name or description such device is called; and where two or more computers carry out any one or more of those functions in combination or in succession or otherwise howsoever conjointly, they shall be treated as a single computer;

["computer" 1993 – 2012]

Page 16

"computer" means an electronic, magnetic, optical, electrochemical, or other data processing device, or a group of such interconnected or related devices, performing logical, arithmetic, storage and display functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device or group of such interconnected or related devices, but does not include an automated typewriter or typesetter, or a portable hand held calculator or other similar device which is non-programmable or which does not contain any data storage facility;

["computer" Subs. Act A1432 of the year 2012]

Page 17

Applying this provision to the computer means that when someone creates a document on a computer hard drive, for example, the electronic data stored on that drive is an admissible document. The question now is in what form that evidence must be offered.

Page 18

The most obvious choice is to produce the "document" itself to the court by bringing forth the hard drive and displaying the contents with a monitor.

But that somewhat cumbersome process is not the only choice. In telling us what constitutes an "original" writing or recording, section 62, Explanation 3 states "a document produced by a computer is primary evidence".

What this means, from a practical standpoint, is that so long as the copied file is accurate, paper printouts from electronic storage devices qualify as "originals" under the rule, and it appears other means of displaying -- such as overhead projection, LCD projection, etc. -- might also be admissible.

Page 19

Under section 61 of the Evidence Act 1950, the contents of documents may be proved either by primary or secondary evidence.

Primary evidence means the document itself must be produced for the inspection of the court.

This means that if documents are scanned into an imaging system, then for litigation purposes it is the original document that must be produced, not the image.

However, section 62, Explanation 3 states "a document produced by a computer is primary evidence".

Details of such documents are listed in sections 90A to 90C.

Page 20

A document shall be deemed to have been produced by a computer whether it was produced directly by it or by means of any appropriate equipment or device and whether there was any direct or indirect human intervention.

Human intervention here is limited to mean operation of the equipment or device and excludes "doctoring" the document to make or effect unlawful alterations.

A computer document can be produced for evidence after the commencement of the criminal or civil proceeding or investigation or inquiry, provided that it is a document produced by the computer in the course of its ordinary use.

The computer or the software must not be manipulated to produce anything not ordinarily produced in the normal course of administration.

Page 21

Section 90A allows a computer document produced by a computer in good working order in the course of its ordinary use (e.g. a bank statement) to be admissible as primary evidence, provided it is accompanied by a certificate from the person responsible for the management of the operation of the computer, who may not be the maker of the document.

It shall be sufficient to obtain a certificate to certify that the matter to be stated is correct to the best of the knowledge and belief of the person stating it, and such a certificate is always supported by the presumption that the computer referred to in the certificate was in good working order and operated properly in all respects throughout the material part of the period during which the document was produced.

In other words, the body of law on fraud and material misrepresentation is fully applicable to the act of adducing or presenting computer documents as evidence.

This certificate is essential for admissibility as it proves that the computer hardware system from which the document emanates and the procedures for entering records and of the storage and retrieval system itself is able to print out an authentic copy of the original, or to prove that the printout documents the real and actual information.

Page 22

Page 23

Page 24

While this relaxed standard appears to help when it comes to presenting computer generated files in court, there are some additional provisions relating to secondary evidence that help as well.

This appears to take care of the problem of archival copies of files taken from a computer hard disk, the files of which were copied from another hard disk or downloaded from servers.

Unless authenticity or some "unfairness" is at issue, courts may freely admit duplicate electronic documents.

"Secondary Evidence" as defined in section 63 means:

Page 25

Secondary evidence includes--

(a) certified copies given under the provisions hereinafter contained;

(b) copies made from the original by mechanical processes, which in themselves ensure the accuracy of the copy, and copies compared with such copies;

(c) copies made from or compared with the original;

(d) counterparts of documents as against the parties who did not execute them;

(e) oral accounts of the contents of a document given by some person who has himself seen or heard it or perceived it by whatever means.

Page 26

Secondary evidence may be given of the existence, condition or contents of a document admissible in evidence when a certified copy is permitted by the Evidence Act 1950 or other law in force in Malaysia, or when the original has been destroyed or lost, and evidence may be given by any person who has examined them and who is skilled in the examination of such documents.

Whenever the original no longer exists, copies or even copies of copies are admissible as evidence, especially if the authenticity of the document is admitted during discovery.

Where from inception the electronic information is recorded in electronic form (copied from some other electronic sources), the electronic document is the original document and its conversion into a printout or image is a hard copy of it.

Hence the requirement of a certificate from the person responsible for the management of the operation of the computer system or network facility under section 90A(3)(a).

Page 27

Many investigative agencies analyze data evidence from exact electronic copies (called "bit-stream" copies) made with commercial or custom-made software.

So long as the copies have been properly made and maintained, it appears that the law allows judges to accept these copies as readily as the originals.

This also means that expert opinions, those of investigators especially, may be based on the copies of the files and not always on the original file itself.
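The slide says the law accepts a bit-stream copy "so long as the copies have been properly made and maintained", and the practical way to show that is a cryptographic hash taken at acquisition and re-checked before every later use. The following is an added example (not code from the original slides or from any acquisition product); it works over an in-memory constructed "device" so it runs offline, and it assumes SHA-256 as the verification hash:

```python
import hashlib
import io

# Constructed sample "device": 4096 bytes with a boot-sector signature at offset 510.
# This is stand-in data for the example, not a real disk.
SAMPLE_DISK = b"\x00" * 510 + b"\x55\xaa" + bytes(range(256)) * 14


def hash_stream(fp, chunk_size=1 << 20):
    """SHA-256 of a readable binary stream, read in chunks so it scales to whole devices."""
    fp.seek(0)
    h = hashlib.sha256()
    while True:
        chunk = fp.read(chunk_size)
        if not chunk:
            break
        h.update(chunk)
    return h.hexdigest()


def acquire_bit_stream(source_fp, image_fp, chunk_size=1 << 20):
    """Copy every byte of the source to the image.

    The source hash is computed in the same read pass as the copy; the image is
    then re-read and hashed independently so the two digests can be compared.
    Returns (source_hash, image_hash, bytes_copied).
    """
    source_fp.seek(0)
    h = hashlib.sha256()
    copied = 0
    while True:
        chunk = source_fp.read(chunk_size)
        if not chunk:
            break
        h.update(chunk)
        image_fp.write(chunk)
        copied += len(chunk)
    return h.hexdigest(), hash_stream(image_fp, chunk_size), copied


def verify_image(expected_hash, image_fp):
    """Re-hash an image (before analysis, before trial) and compare with the acquisition hash."""
    return hash_stream(image_fp) == expected_hash


def demo():
    """Acquire the sample device, verify the image, and show that one flipped bit in a copy is caught."""
    image = io.BytesIO()
    source_hash, image_hash, size = acquire_bit_stream(io.BytesIO(SAMPLE_DISK), image)
    altered = bytearray(SAMPLE_DISK)
    altered[1000] ^= 0x01  # simulate an undocumented change to a working copy
    return {
        "size": size,
        "source_hash": source_hash,
        "image_verified": image_hash == source_hash and verify_image(source_hash, image),
        "altered_verified": verify_image(source_hash, io.BytesIO(bytes(altered))),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The acquisition hash, the tool and version used, and the date of each re-verification belong in the evidence log; a mismatch at any later check means the copy can no longer be offered as an exact duplicate and the difference has to be explained.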

Page 28

Of course, the obvious reason we would deal with the copy rather than the original is safety. Analyzing and manipulating an original file puts that file in jeopardy. So investigators often rely on the use of copies rather than the original.

What this means is that even while the common law best evidence rule appears to be alive and kicking, it has been substantially abbreviated by the rules of evidence.

Questions of admissibility turn not on whether the data before a court is on a hard drive, duplicate floppy disk, or a printout, but instead on whether the original data is authentic and whether any copies offered are accurate.

Page 29

AUTHENTICATING ELECTRONIC DOCUMENTS

Page 30

While the task of authenticating a document in court often rests with the trial lawyers, the reality is that it is the investigator who must do the work.

For that reason it is important that investigators understand what is necessary in order to authenticate a document in court.

To this end there is some guidance

Page 31

(a) "Distinctive" Evidence

Page 32

One of the most common methods for authenticating evidence is to show the item's identity through some distinctive characteristic or quality.

The authentication requirement is satisfied if an item is "distinctive" in its "appearance, contents, substance, internal patterns, or other distinctive characteristics, taken in conjunction with circumstances."

Page 33

One of the most common practices is the authentication of the document through a witness with knowledge of the document.

For instance, photographs are often taken of crime scenes and then introduced at trial.

Authentication through the photographer is not required; instead, authentication is allowed through a witness who has knowledge of the scene.

Thus, the authenticating question might be whether a particular photo is "a fair and accurate representation" of the scene.

So long as the witness authenticating the photograph has knowledge of the scene, they can say whether such is the case or not.

Page 34

The practice in court is to use this method to authenticate different types of evidence which may now be digitally created, stored, and reproduced.

For example, lawyers offering evidence obtained through a reproduced computer file may offer the authentication through an investigator "with knowledge" of the file and its contents.

"Is this a fair and accurate representation of the original computer file?" will be the most likely question.

Page 35

Where this type of authentication becomes a problem is in the modern age of computer-generated prints and digital photography.

Take this for example: there is a gruesome photograph of a dead body. Blood on the chest indicates that the victim has been stabbed, and the presence of a knife on the floor tends to support that finding. But what will happen if, with a few quick keystrokes, a few deft swipes of the mouse, and a little touch-up work, the wounds on the chest are gone, the knife is replaced with a gun, and a new bullet wound appears in the temple?

To make things even more convincing, the gun is now in the hand of the "victim" and the murder is now a suicide?

Page 36

The fact that the original picture was digital made the authentication even more difficult.

At this point digital photography is still not as good as film photography. And where a medium grade digital camera was used, the "bitmap" photograph can be easily altered.

How, then, is a photograph such as this authenticated?

Page 37

This is where the issue of "distinctive characteristics" alone is not enough.

The true issue will be the veracity of the witness who is authenticating the document.

The question for the courts will be the witness's ability and veracity in observing and recalling the original person, photo, scene, or document with which he compares the in-court version.

It is not enough that a document could be altered. The issue will be whether the authenticating witness is independently sure from observing the document that it is in fact a "fair and accurate representation" of the original.

Page 38

One issue that investigators and lawyers alike must be cognizant of is the question of whether the "distinctive characteristics" must also be relevant.

Take for example a witness who can remember the type style of a note but not the content. Is the authentication by remembering the type style enough when the note in question actually states something different from the original?

Perhaps judges will find themselves admitting digital photographs and documents based on "distinctive characteristics" if a witness with knowledge can identify and authenticate the item in all relevant detail.

But that, of course, requires a judge to know in advance which details will be relevant to the case and which are insignificant.

Page 39

If the characteristic that makes the item distinctive is not the same one that makes it relevant, judges might and should be wary about admitting digital evidence merely because it is distinctive.

After all, the relevant issue in the murder-to-suicide example was the nature of the death.

A witness who remembers distinctive characteristics about the victim's clothes or the room's dimensions might miss altogether the relevant evidence as to the swap of a gun for a knife.

Such a witness could certainly authenticate that this is the place where the death took place, but are they also then authenticating the nature of the death?

Page 40

For the lawyers the issue turns to one of asking the right questions.

If the witness authenticates a document or other evidence on its characteristics, then certainly someone needs to verify that the characteristics are relevant to the legal issues at hand.

Without such additional authentication there is a likelihood that otherwise inadmissible evidence is allowed simply because it was "authenticated."

Page 41

(b) Chain of Custody

Page 42

The term chain of custody refers to the link between those persons who seized the evidence and the route it has taken to the courthouse for presentation at trial.

The links in this chain may include the initial officer on the scene, the investigator, the crime lab technician, and the evidence room attendant.

At each stage the person accessing the evidence will be held accountable for its condition and any alterations, tests, or other work done with it.

Page 43

When prosecutors present evidence to a court, they must be ready to show that the evidence they offer is the same as that seized by the investigators and, if it has changed, why or how.

Chain of evidence does not mean that a piece of evidence cannot be tested or altered.

It simply means that we can account for all who have had contact with the evidence.

It means that we can account for the condition of the evidence and authenticate that it is in substantially the same condition as when seized.

Page 44

When dealing with the chain of evidence the first rule for investigators is to document clearly all who have had contact with the evidence.

This is traditionally done with a pen and paper log kept with the evidence or maintained by an "evidence officer."

The evidence officer on a crime scene is responsible for logging all evidence, seized and otherwise, and securing that which is taken.

Page 45

Regardless of how many people have handled the evidence, the evidence log is used to document those having access.

Typically this log is also used to maintain comments on any testing or changes made to the evidence.

As a general rule today's investigative agencies use a hand-to-hand chain of evidence to guarantee accountability.

Whether it be a pen and paper log or a series of electronic entries on a computer, the investigator must show that the evidence has been maintained in a strong chain of custody.
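Pages 42 to 45 describe what a custody log must capture: every hand-over, the condition of the item, and any change made to it. When the log is kept as "a series of electronic entries on a computer", the entries themselves need the same protection against after-the-fact editing that a bound paper log gets from its physical form. The added example below (not code from the slides or from any case-management product) links each entry to the previous one by a SHA-256 digest, so a retroactive edit to any earlier entry breaks every link after it, and it lists the points at which the recorded hash of the evidence item changed, each of which the custodian has to explain. Custodian names, times and hashes are constructed:

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous digest" of the first entry


def entry_digest(fields):
    """SHA-256 over a canonical JSON encoding of an entry's fields."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def append_entry(entries, custodian, action, item_hash, timestamp, notes=""):
    """Append a custody entry whose digest covers the previous entry's digest."""
    prev = entries[-1]["digest"] if entries else GENESIS
    fields = {
        "seq": len(entries),
        "custodian": custodian,
        "action": action,
        "item_hash": item_hash,  # hash of the evidence item as received at this hand-over
        "timestamp": timestamp,
        "notes": notes,
        "prev": prev,
    }
    entry = dict(fields, digest=entry_digest(fields))
    entries.append(entry)
    return entry


def verify_log(entries):
    """(True, None) if every digest and link checks out, else (False, seq of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        fields = {k: v for k, v in entry.items() if k != "digest"}
        if entry.get("seq") != i or fields.get("prev") != prev or entry_digest(fields) != entry["digest"]:
            return False, i
        prev = entry["digest"]
    return True, None


def hash_changes(entries):
    """Seq numbers at which the recorded item hash differs from the previous entry's.

    Each such point is a change to the evidence (a test, a repair, a conversion)
    that the log must explain; an unexplained one is a break in the chain."""
    return [e["seq"] for a, e in zip(entries, entries[1:]) if a["item_hash"] != e["item_hash"]]


def demo():
    # Constructed sample chain: seizure, imaging, then an examination that repaired
    # file-system errors (a documented change, so the item hash differs afterwards).
    h0, h1 = "a" * 64, "b" * 64
    log = []
    append_entry(log, "Officer A (scene)", "seized", h0, "2024-01-05T09:12:00Z", "laptop, bagged and sealed")
    append_entry(log, "Investigator B", "imaged", h0, "2024-01-05T14:30:00Z", "bit-stream image, hash verified")
    append_entry(log, "Lab technician C", "examined", h1, "2024-01-08T10:00:00Z", "file-system errors repaired, documented")
    intact = verify_log(log)
    tampered = [dict(e) for e in log]
    tampered[1]["custodian"] = "Someone else"  # retroactive edit of a past entry
    return {"intact": intact, "tampered": verify_log(tampered), "changes": hash_changes(log)}


if __name__ == "__main__":
    print(demo())
```

The digest chain only proves that the entries were not edited after they were written; it says nothing about whether the first entry was truthful, which is still a matter for the witness who made it. Keeping a copy of the latest digest in a separate place (a signed daily printout, for instance) is what stops someone from simply regenerating the whole chain.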

Page 46

(c) Electronic Processing of Evidence

Page 47

When data goes into computers, there are many methods and forms for getting it out.

To the extent that computers simply store information for later retrieval, a data printout may qualify as an original document.

Where the computer has merely acted as a technological file cabinet, lawyers must be ready to authenticate the in-court version of the document as genuine, but the evidentiary issues (at least those connected to the computer) do not pertain to the substance or content of the document.

Page 48

One of the issues common to the processing of electronic evidence is the method or manner used.

For this reason investigators will need to log the methods used for storage as well as those used for processing the data on the system.

If the computer, its operating system, and its application software have been reorganized in order to obtain relevant information, then this processing should be logged as well.

The concept is that the alteration of file structure may in some way affect the ultimate structure of the content.

Page 49

One of the best methods for processing this type of evidence is to maintain a log of all file structures.

Where possible, a hard copy -- usually a printed copy -- is maintained each time the computer system is accessed.

By comparing, calculating, evaluating, re-grouping, or selectively retrieving the material, the log is used to verify the content of the system.

One might think of this in much the same way as we would if authenticating a photograph. If a photograph is altered then the person altering it is responsible for explaining such alteration. It does not mean that a photograph cannot be altered; it just means that we must account for the alteration.

Page 50

The fact that the computer system has changed in some way does not make the resulting product inadmissible, but it does require another analytical step.

The computer processing itself may in fact create a new file structure or other document.

For instance, many word processing documents created in Microsoft Word have a "version" file associated with them. This addendum logs the number of times the file has been accessed and how many times it has been modified.

The simple change in that number, though probably not relevant to the file content, may create an evidentiary issue which is avoided by keeping a simple log.

Page 51

Because computers process data in many different ways by running programs, which can be commercially or privately written, there is always the underlying issue of how that particular data was accessed or evaluated.

Any of these programs can contain logical errors, called "bugs," which could significantly affect the accuracy of the computer process.

And even if there is no error in the code, a technician may run the program in a way that creates a false result.

Page 52

For example, a particular computer search program may be "case sensitive," which means that the upper- and lower-case versions of any given letter are not interchangeable.

If an author working in WordPerfect searches a document for the word "Evidence," the computer will not find the word "evidence," because the letter "e" was not capitalized.

What does it mean, then, when the computer reports that the word was "not found"?

Under what circumstances should a computer's conclusion be admissible in court? This is an issue often answered in the rules of hearsay.

Page 53

(d) The Hearsay Rule

Page 54

The hearsay rule itself is relatively simple.

Hearsay, which is a statement made out of court and offered later in court to prove the truth of a matter asserted, is generally inadmissible. One reason for this is that hearsay often removes the ability of the defendant to confront his accusers and examine those witnesses against him. Over the years, though, it has been recognized that certain exceptions exist which would allow such statements, especially when justice demands it.

Page 55

There are a few items worth noting before getting to an analysis of the rule as it relates to computers. One should first note that the hearsay rule is generally divided into two distinct groups of exceptions. The first group deals with statements made where the declarant (the person making the statement) is available to testify. The second set of exceptions deals with statements made by a declarant who is unavailable -- for any reason -- to testify. (section 32)

Page 56

A business computer's processing and re-arranging of digital information is often part of a company's overall practice of recording its regularly conducted activity.

Information from telephone calls, bank transactions, and employee time sheets is regularly processed, as a fundamental part of the business, into customer phone bills, bank account statements, and payroll checks.

Logic argues that if the business relies on the accuracy of the computer process, the court probably can as well.

Page 57

This is different, however, from using a company's raw data (collected and stored in the course of business, perhaps) and electronically processing it in a new or unusual way to create an exhibit for trial.

For example, banks regularly process data to show each account-holder's transactions for the month, and most courts would readily accept that monthly statement as a qualifying business record.

But may a court presume a similar regularity when the same bank runs a special data search for all checks paid from the account-holder's account over the past year to an account in Switzerland?

Page 58

In this case, even though the report was not made at or near the time of the event, the document is probably admissible as a summary. That rule allows courts to admit a "chart, summary, or calculation" as a substitute for "voluminous writing, recordings, or photographs." It should be noted as well that other parties still have the right to examine and copy the unabridged original data, and to challenge the accuracy of the summary. Of course, this also opens the way to challenges of any computer process which created the summary.

Page 59

In most other respects the hearsay rule operates with computer evidence exactly as it does with any other sort of evidence.

For instance, statements for purposes of medical treatment, vital statistics, or statements against interest may all qualify as exceptions to the hearsay rule, whether they are oral, written, or electronic.

Clearly, an electronic statement against interest must also be authenticated properly, but it does not fail as hearsay.

Conversely, a correctly authenticated electronic message may contain all sorts of hearsay statements for which there are no exceptions.

Page 60

COMPUTER EVIDENCE PROCESSING

Page 61

1. Computer Time and Date Settings

The time and date that files were created can be important in cases involving computer evidence. However, the accuracy of the time and date stamps on files is directly tied to the accuracy of the time and date stored in the CMOS chip of the computer. Consequently, documenting the accuracy of these settings on the seized computer is important. Without such information, it will be all but impossible to validate the accuracy of the times and dates associated with relevant computer files.

Page 62

As a result, it is recommended that the current time and date be compared with the same information stored in the computer. The current time can be obtained from the telephone company.

File dates and times are particularly important in documenting the backdating of computer files. When the settings on the computer are inaccurate, the times and dates associated with relevant files can be interpolated by the computer specialist.

Before running the computer or checking the time and date, making a bit stream backup of the computer hard disk drive is important.

Page 63: Computer Related Evidence New

2. Hard Disk Partitions

The potential for hidden or missing data exists when computer hard disk drives are involved. As a result, it is important to document the make, model and size of all hard disk drives contained in the seized computers. This is accomplished by conducting a physical examination of the hard disk drive. The factory information recorded on the outside of the hard disk drive should be documented. It is important that hidden partitions and data are found and documented.

Page 64: Computer Related Evidence New

3. Operating System and Version

The seized computer may rely upon one or more operating systems. The operating system(s) involved should be documented. This can be determined by examining the boot sector of each partition. It can also be determined by using a program like Norton Utilities. The findings should be noted, and the software and version used to obtain them should be documented. The versions of the software used should also be retained and stored with the documentation.

Page 65: Computer Related Evidence New

4. Data and Operating System Integrity

The accuracy of any data found will be directly tied to the integrity of the operating system, directory, FAT and data storage areas. Therefore, it is important to document the results of running a scandisk program. In the event errors are found, they should be documented. At the discretion of the computer specialist, errors should be corrected and/or repaired. Any such corrective actions taken should be documented, and the version of the software used should be retained and stored with the documentation.

Page 66: Computer Related Evidence New

5. Computer Virus Evaluation

It is important that computer viruses are not introduced into the seized computer storage devices by the computer specialist. Consequently, all processing software should be scanned by a NIST certified virus scanning utility. Ideally two separate virus scanning utilities should be used, and the results of the scan should be documented. The seized computer hard disk drives and floppy diskettes should also be scanned, and any viruses found should be documented. At the discretion of the computer specialist the computer virus should be removed. As with the other software used, the version of the software used should be retained and stored with the documentation pending trial. It is also important to realize that infected programs and word processing files can be stored within compressed files, e.g., zip files. Some computer virus scanning programs automatically search inside zip files, e.g., Norton AntiVirus. Other programs do not evaluate the contents of zip files. This should be taken into account when creating the documentation.
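As an added example (not part of the original slides or any product named on them), a small Python routine that lists every member of a zip archive, descending into nested zips, so that files a scanner never opens are still cataloged with a hash for the documentation; the archive contents are constructed, and the recursion cap is an assumption added here.

```python
import hashlib
import io
import zipfile

def catalog_zip_members(data: bytes, prefix: str = "", depth: int = 0,
                        max_depth: int = 4) -> list:
    """List (path, sha256) for every member of a zip archive, descending into
    nested zips so that members a scanner may never open are still documented.
    Nested members are written as outer.zip/inner.zip/member. Recursion is
    capped at max_depth (assumed value) so a deeply nested archive cannot keep
    the catalog running indefinitely."""
    out = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            path = prefix + info.filename
            out.append((path, hashlib.sha256(content).hexdigest()))
            if depth < max_depth and zipfile.is_zipfile(io.BytesIO(content)):
                out.extend(catalog_zip_members(content, path + "/",
                                               depth + 1, max_depth))
    return out

def build_sample_archive() -> bytes:
    """Constructed input: a zip holding a text file and a nested zip that in
    turn holds a word-processing file, the case the text warns about."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("letter.doc", b"constructed word-processing file")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"constructed text file")
        z.writestr("archive/inner.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for path, digest in catalog_zip_members(build_sample_archive()):
        print(f"{digest}  {path}")
```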

Page 67: Computer Related Evidence New

6. File Catalog

The files stored on the computer hard disk drive(s) and floppy diskettes should be listed and cataloged. The dates and times that the files were created and/or updated should also be recorded. Many times relevant leads can be obtained through the sorting of the files by file date and time. The combination of such information from multiple computers seized as evidence in the same case can also prove valuable for leads. Such information can be helpful in documenting a conspiracy when sorted file dates and times are evaluated.
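As an added example serving both the clock-setting discussion in item 1 and the catalog in item 6 (not code from the original slides), a Python catalog that applies each seized machine's documented clock offset before sorting files from several machines by corrected time; the evidence labels, paths, timestamps and offsets are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class FileRecord:
    computer: str       # evidence label of the seized machine (constructed)
    path: str
    created: datetime   # stamps exactly as that machine's clock recorded them
    modified: datetime

def clock_offset(reference: datetime, observed: datetime) -> timedelta:
    """Difference between a trusted reference time and the seized machine's
    clock, both read at the same moment during documentation. Adding it to a
    recorded stamp gives the corrected time; zero means the CMOS clock was right."""
    return reference - observed

def build_catalog(records: list, offsets: dict) -> list:
    """Catalog files from several machines, correcting each stamp by its own
    machine's documented offset, sorted by corrected modification time.
    Both the recorded and the corrected values are kept for the documentation."""
    rows = []
    for r in records:
        off = offsets[r.computer]
        rows.append({"computer": r.computer, "path": r.path,
                     "created_recorded": r.created, "created_corrected": r.created + off,
                     "modified_recorded": r.modified, "modified_corrected": r.modified + off})
    rows.sort(key=lambda row: (row["modified_corrected"], row["computer"], row["path"]))
    return rows

# Constructed sample: machine A's clock was found two days slow, machine B's was correct.
SAMPLE_OFFSETS = {
    "A": clock_offset(datetime(2003, 3, 10, 9, 0), datetime(2003, 3, 8, 9, 0)),
    "B": clock_offset(datetime(2003, 3, 10, 9, 5), datetime(2003, 3, 10, 9, 5)),
}
SAMPLE_RECORDS = [
    FileRecord("A", "C:\\docs\\contract.doc", datetime(2003, 3, 1, 12, 0), datetime(2003, 3, 1, 12, 0)),
    FileRecord("B", "C:\\mail\\reply.txt", datetime(2003, 3, 2, 9, 0), datetime(2003, 3, 2, 9, 0)),
]

if __name__ == "__main__":
    # Sorted by recorded time A's file looks older; by corrected time B's file comes first.
    for row in build_catalog(SAMPLE_RECORDS, SAMPLE_OFFSETS):
        print(row["computer"], row["path"], row["modified_recorded"], "->", row["modified_corrected"])
```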

Page 68: Computer Related Evidence New

7. Software Licensing

All too often, law enforcement agencies are underfunded when it comes to the purchase of computers and software. Often this translates into law enforcement computer specialists being forced to use software that they did not purchase in the processing of computer related evidence. If this practice is discovered by the defense lawyer through legal discovery or during trial, the case can be lost. Worse yet, the reputation and credibility of the law enforcement computer specialists can be tarnished forever. Such problems should be avoided at all costs. The essential software tools used in computer evidence processing are relatively inexpensive, and some software companies support law enforcement agencies with free and discounted forensic software. Be sure that you are licensed to use the software and document that fact in your reports. Also, be sure to register your software with the software publisher after purchase. Smart defense lawyers will contact the software publishers involved and verify that you are a licensed user of their software.

Page 69: Computer Related Evidence New

8. Retention of Software, Input Files and Output Files

As technology moves forward most software manufacturers enhance and upgrade their software. Over the course of just one year a program will probably be upgraded several times. Therefore, it is important that you retain the exact version and copy of software used in the processing of computer evidence. It may be necessary for you to duplicate the results of your processing, and without the exact version of software originally used, this task may be impossible. When processing results cannot be duplicated, it raises doubts about the accuracy of the processing. Furthermore, it also makes it difficult to rebut claims by the defense lawyer that the evidence was tampered with by the police, etc. Source files, text search files, output files and forensic software should be archived on the same storage device until after trial. Ideally these items should be retained until all possibilities of appeal have been exhausted. The storage medium, or another external storage device that allows the files to be accessed, should be retained as well. This is very inexpensive insurance when it comes to the failure or success of a criminal case. Your documentation should clearly list the software used, the names of the source files, the names of the output files and the software names and version numbers. These lists should conform to the contents of your archive disk.
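As an added example (not from the original slides), a Python manifest that records the software names and versions together with every file on the archive disk and checks the written lists against the disk contents; the SHA-256 hashes are an addition assumed here beyond the text's lists, and the archive files and the tool name "ExampleSearchTool" are constructed.

```python
import hashlib
import os
import tempfile

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(archive_root: str, software: list) -> dict:
    """Record every file on the archive disk with its SHA-256 (assumed addition),
    together with the software names and versions used, so the written
    documentation can later be checked against what is actually on the disk."""
    files = {}
    for dirpath, _, names in os.walk(archive_root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            files[os.path.relpath(full, archive_root)] = sha256_of(full)
    return {"software": software, "files": files}

def verify_manifest(manifest: dict, archive_root: str) -> list:
    """Return discrepancies between the documented file list and the archive
    contents; an empty list means the documentation conforms to the disk."""
    current = build_manifest(archive_root, manifest["software"])["files"]
    documented = manifest["files"]
    problems = [f"missing from archive: {p}" for p in sorted(set(documented) - set(current))]
    problems += [f"undocumented file on archive: {p}" for p in sorted(set(current) - set(documented))]
    problems += [f"hash mismatch: {p}" for p in sorted(set(documented) & set(current))
                 if documented[p] != current[p]]
    return problems

def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo() -> tuple:
    """Constructed archive: the manifest is built, then one output file is
    altered, which the verification must report."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "source", "drive.img"), b"constructed bit stream image")
        _write(os.path.join(root, "output", "keywords.txt"), b"alpha\n")
        manifest = build_manifest(root, [{"name": "ExampleSearchTool", "version": "1.2"}])
        clean = verify_manifest(manifest, root)
        _write(os.path.join(root, "output", "keywords.txt"), b"alpha\nbeta\n")
        return clean, verify_manifest(manifest, root)

if __name__ == "__main__":
    print(demo())
```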