Skip to main content

Evidence Types

Updated Jan 30, 2024 ·

Overview

Cybersecurity experts must understand the types of evidence collected and how they may be used in legal proceedings. There are three main types of evidences:

  • Real evidence
  • Documentary evidence
  • Testimonial evidence

Real Evidence

Real evidence consists of tangible objects that can be presented in court.

  • Physical items relevant to the case (e.g., computer equipment)
  • Can be examined by all parties involved.
  • Real evidence may consist of actual computer equipment.
  • Example: An attorney showing a knife to the jury

Documentary Evidence

Documentary evidence includes information presented in written or digital form.

  • Helps demonstrate facts to the court.
  • Can be traditional documents or digital files (e.g., contracts, logs)
  • May include digital evidence such as computer logs.

There are some legal rules that apply to the use of documentary evidence:

  • Authentication Rule

    • Authentication must be verified by testimony (e.g., confirming signatures)
    • Someone must testify as to the legitimacy of the document.

  • Best Evidence Rule

    • Original documents are superior to copies
    • Document copies may only be admitted to evidence when the original document is no longer available.

  • Parol Evidence Rule

    • Only written agreements are valid; verbal changes aren't accepted
    • Any modifications require another written agreement.

Testimonial Evidence

Testimonial evidence involves statements made by witnesses in court. The information may be provided by a witness, which can be direct or an expert.

Testimonial Evidence may come in two forms:

  • Direct Evidence
    • Based on personal observations (e.g., incident investigations)
  • Expert Opinion
    • Professionals interpreting evidence (e.g., logs indicating intrusions)
    • Cybersecurity expert may look at logs and offer an expert opinion

When giving testimonial evidence, witnesses must avoid violations of the hearsay rule. This means that they may not testify about what someone else told them outside of court.

Conclusion

Understanding these evidence types and their applications is crucial for cybersecurity experts involved in investigations.