Does anybody have a specific case example of digital evidence being thrown out because it was handled by an internal IT department? Thanks!
I would check out the Encase Legal Journal from Guidance Software's web site. You have to register to get it, but there is no cost. It does include a discussion on case law and eDiscovery by an internal IT department as well as cases related to the handling of electronic evidence.
On the basis of my experience, your question is a bit broad in that you don't describe what is meant by "handling". A couple of general rules, however
First, civilians are not bound by the same restrictions as law enforcement with respect to the handling of digital evidence.
Second, the Courts are far more likely to call into question the weight given to evidence rather than the admissibility of the evidence (unless it can be shown that the process of acquiring the evidence rendered it useless).
For example, an IT department seizes the computer of an employee who left to go to a competitor, boots it, and discovers (by opening them), that there are company confidential documents on his computer. A judge might direct a jury to disregard any significance of the Last Accessed dates but allow the fact that the files were there to be admitted.
Thus, the question becomes less of who handled it than what they did with it when they handled it. If the internal IT team followed standard forensic procedure and can document what they did and why they did it, it is less likely that the evidence would be excluded simply because it was handled, internally. Even if the IT department didn't follow such procedures, a judge might determine that the impact of such handling was not sufficient to exclude the data from being admitted, altogether.
Of course, there are likely other opinions and experiences out there.
Finally, I should mention that the situation may differ in the case where the organization is under a preservation order. In such cases, an inexperienced IT department might not realize the full implication of this insofar as the preservation of system artifacts are concerned.
seanmcl,
Thanks that PDF is very useful. I understand that my question was broad but I had been asked for a couple of examples by a potential client and was looking for anything relevant. IT departments have proven to be my greatest enemy as they are always "poking around" before contacting council. Thanks again!