VALIDAZIONE FORENSE DI DATI DIGITALI: LA STRUMENTAZIONE NON BASTA.

Le procedure di produzione dei dati in una procedimento legale, civile, penale o industriale, sono precisato nella normativa vigente, italiana ed europea ed extra europea. In Italia abbiamo la legge 48/2008.

La procedura di copia forense è un termine ombrello che comprende varie tecniche, strumenti ed opzioni di tipo scientifico: l’uso del solo strumento non è sufficiente. E’ il CT che valida la copia acquisita, non semplicemente dichiarandola ma dimostrando e descrivendo strumenti, procedure e successive verifiche.

La completezza dei dati va cercata, ma non sempre è un requisito che può essere soddisfatto o verificato. La identità tra dati sorgente e destinazione si, calcolando e confrontando i rispettivi codici HASH .

Il CTU o CTP (nella consulenza Informatica legale) deve poter riscontrare la “Reliability”dei dati digitali da produrre agli atti del processo, partendo dalla identificazione e descrizione della sorgente dei dati

I dati acquisiti dovranno essere messi in relazione con la narrazione dei fatti distinguendo il piano reale (persone, luoghi, eccetera) da quello digitale (username, profilo, eccetera).

*-*

Il Council Of Europe, ha una divisione informatica forense che si occupa anche delle questioni di ammissibilità di dati digitali. Vorrei concludere riportando alcuni paragrafi recentemente pubblicati su https://rm.coe.int/0900001680902e0e

28. Electronic evidence, by its very nature, is fragile and can be altered, damaged or destroyed by improper handling or examination. For these reasons, special precautions may be taken to properly collect this type of evidence. Failure to do so may render it unusable or lead to an inaccurate conclusion. In principle, the parties are responsible for proper collection of electronic evidence … Different types of data may require different methods of collection. Actions taken to secure and collect electronic evidence should not affect the integrity of that evidence. In matters of considerable importance, the parties should consider capturing the electronic evidence with the support of an IT specialist ….”

*-*

37. Separation of the digital identity from the physical may generate problems related to the reliability of the evidence. In the first place, courts should seek to establish the identity of the author of electronic data. If the applicable law does not specify the manner of establishing the identity, it may be determined in any objective way, such as electronic signature or by checking the e-mail address from which the document was sent.

38. Trust services may provide technological mechanisms that ensure the reliability of evidence. For example, certificates to electronic signatures, sometimes referred to as the “digital ID” of a person, may guarantee both authenticity and integrity of the data. Where the identity of the signatory with an electronic signature is doubtful, a court may request the service provider related to the electronic signature to make a statement in relation to the matters upon which it is competent to provide evidence. Timestamping (certification of time) may be equally important for evidencing the integrity of an electronic data.

Example of trust service Timestamp (example Timestamp in CDR Record of Digitalkcalculated on NTP server and trusted services) is a mechanism that allows to prove the integrity of data. It demonstrates that data existed in a specific moment and have not been modified. The timestamp provides a value to the electronic evidence, as it includes relevant metadata about the moment of its creation.

39.          As far as the applicable law allows for it, and subject to the court’s discretion, the acceptance as evidence of all types of electronic evidence is encouraged and recommended for court practice. If there is a dispute, the parties generally identify the issues to be resolved, and unless a party raises the issue of the authenticity of the electronic evidence, the court does not need to raise the issue on its own initiative. Only where a party challenges the electronic evidence, the party seeking to rely on the evidence may be required to demonstrate its authenticity, for example by submitting metadata or seeking an appropriate order to obtain additional data from other persons, such as trust services providers.