Forensic IT and computer forensics is big business. There are now many forensic investigators. Especially because most business documents are created electronically nowadays.

The need for electronic evidence is not confined to obvious cybercrime events such as hacking, fraud and denial of service attacks, but also non-cybercrime events  such disputed transactions in commercial matters. Understanding the nature of electronic evidence has become more and more important particularly when one has to rely on it in court.

A recent case that deal with electronic evidence in a commercial transaction is the 2009 case of  La Consortium & Vending CC t/a LA Enterprises v MTN Service Provider (Pty) Ltd (the appeal judgment was reported in 2011). This case not only looked at some of the legal evidential issues, but also issues relating to how the electronic evidence was obtained.

In this case MTN sued LA Enterprises for R3 403 903,30 for cellular handset kits and airtime sold to LA Enterprises. LA Enterprises argued that since MTN was claiming the balance owing on a running account the respondent should have proved the opening balance. In addition, it argued that the evidence presented on behalf of MTN constituted hearsay evidence and that it was inadmissible. LAC lost the case in the trial court and on appeal.

The MTN case provides some useful practical pointers on how an organisation should set up its accounting, record management and storage systems to assist ensure that electronic documents are admissible (see below). However, this pre-supposes that an organisation has systems in place that are as advanced as MTN’s (an Oracle Accounting System).  A set of practical pointers should be developed that apply to less advanced systems as well. In this regard the case is lacking.

Suggested solutions for system configuration

As a general statement it is difficult to deduce principles that could be of general application and guide all organisations on how to configure their systems that generate electronic documents. The MTN case focused specifically on whether computer generated printouts amounted to hearsay evidence (hearsay evidence being oral or written evidence whose evidential value depends on the credibility of any person other than the person giving evidence). Its focus was on evidence directed at proving delivery of airtime (an intangible product) and MTN’s accounting system used to manage its stock and debtors. The focus in another case might be on aspects not dealt with in this case.

The following 12 general principles can be extracted from the MTN case:

  1.  the type of systems used is important in terms of functionality and ability to track the lifecycle of a transaction from the placing of a purchase order to the delivery of the goods;
  2. the integrity of the system is important ;
  3. the system must be audited on a regular basis;
  4. there should be a separation of duties (for example, the creation of transactions). Each each staff member should deal with a portion of the transaction so that a single staff member cannot alter the overall transaction. For example customer information inputted from the customer agreement should not be capable of being changed (for example delivery address, pricing structure);
  5. try and make sure that whilst different members of staff perform different tasks (e.g data capturing), one person should be accountable for all those members of staff (and the ‘buck must stop with him’). In this way his evidence on any document generated from the computer system will constitute direct (and not hearsay) evidence regarding the correctness of the information (and the law would regard it as if he had dealt with each incoming order);
  6. this person should provide a certificate in terms of section 15(4) of the ECT Act certifying the information to be correct;
  7. audit logs and procedures must be used to track that the transaction is not altered (which includes the sending of notifications if certain transactions are amended on the system);
  8. a proper purchase order generation procedure (via fax, email or EDI) must be in place and attendant checks (of email and delivery address mentioned in the customer agreement);
  9. there should be a mechanism for purchase order approval by the debtors management system (e.g if there is sufficient credit);
  10. the systems should provide for proof of delivery: by way of signature for physical goods and an email acknowledgement of receipt of an encrypted file;
  11. the tax invoice should be generated from purchase order and not beforehand;
  12. the system must have an ability to retrieve documents (which includes an email archiving component or system for email records for example).

Forensic Readiness Program

A practical pointer for any organisation regardless of the type of systems it has, is to have what the Information Assurance Advisory Council (IAAC) calls  a corporate “Forensic Readiness Program”. The aim of the program is to identify and preserve important electronic evidence from e-mail, web transactions, PCs, tablets and smartphones – and have a broad understanding of some of the associated legal problems such as admissibility and evidential weight. Often what is technically easy may be illegal or inadmissible.

The third edition of its free Guide to Forensic Readiness was published in March 2012. The full title is “Digital Evidence, Digital Investigation and E-Disclosure: A Guide to Forensic Readiness for Organisations, Security Advisers and Lawyers”.

The Guide identifies an eight-step process for creating a Readiness Program. The first third of the Guide gives general management advice; the remainder provides details of procedures, techniques, applicable law and sources of further information. It is well worth reading and is free.