Presentation on theme: "Computer Forensics BACS 371"— Presentation transcript:
1 Computer Forensics BACS 371 Constitutional Amendments & Digital Forensics
2 Topic Outline
- 1st, 4th, 5th, and 14th Amendments
- Probable Cause
- Search & Seizure
- 4th Amendment Exceptions
- Warrants
- Subpoenas
3 Constitutional Amendments
- The U.S. Constitution was originally ratified with 10 Amendments, now called “The Bill of Rights”.
- The 4 Amendments that most closely relate to digital forensics are:
  - 1st Amendment – Freedom of religion, speech, & press
  - 4th Amendment – Protection against search & seizure
  - 5th Amendment – Self incrimination, due process
  - 14th Amendment – Equal protection, due process
- Of these, the 4th Amendment has the most influence on law enforcement and forensic investigation.
4 Constitutional Amendments
1st Amendment
“Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.”
5 Forensics and the 1st Amendment
- Privileged information and obscenity/child pornography are the main forensic concerns that the 1st Amendment embodies.
- Search warrants are not generally issued for anything that falls under the current definition of “the press.”
- Subpoenas can be obtained for specific information held by a “press” entity.
- There is some dispute as to whether an ISP is a provider of information or a medium of transport.

Law on ISPs is still in flux. Common carrier companies (i.e., telephone companies) really do not want to be involved in policing how the content of the data they carry is used. They want to be considered as neutral data pipelines.

Child porn laws are very strict and have harsh penalties. So much so that the forensic analyst must be careful when doing analysis that may involve this material.
6 Constitutional Amendments
4th Amendment
“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
The main Amendment of concern for forensic analysts.
7 Forensics and the 4th Amendment
Key forensic impact includes:
- “Reasonable” search and seizure
- Warrants
- Probable cause
- Places to be searched
- Things to be seized

~Details on this later in the presentation~
8 Constitutional Amendments
5th Amendment
"No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a grand jury, except in cases arising in the land or naval forces, or in the militia, when in actual service in time of war or public danger; nor shall any person be subject for the same offense to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation."
Due process of the law – a fundamental principle to ensure that all civil and criminal cases follow federal or state rules to prevent any prejudicial or unequal treatment.
9 Forensics and the 5th Amendment
- Protects the right to “due process of law” at federal level.
- Protects against testifying against yourself (“self incrimination”).
- Forcing someone to give up a password (for encryption or login purposes) can be considered as forcing them to testify against themselves.
- You can, however, require them to provide fingerprints, retina scans, voice samples which, if used to protect a system, would make evidence available for search.

Basically, if it is something that you know (like a password), it comes under the “closed container” rule and is not generally subject to being compelled from the subject. If it is something about you (i.e., biometric), you can be compelled to comply (as in give fingerprints, …). Subtle difference that likely will be court challenged as biometric protection becomes more popular.
10 Constitutional Amendments
14th Amendment
“Section. 1. All persons born or naturalized in the United States and subject to the jurisdiction thereof, are citizens of the United States and of the State wherein they reside. No State shall make or enforce any law which shall abridge the privileges or immunities of citizens of the United States; nor shall any State deprive any person of life, liberty, or property, without due process of law; nor deny to any person within its jurisdiction the equal protection of the laws.”
11 Forensics and the 14th Amendment
- Amendment was created primarily in response to the Civil War.
- Reinforces the concept of “due process of law” (this time at state level).
- Makes most of the original bill of rights also apply to the states. Prior to this, it was technically only applicable at the federal level.

This Amendment was intended to correct problems caused by the Civil War and, to a certain extent, punish those states that participated (see section 3). The longer term effect (from a digital forensic perspective) was to pull the bill of rights down to also apply to states.
12 Constitutional Amendments
The 4th Amendment deserves special attention as it relates to digital forensics.
“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
13 4th Amendment to U.S. Constitution
- It does not specify citizens of the U.S. It says “people”; consequently, anyone physically in the boundaries of the country has this protection.
- It includes corporations (since they are treated as people legally).
- It does not apply to foreign nationals within the boundary of their own country.
- It only applies to searches conducted by the government, not private individuals.
- Has been interpreted as protecting people, not places.
- Only applies in situations where a person has a “reasonable expectation of privacy.”

Physically in the country implies legal or illegal. Also has some ramifications when it comes to the grounds of embassies (since they are not technically “in” the US).

Corporations recently were also given equal “free speech” rights as it relates to political contributions (i.e., speech).

3rd point implies that someone captured or searched in a foreign country does not automatically have these rights.

Private individuals have much greater latitude for legal search than law enforcement. A danger for forensic examiners is that they act as an agent for law enforcement. This means they have to also obey all the rules (called “acting under color of authority”). It is acceptable for private search fruits to be shared with law enforcement. Law enforcement agents can also repeat the same search without a warrant.

The “reasonable expectation of privacy” language came from Katz v United States. This case involved evidence gathered from a public phone booth. The ruling stated that when you enter a phone booth and close the door you have a reasonable expectation of privacy. The opposite of this implies that if you state information in a public forum (like the Internet), you do NOT have a reasonable expectation of privacy. is a trickier case. If you go out of your way to keep something private, you may have reasonable expectation of privacy.
14 Key Components to 4th Amendment
- Reasonable search and seizure
- Probable cause
- The place to be searched
- The things to be seized

Each of these has very specific legal meaning and a good deal of historical case law to back them up.
- 4th Amendment protects people, not places.
- It protects both tangible and intangible items (even oral communication).
- Physical intrusion is not necessary to establish a constitutional violation (so you need a warrant to collect electronic information).
- Only applies to government searches. Does not apply to private individuals unless they are acting under the supervision of law enforcement.
15 Notes on Key Components
- The right to be secure is not unlimited. The government has the right to perform searches and seize items if it is “reasonable”. What is “reasonable” is viewed in the totality of the circumstances.
- A “search” and a “seizure” are 2 separate things.
- Search is an infringement of a person’s privacy (including tangible and intangible).
- “Seizure” is the legal act of taking something that could constitute evidence. Can be tangible (i.e., computer) or intangible (i.e., digital artifacts). (Electronic surveillance within a search has been deemed the seizure of words).
16 Notes on Key Components cont.
- Any evidence collected by illegal search is normally inadmissible (so called “fruits of the poisonous tree”). This is to discourage overly aggressive search and seizure.
- Probable cause is the reasonable belief that a crime has been, is being, or is about to be committed. This belief must be reliable and reasonable enough to convince a judge, court commissioner, or magistrate that it is valid.
- Probable cause information is detailed in a written affidavit. It must be sworn to in front of somebody who has the power to give oaths or affirmations. (Oaths invoke “God” as a witness while affirmations do not).
- Extreme details about where to search and what to look for are contained in the affidavit. This poses some problems when trying to get digital data.

Prior to “Weeks v United States” (1914), all evidence regardless how acquired was admissible.

Probable Cause is when a reasonable person would conclude:
1) a crime has been committed
2) evidence of that crime exists
3) evidence presently exists at the place to be searched
17 Key Exceptions to the 4th Amendment
The 4th Amendment is not absolute. There are several exceptions where search can take place without a warrant.
- No “reasonable expectation of privacy”
- Consent
- Plain view
- Search incident to a lawful arrest
- Exigent Circumstances
- Workplace searches
- Inventory searches
- Border searches

Other notable exceptions:
- Inevitable discovery exception – allows evidence illegally obtained to be introduced if it would have inevitably been discovered through lawful means.
- Good faith exception – holds that illegally seized evidence is admissible if the law enforcement agent acted in good faith belief that he or she was acting in accordance with a valid search warrant that is later found to be defective.
18 No Expectation of Privacy Exception
- Katz v. United States (1967). Case that reexamined what “reasonable expectation of privacy” means.
- Case dealt with recordings made in a public phone booth.
- Ruling stated that going into a phone booth and closing the door gave one the expectation of privacy.
- Inverse of this ruling is that statements made in a public forum (i.e., Internet, Facebook) do not have the expectation of privacy.

Key points of this ruling:
- "The Government's activities in electronically listening to and recording the petitioner's words violated the privacy upon which he justifiably relied while using the telephone booth and thus constituted a 'search and seizure' within the meaning of the Fourth Amendment." – Justice Stewart
- Regardless of the location, a conversation is protected from unreasonable search and seizure under the Fourth Amendment if it is made with a “reasonable expectation of privacy”.
- Wiretapping counts as a search (physical intrusion is not necessary).
19 Consent Exception
- If you give permission, no warrant is necessary. At any time, consent can be revoked.
- Consent must be given knowingly and voluntarily.
- The scope must be understood based upon what a “typical reasonable person” would understand it to be.
- The more specific and detailed the request for consent, the better.
- If necessary to remove computer from its original location, you also need consent to seize.
- While not required, consent in writing is best and should notify party how to revoke consent.
- When joint ownership occurs, all must agree (applies to computer with multiple sign-ons).

It is not required to tell the person that they have the right to refuse consent, but it may be a factor later in determining if it was voluntary. There is no law to tell people that they have the right to revoke consent. Written and signed consent are best. If multiple parties are involved, all must agree and give consent (one ‘no’ vote overrules).
20 Plain View Exception
- Apparent evidence in plain view can be seized without a warrant.
- The officer must be in the area legally.
- Computers with visible contraband showing can be seized without a warrant (but you can’t open any files manually to look for more without a warrant).
- Observations of potential evidence on the Internet are public domain and may be “searched” and “seized” without a warrant.
21 Lawful Arrest Exception
- Incident to a lawful arrest, officers are permitted to conduct a full search of a person’s person and the area immediately under their control.
- The limited area is called the “lunge-reach-rule” and extends to the distance a person could lunge to reach a weapon or destroy evidence.
- The search must be contemporaneous to the lawful arrest.
- It is “reasonable” to search a pager at arrest time. No formal rules for PDAs or cell phones (yet). So, you still need a warrant for these devices.
22 Exigent Circumstances Exception
- Exigent (that is, emergency) circumstances can allow a warrantless search if the officer believes that physical harm could come to someone or evidence will be destroyed.
- Frequently applies to computer equipment because it is easy to destroy.
- If the officer believes that the delay needed to get the warrant will allow the evidence to be destroyed, this rule can be used.
- Exigent circumstances should be viewed more like a seizure than a search doctrine.
- When in doubt, officers should seize evidence and apply for a warrant to search it.
23 Workplace Search Exception
- Law Enforcement personnel may search without a warrant with consent of the business in the workplace.
- 3rd party searches can be re-created for law enforcement (but not go beyond original search). If the 3rd party acts under the instruction of the officer, they become an “agent” of the government and have to follow the standard search rules.
- Work computers can usually be searched without a warrant if there is implied consent and no expectation of privacy.
- The extent of private sector search is determined by the expectation of privacy within the work environment.

“Warrantless workplace searches by private employers rarely violate the Fourth Amendment. So long as the employer is not acting as an instrument or agent of the Government at the time of the search, the search is a private search and the Fourth Amendment does not apply.”

- The 4th Amendment does not apply to private persons who might conduct searches on their own and report criminal activity.
- Contraband obtained by a private party can be turned over to law enforcement and used to support request for search warrant.
- Work related searches in the public sector are typically lawful when done for work-related misconduct.
24 Official Banners Eliminate Reasonable Expectation of Privacy
25 Inventory Search Exception
- Routine collection of personal effects for inventory purposes does not require a warrant.
- If obvious contraband is found, it can be seized.
- Locked containers may not be searched for evidence without a warrant.
- Electronic media discovered during an inventory search cannot be accessed without a search warrant.
26 Border Search Exception
- Allows searches and seizures at international borders and their functional equivalent without a warrant or probable cause.
- The expectation of privacy is less at the border than in the interior of the country.
- Consequently, the balance between the interests of the Government and the privacy right of the individual is weighted much more favorably to the Government at the border.
- This doctrine is not actually an exception to the 4th Amendment, but rather to the Amendment's requirement for a warrant or probable cause.
- The Government asserts that it may open, login, and search through all the electronic information stored on traveler's electronic devices.

“Reasonable suspicion is not needed for customs officials to search a laptop or other electronic device at the international border.”

Routine searches of the persons and effects of entrants are not subject to any requirement of reasonable suspicion, probable cause, or warrant. More invasive searches or seizures of a person's body require some suspicion.
27 Search Warrants
To legally search in situations that are not covered by the exceptions, you generally need a warrant.
28 Fundamentals of Warrants
- In cases where there is no 4th Amendment exception, a search warrant is generally needed to perform a legal search.
- Search Warrant – An order issued by a judge giving government officials express permission to enter an area and search for specific evidence pertaining to a specific crime.

Note that it is technically geared for “government agents”. As a private individual, you have broader rights to legally search; however, this is easily exceeded, so you should not assume that you can search at will.
29 Fundamentals of Warrants
Warrants Must Describe:
- Probable cause
  - A reasonable belief that a person has committed a crime (affidavit required)
- Places to be searched, things to be seized
  - This must be specified in detail
- Gives government official the limited right to violate a person’s privacy

Probable Cause is when a reasonable person would conclude:
1) a crime has been committed
2) evidence of that crime exists
3) evidence presently exists at the place to be searched
30 Drafting Warrant and Affidavit
- Affidavit
  - A sworn statement that explains the basis for the affiant’s belief that the search is justified by probable cause
- Warrant
  - Typically a one-page form, plus attachments, that describes the place to be searched, and the persons or things to be seized
- Warrant must be executed within 10 days
31 “Reasonable Expectation of Privacy” in Computers as Storage Devices
- To determine whether an individual has a reasonable expectation of privacy in information stored in a computer, it helps to treat the computer like a closed container such as a briefcase or a file cabinet.
- The Fourth Amendment generally prohibits law enforcement from accessing and viewing information stored in a computer without a warrant if it would be prohibited from opening a closed container and examining its contents in the same situation.

Issues:
- Are individual files each considered a “closed container?”
- Relinquishing control to 3rd parties
32 Warrantless Searches
Warrantless searches do not violate the 4th Amendment if:
- Search does not violate “reasonable expectation of privacy”, or
- Falls within an established exception to the warrant requirement (that is, the 4th Amendment exceptions covered previously).
33 Other Warrant Issues
- Multiple Warrants for Network Searches
- No-Knock Warrants
- Sneak-and-Peek Warrants
- Privileged Documents
34 Multiple Warrants for Network Search
- When a computer network is being searched, multiple warrants may be required.
- This is intended to protect the privacy of the other parties that may have data stored on the network.
- A similar situation exists when a single computer has multiple logins which are owned and controlled by different people.
35 No-Knock Warrants
- Unless otherwise noted, warrants must abide by the “knock and announce” rule.
- Some warrants are issued as “no-knock” when:
  - It is reasonable that the suspect may aggressively repel the search
  - The suspect may escape after the officer knocks
  - It is likely that evidence will be destroyed after the officer knocks and announces
- In digital cases, when a “kill switch” is anticipated, it is common to request this type of warrant.

Drug cases also have similar characteristics and often involve no-knock warrant requests.
36 Sneak & Peek Warrants
- The Patriot Act of 2001 provided a new tool called “delayed notice” warrant (aka “sneak & peek”).
- This allows notification of the search to be delayed up to 90 days.
- Under normal circumstances, officers cannot seize evidence; however, judges can allow exceptions.
- For digital forensics, this would allow the officer to secretly make a copy of a computer file found during the secret search.

Standard warrants require the officer to notify the individual(s) being searched prior to the search starting. The sneak & peek rules change the timing of this notification.

Situations where this warrant would be issued include:
- Endangering the life or safety of an individual
- Likely flight from prosecution
- Destruction of evidence
- Intimidation of potential witnesses
- Otherwise seriously jeopardizing an investigation

An important use of this type of warrant is when suspects are using “burner phones” (cheap cell phones that are only used 1 time and then thrown away). By empowering a 3rd party (phone company) to track communications by the parties, they can change phones all they want, but the evidence is still collected.
37 Privileged Documents
- Some documents are not generally available via warrant (and hence are not “discoverable”).
- These are called “privileged documents” and generally fall into the following categories:
  - Attorney-client
  - Doctor-patient
  - Work product content
  - Protected intellectual property

Attorney-client is the only one actually defined in the Federal rules of evidence. The other categories are more from tradition.

Most state jurisdictions have physician-patient privilege rules.

Work product consists of documents that an individual or organization prepares in anticipation of litigation. It is possible for these to become discoverable if (1) it can be demonstrated that facts critical to the case can only be found in the protected documents or (2) if the entity seeking the documents can prove that it places an undue hardship on them to have to get the protected content elsewhere.

Protected intellectual property (e.g., corporate trade secrets) is not protectable by law; however, you can strike a deal with the judge to make the information available for limited review.
38 Subpoenas
- A subpoena is not the same thing as a warrant.
- A subpoena does not give the right to search a person or location.
- Subpoenas do not give the right to seize any material evidence.
- A subpoena can do 2 things:
  - Command a person to appear (in person or with evidence)
  - Command a person or organization to surrender (or allow examination) of specified tangible evidence

There are quite a few rules specific to subpoenas that will be covered in a later lecture.
39 Computer Specific Statutes
- Computer Fraud and Abuse Act of 1986 (18 USC § 1030)
- Child Pornography Protection Act (CPPA)
- Telecommunications Reform Act of 1996
- Federal Wiretap Act
- Stored Communications Act
- Electronic Communication Privacy Act of 1986
- Communications Assistance for Law Enforcement Act (CALEA) of 1994 (amended in 2994 to include cell phones)
- Title III of the Omnibus Crime Control and Safe Streets Act of 1968
- Foreign Intelligence Surveillance Act (FISA) of 1978
- Comprehensive Crime Control Act of 1984
- Privacy Protection Act of 1980
- Digital Millennium Copyright Act (DMCA??)

The intent of this slide is to prepare you for laws and statutes that have been enacted to augment the constitutional protections. These will be covered in a later lecture.