1 Lecture 3 Digital Evidence in the Courtroom Prof. Shamik Sengupta Office 4210N Fall 2010.


1 Lecture 3: Digital Evidence in the Courtroom
Prof. Shamik Sengupta, Office 4210N
ssengupta@jjay.cuny.edu
http://jjcweb.jjay.cuny.edu/ssengupta/
Fall 2010

2 Influence of Criminal Behavior from Computer and Internet
 History of the Internet
  – ARPA project in 1969
  – To create a mechanism for ensured communication between military installations
  – Today’s Internet
    – Both synchronous and asynchronous international person-to-person communication between private individuals
    – Beginning of a pervasive form of social-global connectedness
    – Venues for trade and commerce in a digital-international marketplace
 The Internet is analogous to the Wild West, where the law is mostly unwritten and power falls into the hands of those with the best technology
  – Biegel S. (2003). Beyond Our Control: Confronting the Limits of Our Legal System in the Age of Cyberspace. Cambridge, MA: MIT Press

3 Influence of Criminal Behavior from Computer and Internet (Continued)
 The Internet is where the money is
  – Over one trillion dollars moved electronically each week
  – The rates of cybercrime are skyrocketing
  – The annual “take” by theft-oriented cybercriminals is estimated as high as $100 billion, and 97% of offenses go undetected
    – Bennett, W. & K. Hess (2001). Criminal Investigation. Belmont, CA: Wadsworth
  – The real cost?
    – Organized crime, terrorism, embezzlement, and countless ways to offend using computers and the Internet
 Computers and the Internet are no different from other technologies adapted by the criminal
  – Often computers and Internet technologies merely add a new dimension to existing crime rather than introducing new types of crimes and criminals
  – “The computer has just given fraud another dimension.”
    – McPherson T. (2003). Sherlock Holmes’ modern followers, The Advertiser, May 31.

4 Modus Operandi
 Latin term, “a method of operating”
  – How criminals commit their crimes
  – vs. motive: why they commit their crimes
 An offender’s MO often serves the following purposes
  – Protects the offender’s identity
  – Ensures the successful completion of the crime
  – Facilitates the offender’s escape
 Examples
  – Notes for planning, victim information, etc.
  – Hardware, software systems
  – Use of aliases, …

5 Technology & Modus Operandi
 Technology has long shared a relationship with criminal behavior
  – Paper & pencils, the postal system, telephone, fax machines, e-mails, web sites, …
 Criminals can borrow from existing technology to enhance their current MO to achieve their goals
  – Skilled and motivated criminals even develop new technology
 End result: a spin on an existing form of criminal behavior
 From the criminal’s perspective
  – Relationship between the advancement of crime detection technologies in forensic science and a criminal’s knowledge of them

6 Motive & Technology
 Motive
  – Emotional, psychological or material need that impels, and is satisfied by, a behavior
  – Turvey B. (2002) Criminal Profiling: An Introduction to Behavioral Evidence Analysis, 2nd edition, London: Academic Press
 Classifying offenders by their behavior (by Turvey B.)
  – Power Reassurance
  – Power Assertive
  – Anger Retaliatory
  – Sadistic
  – Opportunistic
  – Profit oriented
 Examples from the text book of how criminals engage and adapt computer and Internet technology
  – A computer virus, public e-mail discussion list

7 Legal Issues: Broad
 Legal Issues
  – Investigatory needs vs. the right to privacy
  – What constitutes computer crime?
  – Fourth Amendment to the U.S. Constitution
  – Fifth Amendment to the U.S. Constitution
  – Jurisdiction:
    – Who cares?
    – Who prosecutes?
  – Admissibility of evidence in court
  – Chain of custody issues
  – Search warrant laws
  – Wiretap laws
  – Digital Millennium Copyright Act (DMCA)
  – Patriot Act

8 Privacy
 Fourth Amendment
  – The Fourth Amendment of the United States Constitution governs all searches and seizures conducted by government agents
  – Government is not allowed unreasonable search and seizure of property
  – Does not apply to individuals (e.g., corporations!) performing the investigation!
  – Complicated: the court tries to balance privacy and the need to control crime
    – The individual must reasonably expect privacy in whatever scenario is being evaluated
    – Society must believe the expectation of privacy is reasonable
 Examples:
  – Random stops on the highway: OK. Primarily to ensure highway safety, not to investigate crime
  – Use of a phone booth
    – When the door is shut, there is a reasonable expectation of privacy
    – Can’t snoop without appropriate court orders
    – Can’t place a microphone on the outside of the phone booth

9 Fourth Amendment
 Fourth Amendment + Computers
 From: http://www.usdoj.gov/criminal/cybercrime/s&smanual2009.pdf
  – Reasonable Expectation of Privacy in Computers as Storage Devices: To determine whether an individual has a reasonable expectation of privacy in information stored in a computer, it helps to treat the computer like a closed container such as a briefcase or file cabinet. The Fourth Amendment generally prohibits law enforcement from accessing and viewing information stored in a computer without a warrant if it would be prohibited from opening a closed container and examining its contents in the same situation.

10 Fourth Amendment (Continued)
 Computer
 A 3rd party may render 4th Amendment rights void
 Example:
  – Getting a computer fixed, the technician discovers something illegal and turns you over to the police

11 Fourth Amendment (Continued)
 Bottom line: if you’re law enforcement, all this matters
 Otherwise, the Fourth Amendment doesn’t even apply
 Doesn’t mean that you can hack into whatever you wish without worry…
 An individual’s or corporation’s right to search is governed by other laws

12 Fifth Amendment
 ‘No person shall be compelled in any criminal case to be a witness against himself’
  – Protection against self-incrimination in giving testimony
 The USSC has narrowed the privilege so that it applies if the act of producing papers or records has a self-incriminatory ‘communicative’ or ‘testimonial’ aspect
  – If the act of handing over the papers is non-communicative (if it neither reveals the existence of the document nor authenticates it), then the Fifth Amendment does not apply
 Never applies to corporations
 Never applies to corporate records
 Once a document is given to another, Fourth and Fifth Amendment protection is lost

13 Fifth Amendment (Continued)
 Cannot use the Fifth Amendment to avoid testifying against another individual (e.g., friend, spouse)
  – Obstruction of justice
 Encryption keys on shaky ground in the US
  – Modern cryptography can make it virtually impossible to decipher documents without the cryptographic key, thus making the availability of the contents of those documents depend on the availability of the key
 The key itself does not incriminate you… the material it PROTECTS may incriminate you

14 Fifth Amendment (Continued)
 If the key is written down, you must present it
 If it’s memorized, you may be protected from revealing it (in the United States)
  – Different story in other nations
 Recent case
  – Does the Fifth Amendment Protect the Refusal to Reveal Computer Passwords? In a Dubious Ruling, A Vermont Magistrate Judge Says Yes
  – http://writ.news.findlaw.com/colb/20080204.html

15 Admissibility of Evidence
 Chain of custody must be thoroughly recorded
 Any person in the chain might be called to testify that the evidence was not modified or subjected to contamination
 Older: Frye test
  – Is the technique generally accepted in its particular scientific community?
  – In the early 1920s, a man named James Frye was found guilty of murder on the basis of a new lie-detector test based on the theory that when a person lied, the systolic blood pressure would be elevated
  – In 1923, the Washington D.C. appeals court ruled that before a new scientific principle or discovery could be used as evidence in a court of law, it "must be sufficiently established to have gained general acceptance in the particular field in which it belongs."
  – The court ruled that the blood-pressure test had not gained such acceptance, and so Frye’s conviction was reversed
  – Courts are free to accept evidence that has not passed the Frye test, but such acceptance is more easily appealable

16 Admissibility of Evidence (Continued)
 The Frye test was used by the majority of US federal courts for over 70 years
  – Came under increasing attack since the 80’s
  – Poor at separating any new or novel scientific or technological procedure
 Newer: Daubert test (from the Supreme Court in Daubert)
  – (e.g., see: http://www.skepticreport.com/mystics/dauberttest.htm)
  – The Federal rule sets the courts up as “gatekeepers” to ensure that only opinions that are backed by a consistent methodology are allowed before the jury
  – A witness qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise, if:
    – the testimony is based upon sufficient facts or data,
    – the testimony is the product of reliable principles and methods, and
    – the witness has applied the principles and methods reliably to the facts of the case

17 Daubert (Continued)
 Factors that should be used by the courts in evaluating any proposed expert testimony
  – Whether the theory or technique has been scientifically tested
  – Whether the theory or technique has been subject to peer review or publication
  – The expected error rate of the technique used
  – Acceptance of the theory or technique in the relevant scientific community
 While the Daubert test is certainly more liberal than the older Frye standard, it still allows the exclusion of testimony where the court is convinced that the method used to support the opinion is simply too poorly designed to be trustworthy

18 Daubert (Continued)
 Since the Daubert decision was handed down, the Federal courts have identified a number of additional factors which have been useful in examining the reliability of expert opinion
 Other factors (from the commentary of the 2003 version of the Federal Rules of Evidence regarding Rule 702):
  – Is the expert testifying about something that comes out of their research directly, or have they developed opinions specifically for purposes of testifying?
  – Has the expert unjustifiably extrapolated from an accepted premise to an unfounded conclusion?
  – Has the expert adequately accounted for obvious alternative explanations?
  – Is the field of expertise claimed by the expert known for reliable results for the type of opinion the expert would give?

19 Privacy-Protecting Laws
 Federal Wiretap Act
  – Covers interception of voice and electronic communications “on-the-wire”
  – Generally illegal to intercept electronic communication, except in certain circumstances, among those on the following slide

20 Privacy-Protecting Laws (Continued)
 Provider exception
  – Can perform limited monitoring to protect the rights and property of a system under attack
 Consent exception
  – Permission to monitor
 Provider exception
  – Switchboard operator may overhear during call transfers
  – Line technician may overhear during repairs to phone lines
 Court order

21 Privacy-Protecting Laws (Continued)
 Electronic Communications Privacy Act (ECPA)
  – Covers access to stored voice and digital communications
  – Covers what can be disclosed to law enforcement
  – Question: Are communication services provided to the public?
    – e.g., AOL (yes): Restrictions with some exceptions:
      – Does the provider believe that an emergency involving death or serious physical harm may result otherwise?
      – Consent?
      – Contents of communication inadvertently acquired, evidence of a crime?
      – Can disclose non-content (e.g., logs of activity) to anyone not involved in government
    – e.g., corporate, university (no): No restrictions on what can be disclosed to law enforcement
 Pen/Trap Statute of 18 U.S.C. 3121-27
  – Covers real-time collection of addressing information (e.g., packet headers, phone numbers), not the contents of the communication
  – Rules more liberal than for wiretap

22 Access to Evidence for Law Enforcement
 Preservation of Evidence letter
  – Letter from the government asking that evidence not be erased as a matter of normal administrative procedures
  – e.g., to AOL: “Please don’t delete logs related to…”
  – Lasts for 90 days
 To get name, address, session info (e.g., when the user logged in, etc.)
  – Subpoena
 Stored files
  – Court order
 Stored files containing electronic communications
  – Search warrant
  – For e-mail that has been read, court order
 Difficulty level:
  – Letter < subpoena < court order < search warrant

23 Patriot Act
 So things weren’t complicated enough?
 Hundreds of pages, complicated for non-lawyers
 Much analysis of the Patriot Act is skewed
  – “it’s a threat to our very lives” vs. “it’s a wonderful anti-terrorism tool”
 Still, many citizens are not happy
 Basics:
  – significantly erodes requirements for law enforcement to show probable cause for warrants and wiretap orders
  – removes requirements to notify parties of a search warrant being served
    – e.g., police may be able to enter a residence without informing the party until later

24 DMCA
 Digital Millennium Copyright Act
 Summary here:
  – http://www.copyright.gov/legislation/dmca.pdf
 Expands copyright law
 Makes reverse engineering illegal in many circumstances
 Illegal in many circumstances to defeat access controls or anti-copying techniques
 Example: Buy a DVD; making a copy of the DVD involves defeating the copy protection scheme, thus illegal
 “Encryption research” exceptions
  – So vague that if you do some “encryption research” and release the results, you should be very careful
  – “research” vs. distribution of copy protection circumvention techniques
  – Research paper documenting circumvention with lots of technical explanation vs. a program that performs circumvention

25 Some Thoughts on Privacy
 Current concentration: forced disclosure of encryption keys
 “Security Against Compelled Disclosure”
  – I. Brown, B. Laurie, 16th Annual Computer Security Applications Conference (ACSAC’00)
 Issues:
  – Agents that may want info to be disclosed:
    – Court may order information to be turned over
      – e.g., in the pre-trial “discovery” phase, where parties examine evidence held by the other to discover the strength of the case for and against
      – Failure to provide info in intelligible form may result in contempt of court (jail)
    – Government agencies
    – Organized crime

26 Digital Evidence in the Courtroom
 Evidence must meet certain standards to be admitted
  – The proof that evidence is authentic and has not been tampered with becomes essential
 Rules to evaluate evidence worldwide
  – US Federal Rules of Evidence
  – UK Police and Criminal Evidence Act (PACE)
  – …
 Maintaining and documenting the chain of custody of evidence is the most important aspect of authentication

27 Admissibility
 Requirements for admissibility of digital evidence
  – Obtained properly
  – Handled properly
 Digital evidence should be obtained with proper authorization
  – Generally, a warrant is required to search for and seize evidence
  – Digital evidence gained without authorization cannot be admitted to the court
  – Common mistake among many agents in the field
 Exceptions
  – Plain view
  – Consent
  – Exigency

28 Exceptions
 If investigators see evidence in plain view, they can seize it provided they obtained access to the area validly
 By obtaining consent to search, investigators can perform a search without a warrant
  – Apply the rule with care!
 A warrantless search can be made for any life-threatening emergency case

29 When Searching and Seizing Digital Evidence
 Always consider Fourth Amendment and/or ECPA regulations
 ECPA prohibits anyone from unlawfully accessing or intercepting electronic communications
  – 4th Amendment only applies to the government
  – ECPA is the only federal act that specifically addresses interception of e-mail
  – The law makes it a federal crime to intentionally or willfully intercept, access, disclose or use another’s wire, oral or electronic communications (e-mail falls into this category)
  – ECPA does not establish a right to privacy of e-mail communications in the workplace
    – Under its Employer Provider Exception, an employer can justify interceptions made in the ordinary course of business that either
      – were necessary to the rendition of the service, or
      – were necessary to protect its rights or property
    – Employer can argue that monitoring is needed for quality control checks!
 For law enforcement officers to search and seize
  – Have to get a warrant with probable cause and details of the place to be searched or things to be seized

30 To get a warrant
 You have to convince a judge that
  – A crime has been committed
  – Evidence of the crime is in existence
  – The evidence is likely to exist at the place to be searched
 After you get a warrant, maintain focus on the crime under investigation
  – Once unrelated evidence is found, obtain another search warrant for that crime
  – Case examples
    – US v. Gray 1999
    – Wisconsin v. Schroeder

31 Authenticity and Reliability
 Once you’ve shown proper acquisition of digital evidence, the next step is proving its authenticity and reliability
 Authentication means satisfying the court that
  – The contents of the record have remained unchanged
  – The information in the record does in fact originate from its purported source (human or machine)
  – Extraneous information is accurate
    – Ex) apparent date of the record
  – Sommer P., “Downloads, Logs and Captures: Evidence from Cyberspace”, Journal of Financial Crime, October 1997
    – http://64.233.167.104/search?q=cache:T0eog1lMG7UJ:isig.lse.ac.uk/pdf/PeterSommerFullCV.pdf+Downloads,+Logs+and+Captures:+Evidence+from+Cyberspace+Journal+of+Financial+Crime&hl=en

32 Authenticity
 Authentication is a two-step process
  – Initial examination of the evidence to determine that it is what its proponent claims
  – Closer analysis to determine its probative value
 Problem: digital evidence is mutable
  – An intruder might add/remove/modify log entries
  – They might compromise system components that maintain the logs
  – You might modify something during your investigation
  – Ex) IRC logs, …

33 Authenticity (Continued)
 Another problem: the increasing variety and complexity of computer systems
 US and UK courts have accepted the testimony of individuals who are familiar with the operation of computer systems
  – Case example
    – Missouri v. Dunn, Appeals Court, Western District of Missouri, Case number 56028
    – http://www.missourilawyersweekly.com/mocoa/56028.htm

34 Reliability
 Once digital evidence is admitted, its reliability is assessed to determine its probative value
 It will either reduce or increase the amount of weight assigned to the evidence
 Previously, defense lawyers had argued that digital evidence is untrustworthy simply because there was a theoretical possibility of alteration and fabrication
 However, as judges become more familiar with digital evidence, they are requiring evidence to support claims of untrustworthiness

35 Reliability (Continued)
 Notes from the US Department of Justice, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations
  – Absent specific evidence that tampering occurred, the mere possibility of tampering does not affect the authenticity of a computer record (US v. Bonallo)
  – “The fact that it is possible to alter data contained in a computer is plainly insufficient to establish untrustworthiness” (US v. Glasser)
  – Notably, once a minimum standard of trustworthiness has been established, questions as to the accuracy of computer records “resulting from … the operation of the computer program” affect only the weight of the evidence, not its admissibility (US v. Catabran)

36 Best Evidence
 Best evidence rule
  – Copies become acceptable in place of the original, unless “a genuine question is raised as to the authenticity of the original or the accuracy of the copy or under the circumstances it would be unfair to admit the copy in lieu of the original”
 In the digital evidence realm,
  – A copy is generally accepted since an exact duplicate of most forms can be made
  – Presenting a copy is even desirable since it can avoid the risk of accidental alteration of the original
  – Paper printouts of a digital document may be considered equivalent to the original unless important portions of the original are not visible in printed form
    – Ex) Printed Microsoft Word document (without embedded notes and edits)
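As an added example (not from the lecture or from any of the sources it cites), the following Python shows the two checks these slides describe in practice: that a working copy is an exact duplicate of the acquired original, so it can stand in for the original under the best evidence rule (slide 36), and that the record of who handled the evidence and when cannot be silently edited or trimmed, which is the audit-trail and "contents have remained unchanged" requirement of slides 31, 32 and 43. SHA-256 as the digest, the JSON entry layout, the hypothetical examiner names and the constructed image bytes are all assumptions; a real acquisition would hash the output of a validated imaging tool behind a write-blocker and keep the log on separate, access-controlled storage.

```python
"""Evidence integrity and chain-of-custody audit trail (added example).

Assumptions, not from the lecture: SHA-256 as the digest, JSON-serialised
log entries, and constructed sample bytes standing in for a disk image.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # prev-pointer of the first log entry


def sha256_hex(data: bytes) -> str:
    """Digest recorded at acquisition and recomputed whenever the copy is checked."""
    return hashlib.sha256(data).hexdigest()


def verify_copy(acquisition_hash: str, copy: bytes) -> bool:
    """Best-evidence check: a copy is acceptable only if it is bit-identical
    to the original, which the matching digest demonstrates."""
    return sha256_hex(copy) == acquisition_hash


def _entry_digest(body: Dict) -> str:
    # canonical serialisation (sorted keys) so the digest is reproducible
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


@dataclass
class CustodyLog:
    """Append-only chain-of-custody log. Every entry commits to the digest of
    the entry before it, so editing, inserting or dropping an entry after the
    fact breaks the chain at that point and verify() reports it."""
    entries: List[Dict] = field(default_factory=list)

    def record(self, actor: str, action: str, evidence_hash: str, when: str) -> Dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "time": when, "actor": actor,
                "action": action, "evidence_hash": evidence_hash, "prev": prev}
        body["entry_hash"] = _entry_digest(body)
        self.entries.append(body)
        return body

    def verify(self) -> Tuple[bool, int]:
        """Walk the chain, recomputing each digest and checking each prev
        pointer and sequence number. Returns (ok, index of first bad entry or -1)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e.get("prev") != prev or e.get("seq") != i:
                return False, i
            if _entry_digest(body) != e.get("entry_hash"):
                return False, i
            prev = e["entry_hash"]
        return True, -1


def demo() -> Dict:
    """Acquire, copy, hand over, then show what each check reports when the
    copy or the log is altered. All data below is constructed."""
    original = b"\x00" * 512 + b"CONSTRUCTED SAMPLE IMAGE" + b"\xff" * 512
    acq_hash = sha256_hex(original)

    log = CustodyLog()
    log.record("examiner A (hypothetical)", "acquired image, digest recorded",
               acq_hash, "2010-09-01T10:00:00Z")
    working = bytes(original)  # exact duplicate, as an imaging tool would produce
    log.record("examiner A (hypothetical)", "made working copy, digest verified",
               sha256_hex(working), "2010-09-01T10:30:00Z")
    log.record("examiner B (hypothetical)", "received working copy for analysis",
               sha256_hex(working), "2010-09-02T09:00:00Z")

    # a copy with a single byte changed: same length, different digest
    altered = original[:600] + b"X" + original[601:]

    result = {
        "copy_ok": verify_copy(acq_hash, working),
        "altered_ok": verify_copy(acq_hash, altered),
        "log_ok": log.verify(),
    }
    # after-the-fact edit of one entry: the recomputed digest no longer matches
    log.entries[1]["actor"] = "someone else"
    result["tampered_log"] = log.verify()
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points matter for the courtroom argument on slides 34 and 35. First, a bare list of digests only proves what the examiner chose to write down; chaining each entry to the previous one means a challenger must explain how a later entry could exist unchanged if an earlier one had been altered, which turns "it could have been modified" into a claim that needs specific evidence. Second, the acquisition digest is recorded before any copy is made, so every later comparison is against a value fixed at seizure rather than against whatever the examiner currently holds.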

37 Direct vs. Circumstantial Evidence
 Direct evidence establishes a fact
 Circumstantial evidence may suggest a fact
 Then, what about digital evidence?
  – Ex) Computer log-on record: direct or circumstantial?
 Sometimes strong circumstantial evidence is as good as direct evidence
  – Given enough circumstantial evidence, the court may not require direct evidence to convict an individual of a crime

38 Hearsay
 “Evidence is hearsay where a statement in court repeats a statement made out of court in order to prove the truth of the content of the out-of-court statement”
 Digital evidence might not be admitted if it contains hearsay because the speaker of the evidence is not present in court to verify its truthfulness
  – Case example
    – North Dakota v. Froistad
    – Investigators needed a confession or other evidence to prove he killed his daughter as described in e-mail messages to one of the Internet chat boards

39 Hearsay (Continued)
 Proving that someone distributed materials online is challenging and generally requires multiple data points that enable the court to connect the dots back to the defendant beyond a reasonable doubt
 But there are several exceptions to accommodate evidence that portrays events quite accurately and that is easier to verify than other forms of hearsay
  – Hearsay exceptions

40 Hearsay Exceptions
 Records of regularly conducted activity are not excluded by the hearsay rule
  – By the US Federal Rules of Evidence
 Computer-generated vs. computer-stored digital evidence (USDOJ 2002)
  – Whether a person or a machine created the record’s content
  – Computer-generated: machine
    – Computer-generated records contain the output of a computer program, so they do not contain human “statements”
    – The issue is whether the computer program that generated the record was functioning properly (an authentication question), not whether a human’s out-of-court statement was truthful and accurate (a hearsay question)
    – Ex) Log-in records from an ISP, telephone records, ATM receipts
  – Computer-stored: human
    – Must comply with the hearsay rule
    – Ex) E-mail messages, word processing files, Internet chat room messages

41 Scientific Evidence
 Tools and techniques used to process digital evidence have been challenged as well
  – Courts are careful to assess the validity of a scientific process before accepting its result, due to the power of science to persuade
  – A questionable scientific process may influence either the admissibility or the weight of the evidence
 In the US, the Daubert test is used to evaluate a scientific process
  – Whether the theory or technique can be (and has been) tested
    – Ex) Formal testing is performed by NIST
  – Whether there is a high known or potential rate of error, and the existence and maintenance of standards controlling the technique’s operation
  – Whether the theory or technique has been subjected to peer review and publication
  – Whether the theory or technique enjoys “general acceptance” within the relevant scientific community

42 Presenting Digital Evidence
 Preparation, preparation and preparation!
  – It is not sufficient to merely have the technical skills to locate evidence on computer media
  – Recover the evidence and maintain a strict chain of custody to ensure that the evidence is preserved in its original form
  – Document, document and document!
  – Be familiar with all aspects of the case
  – Anticipate questions, rehearse answers, and prepare a visual presentation to address important issues
 Target audience is non-technical people
  – When you present findings, it is necessary to explain how the evidence was handled and analyzed
  – Using simple diagrams depicting the above processes is very effective
  – Demonstrate the chain of custody and thoroughness of methods in a clear, well-documented manner
  – Good to have conclusions stated early in testimony
    – There is a risk that the opportunity will not arise later

43 Principles for Handling Digital Evidence
1. No action taken by police or agents should change data held on a computer or media that may subsequently be relied on in court
2. Investigators must be competent and able to explain the consequences of their actions
3. An audit trail should be created and preserved
4. The officer in charge of the case is responsible for the law and these principles being adhered to
http://www.nhtcu.org/images/ACPO%20Guide%20v3.0.pdf

44 Some thoughts from the NIJ Guide
 Computers and other digital media are increasingly important sources of evidence in criminal investigations
  – The challenge for investigators in the courtroom “is the demonstration that the particular electronic media contained the incriminating evidence”
 Because digital data is easily altered and it is difficult to distinguish between original data and copies
  – extracting, securing and documenting digital evidence requires special attention
  – Police, prosecutors, lawyers and judges are becoming more sophisticated

45 Some thoughts from the NIJ Guide (Continued)
 General principles for handling digital evidence
  – The process of collecting digital evidence should not alter it or raise questions about its integrity
  – Examination of digital evidence should be done by trained personnel
  – All actions in processing the evidence should be documented and preserved for review
  – Examination should be conducted on a copy of the original evidence (the original should be preserved intact)

