Recovering, Examining and Presenting Computer Forensic Evidence in Court, by Malack Amenya.

1 Recovering, Examining and Presenting Computer Forensic Evidence in Court. By Malack Amenya

2 Introduction. A technological revolution in communications and information exchange has taken place within business, industry, and our homes. In this information technology age, the needs of law enforcement are changing as well.

3 Computer Forensic Science. Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media.

4 Computer forensic science was created to address the specific and articulated needs of law enforcement to make the most of this new form of electronic evidence. With the average storage capacity in a personally owned microcomputer approaching 30 gigabytes

5 and systems readily available that have 60-GB storage capacity or more, it is likely to be impossible from a practical standpoint to completely and exhaustively examine every file stored on a seized computer system.

6 As difficult as it would be to scan a directory of every file on a computer system, it would be equally difficult for law enforcement personnel to read and assimilate the amount of information contained within the files. For example, 12 GB of printed text data would create a stack of paper 24 stories high.

7 Even though the examiner may have the legal right to search every file, time limitations and other judicial constraints may not permit it. The examination in most cases should be limited to only well-identified probative information.

8 Recovering and Discovering Information. It is now black letter law that information generated and stored on computers and in other electronic forms is discoverable.

9 The following steps cover how to collect relevant data, and how to ensure that the data collected can be authenticated and admitted as evidence.

10 1. Send a preservation of evidence letter. Because the information stored on computers changes, it is critical that you put all parties on notice that you will be seeking electronic evidence through discovery.

11 2. Include definitions and instructions. First, use a series of interrogatories to get an overview of the target computer system. Second, all requests for production should make clear that you are requesting electronic documents as well as paper. Finally, if necessary, include a request for inspection so you can examine the computer system first hand and retrieve any relevant data.

12 3. Take a 30(b)(6) deposition. This is the single best tool for finding out the types of electronic information that exist in your opponent's computer systems. Follow the Checklist for System Discovery.

13 4. Collect backup tapes. One of the most fertile sources of evidence is the routine backup created to protect data in case of disaster.

14 5. Collect removable media. Data selectively saved by users to diskettes or other portable media is another fertile, but often overlooked, source of evidence.

15 6. Ask every witness about computer usage. In addition to the discovery directed at the computer system, every witness must be questioned about his or her computer use. Palmtop devices and notebook computers are another good source of evidence.

16 7. Make copies of residual data. Residual data includes deleted files, fragments of deleted files, and other data that is still extant on the disk surface.

17 8. Write-protect and virus check all media. Now that you have obtained the data, what do you do with it? You likely have a mix of image copies, backup tapes, diskettes, CDs, and other media. Before doing anything else, you must maintain the integrity of the media you have received. The two key steps in doing this are write-protection and virus checking.

18 9. Preserve the chain of custody. A chain of custody tracks evidence from its original source to what is offered as evidence in court. A good benchmark is whether the software is used and relied on by law enforcement agencies. Second, the copies made must be capable of independent verification. In short, your opponent and the court must be able to satisfy themselves that your copies are accurate. Third, the copies created must be tamper proof.

19 9. Preserve the chain of custody (cont.). Second, the copies made must be capable of independent verification: your opponent and the court must be able to satisfy themselves that your copies are accurate. Third, the copies created must be tamper proof.

20 Examining Computer Evidence. The challenge to computer forensic science is to develop methods and techniques that provide valid and reliable results while protecting the real evidence, the information, from harm.

21 Examining Computer Evidence. Creating the copy and ensuring that it is true and accurate involves a subset of the principle, that is, policy and practice. Each agency and examiner must make a decision as to how to implement this principle on a case-by-case basis.

22 Authentication of Digital Evidence. Authentication is the process by which the reliability of evidence is established. The party leading the evidence in court must show that it has not been altered since it was collected and that the location, date, and time of collection can be proven. That is accomplished using standardized evidence-handling procedures and chain-of-custody records and relies primarily on physical security measures.
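As an added example, not part of the presentation, the following shows one way to meet the requirements of slides 18, 19 and 22: copies that an opponent can independently verify, and a custody record that reveals any later alteration. It assumes cryptographic hashing (SHA-256) as the verification method, which the slides do not name, and uses constructed sample image bytes and custodian names.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired image file (not a real disk image).
SAMPLE_IMAGE = b"constructed-image: MBR|part1|file.doc|slack-space..." * 8

def image_digest(data: bytes) -> str:
    """SHA-256 of the image copy; anyone holding the copy can recompute it."""
    return hashlib.sha256(data).hexdigest()

def _record_hash(record: dict) -> str:
    """Hash of every field except the record's own hash, in canonical JSON."""
    body = {k: v for k, v in record.items() if k != "record_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_custody_record(log: list, action: str, custodian: str, location: str,
                       data: bytes, when: str = "") -> dict:
    """Append a record that commits to the image hash and the previous record."""
    record = {
        "seq": len(log),
        "prev_record_hash": log[-1]["record_hash"] if log else None,
        "action": action,
        "custodian": custodian,
        "location": location,           # where the transfer or exam happened
        "time": when or datetime.now(timezone.utc).isoformat(),
        "image_sha256": image_digest(data),
    }
    record["record_hash"] = _record_hash(record)
    log.append(record)
    return record

def verify_custody(log: list, data: bytes) -> tuple:
    """Check an opposing party can repeat: records intact and correctly linked,
    and the image presented now matches the hash recorded at acquisition."""
    if not log:
        return False, "empty custody log"
    acquired = log[0]["image_sha256"]
    for i, rec in enumerate(log):
        expected_prev = log[i - 1]["record_hash"] if i else None
        if rec["seq"] != i or rec["prev_record_hash"] != expected_prev:
            return False, f"record {i} is out of sequence or relinked"
        if _record_hash(rec) != rec["record_hash"]:
            return False, f"record {i} was altered after it was written"
        if rec["image_sha256"] != acquired:
            return False, f"record {i} refers to a different image"
    if image_digest(data) != acquired:
        return False, "image presented does not match the acquisition hash"
    return True, "chain intact and image unaltered since acquisition"
```

The log is tamper-evident rather than tamper-proof: someone holding the whole log could rewrite every record consistently, so the acquisition hash should also be recorded on a signed, dated form or witnessed by a second custodian, in line with the physical security measures slide 22 relies on.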

23 Information-Assurance Services. The Information Assurance Technical Framework (National Security Agency 2002) captures information-assurance guidance reflecting the state of practice in the U.S. Department of Defense, federal government, and industry information-assurance community.

24 It describes five primary security services relevant to information and information processing systems: access control, confidentiality, integrity, availability, and non-repudiation.

25 Daubert Compliance. The Daubert ruling (Daubert 1993) requires the trial judge to make an assessment of whether a methodology or technique invoked by expert testimony is scientifically valid and whether the methodology can be applied to the facts in issue.

26 The ruling provides the following five example considerations to aid the judge in making that assessment:
- Whether the technique can be and has been tested
- Whether the technique has been subjected to peer review and publication
- Known or potential rate of error
- Existence and maintenance of standards controlling the technique
- General acceptance in the relevant scientific community

27 Presenting evidence in court. When collecting computer data for evidentiary purposes, a party has a duty to utilize the method which would yield the most complete and accurate results. Gates Rubber Co. v. Bando Chemical Indus. Ltd., 167 F.R.D. 90, 112 (D. Colo. 1996). In Gates, the court criticized the plaintiff for failing to make image copies and for failing to properly preserve undeleted files.

28 Zubulake V (July 20, 2004). The contents of the backup tapes restored by UBS demonstrated that certain UBS employees had deleted email after being advised of their duty to preserve the evidence. Since Zubulake could now show that the destruction was willful and it was likely the destroyed emails would have been beneficial to her case, the Court granted an adverse inference jury instruction. Additionally, since it took UBS almost two years to produce the relevant and requested emails from the backup tapes, it was ordered to pay Zubulake's costs related to re-deposing any relevant witnesses. Even though the Court acknowledged that UBS's attorneys generally fulfilled their duty to communicate with their client on its duty to preserve and produce data, it noted certain key shortcomings, one of which was the attorneys' failure to communicate with the client's information technology personnel.
In a postscript to this July 2004 opinion, Judge Scheindlin discusses how rapidly the body of case law on discovery of electronic information has evolved in the little over two years that this case has been pending. All parties and their counsel are fully on notice of their responsibility to preserve and produce electronically stored information.

29 See more sample cases at http://www.geocities.com/nyaurakisii/amenya

30 Conclusion. Challenges of computer forensics:
- being able to demonstrate the authenticity of the evidence
- integrity and security of data are also an issue in my courts
- acceptance of computer technology (judges, jury etc.)
- establishing the chain of custody
Why computer crime is hard to prosecute:
- lack of understanding
- lack of physical evidence
- lack of political impact
- complexity of cases
- juvenile offenders

31 The end
