Computer Forensics BACS 371


Computer Forensics BACS 371 Basic Law Terms and Concepts

Introduction
The legal system in the United States has a long history. It is based on Old English Common Law, but has evolved into a uniquely complex system. This system has many terms and concepts that require explanation to ensure that computer forensic professionals do not make mistakes that jeopardize cases.

Definition of Crime
A crime is an offensive act against society that violates a law and is punishable by the government. Two important principles in this definition:
- The act must violate at least one current criminal law.
- It is the government (not the victim) that punishes the violator.
Given this, until a law exists addressing an action, there is no “crime” in doing it. This gives the first perpetrator a “free pass” to do it at least once (unfortunately). If individuals did the punishing, that would be illegal in and of itself.

Criminal Statutes
Criminal laws are defined in rules called “criminal statutes.” All criminal statutes define crimes in terms of what are known as the “elements” of the offense. These include:
- Required acts
- A required state of mind (“intent”)
The prosecutor tries to persuade the judge and/or jury that the person charged with the crime (the “defendant”):
- Did the acts
- Had the intent described in the statute
Because of this, it is possible to actually commit the illegal act but not be found guilty, because the mental state of intent was missing.

Cybercrime Statutes and Acts
Generally, laws and statutes lag behind the “latest trends” in cyber crime. Given that an act isn’t a crime until a law exists, this means that many cyber exploits are allowed to happen at least once free of punishment. Once a law exists, it is still a challenge for the statute to keep up with new cyber crime trends and abuses.

Crime Categories and Sentencing
Crimes are divided into two broad categories:
- Felonies: serious crimes punishable by fine and more than one year in prison.
- Misdemeanors: lesser crimes punishable by fine and less than one year in prison.
Sentencing guidelines give directions for sentencing defendants to ensure consistency. Tougher sentencing guidelines for computer crimes came into effect in 2003. Since then these have been tested and fine-tuned to a certain extent. Now, certain types of computer crime can result in a life sentence. When computer-based crimes first became common, there were no directly applicable laws; consequently, existing laws had to be employed to prosecute. This resulted in inconsistent and often unfairly light punishment for serious criminal activity.

Cyber Crime Categories
The terms computer crime, cyber crime, information crime, and high-tech crime are generally used interchangeably. Two categories of offenses involve computers:
- Computer as instrument: the computer is used to commit the crime.
- Computer as target: the computer or its data is the target of the crime.
In some cases, the computer can be both the target and the instrument. Note that just because a computer is involved, it is not necessarily a “computer crime”. For example, using a telephone (which is hooked up to a computer) to commit a crime does not make it a “computer crime”.

Investigation Types
There are 3 different types of investigations:
- Internal Investigation: generally kept secret (initially)
- Civil Investigation: between individuals
- Criminal Investigation: between government and individual
Investigations have multiple stakeholders. Court-based cases have:
- Plaintiff: entity that brings the charges
- Defendant: entity that is charged
- Lawyers (usually) and Judges

Civil vs. Criminal Charges
There are 2 major categories of charges: civil and criminal. Each has its own system of courts and procedures.
- Civil charges are brought by a person or company. Parties must show proof that they are entitled to evidence.
- Criminal charges can be brought only by the government. Law enforcement agencies have authority to seize evidence. Penalties are generally more severe and can include loss of liberty and/or life.
The distinction between a civil and a criminal violation is not always clear. It is possible to be tried in both court systems (ex: OJ Simpson trial).

Comparing Criminal and Civil Laws
Objective
  Criminal law: To protect society’s interests by defining offenses against the public
  Civil law: To allow an injured private party to bring a lawsuit for the injury
Purpose
  Criminal law: To deter crime and punish criminals
  Civil law: To deter injuries and compensate the injured party
Wrongful act
  Criminal law: Violates a statute
  Civil law: Causes harm to an individual, group of people, or legal entity
Who brings charges against an offender
  Criminal law: A local, state, or federal government body
  Civil law: A private party (a person, company, or group of people)
Deals with
  Criminal law: Criminal violations
  Civil law: Noncriminal injuries
Authority to search for and seize evidence
  Criminal law: More immediate; law agencies have power to seize information and issue subpoenas or search warrants
  Civil law: Parties need to show proof that they are entitled to evidence
Burden of proof
  Criminal law: Beyond a reasonable doubt
  Civil law: Preponderance of the evidence
Principal types of penalties or punishment
  Criminal law: Capital punishment, fines, or imprisonment
  Civil law: Monetary damages paid to victims or some equitable relief

Evidence Basics
Evidence is proof of a fact about what did or did not happen. To be legally admissible, evidence must be reliable and relevant. At a minimum, to be admissible, evidence requires legal search and seizure along with a valid chain of custody. Three types of evidence can be used in legal proceedings:
- Testimony of a witness: based on your 5 senses
- Physical evidence: anything tangible
- Electronic evidence (e-evidence): digital evidence which, by its nature, is intangible
Note that “search” and “seizure” are two separate things.

Evidence Basics
Testimony of a witness is traditionally considered the “best” form of evidence (even though there are documented problems with this type of evidence). Physical and electronic evidence are “circumstantial” evidence. Circumstantial evidence is not a direct statement from an eyewitness or participant. It can be admissible and can be quite strong. Many cases are decided strictly based on this type of evidence. All e-evidence is, by its nature, circumstantial evidence. Both cyber crimes and traditional crimes can leave cybertrails of evidence. Treating witness testimony as the “best” evidence is a holdover from Old English Common Law. This is despite the fact that eyewitness reports often misstate the actual facts and circumstances. Basically, we tend to see what we expect to see and ignore the rest.

Evidence vs. Testimony
Arguments by attorneys, comments by judges, and witnesses’ answers to questions are not evidence. Maps, models, simulations, or other materials used to demonstrate and explain matters also are not evidence. Each of these is testimony which, based on the ruling of a judge, may be allowed as evidence. It is a subtle, but important distinction.

Use of Evidence
As stated previously, testimony is not automatically evidence, but may be admissible and allowed as evidence. The job of the lawyer is to put evidence together into a crime hypothesis that makes sense to the judge and/or jury. Evidence that:
- Supports the hypothesis = inculpatory
- Contradicts the hypothesis = exculpatory
As a forensic analyst, you are objective and collect both types of evidence. In other words, you do not ignore any evidence even if it destroys the hypothesis.

Forensic Use of E-Evidence
Federal rules of evidence state that accurate copies of electronic data are “originals.” What this means to forensic investigators is that an exact copy of electronic evidence can be analyzed and processed as if it were the original copy. This is important because it means that the “best evidence rule” can be applied to e-evidence. Without this exception, analysts would be required to bring the physical computer into the courtroom to admit something as simple as an email into evidence. The “Best Evidence Rule” states that in order to “prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required…”. Allowing accurate duplicates to be classified as originals makes modern digital forensics possible.

Evidence Terms & Concepts
- Admissible evidence: evidence allowed to be presented at trial. Must be authenticated.
- Inadmissible evidence: evidence that cannot be presented at trial.
- Material evidence: evidence relevant and significant to the legal action.
- Immaterial evidence: evidence that is not relevant or significant to the legal action.
Evidence is only admissible if it is allowed into testimony by a judge. There are many factors that come into play in this decision, not the least of which is whether it was collected legally. Consequently, the forensic analyst should take extra precautions to make sure that all laws and procedures are followed carefully. Authentication is the process of proving that evidence is what it purports to be. Authentication of e-evidence is particularly difficult because it is easily modified and technically complex. Evidence may be ruled inadmissible because 1) it was illegally gathered, or 2) it would take too long to present based on its relative value to the trial.
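In practice, the “accurate copy” of the best evidence rule and the authentication requirement above both rest on the same check: the examiner records a cryptographic hash of the data at acquisition and recomputes it for every working copy. A copy whose hash still matches is demonstrably byte-for-byte identical to what was seized; a later modification (the artifact risk the slides warn about) shows up as a mismatch even when the file size is unchanged. The Python below is an added example written for this page, not code from the original slides; the sample email bytes, the examiner identifier and the function names are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence: the raw bytes of a seized email file.
# A disk or logical image would be fingerprinted exactly the same way.
ORIGINAL = (
    b"From: alice@example.invalid\r\n"
    b"Subject: quarterly numbers\r\n"
    b"\r\n"
    b"See attached.\r\n"
)

# A faithful forensic copy is byte-for-byte identical to the seized data.
FAITHFUL_COPY = bytes(ORIGINAL)

# A copy altered after acquisition by one same-length substitution.
# Size alone cannot tell it apart from the original; the hashes can.
ALTERED_COPY = ORIGINAL.replace(b"attached", b"attacked")


def fingerprint(data: bytes) -> dict:
    """Record two independent hashes plus the size of the evidence.

    Two algorithms are kept so that a weakness later found in one does not
    by itself undermine the record (a common acquisition-tool practice).
    """
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def verify_copy(recorded: dict, copy: bytes) -> bool:
    """Return True only if the copy reproduces every recorded value."""
    current = fingerprint(copy)
    return all(current[key] == recorded[key] for key in ("sha1", "sha256", "size"))


def custody_entry(examiner: str, action: str, fp: dict, verified: bool) -> dict:
    """One chain-of-custody record: who, what, when, and the hash at that moment."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,  # constructed identifier for the example
        "action": action,
        "sha256": fp["sha256"],
        "verified": verified,
    }


def build_custody_log(original: bytes, copies: dict) -> list:
    """Hash the seized data once, then check each named working copy against it.

    Returns the log entries in order; the first is the acquisition record.
    """
    acquired = fingerprint(original)
    log = [custody_entry("examiner-01", "acquired", acquired, True)]
    for name, data in copies.items():
        ok = verify_copy(acquired, data)
        log.append(custody_entry("examiner-01", f"verified {name}", fingerprint(data), ok))
    return log


if __name__ == "__main__":
    entries = build_custody_log(
        ORIGINAL, {"working-copy-A": FAITHFUL_COPY, "working-copy-B": ALTERED_COPY}
    )
    print(json.dumps(entries, indent=2))
```

Running the script prints a three-entry log: the acquisition record, a verified entry for the faithful copy whose SHA-256 equals the acquisition hash, and a failed entry for the altered copy. The failed entry is the signal that the copy can no longer be offered as an “original” and that its handling needs to be explained.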

Evidence Terms & Concepts
- Inculpatory evidence: evidence that supports a given theory.
- Exculpatory evidence: evidence that contradicts a given theory.
- Tainted evidence: evidence obtained from an illegal search or seizure.
- Artifact evidence: evidence modified or added to a crime scene that causes the investigator to incorrectly think that it relates to the crime.
Artifact evidence is a particular risk for forensic investigators because electronic data is so easy to corrupt.

Evidence Terms & Concepts
- Circumstantial evidence: evidence that is not a direct statement from an eyewitness or participant.
- Documentary evidence: physical or electronic evidence (which makes it circumstantial also).
- Hearsay evidence: secondhand evidence. Generally inadmissible.
- Expert testimony: generally admissible. It is an exception to the hearsay rule.

Evidence Terms & Concepts
- E-evidence: generic term for any electronic evidence. E-evidence is another exception to the hearsay rule.
- Rules of Evidence: published rules by which the courts determine what evidence is admissible.
- Best Evidence Rule: “[i]f data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original.’”

Discovery
Discovery is the process whereby each party has a right to learn about the other’s evidence. This is where it is determined whether evidence is relevant. All evidence must be disclosed in advance. Evidence not disclosed in advance may be deemed inadmissible. Discovery includes information that must be provided by each party if requested. There are many methods of discovery. This aspect of the legal process is often misrepresented in TV shows and movies. It really is not okay to withhold relevant evidence until the day of the trial, as is often portrayed.

Discovery Methods
- Interrogatories: written answers made under oath to written questions
- Requests for admissions: intended to ascertain the authenticity of a document or the truth of an assertion
- Requests for production: involve the inspection of documents and property
- Depositions: out-of-court testimony made under oath by the opposing party or other witnesses

Electronic Discovery (E-Discovery)
Zubulake v. UBS Warburg (2003) is the landmark case involving e-discovery. Based on this case, courts recognized five categories of stored data which could be used for e-discovery:
- Active, online data
- Near-line data
- Offline storage/archives
- Backup tapes
- Erased, fragmented, or damaged data
The result was an increased demand for e-discovery based on this (and related) rulings. Basically, it gave the green light to all sorts of e-discovery requests in new (and difficult to comply with) areas. To a certain extent, e-discovery could be used as leverage to avoid trial since it would be so expensive and time-consuming. “The more information there is to discover, the more expensive it is to discover all relevant information”. As an example of this, the Enron case required the search of over 400 computers and 10,000 computer backup tapes. In some cases, equipment to read the tapes was not readily available and had to be acquired.
- Active, online data: data is available for access as it is created and processed. Hard drives are a common medium for this type.
- Near-line data: data housed on removable media which can be mounted and read relatively easily (CD, DVD, …).
- Offline storage/archives: data on removable media that has been placed in storage and must be retrieved before it can be accessed. Considered “off site” and archival.
- Backup tapes: data stored on backup tapes that is not organized for retrieval of individual documents or files. Normally must be restored before it can be read.
- Erased, fragmented, or damaged data: data that has been deleted on the computer, but is still retrievable. May be partially destroyed because of the method used to delete. Significant effort may be needed to recover it.

E-Discovery
Companies are required to take steps to preserve e-evidence even before being told to do so. When ordered to do so, companies are required to turn over requested e-records in readable format by a specified date. Courts generally view the failure to respond to e-discovery as an attempt to hide guilt. Destruction of e-evidence is called “spoliation” and is considered “obstruction of justice.” Regardless of how expensive it is, companies must comply with discovery requests and produce requested records. In 2003, Boeing was required to restore 14,000 backup tapes to comply with an e-discovery request. They had problems with this because they had to restore all 14,000 to find the emails that were requested. This took thousands of man-hours.

Summary
- A crime is an offense that violates an existing law.
- Criminal laws are defined by criminal statutes and are punishable according to sentencing guidelines.
- Crimes are divided into two categories: felonies and misdemeanors.
- There are two categories of charges: civil and criminal.
- Evidence is proof of a fact about what did or did not happen.
- For evidence to be used in a trial, it must be material and admissible.

Summary (Cont.)
- E-evidence is circumstantial by definition.
- E-evidence is considered an original copy if it is collected properly.
- Evidence that supports a hypothesis is inculpatory and evidence that contradicts a hypothesis is exculpatory.
- The forensic analyst is objective and collects both types of evidence.
- E-discovery is the process of disclosing electronic evidence prior to trial.