Recovering, Examining and Presenting Computer Forensic Evidence in Court. By Malack Amenya.


Introduction
A technological revolution in communications and information exchange has taken place within business, industry, and our homes. In this information technology age, the needs of law enforcement are changing as well.

Computer Forensic Science
Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media.

Computer forensic science was created to address the specific and articulated needs of law enforcement to make the most of this new form of electronic evidence. With the average storage capacity in a personally owned microcomputer approaching 30 gigabytes, and systems readily available that have 60 GB of storage or more, it is likely to be impossible from a practical standpoint to completely and exhaustively examine every file stored on a seized computer system.

As difficult as it would be to scan a directory of every file on a computer system, it would be equally difficult for law enforcement personnel to read and assimilate the amount of information contained within the files. For example, 12 GB of printed text would create a stack of paper 24 stories high.

Even though the examiner may have the legal right to search every file, time limitations and other judicial constraints may not permit it. The examination in most cases should be limited to well-identified probative information.

Recovering and Discovering Information
It is now black letter law that information generated and stored on computers and in other electronic forms is discoverable.

The following steps cover how to collect relevant data and how to ensure that the data collected can be authenticated and admitted as evidence.

1. Send a preservation of evidence letter.
Because the information stored on computers changes, it is critical to put all parties on notice that you will be seeking electronic evidence through discovery.

2. Include definitions and instructions.
First, use a series of interrogatories to get an overview of the target computer system. Second, all requests for production should make clear that you are requesting electronic documents as well as paper. Finally, if necessary, include a request for inspection so you can examine the computer system first hand and retrieve any relevant data.

3. Take a Rule 30(b)(6) deposition.
This is the single best tool for finding out the types of electronic information that exist in your opponent's computer systems. Follow the checklist for system discovery.

4. Collect backup tapes.
One of the most fertile sources of evidence is the routine backup created to protect data in case of disaster.

5. Collect removable media.
Data selectively saved by users to diskettes or other portable media is another fertile, but often overlooked, source of evidence.

6. Ask every witness about computer usage.
In addition to the discovery directed at the computer system, every witness must be questioned about his or her computer use. Palmtop devices and notebook computers are another good source of evidence.

7. Make copies of residual data.
Residual data includes deleted files, fragments of deleted files, and other data that is still present on the disk even though the file system no longer presents it as a live file.
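Residual data of this kind is recovered by carving: scanning the raw bytes of an image for known file signatures instead of walking the file system. The following carver is an added example written for this page, not code from the presentation. It looks for JPEG start and end markers in a constructed "unallocated region" (the bytes in build_sample_image() are made up for the demo) and reports each hit with its byte offset, whether the end marker was found, and a SHA-256 so the carve can be re-verified by an opposing expert.

```python
"""Signature-based carving of deleted JPEG data from unallocated space.

Added example: a minimal file carver that scans raw bytes for JPEG start/end
markers, the way forensic carvers recover residual data that no longer has a
directory entry. The 'disk image' in build_sample_image() is constructed for
the demo; it is not a real evidence image.
"""
import hashlib

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker (first three bytes of every JPEG)
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def build_sample_image() -> bytes:
    """Constructed unallocated region: filler, one complete JPEG, then a
    fragment whose tail was overwritten (start marker but no end marker)."""
    complete = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"payload-bytes" * 4 + JPEG_EOI
    fragment = JPEG_SOI + b"\xe1\x00\x08Exif" + b"truncated"
    return b"\x00" * 512 + complete + b"\x00" * 64 + fragment + b"\xff" * 128


def carve_jpegs(data: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Return every candidate JPEG found in data.

    Each result records the byte offset (needed for the examination report),
    whether an end marker was found, the carved bytes and their SHA-256 so the
    carve can be independently re-verified. Incomplete fragments are kept
    rather than discarded: a partial file is still residual data.
    """
    results = []
    pos = 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start == -1:
            break
        # Look for the end marker within max_size bytes of the start marker.
        end = data.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:
            carved = data[start:start + max_size]   # fragment: keep what is there
            complete = False
        else:
            carved = data[start:end + len(JPEG_EOI)]
            complete = True
        results.append({
            "offset": start,
            "size": len(carved),
            "complete": complete,
            "sha256": hashlib.sha256(carved).hexdigest(),
            "data": carved,
        })
        # Resume after a complete file; for a fragment, step just past its
        # start marker so a later start marker in the same region is still found.
        pos = end + len(JPEG_EOI) if complete else start + len(JPEG_SOI)
    return results


if __name__ == "__main__":
    for hit in carve_jpegs(build_sample_image()):
        state = "complete" if hit["complete"] else "fragment"
        print(f"offset={hit['offset']} size={hit['size']} {state} sha256={hit['sha256']}")
```

Two caveats apply to real images. The end marker can also occur inside an embedded thumbnail, so a production carver validates the carved bytes with a JPEG decoder before trusting them; and the carve should be run against a verified working copy of the image, never the original media.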

8. Write-protect and virus check all media.
Now that you have obtained the data, you likely have a mix of image copies, backup tapes, diskettes, CDs, and other media. Before doing anything else, you must maintain the integrity of the media you have received. The two key steps are write-protection and virus checking. Write-protect first: a virus scanner run against writable evidence media can itself alter or quarantine files.

9. Preserve the chain of custody.
A chain of custody tracks evidence from its original source to what is offered as evidence in court. Three things are required. First, the software used to make the copies must be reliable; a good benchmark is whether it is used and relied on by law enforcement agencies. Second, the copies made must be capable of independent verification: your opponent and the court must be able to satisfy themselves that your copies are accurate. Third, the copies created must be tamper proof.

Examining Computer Evidence
The challenge to computer forensic science is to develop methods and techniques that provide valid and reliable results while protecting the real evidence, the information, from harm.

Protecting the original means examining a copy rather than the original media. Creating the copy and ensuring that it is true and accurate is a matter of policy and practice, and each agency and examiner must decide how to implement this principle on a case-by-case basis.

Authentication of Digital Evidence
Authentication is the process by which the reliability of evidence is established. The party offering the evidence in court must show that it has not been altered since it was collected and that the location, date, and time of collection can be proven. That is accomplished using standardized evidence-handling procedures and chain-of-custody records, and relies primarily on physical security measures.
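Steps 8 and 9 above and this slide ask for the same thing in practice: copies that anyone can independently verify, and a record of who held them, when and where. The following is an added example written for this page, not code from the presentation. It hashes an evidence image at acquisition, appends each custody event (handler, location, time, hash) to an append-only log, and later recomputes the hash to prove the copy is unaltered. The evidence id "EV-001", the handler names and the sample image bytes are constructed for the demo. SHA-256 is used rather than MD5 because MD5 collisions can be manufactured deliberately, which defeats the tamper-proof requirement.

```python
"""Acquisition hash, chain-of-custody record and later verification.

Added example (not from the presentation): records who handled an evidence
image, when and where, together with the SHA-256 computed at that moment, then
lets anyone holding the image and the log re-verify it. The sample image,
evidence id and handler names below are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file read in chunks, so a multi-gigabyte image never has
    to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody_event(log_path, evidence_id, event, handler, location, image_path) -> dict:
    """Append one custody entry (who, what, when, where, hash) as a JSON line.
    The hash ties the entry to the exact bytes held at that moment."""
    entry = {
        "evidence_id": evidence_id,
        "event": event,                 # e.g. "acquired", "transferred", "examined"
        "handler": handler,
        "location": location,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "sha256": hash_file(image_path),
    }
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_image(log_path, evidence_id, image_path) -> dict:
    """Independent verification: recompute the hash and compare it with the
    hash recorded at acquisition (the first 'acquired' entry for this id)."""
    with open(log_path, encoding="utf-8") as f:
        entries = [json.loads(line) for line in f if line.strip()]
    acquisition = next((e for e in entries
                        if e["evidence_id"] == evidence_id and e["event"] == "acquired"), None)
    if acquisition is None:
        return {"ok": False, "expected": None, "actual": None, "reason": "no acquisition record"}
    actual = hash_file(image_path)
    return {"ok": actual == acquisition["sha256"], "expected": acquisition["sha256"], "actual": actual}


def demo() -> tuple:
    """Run the workflow on a constructed image in a temporary directory.
    Returns (verified_before_tamper, verified_after_tamper)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence-001.dd")
        log = os.path.join(tmp, "custody.jsonl")
        with open(image, "wb") as f:           # constructed 'disk image'
            f.write(b"\x00" * 4096 + b"sample sector data" + b"\x00" * 4096)
        record_custody_event(log, "EV-001", "acquired", "examiner A", "forensic lab", image)
        record_custody_event(log, "EV-001", "transferred", "examiner B", "court exhibit room", image)
        before = verify_image(log, "EV-001", image)
        with open(image, "r+b") as f:          # simulate a single-byte change to the copy
            f.seek(4100)
            f.write(b"X")
        after = verify_image(log, "EV-001", image)
        return before["ok"], after["ok"]


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The hash proves the bytes are unchanged; it does not by itself prove who changed them or when. That is why the log also carries handler, location and time, and why the log itself must be protected (the slide's "physical security measures" apply to the record as much as to the media).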

Information-Assurance Services
The Information Assurance Technical Framework (National Security Agency 2002) captures information-assurance guidance reflecting the state of practice in the U.S. Department of Defense, federal government, and industry information-assurance community.

It describes five primary security services relevant to information and information processing systems: access control, confidentiality, integrity, availability, and non-repudiation.

Daubert Compliance
The Daubert ruling (Daubert 1993) requires the trial judge to assess whether a methodology or technique invoked by expert testimony is scientifically valid and whether the methodology can be applied to the facts in issue.

The ruling provides the following five example considerations to aid the judge in making that assessment:
-whether the technique can be and has been tested
-whether the technique has been subjected to peer review and publication
-known or potential rate of error
-existence and maintenance of standards controlling the technique
-general acceptance in the relevant scientific community

Presenting Evidence in Court
When collecting computer data for evidentiary purposes, a party has a duty to utilize the method which would yield the most complete and accurate results. Gates Rubber Co. v. Bando Chemical Indus. Ltd., 167 F.R.D. 90, 112 (D. Colo. 1996). In Gates, the court criticized the plaintiff for failing to make image copies and for failing to properly preserve undeleted files.

Zubulake V (July 20, 2004)
The contents of the backup tapes restored by UBS demonstrated that certain UBS employees had deleted e-mails after being advised of their duty to preserve the evidence. Since Zubulake could now show that the destruction was willful and that the destroyed e-mails would likely have been beneficial to her case, the Court granted an adverse inference jury instruction.

Additionally, since it took UBS almost two years to produce the relevant and requested e-mails from the backup tapes, it was ordered to pay Zubulake's costs related to re-deposing any relevant witnesses. Even though the Court acknowledged that UBS's attorneys generally fulfilled their duty to communicate with their client on its duty to preserve and produce data, it noted certain key shortcomings, one of which was the attorneys' failure to communicate with the client's information technology personnel.

In a postscript to this July 2004 opinion, Judge Scheindlin discusses how rapidly the body of case law on discovery of electronic information has evolved in the little over two years that this case has been pending. All parties and their counsel are fully on notice of their responsibility to preserve and produce electronically stored information.

See more sample cases at m/nyaurakisii/amenya

Conclusion
Challenges of computer forensics:
-being able to demonstrate the authenticity of the evidence
-integrity and security of data are also an issue in many courts
-acceptance of computer technology (judges, jury, etc.)
-establishing the chain of custody

Why computer crime is hard to prosecute:
-lack of understanding
-lack of physical evidence
-lack of political impact
-complexity of cases
-juvenile offenders

The end