Electronic Evidence Admissibility Carmen R. Cintrón Ferrer, 2006, Derechos Reservados ISACA – San Juan Chapter, February Meeting.


2 Agenda
- Problem
- Definitions
- Legal environment
  - Best Evidence Rule
  - Chain of Custody and Protection of Originals
  - Compliance with Constitutional Rights
- Suggested procedure
- Comments

3 Problem Will the electronic evidence seized by the FBI on February 10th, 2006, be admissible in a court of law?

4 Stated Problem Implications
In order for electronic evidence to be admissible it must not be hearsay, it must comply with the “Best Evidence Rule”, and it must be placed under a chain of custody that warrants there has been no tampering or improper handling.
Computer forensics suggests procedures and mechanisms that reduce the risk of evidence being deemed inadmissible, while allowing investigators to:
- Execute a warrant to search electronic devices;
- Examine and collect electronic evidence, or seize (impound) electronic equipment where such evidence might be deposited, in a manner that protects the integrity of such evidence;
- Protect acquired evidence.

5 Stated Problem Questions to be answered
- What standards should apply?
- How should they have been applied by the FBI?
- Why is it relevant for information systems auditors?

6 Definitions
- Electronic Evidence
- Hearsay
- Best Evidence Rule
- Authentication
- Chain of Custody
- Computer Forensics Science

7 Incident Response and Computer Forensics & Cyber Forensics Definitions Evidence: “Any information of probative value that helps prove something relative to the case under investigation.”

8 Incident Response and Computer Forensics & Cyber Forensics Definitions Hearsay: “When a computer record contains the assertions of a person, whether or not processed by a computer, the record can contain hearsay. An exception to the hearsay rule is the business record exception.” “When a computer record contains computer generated data untouched by human hands, the record cannot contain hearsay.”

9 Incident Response and Computer Forensics & Cyber Forensics Definitions Best Evidence Rule: “Absent some exceptions requires that the original of a writing or recording must be admitted in court to prove its contents.” “(if) data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an original.” (FRE 1001(3)) “A duplicate is admissible to the same extent as an original unless (1) a genuine question is raised as to the authenticity of the original or (2) in the circumstances it would be unfair to admit the duplicate in lieu of the original.” (FRE 1003)

10 Incident Response and Computer Forensics & Cyber Forensics Definitions Authentication: “Whomever collected the evidence should testify during examination that the information is what the proponent claims.” (FRE 901(a)) “A testimony by a witness who has personal knowledge as to the origins of that piece of evidence.” “Applicable standard is the same as for other records.”

11 Incident Response and Computer Forensics & Cyber Forensics Definitions Chain of Custody:
- Requires that evidence is stored in a manner where it cannot be accessed by unauthorized personnel.
- The location of evidence from the moment it was collected to its presentation at trial needs to be traced.
- A log should be kept for each evidentiary item.

12 Incident Response and Computer Forensics & Cyber Forensics Definitions Computer forensics science: “Is a common ground of rules, techniques and tools for collecting, examining, preserving, retrieving and presenting data that has been processed electronically and has been stored on computer media.” “It pertains to electronic or digital transactions or records.” “It produces direct information and data that may have significance in a case, rather than producing interpretative conclusions.”

13 Legal Environment Constitutional Rights:
Fourth Amendment – “The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched and the persons or things to be seized.”
First Amendment – “Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof, or abridging the freedom of speech or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.”

14 Legal Environment Search and Seizures (42 USC 2000aa):
- Warrant (exceptions on terrorism by USA Patriot Act)
- Probable Cause for:
  - Search and/or seize HW?
  - Search and/or seize SW?
  - Search and/or seize data?
  - Search and/or seize a network?
- Key questions:
  - Is it contraband, a tool for the offense or incidental?
  - Where will the search be conducted?
  - How will the search be conducted?
  - Can evidence out of the scope of the warrant be used?

15 Legal Environment Other applicable legislation:
- Federal Criminal Code (18 USC 2703): Warrant, Subpoena, Court Order
- Electronic Communications Privacy Act (ECPA)
- USA Patriot Act (2001)
- Communications Assistance for Law Enforcement Act (CALEA) – under scrutiny of Congress

16 Best Practices for Seizing Electronic Evidence (US Secret Service)
- Determine type of search
- Determine what to search
- Determine where to search
- Assure valid warrant
- Use appropriate collection techniques so the evidence is not destroyed or altered
- Employ trained personnel for forensic examination

17 Best Practices for Seizing Electronic Evidence (US Secret Service) Conduct the search and seizure:
- Secure the scene:
  - Officer safety
  - Preserve area
  - Restrict access to computer(s) and isolate from phone lines or connections to ISP
- Secure computer evidence:
  - Photograph scene and screen(s)
  - Unplug and label
  - Place evidence tape
  - If transport is required, package components as fragile cargo
  - Keep away from magnets, radio transmitters and similar environments
  - If it is necessary to access storage devices, all actions associated with the manipulation of the device should be noted in order to document the chain of custody and ensure its admission to court

18 Cyber Forensics International Principles (International Organization on Computer Evidence)
- Take actions not to change seized evidence.
- Only a forensically competent professional should access original digital evidence, when necessary.
- All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved and available for review.
- An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.
- Any agency that is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.

19 Suggested Procedure
- Request warrant to determine terms, scope of search and of seizure
- If valid warrant, request:
  - Presence while scene is secured by agents
  - Equipment be digitally photographed in your presence
  - Equipment be turned on (if it is not on):
    - Solicit that an image of each computer’s fixed storage device or computer files to be seized be made in your presence
    - Solicit that an image of each removable storage device to be seized be made in your presence
    - Solicit that a preliminary forensics investigation be conducted in accordance with the search warrant and request a copy of the results
- Else, deny access to equipment until legal counsel is present.

20 Suggested Procedure Recommended Forensic Practice
- Document procedure
- Search equipment on site
- Make a mirror image of storage devices
- Take mirror image off-site
- Restore mirror image on another hard drive that has been wiped clean
- Search for files and data specified in warrant:
  - Searching original devices can compromise original evidence
  - An image is unreadable unless restored to another device
  - If evidence pertaining to other crimes is present, it might not be admissible if it is out of the scope of the warrant
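The recommended forensic practice on this slide (image the device, take the image off-site, restore it onto a wiped drive, search only the restored copy) and the Best Evidence Rule point on slide 9 (a duplicate is admissible unless its authenticity is in question) both rest on being able to show that each copy is byte-identical to what was seized. The following is an added example written for this transcript, not code from the presentation or its references: it images a source, hashes it in the same pass, verifies the image, wipes and restores a separate working copy, and re-verifies that copy after an examination session. The file used as a stand-in for a block device, the file names and the choice of SHA-256 are this example's assumptions; a hardware write blocker on the source is assumed and not shown.

```python
"""Forensic duplication with hash verification (added example)."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB per read keeps memory flat on multi-GB devices


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image_path):
    """Bit-for-bit copy of source into image_path.

    The source is read exactly once (its hash comes from the same bytes
    being written), then the finished image is re-read and hashed on its
    own. Returns (source_hash, image_hash, verified).
    """
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on disk before it is hashed
    source_hash = h.hexdigest()
    image_hash = sha256_file(image_path)
    return source_hash, image_hash, source_hash == image_hash


def wipe_target(path, size):
    """Overwrite the target with zeros so that nothing left from an earlier
    case can be mistaken for data restored from this image."""
    with open(path, "wb") as f:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(b"\x00" * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())


def restore_working_copy(image_path, working_path, expected_hash):
    """Wipe the working target, restore the image onto it and verify the
    result against the hash recorded at acquisition."""
    wipe_target(working_path, os.path.getsize(image_path))
    _, copy_hash, _ = acquire_image(image_path, working_path)
    return copy_hash == expected_hash


def verify_copy(path, expected_hash):
    """Re-check any copy, e.g. before and after an examination session."""
    return sha256_file(path) == expected_hash


def demo():
    """Run the whole workflow on constructed sample data in a temp dir."""
    d = tempfile.mkdtemp()
    device = os.path.join(d, "suspect-disk.bin")  # stand-in for a raw device
    image = os.path.join(d, "suspect-disk.img")
    working = os.path.join(d, "working-copy.bin")
    with open(device, "wb") as f:
        f.write(b"constructed sample sector data " * 4096)

    src_hash, img_hash, ok = acquire_image(device, image)
    restored = restore_working_copy(image, working, img_hash)

    # Simulate an examination that changed one byte of the working copy:
    # re-verification must flag it, while the image itself stays intact.
    with open(working, "r+b") as f:
        f.seek(100)
        f.write(b"X")
    return {
        "source_hash": src_hash,
        "image_hash": img_hash,
        "image_verified": ok,
        "working_copy_restored": restored,
        "working_copy_still_valid": verify_copy(working, img_hash),
        "image_still_valid": verify_copy(image, img_hash),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The three hashes (source, image, working copy) are what goes on the evidence tag and into the custody log; a duplicate whose hash matches the recorded source hash is the practical answer to a "genuine question as to authenticity" under FRE 1003 as quoted on slide 9, and a mismatch after an examination session is the signal that the working copy, not the image, must be discarded and restored again.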

21 Comments

22 References
- Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Marcella & Greenfield, Auerbach Publications, 2002
- Incident Response & Computer Forensics, Mandia, Prosise & Pepe, 2nd Edition, McGraw-Hill/Osborne, 2003
- United States Constitution, Yahoo version
- Good Practice Guide for Computer Based Electronic Evidence, National High Tech Crime Unit, Association of Police Officers, Wales
- Computer Searches and Seizures: Some Unresolved Issues, Brenner & Frederiksen, Michigan Telecomm Tech Law Review, 2002
- Computer-Based Investigation and Discovery in Criminal Cases: A Guide for United States Magistrate Judges, Withers, National Workshop for Magistrate Judges II, Boston, Mass., 2003
- Annotated Case Law on Electronic Discovery, Withers, 2005
- Digital Evidence and the New Criminal Procedure, Orin S. Kerr, Columbia Law Review, Vol. 105:279

23 References
- Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Computer Crime and Intellectual Property Section, Criminal Division, US Dept of Justice, 2002
- Ensuring the Admissibility of Electronic Forensic Evidence and Enhancing Its Probative Value at Trial, Galves & Galves, American Bar Association Criminal Justice Magazine, Vol 19 #1, 2004
- Suppressing Evidence Gained by Government Surveillance of Computers, James Adams, American Bar Association Criminal Justice Magazine, Spring 2004, Vol 19 #1
- Computer Records and the Federal Rules of Evidence, Orin S. Kerr, USA Bulletin, US Dept of Justice, March 2001
- Federal Guidelines for Searching and Seizing Computers, US Dept of Justice, 1994
- United States Secret Service Best Practices for Seizing Electronic Evidence
- Communications Assistance for Law Enforcement Act (CALEA), Agent Michael P. Clifford, US Dept of Justice, CCIPS page, April 2005

24 Appendix Evidence Handling Procedures
- Record information about the computer system before examining the contents of its hard drive.
- Take digital photos of the original system and media before it is duplicated.
- Fill in an evidence tag for all media to be duplicated, examined and preserved as evidence.
- Store the best evidence copy in the evidence safe.
- Maintain an evidence log for each piece of best evidence under an evidence custodian.
- Perform all examinations on a forensic copy of the best evidence (working copy).
- Create backup copies of the best evidence.
- Comply with the evidence disposition dates defined by the principal investigator.
- Audit monthly all evidence in custody to ascertain that all best evidence is present, properly stored and labeled.
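The evidence tag, the per-item log under a named custodian and the monthly audit on this slide, together with the chain-of-custody definition on slide 11 (trace every item from collection to trial, keep a log per item), can be implemented as a small append-only record. The following is an added example written for this transcript, not a procedure from the presentation or its references: each custody event is one JSON line naming the item, the action, the custodian and the hash on the tag, and the audit recomputes every best-evidence hash in the safe and reports what is present, altered or missing. The directory layout, item ids, action names and evidence files are this example's constructed assumptions.

```python
"""Evidence tags, chain-of-custody log and periodic audit (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream a file through SHA-256 (this example's choice of hash)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def log_custody_event(log_path, item_id, action, custodian, sha256=None, note=""):
    """Append one event; the log is only ever appended to, never rewritten."""
    entry = {"ts": now(), "item_id": item_id, "action": action,
             "custodian": custodian, "sha256": sha256, "note": note}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def tag_evidence(log_path, item_id, description, collected_by, path):
    """The evidence tag: item identity, description (make, model, serial)
    and the hash of the best-evidence copy at the moment it enters custody."""
    return log_custody_event(log_path, item_id, "collected", collected_by,
                             sha256_file(path), note=description)


def read_log(log_path):
    with open(log_path) as f:
        return [json.loads(line) for line in f if line.strip()]


def custody_chain(log_path, item_id):
    """Ordered (timestamp, action, custodian) history of one item."""
    return [(e["ts"], e["action"], e["custodian"])
            for e in read_log(log_path) if e["item_id"] == item_id]


def audit_evidence(log_path, safe_dir):
    """Monthly audit: for every tagged item, find its best-evidence file in
    the safe and compare the current hash with the one on the tag.
    Returns {"ok": [...], "missing": [...], "tampered": [...]}."""
    report = {"ok": [], "missing": [], "tampered": []}
    for e in read_log(log_path):
        if e["action"] != "collected":
            continue
        path = os.path.join(safe_dir, e["item_id"] + ".img")
        if not os.path.exists(path):
            report["missing"].append(e["item_id"])
        elif sha256_file(path) != e["sha256"]:
            report["tampered"].append(e["item_id"])
        else:
            report["ok"].append(e["item_id"])
    return report


def demo():
    """Constructed scenario: three items in custody, one altered, one gone."""
    d = tempfile.mkdtemp()
    safe = os.path.join(d, "evidence-safe")
    os.mkdir(safe)
    log = os.path.join(d, "custody.jsonl")

    items = {"HD-001": b"constructed hard disk image bytes " * 512,
             "USB-002": b"constructed usb stick image bytes " * 256,
             "CD-003": b"constructed optical media image bytes " * 128}
    for item_id, data in items.items():
        path = os.path.join(safe, item_id + ".img")
        with open(path, "wb") as f:
            f.write(data)
        tag_evidence(log, item_id, f"constructed {item_id}", "examiner-A", path)
        log_custody_event(log, item_id, "stored", "custodian-B", note="evidence safe")

    # Examination happens on a working copy; the best evidence stays sealed.
    log_custody_event(log, "HD-001", "working-copy-made", "examiner-A")

    # Two conditions the audit must surface: a best-evidence file altered
    # in place, and one that is no longer in the safe at all.
    with open(os.path.join(safe, "USB-002.img"), "r+b") as f:
        f.write(b"!")
    os.remove(os.path.join(safe, "CD-003.img"))

    return {"audit": audit_evidence(log, safe),
            "chain_HD-001": [a for _, a, _ in custody_chain(log, "HD-001")]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the log file itself needs the same protection as the safe (restricted access and its own periodic hash or signature), since an attacker who can rewrite the log can make a substituted item look untouched; an append-only file is the minimum, not the whole control.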

25 Appendix Evidence System Description
Record information on individuals who:
- occupy the office or room where the original evidence is found;
- have access to the office or room where the original evidence is found;
- actually use the system.
Record information on the computer:
- Location in the room or office;
- State (power on/off), data on screen;
- Time/date from system BIOS;
- Network/modem connections;
- Serial #, model, make of computer, drives and components;
- Peripherals attached.
Digital photos:
- Protect investigator(s) from claims of damage to property
- Return system to its exact state prior to forensic duplication
- Capture current configuration