
Electronic Evidence Admissibility. Carmen R. Cintrón Ferrer, 2006, All Rights Reserved. ISACA – San Juan Chapter, February Meeting.



Presentation transcript:

1 Title slide (as above)

2 Agenda
- Problem
- Definitions
- Legal environment
  - Best Evidence Rule
  - Chain of Custody and Protection of Originals
  - Compliance with Constitutional Rights
- Suggested procedure
- Comments

3 Problem
Will the electronic evidence seized by the FBI on February 10th, 2006, be admissible in a court of law?

4 Stated Problem: Implications
For electronic evidence to be admissible it must not be hearsay, it must comply with the Best Evidence Rule, and it must be kept under a chain of custody that warrants there has been no tampering or improper handling.
Computer forensics suggests procedures and mechanisms that reduce the risk of evidence being deemed inadmissible, while allowing investigators to:
- Execute a warrant to search electronic devices,
- Examine and collect electronic evidence, or
- Seize (impound) electronic equipment where such evidence might reside, in a manner that protects the integrity of that evidence,
- Protect the acquired evidence.

5 Stated Problem: Questions to be answered
- What standards should apply?
- How should they have been applied by the FBI?
- Why is this relevant for information systems auditors?

6 Definitions
- Electronic Evidence
- Hearsay
- Best Evidence Rule
- Authentication
- Chain of Custody
- Computer Forensics Science

7 Definitions (sources: Incident Response and Computer Forensics; Cyber Forensics)
Evidence: “Any information of probative value that helps prove something relative to the case under investigation.”

8 Definitions (sources: Incident Response and Computer Forensics; Cyber Forensics)
Hearsay: “When a computer record contains the assertions of a person, whether or not processed by a computer, the record can contain hearsay. An exception to the hearsay rule is the business record exception.”
“When a computer record contains computer generated data untouched by human hands, the record cannot contain hearsay.”

9 Definitions (sources: Incident Response and Computer Forensics; Cyber Forensics)
Best Evidence Rule: “Absent some exceptions, requires that the original of a writing or recording must be admitted in court to prove its contents.”
“(If) data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an original.” (FRE 1001(3))
“A duplicate is admissible to the same extent as an original unless (1) a genuine question is raised as to the authenticity of the original or (2) in the circumstances it would be unfair to admit the duplicate in lieu of the original.” (FRE 1003)
For a forensic image, “shown to reflect the data accurately” is the point the examiner must be able to testify to: how the copy was made and that it matches the original (in practice, by comparing cryptographic hashes of source and image).

10 Definitions (sources: Incident Response and Computer Forensics; Cyber Forensics)
Authentication: FRE 901(a) requires evidence sufficient to support a finding that the item is what its proponent claims. The usual way to meet it is “testimony by a witness who has personal knowledge as to the origins of that piece of evidence,” typically whoever collected it, given during examination.
“The applicable standard is the same as for other records.”

11 Definitions (sources: Incident Response and Computer Forensics; Cyber Forensics)
Chain of Custody:
- Evidence must be stored in a manner where it cannot be accessed by unauthorized personnel.
- The location of the evidence must be traceable from the moment it was collected to its presentation at trial.
- A log should be kept for each evidentiary item.

12 Definitions (sources: Incident Response and Computer Forensics; Cyber Forensics)
Computer forensics science: “Is a common ground of rules, techniques and tools for collecting, examining, preserving, retrieving and presenting data that has been processed electronically and has been stored on computer media.”
“It pertains to electronic or digital transactions or records.”
“It produces direct information and data that may have significance in a case, rather than producing interpretative conclusions.”

13 Legal Environment: Constitutional Rights
Fourth Amendment: “The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched and the persons or things to be seized.”
First Amendment: “Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof, or abridging the freedom of speech or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.”

14 Legal Environment: Search and Seizure (42 USC 2000aa)
- Warrant (with exceptions for terrorism under the USA PATRIOT Act)
- Probable cause for:
  - Search and/or seizure of hardware?
  - Search and/or seizure of software?
  - Search and/or seizure of data?
  - Search and/or seizure of a network?
- Key questions:
  - Is the computer contraband, the instrument of the offense, or incidental to it?
  - Where will the search be conducted?
  - How will the search be conducted?
  - Can evidence outside the scope of the warrant be used?

15 Legal Environment: Other applicable legislation
- Federal Criminal Code (18 USC 2703): warrant, subpoena, court order
- Electronic Communications Privacy Act (ECPA)
- USA PATRIOT Act (2001)
- Communications Assistance for Law Enforcement Act (CALEA), under scrutiny by Congress

16 Best Practices for Seizing Electronic Evidence (US Secret Service)
- Determine the type of search
- Determine what to search
- Determine where to search
- Ensure a valid warrant
- Use appropriate collection techniques so the evidence is not destroyed or altered
- Employ trained personnel for the forensic examination

17 Best Practices for Seizing Electronic Evidence (US Secret Service)
Conduct the search and seizure:
- Secure the scene:
  - Officer safety
  - Preserve the area
  - Restrict access to the computer(s) and isolate them from phone lines and ISP connections
- Secure computer evidence:
  - Photograph the scene and the screen(s)
  - Unplug and label
  - Place evidence tape
  - If transport is required, package components as fragile cargo
  - Keep away from magnets, radio transmitters and similar environments
  - If it is necessary to access storage devices, note every action taken on the device in order to document the chain of custody and ensure its admission in court

18 Cyber Forensics: International Principles (International Organization on Computer Evidence)
- Upon seizing digital evidence, take no action that changes that evidence.
- Only a forensically competent professional should access original digital evidence, and only when necessary.
- All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
- An individual is responsible for all actions taken with respect to digital evidence while it is in their possession.
- Any agency responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.

19 Suggested Procedure
- Request the warrant to determine the terms and scope of the search and of the seizure.
- If the warrant is valid, request:
  - Your presence while the scene is secured by agents
  - That the equipment be digitally photographed in your presence
  - That the equipment be turned on (if it is not on) and:
    - An image of each computer's fixed storage device, or of the computer files to be seized, be made in your presence
    - An image of each removable storage device to be seized be made in your presence
    - A preliminary forensic investigation be conducted in accordance with the search warrant, and that you receive a copy of the results
- Otherwise, deny access to the equipment until legal counsel is present.
Caveat: powering on a seized machine and booting its own operating system writes to its disk, which conflicts with the principle on slide 18 of not changing seized evidence; the image should be taken without booting from the evidence drive.

20 Suggested Procedure: Recommended Forensic Practice
- Document the procedure
- Search the equipment on site
- Make a mirror image of the storage devices
- Take the mirror image off site
- Restore the mirror image onto another hard drive that has been wiped clean
- Search for the files and data specified in the warrant
Rationale:
- Searching the original devices can compromise the original evidence
- A raw image cannot be browsed as a file system until it is restored to another device (or, with forensic tools, mounted read-only)
- Evidence of other crimes found during the search may be inadmissible if it is outside the scope of the warrant

21 Comments

22 References
- Marcella & Greenfield, Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Auerbach Publications, 2002
- Mandia, Prosise & Pepe, Incident Response & Computer Forensics, 2nd Edition, McGraw-Hill/Osborne, 2003
- United States Constitution (Yahoo version)
- Good Practice Guide for Computer Based Electronic Evidence, National High Tech Crime Unit / Association of Chief Police Officers (ACPO)
- Brenner & Frederiksen, Computer Searches and Seizures: Some Unresolved Issues, Michigan Telecommunications and Technology Law Review, 2002
- Withers, Computer-Based Investigation and Discovery in Criminal Cases: A Guide for United States Magistrate Judges, National Workshop for Magistrate Judges II, Boston, Mass., 2003
- Withers, Annotated Case Law on Electronic Discovery, 2005
- Orin S. Kerr, Digital Evidence and the New Criminal Procedure, Columbia Law Review, Vol. 105:279

23 References (continued)
- Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Computer Crime and Intellectual Property Section, Criminal Division, US Department of Justice, 2002
- Galves & Galves, Ensuring the Admissibility of Electronic Forensic Evidence and Enhancing Its Probative Value at Trial, ABA Criminal Justice Magazine, Vol. 19 No. 1, 2004
- James Adams, Suppressing Evidence Gained by Government Surveillance of Computers, ABA Criminal Justice Magazine, Spring 2004, Vol. 19 No. 1
- Orin S. Kerr, Computer Records and the Federal Rules of Evidence, USA Bulletin, US Department of Justice, March 2001
- Federal Guidelines for Searching and Seizing Computers, US Department of Justice, 1994
- United States Secret Service, Best Practices for Seizing Electronic Evidence, www.secretservice.gov
- Michael P. Clifford, Communications Assistance for Law Enforcement Act (CALEA), US Department of Justice, CCIPS page, April 2005

24 Appendix: Evidence Handling Procedures
- Record information about the computer system before examining the contents of its hard drive.
- Take digital photos of the original system and media before they are duplicated.
- Fill in an evidence tag for every piece of media to be duplicated, examined and preserved as evidence.
- Store the best-evidence copy in an evidence safe.
- Maintain an evidence log for each piece of best evidence, under an evidence custodian.
- Perform all examinations on a forensic copy of the best evidence (the working copy).
- Create backup copies of the best evidence.
- Comply with the evidence disposition dates defined by the principal investigator.
- Audit all evidence in custody monthly to confirm that all best evidence is present, properly stored and labeled.
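Slides 20 and 24 together describe one routine: mirror the device, never examine the original, work from a copy, log every custody action, and audit the stored evidence periodically. The shell script below is an illustration added to this transcript; it is not the presenter's material or any agency's tool. It assumes a flat evidence directory, a tab-separated custody log, the function and item names chosen here, and a constructed 64 KiB random file standing in for a seized disk. It goes one step beyond the slides, which do not mention hashing: it verifies the image against the original by SHA-256, which is how an examiner shows that a copy "reflects the data accurately" in the sense of FRE 1001(3).

```shell
#!/bin/sh
# Added illustration for this transcript, not the presenter's material or any agency's tool.
# Assumptions: a flat evidence directory, a tab-separated custody log, and a constructed
# 64 KiB file standing in for a seized disk.
set -eu

EVIDENCE_DIR="${EVIDENCE_DIR:-$(mktemp -d)}"

# SHA-256 of a file (GNU coreutils, with shasum as fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# One custody entry: UTC timestamp, item, action, custodian, detail.
log_custody() {
    mkdir -p "$EVIDENCE_DIR"
    printf '%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" "$4" \
        >> "$EVIDENCE_DIR/custody.log"
}

# Bit-for-bit image of $1 into $2, taken by custodian $3.
# The source is hashed before and after imaging to show it was not altered, the image is
# hashed once, and all three values must agree. dd's own report is kept beside the image.
image_device() {
    src="$1"; img="$2"; who="$3"
    before=$(sha256_of "$src")
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>"$img.log"
    after=$(sha256_of "$src")
    imghash=$(sha256_of "$img")
    log_custody "$(basename "$src")" IMAGED "$who" \
        "image=$img sha256=$imghash source_before=$before source_after=$after"
    [ "$before" = "$after" ] && [ "$after" = "$imghash" ]
}

# Working copy for examination; the best-evidence image itself is not touched again.
make_working_copy() {
    cp "$1" "$2"
    log_custody "$(basename "$1")" WORKING_COPY "$3" "copy=$2 sha256=$(sha256_of "$2")"
}

# Compare one image with the hash recorded when it was made.
# Returns 0 intact, 1 altered, 2 never logged, 3 missing from storage.
verify_item() {
    recorded=$(grep -F "image=$1 " "$EVIDENCE_DIR/custody.log" 2>/dev/null | tail -n 1 \
        | sed 's/.* sha256=\([0-9a-f]*\).*/\1/')
    [ -n "$recorded" ] || return 2
    [ -f "$1" ] || return 3
    [ "$(sha256_of "$1")" = "$recorded" ]
}

# Periodic audit: every IMAGED item in the log is re-verified; one line per item.
audit_all() {
    awk -F '\t' '$3 == "IMAGED" { sub(/^image=/, "", $5); sub(/ .*/, "", $5); print $5 }' \
        "$EVIDENCE_DIR/custody.log" | sort -u | while IFS= read -r img; do
        if verify_item "$img"; then echo "OK   $img"; else echo "FAIL $img (status $?)"; fi
    done
}

# Number of items the audit flagged as altered or missing.
audit_failures() {
    audit_all | grep -c '^FAIL' || true
}

# Demonstration on a constructed sample (random bytes, not a real device).
demo() {
    mkdir -p "$EVIDENCE_DIR"
    dev="$EVIDENCE_DIR/suspect-hdd.bin"
    head -c 65536 /dev/urandom > "$dev"
    image_device "$dev" "$EVIDENCE_DIR/suspect-hdd.dd" examiner-1
    make_working_copy "$EVIDENCE_DIR/suspect-hdd.dd" "$EVIDENCE_DIR/suspect-hdd.work.dd" examiner-1
    audit_all
    echo "custody log: $EVIDENCE_DIR/custody.log"
}
demo
```

Run it with sh on a Unix host. For a real seizure the sample file would be replaced by the block device path (for example /dev/sdb, attached through a hardware write blocker; both are assumptions of this note), and the dd report stays beside the image as part of the record. The exit codes of verify_item separate an altered image (1) from one that was never logged (2) or is no longer in storage (3), which are the three findings the monthly audit on slide 24 has to distinguish.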

25 Appendix: Evidence System Description
Record information on individuals who:
- occupy the office or room where the original evidence is found;
- have access to that office or room;
- actually use the system.
Record information on the computer:
- Location in the room or office
- State (power on/off) and data on screen
- Time and date from the system BIOS
- Network and modem connections
- Serial number, model and make of the computer, drives and components
- Peripherals attached
Digital photos:
- Protect the investigator(s) from claims of damage to property
- Allow the system to be returned to its exact state prior to forensic duplication
- Capture the current configuration

