
Lecture 3

Digital Evidence in the Courtroom

Prof. Shamik Sengupta

Office 4210N

[email protected]

http://jjcweb.jjay.cuny.edu/ssengupta/

Fall 2010

Influence of Criminal Behavior from Computer and Internet

History of the Internet
– ARPA project in 1969
– To create a mechanism for ensured communication between military installations
– Today’s Internet
  – Both synchronous and asynchronous international person-to-person communication between private individuals
  – Beginning of a pervasive form of social-global connectedness
  – Venues for trade and commerce in a digital-international marketplace

The Internet is analogous to the Wild West, where the law is mostly unwritten and power falls into the hands of those with the best technology
– Biegel S. (2003). Beyond Our Control: Confronting the Limits of Our Legal System in the Age of Cyberspace. Cambridge, MA: MIT Press

Influence of Criminal Behavior from Computer and Internet (Continued)

The Internet is where the money is
– Over one trillion dollars moved electronically each week
– The rates of cybercrime are skyrocketing
– The annual “take” by theft-oriented cybercriminals is estimated as high as $100 billion, and 97% of offenses go undetected
  – Bennett, W. & K. Hess (2001). Criminal Investigation. Belmont, CA: Wadsworth
– The real cost?
  – Organized crime, terrorism, embezzlement, and countless ways to offend using computers and the Internet

Computers and the Internet are no different from other technologies adapted by the criminal
– Often computers and Internet technologies merely add a new dimension to existing crime rather than introducing new types of crimes and criminals
– “The computer has just given fraud another dimension.”
  – McPherson T. (2003). Sherlock Holmes’ modern followers, The Advertiser, May 31.

Modus Operandi

Latin term, “a method of operating”
– How criminals commit their crimes
– vs. Motives: why they commit their crimes

An offender’s MO often serves the following purposes
– Protects the offender’s identity
– Ensures the successful completion of the crime
– Facilitates the offender’s escape

Examples
– Notes for planning, victim information, etc.
– Hardware, software systems
– Use of aliases, …

Technology & Modus Operandi

Technology has long shared a relationship with criminal behavior
– Paper & pencils, the postal system, telephone, fax machines, e-mails, web sites, …

Criminals can borrow from existing technology to enhance their current MO and achieve their goals
– Skilled and motivated criminals even develop new technology

End result: a spin on an existing form of criminal behavior

From the criminal’s perspective
– Relationship between the advancement of crime detection technologies in forensic science and a criminal’s knowledge of them

Motive & Technology

Motive
– Emotional, psychological or material need that impels, and is satisfied by, a behavior
  – Turvey B. (2002). Criminal Profiling: An Introduction to Behavioral Evidence Analysis, 2nd edition. London: Academic Press

Classifying offenders by their behavior (by Turvey B.)
– Power Reassurance
– Power Assertive
– Anger Retaliatory
– Sadistic
– Opportunistic
– Profit oriented

Examples from the textbook of how criminals engage and adapt computer and Internet technology
– A computer virus, a public e-mail discussion list

Legal Issues: Broad

Legal Issues
– Investigatory needs vs. the right to privacy
– What constitutes computer crime?
– Fourth Amendment to the U.S. Constitution
– Fifth Amendment to the U.S. Constitution
– Jurisdiction:
  – Who cares?
  – Who prosecutes?
– Admissibility of evidence in court
– Chain of custody issues
– Search warrant laws
– Wiretap laws
– Digital Millennium Copyright Act (DMCA)
– Patriot Act

Privacy

Fourth Amendment
– The Fourth Amendment of the United States Constitution governs all searches and seizures conducted by government agents
– Government is not allowed unreasonable search and seizure of property
– Does not apply to individuals (e.g., corporations!) performing the investigation!
– Complicated—the court tries to balance privacy and the need to control crime
– The individual must reasonably expect privacy in whatever scenario is being evaluated
– Society must believe the expectation of privacy is reasonable

Examples:
– Random stops on the highway
  – OK. Primarily to ensure highway safety, not to investigate crime
– Use of a phone booth
  – When the door is shut, reasonable expectation of privacy
  – Can’t snoop without appropriate court orders
  – Can’t place a microphone on the outside of the phone booth

Fourth Amendment

Fourth Amendment + Computers

From: http://www.usdoj.gov/criminal/cybercrime/s&smanual2009.pdf
– Reasonable Expectation of Privacy in Computers as Storage Devices:

To determine whether an individual has a reasonable expectation of privacy in information stored in a computer, it helps to treat the computer like a closed container such as a briefcase or file cabinet. The Fourth Amendment generally prohibits law enforcement from accessing and viewing information stored in a computer without a warrant if it would be prohibited from opening a closed container and examining its contents in the same situation.

Fourth Amendment (Continued)

A computer in the hands of a 3rd party may render 4th Amendment rights void

Example:
– Getting a computer fixed, the technician discovers something illegal and turns you over to the police

Fourth Amendment (Continued)

Bottom line: if you’re law enforcement, all this matters

Otherwise, the Fourth Amendment doesn’t even apply

That doesn’t mean that you can hack into whatever you wish without worry

An individual’s or corporation’s right to search is governed by other laws

Fifth Amendment

“No person shall be compelled in any criminal case to be a witness against himself”
– Protection against self-incrimination in giving testimony

The USSC has narrowed the privilege so that it applies if the act of producing papers or records has a self-incriminatory “communicative” or “testimonial” aspect
– If the act of handing over the papers is non-communicative (if it neither reveals the existence of the document nor authenticates it), then the Fifth Amendment does not apply

Never applies to corporations

Never applies to corporate records

Once a document is given to another, Fourth and Fifth Amendment protection is lost

Fifth Amendment (Continued)

Cannot use the Fifth Amendment to avoid testifying against another individual (e.g., friend, spouse)
– Obstruction of justice

Encryption keys on shaky ground in the US
– Modern cryptography can make it virtually impossible to decipher documents without the cryptographic key, thus making the availability of the contents of those documents depend on the availability of the key

The key itself does not incriminate you; the material it PROTECTS may incriminate you

Fifth Amendment (Continued)

If the key is written down, you must present it

If it’s memorized, you may be protected from revealing it (in the United States)
– Different story in other nations

Recent case
– Does the Fifth Amendment Protect the Refusal to Reveal Computer Passwords? In a Dubious Ruling, a Vermont Magistrate Judge Says Yes
  – http://writ.news.findlaw.com/colb/20080204.html

Admissibility of Evidence

Chain of custody must be thoroughly recorded
– Any person in the chain might be called to testify that the evidence was not modified or subjected to contamination

Older: Frye test

– Is the technique generally accepted in its particular scientific community?

– In the early 1920s, a man named James Frye was found guilty of murder on the basis of a new lie-detector test based on the theory that when a person lied, the systolic blood pressure would be elevated

– In 1923, the Washington D.C. appeals court ruled that before a new scientific principle or discovery could be used as evidence in a court of law, it "must be sufficiently established to have gained general acceptance in the particular field in which it belongs."

– The court ruled that the blood-pressure test had not gained such acceptance, and so Frye’s conviction was reversed

– Courts are free to accept evidence that has not passed the Frye test but such acceptance is more easily appealable

Admissibility of Evidence (Continued)

The Frye test was used by the majority of US Federal courts for over 70 years
– Came under increasing attack since the 80’s
– Poor at separating any new or novel scientific or technological procedure

Newer: Daubert test (from the Supreme Court in Daubert)
– (e.g., see: http://www.skepticreport.com/mystics/dauberttest.htm)
– The Federal rule sets the courts up as “gatekeepers” to ensure that only opinions that are backed by a consistent methodology are allowed before the jury
– A witness qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise, if:
  – the testimony is based upon sufficient facts or data,
  – the testimony is the product of reliable principles and methods, and
  – the witness has applied the principles and methods reliably to the facts of the case

Daubert (Continued)

Factors that should be used by the courts in evaluating any proposed expert testimony
– Whether the theory or technique has been scientifically tested
– Whether the theory or technique has been subject to peer review or publication
– The expected error rate of the technique used
– Acceptance of the theory or technique in the relevant scientific community

While the Daubert test is certainly more liberal than the older Frye standard, it still allows the exclusion of testimony where the court is convinced that the method used to support the opinion is simply too poorly designed to be trustworthy

Daubert (Continued)

Since the Daubert decision was handed down, the Federal courts have identified a number of additional factors which have been useful in examining the reliability of expert opinion

Other factors (from the commentary of the 2003 version of the Federal Rules of Evidence regarding Rule 702):
– Is the expert testifying about something that comes out of their research directly, or have they developed opinions specifically for purposes of testifying?

– Has the expert unjustifiably extrapolated from an accepted premise to an unfounded conclusion?

– Has the expert adequately accounted for obvious alternative explanations?

– Is the field of expertise claimed by the expert known for reliable results for the type of opinion the expert would give?

Privacy-Protecting Laws

Federal Wiretap Act
– Covers interception of voice and electronic communications “on-the-wire”
– Generally illegal to intercept electronic communication, except in certain circumstances, among those on the following slide

Privacy-Protecting Laws (Continued)

Provider exception
– Can perform limited monitoring to protect the rights and property of a system under attack

Consent exception
– Permission to monitor

Provider exception
– Switchboard operator may overhear during call transfers
– Line technician may overhear during repairs to phone lines

Court order

Privacy-Protecting Laws (Continued)

Electronic Communications Privacy Act (ECPA)
– Covers access to stored voice and digital communications
– Covers what can be disclosed to law enforcement
– Question: Are communication services provided to the public?
  – e.g., AOL (yes): Restrictions with some exceptions:
    – Does the provider believe that an emergency involving death or serious physical harm may result otherwise?
    – Consent?
    – Contents of communication inadvertently acquired, evidence of a crime?
    – Can disclose non-content (e.g., logs of activity) to anyone not involved in government
  – e.g., corporate, university (no): No restrictions on what can be disclosed to law enforcement

Pen/Trap Statute of 18 U.S.C. 3121-27
– Covers real-time collection of addressing information (e.g., packet headers, phone #s), not the contents of the communication
– Rules more liberal than for wiretap

Access to Evidence for Law Enforcement

Preservation of Evidence letter
– Letter from the government asking that evidence not be erased as a matter of normal administrative procedures
– e.g., to AOL: “Please don’t delete logs related to…”
– Lasts for 90 days

To get name, address, session info (e.g., when the user logged in, etc.)
– Subpoena

Stored files
– Court order

Stored files containing electronic communications
– Search warrant
– For e-mail that has been read, court order

Difficulty level:
– Letter < subpoena < court order < search warrant

Patriot Act

So things weren’t complicated enough?

Hundreds of pages, complicated for non-lawyers

Much analysis of the Patriot Act is skewed
– “it’s a threat to our very lives” vs. “it’s a wonderful anti-terrorism tool”

Still, many citizens are not happy

Basic:
– significantly erodes requirements for law enforcement to show probable cause for warrants and wiretap orders
– removes requirements to notify parties of a search warrant being served
  – e.g., police may be able to enter a residence without informing the party until later

DMCA

Digital Millennium Copyright Act
– Summary here: http://www.copyright.gov/legislation/dmca.pdf

Expands copyright law

Makes reverse engineering illegal in many circumstances

Illegal in many circumstances to defeat access controls or anti-copying techniques
– Example: Buy a DVD; making a copy of the DVD involves defeating the copy protection scheme, thus illegal

“Encryption research” exceptions
– So vague that if you do some “encryption research” and release the results, you should be very careful
– “research” vs. distribution of copy protection circumvention techniques
– A research paper documenting circumvention with lots of technical explanation vs. a program that performs circumvention

Some Thoughts on Privacy

Current concentration: forced disclosure of encryption keys

“Security Against Compelled Disclosure”
– I. Brown, B. Laurie, 16th Annual Computer Security Applications Conference (ACSAC'00)

Issues:
– Agents that may want info to be disclosed:
  – Court may order information to be turned over
    – e.g., in the pre-trial “discovery” phase, where parties examine evidence held by the other to discover the strength of the case for and against
    – Failure to provide info in intelligible form may result in contempt of court (jail)
  – Government agencies
  – Organized crime

Digital Evidence in the Courtroom

Evidence must meet certain standards to be admitted
– Proof that the evidence is authentic and has not been tampered with becomes essential

Rules to evaluate evidence worldwide
– US Federal Rules of Evidence
– UK Police and Criminal Evidence Act (PACE)
– …

Maintaining and documenting the chain of custody of evidence is the most important aspect of authentication

Admissibility

Requirements for admissibility of digital evidence
– Obtained properly
– Handled properly

Digital evidence should be obtained with proper authorization
– Generally, a warrant is required to search for and seize evidence
– Digital evidence gained without authorization cannot be admitted to the court
  – Common mistake among many agents in the field

Exceptions
– Plain view
– Consent
– Exigency

Exceptions

If investigators see evidence in plain view, they can seize it provided they obtained access to the area validly

By obtaining consent to search, investigators can perform a search without a warrant
– Apply the rule with care!

A warrantless search can be made in any life-threatening emergency case

When Searching and Seizing Digital Evidence

Always consider Fourth Amendment and/or ECPA regulations

ECPA prohibits anyone from unlawfully accessing or intercepting electronic communications
– The 4th Amendment only applies to the government
– ECPA is the only federal act that specifically addresses interception of e-mail
  – The law makes it a federal crime to intentionally or willfully intercept, access, disclose or use another’s wire, oral or electronic communications (e-mail falls into this category)
– ECPA does not establish a right to privacy of e-mail communications in the workplace
  – Under its Employer Provider Exception, an employer can justify interceptions made in the ordinary course of business and that either
    – were necessary to the rendition of the service or
    – were necessary to protect its rights or property
  – An employer can argue that monitoring is needed for quality control checks!

For law enforcement officers to search and seize
– Have to get a warrant with probable cause and details of the place to be searched or things to be seized

To get a warrant

You have to convince a judge that
– A crime has been committed
– Evidence of the crime is in existence
– The evidence is likely to exist at the place to be searched

After you get a warrant, maintain focus on the crime under investigation
– Once unrelated evidence is found, obtain another search warrant for that crime
– Case examples
  – US v. Gray 1999
  – Wisconsin v. Schroeder

Authenticity and Reliability

Once you’ve shown proper acquisition of digital evidence, the next step is proving its authenticity and reliability

Authentication means satisfying the court that
– The contents of the record have remained unchanged
– The information in the record does in fact originate from its purported source (human or machine)
– Extraneous information is accurate
  – Ex) apparent date of the record
– Sommer P., “Downloads, Logs and Captures: Evidence from Cyberspace”, Journal of Financial Crime, October 1997
  – http://64.233.167.104/search?q=cache:T0eog1lMG7UJ:isig.lse.ac.uk/pdf/PeterSommerFullCV.pdf+Downloads,+Logs+and+Captures:+Evidence+from+Cyberspace+Journal+of+Financial+Crime&hl=en

Authenticity

Authentication is a two-step process
– Initial examination of the evidence to determine that it is what its proponent claims
– Closer analysis to determine its probative value

Problem: digital evidence is mutable
– An intruder might add/remove/modify log entries
– They might compromise system components that maintain the logs
– You might modify something during your investigation
– Ex) IRC logs, …

Authenticity (Continued)

Another problem: increasing variety and complexity of computer systems

US and UK courts have accepted the testimony of individuals who are familiar with the operation of computer systems
– Case example
  – Missouri v. Dunn, Appeals court, Western District of Missouri, Case number 56028
  – http://www.missourilawyersweekly.com/mocoa/56028.htm

Reliability

Once digital evidence is admitted, its reliability is assessed to determine its probative value

It will either reduce or increase the amount of weight assigned to the evidence

Previously, defending lawyers had argued that digital evidence is untrustworthy simply because there was a theoretical possibility of alteration and fabrication

However, as judges become more familiar with digital evidence, they are requiring evidence to support claims of untrustworthiness

Reliability (Continued)

Notes from the US Department of Justice, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations
– Absent specific evidence that tampering occurred, the mere possibility of tampering does not affect the authenticity of a computer record, US v. Bonallo

– “The fact that it is possible to alter data contained in a computer is plainly insufficient to establish untrustworthiness”, US v. Glasser

– Notably, once a minimum standard of trustworthiness has been established, questions as to the accuracy of computer records “resulting from … the operation of the computer program” affect only the weight of the evidence, not its admissibility, US v. Catabran

Best Evidence

Best evidence rule
– Copies become acceptable in place of the original, unless “a genuine question is raised as to the authenticity of the original or the accuracy of the copy or under the circumstances it would be unfair to admit the copy in lieu of the original”

In the digital evidence realm,
– A copy is generally accepted since an exact duplicate of most forms can be made
– Presenting a copy is even desirable since it can avoid the risk of accidental alteration of the original
– Paper printouts of a digital document may be considered equivalent to the original unless important portions of the original are not visible in printed form
  – Ex) Printed Microsoft Word document (w/o embedded notes and edits)

Direct vs. Circumstantial Evidence

Direct evidence establishes a fact

Circumstantial evidence may suggest a fact

Then, how about digital evidence?
– Ex) Computer log-on record
  – Direct or circumstantial?

Sometimes strong circumstantial evidence is as good as direct evidence
– Given enough circumstantial evidence, the court may not require direct evidence to convict an individual of a crime

Hearsay

“Evidence is hearsay where a statement in court repeats a statement made out of court in order to prove the truth of the content of the out of court statement”

Digital evidence might not be admitted if it contains hearsay because the speaker of the evidence is not present in court to verify its truthfulness
– Case example
  – North Dakota v. Froistad
    – Investigators needed a confession or other evidence to prove he killed his daughter as described in e-mail messages to one of the Internet chat boards

Hearsay (Continued)

Proving that someone distributed materials online is challenging and generally requires multiple data points that enable the court to connect the dots back to the defendant beyond a reasonable doubt

But there are several exceptions to accommodate evidence that portrays events quite accurately and that is easier to verify than other forms of hearsay
– Hearsay exceptions

Hearsay Exceptions

Records of regularly conducted activity are not excluded by the hearsay rule
– By the US Federal Rules of Evidence

Computer-generated vs. computer-stored digital evidence (by USDOJ 2002)
– Whether a person or a machine created the record’s content
– Computer-generated: machine
  – Computer-generated records contain the output of the computer program, so they do not contain human “statements”
  – The issue is whether the computer program that generated the record was functioning properly (authentication question), not whether a human’s out-of-court statement was truthful and accurate (hearsay question)
  – Ex) Log-in records from an ISP, telephone records, ATM receipts
– Computer-stored: human
  – Must comply with the hearsay rule
  – Ex) E-mail messages, word processing files, Internet chat room messages

Scientific Evidence

Tools and techniques used to process digital evidence have been challenged as well
– Courts are careful to assess the validity of a scientific process before accepting its result, due to the power of science to persuade
– A questionable scientific process may influence either the admissibility or the weight of the evidence

In the US, the Daubert test is used to evaluate a scientific process
– Whether the theory or technique can be (and has been) tested
  – Ex) Formal testing is performed by NIST

– Whether there is a high known or potential rate of error, and the existence and maintenance of standards controlling the technique’s operation

– Whether the theory or technique has been subjected to peer review and publication

– Whether the theory or technique enjoys “general acceptance” within the relevant scientific community

Presenting Digital Evidence

Preparation, preparation and preparation!
– It is not sufficient to merely have the technical skills to locate evidence on computer media
– Recover the evidence and maintain a strict chain of custody to ensure that the evidence is preserved in its original form
– Document, document and document!
– Be familiar with all aspects of the case
– Anticipate questions, rehearse answers, and prepare visual presentations to address important issues

The target audience is non-technical people
– When you present findings, it is necessary to explain how the evidence was handled and analyzed
– Using simple diagrams depicting the above processes is very effective
– Demonstrate chain of custody and thoroughness of methods in a clear, well-documented manner
– Good to have conclusions stated early in testimony
  – There is a risk that the opportunity will not arise later

Principles for Handling Digital Evidence

1. No action taken by police or agents should change data held on a computer or media that may subsequently be relied on in court

2. Investigators must be competent and able to explain the consequences of their actions

3. An audit trail should be created and preserved

4. The officer in charge of the case is responsible for the law and these principles being adhered to

http://www.nhtcu.org/images/ACPO%20Guide%20v3.0.pdf

Some Thoughts from the NIJ Guide

Computers and other digital media are increasingly important sources of evidence in criminal investigations
– The challenge for investigators in the courtroom “is the demonstration that the particular electronic media contained the incriminating evidence”

Because digital data is easily altered and it is difficult to distinguish between original data and copies
– extracting, securing and documenting digital evidence requires special attention
– Police, prosecutors, lawyers and judges are becoming more sophisticated

Some Thoughts from the NIJ Guide (Continued)

General principles for handling digital evidence
– The process of collecting digital evidence should not alter it or raise questions about its integrity
– Examination of digital evidence should be done by trained personnel
– All actions in processing the evidence should be documented and preserved for review
– Examination should be conducted on a copy of the original evidence (the original should be preserved intact)
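The authentication requirement (contents unchanged), the best-evidence rule (an exact duplicate is acceptable, and a copy is what the examiner works on) and the handling principles above all rest on tying every handling step to a verifiable hash of the evidence. The following Python is an added example, not code from the lecture or from any of the guides it cites: a small append-only custody log that records who handled the evidence copy, when, and the SHA-256 observed, and pins any divergence to the first step at which it appeared. The item ids, custodian names and the byte string standing in for a disk image are constructed for the example.

```python
"""Chain-of-custody log with hash verification (constructed example)."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Digest used to show that a working copy is an exact duplicate of the acquired image."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only log: every transfer or examination records who handled the
    item, when, what was done, and the hash observed at that moment."""

    def __init__(self, item_id: str, acquired_image: bytes, custodian: str):
        self.item_id = item_id
        self.entries = []
        # The hash taken at acquisition is the reference every later copy is checked against.
        self.reference_hash = sha256_hex(acquired_image)
        self.record("acquired", custodian, acquired_image)

    def record(self, action: str, custodian: str, data: bytes, note: str = "") -> bool:
        """Append one handling step; returns True if the data still matches the reference."""
        observed = sha256_hex(data)
        intact = observed == self.reference_hash
        self.entries.append({
            "item": self.item_id,
            "when": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "custodian": custodian,
            "sha256": observed,
            "intact": intact,
            "note": note,
        })
        return intact

    def is_intact(self) -> bool:
        """True only if every recorded handling step observed the reference hash."""
        return all(e["intact"] for e in self.entries)

    def first_break(self):
        """The entry at which the hash first diverged from the reference, or None."""
        for e in self.entries:
            if not e["intact"]:
                return e
        return None

    def to_json(self) -> str:
        """Serialised audit trail, suitable for preserving alongside the evidence."""
        return json.dumps(self.entries, indent=2)


# Constructed sample: a few bytes standing in for a forensic disk image.
ORIGINAL_IMAGE = b"BOOT\x00\x01 user=alice last_login=2010-09-14T08:12Z\n"


def demo_intact_copy() -> bool:
    """Examiner works on an exact duplicate; every step observes the reference hash."""
    log = CustodyLog("EX-001", ORIGINAL_IMAGE, "acquiring examiner")
    working_copy = bytes(ORIGINAL_IMAGE)  # exact duplicate, the copy the best-evidence rule allows
    log.record("transfer to lab", "evidence custodian", working_copy)
    log.record("examination", "analyst", working_copy, "keyword search on copy")
    return log.is_intact()


def demo_altered_copy() -> str:
    """One field changed in transit; the log names the step where the hash diverged."""
    log = CustodyLog("EX-002", ORIGINAL_IMAGE, "acquiring examiner")
    tampered = ORIGINAL_IMAGE.replace(b"alice", b"mallory")
    log.record("transfer to lab", "evidence custodian", tampered)
    brk = log.first_break()
    return brk["action"] if brk else ""


if __name__ == "__main__":
    print("intact copy:", demo_intact_copy())
    print("hash first diverged at:", demo_altered_copy())
```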