Computer Forensics BACS 371
description
Transcript of Computer Forensics BACS 371
Evidence Collection & Admissibility
Computer ForensicsBACS 371
Outline Evidence overview Evidence admissibility Challenges to evidence Evidence acquisition Preserving evidence Evidence authenticity Forensic methodology Special considerations2
5 Rules of Evidence Admissibility – the evidence must be
admissible in court. Authenticity – the evidence must relate to
the incident in question Completeness – the evidence must be
comprehensive Reliability – the evidence must be consistent
and uncontaminated Believability – the evidence should be clearly
understandable and believable by the jury3
Admissible Evidence?What makes evidence “admissible”? Short answer – if a judge says it is, it is… Judges use guidelines for admissibility:
Is the evidence relevant? Is the evidence authentic and credible? Is the evidence competent?
An overriding principle is the “exclusionary rule” which says it is not admissible if it was not collected legally.
4
Is it Relevant? The question of relevance is usually the
first considered by a judge. If it is not relevant, then it will not be admissible.
To be considered relevant the evidence must satisfy 2 conditions:1. It must be material – directly relating to
the case being presented.2. It must be probative – proves something
that will help get to the truth of the situation.
5
Is it Authentic and Credible? The question of authenticity is basically
asking if the evidence is what it purports to be.
This requires asking a number of questions which include: Is the material an opinion? If it is an opinion, is it the opinion of an
expert witness? Was it collected correctly? Could it have been altered in any way?
6
Is it Competent? It is not prejudicial in any way. This applies
primarily to evidence not directly related to the case.
It is not privileged. For example, it cannot involve attorney-client, doctor-patient, … or other privileged communication.
It cannot be collected in violation of Constitutional rights.
It cannot be hearsay (except for expert witnesses).
It cannot violate an exclusionary rule.7
Withstanding Challenges to Evidence
Criminal trials are often preceded by a suppression hearing.
This is where the admissibility (i.e., suppression) of evidence is determined.
At this hearing, the judge determines if the 4th Amendment was correctly followed.
Also, if proper discovery procedure is not followed, defendants can challenge evidence admissibility.
8
Exclusionary Rules Exclusionary rules test whether
evidence will be admissible (judges use them).
Exclusionary rules pertain to the following: Relevancy Privilege Opinion of an expert Hearsay Authentication9
Acquiring Evidence – Legal AspectsThere are a number of pertinent legal aspects to acquiring evidence. These include: The 4th Amendment affects how forensic
analysts can acquire evidence Preserving the evidence Establish authenticity of the evidence Following a repeatable process to ensure
admissibility10
4th Amendment Considerations when Acquiring Evidence When does evidence “seizure” occur? Who owns the computer that contains
data? What type of image is “good enough” to
be searched? Do attempts to delete data involve privacy
or indicate a cover-up? When searching a network, where do you
stop? What if one search leads to another?
Where does one search stop and another begin?
11
Preserving the EvidenceComputer Forensics is the discipline of acquiring, preserving, retrieving, and presenting electronic data.
Three C’s of evidence: Care - Take Care of the way you collect and
handle it Control - Take Control of it by seizing and
storing it properly Chain of Custody - Keep an accurate Chain of
Custody12
Preserving and Storing the Evidence
Keep evidence in possession or control at all times
Document movement of evidence between investigators (chain of custody).
Secure evidence appropriately so that it can’t be tampered with or corrupted.
Mathematically authenticate data. (i.e., hash values)
13
Preserving the Evidence Preserving the evidence means that you
practice a defensible (objective, unbiased) approach that is: Performed in accordance with forensic
science principles Based on standard or current best practices Conducted with verified tools to identify,
collect, filter, tag and bag, store, and preserve e-evidence
Conducted by individuals who are certified in the use of verified tools, if such certification exists
Documented thoroughly14
Establishing Authenticity Authenticity is normally established by
one of the following 3 methods: Authentication – show that it’s a true copy Best Evidence Rule – work with the original Exceptions to Hearsay rule – confessions or
business recordsForensic analyst tend to use authentication based upon hash values
15
Legal Authenticity StandardsOver the years, several evidence standards have been devised. These exist to determine if evidence is what it purports to be (i.e., “authentic & credible”) Relevancy test – Anything that is materially relevant to case Frye Standard – Technique my be sufficiently established
(general acceptance test) Coppolino Standard – Even if not generally accepted, court
can accept if good foundation laid Marx Standard – No need to sacrifice common sense Daubert Standard – Rigorous test with special discovery
procedures
16
Forensic MethodologyA forensic methodology is a well-defined, repeatable process used by forensic analysts to ensure that:
Evidence is properly collected, prepared, and stored
Evidence is analyzed in a consistent and thorough manner acceptable to the court
Analyst objectivity is maintained Documentation is collected to ensure that
a comprehensive report can be generated.17
Brief Outline of the Scientific Method
Successful forensic examinations generally follow the scientific method.1. Identify and research a problem2. Formulate a hypothesis3. Conceptually and empirically test the
hypothesis4. Evaluate the hypothesis with regards to
test results5. If hypothesis is acceptable, evaluate its
impact. If not, reevaluate the hypothesis
18
Special Considerations Digital Forensics has some
special considerations when it comes to evidence.
The plain view doctrine Multiple computer users Search with consent
19
Plain View Doctrine The plain view doctrine was developed for
physical, tangible evidence. Digital evidence requires a more refined definition
of “plain view” Inadvertence approach - Did the investigator discover
the evidence accidentally or as the result of a systematic search?
Prophylactic test approach - required that a neutral 3rd party go thru and separate relevant evidence when intermixed with non-relevant.
Computers as containers approach - treats individual directories as “closed containers”. Requires specially worded warrant to view all.
20
Multiple Computer Users Any time a computer is configured for
multiple users the issue of privacy becomes convoluted.
Legal search in these cases revolves around the notion of “reasonable expectation of privacy.”
Accounts with passwords are a strong case for individual account privacy.
The problem is also present in network environments and cloud storage situations.21
Search with Consent Multiple computer user accounts combined
with forensic tools that cannot distinguish who actually owns a file can cause search with consent problems.
The general rule is that consent cannot be given to another users files if an effort has been made to segregate the users (e.g., passwords, independent folders, …)
The issue is clouded when the user accounts have administrative privilege (since they can reset passwords).
22
23
Summary Evidence must be admissible, authentic,
complete, reliable, and believable. Judges determine admissibility based on a set of
exclusionary rules and other procedural concerns. Improper search and seizure can make even the
best evidence inadmissible. There are various ways to establish the
authenticity of evidence. Certain special considerations must be taken into
account when working with digital evidence.