Search and Seizure - Southern Oregon University

Real Forensics
The hard way

Data Recovery
● What data/evidence can you retrieve from a hard drive?
● Usually dd is good enough
● Sometimes real help is needed
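As an added example (not from these slides), the dd-based imaging the bullets refer to, with a hash recorded beside the image so the copy can later be shown to match the source. The sample "drive" is a constructed file, and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the slides: dd imaging with hash verification.
# A constructed regular file stands in for the drive; hashes come from
# sha256sum (or shasum -a 256 where that is what the system has).

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_sample PATH: write a constructed 2048-byte "drive" (four 512-byte sectors).
make_sample() {
    yes 'constructed sector data' | head -c 2048 >"$1"
}

# image_drive SRC DST: bit-for-bit copy with dd. bs=512 matches the sector
# size, so conv=noerror,sync (keep reading past a bad block and zero-fill it)
# never pads the image beyond the length of the source.
image_drive() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# verify_image SRC DST: record both hashes next to the image and return 0 only
# when they match. Re-running it later catches any change to the image file.
verify_image() {
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash" >"$2.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Usage on a real device (assumed path): image_drive /dev/sdX evidence.img && verify_image /dev/sdX evidence.img
```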

Real Help
● Hard Drive recovered from Columbia Shuttle accident
● February 1, 2003
● 400 Mbyte
  http://www.sciam.com/article.cfm?id=hard-drive-recovered-from-columbia
● 99% of the data was recovered from a Xenon shear thinning experiment

Hard Drive Mounted on Plate

HDD Internals

Ontrack Data Recovery
● Probably:
  – Removed the platters and cleaned them
  – Rebuilt the spindle assembly
  – Mounted in a new case
  – Exercised in a clean room

Hard Drive Architecture

HDD Capacity

Forensic Investigations
● Investigations
● Search Warrants
● Subpoena
● Surveillance
● Wire Taps
● NSL
● First some Law

Constitution
● Under what authority can one search and seize people and things?
● All Law Enforcement activities must be traceable to the Constitution.
● Especially search and seizure of potential evidence of suspected crime.

Amendment IV
The right of the people to be secure in their persons, houses,
papers, and effects, against unreasonable searches and
seizures, shall not be violated, and no Warrants shall issue,
but upon probable cause, supported by Oath or affirmation,
and particularly describing the place to be searched, and the
persons or things to be seized.

Rights of People
● Secure against unreasonable searches
  ● Persons
  ● Houses
  ● Papers
  ● Effects
● Warrant
  ● Probable cause
  ● Under Oath
  ● Specified place, persons or things to be seized

4th Amendment
● Protects people not places.
● People in their Persons, Houses, Papers, Effects
● Protects both tangible and intangible items.
  ● Includes oral communication
● 4th Amendment covers only government searches.

Forensics Investigations
● Law Enforcement
● Industrial
● Recovery
● Informal
● Illegal

Law Enforcement Investigation
● Fully supported by a duly obtained search warrant
● Full probable cause
● Adequately witnessed
● Formally executed
● Under judicial review
● Suspect can have redress in court.

Industrial Investigation
● Often secret, informal
● Authorization follows from ownership of place and things.
● Authority over people follows from employment contract.
● Only employee action can follow, unless law enforcement is called in.
  ● At which time legal procedures must be used.
● Employees have redress in civil court.

System Recovery
● Exam of systems to discover what happened.
● Often to recover lost data
● Usually done by experts for hire.
● Usually not interested in preserving evidence for court presentation.
● Done with permission of the owner of the device.

Informal Investigation
● Done with full permission of the owner.
● Few procedures are followed.
● Of no evidentiary value.
● Be careful
● If you want to practice, get some used ones from a recycler.
● If you find anything of a privacy nature, destroy it.

Illegal Investigations
● Don’t do it!
● Gets you nowhere.
● A lot of industrial and informal investigations are ultimately illegal.
● It will follow you for a long time.

Constitution (again)
● 4th Amendment enables the issuance of Warrants for search and seizure.
● Case Law and Congressional Acts have refined and expanded on the Constitution.

Privacy
● 1st Amendment ensures a person’s right to association and privacy in one’s association.
● 4th Amendment ensures a person’s right to privacy of their persons, houses, papers and effects.
● 5th Amendment ensures a person’s right to a private enclave.

1st Amendment
● Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

5th Amendment
● No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.

Expectation of Privacy
● There is no blanket guarantee of privacy in the Constitution.
● The 4th Amendment sufficed until telephones etc.
  ● The Wire Tap Law (1934)
● Further refined in:
  ● ECPA 1986
  ● CALEA

Legal Invasion of Privacy

Legal Instruments for Search and Seizure
● Search Warrants
● Warrantless Searches
● Subpoenas
● Wire Taps/Surveillance
● FISA – It is a new world.
● NSL – It is a brave new world
● NSA – ???

Search Warrant
● Obey the Constitution
● Specifies
  ● Place
  ● Persons
  ● Stuff – papers, effects
● Show probable cause
  ● Contained in a sworn affidavit
  ● Support for probable cause
● Signed by a Judge with jurisdiction

Warrants
● Expectation of privacy
  ● In public places
  ● Requires warrants to conduct surveillance
● If given to a 3rd party, no expectation of privacy
  – Telephone records, bank deposits, etc.
  – Requires subpoena

Careful: Exclusionary Rule
● If government agents engage in unlawful searches or seizures, then all fruits of the search are excluded from further legal action.

Warrant
● Warrant to seize computer HW is different from warrant to seize information.
● Seize HW if the HW is contraband, evidence, etc.
  ● Warrant should describe HW.
● Seize information if it relates to probable cause.
  ● Warrant should describe information.
  ● Either image HDD on site OR
  ● Seize the HW and image at the office
    ● Be sure you have a warrant for and description of HW.

Back to Warrants
● Search warrants and computers, etc.
● Much confusion over the wording of the warrant
● Search and Seize
  ● HW
  ● Contents
  ● Information
● Where – home or the office?

Search Warrants for Computer stuff
● Be very careful
● Get 2 search warrants
● Number 1:
  ● Search premises, people, vehicles, etc.
  ● Seize computers, docs, data media, etc.
● Number 2:
  ● Search the contents of the computers, digital devices, etc.
  ● Business practice concerns taken

Warrantless Searches
● Permission
● Incident to arrest
● Plain sight
● Recent Oregon ruling: “Through the window of one's home is not in plain sight”

Subpoenas/Summons
● A writ commanding a person to appear in court under penalty of law.
● Specified time and place
● Must be issued by the clerk of the court in the name of a judge.
● Lawyers acting as officers of the court can issue subpoenas for testimony in a trial or for records.

Subpoenas
● Law Enforcement can request the court to issue subpoenas.
● Usually through a court
● Usually for testimony
● Always subject to judicial review and approval.
● Must satisfy the 4th Amendment.

Subpoenas
● E-mail, voice mail, stored files
● If at an Electronic Services Provider, get a subpoena for the information.
● Careful: these can be very expensive.
● Is there enough evidence on the HW to convict?

Subpoena duces tecum
● A summons to appear in court and produce tangible evidence for use at a hearing or trial.
● Usually only to furnish records.
● Often part of discovery
● Used to get phone records, financial records, etc.
● Used also to get handbooks, papers, and any other records relevant to the case at hand.

Subpoena ad testificandum
● A summons to appear in court and give oral testimony for use at a hearing or trial.

Surveillance
● Physical, Auditory, Visual eavesdropping
● Not part of Computer Forensics

Electronic Surveillance
● Actual communication content
● Source/destination information
  ● Pen/trap and trace
● Real time surveillance
  ● Phone conversations
  ● Monitoring telephone line
● Stored communication activity
  ● Voice mail

Surveillance
● For computer forensics, we are only concerned with communications using digital/electronic technology.
● Aware of the potential evidence
● Liabilities
● Responsibilities

Federal Wire Tap Act 1934
● Used to ensure privacy of telephone communications.
● People were reluctant to use telephones because someone with headphones and alligator clips could listen in.
● Defined Wire Communications
  ● Essentially aural communications
  ● Understood with the human ear.

ECPA of 1986
● Electronic Communications Privacy Act
● Extended Title III of the Omnibus Crime Control and Safe Streets Act of 1968.
● Passed to protect privacy in the increasingly digital world.
● Made exceptions for Law Enforcement.
● Contains 3 Titles

Title I
● Outlines statutory procedures for intercepting wire, oral and electronic communications.
● Extended wiretap protections to inaudible communications, e.g. transmission through wire, fiber optic, microwave, etc.
  ● Can’t listen in on these transmissions.
  ● Illegal to enable wiretapping devices.

Title II
● The Stored Communications Act
● Protects communications not in transit.
● Providers can’t reveal stored communications
  ● Voice mail
  ● E-mail
● Issues regarding unopened e-mail and voice mail.
● Release is through subpoena or court order.

Title III
● Provides law enforcement the capability of electronically monitoring targeted communications.
● Should be used judiciously.
● Authorized only by a Federal District Court Judge.
● Emergencies – May initiate surveillance provided application for search warrant is made within 48 hours.

Title III Wire Tap
Sec. 2518. Procedure for interception of wire, oral, or electronic communications
(1) Each application for an order authorizing or approving the interception of a wire, oral, or electronic communication under this chapter shall be made in writing upon oath or affirmation to a judge of competent jurisdiction and shall state the applicant's authority to make such application. Each application shall include the following information:
(a) the identity of the investigative or law enforcement officer making the application, and the officer authorizing the application;
(b) a full and complete statement of the facts and circumstances relied upon by the applicant, to justify his belief that an order should be issued,
(c) a full and complete statement as to whether or not other investigative procedures have been tried and failed or why they reasonably appear to be unlikely to succeed if tried or to be too dangerous;
(d) a statement of the period of time for which the interception is required to be maintained.
(e) a full and complete statement of the facts concerning all previous applications known to the individual authorizing and making the application; and
(f) where the application is for the extension of an order, a statement setting forth the results thus far obtained from the interception, or a reasonable explanation of the failure to obtain such results.

Wire vs. Electronic
● Wire Communications: any aural communications via wire, cable between the point of origin and the point of reception.
  ● Must contain human voice
  ● Basically telephone communication
  ● Not radio unless encrypted/scrambled
  ● And storage of such communication

Wire vs. Electronic
● Electronic Communications: transfer of signs, signals, writing, images, sounds, data via wire, radio, electromagnetic, photo-optic system, but does not include:
  ● any wire or oral communications
  ● tone-only paging device
  ● any communication from a tracking device
  ● electronic funds transfer

Wire vs. Electronic
● Intercept: acquired contemporaneously with their transmission

Stored vs. In Transit
● Electronic Storage: any temporary, intermediate storage of a wire or electronic communication incidental to its transmission, and storage for purposes of backup protection.
  ● Temporary storage
  ● Example: e-mail stored and not yet delivered.
  ● NOT opened, read and saved; then it is a stored computer record and subject to search warrant.
● In Transit: on the wire and ephemeral.

CALEA
● Communications Assistance for Law Enforcement Act
● Required telecom equipment manufacturers to design equipment to facilitate interception.
  – Cell phones
  – Pagers
  – Mobile radio
● Required delivery of packet-mode communications to LE without warrant
● Supposedly maintained the privacy/LE balance in ECPA
● Has greatly expanded since 9-11

CALEA – post 9-11
● New requirements for switching technologies
● Separation of signaling info from content has blurred.
● Excessive requirements on VoIP.
● New requirements for LANs in the public arena.