Cindy - Anatomy of a Window


Computer Forensics

Principles and Practices by Volonino, Anzaldua, and Godwin

Chapter 12: Federal Rules and Criminal Codes

Objectives

- Identify federal rules of evidence and other principles of due process of the law
- Explain the legal foundation and reasons for pretrial motions regarding evidence
- Identify the limitations on expectations of privacy
- Explain the major anticrime laws and amendments impacting discovery and use of e-evidence

© Pearson Education Computer Forensics: Principles and Practices 2

Introduction

In this chapter you will learn about the due process of law, federal rules of evidence and procedure, and anticrime laws. You will learn about the authority granted to investigators under privacy laws and the limitations those laws impose to protect civil rights.


Due Process of the Law

- Due process of the law is a fundamental principle to ensure all civil and criminal cases follow rules to prevent prejudicial treatment
- Primary rules ensuring due process:
  - Federal Rules of Civil Procedure
  - Federal Rules of Criminal Procedure
  - Federal Rules of Evidence

Due Process of the Law (Cont.)

- Federal rules of procedure regulate production of evidence
- Amendment to Rule 34 made electronic data subject to discovery
- This change raised issues about e-evidence:
  - How can evidence be authenticated, proved reliable, and determined to be admissible in criminal and civil proceedings?

In Practice: Supreme Court Approves E-Discovery Changes

- In April 2006, the U.S. Supreme Court approved proposed amendments to the Federal Rules of Civil Procedure concerning discovery of "electronically stored information"
- Amendments will impose greater precision and change the way lawyers and courts approach e-discovery

Due Process of the Law (Cont.)

- Federal Rules of Evidence adopted in 1975
- Rules govern the admissibility of evidence, including electronic records or data
- Some rules are exclusionary rules that specify types of evidence that can be excluded
- In establishing admissibility, many rules concentrate first on evidence's relevancy

Due Process of the Law (Cont.)

- Exclusionary rules test whether evidence will be admissible
- Exclusionary rules pertain to:
  - Relevancy
  - Privilege
  - Opinion of expert
  - Hearsay
  - Authentication

Federal Rules of Evidence Pertaining to E-Evidence

Federal Rules of Evidence and their description:

- Rule 104(a). Preliminary questions of admissibility generally: preliminary questions concerning the qualification of an expert witness or the admissibility of evidence are decided by the court
- Rule 401. Definition of Relevant Evidence: relevant evidence means evidence that can make some fact or issue more probable or less probable than it would be without the evidence
- Rule 402. Relevant Evidence Generally Admissible; Irrelevant Evidence Inadmissible: all relevant evidence is admissible, except as otherwise provided by the Constitution of the United States, by Act of Congress, by these rules, or by other rules of the Supreme Court

(Continued)

Federal Rules of Evidence Pertaining to E-Evidence (Cont.)

Federal Rules of Evidence and their description (continued):

- Rule 702. Testimony by Experts: this rule broadly governs the admissibility of expert testimony
- Rule 704. Opinion on Ultimate Issue: testimony in the form of an opinion, provided it is not inadmissible for some other reason, is allowed
- Rule 802. Hearsay Rule: hearsay is not admissible except as provided by these rules or by other rules of the Supreme Court

Due Process of the Law (Cont.)

- Hearsay evidence
  - Hearsay Rule 802 can block admissibility except in case of an exception
  - Electronic records that are business records are admissible under the business records exception rule
- Motions to suppress evidence are handled before trial in a motion in limine

Due Process of the Law (Cont.)

- Under Federal Rule 702, a forensic investigator's qualifications, or the tools or methods used in an investigation, can be objected to
- From 1923 to 1993, the Frye test was used to determine admissibility of expert witness testimony and methodologies
- In 1993, the Daubert test replaced the Frye test

Due Process of the Law (Cont.)

- To determine admissibility, a judge must decide:
  - Whether the theory or technique can be and has been tested
  - Whether it has been subjected to peer review and publication
  - The known or potential error
  - The general acceptance of the theory in the scientific community
  - Whether the proffered testimony is based upon the expert's special skill

Due Process of the Law (Cont.)

- A physical document can be authenticated by direct evidence or circumstantial evidence
  - Examples of circumstantial evidence include a document's appearance, content, or substance
- The same circumstantial evidence courts use to authenticate physical documents applies to e-mail messages
- Rule 901 requires that the person who introduces the message provide evidence sufficient to prove that the message is what its proponent claims it is

Due Process of the Law (Cont.)

- Reliability of e-evidence and methods used must also be established by proving that:
  - The computer equipment is accepted as standard and competent and was in good working order
  - Qualified computer operators were employed
  - Proper procedures were followed in connection with the input and output of information
  - A reliable software program and hardware were used
  - Equipment was programmed and operated correctly
  - The exhibit is properly identified as the output in question

Due Process of the Law (Cont.)

- Circumstantial e-mail evidence authenticates other e-mail
  - E-mail messages not directly relevant may be relevant when used to authenticate other messages
  - Content of messages may have a style similar to that in other documents
- Circumstantial evidence can also be used to authenticate chat room sessions

In Practice: The Importance of Style

- In a sexual harassment case, a manager produced an e-mail supposedly sent by an employee
- Computer forensics investigation concluded it was impossible to prove the e-mail had been sent by the employee
- The employee produced e-mail messages that differed markedly in style from the one the manager had received

Anticrime Laws

- Electronic Communications Privacy Act of 1986
  - Applies to stored files that had been transmitted over a network
  - Goal is to balance privacy rights with law enforcement needs
- Limitations of privacy laws
  - Courts' interpretation of Fourth Amendment protection

In Practice: Constitutional Rights Are Not Unlimited

- Alan Scott shredded documents that contained evidence of tax evasion, then argued that shredding created a reasonable expectation of privacy
- Use of technology (the shredder) does not provide constitutional protection
- Reconstruction of documents did not violate expectation of privacy because he had no foundation for that expectation

Anticrime Laws (Cont.)

- Federal Wiretap Statute of 1968
  - ECPA amended this statute to include interception of electronic communications, including e-mail
  - USA PATRIOT Act also expanded the list of activities for which wiretaps can be ordered
  - Wiretaps are ordered when terrorist bombings, hijackings, or other violent crimes are suspected
  - Statute requires that recordings captured with the wiretap must be given to the judge within a reasonable amount of time

Anticrime Laws (Cont.)

- Pen/Trap Statute, Section 216
  - Governs the collection of noncontent traffic data, such as numbers dialed by a particular phone
  - Section 216 updates the statute in three ways:
    - Law enforcement may use pen/trap orders to trace communications on the Internet and other networks
    - Pen/trap orders issued by federal courts have nationwide effect
    - Law enforcement must file a special report when they use a pen/trap order to install their own monitoring device on computers belonging to a public provider

Anticrime Laws (Cont.)

- Counterfeit Access Device and Computer Fraud and Abuse Act
  - This act primarily covered illegal access or use of protected government systems
  - Aimed at individuals who broke into or stole information from government computers
  - Law was too narrow, so it was amended twice:
    - Through CFAA in 1994
    - Through National Information Infrastructure Protection Act (NII) in 1996

In Practice: Federal Wiretap Authority

- Two sources of authority for federal wiretaps within the United States:
  - Federal Wiretap Act (Title III) of 1968
    - Sets procedures for real-time surveillance of voice, e-mail, fax, and Internet communications
  - Foreign Intelligence Surveillance Act (FISA) of 1978
    - Allows wiretapping based on probable cause that the person is a member of a foreign terrorist group or an agent of a foreign power

Anticrime Laws (Cont.)

- USA PATRIOT Act
  - This act greatly broadened the FBI's authority to monitor phone conversations, e-mail, pagers, wireless phones, computers, and other electronic communications
  - This act made it lawful for an officer to intercept a computer trespasser's wire or electronic communication transmitted to or through a protected computer

Anticrime Laws (Cont.)

- USA PATRIOT Act authorizations include:
  - Intercepting voice communications in computer hacking investigations
  - Allowing law enforcement to trace communications on the Internet and other computer networks within the pen and trap statute
  - Intercepting communications of computer trespassers
  - Writing nationwide search warrants for e-mail
  - Deterring and preventing cyberterrorism

Anticrime Laws (Cont.)

- USA PATRIOT Act (cont.)
  - Act changed the point at which targets are notified of the search
  - Delayed notification is called the sneak and peek provision
  - Law enforcement can delay notification for up to 90 days, or even longer by showing good cause for delay

Anticrime Laws (Cont.)

- USA PATRIOT Act (cont.)
  - Expanded power for surveillance:
    - Judicial supervision of telephone and Internet surveillance by law enforcement is limited
    - Law enforcement and intelligence agencies have broad access to sensitive medical, mental health, financial, and educational records with limited judicial oversight
    - Government has power to conduct secret searches of individuals' homes and businesses, including monitoring books bought from bookstores or borrowed from libraries

Anticrime Laws (Cont.)

- USA PATRIOT Act (cont.)
  - Requires an agency that sets up surveillance to identify:
    - Any officers who installed or accessed the device to obtain information from the network
    - The date and time the device was installed and uninstalled, and the duration of each time the device was accessed
    - The configuration of the device at the time of installation, plus any later modification
    - Any information that the device has collected

In Practice: Defendant’s Attempt to Exclude E-Evidence Rejected

- U.S. Court of Appeals rejected a defendant's efforts to exclude evidence that had been obtained using cell-site data
- Defendant argued that his phone had been turned into a tracking device
- Court ruled that this data fell into the realm of electronic communication and that suppression was not a remedy for legal interception of electronic communications

Anticrime Laws (Cont.)

- Electronic surveillance issues
  - In 2005 - 2006, it was reported that President George W. Bush had authorized the NSA to spy on Americans without warrants
  - Administration justified the action as required to combat terrorism
  - Legal scholars argued that this warrantless wiretapping, in violation of FISA and bypassing Congress, constituted an impeachable offense

Anticrime Laws (Cont.)

- Computer Fraud and Abuse Act (CFAA)
  - First law to address computer crime in which the computer is the subject of the crime
  - CFAA has been used to prosecute virus creators, hackers, information and identity thieves, and people who use computers to commit fraud

Key Terms in the CFAA

Key terms and what each term means:

- Protected computer: a protected computer means a computer that:
  - Is used by a financial institution
  - Is used by the U.S. government
  - Affects domestic, interstate commerce
  - Affects foreign commerce
- Authorized access: two references regarding authorized access:
  - Without authorization
  - Exceeding authorized access
- Damage: damage is defined as any impairment to the integrity or availability of data

(Continued)

Key Terms in the CFAA (Cont.)

Key terms and what each term means (continued):

- Loss: any reasonable cost to any victim, including:
  - Responding to an offense
  - Conducting a damage assessment
  - Restoring the data, program, etc.
  - Lost revenue or other damages
- Conduct: determines if the damage done was intentional, reckless, or negligent
  - Intentional conduct
  - Reckless conduct

In Practice: Applying Crime Laws

- Drugs known as "research chemicals" were sold openly from U.S. Web sites to customers around the world
- In 2004, the DEA shut down the Web sites and arrested site operators
- Web site operators were prosecuted under a law that prohibits possession and supply of chemicals "substantially similar" to controlled substances

Summary

- You have learned about the Federal Rules of Evidence and Procedure
- Actual cases and court decisions were presented to illustrate the challenges an investigator faces
- Before seizing computers, Fourth Amendment search warrant requirements need to be met

Summary (Cont.)

- The Electronic Communications Privacy Act (ECPA) must be considered
- Anticrime legislation such as the USA PATRIOT Act provides greater authority to law officials and investigators
- Ethical issues and dilemmas will be covered in the next chapter