COEN 152 Computer Forensics
The purpose of forensic activity is the presentation of evidence in a court room. Depending on the nature of the proceeding, criminal or civil, different issues arise. In civil proceedings, the collection of evidence can violate somebody's rights and thus expose the investigator to legal claims and sanctions (e.g. for violating the wiretap code). Criminal proceedings center on the admissibility of evidence: for instance, was the chain of custody maintained for the evidence, or does the evidence have to be suppressed as a remedy against an illegal search? The purpose of this module is not to educate the future forensics examiner in legal issues, but to give a first introduction to them.
Computer Forensics is the application of science and engineering to the legal problem of evidence. It is a synthesis of science and law.
Virtually all professional examiners will agree on some overriding principles, ... that evidence should not be altered, examination results should be accurate, and that examination results are verifiable and repeatable.
Mark Pollitt (FBI, ret.)
Computer Forensics is the application of computer science and engineering to incidents involving one or several computers, routers, etc., in order to extract evidence that can be used in a legal proceeding. The legal proceedings might be criminal or civil. A more specialized form of computer forensics is intrusion forensics, where we investigate attacks or suspicious behavior directed against computers.
In order to be used in legal proceedings, evidence must be admissible. Courts and judicial systems have established certain standards; in the US, these are set by the Federal (and state) Rules of Evidence and by case law.
Any information is in principle admissible in court if it is relevant and if its probative value outweighs its prejudicial effect. In addition, there must be guarantees of the trustworthiness of the information. The U.S. legal system uses several techniques to ensure the reliability of testimony and evidence.
Foundations lay the context for information used as evidence in a trial. On rare occasions, an out-of-court statement is admissible. The proper foundations for admitting such a conversation include statements on who was present, where and when the conversation was held, and other relevant circumstances. The foundations for evidence from a confiscated computer include at least the circumstances of the confiscation.
With a few, tightly controlled exceptions, hearsay is inadmissible. For example, the forensics examiner has to testify in court; she cannot simply write a report that is then admitted as evidence in the legal proceedings. Primarily, this preserves the right of the other side to cross-examine, and thus the capacity of the adversarial system to establish trustworthiness and to assess credibility.
Admissions, that is, out-of-court statements made by parties that are against their penal or pecuniary interest, are not hearsay. For example, an email or a file that can be attributed to the defendant can be considered an admission that is therefore admissible as evidence. For this to happen, there must be something more than just a file or an email that seems to stem from the defendant. For example, the information tends to be something that only the defendant could know, or the computer was only used by the defendant, e.g. because it was at his home, it was password protected, and he was the only one to know the password (exclusive dominion and control).
Writings are normally considered hearsay and are inadmissible unless they fall under an exception to the hearsay rule. Business records do not count as hearsay. For something to be a business record, it must (in general) satisfy the following general conditions:
Assume that network logs (at a private company) are submitted as evidence that a person sftp-ed to a certain site. If they qualify as business records, then they can be admitted. It might be necessary to provide testimony about the type of computer equipment on which they were created and maintained, the reliability of the equipment, the reliability of the personnel involved, what and where the source data is, how the records were created, what the purpose and use of these records is, what quality checks are in place, etc. The record must also be identified as that which was described in the supporting testimony. (There is a large body of case law on all of these issues.) If the logging was turned on only after the suspect came under suspicion of espionage, then the evidence loses its presumption of trustworthiness. If however the logging was always done, and only the report on the suspect's sftp activity, distilled from the logs, was prepared for the investigation of the suspect, then the logs themselves maintain their status as business records. Even if the logs were turned on in order to find evidence that the suspect was engaged in commercial espionage, the logs could be admitted under another exception to hearsay (and one could certainly try to argue that turning on the logging did not cause the bias that is the concern of the rule). In any case, the information distilled from the logs could (and probably would) still be admissible as evidence. For example, the systems administrator who turned on the logging can act as a witness who describes the actions she took based on the readings of the logs (that there were sftp packets going from one IP address to an IP address assigned to the other company, how she ascertained that the IP address was leased to the defendant's workstation, ...).
As courts become more familiar with computers, they might accept a distinction between computer-stored records and computer-generated records. The hearsay rule prefers direct evidence over the potentially tainted memory of an out-of-court statement; thus, records that are merely stored on a computer fall under the hearsay rule unless there is an exception such as the business record rule. Since computer-generated records such as logs do not degrade from copy to copy, the question is rather whether the computer-generated record is authentic, that is, the proponent of the evidence must be ready to show that the record is what he claims it to be. Authenticity can be lacking if there is the possibility of alteration, though the mere possibility of alteration is not enough to exclude evidence. Authenticity can also be lacking if the program that generated the computer-generated records lacks reliability.
Chain of custody prevents evidence from being tainted; it thus establishes the trustworthiness of items brought into evidence. The U.S. legal system wants the proponent of evidence to be able to demonstrate an unbroken chain of custody for the items he wants to have admitted.
Often, there is a stipulation, for example, when there is an agreement between the parties or a concession by the opponent of the evidence that allows it to be admitted without requiring testimony to prove the foundational elements. The purpose of stipulation is to move the trial quickly forward, without pondering idle questions.
If a break in the chain of custody is brought to the attention of the court, then the court has to decide whether the breach is so severe as to warrant exclusion of the item from trial. Alternatively, the court can decide that the trier of fact (trial judge or jury) needs to decide the value of the evidence. To prevent a breach, a forensic investigation should follow a written policy, so that necessary deviations from the policy can be argued. The policy itself should take all reasonable (or arguably reasonable) precautions against tampering.
For example, assume that a PDA is seized from a suspected drug dealer. In the case of a PDA, there is no hard drive image to mirror, that is, the examination will have to be done on the powered-on original. The PDA can lose data, for example by disconnecting it from its battery. On seizure, the device should not be switched on. If it is seized switched on, it should be switched off in order to preserve battery power. It needs to be put into an evidence bag that does not allow access to the PDA without breaking the seal (no clear plastic bag!). The evidence needs to be tagged with all pertinent data, including the serial number of the PDA and the circumstances of the seizure. The PDA should never be returned to the accused at the scene, because the device can lose data if reset. To maintain the data in the PDA, it needs to be kept in a continuously charged mode. It should only be used to extract evidence by a competent person who can testify in court. As long as the PDA could be evidence, it needs to be kept in an evidence locker, with check-out logs, so that it can be determined who had access to the PDA at any time.
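The check-out log just described is what lets a court decide whether the chain is unbroken. As an added example (not part of the course page), here is a small checker for such a log: every custody event records when, what happened, who handled the item, and the SHA-256 of the acquired image at that moment, and the checker reports chain breaks (a check-out without a matching check-in, a check-in by someone else, events out of order) as well as any hash that no longer matches the seizure hash. Names, timestamps and the image bytes are constructed for illustration.

```python
# Added example, not from the course page: a chain-of-custody log checker.
# Each custody event: (timestamp_iso, action, custodian, sha256 of the
# acquired image at that moment).  verify_custody() returns the findings a
# court would weigh when judging whether the chain of custody was broken.
# Names, timestamps and the image bytes below are constructed.
import hashlib
from datetime import datetime

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_custody(entries):
    """entries: chronological (timestamp_iso, action, custodian, image_hash)
    tuples for one item; action is "checkin" or "checkout".  The first
    entry (the seizure) fixes the reference hash.  Returns a list of
    findings; an empty list means the chain is intact."""
    findings, holder, reference, last_ts = [], None, None, None
    for ts_str, action, custodian, image_hash in entries:
        ts = datetime.fromisoformat(ts_str)
        if last_ts is not None and ts < last_ts:
            findings.append(f"{ts_str}: entry out of chronological order")
        last_ts = ts
        if reference is None:
            reference = image_hash          # hash taken at seizure
        elif image_hash != reference:
            where = f"held by {holder}" if holder else "in the locker"
            findings.append(f"{ts_str}: image hash differs from seizure "
                            f"hash ({where}), possible alteration")
        if action == "checkout":
            if holder is not None:
                findings.append(f"{ts_str}: {custodian} checked out item "
                                f"still held by {holder} (no check-in)")
            holder = custodian
        elif action == "checkin":
            if holder != custodian:
                findings.append(f"{ts_str}: check-in by {custodian}, but "
                                f"item was held by {holder}")
            holder = None
        else:
            findings.append(f"{ts_str}: unknown action {action!r}")
    if holder is not None:
        findings.append(f"item still checked out to {holder} at end of log")
    return findings

# Constructed sample data: an acquired image and two custody logs.
IMAGE = b"constructed sample bytes standing in for an acquired PDA image"
H_OK = sha256_hex(IMAGE)
H_ALTERED = sha256_hex(IMAGE + b"\x00")   # one byte differs
INTACT_LOG = [
    ("2007-03-01T10:15:00", "checkout", "Officer Lion", H_OK),   # seizure
    ("2007-03-01T12:00:00", "checkin", "Officer Lion", H_OK),
    ("2007-03-02T09:00:00", "checkout", "Examiner Ann", H_OK),
    ("2007-03-02T17:30:00", "checkin", "Examiner Ann", H_OK),
]
BROKEN_LOG = INTACT_LOG[:3] + [            # Ann never checked the item in
    ("2007-03-03T08:00:00", "checkout", "Examiner Bob", H_ALTERED),
    ("2007-03-03T16:00:00", "checkin", "Examiner Bob", H_ALTERED),
]
```

Running verify_custody(BROKEN_LOG) reports the missing check-in by Ann and the two hash mismatches, which is exactly the kind of gap the court would have to rule on.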
The "Best Evidence Rule" says that an original writing must be offered as evidence unless it is unavailable, in which case other evidence, like copies, notes, or other testimony can be used. Since the rules concerning evidence on a computer are fairly reasonable (what you can see on the monitor is what the computer contains, computer printouts are best evidence, ...) computer records and records obtained from a computer are best evidence.
The California Evidence Code Section 1500 provides that the content of a writing be proven by introducing the original:
Except as otherwise provided by statute, no evidence other than the original of a writing is admissible to prove the content of a writing. This section shall be known and may be cited as the best evidence rule.
The set of exceptions to the "original only" rule is large. In California, it comprises:
The Electronic Communications Privacy Act ("ECPA"), Title III, extends protection against wiretapping to communications between computers. This puts at risk my privilege to monitor traffic from my own computer if a hacker gains control over it and uses it as a jumping-off point for further attacks. The following exceptions in Title III restore some of my privileges:
The constitution limits the actions of government, but not of individuals. When a private person violates someone's privacy, the wronged party cannot seek redress on the grounds that constitutional rights have been violated, but must take recourse to other legal protection. A government agent enjoys, in most of their actions as a government agent, protection from prosecution through the sovereign immunity principle. Thus, the same action by a private person and by a government agent can have very different consequences. If Peter Panther installs a keystroke sniffer on Jerry Jackal's machine and can therefore prove that Jackal is in possession of child pornography, then this evidence is admissible in court against Jackal. But since Panther violated the wiretap law, both Jackal and Panther might end up in jail. If however Leo Lion, a sworn law enforcement official, does the same thing without a warrant, then Lion's violation of Jackal's rights is so grievous that only exclusion of the evidence can remedy the violation. But Lion is probably protected by sovereign immunity (prosecutorial immunity) if he had a reasonable assumption that what he was doing was legal.
The fourth amendment: The right of people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
If a government agency would like to seize electronic evidence, e.g. a computer, without a warrant, it needs to take the reasonable expectation of privacy into account. Court decisions draw an analogy to a closed container (file cabinet or briefcase) if law enforcement is interested in the contents stored on the computer. There is conflicting case law on whether individual folders (directories) and files can be considered closed containers. See United States v. Carey, 172 F.3d 1268, 1273-75 (10th Cir. 1999) (ruling that an agent exceeded the scope of a warrant to search for evidence of drug sales when he "abandoned that search" and instead searched for evidence of child pornography for five hours). The scope of the expectation of privacy is limited. An example is United States v. David, 756 F. Supp. 1385 (D. Nev. 1991), where agents looking over the defendant's shoulder read the defendant's password from the screen as the defendant typed his password into a handheld computer. The court found no Fourth Amendment violation in obtaining the password, because the defendant did not enjoy a reasonable expectation of privacy "in the display that appeared on the screen." A person might also lose their expectation of privacy when they relinquish control to third parties, for example, by sending a computer in for repair. However, during mere transmission, government examination of contents would usually violate the expectation of privacy. If someone sends a file to someone else, then they could lose Fourth Amendment protection. For example, in United States v. Horowitz, 806 F.2d 1222 (4th Cir. 1986), the defendant e-mailed confidential pricing information relating to his employer to his employer's competitor. After the FBI searched the competitor's computers and found the pricing information, the defendant claimed that the search violated his Fourth Amendment rights. The court did not uphold this claim.
The constitution does not protect against actions by private parties. The issue becomes murky when government profits from these actions, since the private person becomes a quasi-agent of government the moment that a governmental official participates in or knows of the action. For example, in United States v. Hall, 142 F.3d 988 (7th Cir. 1998), the defendant took his computer to a private computer specialist for repairs. In the course of evaluating the defendant's computer, the repairman observed that many files stored on the computer had filenames characteristic of child pornography. The repairman accessed the files, saw that they did in fact contain child pornography, and then contacted the state police. The tip led to a warrant, the defendant's arrest, and his conviction for child pornography offenses. On appeal, the Seventh Circuit rejected the defendant's claim that the repairman's warrantless search through the computer violated the Fourth Amendment. Because the repairman's search was conducted on his own, the court held, the Fourth Amendment did not apply to the search or to his later description of the evidence to the state police.
People can and do give consent to have their property searched, even if it is common property, as is the case with co-users of a computer. See United States v. Smith, 27 F. Supp. 2d 1111, 1115-16 (C.D. Ill. 1998) (concluding that a woman could consent to a search of her boyfriend's computer located in their house, and noting that the boyfriend had not password-protected his files). Make sure you read the paragraph referring to system administrator's rights to allow access to the contents of computer storage under their control in Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations.
Under exigent circumstances agents can search without warrant if the circumstances "would cause a reasonable person to believe that entry . . . was necessary to prevent physical harm to the officers or other persons, the destruction of relevant evidence, the escape of the suspect, or some other consequence improperly frustrating legitimate law enforcement efforts."
Evidence of a crime may be seized without a warrant under the plain view exception to the warrant requirement. To rely on this exception, the agent must be in a lawful position to observe and access the evidence, and its incriminating character must be immediately apparent.
Pursuant to a lawful arrest, agents may conduct a "full search" of the arrested person, and a more limited search of his surrounding area, without a warrant.
The Privacy Protection Act ("PPA") protects publishers against searches. One criterion is that the materials are possessed by a person "in connection with a purpose to disseminate to the public" some form of "public communication," such as the WWW. Thus, anyone who has a computer and an internet connection might possess PPA-protected material.
The Electronic Communications Privacy Act (ECPA) governs law enforcement access to the contents of electronic communications stored by third-party service providers. ECPA also has a criminal provision that prohibits unauthorized access to electronic or wire communications in "electronic storage." This makes government searches of Internet service providers very difficult, since the privacy of the users needs to be guarded.
Legally privileged documents seized by the government, typically medical records and attorney-client communications, are not only inadmissible; they can also taint the prosecution. When agents seize a computer that contains legally privileged files, a trustworthy third party must comb through the files to separate those files within the scope of the warrant from files that contain privileged material. After reviewing the files, the third party will offer those files within the scope of the warrant to the prosecution team.
The doctrine of sovereign immunity asserts that a sovereign or a government cannot commit a legal wrong and is immune from civil suit or criminal prosecution. (Wikipedia) As an offshoot, certain offices such as judge or prosecutor, and by extension others, have either absolute or qualified immunity. For example, in Jean v. Collins, police officers have absolute immunity for failure to turn over exculpatory material to a criminal defendant, because they are performing a prosecutorial task. The same court said that they had qualified immunity for not turning the exculpatory material over to the prosecutor. This immunity can be waived by the legislature. Essentially, sovereign immunity protects the state and its agents, and the state can give up this immunity. For example, law enforcement officers do not enjoy sovereign immunity for willfully violating civil rights.
ACPO Good Practice Guide for Computer Based Electronic Evidence (UK)
Recognizing and Meeting Title III Concerns in Computer Investigations (USA)
Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations (USA)
DoJ on the USA Patriot Act (USA)
Computer Crime and Intellectual Property (USA)
Council of Europe Cybercrime Convention (EU)
Marcella, Greenfield (eds.): Cyber Forensics, Chapter 7 and following.
Chemerinsky, Erwin (1999): Prosecutorial Immunity. Touro Law Review 15:1643-1656.
Mosteller, Robert P. (2003): Admissibility of Fruits of Breached Evidentiary Privileges: The Importance of Adversarial Fairness, Party Culpability, and Fear of Immunity. Washington University Law Quarterly 81:961-1016.
©2007 Thomas Schwarz, S.J., COEN, SCU