Legal Issues
Computer Forensics COEN 152/252
Drama in Soviet Court. Post-Stalin (1955). Painted by Solodovnikov. Oil on Canvas, 110 x 130 cm.

Upload: leslie-thornton

Post on 26-Dec-2015



Issues of Evidence
- Information is admissible in court if it is:
  - relevant, and
  - its probative value outweighs its prejudicial effect.

Issues of Evidence
- Best Evidence Rule: the legal doctrine that an original piece of evidence, particularly a document, is superior to a copy. If the original is available, a copy will not be allowed as evidence in a trial.

Issues of Evidence
- Foundation: context for information.
- Hearsay: a statement not made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted.
  - In general not admissible.
- Chain of Custody: establishes trustworthiness of evidence by preventing tampering.
- Stipulation: agreement between parties or concession by one party in a judicial proceeding.

Hearsay
Rule 801. Definitions That Apply to This Article; Exclusions from Hearsay
(a) Statement. “Statement” means a person’s oral assertion, written assertion, or nonverbal conduct, if the person intended it as an assertion.
(b) Declarant. “Declarant” means the person who made the statement.
(c) Hearsay. “Hearsay” means a statement that:
  (1) the declarant does not make while testifying at the current trial or hearing; and
  (2) a party offers in evidence to prove the truth of the matter asserted in the statement.

Exceptions to Hearsay
- Admission against interest: out-of-court statements contrary to penal or pecuniary interest, including those found on a computer.
- Business Records:
  - Made in the normal course of business.
  - Relied on by the business.
  - Made at or near the occurrence of the act the record purports to record.
  - Offered through a competent witness, either the custodian of the record or another who can testify to those issues.

Exceptions to Hearsay
- Official government records: must be properly kept.
- Writing about an event close to its occurrence used to refresh a witness’s memory.
- “Learned treatise”
- Judgments in other cases
- Spontaneous excited utterance

Exceptions to Hearsay
- Contemporaneous statement which explains a person’s state of mind at the time of an event.
- A statement which explains a person’s future intentions if that state of mind is in question.
- Prior testimony
- A declaration of the opposing party which was contrary to their best interest if the party is not available at trial.
- Dying declaration by a person who believes (s)he is dying.

http://dictionary.law.com/

Exceptions to Hearsay
- A statement made about one’s mental set, feeling, pain, or health if the person is not available.
- A statement about one’s own will when the person is not available.
- Other exceptions at the judge’s discretion based on the reliability of the testimony.

http://dictionary.law.com/

Exceptions to Hearsay Rule
- Relevant for computer-based evidence:
  - Records of regularly conducted activity
  - Absence of entry in records kept in accordance with the provisions of paragraph (6)

Nature of “Computer Evidence”
- Computer evidence falls under:
  - Computer-generated evidence: logs, file system, …
  - Computer-stored evidence: email, photo, …
- Both need additional evidence for evaluation:
  - Does the file system show signs of tampering?
  - Is the file system reliable?
  - When was the photo taken?
  - Was the clock on the camera off?

Nature of Computer Evidence
- Nonhearsay: records created by a process that does not involve a human assertion
  - Telephone toll records
  - Cell tower logs
  - Embedded GPS data
  - ATM records
  - Web server logs
- There is no assertion made by a human being; at best, a command.

Nature of Computer Evidence
- Mixed hearsay and nonhearsay: a combination of hearsay and nonhearsay
  - Email containing header information and content
  - Documents created by a human being, but with creation date from the file system

Nature of Computer Evidence
- Nonhearsay records:
  - Are not human statements
  - Result from a program designed to process information
  - Either: there is no person involved
  - Or: the human conduct is non-assertive
- Issue is authentication: is the computer equipment and software functioning?

Nature of Computer Evidence
- While computer evidence often falls under the business record exception for hearsay, it is mostly nonhearsay.
- The real question is authentication: does the evidence say what it purports to say?
- We get back to authentication when we talk about expert witnessing.

Proper Care of Evidence
- Evidence collected by the state needs to be protected from fraud.
- This lays a burden on the state to provably preserve the evidence.
- Chain of custody.

Breach of Chain of Custody
- Not every breach makes the item inadmissible.
- Not necessary to have the best security against tampering.
- Government agents are assumed to be trustworthy.
- But …

Chain of Custody
- Seized device is put in an evidence locker.
  - Typically a closet safeguarded against intrusion.
- Records allow reconstruction of who had physical control over the device.

Chain of Custody
- Working on the original: a forensic examination that is done directly on the original disk drive will make it difficult to argue that the evidence could not have been tampered with. Much better to make a “true copy” and examine the true copy.
- Proof that it is a true copy.
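As an added illustration (not part of the lecture slides or any tool they mention), the following Python shows the two pieces of practice the last two slides point at: proving that a working copy is a true copy by comparing cryptographic hashes of the original and the copy, and keeping a custody record from which the sequence of handlers can be reconstructed and whose later alteration is detectable. The drive contents, exhibit id, handler names and timestamps are constructed for the example.

```python
"""True-copy verification and a tamper-evident chain-of-custody log.

Added illustration, not part of the lecture: the "original drive" is a constructed
in-memory byte string standing in for a disk image; no hardware is touched.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """Cryptographic fingerprint of the evidence bytes (SHA-256, hex encoded)."""
    return hashlib.sha256(data).hexdigest()


def verify_true_copy(original: bytes, copy: bytes) -> bool:
    """A copy is a true copy only if it is bit-for-bit identical to the original;
    recording and comparing the two hashes is how that is demonstrated in court."""
    return len(original) == len(copy) and sha256_hex(original) == sha256_hex(copy)


GENESIS = "0" * 64  # previous-entry hash used for the first record


class CustodyLog:
    """Append-only custody record. Every entry commits to the digest of the entry
    before it, so a later edit or removal of an entry is detected by verify()."""

    def __init__(self, item_id: str, item_hash: str, custodian: str, when: str):
        self.item_id = item_id
        self.entries = []
        self.append("intake", custodian, item_hash, when)

    def append(self, action: str, handler: str, item_hash: str, when: str) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"item": self.item_id, "action": action, "handler": handler,
                 "item_hash": item_hash, "when": when, "prev": prev}
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def verify(self) -> bool:
        """Re-walk the chain: each entry must hash to its recorded digest and
        point at the digest of its predecessor."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def handlers(self) -> list:
        """Who had control of the item, in order: the reconstruction the slide asks for."""
        return [(e["when"], e["handler"], e["action"]) for e in self.entries]


# Constructed sample: a small "drive" of repeating bytes standing in for an image.
ORIGINAL_DRIVE = bytes(range(256)) * 16
TRUE_COPY = bytes(ORIGINAL_DRIVE)                # bit-for-bit image
ALTERED_COPY = ORIGINAL_DRIVE[:-1] + b"\x00"     # one trailing byte changed


def run_demo() -> dict:
    """Walk the exhibit through intake, imaging and examination; return the checks."""
    original_hash = sha256_hex(ORIGINAL_DRIVE)
    log = CustodyLog("EXHIBIT-001", original_hash, "evidence custodian", "2015-12-01T09:00Z")
    log.append("imaged", "forensic examiner", sha256_hex(TRUE_COPY), "2015-12-01T10:30Z")
    log.append("examined copy", "forensic examiner", sha256_hex(TRUE_COPY), "2015-12-02T08:00Z")
    log.append("returned to locker", "evidence custodian", original_hash, "2015-12-02T17:00Z")
    intact = log.verify()
    # Simulate an after-the-fact edit of one record: the chain no longer verifies.
    log.entries[1]["handler"] = "unknown person"
    return {
        "true_copy_ok": verify_true_copy(ORIGINAL_DRIVE, TRUE_COPY),
        "altered_copy_ok": verify_true_copy(ORIGINAL_DRIVE, ALTERED_COPY),
        "log_intact_before_edit": intact,
        "log_intact_after_edit": log.verify(),
        "handler_count": len(log.handlers()),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The hash comparison is the examiner's proof that the copy examined is the copy taken; the chained log is what lets the custodian show, record by record, who held the exhibit and that no record was quietly changed afterwards.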

Best Evidence Rule
- Copies are worse than originals, therefore they are not admissible unless the original has been destroyed.
- Does not apply to various computer outputs.

Best Evidence Rule
“Except as otherwise provided by statute, no evidence other than the original of a writing is admissible to prove the content of a writing. This section shall be known and may be cited as the best evidence rule.”
California Rules of Evidence 1500.

Best Evidence Rule Exceptions:
- Printed representations of computer information and computer programs.
- Printed representations of images stored on video or digital media.
- Secondary evidence of writings that have been lost or destroyed without fraudulent intent of the proponent of the evidence.
- Secondary evidence of unavailable writings.
- Secondary evidence of writings an opponent has, but fails to produce as requested.
- Secondary evidence of collateral writings that would be inexpedient to produce.

Best Evidence Rule Exceptions:
- Secondary evidence of writings recorded in public records, if the record or an attested or certified copy is made evidence of the writing by statute.
- Secondary evidence of voluminous writings.
- Copies of writings that were produced at the hearing and made available to the other side.
- Certain official records and certified copies of writings in official custody.
- Photographic copies made as business records.
- Photographic copies of documents lost or destroyed, if properly certified.
- Copies of business records produced in compliance with Sections 1560-1561.

Future
- The law argues by analogy.
- Justice takes (eventually) account of technology.
- Digital storage has qualitative properties that make it fundamentally different from writings:
  - Ease of alteration.
  - Possibility of completely accurate copy & transmission.
- Current law is still based on the case of manual copy.
- If the problems are big enough, either precedent will change or statutes will make the proper exceptions.

Acquisition of Evidence
- Distinction between government agents and private citizens.
- Illegal actions by private citizens can yield admissible evidence and lead to their punishment.
- If a sworn law officer violates an amendment, the gained evidence is usually suppressed, but the officer is protected by sovereign immunity.

Sovereign Immunity
- A sovereign or a government cannot commit a legal wrong and is immune from civil suit or criminal prosecution.

Prosecutorial Immunity
- Judges, legislators, prosecutors enjoy qualified or unqualified immunity.
- Property of the role, not the person.
  - I.e. a prosecutor’s immunity depends on whether they are acting in a prosecutorial role, an investigative role, etc.

Prosecutorial Immunity
- Jean v. Collins: police officers have absolute immunity for failure to turn exculpatory material over to a criminal defendant, because they are performing a prosecutorial task.
  - They have qualified immunity for not turning the exculpatory material over to the prosecutor.
- Law enforcement officers do not enjoy sovereign immunity for willfully violating civil rights.

Electronic Communications Privacy Act ("ECPA"), Title III
- Extends protection against wiretapping to communications between computers.
- Know the exceptions.
- Know the consequences of violating the title.

Electronic Communications Privacy Act ("ECPA"), Title III
- A person acting under the color of law can intercept electronic communication where such a person is party to the communication or one of the parties to the communication has given prior consent to such interception.

Electronic Communications Privacy Act ("ECPA"), Title III
- "A person not acting under color of law" is also allowed to intercept an "electronic communication" where "such person is a party to the communication, or one of the parties to the communication has given prior consent to such interception."
- The consent can be implicit, e.g. by using a computer protected with login banners.

ECPA Title III Concerns
- Title III also permits providers of a communication service, including an electronic communication service, the right to intercept communications as a "necessary incident to the rendition of his service" or to protect "the rights or property of the provider of that service."

ECPA Title III Concerns
- Two exceptions to the last rule:
  - If there is no actual damage, then the right to monitor does not exist.
  - The government is not allowed to do the monitoring, but it can profit from monitoring.

Fourth Amendment
“The right of people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

Fourth Amendment
- Computer storage = closed container, such as a briefcase.
- With warrant: limits to the warrant because of privilege or additional protection.
- Without warrant: expectation of privacy.

Fourth Amendment
- No expectation of privacy:
  - Public display
  - Material in someone else’s hands
  - Consent by co-owner or authorized person
  - Exigent circumstances
  - Plain view exception
  - Lawful arrest
- Very difficult and interesting case law.

Fourth Amendment
- Fundamental question: does the individual enjoy a reasonable expectation of privacy in electronic information stored within a storage device?
- Courts equate storage devices to a “closed container”.

Fourth Amendment
- Reasonable expectation of privacy and third party possession.
- Difference between data in transit (usually need a warrant) and data received by a third party.
- Received by third party: can the owner reasonably expect privacy?
  - Bank account information that account holders divulge to the bank.

Fourth Amendment
- Fourth Amendment does not apply to private searches.
- Private party cannot act as government agents:
  - Repairman discovers many file names indicating child pornography, opens those, discovers child pornography, and informs LE.
  - LE can repeat the original private search, but not exceed it.

Fourth Amendment
- Searches using innovative technology applied to ordinary devices might need a warrant:
  - Kyllo v. United States: the Supreme Court held that the warrantless use of a thermal imager to reveal the relative amount of heat released from the various rooms of a suspect's home was a search that violated the Fourth Amendment.

Fourth Amendment: Exceptions to the Warrant Requirement
- Consent
  - Government carries the burden of proof that the consent was voluntary.
  - Scope of consent depends on the facts of each case.
  - E.g.: does consent to search premises include consent to search storage devices found there?

Fourth Amendment: Exceptions to the Warrant Requirement
- Exigent Circumstances: “would cause a reasonable person to believe that entry . . . was necessary to prevent physical harm to the officers or other persons, the destruction of relevant evidence, the escape of the suspect, or some other consequence improperly frustrating legitimate law enforcement efforts.”
  - Arises in computer cases because some electronic evidence is volatile.
  - Reasons for exigent circumstances limit the scope of the search.

Fourth Amendment: Exceptions to the Warrant Requirement
- Plain View: the agent must be in a lawful position to observe and access the evidence, and its incriminating character must be immediately apparent.
  - E.g.: an LE agent makes a search of a hard drive and comes upon evidence of an unrelated crime while conducting the search.
- Search Incident to a Lawful Arrest: a search incident to arrest must be reasonable.
  - Strip searches are usually not reasonable. Inventory searches are reasonable.
  o But that should not support a search through seized computer files.

Fourth Amendment: Exceptions to the Warrant Requirement
- Border Searches: “routine searches” do not require a warrant:
  United States Customs Agents learned that William Roberts, a suspect believed to be carrying computerized images of child pornography, was scheduled to fly from Houston, Texas to Paris, France on a particular day. On the day of the flight, the agents set up an inspection area in the jetway at the Houston airport with the sole purpose of searching Roberts. Roberts arrived at the inspection area and was told by the agents that they were searching for "currency" and "high technology or other data" that could not be exported legally. Id. at 681. After the agents searched Roberts' property and found a laptop computer and six Zip diskettes, Roberts agreed to sign a consent form permitting the agents to search his property. A subsequent search revealed several thousand images of child pornography.

Fourth Amendment: Workplace Searches
- O'Connor Supreme Court decision: the legality of warrantless workplace searches depends on often-subtle factual distinctions such as whether the workplace is public sector or private sector, whether employment policies exist that authorize a search, and whether the search is work-related.

Fourth Amendment: Workplace Searches
- Typical:
  - A fellow employee who has equal control over a computer can consent to its search.
  - Employers and supervisors who have authority over a computer can consent to its search.
- HELPFUL: an employment policy stating that the employer retains authority over its computers and networks.

Fourth Amendment
- Multiple warrants might be needed in network searches.
- No-knock warrants: as a general matter, agents must announce their presence and authority prior to executing a search warrant.
- Sneak-and-Peek Warrants: "surreptitious entry warrants"

Privacy Protection Act
- Protects publishers against government searches of material that is acquired for publication.
- Reaction to the Daily Stanfordian case.
- Internet publishing allows much private computer material to fall under the PPA protection.

Privacy Protection Act
Subject to certain exceptions, the PPA makes it unlawful for a government officer "to search for or seize" materials when
(a) the materials are "work product materials" prepared, produced, authored, or created "in anticipation of communicating such materials to the public," 42 U.S.C. § 2000aa-7(b)(1);
(b) the materials include "mental impressions, conclusions, or theories" of its creator, 42 U.S.C. § 2000aa-7(b)(3); and
(c) the materials are possessed for the purpose of communicating the material to the public by a person "reasonably believed to have a purpose to disseminate to the public" some form of "public communication."

OR


Privacy Protection Act
Subject to certain exceptions, the PPA makes it unlawful for a government officer "to search for or seize" materials when
(a) the materials are "documentary materials" that contain "information," and
(b) the materials are possessed by a person "in connection with a purpose to disseminate to the public" some form of "public communication."

Privacy Protection Act: Exceptions
1) the only materials searched for or seized are contraband, instrumentalities, or fruits of crime;
2) there is reason to believe that the immediate seizure of such materials is necessary to prevent death or serious bodily injury;
3) there is probable cause to believe that the person possessing such materials has committed or is committing the criminal offense to which the materials relate (an exception which is itself subject to several exceptions);
4) in a search for or seizure of "documentary materials" as defined by § 2000aa-7(a), a subpoena has proven inadequate or there is reason to believe that a subpoena would not result in the production of the materials.

Privacy Protection Act
- Was not intended for web journalism, which raises questions of who is a journalist and what constitutes publication.

Electronic Communications Privacy Act
- Protects third party data against law enforcement seizures, e.g. at an internet provider.

Electronic Communications Privacy Act
- Steve Jackson Games, Inc. v. Secret Service:
  Steve Jackson Games, Inc. ("SJG") was primarily a publisher of role-playing games, but it also operated a network of thirteen computers that provided its customers with e-mail, published information about SJG products, and stored drafts of upcoming publications. Believing that the system administrator of SJG's computers had stored evidence of crimes, the Secret Service obtained a warrant and seized two of the thirteen computers connected to SJG's network, in addition to other materials. The Secret Service did not know that SJG's computers contained publishing materials until the day after the search. However, the Secret Service did not return the computers it seized until months later. At no time did the Secret Service believe that SJG itself was involved in the crime under investigation.

Electronic Communications Privacy Act
- In Steve Jackson Games, the district court held the Secret Service liable under ECPA after it seized, reviewed, and (in some cases) deleted stored electronic communications seized pursuant to a valid search warrant.

Pen/Trap Statute (amended 2001)
- Authorizes installation of pen-registers and trap-and-trace devices.
  - Pen register: only records dialing, routing, and address information for outgoing electronic communications.
  - Trap-and-Trace: same for incoming communications.
- Court order for a pen/trap device requires only a statement by the investigator that the information is likely to be relevant to a criminal investigation.

USA Patriot Act (2001)
- Contains “sneak and peek” authority
  - Delayed notification of physical searches for up to 90 days.
  - Already the norm in wiretap cases.
  - Dalia v. U.S. 1979:
    o Feds implanted a hidden microphone pursuant to a search warrant.
    o Notification was delayed until surveillance was ended.
- Allows installation of electronic surveillance devices authorized for the whole U.S.
  - Important for working with IP providers.
- Gives immunity to persons providing technical assistance.

Legally Privileged Documents
- Need to prevent an ongoing investigation from using legally privileged documents:
  - Medical records.
  - Attorney-client communications.
  - Priest-penitent communications.

Case Law
- Kleiner vs. Burns, 2000
  - Defendant only produced limited correspondence in the original discovery request.
  - Court imposed sanctions and enjoined defendant to try harder.
- Rowe Entm’t Inc. v. William Morris Agency, Inc. (2002)
  - Distribution of costs of discovery.
- Zubulake v. UBS Warburg (2003)
  - Standard gender discrimination case.
  - Court revisited costs of discovery.

Case Law
- Alexander v. FBI (1998)
  - Limits large-scale digital discovery to targeted and appropriately worded searches of backed up and archived e-mail messages.
- Crown Life Ins. v. Craig Ltd (1993)
  - Sanctions imposed for precluding evidence and failure to comply with court order.
- Brand Name Prescription Drug Antitrust Litigation (1995)
  - Early case about burden of discovery.
- Simon Prop. Group vs. mySimon Inc.
  - Discovery extends to recoverable, but deleted, files.

Case Law
- Santiago v. Miles (1988)
  - Raw computer information is obtainable under discovery: a special tool was created for extraction of data for the court.
- Anti-Monopoly Inc. v. Hasbro, Inc (1995)
  - Not only hard copies, but also electronic documents are discoverable.
- Playboy Ent. v. Welles (1999)
  - Burden of cost factors is the only limitation to discovery requests for copying and examining a hard drive for emails.
- People v. Hawkins (2002)
  - Importance of time in computers.
  - Allowed printout of computer access times.
  - Proper functioning of the computer clock relevant to the case.

Case Law
- U.S. v. Allen (1997)
  - “Merely raising the possibility of tampering is insufficient to render evidence inadmissible”
- U.S. v. Bonallo (1988)
  - “The fact that it is possible to alter data contained in a computer is plainly insufficient to establish untrustworthiness”
- Arizona v. Youngblood (1988)
  - Requires defendant to demonstrate that the police acted in bad faith in failing to preserve the evidence.
- Easley, McCaleb & Assoc. v. Perry (1994)
  - Deleted but recoverable files are discoverable.
- RKI, Inc. v. Grimes (2001)
  - Defendant was fined after defendant conducted a disk defrag before discovery in order to destroy evidence.
- State v. Cook (2002)
  - Upheld admissibility of bit stream analysis after expert testimony on the imaging process, authenticity methods, and possibility of tampering.
- V Cable, Inc. v. Budnick (2001)
  - Evidence collection by a private agency is trustworthy under rule 803(6).