Forensic Evidence and Crime Investigation

2

Objectives

Understand what constitutes a crime and identify categories of crime

Understand law enforcement’s authority to investigate information warfare and terrorist threats to national security

Explain the different types of evidence Identify what affects the admissibility of

evidence

3

Objectives (Cont.)

Identify how electronic evidence differs from physical evidence

Identify what digital forensics tools and techniques can reveal and recover

Explain the process of discovery and electronic discovery

4

Introduction

Criminal investigations involve the analysis of ballistic or bloodstain patterns, gunpowder residue, tire tracks, fingerprints, or evidence left by electronic devices. E-evidence is the digital equivalent of the physical evidence found at crime scenes.

5

Introduction (Cont.)

The expansion of the Internet provides countless opportunities for crimes to be committed

Digital technologies record and document electronic trails of information that can be analyzed later E-mail, instant messages (IM), Web site visits PDAs, iPods, smart phones, cookies, log files etc.

6

Introduction (Cont.)

This chapter introduces: Legal foundations for recovering evidence Foundations for examining computer forensic

evidence Crime and principles of evidence Admissibility of evidence Proper evidence collection and handling

procedures

7

Basics of Crimes

Early cases that illustrate the importance of knowing the law regarding computer crimes Robert T. Morris Jr. (Morris worm) Onel De Guzman (Lovebug virus)

Computer crimes can be prosecuted only if they violate existing laws

8

Morris Worm and Lovebug Virus

Morris was charged with violation of the Computer Fraud and Abuse Act (CFAA)

Morris sentenced to 3 years probation, 400 hours of community service, and a $10,500 fine

Lovebug virus did $7 billion in damage in 2000

De Guzman released because no law in the Philippines made what he had done a crime

9

Definition of Crime

A crime is an offensive act against society that violates a law and is punishable by the government

Two important principles in this definition: The act must violate at least one criminal law It is the government (not the victim of the crime)

that punishes the violator

10

Crime Categories and Sentencing

Crimes divided into two broad categories: Felonies—serious crimes punishable by fine and

more than one year in prison Misdemeanors—lesser crimes punishable by fine

and less than one year in prison Sentencing guidelines give directions for

sentencing defendants Tougher sentencing guidelines for computer

crimes came into effect in 2003

11

Cybercrime Categories

The terms computer crime, cybercrime, information crime, and high-tech crime are used interchangeably

Two categories of offenses that involve computers: Computer as target—computer or its data is the

target of the crime Computer as instrument—computer is used to

commit the crime

12

Cybercrime Statutes and Acts

Statutes are amended to keep pace with cybercrimes CFAA (Computer Fraud and Abuse Act) of 1984

Amended in 1986 to include stiffer criminal penalties (only government and financial institutions)

Revised in 1994 to include a civil law component

New acts are passed to control cybercrime CAN-SPAM Act of 2003

13

Civil vs. Criminal Charges

Civil charges are brought by a person or company Parties must show proof they are entitled to

evidence Criminal charges can be brought only by the

government Law enforcement agencies have authority to seize

evidence

14

Comparing Criminal and Civil Laws

Characteristics Criminal Law Civil Law

Objective To protect society’s interests by defining offenses against the public

To allow an injured private party to bring a lawsuit for the injury

Purpose To deter crime and punish criminals

To deter injuries and compensate the injured party

Wrongful act Violates a statute Causes harm to an individual, group of people, or legal entity

Who brings charges against an offender

A local, state, or federal government body

A private party—a person, company, or group of people

(Continued)

15

Criminal and Civil Laws (Cont.)

Characteristics Criminal Law Civil Law

Deals with Criminal violations Noncriminal injuries

Authority to search for and seize evidence

More immediate; law agencies have power to seize information and issue subpoenas or search warrants

Parties need to show proof that they are entitled to evidence

Burden of proof Beyond a reasonable doubt

Preponderance of the evidence

Principal types of penalties or punishment

Capital punishment, fines, or imprisonment

Monetary damages paid to victims or some equitable relief

16

In Practice: Distinction Between Criminal and Civil Cases Distinction between civil and criminal

violation is not always clear In Werner v. Lewis case (Civil Court of N.Y.

1992) Lewis inserted a time bomb (malicious computer

program) into system (a crime) Werner was awarded damages as in a civil suit

17

Information Warfare and Cyberterrorism Information warfare is the extension of war

into and through cyberspace Defenses against cyberterrorism

USA PATRIOT Act of 2002 FBI’s Computer Forensics Advisory Board

18

Computer Forensics Skills

An investigator’s success depends on three skill sets

Value of recovered evidence depends on expertise in these areas

19

Evidence Basics

Evidence is proof of a fact about what did or did not happen

Three types of evidence can be used to persuade someone: Testimony of a witness Physical evidence Electronic evidence

Both cybercrimes and traditional crimes can leave cybertrails of evidence

20

In Practice: Forensics Saves a Life

In 2004, Bobbie Jo Stinnett was murdered and her unborn baby “kidnapped”

Police examined her computer and traced an IP address to Lisa Montgomery

Montgomery had corresponded with Stinnett over the Internet

21

Types of Evidence

Artifact evidence—change in evidence that causes investigator to think the evidence relates to the crime

Inculpatory evidence—evidence that supports a given theory

Exculpatory evidence—evidence that contradicts a given theory

Admissible evidence—evidence allowed to be presented at trial

Inadmissible evidence—evidence that cannot be presented at trial

Tainted evidence—evidence obtained from illegal search or seizure

22

In Practice: Search Warrant for Admissible Evidence A search warrant is issued only if law

enforcement provides sufficient proof that there is probable cause a crime has been committed

The law officer must specify what premises, things, or persons will be searched

Evidence discovered during the search can be seized

23

Types of Evidence (Cont.)

Circumstantial evidence—shows circumstances that logically lead to a conclusion of fact

Hearsay evidence—secondhand evidence

Material evidence—evidence relevant and significant to lawsuit

Immaterial evidence—evidence that is not relevant or significant

24

Rules of Evidence and Expert Testimony Federal Rules of Evidence (Fed. R. Evid.)

determine admissibility of evidence According to Fed. R. Evid., electronic

materials qualify as “originals” for court use An expert witness is a qualified specialist

who testifies in court Expert testimony is an exception to the rule

against giving opinions in court

25

Electronic Evidence: Technology and Legal Issues Discovery requests for electronic information

can lead to considerable labor Electronic evidence is volatile and may be

easily changed Electronic evidence conversely is difficult to

delete entirely E-mail evidence has become the most

common type of e-evidence

26

Importance of Digital Forensics

Digital forensics investigations supply evidence for: Criminal cases such as homicide, financial fraud,

drug and embezzlement crimes, and child pornography

Civil cases such as fraud, divorce, discrimination, and harassment

Digital forensics also used to prevent, detect, and respond to cyber attacks

27

Digital Forensics Can Reveal . . .

Theft of intellectual property, trade secrets, confidential data

Defamatory or revealing statements in chat rooms, usenet groups, or IM

Sending of harassing, hateful, or other objectionable e-mail

Downloading of criminally pornographic material

Downloading or installation of unlicensed software

Online gambling, insider trading, solicitation, drug trafficking

Files accessed, altered, or saved

28

Digital Forensics Can Recover . . .

Lost client records intentionally deleted by an employee

Proof that an ex-employee stole company trade secrets for use at a competitor

Proof of violations of noncompete agreements

Proof that a supplier’s information security negligence caused costly mistakes

Earlier drafts of sensitive documents or altered spreadsheets to prove intent in a fraud claim

29

Fourth Amendment Rights

The Fourth Amendment protects against unreasonable searches and seizures Covers individuals and corporations

Home Workplace Automobile

Law enforcement must show probable cause of a crime

30

Discovery Process

Pretrial right of each party to “discover” or learn about the opponent’s case

Includes information that must be provided by each party if requested

There are many methods of discovery

31

Discovery Methods

Interrogatories Written answers made under oath to written questions

Requests for admissions Intended to ascertain the authenticity of a document or the

truth of an assertion Requests for production

Involves the inspection of documents and property Depositions

Out-of-court testimony made under oath by the opposing party or other witnesses

32

Rules Governing Discovery

Federal Rules of Civil Procedure 1970 Amendment to Rule 34 addressed changing

technology and communication Federal Rules of Discovery categorize

electronic records as follows: Computer-stored records (active data, replicated

data, residual data, backup data and legacy data) Computer-generated records (cache files,

cookies, web logs and metadata)

33

Electronic Discovery (E-Discovery)

Discovery of e-evidence Landmark case involving e-discovery

Zubulake v. USB Warburg (2003) “The more information there is to discover, the

more expensive it is to discover all relevant information”

Increased demand for e-discovery

34

Categories of Stored Data

Based on Zubulake vs. Warburg (2003), courts recognized five categories of stored data: Active, online data Near-line data Offline storage/archives Backup tapes Erased, fragmented, or damaged data

35

Increased Demand for E-Discovery

Most business operations and transactions are done on computers and stored on digital devices

Most common means of communication are electronic

People are candid in their e-mail and instant messages

E-evidence is very difficult to destroy

36

Summary

E-evidence plays an important role in crime reconstruction

Crimes are not limited to cybercrimes; cybertrails are left by many traditional crimes

Without evidence of an act or activity that violates a statute, there is no crime

Rules must be followed to gather, search for, and seize evidence in order to protect individual rights

37

Summary (Cont.)

E-discovery refers to the discovery of electronic documents, data, e-mail, etc.

E-discovery is more complex than traditional discovery of information

Tools used to recover lost or destroyed data can also be used in e-discovery of evidence