Posted: 30-Dec-2015
Objectives
Understand what constitutes a crime and identify categories of crime
Understand law enforcement’s authority to investigate information warfare and terrorist threats to national security
Explain the different types of evidence
Identify what affects the admissibility of evidence
Objectives (Cont.)
Identify how electronic evidence differs from physical evidence
Identify what digital forensics tools and techniques can reveal and recover
Explain the process of discovery and electronic discovery
Introduction
Criminal investigations involve the analysis of ballistic or bloodstain patterns, gunpowder residue, tire tracks, fingerprints, or evidence left by electronic devices. E-evidence is the digital equivalent of the physical evidence found at crime scenes.
Introduction (Cont.)
The expansion of the Internet provides countless opportunities for crimes to be committed
Digital technologies record and document electronic trails of information that can be analyzed later:
  E-mail, instant messages (IM), Web site visits
  PDAs, iPods, smart phones, cookies, log files, etc.
Introduction (Cont.)
This chapter introduces:
  Legal foundations for recovering evidence
  Foundations for examining computer forensic evidence
  Crime and principles of evidence
  Admissibility of evidence
  Proper evidence collection and handling procedures
Basics of Crimes
Early cases that illustrate the importance of knowing the law regarding computer crimes:
  Robert T. Morris Jr. (Morris worm, 1988)
  Onel de Guzman (Love Bug virus, 2000)
Computer crimes can be prosecuted only if they violate existing laws
Morris Worm and Lovebug Virus
Morris was charged with violating the Computer Fraud and Abuse Act (CFAA)
Morris was sentenced to 3 years' probation, 400 hours of community service, and a $10,050 fine
The Love Bug virus did an estimated $7 billion in damage in 2000
De Guzman was released because, at the time, no law in the Philippines made what he had done a crime
Definition of Crime
A crime is an offensive act against society that violates a law and is punishable by the government
Two important principles in this definition:
  The act must violate at least one criminal law
  It is the government (not the victim of the crime) that punishes the violator
Crime Categories and Sentencing
Crimes are divided into two broad categories:
  Felonies—serious crimes punishable by a fine and more than one year in prison
  Misdemeanors—lesser crimes punishable by a fine and less than one year in prison
Sentencing guidelines give directions for sentencing defendants
Tougher sentencing guidelines for computer crimes came into effect in 2003
Cybercrime Categories
The terms computer crime, cybercrime, information crime, and high-tech crime are used interchangeably
Two categories of offenses involve computers:
  Computer as target—the computer or its data is the target of the crime (e.g., intrusion, theft of data)
  Computer as instrument—the computer is used to commit a traditional crime (e.g., fraud, harassment)
Cybercrime Statutes and Acts
Statutes are amended to keep pace with cybercrimes:
  CFAA (Computer Fraud and Abuse Act) of 1984
  Amended in 1986 to add stiffer criminal penalties (coverage then limited to government and financial-institution computers)
  Revised in 1994 to add a civil cause of action
New acts are passed to control cybercrime, e.g., the CAN-SPAM Act of 2003
Civil vs. Criminal Charges
Civil charges are brought by a person or company; the parties must show proof that they are entitled to the evidence
Criminal charges can be brought only by the government; law enforcement agencies have authority to seize evidence
Comparing Criminal and Civil Laws
Characteristic | Criminal law | Civil law
Objective | To protect society's interests by defining offenses against the public | To allow an injured private party to bring a lawsuit for the injury
Purpose | To deter crime and punish criminals | To deter injuries and compensate the injured party
Wrongful act | Violates a statute | Causes harm to an individual, group of people, or legal entity
Who brings charges against an offender | A local, state, or federal government body | A private party: a person, company, or group of people
Deals with | Criminal violations | Noncriminal injuries
Authority to search for and seize evidence | More immediate: law enforcement agencies have the power to seize information and to obtain subpoenas or search warrants | Parties must show proof that they are entitled to the evidence (through discovery)
Burden of proof | Beyond a reasonable doubt | Preponderance of the evidence
Principal types of penalties or punishment | Capital punishment, fines, or imprisonment | Monetary damages paid to the victim or some equitable relief
In Practice: Distinction Between Criminal and Civil Cases
The distinction between a civil and a criminal violation is not always clear
In Werner v. Lewis (Civil Court of N.Y. 1992), Lewis inserted a time bomb (a malicious computer program) into a system, which is a crime, yet Werner was awarded damages as in a civil suit
Information Warfare and Cyberterrorism
Information warfare is the extension of war into and through cyberspace
Defenses against cyberterrorism:
  USA PATRIOT Act of 2001
  FBI's Computer Forensics Advisory Board
Computer Forensics Skills
An investigator’s success depends on three skill sets
Value of recovered evidence depends on expertise in these areas
19
Evidence Basics
Evidence is proof of a fact about what did or did not happen
Three types of evidence can be used to persuade someone:
  Testimony of a witness
  Physical evidence
  Electronic evidence
Both cybercrimes and traditional crimes can leave cybertrails of evidence
In Practice: Forensics Saves a Life
In 2004, Bobbie Jo Stinnett was murdered and her unborn baby “kidnapped”
Police examined her computer and traced an IP address to Lisa Montgomery
Montgomery had corresponded with Stinnett over the Internet
Types of Evidence
Artifact evidence—a change in the evidence introduced by something other than the crime (for example, by the collection tool or process) that can mislead the investigator into relating it to the crime
Inculpatory evidence—evidence that supports a given theory (typically, that the suspect committed the act)
Exculpatory evidence—evidence that contradicts a given theory (tends to clear the suspect)
Admissible evidence—evidence allowed to be presented at trial
Inadmissible evidence—evidence that cannot be presented at trial
Tainted evidence—evidence obtained through an illegal search or seizure; generally inadmissible, along with what is derived from it (the "fruit of the poisonous tree")
In Practice: Search Warrant for Admissible Evidence
A search warrant is issued only if law enforcement provides sufficient proof that there is probable cause that a crime has been committed
The officer must specify what premises, things, or persons will be searched
Evidence discovered during the search can be seized; items outside the warrant's scope generally require a further warrant unless an exception such as plain view applies
Types of Evidence (Cont.)
Circumstantial evidence—shows circumstances that logically lead to a conclusion of fact
Hearsay evidence—secondhand evidence: an out-of-court statement offered to prove the truth of what it asserts; generally inadmissible unless an exception applies (e.g., business records)
Material evidence—evidence relevant and significant to the lawsuit
Immaterial evidence—evidence that is not relevant or significant
Rules of Evidence and Expert Testimony
The Federal Rules of Evidence (Fed. R. Evid.) determine the admissibility of evidence
Under Fed. R. Evid. 1001, a printout or other readable output of electronically stored information qualifies as an "original" if it accurately reflects the information
An expert witness is a qualified specialist who testifies in court
Expert testimony (Fed. R. Evid. 702) is an exception to the general rule against giving opinions in court
Electronic Evidence: Technology and Legal Issues
Discovery requests for electronic information can lead to considerable labor
Electronic evidence is volatile and may be easily changed (simply booting a machine or opening a file alters timestamps), so examinations work from a verified copy
Electronic evidence is, conversely, difficult to delete entirely
E-mail evidence has become the most common type of e-evidence
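The last point, and the earlier note that investigators traced an IP address from the victim's computer, both rest on reading the Received: headers that every mail relay prepends. The walkthrough below is an added example, not code from the chapter or its textbook; the message, host names, addresses and the trusted-relay set are constructed for illustration. It shows the apparent origin (the bottom hop) and the more defensible figure: the peer address recorded by the last relay the investigator actually controls, since every header below that was written by machines outside that control and can be forged.

```python
"""Walk an e-mail's Received: chain to find where a message appears to come from."""
import re
from email import policy
from email.parser import Parser
from typing import Dict, List, Optional, Set

# Constructed sample message (hosts and addresses are reserved example values,
# not real infrastructure). Each relay PREPENDS a Received: header, so the top
# header is the last hop and the bottom one is the first hop any server saw.
SAMPLE_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.7])
\tby mail.example.org with ESMTP id abc123;
\tMon, 6 Dec 2004 10:15:02 -0600
Received: from relay.example.net (relay.example.net [198.51.100.3])
\tby mx2.example.net with ESMTP; Mon, 6 Dec 2004 10:14:58 -0600
Received: from [192.0.2.45] (helo=home-pc)
\tby relay.example.net with SMTP; Mon, 6 Dec 2004 10:14:55 -0600
From: someone@example.net
To: victim@example.org
Subject: hello
Date: Mon, 6 Dec 2004 10:14:50 -0600

(body)
"""

# The address in square brackets is what the receiving relay saw as its TCP
# peer; the "from" name before it is whatever the sender claimed in HELO/EHLO.
PEER_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby (\S+)")


def parse_received_chain(raw_message: str) -> List[Dict[str, Optional[str]]]:
    """Return the hops oldest-first: the relay that added the header ('by')
    and the peer IP it recorded ('peer_ip', None if it recorded none)."""
    msg = Parser(policy=policy.compat32).parsestr(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        by = BY_RE.search(text)
        ip = PEER_IP_RE.search(text)
        hops.append({
            "by": by.group(1) if by else None,
            "peer_ip": ip.group(1) if ip else None,
            "raw": text,
        })
    hops.reverse()  # headers were prepended: reverse to get chronological order
    return hops


def apparent_originating_ip(raw_message: str) -> Optional[str]:
    """Peer IP in the oldest hop: correct only if every header is honest."""
    hops = parse_received_chain(raw_message)
    return hops[0]["peer_ip"] if hops else None


def last_verifiable_ip(raw_message: str, trusted_relays: Set[str]) -> Optional[str]:
    """Walk newest-to-oldest through hops added by relays we control (whose
    logs we can check) and return the peer IP recorded by the last of them.
    Anything below that point was written by machines outside our control and
    can be forged, so this is the earliest address we can actually vouch for."""
    verified = None
    for hop in reversed(parse_received_chain(raw_message)):  # newest first
        if hop["by"] not in trusted_relays:
            break
        verified = hop["peer_ip"]
    return verified


if __name__ == "__main__":
    for hop in parse_received_chain(SAMPLE_MESSAGE):
        print(f"{str(hop['by']):20} saw peer {hop['peer_ip']}")
    print("apparent origin:", apparent_originating_ip(SAMPLE_MESSAGE))
    print("verifiable from mail.example.org alone:",
          last_verifiable_ip(SAMPLE_MESSAGE, {"mail.example.org"}))
```

Run as a script it prints the chain and both answers. The header alone proves only what each relay observed; turning the last verifiable address into a person is the job of a subpoena to the provider operating that relay, together with its connection logs, which is the kind of seizure authority the criminal-law column above refers to.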
Importance of Digital Forensics
Digital forensics investigations supply evidence for:
  Criminal cases such as homicide, financial fraud, drug and embezzlement crimes, and child pornography
  Civil cases such as fraud, divorce, discrimination, and harassment
Digital forensics is also used to prevent, detect, and respond to cyber attacks
Digital Forensics Can Reveal . . .
Theft of intellectual property, trade secrets, confidential data
Defamatory or revealing statements in chat rooms, Usenet groups, or IM
Sending of harassing, hateful, or other objectionable e-mail
Downloading of criminally pornographic material
Downloading or installation of unlicensed software
Online gambling, insider trading, solicitation, drug trafficking
Files accessed, altered, or saved
Digital Forensics Can Recover . . .
Lost client records intentionally deleted by an employee
Proof that an ex-employee stole company trade secrets for use at a competitor
Proof of violations of noncompete agreements
Proof that a supplier’s information security negligence caused costly mistakes
Earlier drafts of sensitive documents or altered spreadsheets to prove intent in a fraud claim
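The earlier points that e-evidence is easily changed yet hard to delete entirely, and this list of what forensics can recover, come down to two mechanics: ordinary deletion removes only the filesystem's pointer to the data, and an examiner's first act is to hash the acquired image so that any later change is detectable. The following is an added example, not the textbook's code; the on-disk layout (a fixed-size directory followed by 64-byte blocks) is invented to keep the mechanics visible, and the two files are constructed samples.

```python
"""Toy disk image: why 'deleted' e-evidence is still there, and why an image is
hashed at acquisition. Added example with an invented on-disk layout."""
import hashlib
import struct
from typing import Dict, List

BLOCK = 64                           # bytes per data block (toy size)
ENTRY = struct.Struct("<B15sHH")     # in-use flag, name, first block, length
SLOTS = 4                            # directory slots
DIR_BYTES = ENTRY.size * SLOTS       # data area starts at this offset

# Constructed sample files; the ledger carries a recognisable header/footer
# so that signature carving has something to look for.
EVIDENCE_FILES = {
    "notes.txt": b"meeting at 3pm, bring the ledger",
    "ledger.xml": b"<ledger>amount=14000;approved=no</ledger>",
}


def make_image(files: Dict[str, bytes]) -> bytes:
    """Lay files out back to back; each directory entry points at its blocks."""
    directory, data, next_block = bytearray(), bytearray(), 0
    for name, content in files.items():
        assert len(name) <= 15, "toy layout: names are at most 15 bytes"
        padded = content + b"\x00" * (-len(content) % BLOCK)
        directory += ENTRY.pack(1, name.encode(), next_block, len(content))
        data += padded
        next_block += len(padded) // BLOCK
    directory += b"\x00" * (DIR_BYTES - len(directory))
    return bytes(directory + data)


def list_files(image: bytes) -> Dict[str, bytes]:
    """What the operating system would show: only entries still flagged in use."""
    files = {}
    for i in range(SLOTS):
        flag, name, first, length = ENTRY.unpack_from(image, i * ENTRY.size)
        if flag == 1:
            start = DIR_BYTES + first * BLOCK
            files[name.rstrip(b"\x00").decode()] = image[start:start + length]
    return files


def delete_file(image: bytes, name: str) -> bytes:
    """Ordinary deletion: clear the directory entry, leave the data blocks."""
    img = bytearray(image)
    for i in range(SLOTS):
        flag, ename, _, _ = ENTRY.unpack_from(img, i * ENTRY.size)
        if flag == 1 and ename.rstrip(b"\x00").decode() == name:
            img[i * ENTRY.size:(i + 1) * ENTRY.size] = b"\x00" * ENTRY.size
            return bytes(img)
    raise KeyError(name)


def carve(image: bytes, header: bytes, footer: bytes) -> List[bytes]:
    """Signature carving over the data area: recover every header..footer
    run whether or not any directory entry still points at it."""
    data, found, pos = image[DIR_BYTES:], [], 0
    while (start := data.find(header, pos)) >= 0:
        end = data.find(footer, start + len(header))
        if end < 0:
            break
        found.append(data[start:end + len(footer)])
        pos = end + len(footer)
    return found


def sha256(image: bytes) -> str:
    """Acquisition hash: recorded once, re-checked before every examination."""
    return hashlib.sha256(image).hexdigest()


def demo() -> dict:
    image = make_image(EVIDENCE_FILES)
    acquisition_hash = sha256(image)            # written into the custody log
    after_delete = delete_file(image, "ledger.xml")
    return {
        "visible_after_delete": sorted(list_files(after_delete)),
        "carved": carve(after_delete, b"<ledger>", b"</ledger>"),
        "image_still_matches_hash": sha256(after_delete) == acquisition_hash,
    }


if __name__ == "__main__":
    print(demo())
```

Real filesystems differ in detail (NTFS marks the MFT record unused, ext4 releases the inode), but the principle is the same: until the blocks are reused the content is recoverable by carving, which is why write blockers and a hash recorded in the chain-of-custody log are routine. The hash mismatch after the delete is the other half of the point: a working copy that no longer matches the acquisition hash cannot be presented as the original.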
Fourth Amendment Rights
The Fourth Amendment protects against unreasonable searches and seizures
Covers individuals and corporations, in the home, the workplace, and the automobile
Law enforcement must show probable cause of a crime to obtain a search warrant
Discovery Process
Pretrial right of each party to “discover” or learn about the opponent’s case
Includes information that must be provided by each party if requested
There are many methods of discovery
Discovery Methods
Interrogatories—written answers made under oath to written questions
Requests for admissions—intended to ascertain the authenticity of a document or the truth of an assertion
Requests for production—involve the inspection of documents and property
Depositions—out-of-court testimony made under oath by the opposing party or other witnesses
Rules Governing Discovery
Federal Rules of Civil Procedure: the 1970 amendment to Rule 34 addressed changing technology and communication (discovery of "data compilations")
Under the federal discovery rules, electronic records are categorized as follows:
  Computer-stored records (active data, replicated data, residual data, backup data, and legacy data)
  Computer-generated records (cache files, cookies, Web logs, and metadata)
Electronic Discovery (E-Discovery)
Discovery of e-evidence
Landmark case involving e-discovery: Zubulake v. UBS Warburg, 217 F.R.D. 309 (S.D.N.Y. 2003)
  "The more information there is to discover, the more expensive it is to discover all relevant information"
Increased demand for e-discovery
Categories of Stored Data
Based on Zubulake v. UBS Warburg (2003), courts recognize five categories of stored data, ordered from most to least accessible:
  Active, online data
  Near-line data
  Offline storage/archives
  Backup tapes
  Erased, fragmented, or damaged data
Increased Demand for E-Discovery
Most business operations and transactions are done on computers and stored on digital devices
Most common means of communication are electronic
People are candid in their e-mail and instant messages
E-evidence is very difficult to destroy
Summary
E-evidence plays an important role in crime reconstruction
Crimes are not limited to cybercrimes; cybertrails are left by many traditional crimes
Without evidence of an act or activity that violates a statute, there is no crime
Rules must be followed to gather, search for, and seize evidence in order to protect individual rights