
Legal Aspects of Digital Forensics Taylan Sen, JD Phillips Lytle, LLP.

Date post: 16-Dec-2015

Overview

- Purposes of Digital Forensics
- Overview of legal system
  - Federal
  - Civil
- Liability from improperly conducted Digital Forensic analyses
- Legal Tools in helping to obtain evidence
  - Warrants
  - eDiscovery
- Admissibility of Digital Evidence
- Proactive actions that can be taken in light of eDiscovery
- Guidelines on how to perform a Digital Forensic Analysis - so that lawsuit is won, the right business decisions are made, and most importantly to keep YOU out of legal trouble!

Purposes of Digital Forensics

- Criminal lawsuit
- Civil lawsuit
- Human resources
  - Employee misconduct
  - Harassment
- Economic research/espionage

U.S. Judicial System

- Federal
- State
- Hierarchical
- Rules
  - Criminal
  - Civil


Federal Court System


Federal Circuit Courts

Court Rules/Structure

- Court’s job is
  1. fact finding
  2. interpretation of the law
- Courts must follow not only written law but also previous decisions (stare decisis).
- Hierarchical
  - Lower courts’ main job is fact finding
  - Higher courts’ main job is interpretation of law
  - Appeals go up
  - Lower level courts must follow the decisions of their parents.

Types of Criminal cases

- Copyright infringement
- Theft of trade secret
- Fraud/embezzlement
- Vandalism
- Harassment
- Child pornography

fines/incarceration

Client Investigation

- Case 1: Ex-employee left company to form his own company.
  - Is he violating company intellectual property in his new business?
  - Can we use a KeyStroke logger?
- Case 2: Ex-Franchisee is currently violating company’s trademark and copyright through their website.
  - What kind of Digital Forensic evidence is admissible?
  - Internet Archive
  - Whois/DNS lookup?


Criminal Trial Overview

Judge Chamberlain Haller: I don't want to hear explanations. The state of Alabama has a procedure. And that procedure is to have an arraignment. Are we clear on this?

Criminal Trial must follow the “Federal Rules of Criminal Procedure”

Anatomy of a Criminal Trial

- Investigation
- Probable cause warrant (search/arrest)
- Initial Appearance
  - criminal complaint is accompanied by an affidavit that summarizes the evidence against the defendant.
  - bail is set
- Arraignment/Grand Jury Hearing
- Discovery
- Pretrial Motions (motion in limine)
- Plea bargaining
- Trial
  - Prosecution
  - Defense
  - Deliberation/Verdict (burden)
- Sentencing
- Appeal


Investigation: 4th Amendment

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

You do not have a carte blanche to perform a Digital Forensic search.


Investigation: What is a Warrant?

A court order, issued by a judge or magistrate, authorizing an act which would otherwise be illegal in violating an individual’s rights.

Affords the person executing the warrant protection from damages if the act is performed.

Obtaining a warrant

- 4th amendment – “no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
- Probable cause – “reasonable”, “prudent”:
  - Direct observation of officer or secondary information based
  - Totality of the circumstances
  - Aguilar-Spinelli
    - Reliable and credible
    - Knowledge of underlying circumstances
- Digital Forensic Data is often the basis to obtain a warrant
- A warrant must be specific to place being searched
- Exceptions: Exigent circumstances, sufficiently attenuated

Warrants and the Aguilar-Spinelli test

1. The magistrate must be informed of the reasons to support the conclusion that such an informant is reliable and credible.

2. The magistrate must be informed of some of the underlying circumstances relied on by the person providing the information.

Fruit of the poisonous tree (exclusionary rule)

Evidence which is collected or analyzed in violation of defendant’s constitutional rights is inadmissible for criminal prosecution in a court of law unless the evidence gathered is sufficiently attenuated from the illegal act.

Your digital Forensic investigation must be conducted properly

Anatomy of a civil lawsuit

- Investigation
- Complaint/Answer
- Discovery
  - eDiscovery
- Settlement negotiations
- Trial
  - Prosecution
  - Defense
  - Deliberation/Verdict (burden)
- Appeal

Types of civil cases

- Breach of contract
- Copyright/trademark infringement
- Tortious interference
- Harassment/Slander
- Misuse of corporate resources
- Improper termination

damages ($), injunction


Federal Rules of Civil Procedure

Rule #26 – (B) Specific Limitations on Electronically Stored Information. A party need not provide discovery of electronically stored information from sources that the party identifies as not reasonably accessible because of undue burden or cost. On motion to compel discovery or for a protective order, the party from whom discovery is sought must show that the information is not reasonably accessible because of undue burden or cost. If that showing is made, the court may nonetheless order discovery from such sources if the requesting party shows good cause, considering the limitations of Rule 26(b)(2)(C). The court may specify conditions for the discovery.

Rule #34 - (A) any designated documents or electronically stored information — including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations — stored in any medium from which information can be obtained either directly or, if necessary, after translation by the responding party into a reasonably usable form; or

Federal Rules of Evidence

- General rules
- Authentication and identification
- Hearsay
- Original evidence rule
- Expert Witnesses & Junk science
- Fruit of the poisonous tree

General Rules of Evidence

- Must not be unfairly prejudicial (previous crime)
- Subsequent remedial measures
- Insurance coverage
- Witnesses must have personal knowledge

Federal Rule of Evidence 901 Authentication

“admissibility is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims.”

Authentication and Identification

- 901(a) - General Rule: Evidence must be shown to be authentic before allowed into trial.
- Authenticity can be shown through:
  - 901(b)(1) Testimony of witness with knowledge. Testimony that a matter is what it is claimed to be.
  - 901(b)(9) Process or system. Evidence describing a process or system used to produce a result and showing that the process or system produces an accurate result.
- Example: Are Internet Archive pages admissible?


Authentication - In re Vee Vinhnee, 2005

"...the focus is not on the circumstances of the creation of the record, but rather on the circumstances of the preservation of the record during the time it is in the file so as to assure that the document being proffered is the same as the document that originally was created."

American Express – credit card records.

In re Vee Vinhnee, 2005

"The logical questions extend beyond the identification of the particular computer equipment and programs used. The entity's policies and procedures for the use of the equipment, database, and programs are important. How access to the pertinent database is controlled and, separately, how access to the specific program is controlled are important questions. How changes in the database are logged or recorded, as well as the structure and implementation of backup systems and audit procedures for assuring the continuing integrity of the database, are pertinent to the question of whether records have been changed since their creation."


Factors for consideration of Digital Forensic Data

1. The business uses a computer.

2. The computer is reliable.

3. The business has developed a procedure for inserting data into the computer.

4. The procedure has built-in safeguards to ensure accuracy and identify errors.

5. The business keeps the computer in a good state of repair.

6. The witness had the computer readout certain data.

7. The witness used the proper procedures to obtain the readout.

8. The computer was in working order at the time the witness obtained the readout.

9. The witness recognizes the exhibit as the readout.

10. The witness explains how he or she recognizes the readout.

11. If the readout contains strange symbols or terms, the witness explains the meaning of the symbols or terms for the trier of fact.

Federal Rule of Evidence 801: Hearsay is generally not allowed

- "Hearsay" is a statement, other than one made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted.
- Exception: business records


Internet Archive

Should Internet Archive records be admissible?

Telewizja Polska USA, Inc. v. Echostar, 2004

- Polska granted EchoStar a license to use its trademarks to market the subscription package to its customers.
- Agreement ended, EchoStar continued to use Polska's name and trademarks.
- Polska sued for trademark infringement
- Polska filed a motion in limine to exclude several Echostar trial exhibits, including screenshot printouts of Polska’s website from the Internet Archive’s “Wayback Machine”
- Plaintiff then contends that the exhibit has not been properly authenticated. Attached to the exhibits is an affidavit from Ms. Molly Davis, verifying that the Internet Archive Company retrieved copies of the website as it appeared on the dates in question from its electronic archives. Plaintiff labels the Internet Archive an unreliable source and claims that Defendant has not, therefore, met the threshold requirement for authentication.

Telewizja Polska USA, Inc. v. Echostar, 2004

OUTCOME: Court finds affidavit from Internet Archive employee sufficient for laying a foundation and authenticating the Internet snapshots of Plaintiff’s website and thus denied motion in limine to limit evidence.

St. Luke's Cataract & Laser Institute, P.A. v. Sanderson, 2006
U.S. Dist Fla., 2006

“… affidavit from a previous litigation, without more, is insufficient … However, an affidavit by Ms. Davis, or some other representative of Internet Archive with personal knowledge of its contents, verifying that the printouts Plaintiff seeks to admit are true and accurate copies of Internet Archive's records would satisfy Plaintiff's obligation to this Court.”

Authentication and Digital Forensics

- When gathering data, make sure it is done in a way that can be later authenticated in a court of law.
- Chain of custody.
- Records of who, when, where, and how the forensic analysis is done.
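One way to keep the who/when/where/how record so that later changes to either the record or the evidence can be shown, as an added example that is not part of the original slides. It assumes SHA-256 digests and a hash-chained log, neither of which the slides name; the function names, field names, people and timestamps are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry: dict) -> str:
    """Digest of every field except the entry's own hash, in a stable order."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


def record(log, evidence: bytes, who, when, where, how) -> dict:
    """Append one custody entry, chained to the previous entry's hash."""
    entry = {
        "who": who, "when": when, "where": where, "how": how,
        "evidence_sha256": sha256_hex(evidence),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_hash(entry)
    log.append(entry)
    return entry


def verify(log, evidence: bytes) -> list:
    """Return the problems found; an empty list means log and evidence agree."""
    problems, prev = [], GENESIS
    for i, e in enumerate(log):
        if e["prev_hash"] != prev:
            problems.append(f"entry {i}: chain broken")
        if entry_hash(e) != e["entry_hash"]:
            problems.append(f"entry {i}: entry altered after it was written")
        prev = e["entry_hash"]
    if len({e["evidence_sha256"] for e in log}) > 1:
        problems.append("evidence digest differs between custody entries")
    if log and sha256_hex(evidence) != log[0]["evidence_sha256"]:
        problems.append("evidence no longer matches the acquisition digest")
    return problems


def demo():
    # Constructed sample data: stand-in image bytes and hypothetical people.
    image = b"constructed stand-in for an acquired drive image"
    log = []
    record(log, image, "Examiner A", "2024-01-10T09:00Z", "Lab 2",
           "imaged through a hardware write blocker")
    record(log, image, "Analyst B", "2024-01-10T14:30Z", "Lab 2",
           "received sealed image for analysis")
    clean = verify(log, image)
    log[0]["when"] = "2024-01-09T09:00Z"  # simulate a back-dated entry
    return clean, verify(log, image)


if __name__ == "__main__":
    print(demo())
```

The chain only shows that entries were not changed after the fact; the log itself still has to be stored where the people named in it cannot rewrite it wholesale.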


Federal Rule of Evidence 702 Technical/Scientific Evidence

“If scientific, technical, or other specialized knowledge will assist the trier of fact to understand the evidence or determine a fact in issue, a witness qualified as an expert by knowledge, skill, experience, training, or education, may testify thereto in the form of an opinion or otherwise."

Daubert v. Merrell Dow Pharmaceuticals
U.S. Supreme Court, 1993

CLAIM: the drug Bendectin had caused the birth defects

EVIDENCE: Test tube and live animal studies were conducted to show that Bendectin caused birth defects.

MOTION FOR SUMMARY JUDGMENT: no published scientific study demonstrated a link between Bendectin and birth defects

Daubert factors

1. Empirical testing: the theory or technique must be falsifiable, refutable, and testable.

2. Subjected to peer review and publication.

3. Known or potential error rate and the existence

4. The existence and maintenance of standards and controls concerning its operation.

5. Degree to which the theory and technique is generally accepted by a relevant scientific community.

Daubert and Digital Forensics

Selection of your forensic analysis tools and techniques should be made with the Daubert factors in mind:

- Testing: Has this software tool/procedure been tested?
- Error Rate: Is there a known error rate of the procedure?
  - Tool Implementation Error is from bugs in the code or from using the wrong specification.
  - Abstraction Error is from the tool making decisions that do not have a 100% certainty: data reduction techniques or by processing data in a way that it was not originally designed for.
- Publication:
  - Has the tool/procedure been published and subject to peer review?
  - Is this a commercially offered tool/technique or something developed in house?
  - OpenSource vs. proprietary software
  - “Diebold Admits to Decade-old Voting Machine Bug”
- Acceptance: Is this tool/technique used by experts in the field?

E Discovery Overview

- What exactly is discovery? - “the pre-trial phase in a lawsuit in which each party through the law of civil procedure can request documents and other evidence from other parties or can compel the production of evidence by using a subpoena or through other discovery devices, such as requests for production and depositions.”
- e-discovery
  - Data types include: e-mail & documents on hard drives, backup tapes, PDA’s, CD’s, etc.
  - use in depth automated searches
- Costly – especially when data storage infrastructure is not in place.
  - Cost shifting
- Noncompliance - Courts are very unforgiving to parties who show signs of noncompliance with discovery requests.
  - Qualcomm, Inc. v. Broadcom Corporation (S.D. Cal. August 6, 2007) $8.5 million fine for withholding emails.
- Need forward planning through:
  1. a document retention and destruction policy,
  2. data storage tools, and when litigation comes,
  3. efficient management of e-discovery process.

Document retention and destruction policy: How does a company determine how long to retain documents?

The retention period of documents will depend on a number of considerations, including:

- the retention periods specified in state or federal regulations
- contractual obligations
- pending or reasonably foreseeable lawsuits or government proceedings relating to the subject matter of the documents
- statutes of limitations.

In the absence of a specific legal duty to retain documents a company will need to determine whether there are business reasons to retain the documents and, if so, how long such reasons will remain viable.

Sources of the legal duty to retain data

- State and federal tax, labor, employment, and environmental laws
- Sarbanes Oxley Act
- HIPAA
- Contracts
- Litigation – legal duty to preserve relevant evidence
  - Federal Rules of Civil Procedure (amended 2006)
  - Zubulake v. UBS Warburg LLC, 2004 WL 1620866 (S.D.N.Y. July 20, 2004)

Violations shall be fined and/or imprisoned for up to 20 years. (Section 802 of the Sarbanes-Oxley Act)

Desired characteristics of a document retention policy

- Should be specific
  - when to destroy
  - who should destroy
- Should be written
- Should be followed consistently
- Should not retain data you don’t need
- Should be distributed to employees
- Should be re-evaluated annually

Example Document Retention and Destruction Policy

Suspension of the document retention/destruction policy

"Once a party reasonably anticipates litigation, it must suspend its routine document retention/destruction policy and put in place a 'litigation hold' to ensure the preservation of relevant documents." (See Zubulake v. UBS Warburg LLC, 2004 WL 1620866 (S.D.N.Y. July 20, 2004)).

Other Digital Forensic Related Statutes

- Electronic Communications Privacy Act of 1986
- Pen/Trap Statute
- Wiretap Act
- US Patriot Act
- Computer Security Act of 1987
- Federal Privacy Act of 1974
- HIPAA 1996
- Computer Fraud and Abuse Act
- Economic Espionage Act

Conclusion

Certain legal considerations must be made when performing a digital forensic analysis to ensure that

- No laws are broken that would subject the investigator to criminal or economic liability
- The evidence obtained is admissible in court

