
3Digital Evidence in the Courtroom

Dr. John P. Abraham

Professor of Computer Science

UTPA


Intro

• Role of digital investigators is to present supporting facts and probabilities.

• Court depends on trustworthiness of investigators.

• Accurate, clear, factual and objective


Duty of Experts

• Present objective unbiased truth.

• Not to be an advocate, leave it to the attorneys.

• Not to take the side of the one who pays you.

• Keep bias, emotion and greed out as much as possible.


Resisting influences

• Digital investigators are often pressured to concentrate on specific areas and to reach conclusions favorable to one party.

• Champion the truth rather than deciding who is guilty. You will not have all the facts like the court does.


Avoid preconceived theories

• Consider whether a crime occurred at all; think of all alternatives.

– An employee denied unauthorized access to the root account of a Unix system. After careful review it was found that the utmp/wtmp log was corrupt.

– If data was missing, check for hard drive corruption rather than assuming intrusion.

– A suicide note's date was later than the computer clock. It was discovered that the computer clock was incorrect.


Scientific truth and legal judgment

• In a prosecutorial environment, theories based on scientific truth are subordinate to legal judgment.

• Standard of proof for criminal acts

– Beyond a reasonable doubt

• Standard of proof for civil cases

– Balance of probabilities

• The investigator must accept the court's ruling or the attorney's decision.


Admissibility

• Whether evidence is safe to put before a jury (i.e., whether it gives a foundation for making a decision).

• A set of legal tests applied by the judge to assess each item of evidence.

– For instance, unauthenticated emails could not be admitted, as anyone could create a false email.

• Digital evidence admissibility: relevance, authenticity, not hearsay, best evidence, not unduly prejudicial.

– Improper handling and illegal search can prevent evidence from being admissible.


Search Warrants (4th amendment)

• Digital evidence must be gathered with search warrants. Warrants have expiry time.

• To obtain a warrant, probable cause must be established:

– A crime has been committed

– Evidence of the crime is in existence

– The evidence is likely to exist at the place to be searched

• If suspect consented to the search, no need for search warrant, provided that consent can be substantiated.


Caveats

• Evidence collected outside of warrant time limit is not admissible.

• Evidence collected outside of the scope of the warrant is not admissible (pornography found while searching for drugs). Another search warrant should be obtained.


Authentication of digital evidence

• To demonstrate that digital evidence is authentic, show that it was acquired from a specific computer and/or location, that a complete and accurate copy of the digital evidence was acquired, and that it has remained unchanged since it was collected.

• Chain of custody and integrity documentation (evidence has not been altered) are important.
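The two bullets above describe what an examiner has to be able to show: that the copy is complete and accurate, and that nothing has changed since collection. The following is an added example (not part of the original slides) of the minimal mechanics behind that claim: hash the source and the acquired image, compare them, and record each handling step together with the hashes in a chain-of-custody log so a later re-hash can be checked against the acquisition record. The byte strings standing in for the seized media and the image are constructed sample data; the record layout and the function names are this example's own assumptions, not a standard.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample data: a byte string standing in for a seized drive and the
# forensic image acquired from it (a verbatim copy, as a good acquisition should be).
SOURCE_MEDIA = b"MBR\x00" + b"\x00" * 508 + b"partition data ... user files"
ACQUIRED_IMAGE = bytes(SOURCE_MEDIA)


def digest(data: bytes) -> dict:
    """Compute MD5 (the value the slides mention) and SHA-256 of the data.
    Recording two independent hashes guards against a weakness in either one."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify_acquisition(source: bytes, image: bytes) -> bool:
    """True only if every recorded hash of the image matches the source media."""
    return digest(source) == digest(image)


def custody_entry(item_id: str, action: str, handler: str, location: str, data: bytes) -> dict:
    """One chain-of-custody record: who did what to which item, when, where,
    and what the item hashed to at that moment (hypothetical record layout)."""
    return {
        "item_id": item_id,
        "action": action,
        "handler": handler,
        "location": location,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        **digest(data),
    }


def verify_against_log(item: bytes, log: list, item_id: str) -> bool:
    """Re-hash an item and compare with the hashes recorded at acquisition."""
    acquisition = next(
        e for e in log if e["item_id"] == item_id and e["action"] == "acquired"
    )
    current = digest(item)
    return (current["md5"] == acquisition["md5"]
            and current["sha256"] == acquisition["sha256"])


def demo() -> tuple:
    """Walk through acquisition, a custody transfer, and a later integrity check.
    Returns (integrity_ok_for_untouched_image, integrity_ok_for_altered_image)."""
    log = []
    log.append(custody_entry("ITEM-001", "acquired", "examiner A", "lab bench 2", ACQUIRED_IMAGE))
    log.append(custody_entry("ITEM-001", "transferred", "examiner B", "evidence locker", ACQUIRED_IMAGE))
    untouched_ok = verify_against_log(ACQUIRED_IMAGE, log, "ITEM-001")
    # Constructed tampering: flip the last byte of the image and re-check.
    altered = ACQUIRED_IMAGE[:-1] + b"X"
    altered_ok = verify_against_log(altered, log, "ITEM-001")
    return untouched_ok, altered_ok


if __name__ == "__main__":
    print("acquisition verified:", verify_acquisition(SOURCE_MEDIA, ACQUIRED_IMAGE))
    print("untouched / altered integrity check:", demo())
```

The log entries are plain dictionaries so they can be written out as JSON lines or printed into the report's evidence summary; the important property is that the acquisition entry's hashes are what every later check is compared against, not a hash recomputed from the item being checked.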


Reliability of Digital Evidence

1. Was the computer that generated the evidence functioning normally?

2. Examine the digital evidence for tampering or other damage.


Best evidence

• Courts will normally require original evidence rather than copies. Digital copies can be exact, therefore courts will accept copies.


Hearsay

• An email may be used to prove that an individual made certain statements, but cannot be used to prove the truth of the statements it contains.

• Exceptions: Business records. Records routinely kept by a business are not hearsay.


Levels of certainty in digital forensics

• Currently there is a lack of consistency in evaluating digital evidence. There is no mathematical way to evaluate certainty.

• Computers can introduce errors and uncertainty: system clock errors, IP address (real or proxy, VPN, etc.)

• Levels: almost definitely, most probably, probably, very possibly and possibly.

• Certainty can be assigned a C value from 0 to 6, 6 being certain. I refer you to pages 70 and 71 in your textbook.
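The system clock error mentioned above, and the suicide-note example on the "Avoid preconceived theories" slide, are the same problem: timestamps read from the evidence machine are only meaningful once the machine clock has been compared with a trusted reference. The following is an added example (not from the original slides) of how an examiner can record that comparison at seizure, convert file timestamps into reference time, and re-test an apparent contradiction (a document whose stated time is later than its saved time) after the correction. All timestamps and the file names are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: at seizure the examiner read the evidence machine's clock
# and a trusted reference clock at the same moment and recorded both.
MACHINE_CLOCK_AT_SEIZURE = datetime(2023, 3, 10, 14, 5, 0, tzinfo=timezone.utc)
REFERENCE_CLOCK_AT_SEIZURE = datetime(2023, 3, 10, 14, 9, 30, tzinfo=timezone.utc)

# Constructed file modification times as read from the evidence file system,
# i.e. expressed in the (possibly wrong) machine clock.
FILE_TIMESTAMPS = {
    "Documents/note.txt": datetime(2023, 3, 9, 22, 0, 0, tzinfo=timezone.utc),
    "Downloads/photo.jpg": datetime(2023, 3, 8, 11, 30, 0, tzinfo=timezone.utc),
}

# Constructed: the date and time typed inside note.txt by its author.
STATED_NOTE_TIME = datetime(2023, 3, 9, 22, 3, 0, tzinfo=timezone.utc)


def clock_offset(machine: datetime, reference: datetime) -> timedelta:
    """How far the machine clock was behind (positive) or ahead (negative) of the reference."""
    return reference - machine


def to_reference_time(machine_time: datetime, offset: timedelta) -> datetime:
    """Convert a timestamp recorded by the machine clock into reference time.
    Assumes the offset was constant over the period of interest; a drifting
    clock would need more than one comparison point."""
    return machine_time + offset


def normalize(timestamps: dict, offset: timedelta) -> dict:
    """Apply the correction to every timestamp that will be cited in the report."""
    return {path: to_reference_time(t, offset) for path, t in timestamps.items()}


def stated_time_consistent(stated: datetime, recorded_machine: datetime, offset: timedelta) -> bool:
    """A document cannot have been saved before the time written inside it,
    so the stated time must not be later than the corrected save time."""
    return stated <= to_reference_time(recorded_machine, offset)


def analyze() -> dict:
    """Run the comparison with and without the clock correction and return
    plain values suitable for a report table."""
    offset = clock_offset(MACHINE_CLOCK_AT_SEIZURE, REFERENCE_CLOCK_AT_SEIZURE)
    note_mtime = FILE_TIMESTAMPS["Documents/note.txt"]
    return {
        "offset_seconds": offset.total_seconds(),
        "consistent_uncorrected": stated_time_consistent(STATED_NOTE_TIME, note_mtime, timedelta(0)),
        "consistent_corrected": stated_time_consistent(STATED_NOTE_TIME, note_mtime, offset),
        "corrected_note_mtime": normalize(FILE_TIMESTAMPS, offset)["Documents/note.txt"].isoformat(),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

With the machine clock 4 minutes 30 seconds slow, the note appears to have been saved three minutes before its own stated time; after the correction the two are consistent. Both the measured offset and the assumption that it was constant belong in the report, since they bound how much certainty any timestamp-based conclusion can carry.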


Direct Vs. Circumstantial evidence

• Direct evidence establishes a fact; circumstantial evidence suggests one.

– A computer log is direct evidence that a given account was used to log into a system.

– It is circumstantial evidence that the account owner used the computer to gain access.

– Finding a copy of intellectual property could be direct evidence.


Scientific Evidence

• Whether the theory or technique can be tested.

• Whether there is a high known or potential rate of error, and whether standards or controls exist.

• Whether the theory or technique has been subjected to peer review and publication.

• Whether the theory or technique enjoys general acceptance within the scientific community.


Reduce the risk of mistakes

• Assess the reliability of commonly used tools.

• Do known error rates exist for the analysis?

• Can another tool be used to substantiate the findings?


Presenting the Digital Evidence

• Writing expert reports

– Build solid arguments by providing supporting evidence and demonstrate that the explanation provided is the most reasonable one.

– Support assertions with multiple independent sources of evidence.

– State clearly how and where the evidence was found.

– Use figures or attachments.

– Present alternative scenarios and demonstrate why they are less reasonable and less compatible with the evidence. If there is no evidence to support alternatives, clearly state that.


Report format

• Introduction

• Evidence summary

• Examination Summary

• File System Examination

• Forensic Analysis and Findings

• Conclusions


Introduction

• Overview of the case

• Relevance of the evidential media examined.

• Who required the analysis

• What was requested

• Bona fides of those who performed the work: CV, experience and training.


Evidence Summary

• Describe the evidence that was analyzed

• Details that uniquely identify it, such as make, model and serial number

• Include MD5 values, photographs, lab submission numbers

• Details of when and where the evidence was obtained

• From whom the evidence was obtained and its condition

• Processing methods and tools


Examination Summary

• This is a summary for those who do not have time to read the whole thing. Present everything in a summary format here.

• Overview of the critical findings

• Recommendation or conclusions in short summary.


File System Examination

• Provide an inventory of files, directories and recovered data that are relevant to the investigation.

• Pathnames, date time stamps, MD5 values, physical sector location on the disk, etc.

• Note any unusual absences of data (mass deletion, reformatting, or wiping).


Forensic Analysis and Findings

• Detailed description of forensic analysis performed

• Resulting findings

• Supporting evidence

• Specify the location where each referenced item was found

• Show photographs, screenshots, or printouts

• Describe and interpret temporal, functional and relational analysis


Conclusions

• A summary of conclusions

• Refer to supporting evidence

• Do not jump to conclusions or make statements about innocence or guilt

• Let the evidence speak for itself.


Testimony

• Prepare well

• Talk with the attorney you are working with

• Remember you are talking to a non-technical audience.