Crime & Evidence Concepts

Computer Forensics BACS 371


Introduction

Traditional criminal investigations involve the analysis of several types of evidence. This can include ballistic or bloodstain patterns, gunpowder residue, tire tracks, and fingerprints (to name a few).

E-evidence is the digital equivalent of the physical evidence found at crime scenes.

When collected and handled properly, e-evidence can be just as useful in a court of law.


Introduction (Cont.)

The expansion of the Internet provides countless opportunities for crimes to be committed.

Digital technologies record and document electronic trails of information that can be analyzed later: e-mail, instant messages (IM), Web site visits, PDAs, iPods, smart phones, cookies, log files, application programs' run history, USB device mounting, etc. All of this provides a very rich environment for the forensic investigator.


Definition of Crime

A crime is an offensive act against society that violates a law and is punishable by the government.

Two important principles in this definition:
1. The act must violate at least one current criminal law.
2. It is the government (not the victim of the crime) that punishes the violator.


Crime Categories and Sentencing

Crimes are divided into two broad categories:

Felonies: serious crimes punishable by a fine and more than one year in prison.

Misdemeanors: lesser crimes punishable by a fine and up to one year in prison.

Sentencing guidelines give directions for sentencing defendants. Tougher sentencing guidelines for computer crimes came into effect in 2003. Since then these have been tested and fine-tuned to a certain extent.


Cyber Crime Categories

The terms computer crime, cyber crime, information crime, and high-tech crime are generally used interchangeably.

Two categories of offenses involve computers:

Computer as instrument: the computer is used to commit the crime.

Computer as target: the computer or its data is the target of the crime.

In some cases, the computer can be both the target and the instrument.

Computers as Targets

Viruses and worms; Trojan horses; theft of data; software piracy; trafficking in stolen goods; defacing corporate web sites.

Computers as Instrument of Crime

Embezzlement; stalking; gambling; pornography; counterfeiting; forgery; theft; identity theft; phishing; pyramid schemes; chain letters; etc.

Computers as Storage

Computer storage can also be involved in the crime. This is particularly true with the new “cloud-based” services.

If the data is stored or moves over an international border, it makes for some interesting (and complex) legal situations.

For example: off-shore gambling sites, credit card fraud rings, Wikileaks-type sites, etc.


Cybercrime Statutes and Acts

Generally, laws and statutes lag behind the "latest trends" in cyber crime. Given that an act isn't a crime until a law exists, this means that many exploits are allowed to happen at least once free of punishment.

Once a law exists, it is still a challenge for the statute to keep up with new cyber crime trends and abuses.


Civil vs. Criminal Charges

There are two major categories of legal charges: civil and criminal. Each has its own system of courts and procedures.

Civil charges are brought by a person or company. Parties must show proof that they are entitled to evidence.

Criminal charges can be brought only by the government. Law enforcement agencies have authority to seize evidence. Penalties are generally more severe and can include loss of liberty and/or life.


Comparing Criminal and Civil Laws

Objective
  Criminal law: to protect society's interests by defining offenses against the public
  Civil law: to allow an injured private party to bring a lawsuit for the injury

Purpose
  Criminal law: to deter crime and punish criminals
  Civil law: to deter injuries and compensate the injured party

Wrongful act
  Criminal law: violates a statute
  Civil law: causes harm to an individual, group of people, or legal entity

Who brings charges against an offender
  Criminal law: a local, state, or federal government body
  Civil law: a private party, i.e. a person, company, or group of people

Deals with
  Criminal law: criminal violations
  Civil law: noncriminal injuries

Authority to search for and seize evidence
  Criminal law: more immediate; law enforcement agencies have power to seize information, issue subpoenas, and obtain search warrants
  Civil law: parties need to show proof that they are entitled to evidence

Burden of proof
  Criminal law: beyond a reasonable doubt
  Civil law: preponderance of the evidence

Principal types of penalties or punishment
  Criminal law: capital punishment, fines, or imprisonment
  Civil law: monetary damages paid to victims or some equitable relief

Types of Cyber Crime

Generally speaking, there are two types of cyber crime: violent crime and non-violent crime.

Violent cyber crime: cyberterrorism, assault by threat, cyberstalking, pornography, ...

Non-violent cyber crime:

Cybertrespass

Cybertheft: embezzlement, unlawful appropriation, corporate/industrial espionage, plagiarism, credit card theft, identity theft, DNS cache poisoning

Cyberfraud

Destructive cyber crimes: deleting data or program files, vandalizing web pages, introducing viruses, worms, or malicious code, mounting a DoS attack


Information Warfare and Cyberterrorism

The terms "cyberterrorism", "cyber warfare", and "information warfare" are relatively new.

Basically, they are an extension of war into and through cyberspace.

It is an area that the U.S. military is moving into aggressively.

Legal defenses against cyberterrorism: the USA PATRIOT Act of 2001; the FBI's Computer Forensics Advisory Board.


Famous Examples of Cyber Crimes

Early cases that illustrate the importance of knowing the law regarding computer crimes.

Robert T. Morris Jr. (Morris worm): Morris was charged with violation of the Computer Fraud and Abuse Act (CFAA). He was sentenced to 3 years probation, 400 hours of community service, and a $10,050 fine.

Onel De Guzman (Love Bug virus): the Love Bug virus did an estimated $7 billion in damage in 2000. De Guzman was released because no law in the Philippines made what he had done a crime. Computer crimes can be prosecuted only if they violate existing laws.


Evidence Basics

Evidence is proof of a fact about what did or did not happen.

To be legally admissible, evidence must be reliable and relevant.

At a minimum, to be admissible, evidence requires legal search and seizure along with a valid chain of custody.

Three types of evidence can be used to persuade someone:
1. Testimony of a witness, based on the five senses
2. Physical evidence, anything tangible
3. Electronic evidence, digital (intangible) evidence


Evidence Basics

Testimony of a witness is traditionally considered the “best” form of evidence.

Physical and electronic evidence are “circumstantial” evidence.

Circumstantial evidence is not a direct statement from an eyewitness or participant. It can be admissible and can be quite strong. Many cases are decided strictly based on this type of evidence.

All e-evidence is, by its nature, circumstantial evidence.

Both cyber crimes and traditional crimes can leave cybertrails of evidence.


Types of Evidence

Artifact evidence— any change in evidence that causes the investigator to incorrectly think that the evidence relates to the crime.

Inculpatory evidence—evidence that supports a given theory.

Exculpatory evidence—evidence that contradicts a given theory.

Admissible evidence—evidence allowed to be presented at trial.

Inadmissible evidence—evidence that cannot be presented at trial.

Tainted evidence—evidence obtained from illegal search or seizure.


Types of Evidence (Cont.)

E-evidence — generic term for any electronic evidence. Destruction of e-evidence is called "spoliation" and can be treated as obstruction of justice.

Hearsay evidence—secondhand evidence. Generally inadmissible.

Expert testimony — generally admissible. Although it is opinion rather than first-hand observation, it is allowed as an exception to the general rule that witnesses testify only to facts they perceived (Fed. R. Evid. 702). This is not the same thing as an exception to the hearsay rule.

Material evidence—evidence relevant and significant to lawsuit

Immaterial evidence—evidence that is not relevant or significant

Documentary evidence —Physical or electronic evidence (which is also circumstantial).


Fourth Amendment Rights

Evidence is commonly collected through a search and subsequent seizure. There are very specific rules governing this process.

The Fourth Amendment of the U.S. Constitution protects against unreasonable searches and seizures. It covers individuals and corporations, and places such as the home, workplace, automobile, etc.

Law enforcement must show probable cause of a crime. There are several notable exceptions to this amendment.


In Practice: Search Warrant for Admissible Evidence

A search warrant is issued only if law enforcement provides sufficient proof that there is probable cause a crime has been committed.

The law officer must specify what premises, things, or persons will be searched in very exact terms.

Evidence discovered during legal search can be seized.

Evidence seized after an illegal search is tainted and is normally inadmissible.

Testimony

Testimony is a witness's statements made under oath, and it is evidence. Comments and arguments made by attorneys and the judge are not testimony and are not evidence. Demonstrative aids such as maps and models are likewise not evidence in themselves, although they may be admitted to illustrate evidence.

The job of the lawyer is to put evidence together into a crime hypothesis that makes sense.

Evidence that supports the hypothesis is inculpatory; evidence that contradicts the hypothesis is exculpatory.


Rules of Evidence and Expert Testimony

Federal Rules of Evidence (Fed. R. Evid.) determine admissibility of evidence in federal court.

According to Fed. R. Evid., electronic materials qualify as "originals" for court use as long as they are handled properly and are "accurate" copies of the original. In practice, an examiner demonstrates accuracy by computing a cryptographic hash of the original and of the copy and recording the matching values in the chain-of-custody record.

An expert witness is a qualified specialist who testifies in court.

Expert testimony is an exception to the rule that witnesses may not give opinions (lay opinion is limited by Fed. R. Evid. 701; expert opinion is allowed by Rule 702). This is distinct from the hearsay rule.
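As an added illustration, not part of the original slides, the script below shows how an examiner demonstrates that a working copy is an "accurate copy" of seized electronic material and keeps a chain-of-custody record alongside it. The evidence bytes, item identifier and examiner names are constructed sample data, and CustodyLog is a hypothetical minimal record written for this example rather than any standard tool.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample "evidence": a fake mailbox fragment standing in for an
# acquired file or disk image. Not real case data.
ORIGINAL_EVIDENCE = (
    b"From: alice@example.test\r\nTo: bob@example.test\r\n"
    b"Subject: Q3 numbers\r\n\r\nMove the figures before the audit.\r\n"
)


def sha256_hex(data: bytes) -> str:
    """Cryptographic fingerprint of an evidence item; any changed byte changes it."""
    return hashlib.sha256(data).hexdigest()


def acquire_copy(original: bytes) -> bytes:
    """Bit-for-bit working copy. Analysis is done on the copy, never the original."""
    return bytes(original)


def verify_copy(original_hash: str, copy_data: bytes) -> bool:
    """A copy is 'accurate' only if its hash equals the hash recorded at seizure."""
    return sha256_hex(copy_data) == original_hash


class CustodyLog:
    """Hypothetical chain-of-custody record: who handled which item, when, and
    what its hash was at that moment."""

    def __init__(self):
        self.entries = []

    def record(self, item_id, action, handler, data, when=None):
        entry = {
            "item": item_id,
            "action": action,
            "handler": handler,
            "sha256": sha256_hex(data),
            "time": (when or datetime.now(timezone.utc)).isoformat(),
        }
        self.entries.append(entry)
        return entry

    def consistent(self) -> bool:
        """Every entry for an item must carry the same hash as its first entry;
        a mismatch means the item changed while in custody (spoliation or error)."""
        first_hash = {}
        for e in self.entries:
            expected = first_hash.setdefault(e["item"], e["sha256"])
            if e["sha256"] != expected:
                return False
        return True


def demo():
    """Walk through seizure, copying, verification and a detected alteration.
    Returns (copy verified, altered copy verified, custody log consistent)."""
    log = CustodyLog()
    log.record("ITEM-001", "seized and hashed", "examiner A", ORIGINAL_EVIDENCE)

    working = acquire_copy(ORIGINAL_EVIDENCE)
    log.record("ITEM-001", "working copy made", "examiner A", working)
    ok_before = verify_copy(log.entries[0]["sha256"], working)

    # Simulate an accidental (or deliberate) modification of the working copy.
    altered = working.replace(b"before", b"after")
    ok_after = verify_copy(log.entries[0]["sha256"], altered)
    log.record("ITEM-001", "re-hashed after review", "examiner B", altered)

    return ok_before, ok_after, log.consistent()


if __name__ == "__main__":
    print(demo())
```

The recorded hash at seizure is what ties every later copy back to the original; once a copy fails verify_copy, nothing derived from it can be offered as an accurate copy, and the inconsistent custody log is exactly what opposing counsel would raise in discovery.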

Discovery

Discovery is the process whereby each party has a right to learn about the other's evidence. This is where it is determined whether evidence is relevant. All evidence must be disclosed in advance.

Evidence not disclosed in advance may be deemed inadmissible.

Includes information that must be provided by each party if requested.

There are many methods of discovery.


Discovery Methods

Interrogatories: written answers made under oath to written questions.

Requests for admissions: intended to ascertain the authenticity of a document or the truth of an assertion.

Requests for production: involves the inspection of documents and property.

Depositions: out-of-court testimony made under oath by the opposing party or other witnesses.


Electronic Discovery (E-Discovery)

Zubulake v. UBS Warburg (2003) is a landmark case involving e-discovery. Based on this case, courts recognized five categories of stored data:
1. Active, online data
2. Near-line data
3. Offline storage/archives
4. Backup tapes
5. Erased, fragmented, or damaged data

Demand for e-discovery increased based on this (and other related) rulings.


Increased Demand for E-Discovery

Most business operations and transactions are done on computers and stored on digital devices.

Most common means of communication are electronic.

People are candid in their e-mail and instant messages.

E-evidence is very difficult to completely destroy (but can be difficult to find).


Electronic Evidence: Technology and Legal Issues

Discovery requests for electronic information can lead to considerable labor. Why?

Electronic evidence is volatile and may be easily changed, so it requires extra care in handling.

Electronic evidence, conversely, is difficult to delete entirely, so traces must be located.

Fun fact: e-mail has become the most common type of e-evidence.


In Practice: Largest Computer Forensics Case in History—Enron

Government investigators searched more than 400 computers and handheld devices, plus over 10,000 backup tapes.

The investigation also included records from Arthur Andersen, Enron’s accounting firm.

“Explosive” e-mail from J.P. Morgan Chase employees about Enron was part of a related case.


Summary

E-evidence plays an important role in crime reconstruction.

Crimes are not limited to cyber crimes; cybertrails are left by many traditional crimes.

Without evidence of an act or activity that violates a statute, there is no crime.

Rules must be followed to gather, search for, and seize evidence in order to protect individual rights.


Summary (Cont.)

E-discovery refers to the discovery of electronic documents, data, e-mail, etc.

E-discovery is more complex than traditional discovery of information.

Tools used to recover lost or destroyed data can also be used in e-discovery of evidence.