Page 1: Computer Forensics BACS 371

Applicable Laws and Statutes

Page 2: Outline

- Basic Categories of Computer Crime
- Constitutional Amendments
- Relevant Laws & Statutes
  - Pen/Trap Statute
  - Federal Wiretap Act
  - Electronic Communications Privacy Act (ECPA)
  - Privacy Protection Act
  - Foreign Intelligence Surveillance Act (FISA)
  - Computer Fraud & Abuse Act (CFAA)
  - U.S. Patriot Act

Page 3: Categories of Computer Crime [1]

- A computer can be the object of a crime
- A computer can be the subject of a crime
- The computer can be used as the tool for conducting or planning a crime
  - Includes compromising a computer and using that computer as a source for further attacks
- The symbol of the computer itself can be used to intimidate or deceive
- The most significant omission, according to Casey, is computers as sources of digital evidence

[1] From Donn Parker as described in Eoghan Casey, Digital Evidence and Computer Crime

Page 4: USDOJ Categories [1]

1. Hardware as Contraband or Fruits of a Crime
2. Hardware as an Instrumentality
3. Hardware as Evidence
4. Information as Contraband or Fruits of a Crime
5. Information as an Instrumentality
6. Information as Evidence

[1] US Dept of Justice, Search and Seizure Guidelines Document

Page 5: Case/Incident Resolution Process [1]

[1] From Donn Parker as described in Eoghan Casey, Digital Evidence and Computer Crime, p 50

Page 6: Categories of Computer Crime

- Computers as targets
- Computers as storage devices
- Computers as communication tools

Same ole stuff, but computers are involved!!

Page 7: Computers as Targets

- Viruses and worms
- Trojan Horses
- Theft of Data
- Software Piracy
- Trafficking in stolen goods
- Defacing Corporate web sites

Page 8: Computers as Means (tool)

- Embezzlement
- Stalking
- Gambling
- Pornography
- Counterfeiting
- Forgery
- Theft
- Identity theft
- Phishing
- Pyramid schemes
- Chain letters

Page 9: Computers as Storage

- Drug trafficking
- Bookmaking
- Burglary
- Homicide
- Child pornography

Page 10: Web Related Crime

- Cyber-squatting
- Internet gambling
- Cyber stalking and harassment
- Child pornography
- Drug dealing
- Cyber terrorism
- Cyberplanning

Page 11: The Key Point…

- The main point is that computers can be used in a wide variety of criminal activities.
- Since a “crime” requires an existing statute, that places a heavy burden on law makers.
- More often than not, the law lags behind the crimes that are in progress.
- The remainder of this slide set talks about the legal “weapons” against cyber crime.

Page 12: Constitutional Amendments

- There are several Constitutional Amendments that are directly related to computer forensics.
- The most important one is the 4th Amendment.
  - It protects people from “unreasonable” searches by government agents without probable cause.
  - Apart from a set of recognized “exceptions”, this right cannot be impinged upon.
  - It is important for you to understand it because failure to follow it can render evidence inadmissible.

Page 13: Constitutional Amendments

- Other Amendments important to the forensic analyst are the 1st, 5th, and 14th.
- The 1st Amendment guarantees the right to freedom of speech and religion. Privileged information and what constitutes the “press” are the links to forensics.
- The 5th relates to self-incrimination and guarantees “due process of the law” (which links to forensics).
- The 14th came about after the Civil War and also supports the notion of “due process of the law.”

Page 14: Laws and Statutes

- As criminals devise new ways to use computers for crime, the justice system attempts to keep up by making new laws.
- These laws are written in response to criminal activity that has already occurred.
- As technology progresses, the laws have to be re-written and amended.
- The following are the major laws and statutes used to fight cyber crime.

Page 15: Pen/Trap Statute

- Governs the collection of non-content traffic data (i.e., “metadata”), such as numbers dialed by a particular phone.
- Section 216 of the Patriot Act updates the statute in three ways:
  1. Law enforcement may use pen/trap orders to trace communications on the Internet and other networks
  2. Pen/trap orders issued by federal courts have nationwide effect
  3. Law enforcement must file a special report when they use a pen/trap order to install their own monitoring device on computers belonging to a public provider

Page 16: Title III of the Omnibus Crime Control and Safe Streets Act of 1968, aka “Federal Wiretap Act”

- 18 USC §§ 2510-2522
- Covers illegal interception of voice and electronic communications in real time as they traverse networks.
- Protects against unauthorized interception of communication
- Delineates specific requirements for wiretapping:
  - Requires probable cause
  - Requires court approval
  - Requires that alternative avenues be exhausted
  - “Innocent” conversations must be excluded
  - Requires disclosure of surveillance upon conclusion of the investigation

Page 17: Electronic Communications Privacy Act of 1986

- The ECPA (18 USC §§ 2701 – 2712) deals primarily with stored computer files that have been transmitted over a network.
- 3 main categories are covered:
  1. Communications (e-mail, voicemail, other files)
  2. Transactional data (logs of who called whom)
  3. Subscriber/session information
- Basically, it amended Title III of the Wiretap Act to extend to different types of electronic communications (including e-mail).

Page 18: Electronic Communications Privacy Act of 1986

- Title I
  - Statutory procedures for intercepting wire, oral, and electronic communications
  - Extended to digital communications and non-common carrier communications
- Title II – Stored Communications Act
  - Protects communications not in transmission which have been stored in some way
- Title III
  - Provides for law enforcement monitoring of electronic communications

Page 19: Requirements Under Title III

- Must be authorized by a Federal District Court Judge
- Must demonstrate probable cause – with specifics
- Must identify previous attempts at evidence collection and indicate why they were unsuccessful
- Generally limited to 30 days
- Progress reports must be issued every 7-10 days
- Surveillance must be terminated when the objective is met
- Subjects must be notified when surveillance is terminated
- Service providers must cooperate with authorities possessing a valid court order
- After surveillance, the subject must be given an inventory of what was catalogued.
- Any party to an illegal interception may be charged with a Federal offense punishable by 5 years in prison and/or a fine

Page 20: ECPA Information Categories

(Listed from less difficult to acquire to more difficult to acquire.)

- Basic Subscriber Information
  - Name, address, telephone connection records, length of service, subscriber identity, means and sources of payment
- Records Pertaining to a Subscriber
  - Account logs, cell site data, e-mail addresses, …
- Contents
  - Actual files stored in the account
  - “Electronic Storage” contents for ECS providers
  - Contents stored by Remote Computer Service (RCS) providers
  - Contents held by neither

Page 21: ECPA Mechanisms for Government Entity to Compel Disclosure

(Listed from less difficult to acquire to more difficult to acquire.)

- Subpoena
  - Basic Subscriber information
- Subpoena without Prior Notice
  - Opened e-mail
- Court Order
  - Account logs and transactional records
- Court Order without Prior Notice
  - Everything in an account except for unopened e-mail
- Search Warrant
  - Full contents of account
  - No notice to subscriber required

Page 22: Privacy Protection Act of 1980

- PPA (42 USC § 2000)
- Unlawful for local, state, or Federal law enforcement authorities to search or seize those materials which may be publishable
- Expanded the 1968 Wiretap Act to include electronic bulletin boards
- Protects:
  - “work product” including impressions, conclusions, opinions, or theories
  - “documentary materials” including mechanically, magnetically, or electronically recorded cards, tapes or discs

Page 23: Privacy Protection Act of 1980

- Matters when a search may result in seizure of 1st Amendment materials (publishing, …)
- “Congress probably intended the PPA to apply only when law enforcement intentionally targeted First Amendment material that related to a crime.”
- Incidental seizure of PPA-protected material commingled on a suspect’s computer with evidence of a crime does not give rise to PPA liability.
- However, a subsequent search of such material was mostly forbidden

Page 24: Foreign Intelligence Surveillance Act (FISA) of 1978

- Regulates wiretaps in national security cases
- Broader than Title III
  - Allows more invasive searches
  - Lower probable-cause threshold
- Differences
  - No requirement to disclose content or existence of surveillance
  - No protection for non-US citizens
  - For citizens, probable cause of engagement in criminal activity is required
  - For others, suspicion of criminal activity is not required

Page 25: Computer Fraud and Abuse Act (CFAA)

- First law to address computer crime in which the computer is the subject of the crime
- First law that does not have an analog to traditional crime
- CFAA has been used to prosecute virus creators, hackers, information and identity thieves, and people who use computers to commit fraud

Page 26: Computer Fraud and Abuse Act of 1986

- Originally, very narrow in scope and not very effective
- Makes it…
  - A felony to knowingly access a computer without authorization, or in excess of authorization, in order to obtain classified United States defense or foreign relations information.
  - A misdemeanor to knowingly access a computer without authorization, or in excess of authorization, in order to obtain information contained in a financial record of a financial institution or in a consumer file of a consumer reporting agency.
  - A misdemeanor to knowingly access a computer without authorization, or in excess of authorization, in order to use, modify, destroy, or disclose information in, or prevent authorized use of, a computer operated on behalf of the United States if such conduct would affect the government’s use of the computer.
- The Act also made it a crime to attempt to or conspire to commit any of the three acts defined above.

Page 27: Computer Fraud and Abuse Act of 1986 - Revised

- Original Act was modified to include:
  - Federal Interest Computer – expanded to include any computer which is used in interstate or foreign commerce or communications
  - Expanded criminal intent from “knowingly” to “intentionally”
  - Made it a misdemeanor to gain unauthorized access to
    - financial information from any financial institution or credit reporting agency,
    - any information in the possession of the government,
    - any private information where the defendant’s conduct involved interstate or foreign commerce
  - A felony if the activity involved an expectation of gain or if the offense was in the furtherance of another crime
- Current Act protects computers involved in Interstate commerce or communication, Federal Interest, Government computers
- Illegal actions included theft, destruction, or corruption of sensitive information

Page 28: Computer Fraud and Abuse Act of 1986 – Further Amendments

- 1988
  - Protections expanded to include all FDIC-insured institutions
- 1990
  - Expanded protections to foreign banks
- 1994
  - Developed three levels of intent
    - Intentional – did it on purpose
    - Reckless – should have known better
    - Negligent – you were careless, but didn’t mean to
  - Incorporated provisions for Denial of Service (DoS) attacks and potential harm to systems or components

Page 29: Key Terms in the CFAA

Key Term            This Term Means . . .
Protected computer  A protected computer means a computer that:
                    - Is used by a financial institution
                    - Is used by the U.S. government
                    - Affects domestic, interstate commerce
                    - Affects foreign commerce
Authorized access   Two categories of unauthorized access:
                    - Without authorization
                    - Exceeding authorized access
Damage              Damage is defined as any impairment to the integrity or availability of data

Page 30: Key Terms in the CFAA (Cont.)

Key Term   This Term Means . . .
Loss       Any reasonable cost to any victim, including:
           - Responding to an offense
           - Conducting a damage assessment
           - Restoring the data, program, etc.
           - Lost revenue or other damages
Conduct    Determines if the damage done was:
           - Intentional conduct
           - Reckless conduct
           - Negligent

Page 31: USA PATRIOT Act [1]

- Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
- Greatly broadened the FBI’s authority to gather electronic evidence
- Allows:
  - Interception of voice communications in computer hacking cases
  - Tracing of communications on the Internet
  - Subpoenas for cable company records
  - Interception of communications of computer trespassers
  - ISPs to disclose content and non-content information in emergency situations
  - Nationwide search warrants for e-mail
  - “Sneak & Peek” – permits the investigator to delay notification of a “search”
  - Establishment of Regional Computer Forensic laboratories

[1] http://www.usdoj.gov/criminal/cybercrime/PatriotAct.htm