Introduction
Traditional criminal investigations involve the analysis of several types of evidence. This can include ballistic or bloodstain patterns, gunpowder residue, tire tracks, and fingerprints (to name a few).
E-evidence is the digital equivalent of the physical evidence found at crime scenes.
When collected and handled properly, e-evidence can be just as useful in a court of law.
Introduction (Cont.)
The expansion of the Internet provides countless opportunities for crimes to be committed.
Digital technologies record and document electronic trails of information that can be analyzed later: e-mail, instant messages (IM), Web site visits, PDAs, iPods, smart phones, cookies, log files, application programs’ run history, USB mounting, etc. All this provides a very rich environment for the forensic investigator.
Definition of Crime
A crime is an offensive act against society that violates a law and is punishable by the government.
Two important principles in this definition:
1. The act must violate at least one current criminal law.
2. It is the government (not the victim of the crime) that punishes the violator.
Crime Categories and Sentencing
Crimes are divided into two broad categories:
Felonies—serious crimes punishable by fine and more than one year in prison.
Misdemeanors—lesser crimes punishable by fine and less than one year in prison.
Sentencing guidelines give directions for sentencing defendants. Tougher sentencing guidelines for computer crimes came into effect in 2003. Since then these have been tested and fine-tuned to a certain extent.
Cyber Crime Categories
The terms computer crime, cyber crime, information crime, and high-tech crime are generally used interchangeably.
Two categories of offenses that involve computers:
Computer as instrument—the computer is used to commit the crime.
Computer as target—the computer or its data is the target of the crime.
In some cases, the computer can be both the target and the instrument.
Computers as Targets
Viruses and worms
Trojan horses
Theft of data
Software piracy
Trafficking in stolen goods
Defacing corporate Web sites
Computers as Instrument of Crime
Embezzlement
Stalking
Gambling
Pornography
Counterfeiting
Forgery
Theft
Identity theft
Phishing
Pyramid schemes
Chain letters
etc.
Computers as Storage
Computer storage can also be involved in the crime. This is particularly true with the new “cloud-based” services.
If the data is stored or moves over an international border, it makes for some interesting (and complex) legal situations.
For example:
Off-shore gambling sites
Credit card fraud rings
Wikileaks-type sites…
Cybercrime Statutes and Acts
Generally, laws and statutes lag behind the “latest trends” in cyber crime. Given that an act isn’t a crime until a law exists, this means that many exploits are allowed to happen at least once free of punishment.
Once a law exists, it is still a challenge for the statute to keep up with new cyber crime trends and abuses.
Civil vs. Criminal Charges
There are two major categories of charges: civil and criminal. Each has its own system of courts and procedures.
Civil charges are brought by a person or company. Parties must show proof they are entitled to evidence.
Criminal charges can be brought only by the government. Law enforcement agencies have authority to seize evidence. Penalties are generally more severe and can include loss of liberty and/or life.
Comparing Criminal and Civil Laws
Objective
  Criminal law: to protect society’s interests by defining offenses against the public
  Civil law: to allow an injured private party to bring a lawsuit for the injury
Purpose
  Criminal law: to deter crime and punish criminals
  Civil law: to deter injuries and compensate the injured party
Wrongful act
  Criminal law: violates a statute
  Civil law: causes harm to an individual, group of people, or legal entity
Who brings charges against an offender
  Criminal law: a local, state, or federal government body
  Civil law: a private party (a person, company, or group of people)
Deals with
  Criminal law: criminal violations
  Civil law: noncriminal injuries
Authority to search for and seize evidence
  Criminal law: more immediate; law agencies have power to seize information and issue subpoenas or search warrants
  Civil law: parties need to show proof that they are entitled to evidence
Burden of proof
  Criminal law: beyond a reasonable doubt
  Civil law: preponderance of the evidence
Principal types of penalties or punishment
  Criminal law: capital punishment, fines, or imprisonment
  Civil law: monetary damages paid to victims or some equitable relief
Types of Cyber Crime
Generally speaking, there are two types of cyber crime: violent crime and non-violent crime.
Violent cyber crime:
Cyberterrorism
Assault by threat
Cyberstalking
Pornography
…
Non-violent cyber crime:
Cybertrespass
Cybertheft: embezzlement, unlawful appropriation, corporate/industrial espionage, plagiarism, credit card theft, identity theft, DNS cache poisoning
Cyberfraud
Destructive cyber crimes: deleting data or program files, vandalizing web pages, introducing viruses, worms, or malicious code, mounting a DoS attack
Information Warfare and Cyberterrorism
The terms “cyberterrorism”, “cyber warfare”, and “information warfare” are relatively new.
Basically, these are an extension of war into and through cyberspace.
It is an area that the U.S. military is moving into aggressively.
Legal defenses against cyberterrorism:
USA PATRIOT Act of 2002
FBI’s Computer Forensics Advisory Board
Famous Examples of Cyber Crimes
Early cases that illustrate the importance of knowing the law regarding computer crimes.
Robert T. Morris Jr. (Morris worm): Morris was charged with violation of the Computer Fraud and Abuse Act (CFAA). Morris was sentenced to 3 years’ probation, 400 hours of community service, and a $10,500 fine.
Onel De Guzman (Lovebug virus): the Lovebug virus did $7 billion in damage in 2000. De Guzman was released because no law in the Philippines made what he had done a crime. Computer crimes can be prosecuted only if they violate existing laws.
Evidence Basics
Evidence is proof of a fact about what did or did not happen.
To be legally admissible, evidence must be reliable and relevant.
At a minimum, to be admissible, evidence requires legal search and seizure along with a valid chain of custody.
Three types of evidence can be used to persuade someone:
1. Testimony of a witness – based on the 5 senses
2. Physical evidence – anything tangible
3. Electronic evidence – digital (intangible) evidence
Evidence Basics (Cont.)
Testimony of a witness is traditionally considered the “best” form of evidence.
Physical and electronic evidence are “circumstantial” evidence.
Circumstantial evidence is not a direct statement from an eyewitness or participant. It can be admissible and can be quite strong. Many cases are decided strictly based on this type of evidence.
All e-evidence is, by its nature, circumstantial evidence.
Both cyber crimes and traditional crimes can leave cybertrails of evidence.
Types of Evidence
Artifact evidence— any change in evidence that causes the investigator to incorrectly think that the evidence relates to the crime.
Inculpatory evidence—evidence that supports a given theory.
Exculpatory evidence—evidence that contradicts a given theory.
Admissible evidence—evidence allowed to be presented at trial.
Inadmissible evidence—evidence that cannot be presented at trial.
Tainted evidence—evidence obtained from illegal search or seizure.
Types of Evidence (Cont.)
E-evidence — generic term for any electronic evidence. Destruction of e-evidence is called “spoliation” and is considered “obstruction of justice”.
Hearsay evidence—secondhand evidence. Generally inadmissible.
Expert testimony — is generally admissible. It is an exception to the hearsay rule.
Material evidence—evidence relevant and significant to a lawsuit.
Immaterial evidence—evidence that is not relevant or significant.
Documentary evidence—physical or electronic evidence (which is also circumstantial).
Fourth Amendment Rights
Evidence is commonly collected through a search and subsequent seizure. There are very specific rules governing this process.
The Fourth Amendment of the U.S. Constitution protects against unreasonable searches and seizures. It covers individuals and corporations: home, workplace, automobile, etc.
Law enforcement must show probable cause of a crime. There are several notable exceptions to this amendment.
In Practice: Search Warrant for Admissible Evidence
A search warrant is issued only if law enforcement provides sufficient proof that there is probable cause a crime has been committed.
The law officer must specify what premises, things, or persons will be searched in very exact terms.
Evidence discovered during legal search can be seized.
Evidence seized after an illegal search is tainted and is normally inadmissible.
Testimony
Testimony – comments and arguments made by attorneys, judges, and others. Could also be maps, models, etc. Testimony is not evidence, but may be admissible and allowed as evidence.
The job of the lawyer is to put evidence together into a crime hypothesis that makes sense.
Evidence that:
Supports the hypothesis = inculpatory
Contradicts the hypothesis = exculpatory
Rules of Evidence and Expert Testimony
Federal Rules of Evidence (Fed. R. Evid.) determine admissibility of evidence.
According to Fed. R. Evid., electronic materials qualify as “originals” for court use as long as they are handled properly and are “accurate” copies of the original.
An expert witness is a qualified specialist who testifies in court.
Expert testimony is an exception to the rule against giving opinions in court (i.e., the “hearsay rule”).
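To make “accurate copy” and “valid chain of custody” concrete, here is an added example (not from the original slides) that checks a copy against the original by SHA-256 digest and records every handover so that any alteration between handlers is visible; the evidence bytes, item id and handler names are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of a byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def verify_copy(original: bytes, copy: bytes) -> bool:
    """A copy counts as 'accurate' only if its digest equals the original's."""
    return sha256_hex(original) == sha256_hex(copy)


def custody_entry(item_id: str, handler: str, action: str, data: bytes,
                  expected_hash: Optional[str] = None) -> dict:
    """Build one chain-of-custody record. When the previous handler's digest is
    supplied, the record also states whether the item is unchanged since then."""
    digest = sha256_hex(data)
    entry = {
        "item": item_id,
        "handler": handler,
        "action": action,
        "sha256": digest,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }
    if expected_hash is not None:
        entry["matches_previous"] = (digest == expected_hash)
    return entry


def chain_is_intact(log: list) -> bool:
    """Every record must carry the same digest as its predecessor; one mismatch
    means the item was altered somewhere along the chain."""
    return all(a["sha256"] == b["sha256"] for a, b in zip(log, log[1:]))


# Constructed sample 'evidence': a short message standing in for an acquired image.
ORIGINAL = b"From: alice@example.test\r\nSubject: Q3 numbers\r\n\r\nSee attached.\r\n"
GOOD_COPY = bytes(ORIGINAL)
TAMPERED_COPY = ORIGINAL.replace(b"Q3", b"Q4")  # one altered field

if __name__ == "__main__":
    log = [custody_entry("EX-001", "collector", "acquired", ORIGINAL)]  # placeholder ids
    log.append(custody_entry("EX-001", "examiner", "received", GOOD_COPY, log[-1]["sha256"]))
    print(json.dumps(log, indent=2))
    print("copy accurate:", verify_copy(ORIGINAL, GOOD_COPY))
    print("tampered copy accurate:", verify_copy(ORIGINAL, TAMPERED_COPY))
```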
Discovery
Discovery is the process whereby each party has a right to learn about the other’s evidence. This is where it is determined if evidence is relevant. All evidence must be disclosed in advance.
Evidence not disclosed in advance may be deemed inadmissible.
Includes information that must be provided by each party if requested.
There are many methods of discovery.
Discovery Methods
Interrogatories: written answers made under oath to written questions
Requests for admissions: intended to ascertain the authenticity of a document or the truth of an assertion
Requests for production: involves the inspection of documents and property
Depositions: out-of-court testimony made under oath by the opposing party or other witnesses
Electronic Discovery (E-Discovery)
Zubulake v. UBS Warburg (2003) - landmark case involving e-discovery. Based on this case, courts recognized five categories of stored data:
1. Active, online data
2. Near-line data
3. Offline storage/archives
4. Backup tapes
5. Erased, fragmented, or damaged data
Increased demand for e-discovery based on this (and other related) rulings.
Increased Demand for E-Discovery
Most business operations and transactions are done on computers and stored on digital devices.
Most common means of communication are electronic.
People are candid in their e-mail and instant messages.
E-evidence is very difficult to completely destroy (but can be difficult to find).
Electronic Evidence: Technology and Legal Issues
Discovery requests for electronic information can lead to considerable labor. Why?
Electronic evidence is volatile and may be easily changed. It requires extra care.
Electronic evidence, conversely, is difficult to delete entirely. Traces must be located.
Fun fact: e-mail evidence has become the most common type of e-evidence.
In Practice: Largest Computer Forensics Case in History—Enron
Government investigators searched more than 400 computers and handheld devices, plus over 10,000 backup tapes.
The investigation also included records from Arthur Andersen, Enron’s accounting firm.
“Explosive” e-mail from J.P. Morgan Chase employees about Enron was part of a corollary case.
Summary
E-evidence plays an important role in crime reconstruction.
Crimes are not limited to cyber crimes; cybertrails are left by many traditional crimes.
Without evidence of an act or activity that violates a statute, there is no crime.
Rules must be followed to gather, search for, and seize evidence in order to protect individual rights.