
Louisiana Judicial College Louisiana Association for Justice

Windsor Court Hotel, New Orleans

February 18-19, 2016

EVIDENCE AND PROCEDURE SEMINAR: STEPS TO JUSTICE

Everyday Technology and Its Discovery

Jordan Ginsburg – United States Attorney’s Office Matthew Allison – Federal Bureau of Investigation

Everyday Technology and Its Discovery: Obtaining and Using Digital Evidence

Jordan Ginsberg
Assistant United States Attorney
Eastern District of Louisiana

Matthew Allison
Special Agent
Federal Bureau of Investigation

Topics

Background
Gathering Evidence
Using Evidence at Trial

CYBERCRIME

Illegal access to computer systems

Interference with data or computer systems

Online identity theft

Digital intellectual property crimes


ELECTRONIC EVIDENCE

Any crime can create electronic evidence

Computers (including mobile phones) store evidence of crimes

Computers (including mobile phones) are used for communication


Focus is on the substantive offenses.

Focus is on procedures for collecting evidence.

What is a “computer?”

Using a Computer in a Crime

An instrumentality (for traditional crimes)
  Illegal drug distribution
A means of storing evidence
  Child pornography
A weapon
  Hacking
  Cyber attacks

Computers Create Digital Evidence

Store evidence
  Child pornography
  Pirated movies
  Records of drug sales

Communication about or during crime
  Email
  Social networking
  Voice and video communications
  Transfer documents and photographs

MOST CRIMINALS DO NOT KNOW ABOUT THE DIGITAL EVIDENCE THEY CREATE!

Crimes Create Digital Evidence

Any crime can create electronic evidence
Cybercrimes - Computer used to commit crime
  Illegal access to computer systems – “hacking”
  Interference with data or computer systems
  Online identity theft

MOST CRIMINALS DO NOT KNOW ABOUT THE DIGITAL EVIDENCE THEY CREATE!

Electronic evidence can be fragile

Deleted by a keystroke
Deleted in normal course of business
Lost when computer turned off
Specialized knowledge and tools are needed to recover deleted data
Some data cannot be recovered

INVESTIGATORS MUST ACT QUICKLY TO PRESERVE DIGITAL EVIDENCE

Electronic evidence can endure... in multiple places

“Deleted” or altered data can sometimes be recovered
  Forensic analysis of computer drives and storage media
  Copies stored with service providers
Data may be recorded across many computers
Data does not naturally deteriorate over time

Electronic evidence is reliable... when proper steps are taken

Some disadvantages
  Users can alter or delete data
  Investigators must know how to identify, collect, and protect data
  Forensic analysis requires specialized knowledge and tools

Some advantages
  Computers keep records unbeknownst to most users
  Analysis can reveal and restore altered or deleted data
  A forensic, protected “image” of data is an exact copy of the data
  Analysis of the data can occur using the image
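As an added illustration (not part of the seminar materials), the following toy Python script shows two points made in the slides above: a forensic image is a bit-for-bit copy whose integrity is established by hashing it at acquisition and re-hashing the working copy later, and data a user has "deleted" can survive in unallocated sectors until overwritten, where signature carving can recover it. The disk layout, directory format, file contents and hashes are all constructed for the demonstration.

```python
import hashlib

SECTOR = 512
PDF_HEAD, PDF_TAIL = b"%PDF-", b"%%EOF"   # file signature used for carving

def build_toy_disk() -> bytearray:
    """Constructed 4-sector 'disk': sector 0 is a directory, sector 1 holds a PDF."""
    disk = bytearray(4 * SECTOR)
    pdf = PDF_HEAD + b"1.4 constructed evidence document " + PDF_TAIL
    disk[SECTOR:SECTOR + len(pdf)] = pdf
    entry = b"report.pdf|start=1|len=%d\n" % len(pdf)   # toy directory entry
    disk[:len(entry)] = entry
    return disk

def list_files(disk: bytes) -> list[str]:
    """What a normal user (or the OS) sees: only the directory entries."""
    text = bytes(disk[:SECTOR]).rstrip(b"\x00").decode()
    return [line.split("|")[0] for line in text.splitlines() if line]

def user_delete(disk: bytearray, name: str) -> None:
    """'Deleted by a keystroke': drop the directory entry, leave the data sectors."""
    lines = bytes(disk[:SECTOR]).rstrip(b"\x00").decode().splitlines()
    kept = "\n".join(l for l in lines if not l.startswith(name + "|"))
    disk[:SECTOR] = (kept.encode() + b"\n" if kept else b"").ljust(SECTOR, b"\x00")

def acquire(disk: bytes) -> tuple[bytes, str]:
    """Forensic imaging: a bit-for-bit copy plus its SHA-256 acquisition hash."""
    image = bytes(disk)
    return image, hashlib.sha256(image).hexdigest()

def verify(image: bytes, acquisition_hash: str) -> bool:
    """Re-hash the working copy; any change since acquisition breaks the match."""
    return hashlib.sha256(image).hexdigest() == acquisition_hash

def carve_pdfs(image: bytes) -> list[bytes]:
    """Recover PDFs by header/footer signature, ignoring the directory entirely."""
    found, pos = [], 0
    while (start := image.find(PDF_HEAD, pos)) != -1:
        end = image.find(PDF_TAIL, start)
        if end == -1:
            break
        found.append(image[start:end + len(PDF_TAIL)])
        pos = end + len(PDF_TAIL)
    return found

def demo() -> dict:
    disk = build_toy_disk()
    before = list_files(disk)               # ['report.pdf']
    user_delete(disk, "report.pdf")
    after = list_files(disk)                # [] - gone as far as the user can tell
    image, acq_hash = acquire(disk)         # analysis happens on the image, not the device
    carved = carve_pdfs(image)              # the PDF bytes still sit in sector 1
    tampered = bytearray(image)
    tampered[SECTOR] ^= 0xFF                # flip one byte of a working copy
    return {"before": before, "after": after, "carved": len(carved),
            "image_intact": verify(image, acq_hash),
            "tampered_intact": verify(bytes(tampered), acq_hash)}
```

Running `demo()` shows one file before deletion, none after, one PDF carved from the image anyway, and a hash that matches for the untouched image but fails for the altered copy.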

THE INVESTIGATION

Investigative Steps
  Follow the evidence
  Preserve evidence (where possible)
  Obtain off-site evidence (staying covert)
  Gather on-site evidence
  Save the evidence (and keep it safe!)
  Analyze the evidence

Keep it trial ready!

Off-Site Evidence – Internet Service Providers

Service providers are between suspects and the rest of the world

Service providers possess important digital evidence
  Customer/subscriber information
  Traffic data (logs) – stored and prospective
  Content (copies) – stored and prospective

Types of Evidence Available from ISPs

E-mail Address
IP Address
Cell Tower Location
Content

E-mails
Social Media Messages
GPS Location

Preserving Off-Site Evidence


Off-Site Preservation

Title 18, United States Code, Section 2703(f):

(1) In general.—A provider of wire or electronic communication services or a remote computing service, upon the request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.

(2) Period of retention.—Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90-day period upon a renewed request by the governmental entity.


Obtaining Off-Site Evidence

Subpoena: Non-content
Search Warrant: Content

How Do You Know?

Content vs. Non-Content

Non-Content
  Subscriber Info
  IP Address used to access account
  Credit card used to pay for service
  Cell Tower Location

Legal Requirement
  Court Order/Subpoena
  Only demonstrative relevance

Obtaining Off-Site Evidence

Subpoena: Non-content

Search Warrant: Content
  Email
  Cloud storage
  Private messages
  **Prospective GPS Location Information

Court Order
  Historical cell-site location information

CELL-SITE DATA (CSLI)

In re: Application for Historical Cell Site Data, 724 F.3d 600 (5th Cir. 2013)

2703(d) order is sufficient to get historical cell site records because
  A 3rd party is recording the information for non-law enforcement reasons (business records)
  Users know about cell towers (bars!)
  They choose to make a call (like sending a letter?)
  Contractual terms of service

Upheld post-Riley, United States v. Guerrero, 2014 WL 4476565 (5th Cir. 2014)

Off-Site Search Warrant: 18 U.S.C. 2703

Probable cause to believe that the account contains evidence and instrumentalities utilized in the commission or furtherance of a crime, signed by a judge

In the jurisdiction where the provider is located, where the offense occurred, or where the offense is being investigated

Served on the provider (like a subpoena)
Provider isolates the account, creates an exact duplicate, and transmits it to the agent
“Minimization” not necessary
Date restrictions are allowable

Subscriber Notification (“Thank you Mr. Snowden”)

Many electronic communication service providers notify subscribers after receiving “legal process”
  Facebook, Yahoo!, Google, Twitter, Apple, Instagram, LinkedIn, Microsoft, Pinterest
  Includes GJ and administrative subpoenas

NOT preservation letters (except Twitter or Wordpress), per the provider

Typically 60-90 days until disclosure… unless “prohibited by law.”

So…2705(b) Non-Disclosure Order


On-Site Evidence: The Search

Where to Find Evidence

On-site
  A criminal’s devices
    Computers
    Tablets
    Cell phone
    Storage drives/USB drives/CDs/DVDs
    GPS
    Printers
    “Smart” watches
    Automobile

The Evolution of Privacy Law in a Digital World

City of Ontario, CA v. Quon, 560 U.S. 746 (2010)
Takeaways:
  4th A. protections apply to government employers
  Unclear whether a reasonable expectation of privacy exists
  “Workplace needs” justification controls, and search was reasonable

United States v. Jones, 132 S. Ct. 945 (2012)
Takeaways:
  A late search = no search warrant
  GPS on cars (even in public space) violates the 4th

Riley v. California, 134 S.Ct. 2473 (2014)

Facts
Consolidated 2 cases:
  California v. Riley: Traffic violation & Weapons charge
    Smartphone
    Pictures, videos, and terms = Gang ties
  United States v. Wurie (Mass.): Flip phone
    Receiving calls from “my house”
    Drug sale and Search Warrant

Searching Cellular Phones

Riley v. California, 134 S.Ct. 2473 (2014):
YOU CANNOT SEARCH A CELL PHONE INCIDENT TO ARREST WITHOUT A WARRANT

(Court focused on volume and breadth of data available on cell phone, ability to access “the cloud,” ubiquity of cell phones, and distinguished “other objects”)

The Life of Riley (cont.)

Strategy: Go for the phone first!
  Ok to have limited access (unlock = secure)
  Faraday bag!!!!

Anticipatory Search Warrants on the rise?
  “Exigent circumstances”

iPhone 6, iOS 8 (no ability to decrypt)

Compelling disclosure of password
  Biometric
  Password as “foregone conclusion?”

Must seek DOJ approval

The Life of Riley (finally)

Increased recognition for remote/electronic signing of warrants
  It’s in Riley!
  It’s the 21st century!

What is “probable cause” for a cell phone search warrant?
  Everyone has one! Everyone uses one!
  Nebraska v. Henderson, 289 Neb. 371 (Neb. Oct. 17, 2015)

Forensic Analysis

Digital Forensics is the science of gathering, retrieving and evaluating electronically stored data, with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information.

The Forensic Process
  • Identification
  • Integrity of Evidence
  • Preservation
  • Extraction
  • Analysis
  • Documentation
  • Factual Reporting of the Information Found

THE PROSECUTION:USING DIGITAL EVIDENCE AT TRIAL


Evidentiary

Evidence is easy to destroy/lose
  Locate! Preserve! Obtain!
Takes a lot of time to review
Often requires relying on experts
Admissibility
Simplification

Choosing an Expert

Qualifications
Location
Cost
Bias?
Ability to communicate clearly and simply

Evidence Admissibility

“Informal” evidence not admissible in court
Requirements for admissibility
  Authentication (“official” documentation)
  Custodian of records

Evidence Admissibility (cont.)

Place of manufacture
Location of servers
Accuracy of content
Time and date
Rules of usage

Will a defendant oppose admission?
Is there another reason to use a custodian?

Evidence Admissibility: Certification


Evidence Simplification

Is the data understandable?
  Bank records are familiar
    Not true with E-Bay or PayPal
  Telephone records are simple
    Not true with all electronic records (cell-tower data)
  Information is often proprietary
    A custodian can help explain

Questions?

Matthew Allison
Special Agent
Federal Bureau of Investigation
(504) [email protected]

Jordan Ginsberg
Assistant United States Attorney
Eastern District of Louisiana
(504) [email protected]

Matthew F. Allison

After obtaining a BS in Computer Science and a BS in Mechanical Engineering from the University of Texas and working in Research and Development in the Oilfield for 5 years, SA Allison joined the FBI in 2010. For the past 6 years, SA Allison has investigated Cyber Crimes and Crimes against Children involving the use of a computer. SA Allison regularly identifies, preserves, collects, seizes, searches, and maintains digital evidence as part of his investigations.

Jordan Ginsberg

Jordan Ginsberg is an Assistant United States Attorney in the Eastern District of Louisiana and the Deputy Supervisor of the Office's Fraud Unit. Mr. Ginsberg specializes in the prosecution of various complex white-collar and cybercrimes, including public corruption, financial and health care fraud, computer intrusion, intellectual property violations, and child exploitation and trafficking. Mr. Ginsberg has successfully tried numerous cases concerning financial, computer, and violent crimes, including the first juvenile sex trafficking matter in the Eastern District of Louisiana, and he has argued before the Fifth and Seventh Circuit Courts of Appeals. He also serves as the Office's Computer Hacking and Intellectual Property (CHIP) coordinator and is an Associate Professor at Tulane Law School, where he is a member of the Trial Advocacy Faculty. Jordan graduated summa cum laude from Washington and Lee University in 2001 and from the University of Chicago Law School with honors in 2004. After law school, Mr. Ginsberg served as a law clerk in the Northern District of Illinois for the Honorable Mark Filip.