It’s a It’s a ComputerComputer, M’Lud!, M’Lud!

Neil BarrettNeil Barrett

IntroductionIntroduction

The law and computersThe law and computers The nature of computer evidenceThe nature of computer evidence Obtaining evidence from computersObtaining evidence from computers Preparing statements for courtPreparing statements for court The role of the expert witnessThe role of the expert witness Courtroom experienceCourtroom experience Current defence strategies and tacticsCurrent defence strategies and tactics The future for computer evidenceThe future for computer evidence

The Law and ComputersThe Law and Computers

Computer Misuse Act 1990Computer Misuse Act 1990 Data Protection Act 1998Data Protection Act 1998 Laws of PornographyLaws of Pornography

Obscene Publications Act 1959Obscene Publications Act 1959 Protection of Children Act 1978Protection of Children Act 1978 Criminal Justice Act 1988Criminal Justice Act 1988

Laws of ‘Harm’Laws of ‘Harm’ Theft Act 1968/1978Theft Act 1968/1978 Offences Against the Person Act 1861Offences Against the Person Act 1861

Computer Misuse Act 1990Computer Misuse Act 1990

Data is not ‘Property’Data is not ‘Property’ Oxford v Moss 1978Oxford v Moss 1978 ““Confidential information is not property”Confidential information is not property”

Accessing a computer illicitly is not ‘Fraud’Accessing a computer illicitly is not ‘Fraud’ R v Gold 1988R v Gold 1988 A password is not a ‘false instrument’A password is not a ‘false instrument’

Judicial review produces a new lawJudicial review produces a new law

Computer Misuse Act 1990 (2)Computer Misuse Act 1990 (2) Section 1 – Unauthorised AccessSection 1 – Unauthorised Access

An offence to access a computer knowing that the access is An offence to access a computer knowing that the access is not authorisednot authorised

Summary offence; 6 months and/or £5,000Summary offence; 6 months and/or £5,000 Section 2 – Unauthorised Access with IntentSection 2 – Unauthorised Access with Intent

An offence to commit Section 1 with intent to commit a An offence to commit Section 1 with intent to commit a further arrestable offencefurther arrestable offence

Arrestable offence; 5 years and/or £unlimitedArrestable offence; 5 years and/or £unlimited Section 3 – Unauthorised ModificationSection 3 – Unauthorised Modification

An offence to modify any computer so as to impair the An offence to modify any computer so as to impair the operation of any computeroperation of any computer

Arrestable offence; 5 years and/or £unlimitedArrestable offence; 5 years and/or £unlimited

Computer Misuse Act 1990 (3)Computer Misuse Act 1990 (3)

Outlaws hacking for:Outlaws hacking for: CuriosityCuriosity To steal credit cards, information, etcTo steal credit cards, information, etc To damage something – web defacement, etcTo damage something – web defacement, etc

Outlaws computer virusesOutlaws computer viruses But not obviously Denial of Service attacksBut not obviously Denial of Service attacks

Review currently underwayReview currently underway Bill failed in Lords – rightly so!Bill failed in Lords – rightly so!

Implications of Computer Misuse Implications of Computer Misuse ActAct

Data stored on computers is not protected by Data stored on computers is not protected by the laws of propertythe laws of property

So must be protected under CMASo must be protected under CMA Means you must define ‘authorised’ accessMeans you must define ‘authorised’ access Acceptable Use Policy statementsAcceptable Use Policy statements

On internal computers On internal computers andand on Web sites! on Web sites!

Other LawsOther Laws

Data Protection Act 1998Data Protection Act 1998 Makes an offence for the hacker to process personal dataMakes an offence for the hacker to process personal data

E.g. credit cardsE.g. credit cards

But Principle 7 says you must enact ‘adequate technical But Principle 7 says you must enact ‘adequate technical and organisational’ mechanisms to protect itand organisational’ mechanisms to protect it

Protection of Children Act 1978Protection of Children Act 1978 An offence to publish ‘indecent photographs’ of childrenAn offence to publish ‘indecent photographs’ of children

Criminal Justice Act 1988Criminal Justice Act 1988 An offence knowingly to possess themAn offence knowingly to possess them

Other Laws (2)Other Laws (2)

Theft ActsTheft Acts An offence to demand money with threatsAn offence to demand money with threats E.g., Denial of Service plus extortionE.g., Denial of Service plus extortion

Offences Against The Person ActOffences Against The Person Act An offence to harass, threaten, etcAn offence to harass, threaten, etc

Also, laws against defamationAlso, laws against defamation Slander or Libel?Slander or Libel?

Laws and ComputersLaws and Computers

A rich set of laws cover computer use and A rich set of laws cover computer use and misusemisuse

Computer is theComputer is the AgentAgent VictimVictim WitnessWitness

Means that computers will beMeans that computers will be ‘‘in the witness box’; orin the witness box’; or ‘‘on the exhibits table’on the exhibits table’

Nature of Computer EvidenceNature of Computer Evidence

Evidence isEvidence is ‘‘That which can be seen’; orThat which can be seen’; or ‘‘That which shows something’That which shows something’

Computer data cannot be ‘seen’Computer data cannot be ‘seen’ But it can be used to show somethingBut it can be used to show something And it can be represented to a courtAnd it can be represented to a court

But the process of turning computer records into But the process of turning computer records into evidence must be done carefullyevidence must be done carefully

Nature of EvidenceNature of Evidence

Direct versus CircumstantialDirect versus Circumstantial Computer evidence is ‘Direct’ if automatically produced; Computer evidence is ‘Direct’ if automatically produced;

otherwise ‘Circumstantial’otherwise ‘Circumstantial’ Real, Original and HearsayReal, Original and Hearsay

Again, relates to the ‘automatically produced’ aspectAgain, relates to the ‘automatically produced’ aspect Example, an email messageExample, an email message

Real evidence is the hard disk driveReal evidence is the hard disk drive Original evidence is the header detail and recordsOriginal evidence is the header detail and records Hearsay evidence is the email contentHearsay evidence is the email content

Nature of Evidence (2)Nature of Evidence (2)

Hearsay evidence is generally not admissibleHearsay evidence is generally not admissible Unless special provision is madeUnless special provision is made

Must be able to produce ‘Best Evidence’Must be able to produce ‘Best Evidence’ In practice, means produce the disk drive as an In practice, means produce the disk drive as an

exhibitexhibit But then derive further exhibits by the process But then derive further exhibits by the process

of forensics from this diskof forensics from this disk

Computer ForensicsComputer Forensics

The process of deriving evidence from The process of deriving evidence from computer datacomputer data

Requires that the data is shown to be reliably Requires that the data is shown to be reliably obtainedobtained Is not changed in any wayIs not changed in any way Is completeIs complete Can be repeatedCan be repeated

And most importantly, that it can be And most importantly, that it can be understood!understood!

Sources of Computer EvidenceSources of Computer Evidence

Personal ComputersPersonal Computers Principally, the disk drivePrincipally, the disk drive

Server ComputersServer Computers Running processesRunning processes Contents of file systemContents of file system

Removable mediaRemovable media Automatically-produced log filesAutomatically-produced log files

E.g., firewall, IDS, proxy, etcE.g., firewall, IDS, proxy, etc

Evidence ProcessEvidence Process IdentifyIdentify

What sources are available?What sources are available? SeizeSeize

‘‘Bag and Tag’ Best EvidenceBag and Tag’ Best Evidence TransportTransport

Safely and responsibly take the best evidence to a secure Safely and responsibly take the best evidence to a secure locationlocation

ReceiveReceive Accept responsibility for the evidenceAccept responsibility for the evidence

StoreStore Ensure securely held free from risk of contaminationEnsure securely held free from risk of contamination

Evidence Process (2)Evidence Process (2)

PreservePreserve Take a reliable copy of the evidenceTake a reliable copy of the evidence

ReserveReserve Put the original Best Evidence source in a secure placePut the original Best Evidence source in a secure place

AnalyseAnalyse Investigate the evidence on the preserved copyInvestigate the evidence on the preserved copy

ProduceProduce Identify the exhibits that establish factsIdentify the exhibits that establish facts

TestifyTestify Create a statement and go to courtCreate a statement and go to court

ProblemsProblems

Evidence from running computersEvidence from running computers How do you make this ‘repeatable’?How do you make this ‘repeatable’?

Volumes of data to be analysedVolumes of data to be analysed Making sure process of analysis doesn’t Making sure process of analysis doesn’t

change datachange data Use an ‘Imaging’ program like EnCase?Use an ‘Imaging’ program like EnCase?

Proving you haven’t changed anythingProving you haven’t changed anything Best is to make change impossibleBest is to make change impossible

Presenting the stuff in court!Presenting the stuff in court!

StatementsStatements

Statements (2)Statements (2)

QualificationsQualifications Statement of understandingStatement of understanding

““I am told that the defendant had a computer…”I am told that the defendant had a computer…” Definitions of termsDefinitions of terms Points to be addressedPoints to be addressed

““I am asked to consider…”I am asked to consider…” FindingsFindings

Expert WitnessesExpert Witnesses

Servants of the courtServants of the court Help court to understand complex evidence Help court to understand complex evidence

‘outside of their normal experience’‘outside of their normal experience’ Allowed to express an opinionAllowed to express an opinion Allowed to attend entire trialAllowed to attend entire trial Paid for attendancePaid for attendance Must be able to demonstrate their expertiseMust be able to demonstrate their expertise

E.g., academic qualificationsE.g., academic qualifications

Pre-Trial ExperiencePre-Trial Experience

Experts for prosecution and for defenceExperts for prosecution and for defence Exchange statementsExchange statements Raise and exchange ‘Rebuttal Statements’Raise and exchange ‘Rebuttal Statements’ Meet to agree evidenceMeet to agree evidence

What is agreed?What is agreed? What is agreed as disagreed?What is agreed as disagreed? What points need not be put before the court?What points need not be put before the court? Common terms and definitionsCommon terms and definitions

Courtroom ExperienceCourtroom Experience

Prosecution bats firstProsecution bats first So definitions are presented by the expert called So definitions are presented by the expert called

for the prosecutionfor the prosecution ExaminationExamination

Initial points, then detailInitial points, then detail Cross-examinationCross-examination

Defence tries to trip you upDefence tries to trip you up Re-examinationRe-examination

Prosecution picks you up and dusts you downProsecution picks you up and dusts you down

Problems in CourtProblems in Court

Being led by the defence questionsBeing led by the defence questions ““It’s right, isn’t it…?”It’s right, isn’t it…?”

Being lured into providing arcane detailsBeing lured into providing arcane details ““Perhaps the witness would care to explain public Perhaps the witness would care to explain public

key cryptography to the Jury?”key cryptography to the Jury?” Being led outside area of expertiseBeing led outside area of expertise

““Perhaps the witness would care to explain how he Perhaps the witness would care to explain how he can be sure that this was a picture of a child?”can be sure that this was a picture of a child?”

Defence TacticsDefence Tactics

Current best defence is the ‘Trojan defence’Current best defence is the ‘Trojan defence’ Computer was hackedComputer was hacked

R v Caffrey – ‘Invisible’ hackerR v Caffrey – ‘Invisible’ hacker Computer had a virusComputer had a virus Computer had a series of pop-upsComputer had a series of pop-ups Most laws require the prosecution to prove Most laws require the prosecution to prove

intentintent Mens Rea?Mens Rea?

Trojan Defence in Child Trojan Defence in Child PornographyPornography

Criminal Justice Act 1988Criminal Justice Act 1988 It is an offence to possess and indecent photograph It is an offence to possess and indecent photograph

of a childof a child It is a defence for the accused to proveIt is a defence for the accused to prove

He had not looked at it and had no reason to He had not looked at it and had no reason to believe it was indecent; orbelieve it was indecent; or

He did not ask for it, it was not asked for on his He did not ask for it, it was not asked for on his behalf, and he took steps to remove it as soon as behalf, and he took steps to remove it as soon as possiblepossible

Trojan Defence (2)Trojan Defence (2)

Pop up is an involuntary downloadPop up is an involuntary download But still in possessionBut still in possession If pop-up, will have looked at itIf pop-up, will have looked at it Was it asked for on his behalf?Was it asked for on his behalf? And if it’s still in Temporary Internet Files, And if it’s still in Temporary Internet Files,

could we argue he did not take steps to remove could we argue he did not take steps to remove it?it?

And, crucially, is this fair?And, crucially, is this fair?

The Future?The Future?

Encryption and secure deletion will spoil a lot Encryption and secure deletion will spoil a lot of current ‘Best Evidence’of current ‘Best Evidence’

But we will still have lots of recordsBut we will still have lots of records Need to ensure ruling in R v Caffrey does not Need to ensure ruling in R v Caffrey does not

spoil other casesspoil other cases Need a way to educate juriesNeed a way to educate juries Need a way to train lawyersNeed a way to train lawyers Need broader knowledge of the issues!Need broader knowledge of the issues!

Thank you!Thank you!

neil.barrett@btinternet.comneil.barrett@btinternet.com 07712 86577407712 865774 Prof Neil BarrettProf Neil Barrett

Centre for Forensic ComputingCentre for Forensic ComputingRMCS ShrivenhamRMCS ShrivenhamUniversity of CranfieldUniversity of CranfieldShrivenhamShrivenhamSwindonSwindon