
Computer Forensics Principles and Practices


Presentation Transcript


  1. Computer Forensics Principles and Practices
     by Volonino, Anzaldua, and Godwin
     Chapter 12: Federal Rules and Criminal Codes

  2. Objectives
     • Identify federal rules of evidence and other principles of due process of the law
     • Explain the legal foundation and reasons for pretrial motions regarding evidence
     • Identify the limitations on expectations of privacy
     • Explain the major anticrime laws and amendments impacting discovery and use of e-evidence
     © Pearson Education Computer Forensics: Principles and Practices

  3. Introduction
     In this chapter you will learn about the due process of law, federal rules of evidence and procedure, and anticrime laws. You will learn about the authority granted to investigators under privacy laws and the limitations those laws impose to protect civil rights.

  4. Due Process of the Law
     • Due process of the law is a fundamental principle to ensure all civil and criminal cases follow rules to prevent prejudicial treatment
     • Primary rules ensuring due process:
       • Federal Rules of Civil Procedure
       • Federal Rules of Criminal Procedure
       • Federal Rules of Evidence

  5. Due Process of the Law (Cont.)
     • Federal rules of procedure regulate production of evidence
     • Amendment to Rule 34 made electronic data subject to discovery
     • This change raised issues about e-evidence
     • How can evidence be authenticated, proved reliable, and determined to be admissible in criminal and civil proceedings?

  6. In Practice: Supreme Court Approves E-Discovery Changes
     • In April 2006, U.S. Supreme Court approved proposed amendments to the Federal Rules of Civil Procedure concerning discovery of “electronically stored information”
     • Amendments will impose greater precision and change the way lawyers and courts approach e-discovery

  7. Due Process of the Law (Cont.)
     • Federal Rules of Evidence adopted in 1975
     • Rules govern the admissibility of evidence, including electronic records or data
     • Some rules are exclusionary rules that specify types of evidence that can be excluded
     • In establishing admissibility, many rules concentrate first on evidence’s relevancy

  8. Due Process of the Law (Cont.)
     • Exclusionary rules test whether evidence will be admissible
     • Exclusionary rules pertain to:
       • Relevancy
       • Privilege
       • Opinion of expert
       • Hearsay
       • Authentication

  9. Federal Rules of Evidence Pertaining to E-Evidence (Continued)

  10. Federal Rules of Evidence Pertaining to E-Evidence (Cont.)

  11. Due Process of the Law (Cont.)
     • Hearsay evidence
     • Hearsay Rule 802 can block admissibility except in case of an exception
     • Electronic records that are business records are admissible under the business records exception rule
     • Motions to suppress evidence are handled before trial in a motion in limine

  12. Due Process of the Law (Cont.)
     • Under Federal Rule 702, a forensic investigator’s qualifications or tools or methods used in an investigation can be objected to
     • From 1923 to 1993, the Frye test was used to determine admissibility of expert witness testimony and methodologies
     • In 1993, the Daubert test replaced the Frye test

  13. Due Process of the Law (Cont.)
     • To determine admissibility, a judge must decide:
       • Whether the theory or technique can be and has been tested
       • Whether it has been subjected to peer review and publication
       • The known or potential error
       • The general acceptance of the theory in the scientific community
       • Whether the proffered testimony is based upon the expert’s special skill

  14. Due Process of the Law (Cont.)
     • A physical document can be authenticated by direct evidence or circumstantial evidence
     • Examples of circumstantial evidence include document’s appearance, content, or substance
     • The same circumstantial evidence courts use to authenticate physical documents applies to e-mail messages
     • Rule 901 requires that the person who introduces the message provide evidence sufficient to prove that the message is what its proponent claims it is

  15. Due Process of the Law (Cont.)
     • Reliability of e-evidence and methods used must also be established by proving that
       • The computer equipment is accepted as standard and competent and was in good working order
       • Qualified computer operators were employed
       • Proper procedures were followed in connection with the input and output of information
       • A reliable software program and hardware were used
       • Equipment was programmed and operated correctly
       • Exhibit is properly identified as the output in question

  16. Due Process of the Law (Cont.)
     • Circumstantial e-mail evidence authenticates other e-mail
     • E-mail messages not directly relevant may be relevant when used to authenticate other messages
     • Content of messages may have a style similar to that in other documents
     • Circumstantial evidence can also be used to authenticate chat room sessions

  17. In Practice: The Importance of Style
     • In a sexual harassment case, a manager produced an e-mail supposedly sent by an employee
     • Computer forensics investigation concluded it was impossible to prove the e-mail had been sent by the employee
     • The employee produced e-mail messages that differed markedly in style from the one the manager had received

  18. Anticrime Laws
     • Electronic Communications Privacy Act of 1986
     • Applies to stored files that had been transmitted over a network
     • Goal is to balance privacy rights with law enforcement needs
     • Limitations of privacy laws
     • Courts’ interpretation of Fourth Amendment protection

  19. In Practice: Constitutional Rights Are Not Unlimited
     • Alan Scott shredded documents that contained evidence of tax evasion, then argued that shredding created a reasonable expectation of privacy
     • Use of technology (the shredder) does not provide constitutional protection
     • Reconstruction of documents did not violate expectation of privacy because he had no foundation for that expectation

  20. Anticrime Laws (Cont.)
     • Federal Wiretap Statute of 1968
     • ECPA amended this statute to include interception of electronic communications, including e-mail
     • USA PATRIOT Act also expanded the list of activities for which wiretaps can be ordered
     • Wiretaps are ordered when terrorist bombings, hijackings, or other violent crimes are suspected
     • Statute requires that recordings captured with the wiretap must be given to the judge within a reasonable amount of time

  21. Anticrime Laws (Cont.)
     • Pen/Trap Statute, Section 216
     • Governs the collection of noncontent traffic data, such as numbers dialed by a particular phone
     • Section 216 updates the statute in three ways:
       • Law enforcement may use pen/trap orders to trace communications on the Internet and other networks
       • Pen/trap orders issued by federal courts have nationwide effect
       • Law enforcement must file special report when they use a pen/trap order to install their own monitoring device on computers belonging to a public provider

  22. Anticrime Laws (Cont.)
     • Counterfeit Access Device and Computer Fraud and Abuse Act
     • This act primarily covered illegal access or use of protected government systems
     • Aimed at individuals who broke into or stole information from government computers
     • Law was too narrow so it was amended twice
     • Through CFAA in 1994
     • Through National Information Infrastructure Protection Act (NII) in 1996

  23. In Practice: Federal Wiretap Authority
     • Two sources of authority for federal wiretaps within the United States
     • Federal Wiretap Act (Title III) of 1968
     • Sets procedures for real-time surveillance of voice, e-mail, fax, and Internet communications
     • Foreign Intelligence Surveillance Act (FISA) of 1978
     • Allows wiretapping based on probable cause that the person is a member of a foreign terrorist group or agent of foreign power

  24. Anticrime Laws (Cont.)
     • USA PATRIOT Act
     • This act greatly broadened the FBI’s authority to monitor phone conversations, e-mail, pagers, wireless phones, computers, and other electronic communications
     • This act made it lawful for an officer to intercept a computer trespasser’s wire or electronic communication transmitted to or through a protected computer

  25. Anticrime Laws (Cont.)
     • USA PATRIOT Act authorizations include:
       • Intercepting voice communications in computer hacking investigations
       • Allowing law enforcement to trace communications on the Internet and other computer networks within the pen and trap statute
       • Intercepting communications of computer trespassers
       • Writing nationwide search warrants for e-mail
       • Deterring and preventing cyberterrorism

  26. Anticrime Laws (Cont.)
     • USA PATRIOT Act (cont.)
     • Act changed the point at which targets are notified of the search
     • Delayed notification is called the sneak and peek provision
     • Law enforcement can delay notification for up to 90 days or even longer by showing good cause for delay

  27. Anticrime Laws (Cont.)
     • USA PATRIOT Act (cont.)
     • Expanded power for surveillance:
       • Judicial supervision of telephone and Internet surveillance by law enforcement is limited
       • Law enforcement and intelligence agencies have broad access to sensitive medical, mental health, financial, and educational records with limited judicial oversight
       • Government has power to conduct secret searches of individuals’ homes and businesses, including monitoring books bought from bookstores or borrowed from libraries

  28. Anticrime Laws (Cont.)
     • USA PATRIOT Act (cont.)
     • Requires an agency that sets up surveillance to identify:
       • Any officers who installed or accessed the device to obtain information from the network
       • The date and time the device was installed and uninstalled, and the duration of each time the device was accessed
       • The configuration of the device at the time of installation, plus any later modification
       • Any information that the device has collected

  29. In Practice: Defendant’s Attempt to Exclude E-Evidence Rejected
     • U.S. Court of Appeals rejected a defendant’s efforts to exclude evidence that had been obtained using cell-site data
     • Defendant argued that his phone had been turned into a tracking device
     • Court ruled that this data fell into the realm of electronic communication and suppression was not a remedy for legal interception of electronic communications

  30. Anticrime Laws (Cont.)
     • Electronic surveillance issues
     • In 2005–2006, it was reported that President George W. Bush had authorized the NSA to spy on Americans without warrants
     • Administration justified action as required to combat terrorism
     • Legal scholars argued that this warrantless wiretapping in violation of FISA and bypassing Congress constituted an impeachable offense

  31. Anticrime Laws (Cont.)
     • Computer Fraud and Abuse Act (CFAA)
     • First law to address computer crime in which the computer is the subject of the crime
     • CFAA has been used to prosecute virus creators, hackers, information and identity thieves, and people who use computers to commit fraud

  32. Key Terms in the CFAA (Continued)

  33. Key Terms in the CFAA (Cont.)

  34. In Practice: Applying Crime Laws
     • Drugs known as “research chemicals” were sold openly from U.S. Web sites to customers around the world
     • In 2004, the DEA shut down the Web sites and arrested site operators
     • Web site operators were prosecuted under a law that prohibits possession and supply of chemicals “substantially similar” to controlled substances

  35. Summary
     • You have learned about the Federal Rules of Evidence and Procedure
     • Actual cases and court decisions were presented to illustrate the challenges an investigator faces
     • Before seizing computers, Fourth Amendment search warrant requirements need to be met

  36. Summary (Cont.)
     • The Electronic Communications Privacy Act (ECPA) must be considered
     • Anticrime legislation such as the USA PATRIOT Act provides greater authority to law officials and investigators
     • Ethical issues and dilemmas will be covered in the next chapter
