1. LLAW 6117 Cybercrime
Eric K.M. Cheung
May 2003
2. What is computer forensic ? (1)
“The application of computer investigation and analysis techniques in the interests of determining legal evidence”
Judd Robbins
3. What is computer forensic ? (2)
“The science of acquiring, preserving, retrieving and presenting data that has been processed electronically and stored on computer media”
(FBI)
4. What is computer forensic ? (3)
A modern definition:
“a scientific and systematic methodology for identifying, searching, retrieving, recovering and analyzing digital evidence from computers, computer storage media & electronic devices and presenting the findings which meets the standard required by a court of law”
(Hilton Chan)
5. Applications
Law enforcement agencies e.g. cybercrime
Civil Litigators e.g. IP infringement
Insurance companies
Corporations
Individuals
6. What is “digital evidence” ?
“Information of probative value stored or transmitted in digital form”
(Scientific Working Group on Digital Evidence)
7. Examples of Digital Evidence
E-mail, e-mail address
Word processor, spreadsheet files
Software source code
Image files (.PCX, .JPEG, .TIFF)
Web Browser bookmarks, cookies
Calendar, to-do-list
8. Cybercrime Scene (1)
No specific cyber crime scene
Victims – late discovery i.e. 2 weeks
The evidence is destroyed
Low Detection rate by police
9. No. of computer crime cases in HK (1995-2002)
10. Cybercrime Scene (2)
11. Standard Guidelines For Computer Forensics (1)
How to handle reported case
Techniques in preserving potential evidence
Techniques in analyzing the collected data records
Present the findings in court
The limitation in computer forensic operations
IT professional knowledge
(HKPF)
12. Standard Guidelines For Computer Forensics (2)
The International Association of Computer Investigative Specialists (IACIS)
Good Practice Guide for Computer-based Evidence 1999 (ACPO)
International Organization on Computer Evidence (IOCE)
FBI’s Guidelines for Searching and Seizing Computers 2002
13. Prosecuting Cybercrime – Difficulty (1)
Presentation of evidence
Log records (s.22 Evidence Ord.)
Real time records (s.22 Evidence Ord.)
Document produced by Computer (s.22A)
Original vs. Copy
Chain of Exhibit
Identity
14. Prosecuting Cybercrime – Difficulty (2)
s.22A
Direct oral evidence of fact admissible s.22A(1)(a)
Computer was used to store, process or retrieve information s.22A(2)(a)
Information reproduced or derived from computer s.22A(2)(b)
15. Prosecuting Cybercrime – Difficulty (3)
Measures to prevent unauthorized interference s.22A(2)(c)(i)
Computer was operating properly s.22A(2)(c)(ii)
Definition of computer s.22A(12)
Document produced by computer s.22A(9)
16. Prosecuting Cybercrime – Difficulty (4)
Prosecution adduces computer certificate under s.22A(5) to prove s.22A(1) and (2) requirements
If it fails, what to do?
17. Prosecuting Cybercrime – Difficulty (5)
Not proving the truth of contents : s.22A(11)
Real Evidence
18. Prosecuting Cybercrime – Difficulty (6)
International Dimensions
Collect evidence outside HK
Mutual Legal Assistance in Criminal Matters Ordinance (Cap. 525)
Slow process
19. Prosecuting Cybercrime – Difficulty (7)
Judge or magistrate (Technology Court opened in April 2003)
Jury (in High Court)
Counsel for the Defendant
Victims
Witness
20. Cyber Law Enforcement Agency
Hong Kong Police Force
ICAC
C&E
Immigration
Department of Justice
21. Accreditation of Forensics Expert
On the job training
HKUST Professional Diploma in Computer Forensics
Software e.g. DESK, EnCase
22. The Reform (1)
Decryption tools e.g. UK Regulation of Investigatory Powers Act 2000
Legislative reform – real time tracing, availability and preservation of stored data
Extradition and Fast MLA
Trained and equipped law enforcement officers, prosecutors, lawyers and judges
23. The Reform (2)
International Standard of Technical Procedure in Computer Forensics Science
Enhanced International Cooperation
Cooperation and outreach to ISPs and victims