Recovering, Examining and Presenting Computer Forensic Evidence in Court • By Malack Amenya
Introduction • A technological revolution in communications and information exchange has taken place within business, industry, and our homes • In this information technology age, the needs of law enforcement are changing as well
Computer Forensic Science • Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media.
Computer forensic science was created to address the specific and articulated needs of law enforcement to make the most of this new form of electronic evidence • With the average storage capacity of a personally owned microcomputer approaching 30 gigabytes, and systems readily available with 60 GB or more (figures from when this deck was written; today's capacities are orders of magnitude larger), it is practically impossible to completely and exhaustively examine every file stored on a seized computer system
As difficult as it would be to scan a directory listing of every file on a computer system, it would be equally difficult for law enforcement personnel to read and assimilate the amount of information contained within the files • For example, 12 GB of printed text would create a stack of paper 24 stories high
Even though the examiner may have the legal right to search every file, time limitations and other judicial constraints may not permit it. The examination in most cases should be limited to only well-identified probative information.
Recovering and Discovering Information • It is now black letter law that information generated and stored on computers and in other electronic forms is discoverable
The practical questions are how to collect relevant data, and how to ensure that the data collected can be authenticated and admitted as evidence.
1. Send a preservation-of-evidence letter • Because information stored on computers changes constantly, it is critical to put all parties on notice that you will be seeking electronic evidence through discovery
2. Include definitions and instructions • First, use a series of interrogatories to get an overview of the target computer system • Second, all requests for production should make clear that you are requesting electronic documents as well as paper • Finally, if necessary, include a request for inspection so you can examine the computer system first hand and retrieve any relevant data
3. Take a Rule 30(b)(6) deposition • This is the single best tool for finding out the types of electronic information that exist in your opponent's computer systems • Follow the Checklist for System Discovery
4. Collect backup tapes • One of the most fertile sources of evidence is the routine backup created to protect data in case of disaster
5. Collect removable media • Data selectively saved by users to diskettes or other portable media is another fertile, but often overlooked, source of evidence
6. Ask every witness about computer usage • In addition to the discovery directed at the computer system, every witness must be questioned about his or her computer use • Palmtop devices and notebook computers are another good source of evidence
7. Make copies of residual data • Residual data includes "deleted" files, fragments of deleted files, and other data that is still extant on the disk surface: deleting a file normally removes only its directory entry, and the contents remain in unallocated space until they are overwritten
8. Write-protect and virus check all media • Now that you have obtained the data, what do you do with it? You likely have a mix of image copies, backup tapes, diskettes, CDs, and other media • Before doing anything else, you must preserve the integrity of the media you have received. The two key steps are write-protection, so that the examination itself cannot alter the media, and virus checking
9. Preserve the chain of custody • A chain of custody tracks evidence from its original source to what is offered as evidence in court • First, the copies must be made with reliable software; a good benchmark is whether the software is used and relied on by law enforcement agencies • Second, the copies made must be capable of independent verification: your opponent and the court must be able to satisfy themselves that your copies are accurate • Third, the copies created must be tamper proof
Examining Computer Evidence • The challenge to computer forensic science is to develop methods and techniques that provide valid and reliable results while protecting the real evidence—the information—from harm
Examining Computer Evidence • The governing principle is to examine a true and accurate copy rather than the original evidence. Creating that copy and ensuring it is true and accurate is a matter of policy and practice • Each agency and examiner must decide how to implement this principle on a case-by-case basis
Authentication of Digital Evidence • Authentication is the process by which the reliability of evidence is established • The party leading the evidence in court must show that it has not been altered since it was collected and that the location, date, and time of collection can be proven • That is accomplished using standardized evidence-handling procedures and chain-of-custody records and relies primarily on physical security measures • Cryptographic hashes of the acquired image, recorded at collection time and recomputed before presentation, are the usual technical complement to those physical controls
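The following is an added example, not part of the original deck or the author's material, that exercises the technical points behind steps 7 to 9 and the Authentication slide: carving a "deleted" file out of unallocated space, hashing the acquired image so the copy can be independently verified, and keeping a hash-chained chain-of-custody record that exposes tampering with either the image or the record itself. The raw image, the examiner names and the JSON log format are constructed for illustration; a hardware write blocker is what enforces write-protection on real media, which this in-memory copy can only stand in for.

```python
"""Constructed forensic-integrity walkthrough (example code, not from the deck)."""
from __future__ import annotations

import hashlib
import json
import re
from datetime import datetime, timezone

JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker


def build_sample_image() -> bytes:
    """Constructed raw 'disk': one live file, then unallocated space still holding a deleted JPEG."""
    allocated = b"MEMO: quarterly numbers attached\n".ljust(64, b"\x00")
    deleted_jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF" + b"<constructed pixel data>" + JPEG_EOI
    unallocated = b"\x00" * 32 + deleted_jpeg + b"\x00" * 32
    return allocated + unallocated


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(source: bytes) -> tuple[bytes, str]:
    """Bit-for-bit copy plus the hash taken at acquisition time (step 8: work on the copy, never the original)."""
    image = bytes(source)
    return image, sha256(image)


def verify_copy(source: bytes, image: bytes) -> bool:
    """Step 9, 'independent verification': anyone with the source and the copy can recompute this."""
    return sha256(source) == sha256(image)


def carve_jpegs(image: bytes) -> list[bytes]:
    """Step 7: recover residual JPEG fragments by signature, ignoring the file system entirely."""
    found = []
    for m in re.finditer(re.escape(JPEG_SOI), image):
        end = image.find(JPEG_EOI, m.end())
        if end != -1:
            found.append(image[m.start(): end + len(JPEG_EOI)])
    return found


class CustodyLog:
    """Hash-chained chain-of-custody record: every entry commits to the artifact hash and to the previous entry."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, who: str, action: str, artifact: bytes) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "who": who,
            "action": action,
            "artifact_sha256": sha256(artifact),
            "at": datetime.now(timezone.utc).isoformat(),
            "prev": prev,
        }
        entry["entry_hash"] = sha256(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def chain_intact(self) -> bool:
        """Detects edits to the log itself: each entry must hash correctly and point at its predecessor."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or sha256(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def artifact_unchanged(self, artifact: bytes) -> bool:
        """Step 9, 'tamper proof': the artifact must still hash to what every custody entry recorded."""
        return bool(self.entries) and all(e["artifact_sha256"] == sha256(artifact) for e in self.entries)


def demo() -> dict:
    source = build_sample_image()
    image, _acq_hash = acquire(source)
    log = CustodyLog()
    log.record("examiner A (constructed)", "acquired image from seized drive", image)
    log.record("examiner B (constructed)", "received image for analysis", image)
    tampered = bytearray(image)
    tampered[0] ^= 0x01  # flip one bit in the 'live' file region
    return {
        "copy_verified": verify_copy(source, image),
        "carved_count": len(carve_jpegs(image)),
        "chain_intact": log.chain_intact(),
        "image_unchanged": log.artifact_unchanged(image),
        "tamper_detected": not log.artifact_unchanged(bytes(tampered)),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The carve finds the JPEG even though no directory entry points at it, which is exactly the residual data step 7 is after; the custody log answers the two questions a court asks of a copy, whether it matches the original and whether anyone has changed it since, and the hash chain means a doctored log entry is as detectable as a doctored image.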
Information-Assurance Services • The Information Assurance Technical Framework (National Security Agency 2002) captures information-assurance guidance reflecting the state-of-practice in the U.S. Department of Defense, federal government, and industry information-assurance community.
It describes five primary security services relevant to information and information processing systems: • access control, confidentiality, integrity, availability, and non-repudiation.
Daubert Compliance • The Daubert ruling (Daubert 1993) requires the trial judge to make an assessment of whether a methodology or technique invoked by expert testimony is scientifically valid and whether the methodology can be applied to the facts in issue.
The ruling provides the following five example considerations to aid the judge in making that assessment: • Whether the technique can be and has been tested • Whether the technique has been subjected to peer review and publication • Known or potential rate of error • Existence and maintenance of standards controlling the technique • General acceptance in the relevant scientific community
Presenting evidence in court • When collecting computer data for evidentiary purposes, a party has a duty to “utilize the method which would yield the most complete and accurate results.” Gates Rubber Co. v. Bando Chemical Indus. Ltd., 167 F.R.D. 90, 112 (D. Colo. 1996). • In Gates, the court criticized the plaintiff for failing to make image copies and for failing to properly preserve undeleted files.
Zubulake V, (July 20, 2004) • The contents of the backup tapes restored by UBS demonstrated that certain UBS employees had deleted email after being advised of their duty to preserve the evidence. Since Zubulake could now show that the destruction was willful and it was likely the destroyed emails would have been beneficial to her case, the Court granted an adverse inference jury instruction. • Additionally, since it took UBS almost two years to produce the relevant and requested emails from the backup tapes, it was ordered to pay Zubulake’s costs related to re-deposing any relevant witnesses. Even though the Court acknowledged that UBS’s attorneys generally fulfilled their duty to communicate with their client on its duty to preserve and produce data, it noted certain key shortcomings - one of which was the attorneys’ failure to communicate with the client’s information technology personnel. • In a postscript to this July 2004 opinion, Judge Scheindlin discusses how rapidly the body of case law on discovery of electronic information has evolved in the little over two years that this case has been pending. “All parties and their counsel are fully on notice of their responsibility to preserve and produce electronically stored information.”
See more sample cases at • http://www.geocities.com/nyaurakisii/amenya
Conclusion • Challenges of computer forensics: • being able to demonstrate the authenticity of the evidence • integrity and security of data are also an issue in many courts • acceptance of computer technology by judges, juries and others • establishing the chain of custody • Why computer crime is hard to prosecute: • lack of understanding • lack of physical evidence • lack of political impact • complexity of cases • juvenile offenders