
Computer Forensics BACS 371






Presentation Transcript


  1. Computer Forensics BACS 371: Crime & Evidence Concepts
  2. Introduction
      - Traditional criminal investigations involve the analysis of several types of evidence. This can include ballistic or bloodstain patterns, gunpowder residue, tire tracks, and fingerprints (to name a few).
      - E-evidence is the digital equivalent of the physical evidence found at crime scenes.
      - When collected and handled properly, e-evidence can be just as useful in a court of law.
  3. Introduction (Cont.)
      - The expansion of the Internet provides countless opportunities for crimes to be committed.
      - Digital technologies record and document electronic trails of information that can be analyzed later: e-mail, instant messages (IM), Web site visits; PDAs, iPods, smart phones; cookies, log files, etc.; application programs' run history, USB mounting, etc.
      - All this provides a very rich environment for the forensic investigator.
  4. Definition of Crime
      - A crime is an offensive act against society that violates a law and is punishable by the government.
      - Two important principles in this definition:
        - The act must violate at least one current criminal law.
        - It is the government (not the victim of the crime) that punishes the violator.
  5. Crime Categories and Sentencing
      - Crimes are divided into two broad categories:
        - Felonies: serious crimes punishable by a fine and more than one year in prison.
        - Misdemeanors: lesser crimes punishable by a fine and less than one year in prison.
      - Sentencing guidelines give directions for sentencing defendants.
      - Tougher sentencing guidelines for computer crimes came into effect in 2003. Since then these have been tested and fine-tuned to a certain extent.
  6. Cyber Crime Categories
      - The terms computer crime, cyber crime, information crime, and high-tech crime are generally used interchangeably.
      - Two categories of offenses that involve computers:
        - Computer as instrument: the computer is used to commit the crime.
        - Computer as target: the computer or its data is the target of the crime.
      - In some cases, the computer can be both the target and the instrument.
  7. Computers as Targets
      - Viruses and worms
      - Trojan horses
      - Theft of data
      - Software piracy
      - Trafficking in stolen goods
      - Defacing corporate web sites
  8. Computers as Instrument of Crime
      - Embezzlement
      - Stalking
      - Gambling
      - Pornography
      - Counterfeiting
      - Forgery
      - Theft
      - Identity theft
      - Phishing
      - Pyramid schemes
      - Chain letters, etc.
  9. Computers as Storage
      - Computer storage can also be involved in the crime. This is particularly true with the new "cloud-based" services.
      - If the data is stored or moves over an international border, it makes for some interesting (and complex) legal situations. For example:
        - Off-shore gambling sites
        - Credit card fraud rings
        - Wikileaks-type sites…
  10. Cybercrime Statutes and Acts
      - Generally, laws and statutes lag behind the "latest trends" in cyber crime.
      - Given that an act isn't a crime until a law exists, this means that many exploits are allowed to happen at least once free of punishment.
      - Once a law exists, it is still a challenge for the statute to keep up with new cyber crime trends and abuses.
  11. Civil vs. Criminal Charges
      - There are two major categories of charges: civil and criminal. Each has its own system of courts and procedures.
      - Civil charges are brought by a person or company.
        - Parties must show proof they are entitled to evidence.
      - Criminal charges can be brought only by the government.
        - Law enforcement agencies have authority to seize evidence.
        - Penalties are generally more severe and can include loss of liberty and/or life.
  12. Comparing Criminal and Civil Laws (Continued)
  13. Criminal and Civil Laws (Cont.)
  14. Types of Cyber Crime
      - Generally speaking, there are two types of cyber crime: violent crime and non-violent crime.
      - Violent cyber crime:
        - Cyberterrorism
        - Assault by threat
        - Cyberstalking
        - Pornography
        - …
  15. Types of Cyber Crime (Cont.)
      - Non-violent crime:
        - Cybertrespass
        - Cybertheft
        - Embezzlement
        - Unlawful appropriation
        - Corporate/industrial espionage
        - Plagiarism
        - Credit card theft
        - Identity theft
        - DNS cache poisoning
        - Cyberfraud
        - Destructive cyber crimes: deleting data or program files; vandalizing web pages; introducing viruses, worms, or malicious code; mounting a DoS attack
  16. Information Warfare and Cyberterrorism
      - The terms "cyberterrorism", "cyber warfare", and "information warfare" are relatively new. Basically, they are an extension of war into and through cyberspace.
      - It is an area that the U.S. military is moving into aggressively.
      - Legal defenses against cyberterrorism:
        - USA PATRIOT Act of 2002
        - FBI's Computer Forensics Advisory Board
  17. Famous Examples of Cyber Crimes
      - Early cases that illustrate the importance of knowing the law regarding computer crimes.
      - Robert T. Morris Jr. (Morris worm): Morris was charged with violation of the Computer Fraud and Abuse Act (CFAA). Morris was sentenced to 3 years' probation, 400 hours of community service, and a $10,500 fine.
      - Onel de Guzman (Lovebug virus): the Lovebug virus did $7 billion in damage in 2000. De Guzman was released because no law in the Philippines made what he had done a crime.
      - Computer crimes can be prosecuted only if they violate existing laws.
  18. Evidence Basics
      - Evidence is proof of a fact about what did or did not happen.
      - To be legally admissible, evidence must be reliable and relevant.
      - At a minimum, to be admissible, evidence requires legal search and seizure along with a valid chain of custody.
      - Three types of evidence can be used to persuade someone:
        - Testimony of a witness: based on the five senses
        - Physical evidence: anything tangible
        - Electronic evidence: digital (intangible) evidence
  19. Evidence Basics (Cont.)
      - Testimony of a witness is traditionally considered the "best" form of evidence.
      - Physical and electronic evidence are "circumstantial" evidence. Circumstantial evidence is not a direct statement from an eyewitness or participant. It can be admissible and can be quite strong. Many cases are decided strictly based on this type of evidence.
      - All e-evidence is, by its nature, circumstantial evidence.
      - Both cyber crimes and traditional crimes can leave cybertrails of evidence.
  20. Types of Evidence
      - Artifact evidence: any change in evidence that causes the investigator to incorrectly think that the evidence relates to the crime.
      - Inculpatory evidence: evidence that supports a given theory.
      - Exculpatory evidence: evidence that contradicts a given theory.
      - Admissible evidence: evidence allowed to be presented at trial.
      - Inadmissible evidence: evidence that cannot be presented at trial.
      - Tainted evidence: evidence obtained from an illegal search or seizure.
  21. Types of Evidence (Cont.)
      - E-evidence: generic term for any electronic evidence. Destruction of e-evidence is called "spoliation" and is considered "obstruction of justice".
      - Hearsay evidence: secondhand evidence. Generally inadmissible.
      - Expert testimony: generally admissible. It is an exception to the hearsay rule.
      - Material evidence: evidence relevant and significant to the lawsuit.
      - Immaterial evidence: evidence that is not relevant or significant.
      - Documentary evidence: physical or electronic evidence (which is also circumstantial).
  22. Fourth Amendment Rights
      - Evidence is commonly collected through a search and subsequent seizure. There are very specific rules governing this process.
      - The Fourth Amendment of the U.S. Constitution protects against unreasonable searches and seizures.
      - Covers individuals and corporations: home, workplace, automobile, etc.
      - Law enforcement must show probable cause of a crime.
      - There are several notable exceptions to this amendment.
  23. In Practice: Search Warrant for Admissible Evidence
      - A search warrant is issued only if law enforcement provides sufficient proof that there is probable cause a crime has been committed.
      - The law officer must specify what premises, things, or persons will be searched in very exact terms.
      - Evidence discovered during a legal search can be seized.
      - Evidence seized after an illegal search is tainted and is normally inadmissible.
  24. Testimony
      - Testimony: comments and arguments made by attorneys, the judge, and others. Could also be maps, models, etc.
      - Testimony is not evidence, but may be admissible and allowed as evidence.
      - The job of the lawyer is to put evidence together into a crime hypothesis that makes sense. Evidence that:
        - Supports the hypothesis = inculpatory
        - Contradicts the hypothesis = exculpatory
  25. Rules of Evidence and Expert Testimony
      - Federal Rules of Evidence (Fed. R. Evid.) determine admissibility of evidence.
      - According to Fed. R. Evid., electronic materials qualify as "originals" for court use as long as they are handled properly and are "accurate" copies of the original.
      - An expert witness is a qualified specialist who testifies in court.
      - Expert testimony is an exception to the rule against giving opinions in court (i.e., the "hearsay rule").
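The "valid chain of custody" requirement on slide 18 and the "accurate copy" requirement on slide 25 are, in practice, demonstrated with cryptographic hashes: the examiner hashes the original at acquisition, records who handled the item and when, and re-hashes every copy so that any alteration (accidental or deliberate) shows up as a hash mismatch. The following Python script is an added example written for this page, not code from the BACS 371 slides or their textbook. The case number, item number, custodian names and file contents are constructed placeholders; real workflows also record the hash in a signed or write-once log, which this example only models in memory.

```python
"""Hash-based copy verification with a simple chain-of-custody log.

Added example, not part of the BACS 371 slides. Case IDs, custodian
names and the evidence bytes below are constructed placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Return the hex SHA-256 digest of a file, reading it in chunks so
    multi-gigabyte disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_copy(original_path, copy_path):
    """True only if the copy is bit-for-bit identical to the original."""
    return sha256_file(original_path) == sha256_file(copy_path)


class CustodyLog:
    """Append-only record of who handled an evidence item and the hash
    observed at each hand-off. A hash that differs from the acquisition
    hash means the item was altered somewhere in the chain."""

    def __init__(self, case_id, item_id):
        self.case_id = case_id
        self.item_id = item_id
        self.entries = []

    def record(self, action, custodian, path):
        entry = {
            "case_id": self.case_id,
            "item_id": self.item_id,
            "action": action,
            "custodian": custodian,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "sha256": sha256_file(path),
        }
        self.entries.append(entry)
        return entry

    def is_consistent(self):
        """True if every recorded hash equals the first (acquisition) hash."""
        return len({e["sha256"] for e in self.entries}) <= 1

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def demo():
    """Create constructed evidence files in a temp dir and run the checks."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "disk0.img")          # constructed name
        good_copy = os.path.join(d, "disk0_copy.img")    # constructed name
        bad_copy = os.path.join(d, "disk0_altered.img")  # constructed name
        data = b"constructed evidence image " * 1000
        for p in (original, good_copy):
            with open(p, "wb") as f:
                f.write(data)
        with open(bad_copy, "wb") as f:
            f.write(data[:-1] + b"X")  # a single altered byte

        log = CustodyLog("CASE-0001", "ITEM-07")         # constructed IDs
        log.record("acquired", "examiner A", original)
        log.record("transferred", "examiner B", good_copy)
        consistent_before = log.is_consistent()
        log.record("transferred", "examiner C", bad_copy)
        return {
            "good_copy_verified": verify_copy(original, good_copy),
            "altered_copy_verified": verify_copy(original, bad_copy),
            "log_consistent_before_alteration": consistent_before,
            "log_consistent_after_alteration": log.is_consistent(),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the file directly to see the four checks: the faithful copy verifies and the custody log stays consistent, while the copy with one changed byte fails verification and makes the log inconsistent, which is exactly the kind of discrepancy opposing counsel would use to challenge the copy's status as an "original".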
  26. Discovery
      - Discovery is the process whereby each party has a right to learn about the other's evidence.
      - This is where it is determined if evidence is relevant.
      - All evidence must be disclosed in advance. Evidence not disclosed in advance may be deemed inadmissible.
      - Includes information that must be provided by each party if requested.
      - There are many methods of discovery.
  27. Discovery Methods
      - Interrogatories: written answers made under oath to written questions
      - Requests for admissions: intended to ascertain the authenticity of a document or the truth of an assertion
      - Requests for production: involves the inspection of documents and property
      - Depositions: out-of-court testimony made under oath by the opposing party or other witnesses
  28. Electronic Discovery (E-Discovery)
      - Zubulake v. UBS Warburg (2003): landmark case involving e-discovery.
      - Based on this case, courts recognized five categories of stored data:
        - Active, online data
        - Near-line data
        - Offline storage/archives
        - Backup tapes
        - Erased, fragmented, or damaged data
      - Increased demand for e-discovery based on this (and other related) rulings.
  29. Increased Demand for E-Discovery
      - Most business operations and transactions are done on computers and stored on digital devices.
      - The most common means of communication are electronic.
      - People are candid in their e-mail and instant messages.
      - E-evidence is very difficult to completely destroy (but can be difficult to find).
  30. Electronic Evidence: Technology and Legal Issues
      - Discovery requests for electronic information can lead to considerable labor. Why?
        - Electronic evidence is volatile and may be easily changed. It requires extra care.
        - Electronic evidence, conversely, is difficult to delete entirely. Traces must be located.
      - Fun fact: e-mail evidence has become the most common type of e-evidence.
  31. In Practice: Largest Computer Forensics Case in History: Enron
      - Government investigators searched more than 400 computers and handheld devices, plus over 10,000 backup tapes.
      - The investigation also included records from Arthur Andersen, Enron's accounting firm.
      - "Explosive" e-mail from J.P. Morgan Chase employees about Enron was part of a corollary case.
  32. Summary
      - E-evidence plays an important role in crime reconstruction.
      - Crimes are not limited to cyber crimes; cybertrails are left by many traditional crimes.
      - Without evidence of an act or activity that violates a statute, there is no crime.
      - Rules must be followed to gather, search for, and seize evidence in order to protect individual rights.
  33. Summary (Cont.)
      - E-discovery refers to the discovery of electronic documents, data, e-mail, etc.
      - E-discovery is more complex than traditional discovery of information.
      - Tools used to recover lost or destroyed data can also be used in e-discovery of evidence.