Electronic Evidence Admissibility

Carmen R. Cintrón Ferrer, 2006, Derechos Reservados

ISACA – San Juan Chapter, February Meeting


Agenda

Problem

Definitions

Legal environment
• Best Evidence Rule
• Chain of Custody and Protection of Originals
• Compliance with Constitutional Rights

Suggested procedure

Comments

Problem

Will the electronic evidence seized by the FBI on February 10th, 2006, be admissible in a court of law?

Stated Problem: Implications

In order for electronic evidence to be admissible it must not be hearsay, it must comply with the “Best Evidence Rule”, and it must be placed under a chain of custody that warrants there has been no tampering or improper handling.

Computer forensics suggests procedures and mechanisms that reduce the risk of evidence being deemed inadmissible, while allowing investigators to:

• Execute a warrant to search electronic devices,

• Examine and collect electronic evidence, or

• Seize (impound) electronic equipment where such evidence might be deposited, in a manner that protects the integrity of such evidence,

• Protect acquired evidence.

Stated Problem: Questions to be answered

What standards should apply?

How should they have been applied by the FBI?

Why is it relevant for information systems auditors?

Definitions

Electronic Evidence

Hearsay

Best Evidence Rule

Authentication

Chain of Custody

Computer Forensics Science

Definitions (source: Incident Response and Computer Forensics; Cyber Forensics)

Evidence:

“Any information of probative value that helps prove something relative to the case under investigation.”

Definitions (source: Incident Response and Computer Forensics; Cyber Forensics)

Hearsay:

“When a computer record contains the assertions of a person, whether or not processed by a computer, the record can contain hearsay. An exception to the hearsay rule is the business record exception.”

“When a computer record contains computer generated data untouched by human hands, the record cannot contain hearsay.”

Definitions (source: Incident Response and Computer Forensics; Cyber Forensics)

Best Evidence Rule:

“Absent some exceptions, requires that the original of a writing or recording must be admitted in court to prove its contents.”

“(if) data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an original.” (FRE 1001(3))

“A duplicate is admissible to the same extent as an original unless (1) a genuine question is raised as to the authenticity of the original or (2) in the circumstances it would be unfair to admit the duplicate in lieu of the original.” (FRE 1003)

Definitions (source: Incident Response and Computer Forensics; Cyber Forensics)

Authentication:

“Whomever collected the evidence should testify during examination that the information is what the proponent claims.” (FRE 901(a))

“A testimony by a witness who has personal knowledge as to the origins of that piece of evidence.”

“Applicable standard is the same as for other records.”

Definitions (source: Incident Response and Computer Forensics; Cyber Forensics)

Chain of Custody:

Requires that evidence is stored in a manner where it cannot be accessed by unauthorized personnel.

The location of evidence from the moment it was collected to its presentation at trial needs to be traced.

A log should be kept for each evidentiary item.

Definitions (source: Incident Response and Computer Forensics; Cyber Forensics)

Computer forensics science:

“Is a common ground of rules, techniques and tools for collecting, examining, preserving, retrieving and presenting data that has been processed electronically and has been stored on computer media.”

“It pertains to electronic or digital transactions or records.”

“It produces direct information and data that may have significance in a case, rather than producing interpretative conclusions.”

Legal Environment

Constitutional Rights:

Fourth Amendment – “The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched and the persons or things to be seized.”

First Amendment – “Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof, or abridging the freedom of speech or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.”

Legal Environment

Search and Seizures (42 USC 2000aa): Warrant (exceptions on terrorism by USA Patriot Act)

Probable Cause for:
• Search and/or seize HW?
• Search and/or seize SW?
• Search and/or seize Data?
• Search and/or seize a Network?

Key questions:
• Is it contraband, tool for the offense or incidental?
• Where will the search be conducted?
• How will the search be conducted?
• Can evidence out of the scope of the warrant be used?

Legal Environment

Other applicable legislation:

Federal Criminal Code (18 USC 2703):
• Warrant
• Subpoena
• Court Order

Electronic Communications Privacy Act (ECPA)

USA Patriot Act (2001)

Communications Assistance for Law Enforcement Act (CALEA) – Under scrutiny of Congress

Best Practices for Seizing Electronic Evidence (US Secret Service)

• Determine type of search
• Determine what to search
• Determine where to search
• Assure valid warrant
• Use appropriate collection techniques so the evidence is not destroyed or altered
• Employ trained personnel for forensic examination

Best Practices for Seizing Electronic Evidence (US Secret Service)

Conduct the search and seizure:

Secure the scene:
• Officer safety
• Preserve area
• Restrict access to computer(s) and isolate from phone lines or connections to ISP

Secure computer evidence:
• Photograph scene, and screen(s)
• Unplug and label
• Place evidence tape
• If transport is required, package components as fragile cargo
• Keep away from magnets, radio transmitters and similar environments

If it is necessary to access storage devices, all actions associated with the manipulation of the device should be noted in order to document the chain of custody and ensure its admission to court.

International Principles (source: Cyber Forensics)

International Organization on Computer Evidence:

• Take actions not to change seized evidence.
• Only a forensically competent professional should access original digital evidence, when necessary.
• All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved and available for review.
• An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.
• Any agency that is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.

Suggested Procedure

Request warrant to determine terms, scope of search and of seizure.

If valid warrant, request:
• Presence while scene is secured by agents
• Equipment be digitally photographed in your presence
• Equipment be turned on (if it is not on)
• Solicit that an image of each computer’s fixed storage device or computer files to be seized be made in your presence
• Solicit that an image of each removable storage device to be seized be made in your presence
• Solicit that a preliminary forensics investigation be conducted in accordance with the search warrant and request a copy of the results

Else, deny access to equipment until legal counsel is present.

Suggested Procedure: Recommended Forensic Practice

• Document procedure
• Search equipment on site
• Make a mirror image of storage devices
• Take mirror image off-site
• Restore mirror image on another hard drive that has been wiped clean
• Search for files and data specified in warrant:
  – Searching original devices can compromise original evidence
  – An image is unreadable unless restored to another device
  – If evidence pertaining to other crimes is present it might not be admissible if it is out of the scope of the warrant

Comments

References

Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Marcella & Greenfield, Auerbach Publications, 2002

Incident Response & Computer Forensics, Mandia, Prosise & Pepe, 2nd Edition, McGraw-Hill/Osborne, 2003

United States Constitution, Yahoo version

Good Practice Guide for Computer Based Electronic Evidence, National High Tech Crime Unit, Association of Police Officers, Wales

Computer Searches and Seizures: Some Unresolved Issues, Brenner & Frederiksen, Michigan Telecomm Tech Law Review, 2002

Computer-Based Investigation and Discovery in Criminal Cases: A Guide for United States Magistrate Judges, Withers, National Workshop for Magistrate Judges II, Boston, Mass., 2003

Annotated Case Law on Electronic Discovery, Withers, 2005

Digital Evidence and the New Criminal Procedure, Orin S. Kerr, Columbia Law Review, Vol. 105:279

References

Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Computer Crime and Intellectual Property Section, Criminal Division, US Dept of Justice, 2002

Ensuring the Admissibility of Electronic Forensic Evidence and Enhancing Its Probative Value at Trial, Galves & Galves, American Bar Association Criminal Justice Magazine, Vol 19 #1, 2004

Suppressing Evidence Gained by Government Surveillance of Computers, James Adams, American Bar Association Criminal Justice Magazine, Spring 2004, Vol 19 #1

Computer Records and the Federal Rules of Evidence, Orin S. Kerr, USA Bulletin, US Dept of Justice, March 2001

Federal Guidelines for Searching and Seizing Computers, US Dept of Justice, 1994

United States Secret Service Best Practices for Seizing Electronic Evidence, www.secretservice.gov

Communications Assistance for Law Enforcement Act (CALEA), Agent Michael P. Clifford, US Dept of Justice, CCIPS page, April 2005

Appendix: Evidence Handling Procedures

• Record information about the computer system before examining the contents of its hard drive.
• Take digital photos of the original system and media before it is duplicated.
• Fill an evidence tag for all media to be duplicated, examined and preserved as evidence.
• Store the best evidence copy in the evidence safe.
• Maintain an evidence log for each piece of best evidence under an evidence custodian.
• Perform all examinations on a forensic copy of the best evidence (working copy).
• Create backup copies of the best evidence.
• Comply with disposition dates for evidence disposition as defined by the principal investigator.
• Audit monthly all evidence in custody to ascertain that all best evidence is present, properly stored and labeled.
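The evidence tag, evidence log, working copy and monthly audit listed above, together with the mirror-image practice on the Recommended Forensic Practice slide, can be tied together with a cryptographic hash of the acquired image. The following is an added example, not code from the presentation or its cited sources; the tag id, actor names and the image contents are constructed, and SHA-256 is used as the integrity check.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class EvidenceLog:
    """Evidence tag plus chain-of-custody entries for one evidentiary item."""

    def __init__(self, tag_id, description, custodian):
        self.tag = {"tag_id": tag_id, "description": description,
                    "custodian": custodian, "best_evidence_sha256": None}
        self.entries = []

    def record(self, action, actor, path=None):
        """Append a timestamped entry; hash the file if the action touched one."""
        entry = {"time": datetime.now(timezone.utc).isoformat(),
                 "action": action, "actor": actor}
        if path is not None:
            entry["sha256"] = sha256_file(path)
        self.entries.append(entry)
        return entry

    def seal_best_evidence(self, image_path, actor):
        """Record the acquired image's hash on the tag: this copy is the best evidence."""
        digest = self.record("image acquired and sealed", actor, image_path)["sha256"]
        self.tag["best_evidence_sha256"] = digest
        return digest

    def verify(self, path):
        """Audit check: does this file still match the sealed best evidence?"""
        return sha256_file(path) == self.tag["best_evidence_sha256"]

    def make_working_copy(self, image_path, dest_path, actor):
        """Examinations run on a copy; log it and confirm it matches the seal."""
        Path(dest_path).write_bytes(Path(image_path).read_bytes())
        self.record("working copy created", actor, dest_path)
        return self.verify(dest_path)


def demo(workdir=None):
    """Walk the procedure on a constructed image file (no real device involved)."""
    workdir = Path(workdir or tempfile.mkdtemp())
    image = workdir / "disk01.img"
    image.write_bytes(b"CONSTRUCTED-IMAGE-DATA" * 1024)  # stand-in for a dd image
    log = EvidenceLog("TAG-0001", "fixed disk image, hypothetical workstation", "custodian")
    log.record("system photographed and labelled", "examiner")
    sealed = log.seal_best_evidence(image, "examiner")
    working = workdir / "disk01-working.img"
    ok_before = log.make_working_copy(image, working, "examiner")
    with open(working, "ab") as f:  # simulate an examination that wrote to the copy
        f.write(b"\x00")
    return {"sealed": sealed, "working_ok_before": ok_before,
            "working_ok_after": log.verify(working),
            "best_evidence_ok": log.verify(image), "entries": len(log.entries)}
```

A working copy that no longer matches the sealed hash is discarded and re-created from the best evidence; the sealed copy itself is what the monthly audit re-hashes.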

Appendix: Evidence System Description

Record information on individuals who:
• occupy the office or room where the original evidence is found;
• have access to the office or room where the original evidence is found;
• actually use the system.

Record information on the computer:
• Location in the room or office;
• State (power on/off), data on screen;
• Time/Date from system BIOS;
• Network/Modem connections;
• Serial #, model, make of computer, drives and components;
• Peripherals attached.

Digital photos:
• Protect investigator(s) from claims of damage to property
• Return system to its exact state prior to forensic duplication
• Capture current configuration