Embed Size (px)
Citation preview
Law, Guidelines and Forensics
Dr Jill Slay
Objectives
• In this module we will discuss:– Role of Computer Forensics in Law Enforcement
– Objective of Computer forensics
– Principles of evidence
– Problems with Computer evidence
– Australian Computer Crime Legislation
– Categorisations of E-crime
– Cybercrime Act of 2001
– Forensic Computing and Business and Accounting Legislation and Guidelines
Role of Computer Forensics in Law Enforcement
• Early cases involved fraud
• Later cases involved networking
• Nowadays three roles of computer in electronic crime1. Computer as a tool
2. Computer as a target
3. Computer as storage device
Objective of Computer forensics
• Types of examination– Content of data files
– Comparison of data to known document and data files
– File transactions, time and sequence
– Extraction of data files from computer
– Recovery of deleted data files
– Format conversion of data files
– Keyword searching in data
– Passwords recovered and decrypted
– Source code analysis and comparison
– Storage media examined
Objective of Computer forensics
• Network history collection – Browser
• Graphics and Multimedia file examination
Most common crimes investigated internationally needing forensic
Investigation
• Fraud
• Murder
• Drug crime
• Paedophilia
• Organised crime
• Terrorism
• Hacking
Principles of evidence
• Computer evidence must be:– Admissible and conform to legal rules
– Authentic and be possible to tie the evidence to the incident
– Complete and tell the whole story, not one perspective
– Reliable and dependable in content and process
– Believable and understandable to a jury
Problems with Computer evidence
• Can be easily altered or deleted
• Can be invisibly and undetectably altered
• Can travel with other data
• Can be stored in a different format to that in which it is displayed
• It is difficult for layman, police, judge and jury to understand
Problems with Computer evidence
• In summary of previous slide, computer evidence is:– Mutable, subject to change
– Volatile, reflecting system’s current state
• Australian Federal and State law has had to be adapted to deal with the growth in magnitude and sophistication of computer crime.
• Federal and State legislation is similar in its scope; – Federal legislation deals solely with offences committed
against or using Commonwealth government IT infrastructure.
– Each state has its own legislation and while we would expect to find major similarities between individual State legislations, we will also discover that there are some dissimilarities between the states.
Australian Computer Crime Legislation
Federal Criminal Legislation • Cybercrime Act of 2001.• In January 2001, the Model Criminal Code
Damage and Computer Offences Report (Cybercrime Act 2001) was produced as a result of consultation between the varying Commonwealth and State justice and law enforcement agencies
• This Commonwealth Act produces a number of new offences, such as denial of service, virus propagation and provides legislative ‘powers’ to aid law enforcement agencies in the investigation if these crimes.
Electronic Crime
• The South Australian Police Department (SAPOL 2003) defines electronic crime as:
‘Offences where a computer or other electronic device is used as a tool in the commission of an offence, or as a target of an offence, or used as a storage device in the commission of an offence.’
Categorisations of E-crime
Tier 1
General duties
• Examples of the types of offences that may fall into this category are:– internet frauds
– threatening or offensive emails
– stolen computer hardware and software stalking
– other investigations of a similar typology.
Categorisations of E-crime
• Tier 2
• CIB
• Examples of the types of offences that may fall into this category are:– multi-jurisdictional and pattern crime internet fraud offences .
– unlawful computer access
– serious threats to harm or kill
– serious fraud or dishonesty offences
– child pornography and paedophilia matters
– other investigations of a similar typology.
Categorisations of E-crime
• Tier 3 investigation responsibilities• Electronic Crime Section and will include• Electronic crimes of a significant, serious, political, national,
international or terrorist nature. • Examples of the types of offences that may fall into this
category are:– terrorism– high level computer hacking . – infrastructure sabotage– manufacture of malicious code (eg virus, worm and trojan) .
serious impairment of electronic communication (eg denial of service attacks)
– other investigations of a similar typology.
• The offences are divided into serious computer offences and other computer offences.
• The offences are designed to address instances of hacking where Commonwealth data or data contained within Commonwealth computers are the target of offenders.
• Additionally, crimes facilitated through the use of telecommunications services are also captured within these offences.
Cybercrime Act of 2001.
Serious Computer Offences
• Unauthorised access, modification or impairment with intent to commit a serious offence (Section 477.1 Criminal Code Act)
• Unauthorised modification of data to cause impairment (Section 477.2 Criminal Code Act)
• Unauthorised impairment of electronic communication (Section 477.3 Criminal Code Act)
Other Computer Offences• Unauthorised access to, or modification of,
restricted data (Section 478.1 Criminal Code Act)• Unauthorised impairment of data held on a
computer disk etc. (Section 478.2 Criminal Code Act)
• Possession or control of data with intent to commit a computer offence (Section 478.3 Criminal Code Act)
• Producing, supplying or obtaining data with intent to commit a computer offence (Section 478.4 Criminal Code Act)
• Unauthorised access to or modification of computer data (Section 86C CLCA)
• Unauthorised impairment of electronic communication (Section 86D CLCA)
• Use of a computer with intention to commit, facilitate the commission of an offence (Section 86E CLCA)
• Use of computer to commit, or facilitate the commission of, an offence outside the State (Section 86F CLCA)
Other Computer Offences
Other Computer Offences
• Unauthorised modification of computer data (Section 86G CLCA)
• Unauthorised impairment of electronic communication (Section 86h CLCA)
• Possession of computer viruses etc with intent to commit a serious offence Section 86I CLCA)
• Unlawful operation of computer system (Section 44 S.O.A.)
• Unauthorised impairment of data held in credit card or on computer disk or other device (Section 44A S.O.A.)
Thrust of legislation
• In its entirety, this legislation deals with – unauthorised modification of data (without permission of
the owner of the data),
– impairment of communication within a network,
– use of a computer to modify data (hacking) or to commit another offence inside or outside of the State and
– all types denial of service.
Thrust of legislation
1. If an offender accesses a system and does no harm to it, they have still committed an offence.
2. it is an offence to damage data stored on a computer disk, credit card or other kind of device used to store data by electronic means
3. Other legislation includes:
• Dishonest manipulation of machines (Section 141 CLCA)• Unlawful stalking (Section 19AA CLCA)• Interference with approved system or equipment (Section 41 of the
Casino Act)• Making available or supplying objectionable matter on on-line
service (Section 75C Classification (Publication, Films & Computer Games) Act)
• Making available or supplying matter unsuitable for minors on on-line service (Section 75D Classification (Publication, Films & Computer Games) Act)
Why is the Cybercrime legislation important?
• We would expect that any kind of breach of this legislation which was prosecuted would then demand a forensic investigation:– Hacking
– Denial of service
– Pornography
• Investigators need to be ready for this
But other crimes need forensic computing input
• Fraud – examination of accounts
• Murder – what was on victim’s pc, phone, iPod, pda
• Suicide – was it really suicide?
• Need to know the same answers if we arrest a suspect for:– Drug offence
– Terrorism
Forensic Computing and Business and Accounting Legislation and Guidelines
New US Accounting Reform Laws and forensic computing
• Sarbanes-Oxley Act of 2002
• Enron case
• affects all multi-national companies
• mandates retention of electronic documents
• imposes strict criminal penalties for altering or destroying records, including those kept in electronic form, and
• mandates production of electronic records and other documents when summoned
• Computer forensics mandatory process whenever the results of a computer investigation may ultimately be presented in a legal or administrative proceeding.
Australian Guidelines
• HB 171: 003 Guidelines for the management of IT evidence
• gives ‘guidance on the management of electronic records that may be used in judicial or administrative proceedings, whether as a plaintiff, defendant or witness’
• useful where suspect criminal activity is to be referred to appropriate authorities for investigation.’
IT Security Risk
• The greatest risk we are thus managing in an IT Security sense is two fold:
• If we do not ensure appropriate record keeping systems are designed and developed we will have no evidence for any kind of judicial or administrative investigation
• If we do not take full cognisance of legal and forensic computing requirements our records, however technically accurate, may not be legally admissible in court
Basic principles for the management of IT evidence
• In HB 171: 003 Guidelines for the management of IT evidence are presented. These include:
• 1. ‘Obligation to provide records’ • 2. ‘Design for evidence’ • 3. ‘Evidence collection’ and ‘Custody of records’, • The guidelines give a full picture of how
investigations must be carried out and also give information on principles for recovery of digital evidence (HB-171, 2003, p.27), principles for evidence collection and the role and duties of expert witnesses in this context.
Challenges in court
• Based on – Computer Forensics: The Need for Standardization and
Certification by Matthew Meyers and Marc Rogers
1. Search and Seizure • An illegal search and seizure or improper methodology
employed during search and seizure can negatively affect the admissibility of the evidence.
• The Trojan defence (the big wooden horse did it!)
Challenges in court
2. The “Expert”• an area of contention is whether one can be
considered an expert solely based on the ability to use a tool or software package, without the ability to clearly define how the tool works or reviewing the source code.
• The majority of the tools and software used in computer forensics is proprietary and copyrighted, thus negating the ability to access the source code.
Challenges in court
3. Analysis and Preservation
• If the evidence makes it through the first two stages, it must be proven that the analysis and preservation was conducted properly.
The Future
• Defence lawyers will become more expert in forensic computing issues challenging– Prosecution expertise
– Expert witnesses
– Tools and techniques
An American Perspective from Professor Golden Richard III
• Legal Issues
– Investigatory needs vs. the right to privacy– What constitutes computer crime?– Fourth Amendment to the U.S. Constitution– Search warrants vs. wiretap orders– Fifth Amendment to the U.S. Constitution– Jurisdiction: Who cares? Who prosecutes?– Admissibility of evidence in court– Chain of custody issues– Digital Millennium Copyright Act (DMCA)– Patriot Act
Privacy
• Fourth Amendment– Government is not allowed unreasonable search
and/or seizure of property– Does not apply for non-governmental (e.g.,
corporate) investigators– Complicated—court tries to balance privacy and
need to control crime– Individual must reasonably expect privacy in
whatever scenario is being evaluated– Society must believe expectation of privacy is
reasonable– Example: Sitting in a public park, counting
pictures of people you’ve murdered…NO expectation of privacy!
Fourth Amendment
• More Examples:– Random stops on highway
• OK. Primarily to ensure highway safety, not investigate crime
– Use of a phone booth• When door is shut, reasonable expectation of privacy
• Can’t snoop without appropriate court orders
• Can’t place microphone on outside of phone booth
– Placing computer in outdoor trash• Not reasonable to expect that this is a private container
• No right to privacy here, and police can search your trash legally
Fourth (2)
• Drug sniffing dogs are not considered a search• Limited, “reveal only contraband”• Commonly available? Yes?• If a dog could sniff drugs in your house from the
street, is it a search?• Probably not, if “reveal only contraband” exception
holds• If dogs are replaced by a recently developed
sniffing technology, legal?• Probably not, because technology not in common
use• Dogs issue very controversial, many think that court
needs to reconsider this issue
Fourth Amendment (3)
• Thermal imager to find hotspots in a house, potentially indicates use of high-intensity lights to grow herbs…– Supreme Court said (in 2001) that use of the
thermal imager revealed things inside the house that could not have otherwise been discovered without a physical search, so violates 4th amendment
– Close decision, hinged on fact that thermal imager is not widely used by the public
– If it was, then no reasonable expectation of privacy?
Fourth (4)• Fourth Amendment + Computers• From: http://www.cybercrime.gov/s&smanual2002.htm
– To determine whether an individual has a reasonable expectation of privacy in information stored in a computer, it helps to treat the computer like a closed container such as a briefcase or file cabinet. The Fourth Amendment generally prohibits law enforcement from accessing and viewing information stored in a computer without a warrant if it would be prohibited from opening a closed container and examining its contents in the same situation.
• Computer 3rd party may render 4th amendment rights void• Example: Getting computer fixed, technician discovers
something illegal, turns you over to the police• Government can recreate search which was performed by a
non-government entity (e.g., your wife!) but not exceed the scope of the original search without a warrant
Fourth (5)
• Bottom line: if you’re law enforcement, all this matters
• Otherwise, Fourth Amendment doesn’t even apply
• Doesn’t mean that you can hack into whatever you wish w/o worry..
• An individual or corporation’s right to search is governed by other laws
Fifth Amendment
• Protection against self-incrimination in giving testimony• ‘No person shall be compelled in any criminal case to be a
witness against himself’• Applies if the act of producing papers or records has a self-
incriminatory ‘communicative’ or ‘testimonial’ aspect• Never applies to corporations• Never applies to corporate records• Once document is given to another, fourth and fifth
amendment protection is lost
Fifth (2)
• Can not use the fifth amendment to avoid testifying against another individual (e.g., friend, spouse)– Obstruction of justice
• Encryption keys on shaky ground in US• Key itself does not incriminate you…
material it PROTECTS may incriminate you
• If key is written down, you must present it• If it’s memorized, you may be protected
from revealing it (in the United States)
Encryption Keys
• UK, India, Singapore, Malaysia– Must produce encryption keys when under warrant– UK: Gag clause: 5 years imprisonment for revealing
that order to reveal encryption keys was served
• US– When key in possession of third party, you’re probably
in trouble– Third party cannot “claim the 5th” to avoid disclosing
keys– Essentially, to be protected you probably need to
memorize the keys (as on previous slide)
More on Encryption Keys, 4th, 5th
• “Self Incrimination and Cryptographic Keys” (Sergienko)
• Documents receive very little protection under 4th, 5th amendments
• View of Supreme Court seems to be that government can compel production of documents (“give me the document”) because government did not compel defendant to write the document in the first place
• This article states that at least one view holds that written cryptographic keys cannot be distinguished from the documents they protect
• If you can subpoena the documents, you can subpoena the written keys
More on Keys (2)
• What about memorized keys?• Difference between physical evidence and testimonial
evidence (blood sample vs. “I admit that I killed him”)• Non-cryptographic key (e.g., a house key) is physical
evidence• Physical key thus NOT protected! Courts have upheld
seizure of such physical evidence under the 4th Amendment and compulsory production OK under the 5th
• Choosing a key whose utterance confesses a crime (“ikilledjoebecauseididn’tlikehim”) may offer some protection
• Uttering key is self-incriminating?!• Dangerous ground here, though!
More on Keys (3)
• If the key doesn’t have “testimonial content” (uttering it is admission of a crime), why is an encryption key different from a physical key?
• Can’t refuse to produce physical key sowhy would it be OK to refuse to produce an encryption key?
• Person may not be required to “restate, repeat, or affirm the truth of the contents of the documents sought” when such would be self-incriminating
• Forcing production of key may ‘cause’ document to be restated in an intelligible fashion
• If encryption key authenticates a document…• Person has never revealed key/document to anyone
else• …then production of the key might authenticate the
document• 5th Amendment protection would be triggered
Admissibility of Evidence
• Chain of custody must be thoroughly recorded• Any person in the chain might be called to testify that evidence
was not modified or subjected to contamination• Older: Frye test
– Is the technique generally accepted in its particular scientific community?
• Newer: Daubert test– (e.g., See:
http://www.skepticreport.com/mystics/dauberttest.htm)– A witness qualified as an expert by knowledge,
skill, experience, training, or education, may testify in the form of an opinion or otherwise, if:
• the testimony is based upon sufficient facts or data, • the testimony is the product of reliable principles and
methods, and • the witness has applied the principles and methods
reliably to the facts of the case.
Daubert (2)
• Factors:– Whether the theory or technique has been scientifically
tested– Whether the theory or technique has been subject to peer
review or publication– The expected error rate of the technique used is known– Acceptance of the theory or technique in the relevant
scientific community
Daubert (3)
• Other factors:– Is the expert testifying about something that
comes out of their research directly, or have they developed opinions specifically for purposes of testifying?
– Has the expert unjustifiably extrapolated from an accepted premise to an unfounded conclusion?
– Has the expert adequately accounted for obvious alternative explanations?
• “Might this have happened instead?”• <<gulp>>
– Is the field of expertise claimed by the expert known for reliable results for the type of opinion the expert would give (e.g., astrology == “NO”)
Privacy-Protecting Laws
• (Explanations by Richard Salgado, Computer Crime Section, U.S. Dept. of Justice, in his SANS security lecture, these don’t constitute legal advice and all such disclaimers)
• Federal Wiretap Act– Covers interception of voice and electronic communications
“on-the-wire”
– Generally illegal to intercept electronic communication, except in certain circumstances, among those on the following slide
Privacy-Protecting (2)
• Provider exception– Can perform limited monitoring to protect rights and
property of system under attack– Switchboard operator may overhear during call transfers– Line technician may overhear during repairs to phone
lines
• Consent exception– Permission to monitor, e.g. written permission or a login
banner– Essentially, must “banner” all ports that allow access
unless you have written permission
• Court order
Privacy-Protecting (3)
• Electronic Communications Privacy Act (ECPA)– Covers access to stored voice and digital communications– Covers what can be disclosed to law enforcement– Question: Are communication services provided to the public?– e.g., AOL (yes): Restrictions with some exceptions:
• Does provider believe that an emergency involving death or serious physical harm may result otherwise?
• Consent?• Contents of communication inadvertently acquired, evidence of a
crime?• Can disclose non-content (e.g., logs of activity) to anyone not
involved in government– e.g., corporate, university (no): No restrictions on what can be
disclosed to law enforcement• Pen/Trap Statute of 18 U.S.C. 3121-27
– Covers real-time collection of addressing information (e.g., packet headers, phone #s), not the contents of the communication
– Rules more liberal than for wiretap
Access to Evidence for Law Enforcement
• Preservation of Evidence letter– Letter from government asking that evidence not be erased as a matter of
normal administrative procedures– e.g., to AOL: “Please don’t delete logs related to…”– Lasts for 90 days
• To get name, address, session info (e.g., when user logged in, etc.)– Subpoena
• Stored files– Court order
• Stored files containing electronic communications– Search warrant– For email that has been read, court order
• Difficulty level:– Letter < subpoena < court order < search warrant < wiretap order
Patriot Act
• So things weren’t complicated enough?• Hundreds of pages, complicated for non-lawyers• Much analysis of Patriot act is skewed (“it’s a threat to our very
lives” vs. “it’s a wonderful anti-terrorism tool”)• Still, many citizens not happy• Basic:
– significantly erodes requirements for law enforcement to show probable cause for warrants and wiretap orders
– removes requirements to notify parties of a search warrant being served
– e.g., police may be able to enter a residence without informing party until later
– Bad because party might have been able to better protect her rights by pointing out that address on warrant is incorrect
– Bad because warrants are limited—in secret, impossible for party to object to “unauthorized” searches
– “Good” because prevents evidence from being destroyed before seizure can take place
DMCA
• Digital Millennium Copyright Act• Summary here:
– http://www.copyright.gov/legislation/dmca.pdf• Expands copyright law• Makes reverse engineering illegal in many circumstances• Illegal in many circumstances to defeat access controls or anti-
copying techniques• Example: Buy a DVD, making a copy of the DVD involves
defeating the copy protection scheme, thus illegal• “Encryption research” exceptions
– So vague that if you do some “encryption research” and release the results, you should be very careful
– “research” vs. distribution of copy protection circumvention techniques
– Research paper documenting circumvention with lots of technical explanation vs. a program that performs circumvention
