Recovering, Examining and Presenting Computer Forensic Evidence in Court
1
Recovering, Examining and Presenting Computer
Forensic Evidence in Court
  • By Malack Amenya

2
Introduction
  • A technological revolution in communications and
    information exchange has taken place within
    business, industry, and our homes.
  • In this information technology age, the needs of
    law enforcement are changing as well.

3
Computer Forensic Science
  • Computer forensic science is the science of
    acquiring, preserving, retrieving, and presenting
    data that has been processed electronically and
    stored on computer media.

4
  • Computer forensic science was created to address
    the specific and articulated needs of law
    enforcement to make the most of this new form of
    electronic evidence
  • With the average storage capacity in a personally
    owned microcomputer approaching 30 gigabytes

5
  • and systems readily available that have 60-GB
    storage capacity or more, it is likely to be
    impossible from a practical standpoint to
    completely and exhaustively examine every file
    stored on a seized computer system.

6
  • As difficult as it would be to scan a directory
    of every file on a computer system, it would be
    equally difficult for law enforcement personnel
    to read and assimilate the amount of information
    contained within the files.
  • For example, 12 GB of printed text data would
    create a stack of paper 24 stories high.

7
  • Even though the examiner may have the legal right
    to search every file, time limitations and other
    judicial constraints may not permit it. The
    examination in most cases should be limited to
    only well-identified probative information.

8
Recovering and Discovering Information
  • It is now black letter law that information
    generated and stored on computers and in other
    electronic forms is discoverable

9
How to collect relevant data, and how to assure
that data collected can be authenticated and
admitted as evidence.

10
1. Send a preservation of evidence letter.
  • Because the information stored on computers
    changes, it is critical that you put all parties
    on notice that you will be seeking electronic
    evidence through discovery

11
2. Include definitions and instructions
  • First, use a series of interrogatories to get an
    overview of the target computer system
  • Second, all requests for production should make
    clear that you are requesting electronic
    documents as well as paper.
  • Finally, if necessary, include a request for
    inspection so you can examine the computer system
    first hand and retrieve any relevant data.

12
3. Take a 30(b)(6) deposition
  • This is the single best tool for finding out the
    types of electronic information that exist in
    your opponent's computer systems.
  • Follow the Checklist for System Discovery.

13
4. Collect backup tapes
  • One of the most fertile sources of evidence is
    the routine backup created to protect data in
    case of disaster.

14
5. Collect removable media.
  • Data selectively saved by users to diskettes or
    other portable media is another fertile, but
    often overlooked, source of evidence

15
6. Ask every witness about computer usage
  • In addition to the discovery directed at the
    computer system, every witness must be questioned
    about his or her computer use
  • Palmtop devices and notebook computers are
    another good source of evidence

16
7. Make copies of residual data.
  • Residual data includes deleted files, fragments
    of deleted files, and other data that is still
    extant on the disk surface.

17
8. Write-protect and virus check all media.
  • Now that you have obtained the data, you likely
    have a mix of image copies, backup tapes,
    diskettes, CDs, and other media.
  • Before doing anything else, you must maintain the
    integrity of the media you have received. The two
    key steps in doing this are write-protection and
    virus checking.

18
9. Preserve the chain of custody
  • A chain of custody tracks evidence from its
    original source to what is offered as evidence in
    court.
  • A good benchmark is whether the software is used
    and relied on by law enforcement agencies.

19
9. Preserve the chain of custody cont.
  • Second, the copies made must be capable of
    independent verification.
  • In short, your opponent and the court must be
    able to satisfy themselves that your copies are
    accurate.
  • Third, the copies created must be tamper proof.

20
Examining Computer Evidence
  • The challenge to computer forensic science is to
    develop methods and techniques that provide valid
    and reliable results while protecting the real
    evidence, the information, from harm.

21
Examining Computer Evidence
  • Creating the copy and ensuring that it is true
    and accurate involves a subset of the principle,
    that is, policy and practice.
  • Each agency and examiner must make a decision as
    to how to implement this principle on a
    case-by-case basis.

22
Authentication of Digital Evidence
  • Authentication is the process by which the
    reliability of evidence is established
  • The party leading the evidence in court must show
    that it has not been altered since it was
    collected and that the location, date, and time
    of collection can be proven
  • That is accomplished using standardized
    evidence-handling procedures and chain-of-custody
    records and relies primarily on physical security
    measures
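
Slides 18, 19 and 22 require that copies be capable of independent verification, that they be tamper proof, and that the proponent show the evidence has not been altered since collection. The script below is an added illustration and not part of the original presentation: it records a cryptographic hash of the image at acquisition so that anyone holding a copy can recompute it, and keeps a chain-of-custody log in which every entry carries the hash of the previous entry, so an edited, removed or reordered entry is detected when the log is checked. The item identifier, examiner names, timestamps and the sample image bytes are constructed for the example.

```python
"""Hash verification of an evidence copy plus a tamper-evident
chain-of-custody log (added example, not from the original slides)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # constructed sentinel used as the "previous hash" of the first entry


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the bytes of an evidence copy."""
    return hashlib.sha256(data).hexdigest()


def _entry_digest(fields: dict, prev_hash: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) so any party recomputes the same value.
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")) + prev_hash
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def append_event(record: dict, event: str, actor: str, detail: str,
                 when: Optional[str] = None) -> dict:
    """Append a custody event whose hash covers its fields and the previous entry's hash."""
    prev = record["log"][-1]["entry_hash"] if record["log"] else GENESIS
    entry = {"event": event, "actor": actor, "detail": detail, "when": when or _now()}
    entry["entry_hash"] = _entry_digest(entry, prev)
    record["log"].append(entry)
    return entry


def start_custody(image: bytes, item_id: str, collected_by: str, location: str,
                  when: Optional[str] = None) -> dict:
    """Open a custody record: the hash taken at acquisition is the reference
    against which every later verification of the copy is checked."""
    record = {"item_id": item_id, "acquisition_sha256": sha256_hex(image), "log": []}
    append_event(record, "acquired", collected_by, location, when)
    return record


def verify_image(record: dict, image: bytes) -> bool:
    """Independent verification: recompute the hash of the copy and compare."""
    return hmac.compare_digest(sha256_hex(image), record["acquisition_sha256"])


def verify_log(record: dict) -> bool:
    """Rebuild the hash chain; any altered, dropped or reordered entry breaks it."""
    prev = GENESIS
    for entry in record["log"]:
        fields = {k: v for k, v in entry.items() if k != "entry_hash"}
        if _entry_digest(fields, prev) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


if __name__ == "__main__":
    # Constructed sample standing in for the bytes of a forensic disk image.
    image = b"constructed sample image bytes: not a real disk image"
    rec = start_custody(image, "ITEM-0001", "Examiner A", "evidence locker 4",
                        "2004-07-20T09:00:00+00:00")
    append_event(rec, "transferred", "Examiner A to Analyst B",
                 "hand carried in sealed bag", "2004-07-21T10:00:00+00:00")
    print("copy matches acquisition hash:", verify_image(rec, image))
    print("custody log intact:", verify_log(rec))
    print("altered copy detected:", not verify_image(rec, image + b"\x00"))
    rec["log"][0]["actor"] = "someone else"  # simulate an edited log entry
    print("edited log detected:", not verify_log(rec))
```

The acquisition hash and the log should be stored and produced together with the copy; the opposing party verifies the copy by running the same hash over their own instance of the image, and the hash chain lets the court check that no custody entry was changed after the fact.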

23
Information-Assurance Services
  • The Information Assurance Technical Framework
    (National Security Agency 2002) captures
    information-assurance guidance reflecting the
    state-of-practice in the U.S. Department of
    Defense, federal government, and industry
    information-assurance community.

24
  • It describes five primary security services
    relevant to information and information
    processing systems:
  • access control, confidentiality, integrity,
    availability, and non-repudiation.

25
Daubert Compliance
  • The Daubert ruling (Daubert 1993) requires the
    trial judge to make an assessment of whether a
    methodology or technique invoked by expert
    testimony is scientifically valid and whether the
    methodology can be applied to the facts in issue.

26
  • The ruling provides the following five example
    considerations to aid the judge in making that
    assessment:
  • Whether the technique can be and has been tested
  • Whether the technique has been subjected to peer
    review and publication
  • Known or potential rate of error
  • Existence and maintenance of standards
    controlling the technique
  • General acceptance in the relevant scientific
    community

27
Presenting evidence in court
  • When collecting computer data for evidentiary
    purposes, a party has a duty to utilize the
    method which would yield the most complete and
    accurate results. Gates Rubber Co. v. Bando
    Chemical Indus. Ltd., 167 F.R.D. 90, 112 (D.
    Colo. 1996).
  • In Gates, the court criticized the plaintiff for
    failing to make image copies and for failing to
    properly preserve undeleted files.

28
  • Zubulake V, (July 20, 2004)
  • The contents of the backup tapes restored by UBS
    demonstrated that certain UBS employees had
    deleted email after being advised of their duty
    to preserve the evidence. Since Zubulake could
    now show that the destruction was willful and it
    was likely the destroyed emails would have been
    beneficial to her case, the Court granted an
    adverse inference jury instruction.
  • Additionally, since it took UBS almost two years
    to produce the relevant and requested emails from
    the backup tapes, it was ordered to pay
    Zubulake's costs related to re-deposing any
    relevant witnesses. Even though the Court
    acknowledged that UBS's attorneys generally
    fulfilled their duty to communicate with their
    client on its duty to preserve and produce data,
    it noted certain key shortcomings, one of which
    was the attorneys' failure to communicate with
    the client's information technology personnel.
  • In a postscript to this July 2004 opinion, Judge
    Scheindlin discusses how rapidly the body of case
    law on discovery of electronic information has
    evolved in the little over two years that this
    case has been pending. All parties and their
    counsel are fully on notice of their
    responsibility to preserve and produce
    electronically stored information.

29
  • See more sample cases at
  • http://www.geocities.com/nyaurakisii/amenya

30
Conclusion
  • Challenges of computer forensics
  • -being able to demonstrate the authenticity of
    the evidence
  • -integrity and security of data are also an issue
    in many courts
  • -acceptance of computer technology (judges, jury
    etc.)
  • -establishing the chain of custody
  • Why computer crime is hard to prosecute
  • -lack of understanding
  • -lack of physical evidence
  • -lack of political impact
  • -complexity of cases
  • -juvenile offenders

31
  • The end