Title: Recovering, Examining and Presenting Computer Forensic Evidence in Court
Introduction
- A technological revolution in communications and information exchange has taken place within business, industry, and our homes.
- In this information technology age, the needs of law enforcement are changing as well.
Computer Forensic Science
- Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media.
- Computer forensic science was created to address the specific and articulated needs of law enforcement to make the most of this new form of electronic evidence.
- With the average storage capacity in a personally owned microcomputer approaching 30 gigabytes, and systems readily available that have 60-GB storage capacity or more, it is likely to be impossible from a practical standpoint to completely and exhaustively examine every file stored on a seized computer system.
- As difficult as it would be to scan a directory of every file on a computer system, it would be equally difficult for law enforcement personnel to read and assimilate the amount of information contained within the files.
- For example, 12 GB of printed text data would create a stack of paper 24 stories high.
- Even though the examiner may have the legal right to search every file, time limitations and other judicial constraints may not permit it. The examination in most cases should be limited to only well-identified probative information.
Recovering and Discovering Information
- It is now black letter law that information generated and stored on computers and in other electronic forms is discoverable.
How to collect relevant data, and how to assure that the data collected can be authenticated and admitted as evidence:
1. Send a preservation of evidence letter.
- Because the information stored on computers changes, it is critical that you put all parties on notice that you will be seeking electronic evidence through discovery.
2. Include definitions and instructions.
- First, use a series of interrogatories to get an overview of the target computer system.
- Second, all requests for production should make clear that you are requesting electronic documents as well as paper.
- Finally, if necessary, include a request for inspection so you can examine the computer system first hand and retrieve any relevant data.
3. Take a 30(b)(6) deposition.
- This is the single best tool for finding out the types of electronic information that exist in your opponent's computer systems.
- Follow the Checklist For System Discovery.
4. Collect backup tapes.
- One of the most fertile sources of evidence is the routine backup created to protect data in case of disaster.
5. Collect removable media.
- Data selectively saved by users to diskettes or other portable media is another fertile, but often overlooked, source of evidence.
6. Ask every witness about computer usage.
- In addition to the discovery directed at the computer system, every witness must be questioned about his or her computer use.
- Palmtop devices and notebook computers are another good source of evidence.
7. Make copies of residual data.
- Residual data includes deleted files, fragments of deleted files, and other data that is still extant on the disk surface.
8. Write-protect and virus check all media.
- Now that you have obtained the data, you likely have a mix of image copies, backup tapes, diskettes, CDs, and other media.
- Before doing anything else, you must maintain the integrity of the media you have received. The two key steps in doing this are write-protection and virus checking.
9. Preserve the chain of custody.
- A chain of custody tracks evidence from its original source to what is offered as evidence in court.
- A good benchmark is whether the software is used and relied on by law enforcement agencies.
- Second, the copies made must be capable of independent verification; in short, your opponent and the court must be able to satisfy themselves that your copies are accurate.
- Third, the copies created must be tamper-proof.
Examining Computer Evidence
- The challenge to computer forensic science is to develop methods and techniques that provide valid and reliable results while protecting the real evidence, the information, from harm.
- Creating the copy and ensuring that it is true and accurate involves a subset of the principle, that is, policy and practice.
- Each agency and examiner must make a decision as to how to implement this principle on a case-by-case basis.
Authentication of Digital Evidence
- Authentication is the process by which the reliability of evidence is established.
- The party leading the evidence in court must show that it has not been altered since it was collected and that the location, date, and time of collection can be proven.
- That is accomplished using standardized evidence-handling procedures and chain-of-custody records, and relies primarily on physical security measures.
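As an added illustration (not part of the original slides) of the chain-of-custody requirements above, that copies be independently verifiable and tamper-proof, and of the authentication point that evidence must be shown unaltered since collection, the following Python keeps a hashed custody record for a constructed stand-in disk image. The item id, examiner names, source description and the image bytes are made-up values.

```python
import hashlib
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash large images 1 MiB at a time instead of reading them whole

def image_digest(image: bytes, algorithm: str = "sha256") -> str:
    """Return the hex digest of an evidence image, processed in chunks."""
    h = hashlib.new(algorithm)
    view = memoryview(image)
    for start in range(0, len(view), CHUNK):
        h.update(view[start:start + CHUNK])
    return h.hexdigest()

def custody_event(action: str, person: str, image: bytes) -> dict:
    """One link in the chain: who did what, when (UTC), and the hash seen at that moment."""
    return {"time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action, "person": person, "observed_hash": image_digest(image)}

def acquire(image: bytes, item_id: str, examiner: str, source: str) -> dict:
    """Open a custody record; the acquisition hash is what every later copy must match."""
    return {"item_id": item_id, "source": source, "algorithm": "sha256",
            "acquisition_hash": image_digest(image),
            "entries": [custody_event("acquired", examiner, image)]}

def transfer(record: dict, action: str, person: str, image: bytes) -> bool:
    """Log a hand-over and report whether the copy still matches the acquisition hash."""
    event = custody_event(action, person, image)
    record["entries"].append(event)
    return event["observed_hash"] == record["acquisition_hash"]

def verify_copy(record: dict, copy: bytes) -> bool:
    """Independent verification: anyone holding the record can recompute and compare."""
    return image_digest(copy, record["algorithm"]) == record["acquisition_hash"]

def flip_bit(image: bytes, offset: int) -> bytes:
    """Constructed tampering for the demonstration: change a single bit of the image."""
    buf = bytearray(image)
    buf[offset] ^= 0x01
    return bytes(buf)

# Constructed stand-in for a disk image; not real evidence.
ORIGINAL = b"\x00" * 512 + b"constructed sector data" + b"\xff" * 1024

if __name__ == "__main__":
    rec = acquire(ORIGINAL, "ITEM-001", "examiner A", "constructed seized drive")
    print("hand-over intact:", transfer(rec, "handed to lab", "examiner B", ORIGINAL))
    print("altered copy verifies:", verify_copy(rec, flip_bit(ORIGINAL, 600)))
```

The record itself still needs protecting (signed or stored with the physical evidence), since a hash only shows that a copy matches the acquisition value, not who wrote it down.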
Information-Assurance Services
- The Information Assurance Technical Framework (National Security Agency 2002) captures information-assurance guidance reflecting the state of practice in the U.S. Department of Defense, federal government, and industry information-assurance community.
- It describes five primary security services relevant to information and information processing systems: access control, confidentiality, integrity, availability, and non-repudiation.
Daubert Compliance
- The Daubert ruling (Daubert 1993) requires the trial judge to make an assessment of whether a methodology or technique invoked by expert testimony is scientifically valid and whether the methodology can be applied to the facts in issue.
- The ruling provides the following five example considerations to aid the judge in making that assessment:
  - Whether the technique can be and has been tested
  - Whether the technique has been subjected to peer review and publication
  - Known or potential rate of error
  - Existence and maintenance of standards controlling the technique
  - General acceptance in the relevant scientific community
Presenting evidence in court
- When collecting computer data for evidentiary purposes, a party has a duty to utilize the method which would yield the most complete and accurate results. Gates Rubber Co. v. Bando Chemical Indus. Ltd., 167 F.R.D. 90, 112 (D. Colo. 1996).
- In Gates, the court criticized the plaintiff for failing to make image copies and for failing to properly preserve undeleted files.
- Zubulake V (July 20, 2004)
- The contents of the backup tapes restored by UBS demonstrated that certain UBS employees had deleted email after being advised of their duty to preserve the evidence. Since Zubulake could now show that the destruction was willful and it was likely the destroyed emails would have been beneficial to her case, the Court granted an adverse inference jury instruction.
- Additionally, since it took UBS almost two years to produce the relevant and requested emails from the backup tapes, it was ordered to pay Zubulake's costs related to re-deposing any relevant witnesses. Even though the Court acknowledged that UBS's attorneys generally fulfilled their duty to communicate with their client on its duty to preserve and produce data, it noted certain key shortcomings, one of which was the attorneys' failure to communicate with the client's information technology personnel.
- In a postscript to this July 2004 opinion, Judge Scheindlin discusses how rapidly the body of case law on discovery of electronic information has evolved in the little over two years that this case has been pending. All parties and their counsel are fully on notice of their responsibility to preserve and produce electronically stored information.
- See more sample cases at http://www.geocities.com/nyaurakisii/amenya
Conclusion
- Challenges of computer forensics:
  - Being able to demonstrate the authenticity of the evidence
  - Integrity and security of data are also an issue in many courts
  - Acceptance of computer technology (judges, jury, etc.)
  - Establishing the chain of custody
- Why computer crime is hard to prosecute:
  - Lack of understanding
  - Lack of physical evidence
  - Lack of political impact
  - Complexity of cases
  - Juvenile offenders