Applicable Laws and Statutes Computer Forensics BACS 371
Dec 24, 2015
Outline
Basic Categories of Computer Crime
Constitutional Amendments
Relevant Laws & Statutes
  Pen/Trap Statute
  Federal Wiretap Act
  Electronic Communications Privacy Act (ECPA)
  Privacy Protection Act
  Foreign Intelligence Surveillance Act (FISA)
  Computer Fraud & Abuse Act (CFAA)
  U.S. Patriot Act
Categories of Computer Crime [1]
A computer can be the object of a crime
A computer can be the subject of a crime
The computer can be used as the tool for conducting or planning a crime
  Includes… compromising a computer and using that computer as a source for further attacks
The symbol of the computer itself can be used to intimidate or deceive
The most significant omission, according to Casey, is computers as sources of digital evidence
[1] From Donn Parker, as described in Eoghan Casey, Digital Evidence and Computer Crime
USDOJ Categories [1]
1. Hardware as Contraband or Fruits of a Crime
2. Hardware as an Instrumentality
3. Hardware as Evidence
4. Information as Contraband or Fruits of a Crime
5. Information as an Instrumentality
6. Information as Evidence
[1] US Dept of Justice, Search and Seizure Guidelines Document
Categories of Computer Crime
Computers as targets
Computers as storage devices
Computers as communication tools
Same ole stuff, but computers are involved!!
Computers as Targets
Viruses and worms
Trojan Horses
Theft of Data
Software Piracy
Trafficking in stolen goods
Defacing Corporate web sites
Computers as Means (tool)
Embezzlement
Stalking
Gambling
Pornography
Counterfeiting
Forgery
Theft
Identity theft
Phishing
Pyramid schemes
Chain letters
Computers as Storage
Drug trafficking
Book making
Burglary
Homicide
Child pornography
Web Related Crime
Cyber-squatting
Internet gambling
Cyber stalking and harassment
Child pornography
Drug dealing
Cyber terrorism
Cyberplanning
The Key Point…
The main point is that computers can be used in a wide variety of criminal activities.
Since a “crime” requires an existing statute, that places a heavy burden on law makers.
More often than not, the law lags behind the crimes that are in progress.
The remainder of this slide set talks about the legal “weapons” against cyber crime.
Constitutional Amendments
There are several Constitutional Amendments that are directly related to computer forensics.
The most important one is the 4th Amendment.
It protects people from “unreasonable” searches by government agents without probable cause.
Apart from a set of “exceptions”, this right cannot be infringed.
It is important for you to understand it because failure to follow it can render evidence inadmissible.
Constitutional Amendments
Other important Amendments to the forensic analyst are the 1st, 5th, and 14th.
The 1st Amendment guarantees the right to freedom of speech and religion. Privileged information and what constitutes the “press” are the links to forensics.
The 5th relates to self-incrimination and guarantees “due process of the law” (which links to forensics).
The 14th came about after the Civil War and also supports the notion of “due process of the law.”
Laws and Statutes
As criminals devise new ways to use computers for crime, the justice system attempts to keep up by making new laws.
These laws are written to stop past criminal activity.
As technology progresses, the laws have to be re-written and amended.
The following are the major laws and statutes used to fight cyber crime.
Pen/Trap Statute
Governs the collection of non-content traffic data, such as numbers dialed by a particular phone.
Section 216 updates the statute in three ways:
1. Law enforcement may use pen/trap orders to trace communications on the Internet and other networks
2. Pen/trap orders issued by federal courts have nationwide effect
3. Law enforcement must file a special report when they use a pen/trap order to install their own monitoring device on computers belonging to a public provider
Title III of the Omnibus Crime Control and Safe Streets Act of 1968
aka “Federal Wiretap Act”
18 USC §§ 2510-2522
Covers illegal interception of voice and e-communications in real-time as they traverse networks.
Protects against unauthorized interception of communication
Delineates specific requirements for wiretapping:
  Requires probable cause
  Requires court approval
  Requires that alternative avenues be exhausted
  “Innocent” conversations must be excluded
  Requires disclosure of surveillance upon conclusion of investigation
Electronic Communications Privacy Act of 1986
The ECPA (18 USC §§ 2701 – 2712) deals primarily with stored computer files that have been transmitted over a network.
3 main categories are covered:
1. Communications (e-mail, voicemail, other files)
2. Transactional data (logs of who called who)
3. Subscriber/session information
Basically, it amended Title III of the Wiretap Act to extend to different types of electronic communications (including e-mail).
Electronic Communications Privacy Act of 1986
Title I
  Statutory procedures for intercepting wire, oral, and electronic communications
  Extended to digital communications and non-common carrier communications
Title II – Stored Communications Act
  Protects communications not in transmission which have been stored in some way
Title III
  Provides for law enforcement monitoring of electronic communications
Requirements Under Title III
Must be authorized by Federal District Court Judge
Must demonstrate probable cause – with specifics
Must identify previous attempts at evidence collection and indicate why unsuccessful
Generally limited to 30 days
Progress reports must be issued every 7-10 days
Surveillance must be terminated when objective is met
Subjects must be notified when surveillance terminated
Service providers must cooperate with authorities possessing a valid court order
After surveillance, subject must be given an inventory of what was catalogued.
Any party to an illegal interception may be charged with a Federal offense punishable by 5 years in prison and/or fine
ECPA Information Categories
Basic Subscriber Information
  Name, address, telephone connection records, length of service, subscriber identity, means and sources of payment
Records Pertaining to a Subscriber
  Account logs, cell site data, e-mail addresses, …
Contents
  Actual files stored in the account
  “Electronic Storage” contents for ECS providers
  Contents stored by RCS providers
  Contents held by neither
(Slide arrow: less difficult to acquire at the top, more difficult to acquire at the bottom)
ECPA Mechanisms for Government Entity to Compel Disclosure
Subpoena
  Basic Subscriber information
Subpoena without Prior Notice
  Opened e-mail
Court Order
  Account logs and transactional records
Court Order without Prior Notice
  Everything in an account except for unopened e-mail
Search Warrant
  Full contents of account
  No notice to subscriber required
(Slide arrow: less difficult to acquire at the top, more difficult to acquire at the bottom)
Privacy Protection Act of 1980
PPA (42 USC § 2000)
Unlawful for local, state, or Federal law enforcement authorities to search or seize those materials which may be publishable
Expands the 1968 Wiretap Act to include electronic bulletin boards
Protects
  “work product” including impressions, conclusions, opinions, or theories
  “documentary materials” including mechanically, magnetically, or electronically recorded cards, tapes or discs
Privacy Protection Act of 1980
Matters when search may result in seizure of 1st Amendment materials (publishing, …)
“Congress probably intended the PPA to apply only when law enforcement intentionally targeted First Amendment material that related to a crime.”
Incidental seizure of PPA-protected material commingled on a suspect’s computer with evidence of a crime does not give rise to PPA liability.
However, subsequent search of such material was mostly forbidden
Foreign Intelligence Surveillance Act (FISA) of 1978
Regulates wiretaps in national security cases
Broader than Title III
  Allows more invasive searches
  Lower probable-cause threshold
Differences
  No requirement to disclose content or existence of surveillance
  No protection for non-US citizens
  For citizens, probable cause of engagement in criminal activity is required
  For others, suspicion of criminal activity is not required
Computer Fraud and Abuse Act
Computer Fraud and Abuse Act (CFAA)
  First law to address computer crime in which the computer is the subject of the crime
  First law that does not have an analog to traditional crime
CFAA has been used to prosecute virus creators, hackers, information and identity thieves, and people who use computers to commit fraud
Computer Fraud and Abuse Act of 1986
Originally, very narrow in scope and not very effective
Makes it…
  A felony to knowingly access a computer without authorization, or in excess of authorization, in order to obtain classified United States defense or foreign relations information.
  A misdemeanor to knowingly access a computer without authorization, or in excess of authorization, in order to obtain information contained in a financial record of a financial institution or in a consumer file of a consumer reporting agency.
  A misdemeanor to knowingly access a computer without authorization, or in excess of authorization, in order to use, modify, destroy, or disclose information in, or prevent authorized use of, a computer operated on behalf of the United States if such conduct would affect the government’s use of the computer.
The Act also made it a crime to attempt to or conspire to commit any of the three acts defined above.
Computer Fraud and Abuse Act of 1986 - Revised
Original Act was modified to include:
  Federal Interest Computer – expanded to include any computer which is used in interstate or foreign commerce or communications
  Expanded criminal intent from “knowingly” to “intentionally”
  Made it a misdemeanor to gain unauthorized access to
    financial information from any financial institution or credit reporting agency,
    any information in the possession of the government,
    any private information where the defendant’s conduct involved interstate or foreign commerce
  A felony if the activity involved an expectation of gain or if the offense was in the furtherance of another crime
Current Act protects computers involved in Interstate commerce or communication, Federal Interest, Government computers
Illegal actions included theft, destruction, or corruption of sensitive information
Computer Fraud and Abuse Act of 1986 – Further Amendments
1988
  Protections expanded to include all FDIC-insured institutions
1990
  Expanding protections to foreign banks
1994
  Developed three levels of intent
    Intentional – did it on purpose
    Reckless – should have known better
    Negligent – you were careless, but didn’t mean to
Incorporated provisions for Denial of Service (DoS) attacks and potential harm to systems or components
Key Terms in the CFAA
Key Terms / This Term Means . . .
Protected computer
  A protected computer means a computer that:
    Is used by a financial institution
    Is used by the U.S. government
    Affects domestic, interstate commerce
    Affects foreign commerce
Authorized access
  Two categories of unauthorized access:
    Without authorization
    Exceeding authorized access
Damage
  Damage is defined as any impairment to the integrity or availability of data
Key Terms in the CFAA (Cont.)
Key Terms / This Term Means . . .
Loss
  Any reasonable cost to any victim, including:
    Responding to an offense
    Conducting a damage assessment
    Restoring the data, program, etc.
    Lost revenue or other damages
Conduct
  Determines if the damage done was:
    Intentional conduct
    Reckless conduct
    Negligent
USA PATRIOT Act [1]
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
Greatly broadened FBI’s authority to gather electronic evidence
Allows:
  Intercept voice communications in computer hacking cases
  Trace communications on the Internet
  Subpoena for cable company records
  Intercept communications of computer trespassers
  ISPs can disclose content and non-content information in emergency situations
  Nationwide search warrants for e-mail
  “Sneak & Peek” – Permits investigator to delay notification of “search”
  Establishment of Regional Computer Forensic laboratories
[1] http://www.usdoj.gov/criminal/cybercrime/PatriotAct.htm