Recovering, Examining and Presenting Computer Forensic Evidence in Court. By malack Amenya.

Mar 27, 2015

Page 1

Recovering, Examining and Presenting Computer Forensic Evidence in Court

By malack Amenya

Page 2

Introduction

A technological revolution in communications and information exchange has taken place within business, industry, and our homes.

In this information technology age, the needs of law enforcement are changing as well.

Page 3

Computer Forensic Science

Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media.

Page 4

Computer forensic science was created to address the specific and articulated needs of law enforcement to make the most of this new form of electronic evidence.

With the average storage capacity in a personally owned microcomputer approaching 30 gigabytes

Page 5

and systems readily available that have 60-GB storage capacity or more, it is likely to be impossible from a practical standpoint to completely and exhaustively examine every file stored on a seized computer system.

Page 6

As difficult as it would be to scan a directory of every file on a computer system, it would be equally difficult for law enforcement personnel to read and assimilate the amount of information contained within the files.

For example, 12 GB of printed text data would create a stack of paper 24 stories high.

Page 7

Even though the examiner may have the legal right to search every file, time limitations and other judicial constraints may not permit it. The examination in most cases should be limited to only well-identified probative information.

Page 8

Recovering and Discovering Information

It is now black letter law that information generated and stored on computers and in other electronic forms is discoverable.

Page 9

How to collect relevant data, and how to assure that data collected can be authenticated and admitted as evidence.

Page 10

1. Send a preservation of evidence letter.

Because the information stored on computers changes, it is critical that you put all parties on notice that you will be seeking electronic evidence through discovery.

Page 11

2. Include definitions and instructions.

First, use a series of interrogatories to get an overview of the target computer system.

Second, all requests for production should make clear that you are requesting electronic documents as well as paper.

Finally, if necessary, include a request for inspection so you can examine the computer system first hand and retrieve any relevant data.

Page 12

3. Take a 30(b)(6)

This is the single best tool for finding out the types of electronic information that exist in your opponent's computer systems.

Follow the Checklist for System Discovery.

Page 13

4. Collect backup tapes

One of the most fertile sources of evidence is the routine backup created to protect data in case of disaster.

Page 14

5. Collect removable media.

Data selectively saved by users to diskettes or other portable media is another fertile, but often overlooked, source of evidence.

Page 15

6. Ask every witness about computer usage

In addition to the discovery directed at the computer system, every witness must be questioned about his or her computer use.

Palmtop devices and notebook computers are another good source of evidence.

Page 16

7. Make copies of residual data.

Residual data includes "deleted" files, fragments of deleted files, and other data that is still extant on the disk surface.

Page 17

8. Write-protect and virus check all media.

Now that you have obtained the data, you likely have a mix of image copies, backup tapes, diskettes, CDs, and other media.

Before doing anything else, you must maintain the integrity of the media you have received. The two key steps in doing this are write-protection and virus checking.

Page 18

9. Preserve the chain of custody

A chain of custody tracks evidence from its original source to what is offered as evidence in court.

A good benchmark is whether the software is used and relied on by law enforcement agencies.

Second, the copies made must be capable of independent verification. In short, your opponent and the court must be able to satisfy themselves that your copies are accurate.

Third, the copies created must be tamper proof.


Page 20

Examining Computer Evidence

The challenge to computer forensic science is to develop methods and techniques that provide valid and reliable results while protecting the real evidence—the information—from harm.

Page 21

Examining Computer Evidence

Creating the copy and ensuring that it is true and accurate involves a subset of the principle, that is, policy and practice.

Each agency and examiner must make a decision as to how to implement this principle on a case-by-case basis.

Page 22

Authentication of Digital Evidence

Authentication is the process by which the reliability of evidence is established.

The party leading the evidence in court must show that it has not been altered since it was collected and that the location, date, and time of collection can be proven.

That is accomplished using standardized evidence-handling procedures and chain-of-custody records and relies primarily on physical security measures.
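The requirements in item 9 (copies that can be independently verified and are tamper proof) and on this slide (showing the evidence was not altered since collection, and where and when it was collected) can be met by hashing the acquired image and logging every hand-off against that hash. The following Python is an added example, not code from the slides; the examiner names, locations, timestamps and image bytes are constructed.

```python
# Added illustration, not code from the slides; names, times and image bytes are constructed.
import hashlib
from dataclasses import dataclass, field
from typing import List

def image_hash(data: bytes) -> str:
    """SHA-256 of an acquired image; any party can recompute it from a copy."""
    return hashlib.sha256(data).hexdigest()

@dataclass
class CustodyEvent:
    action: str      # "acquired", "transferred", ...
    custodian: str   # who holds the evidence after this event
    location: str
    timestamp: str   # as written on the evidence log (ISO 8601 here)
    digest: str      # hash of the evidence at the time of the event

@dataclass
class EvidenceItem:
    item_id: str
    custody: List[CustodyEvent] = field(default_factory=list)

    def acquire(self, data: bytes, custodian: str, location: str, when: str) -> str:
        """Record the acquisition hash; every later check compares against it."""
        digest = image_hash(data)
        self.custody.append(CustodyEvent("acquired", custodian, location, when, digest))
        return digest

    def transfer(self, data: bytes, custodian: str, location: str, when: str) -> bool:
        """Re-hash at each hand-off; the event is logged either way, a mismatch returns False."""
        digest = image_hash(data)
        self.custody.append(CustodyEvent("transferred", custodian, location, when, digest))
        return digest == self.custody[0].digest

    def verify_copy(self, copy: bytes) -> bool:
        """Independent verification: a copy is accurate only if its hash equals the acquisition hash."""
        return image_hash(copy) == self.custody[0].digest

    def chain_intact(self) -> bool:
        """True when the hash never changed across the whole custody chain."""
        return all(e.digest == self.custody[0].digest for e in self.custody)

# Constructed stand-in for a disk image; a real one would be read from the image file.
ORIGINAL_IMAGE = b"MBR\x00" + bytes(range(256)) * 4 + b"notes.txt: meeting with supplier"

def demo() -> dict:
    item = EvidenceItem("ITEM-001")
    item.acquire(ORIGINAL_IMAGE, "examiner A", "lab 1", "2015-03-27T09:00:00Z")
    good_copy = bytes(ORIGINAL_IMAGE)          # exact duplicate of the image
    bad_copy = bytearray(ORIGINAL_IMAGE)
    bad_copy[10] ^= 0x01                       # a single flipped bit
    transfer_ok = item.transfer(good_copy, "clerk B", "evidence room", "2015-03-27T12:00:00Z")
    result = {
        "good_copy_verified": item.verify_copy(good_copy),
        "tampered_copy_verified": item.verify_copy(bytes(bad_copy)),
        "chain_intact_before": item.chain_intact() and transfer_ok,
    }
    # A later hand-off of the altered copy is still recorded, and it breaks the chain.
    item.transfer(bytes(bad_copy), "analyst C", "lab 2", "2015-03-28T08:00:00Z")
    result["chain_intact_after_tamper"] = item.chain_intact()
    return result
```

The custody list is what an opponent or the court would inspect: each entry names the custodian, place and time, and the recomputed hash shows whether the evidence changed hands unaltered.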

Page 23

Information-Assurance Services

The Information Assurance Technical Framework (National Security Agency 2002) captures information-assurance guidance reflecting the state of practice in the U.S. Department of Defense, federal government, and industry information-assurance community.

Page 24

It describes five primary security services relevant to information and information processing systems: access control, confidentiality, integrity, availability, and non-repudiation.

Page 25

Daubert Compliance

The Daubert ruling (Daubert 1993) requires the trial judge to make an assessment of whether a methodology or technique invoked by expert testimony is scientifically valid and whether the methodology can be applied to the facts in issue.

Page 26

The ruling provides the following five example considerations to aid the judge in making that assessment:

- Whether the technique can be and has been tested
- Whether the technique has been subjected to peer review and publication
- Known or potential rate of error
- Existence and maintenance of standards controlling the technique
- General acceptance in the relevant scientific community

Page 27

Presenting evidence in court

When collecting computer data for evidentiary purposes, a party has a duty to "utilize the method which would yield the most complete and accurate results." Gates Rubber Co. v. Bando Chemical Indus. Ltd., 167 F.R.D. 90, 112 (D. Colo. 1996).

In Gates, the court criticized the plaintiff for failing to make image copies and for failing to properly preserve undeleted files.

Page 28

Zubulake V (July 20, 2004)

The contents of the backup tapes restored by UBS demonstrated that certain UBS employees had deleted email after being advised of their duty to preserve the evidence. Since Zubulake could now show that the destruction was willful and it was likely the destroyed emails would have been beneficial to her case, the Court granted an adverse inference jury instruction.

Additionally, since it took UBS almost two years to produce the relevant and requested emails from the backup tapes, it was ordered to pay Zubulake's costs related to re-deposing any relevant witnesses. Even though the Court acknowledged that UBS's attorneys generally fulfilled their duty to communicate with their client on its duty to preserve and produce data, it noted certain key shortcomings, one of which was the attorneys' failure to communicate with the client's information technology personnel.

In a postscript to this July 2004 opinion, Judge Scheindlin discusses how rapidly the body of case law on discovery of electronic information has evolved in the little over two years that this case has been pending. "All parties and their counsel are fully on notice of their responsibility to preserve and produce electronically stored information."

Page 29

See more sample cases at http://www.geocities.com/nyaurakisii/amenya

Page 30

Conclusion

Challenges of Computer Forensics:
- being able to demonstrate the authenticity of the evidence
- integrity and security of data are also an issue in my courts
- acceptance of computer technology (judges, jury etc.)
- establishing the chain of custody

Why computer crime is hard to prosecute:
- lack of understanding
- lack of physical evidence
- lack of political impact
- complexity of cases
- juvenile offenders

Page 31

The end