Post on 18-Dec-2015


Legal Issues

Computer Forensics

COEN 252

Drama in Soviet Court. Post-Stalin (1955). Painted by Solodovnikov. Oil on Canvas, 110 x 130 cm.

Issues of Evidence

Information is admissible in court if:

• It is relevant

• Its probative value outweighs its prejudicial effect.

Issues of Evidence

• Foundation

– Context for information

• Hearsay

– Not admissible, with exceptions

• Chain of Custody

– Establishes trustworthiness of evidence by preventing tampering

Stipulation: Agreement between parties or concession by one party in a judicial proceeding.

Exceptions to Hearsay

• Admissions

– Out-of-court statements contrary to penal or pecuniary interest, including those found on a computer.

• Business Records

– Made in the normal course of business.

– Relied on by the business.

– Made at or near the occurrence of the act the record purports to record.

– Offered through a competent witness, either the custodian of the record or another who can testify to those issues.

Computer-Generated Records

• Computer-generated records often fall under the business records exception.

• Courts might also start to make a distinction between computer-generated records and computer-stored records.

Computer-Generated Records

• Not a question of hearsay (is there better evidence available?)

• But a question of authenticity: is the generating program reliable?

Breach of Chain of Custody

• Not every breach makes the item inadmissible.

• Not necessary to have the best security against tampering.

• Government agents are assumed to be trustworthy.

• But

Chain of Custody

• Working on the original. A forensic examination that is done directly on the original disk drive will make it difficult to argue that the evidence could not have been tampered with. Much better to make a “true copy” and examine the true copy.

• Proof that it is a true copy.
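One common way to supply the proof that a working copy is a true copy is to hash the original as it is read and compare that digest with the digest of the copy. The following is an added example, not part of the original slides; the choice of SHA-256, the file names, the examiner field and the record layout are assumptions.

```python
import hashlib, os, tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB blocks, so large images never have to fit in memory

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def image_and_verify(source, dest, examiner):
    """Copy source to dest, hashing the data as read, then re-hash the copy from disk.
    Assumption: in practice `source` is a device opened behind a write blocker."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(dest, "wb") as dst:  # source is read-only
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    record = {  # hypothetical custody-log entry layout
        "source": source, "copy": dest, "examiner": examiner,
        "utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source_sha256": h.hexdigest(),
        "copy_sha256": sha256_file(dest),
    }
    record["true_copy"] = record["source_sha256"] == record["copy_sha256"]
    return record

def still_matches(record):
    """Re-check the working copy later, e.g. before a report or testimony."""
    return sha256_file(record["copy"]) == record["source_sha256"]

def demo():
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "original.dd")
        dst = os.path.join(d, "working_copy.dd")
        with open(src, "wb") as f:                 # constructed sample "disk"
            f.write(b"constructed sample sectors " * 4096)
        rec = image_and_verify(src, dst, "examiner-placeholder")
        ok_before = still_matches(rec)
        with open(dst, "r+b") as f:                # one altered byte in the copy
            f.seek(100)
            f.write(b"X")
        return rec["true_copy"], ok_before, still_matches(rec)

if __name__ == "__main__":
    print(demo())
```

A single changed byte in the working copy makes the later check fail, which is what lets the recorded digest stand in for the claim that the examined copy still equals the original.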

Best Evidence Rule

• Copies are worse than originals, therefore they are not admissible unless the original has been destroyed.

• Does not apply to various computer outputs.

Acquisition of Evidence

• Distinction between government agents and private citizens.

• Illegal actions by private citizens can yield admissible evidence and lead to their punishment.

• If a sworn law officer violates an amendment, the gained evidence is usually suppressed, but the officer is protected by sovereign immunity.

Electronic Communications Privacy Act ("ECPA"), Title III

• Extends protection against wiretapping to communications between computers

• Know the exceptions

• Know the consequences of violating the title

Electronic Communications Privacy Act ("ECPA"), Title III

• A person acting under the color of law can intercept electronic communication where such a person is party to the communication or one of the parties to the communication has given prior consent to such interception.

Electronic Communications Privacy Act ("ECPA"), Title III

"A person not acting under color of law" is also allowed to intercept an "electronic communication" where "such person is a party to the communication, or one of the parties to the communication has given prior consent to such interception."

The consent can be implicit, e.g. by using a computer protected with login banners.

ECPA Title III Concerns

Title III also permits providers of a communication service, including an electronic communication service, the right to intercept communications as a "necessary incident to the rendition of his service" or to protect "the rights or property of the provider of that service."

ECPA Title III Concerns

Two exceptions to the last rule:

• If there is no actual damage, then the right to monitor does not exist.

• The government is not allowed to do the monitoring, but they can profit from monitoring.

Fourth Amendment

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Fourth Amendment

• Computer Storage = Closed Container such as a briefcase

• With Warrant

– Limits to warrant because of privilege or additional protection.

• Without Warrant

– Expectation of Privacy

Fourth Amendment

• No expectation of privacy

– Public display

– Material in someone else's hands

– Consent by co-owner or authorized person

• Exigent circumstances

• Plain view exception

• Lawful arrest

Very difficult and interesting case law.

Privacy Protection Act

• Protects publishers against government searches of material that is acquired for publication

• Reaction to the Daily Stanfordian case

• Internet publishing allows much private computer material to fall under the PPA protection

Electronic Communications Privacy Act

• Protects third-party data against law enforcement seizures

• E.g. internet provider.

Legally Privileged Documents

• Need to prevent ongoing investigation from using legally privileged documents.

• Medical records.

• Attorney-client communications.

• Priest-penitent communications.
