Basic Law Terms and Concepts

Computer ForensicsBACS 371

Introduction

The legal system in the United States has a long history.

It is based on Old English Common Law, but has evolved into a uniquely complex system.

This system has many terms and concepts that require explanation to ensure that computer forensic professionals do not make mistakes that jeopardize cases.

2

3

Definition of Crime

A crime is an offensive act against society that violates a law and is punishable by the government.

Two important principles in this definition:1. The act must violate at least one current

criminal law.2. It is the government (not the victim) that

punishes the violator. Given this, until a law exists addressing

an action, there is no “crime” in doing it.

Criminal Statutes

Criminal laws are defined in rules called “criminal statutes.”

All criminal statutes define crimes in terms of what are known as the “elements” of the offense. These include:1. Required acts2. A required state of mind (“intent”)

The prosecutor tries to persuade the judge and/or jury that the person charged with the crime (the “defendant”):1. Did the acts2. Had the intent described in the statute

4

5

Cybercrime Statutes and Acts Generally, laws and statutes lag behind

the “latest trends” in cyber crime. Given that an act isn’t a crime until a law

exists, this means that many cyber exploits are allowed to happen at least once free of punishment.

Once a law exists, it is still a challenge for the statute to keep up with new cyber crime trends and abuses.

6

Crime Categories and Sentencing Crimes are divided into two broad categories:

Felonies—serious crimes punishable by fine and more than one year in prison.

Misdemeanors—lesser crimes punishable by fine and less than one year in prison.

Sentencing guidelines give directions for sentencing defendants to ensure consistency. Tougher sentencing guidelines for computer crimes

came into effect in 2003. Since then these have been tested and fine-tuned to a certain extent.

Now, certain types of computer crime can result in a life sentence.

7

Cyber Crime Categories

The terms computer crime, cyber crime, information crime, and high-tech crime are generally used interchangeably.

Two categories of offenses that involve computers: Computer as instrument—computer is used to

commit the crime. Computer as target—computer or its data is the

target of the crime. In some cases, the computer can be both the

target and the instrument.

Investigation Types

There are 3 different types of investigations:1. Internal Investigation – generally kept secret

(initially)2. Civil Investigation – between individuals3. Criminal Investigation – between government

and individual Investigations have multiple stakeholders.

Court-based cases have:1. Plaintiff – entity that brings the charges2. Defendant – entity that is charged3. Lawyers (usually) & Judges

8

9

Civil vs. Criminal Charges

There are 2 major categories of criminal charges: civil and criminal. Each has it’s own system of courts and procedures.

Civil charges are brought by a person or company Parties must show proof they are entitled to evidence.

Criminal charges can be brought only by the government Law enforcement agencies have authority to seize

evidence. Penalties are generally more severe and can include

loss of liberty and/or life.

10

Comparing Criminal and Civil Laws

Characteristics Criminal Law Civil Law

Objective To protect society’s interests by defining offenses against the public

To allow an injured private party to bring a lawsuit for the injury

Purpose To deter crime and punish criminals

To deter injuries and compensate the injured party

Wrongful act Violates a statute Causes harm to an individual, group of people, or legal entity

Who brings charges against an offender

A local, state, or federal government body

A private party—a person, company, or group of people

(Continued)

11

Criminal and Civil Laws (Cont.)

Characteristics Criminal Law Civil Law

Deals with Criminal violations Noncriminal injuries

Authority to search for and seize evidence

More immediate; law agencies have power to seize information and issue subpoenas or search warrants

Parties need to show proof that they are entitled to evidence

Burden of proof Beyond a reasonable doubt

Preponderance of the evidence

Principal types of penalties or punishment

Capital punishment, fines, or imprisonment

Monetary damages paid to victims or some equitable relief

12

Evidence Basics

Evidence is proof of a fact about what did or did not happen.

To be legally admissible, evidence must be reliable and relevant.

At a minimum, to be admissible, evidence requires legal search and seizure along with a valid chain of custody.

Three types of evidence can be used in legal proceedings:1. Testimony of a witness – based on your 5

senses 2. Physical evidence – anything tangible3. Electronic evidence – (e-evidence) digital

evidence which, by its nature, is intangible

13

Evidence Basics

Testimony of a witness is traditionally considered the “best” form of evidence (even though there are documented problems with this type of evidence).

Physical and electronic evidence are “circumstantial” evidence.

Circumstantial evidence is not a direct statement from an eyewitness or participant. It can be admissible and can be quite strong. Many cases are decided strictly based on this type of evidence.

All e-evidence is, by its nature, circumstantial evidence.

Both cyber crimes and traditional crimes can leave cybertrails of evidence.

Evidence vs. Testimony

Arguments by attorneys, comments by judges, and witnesses’ answers to questions are not evidence.

Maps, models, simulations, or other materials used to demonstrate and explain matters also are not evidence.

Each of these are testimony which, based on the ruling of a judge, may be allowed as evidence.

It is a subtle, but important distinction.14

Use of Evidence

As stated previously, testimony is not automatically evidence, but may be admissible and allowed as evidence.

The job of the lawyer is to put evidence together into a crime hypothesis that makes sense to the judge and/or jury.

Evidence that: Supports hypothesis = inculpatory Contradicts hypothesis = exculpatory

15

Forensic Use of E-Evidence

Federal rules of evidence state that accurate copies of electronic data are “originals.”

What this means to forensic investigators is that an exact copy of electronic evidence can be analyzed and processed as if it were the original copy.

This is important because it means that the “best evidence rule” can be applied to e-evidence.

Without this exception, analyst would be required to bring the physical computer into the courtroom to admit something as simple as an email into evidence.

16

Evidence Terms & Concepts

Admissible evidence - evidence allowed to be presented at trial. Must be authenticated.

Inadmissible evidence - evidence that cannot be presented at trial.

Material evidence - evidence relevant and significant to the legal action.

Immaterial evidence - evidence that is not relevant or significant to the legal action.

17

Evidence Terms & Concepts

Inculpatory evidence - evidence that supports a given theory.

Exculpatory evidence - evidence that contradicts a given theory.

Tainted evidence - evidence obtained from illegal search or seizure.

Artifact evidence – evidence modified or added to a crime scene that causes the investigator to incorrectly think that it relates to the crime.

18

Evidence Terms & Concepts

Circumstantial evidence - evidence that is not a direct statement from an eyewitness or participant.

Documentary evidence - physical or electronic evidence (which makes it circumstantial also).

Hearsay evidence - secondhand evidence. Generally inadmissible.

Expert testimony - is generally admissible. It is an exception to the hearsay rule.

19

Evidence Terms & Concepts

E-evidence - generic term for any electronic evidence. E-evidence is another exception to the hearsay rule.

Rules of Evidence - published rules by which the courts to determine what evidence is admissible.

Best Evidence Rule - “[i]f data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original.’”

20

Discovery

Discovery is the process whereby each party has a right to learn about the others evidence. This is where it is determined if evidence is relevant.

All evidence must be disclosed in advance. Evidence not disclosed in advance may be

deemed inadmissible. Includes information that must be provided

by each party if requested. There are many methods of discovery.

21

22

Discovery Methods

Interrogatories Written answers made under oath to written

questions Requests for admissions

Intended to ascertain the authenticity of a document or the truth of an assertion

Requests for production Involves the inspection of documents and property

Depositions Out-of-court testimony made under oath by the

opposing party or other witnesses

23

Electronic Discovery (E-Discovery) Zubulake v. USB Warburg (2003) - Landmark case

involving e-discovery. Based on this case, courts recognized five categories

of stored data which could be used for e-discovery.1. Active, online data2. Near-line data3. Offline storage/archives4. Backup tapes5. Erased, fragmented, or damaged data

The result was an increased demand for e-discovery based on this (and related) rulings.

E-Discovery

Companies are required to take steps to preserve e-evidence even before being told to do so.

When ordered to do so, companies are required to turn over requested e-records in readable format by a specified date.

Courts generally view the failure to respond to e-discovery as an attempt to hide guilt.

Destruction of e-evidence is called “spoliation” and is considered “obstruction of justice.”

Regardless of how expensive it is, companies must comply with discovery requests and produce requested records.

24

25

Summary

A crime an offense that violates an existing law. Criminal laws are defined by criminal statutes and

are punishable according to sentencing guidelines. Crimes are divided into two categories: felonies

and misdemeanors. There are two categories of criminal charges: civil

and criminal. Evidence is proof of a fact about what did or did

not happen. For evidence to be used in a trial, it must be

material and admissible.

26

Summary (Cont.)

E-evidence is circumstantial by definition. E-evidence is considered as an original copy

if it is collected properly. Evidence that supports a hypothesis is

inculpatory and evidence that contradicts a hypothesis is exculpatory.

The forensic analyst is objective and collects both types of evidence.

e-discovery the process of disclosing electronic evidence prior to trial.