
Electronic Evidence Admissibility


Presentation Transcript


    1. Electronic Evidence Admissibility. Carmen R. Cintrón Ferrer, 2006, All Rights Reserved

    2. Agenda
       - Problem
       - Definitions
       - Legal environment
       - Best Evidence Rule
       - Chain of Custody and Protection of Originals
       - Compliance with Constitutional Rights
       - Suggested procedure
       - Comments

    3. Problem

    4. Stated Problem: Implications

    5. Stated Problem: Questions to be answered

    6. Definitions
       - Electronic Evidence
       - Hearsay
       - Best Evidence Rule
       - Authentication
       - Chain of Custody
       - Computer Forensics Science

    7. Incident Response and Computer Forensics & Cyber Forensics Definitions
       Evidence: Any information of probative value that helps prove something relative to the case under investigation.

    8. Incident Response and Computer Forensics & Cyber Forensics Definitions
       Hearsay: When a computer record contains the assertions of a person, whether or not processed by a computer, the record can contain hearsay. An exception to the hearsay rule is the business record exception. When a computer record contains computer-generated data untouched by human hands, the record cannot contain hearsay.

    9. Incident Response and Computer Forensics & Cyber Forensics Definitions
       Best Evidence Rule: Absent some exceptions, requires that the original of a writing or recording be admitted in court to prove its contents. If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an original (FRE 1001(3)). A duplicate is admissible to the same extent as an original unless (1) a genuine question is raised as to the authenticity of the original or (2) in the circumstances it would be unfair to admit the duplicate in lieu of the original (FRE 1003).

    10. Incident Response and Computer Forensics & Cyber Forensics Definitions
        Authentication: Whoever collected the evidence should testify during examination that the information is what the proponent claims (FRE 901(a)): testimony by a witness who has personal knowledge as to the origins of that piece of evidence. The applicable standard is the same as for other records.

    11. Incident Response and Computer Forensics & Cyber Forensics Definitions
        Chain of Custody: Requires that evidence is stored in a manner where it cannot be accessed by unauthorized personnel. The location of the evidence from the moment it was collected to its presentation at trial needs to be traced. A log should be kept for each evidentiary item.

    12. Incident Response and Computer Forensics & Cyber Forensics Definitions
        Computer forensics science: A common ground of rules, techniques and tools for collecting, examining, preserving, retrieving and presenting data that has been processed electronically and has been stored on computer media. It pertains to electronic or digital transactions or records. It produces direct information and data that may have significance in a case, rather than producing interpretative conclusions.

    13. Legal Environment
        Constitutional Rights:
        - Fourth Amendment: "The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched and the persons or things to be seized."
        - First Amendment: "Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof, or abridging the freedom of speech or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances."

    14. Legal Environment
        Search and Seizures (42 USC 2000aa): Warrant (exceptions on terrorism under the USA Patriot Act). Probable cause for:
        - Search and/or seize hardware?
        - Search and/or seize software?
        - Search and/or seize data?
        - Search and/or seize a network?
        Key questions:
        - Is it contraband, a tool for the offense, or incidental?
        - Where will the search be conducted?
        - How will the search be conducted?
        - Can evidence out of the scope of the warrant be used?

    15. Legal Environment
        Other applicable legislation:
        - Federal Criminal Code (18 USC 2703): warrant, subpoena, court order
        - Electronic Communications Privacy Act (ECPA)
        - USA Patriot Act (2001)
        - Communications Assistance for Law Enforcement Act (CALEA), under scrutiny of Congress

    16. Best Practices for Seizing Electronic Evidence (US Secret Service)
        - Determine the type of search
        - Determine what to search
        - Determine where to search
        - Assure a valid warrant
        - Use appropriate collection techniques so the evidence is not destroyed or altered
        - Employ trained personnel for the forensic examination

    17. Best Practices for Seizing Electronic Evidence (US Secret Service)
        Conduct the search and seizure:
        - Secure the scene: officer safety; preserve the area; restrict access to the computer(s) and isolate them from phone lines or connections to the ISP
        - Secure computer evidence: photograph the scene and screen(s); unplug and label; place evidence tape; if transport is required, package components as fragile cargo; keep away from magnets, radio transmitters and similar environments
        - If it is necessary to access storage devices, all actions associated with the manipulation of the device should be noted in order to document the chain of custody and ensure its admission in court

    18. Cyber Forensics International Principles (International Organization on Computer Evidence)
        - Take actions not to change seized evidence.
        - Only a forensically competent professional should access original digital evidence, when necessary.
        - All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved and available for review.
        - An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.
        - Any agency that is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.

    19. Suggested Procedure
        - Request the warrant to determine the terms and scope of the search and of the seizure.
        - If the warrant is valid, request:
          - Presence while the scene is secured by agents
          - Equipment be digitally photographed in your presence
          - Equipment be turned on (if it is not on), and then:
            - Request that an image of each computer's fixed storage device, or of the computer files to be seized, be made in your presence
            - Request that an image of each removable storage device to be seized be made in your presence
            - Request that a preliminary forensic investigation be conducted in accordance with the search warrant, and request a copy of the results
        - Else, deny access to the equipment until legal counsel is present.

    20. Suggested Procedure: Recommended Forensic Practice
        - Document the procedure
        - Search equipment on site
        - Make a mirror image of the storage devices
        - Take the mirror image off-site
        - Restore the mirror image on another hard drive that has been wiped clean
        - Search for the files and data specified in the warrant:
          - Searching original devices can compromise the original evidence
          - An image is unreadable unless restored to another device
          - If evidence pertaining to other crimes is present, it might not be admissible if it is outside the scope of the warrant

    21. Comments

    22. References
        - Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Marcella & Greenfield, Auerbach Publications, 2002
        - Incident Response & Computer Forensics, Mandia, Prosise & Pepe, 2nd Edition, McGraw-Hill/Osborne, 2003
        - United States Constitution, Yahoo version
        - Good Practice Guide for Computer Based Electronic Evidence, National High Tech Crime Unit, Association of Police Officers, Wales
        - Computer Searches and Seizures: Some Unresolved Issues, Brenner & Frederiksen, Michigan Telecomm Tech Law Review, 2002
        - Computer-Based Investigation and Discovery in Criminal Cases: A Guide for United States Magistrate Judges, Withers, National Workshop for Magistrate Judges II, Boston, Mass., 2003
        - Annotated Case Law on Electronic Discovery, Withers, 2005
        - Digital Evidence and the New Criminal Procedure, Orin S. Kerr, Columbia Law Review, Vol. 105:279

    23. References
        - Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Computer Crime and Intellectual Property Section, Criminal Division, US Dept of Justice, 2002
        - Ensuring the Admissibility of Electronic Forensic Evidence and Enhancing Its Probative Value at Trial, Galves & Galves, American Bar Association Criminal Justice Magazine, Vol. 19 #1, 2004
        - Suppressing Evidence Gained by Government Surveillance of Computers, James Adams, American Bar Association Criminal Justice Magazine, Spring 2004, Vol. 19 #1
        - Computer Records and the Federal Rules of Evidence, Orin S. Kerr, USA Bulletin, US Dept of Justice, March 2001
        - Federal Guidelines for Searching and Seizing Computers, US Dept of Justice, 1994
        - United States Secret Service, Best Practices for Seizing Electronic Evidence, www.secretservice.gov
        - Communications Assistance for Law Enforcement Act (CALEA), Agent Michael P. Clifford, US Dept of Justice, CCIPS page, April 2005

    24. Appendix: Evidence Handling Procedures
        - Record information about the computer system before examining the contents of its hard drive.
        - Take digital photos of the original system and media before they are duplicated.
        - Fill in an evidence tag for all media to be duplicated, examined and preserved as evidence.
        - Store the best evidence copy in the evidence safe.
        - Maintain an evidence log for each piece of best evidence under an evidence custodian.
        - Perform all examinations on a forensic copy of the best evidence (the working copy).
        - Create backup copies of the best evidence.
        - Comply with the evidence disposition dates defined by the principal investigator.
        - Audit all evidence in custody monthly to ascertain that all best evidence is present, properly stored and labeled.
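A worked illustration of the evidence-handling appendix above (evidence tag, custodian, per-item evidence log, working copy, monthly audit), added here as example code that is not part of the presentation. The SHA-256 comparison it uses to confirm that a working copy or stored item still reflects the best evidence is an assumption of this example, not a step named on the slides, and every item value is constructed.

```python
# Added example, not from the slides. Hash verification is an assumption here.
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class EvidenceItem:
    tag: str                      # evidence tag filled in when the media is collected
    description: str
    best_evidence: bytes          # preserved best evidence copy (constructed sample data)
    custodian: str                # evidence custodian currently responsible for the item
    label_ok: bool = True         # label present and legible (checked at audit)
    log: list = field(default_factory=list)   # per-item evidence log
    digest: str = field(init=False)

    def __post_init__(self):
        self.digest = hashlib.sha256(self.best_evidence).hexdigest()
        self.record("collected", self.custodian, f"sha256={self.digest}")

    def record(self, action, actor, note=""):
        # Every access, transfer or examination is logged (slides 11 and 18)
        self.log.append((datetime.now(timezone.utc).isoformat(), action, actor, note))

    def transfer(self, new_custodian):
        # Custody changes are part of the traced chain of custody
        self.record("transfer", self.custodian, f"to {new_custodian}")
        self.custodian = new_custodian

    def working_copy(self, examiner):
        # Examinations run on a forensic copy, never on the best evidence itself
        copy = bytes(self.best_evidence)
        self.record("working copy made", examiner)
        return copy

    def verify(self, data):
        # True only if the data still matches the digest recorded at collection
        return hashlib.sha256(data).hexdigest() == self.digest

def audit(items, safe_contents):
    """Monthly audit: each item present in the safe, unaltered and labeled."""
    problems = []
    for item in items:
        stored = safe_contents.get(item.tag)
        if stored is None:
            problems.append(f"{item.tag}: missing from evidence safe")
        elif not item.verify(stored):
            problems.append(f"{item.tag}: stored copy does not match recorded hash")
        if not item.label_ok:
            problems.append(f"{item.tag}: label missing or illegible")
    return problems
```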

    25. Appendix: Evidence System Description
        - Record information on individuals who: occupy the office or room where the original evidence is found; have access to the office or room where the original evidence is found; actually use the system.
        - Record information on the computer: location in the room or office; state (power on/off); data on screen; time/date from the system BIOS; network/modem connections; serial number, model and make of the computer, drives and components; peripherals attached.
        - Digital photos: protect the investigator(s) from claims of damage to property; allow the system to be returned to its exact state prior to forensic duplication; capture the current configuration.
