The Digital Evidence in the Information Era
Introduction
Evidence is the foundation of any criminal case, including those involving cybercrime. The way evidence is searched for, examined, collected and preserved may differ from one law enforcement officer to another, but these procedures are governed by laws and regulations that must be followed. Errors in gathering, handling or presenting evidence can have dire consequences at trial.

Evidence can be defined generally as "something that tends to establish or disprove a fact. It can include documents, testimony, and other objects". It is commonly classified into three categories:

- Real or physical evidence: tangible objects that can be seen and touched.
- Testimonial evidence: the testimony of a witness given at trial, based on personal observation or experience.
- Circumstantial evidence: facts or observations from which a conclusion may be inferred; they support the conclusion without directly proving it.

In criminal trials the prosecution has to prove every element of its case beyond a reasonable doubt. In civil trials, on the other hand, a party has the burden only of proving his or her affirmative contentions by a preponderance of the evidence. In recent years the problems of procuring evidence have been eased somewhat by the introduction of broader discovery (i.e., disclosure) rules. In civil cases, these rules compel each party to a suit to allow the other to have access to its witnesses and to certain types of evidence before the trial. In criminal cases, the judge has the discretionary power to order discovery; however, in any event, the prosecutor must release all exculpatory evidence on request.[1]
The rise of digital forensics and the digital evidence
As early as 1984, the FBI Laboratory and other law enforcement agencies began developing programs to examine computer evidence. To address the growing demands of investigators and prosecutors in a structured and programmatic manner, the FBI established the Computer Analysis and Response Team (CART). In 1991 the term "computer forensics" was coined at the first training session held by the International Association of Computer Investigative Specialists (IACIS) in Portland, Oregon. It is the science by which experts extract data from computer media in such a way that it may be used in a court of law; it applies law to a science, and since the science involved is computer science some refer to it as forensic computer science. Computer forensics has also been described as the autopsy of a computer hard disk drive, because specialized software tools and techniques are required to analyze, after the fact, the various levels at which computer data is stored. Since then it has become a familiar topic in technological circles and in the legal community. The broader term digital forensics is defined (in the 2001 Digital Forensic Research Workshop definition) as "the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations".

The domain of computer forensics involves collecting, preserving, seizing, analyzing and presenting computer-related evidence using secure, controlled methodologies and auditable procedures. Examinations cover computer media such as floppy disks, hard disk drives, backup tapes, CD-ROMs and any other media used to store data. The forensic specialist uses specialized software not normally available to the general public. The examination will uncover data that resides on a computer system, recover deleted, erased, encrypted or damaged file information, and recover passwords so that documents can be read. Any or all of the information found during the analysis may be used in both criminal and civil litigation. This evidence may therefore be visible, stored as ordinary files saved on disk, or latent (deleted directory entries, unallocated space, file slack), in which case software is required to locate it.
In computer-related crime cases, evidence is classified into three main categories according to the SWGDE/IOCE standards:

- Digital evidence: information of probative value stored or transmitted in digital form.
- Physical items: the media on which digital information is stored or through which it is transmitted.
- Data objects: information of probative value associated with physical items.
Admissibility of the digital evidence
Generally speaking, there are three requirements for evidence to be admissible in court: (a) authentication, (b) the best evidence rule, and (c) an applicable exception to the hearsay rule. Authentication means establishing that the evidence is what its proponent claims it is (for a copy, that it is a true copy of the original); the best evidence rule calls for presenting the original; and the allowable hearsay exceptions include confessions and business or official records. Authentication is the most commonly invoked requirement, but experts disagree over which element of it is most essential in practice: some say documentation (of what has been done), others preservation (the integrity of the original), and still others authenticity (the evidence being what you say it is). Good arguments can be made for the centrality of each, or all, as the standard in computer forensic law. In addition, U.S. courts require that the evidence be obtained legally, in accordance with the laws governing search and seizure, including both federal and state law. The Federal Rules of Evidence also set the threshold that digital evidence must meet. Rule 401 (quoted here in the wording that stood before the 2011 restyling) defines relevant evidence as evidence "having any tendency to make the existence of any fact that is of consequence to the determination of the action more probable or less probable than it would be without the evidence".

Rule 402 of the Federal Rules of Evidence states that "All relevant evidence is admissible, except as otherwise provided by the Constitution of the United States, by Act of Congress, by these rules, or by other rules prescribed by the Supreme Court pursuant to statutory authority. Evidence which is not relevant is not admissible."

Where these rules leave practical questions open, investigators should follow established procedural requirements. IACIS imposes the following on its members to ensure competent, professional forensic examinations:

- Forensically sterile examination media must be used.
- The examination must maintain the integrity of the original media.
- Printouts, copies of data and exhibits resulting from the examination must be properly marked, controlled and transmitted.
Searching and Seizing the Digital Evidence
The first step in searching for and seizing digital evidence is to know and understand well what will be searched and seized. Second, the investigators and law enforcement officers carrying out the search must have a warrant that covers the location and a description of the system. Third, once the digital evidence is located it must be seized properly.
A: Items that can be searched and/or seized
When speaking of searching or seizing computers, we do not usually refer to the central processing unit (CPU) alone; a computer is useless without the devices that allow input (e.g., the keyboard or the mouse) and output (e.g., a monitor or printer) of information. These devices are known as "peripherals", and they are an integral part of any "computer system". A peripheral is "[t]he input/output units and auxiliary storage units of a computer system, attached by cables to the central processing unit".[2]

Thus, searching and seizing digital evidence in computers will often refer to the hardware, software and data contained in the main unit. Printers, external modems (attached by cable to the main unit), monitors and other external attachments will be referred to collectively as "peripherals" and discussed individually where appropriate. When referring to both the computer and all attached peripherals as one package, we use the term "computer system". "Information" refers to all the information on a computer system, including both software applications and data.[3]

Software is the term used for all of the programs we use when we employ the computer for some task; it is usually delivered on one or more magnetic disks or CD-ROMs. There are two basic categories of software: system software, the programs that manage the operation of the computer, and application software, the programs that allow us to work on higher-level tasks. Either may be among the evidence searched for.
Hardware searches are not conceptually difficult. Like searching for weapons, the items sought are tangible: they occupy physical space and can be moved in familiar ways. Searches for data and software are far more complex. For purposes of clarity, these searches must be examined in two distinct groups: (1) searches where the information sought is on the computer at the search scene, and (2) searches where the information sought has been stored off-site and the computer at the search scene is used to access that off-site location.

In some cases the distinction is of little practical significance, for example when the computer is one node of a network. Although "property" was defined in Federal Rule of Criminal Procedure 41(h) to include "documents, books, papers and other tangible objects" (emphasis added), courts have held that intangible property such as information may be seized; the current version of the rule, 41(a)(2)(A), expressly adds "information" to that definition. In United States v. Villegas, 899 F.2d 1324, 1334-35 (2d Cir.), cert. denied, 498 U.S. 991 (1990), the Second Circuit noted that warrants had been upheld for intangible property such as telephone numbers called from a given phone line and recorded by a pen register, conversations overheard by means of a microphone touching a heating duct, the movement of property as tracked by location-monitoring beepers, and images seized with video cameras and telescopes. The court in Villegas upheld a warrant which authorized agents to search a cocaine factory and covertly take photographs without authorizing the seizure of any tangible objects.
When investigators are dealing with smaller networks, desktop PCs and workstations, any attempt to justify taking the whole system should be based on the following criteria. When an entire organization is pervasively involved in an ongoing criminal scheme, with little legitimate business (in non-essential services), and evidence of the crime is clearly present throughout the network, seizure of the entire system may be proper.

In small desktop situations, investigators should seize the whole system after requesting permission to do so in the affidavit. Investigators seizing whole systems should justify it by wording their affidavits so as to refer to the computer as a "system" whose configuration must be kept in its original state in order to preserve "best evidence". This can, and often does, include peripherals, components, manuals and software.

In addition, investigators should make every effort to lessen the inconvenience of an on-site search. Some estimates put manual data search and analysis at 1 megabyte for every hour of investigative work; on that basis, a 1-gigabyte hard drive could take up to 1000 hours to examine fully. The estimate assumes that each piece of data is decrypted, decoded, compiled, read, interpreted and printed out. Figures of this kind are dated, but the conclusion still holds: a full examination is rarely feasible at the scene, which is why the usual practice is to image the media and examine the copy off-site.
B: Having a search Warrant
As mentioned above, certain principles govern the search for and seizure of digital evidence. We present an overview of the U.S. Constitution and other federal law, as this helps in understanding the general theory governing the subject. The Fourth Amendment reads:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants[4] shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

The Fourth Amendment applies when a "search" and a "seizure" occur, typically in a criminal case, with a subsequent attempt to use judicially what was seized. Whether there was a search and seizure within the meaning of the Amendment, and whether a complainant's interests were constitutionally infringed, will often turn on consideration of his interest and whether it was officially abused. Its restrictions apply only to agents of the government, such as public employees, public officials and police officers. A private party cannot violate a suspect's Fourth Amendment rights, unless that party is acting at the direction of, or as an agent of, the government.

In order to search a specific location, a search warrant issued by a "judicial officer" or "magistrate" must be obtained. Warrants to search computers which contain privileged information must meet the same requirements as warrants to search for and seize paper documents under similar conditions; that is, the warrant should be narrowly drawn to include only the data pertinent to the investigation,[5] and that data should be described as specifically as possible. Since a broad search of computers used by confidential fiduciaries (e.g., attorneys or physicians) is likely to uncover personal information about individuals who are unconnected with the investigation, it is important to instruct any assisting forensic computer experts not to examine files about uninvolved third parties any more than absolutely necessary to locate and seize the information described in the warrant. A search warrant may normally authorize the seizure of: a) contraband; b) anything which is the fruit of, or has been used in the commission of, any crime; c) anything other than documents which may constitute evidence of any crime; d) documents which may constitute evidence of any crime…
C: Searching without a search Warrant
As already explained, a search conducted without a warrant is per se unreasonable. There are, however, some well-defined and well-delineated exceptions to that rule, established by the courts rather than by statute. They include:

(1) Consent Search

A consent search rests on the voluntary permission of the party being searched, or of the party in control of the place or thing searched. With that consent the officers may search even if they have no reason to believe that an offense has been committed. Consent must always be voluntary; if it is obtained under threat, duress or any form of intimidation it is considered involuntary.

Courts have held that the person giving consent must have the authority to do so. For example, an employer can usually consent to a search of a workplace computer it owns (subject to any expectation of privacy its own policies have created), parents can consent for their minor children, and spouses can consent for shared property; a landlord, on the other hand, cannot give consent to search a tenant's home. Courts normally consider both who gives the consent and its scope: consent from a co-user of a computer generally does not reach files or accounts that the other user has password-protected against that co-user.
(2) Exigent Circumstances[6]
The second situation where a search may be conducted without a warrant is the case of exigent circumstances. Under the "exigent circumstances" exception to the warrant requirement, agents can search without a warrant if the circumstances would cause a reasonable person to believe it necessary; when destruction of evidence is imminent, a warrantless seizure of that evidence is justified if there is probable cause to believe that the item seized constitutes evidence of criminal activity. If a target's screen is displaying evidence which agents reasonably believe to be in danger, the "exigent circumstances" doctrine would justify downloading the information before obtaining a warrant. For example, agents may know that the incriminating data is not actually stored on the suspect's machine, but is only temporarily online from a second network storage site in another building, city or district. Thus, even if the agents could secure the target's computer in front of them, someone could still electronically damage or destroy the data, either from the second computer where it is stored or from a third, unknown site. Of course, when agents know they must search and seize data from two or more computers on a wide-area network, they should, if possible, simultaneously execute separate search warrants.

Courts scrutinize claimed exigency closely; some have ruled that exigent circumstances did not exist if the law enforcement officers had time to obtain a warrant by telephone. United States v. Patino, 830 F.2d 1413, 1416 (7th Cir. 1987) (warrantless search not justified when officer had adequate opportunity to obtain telephone warrant during 30-minute wait for backup assistance; not permissible for agents to wait for exigency and then exploit it), cert. denied, 490 U.S. 1069 (1989).
(3) Plain-View search
Under this exception, a law enforcement officer is lawfully in a place from which he or she can observe the evidence in plain view. This typically happens when officers are searching for one particular item of evidence and come across a different one. To rely on the exception, the officer must be in a lawful position to observe the evidence, and its incriminating character must be immediately apparent. Applied to computers, courts have generally held that the exception does not by itself authorize opening files or browsing a drive beyond the scope of the warrant: a file's contents are not "in plain view" until they are actually displayed.
(4) Border Searches
Law enforcement officers may search computers without a warrant and without probable cause as a condition of crossing the border or its "functional equivalent", when determining the contents of international baggage and incoming international mail at the border. Border searches, or international mail searches, of diskettes, tapes, computer hard drives (such as laptops carried by international travelers) or other media fall under the same rules that apply to incoming persons, documents and international mail. This exception does not, however, apply to data transmitted electronically, or by other non-physical means, into the United States from other countries. Note that this reflects the law as it stood when the article was written; some courts have since required reasonable suspicion before a full forensic examination of a device seized at the border.
D: Seizure of Digital Evidence
The way digital evidence is seized differs between hardware and software. Investigators used to print files and recopy them onto floppy disks, or to seize all of the computer equipment and access the stored data from another location. Hardware searches are not conceptually difficult: the items occupy physical space and can be moved in familiar ways. The preferred method today is to make a complete, exact bit-stream copy (a forensic image) of the hard disk before shutting the computer down, using a write blocker so that the original is never altered, and to record a cryptographic hash of the original and of the copy so that the copy can be shown to be identical and any later modification can be detected. These copies are used to reconstruct the suspect disk and analyze it later, leaving the original untouched as the best evidence.
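The acquisition and integrity rules described above and in the IACIS requirements (sterile target media, an original that is only read, a copy whose hash matches the original, and re-verification before examination), shown as an added worked example that is not part of the original article and not any vendor's tool. The "evidence disk" is a constructed byte string, the write blocker is modelled by only ever reading an immutable object, the 16-byte sector size and all function names are the example's own assumptions.

```python
import hashlib
import re

# Constructed sample "evidence disk" (not a real image): an 8-byte magic,
# one live record, and a deleted record that still sits in unallocated space.
EVIDENCE_DISK = (
    b"FAKEFS01" + b"\x00" * 8
    + b"live: invoice 0042 paid\n" + b"\x00" * 40
    + b"deleted: meet at 22:00\n" + b"\x00" * 17
)
SECTOR = 16  # deliberately tiny (assumed) so the sector loop is easy to follow


def prepare_sterile_media(size: int) -> bytearray:
    """Forensically sterile target media: wiped to zeros and verified as such
    before anything is copied onto it, so residue from a previous case can
    never be mistaken for evidence in this one."""
    target = bytearray(size)
    if any(target):
        raise RuntimeError("target media is not sterile")
    return target


def acquire_image(source: bytes, target: bytearray) -> dict:
    """Sector-by-sector bit-stream copy of the original onto sterile media.

    The source is an immutable bytes object and is only ever read, which is
    the software stand-in for a hardware write blocker. The original is hashed
    during the same read pass and the copy is hashed afterwards; both digests
    go into the acquisition record that accompanies the exhibit.
    """
    if len(target) < len(source):
        raise ValueError("target media is smaller than the source")
    source_hash = hashlib.sha256()
    for offset in range(0, len(source), SECTOR):
        sector = source[offset:offset + SECTOR]
        source_hash.update(sector)
        target[offset:offset + len(sector)] = sector
    copy_hash = hashlib.sha256(bytes(target[:len(source)])).hexdigest()
    return {
        "size": len(source),
        "sha256_source": source_hash.hexdigest(),
        "sha256_copy": copy_hash,
        "verified": source_hash.hexdigest() == copy_hash,
    }


def verify_image(image: bytes, record: dict) -> bool:
    """Re-hash a working copy against the acquisition record. Any change since
    acquisition, even a single flipped bit or a truncated image, makes this
    return False; a matching digest is what lets the examiner show that the
    copy examined is the copy that was acquired."""
    return (len(image) == record["size"]
            and hashlib.sha256(image).hexdigest() == record["sha256_source"])


def carve_strings(image: bytes, min_len: int = 6) -> list:
    """Recover printable runs from the whole image rather than from live files,
    which is how a deleted-but-not-overwritten record is found."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, image)]


if __name__ == "__main__":
    media = prepare_sterile_media(len(EVIDENCE_DISK))
    record = acquire_image(EVIDENCE_DISK, media)
    working_copy = bytes(media)
    print("acquisition record:", record)
    print("working copy verifies:", verify_image(working_copy, record))
    tampered = bytearray(working_copy)
    tampered[0] ^= 0x01  # flip one bit in the copy
    print("tampered copy verifies:", verify_image(bytes(tampered), record))
    print("carved strings:", carve_strings(working_copy))
```

In practice the same steps are carried out with a hardware write blocker and an imaging tool, and the acquisition record also carries the media make, model and serial number, the examiner's name, the time, and usually a second digest (MD5 or SHA-1 alongside SHA-256) so that a collision argument against one algorithm cannot undermine the record. Examination is then done on the verified working copy; the original goes into evidence storage.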
Searches for data and software are far more complex, especially as regards acceptance by the court. Before the Supreme Court's rejection of the "mere evidence" rule in Warden v. Hayden, 387 U.S. 294, 300-301 (1967), courts were inconsistent in ruling whether records that helped to connect the criminal to the offense were instrumentalities of crime (and thus seizable) or were instead merely evidence of crime (and thus not seizable). Indeed, several courts concluded that, when it comes to documents, it is impossible to separate the two categories, stating that the distinction between mere evidence and instrumentalities is wholly irrational, since, depending on the circumstances, the same "papers and effects" may be "mere evidence" in one case and an "instrumentality" in another.

Information may also be found in printed copies. These are very valuable, as they may display an earlier version of data that has since been altered or deleted, which undercuts the suspect's defense, and they may lead investigators to a particular printer, which in turn may be seizable. Investigators and law enforcement officers may also find notes in manuals, on the equipment or near the computer. These too are evidence accepted by the courts, and they may help to break a password, locate a directory or operate software.

The instruction given above about confidential fiduciaries (that assisting forensic experts should not examine files about uninvolved third parties beyond what is necessary to locate the information described in the warrant) reflects a concern that Congress has written into law. Federal law recognizes some, but not all, of the common law testimonial privileges. Fed. R. Evid. 501. Congress has recognized a "special concern for privacy interests in cases in which a search or seizure for documents would intrude upon a known confidential relationship such as that which may exist between clergyman and parishioner; lawyer and client; or doctor and patient." 42 U.S.C. § 2000aa-11(a)(3). At Congress's direction, see 42 U.S.C. § 2000aa-11(a), the Attorney General has issued guidelines for federal officers who want to obtain documentary materials from disinterested third parties. Under these guidelines, officers should not use a search warrant to obtain documentary materials believed to be in the private possession of a disinterested third-party physician, lawyer or clergyman where the material sought, or likely to be reviewed during execution of the warrant, contains confidential information on patients, clients or parishioners. 28 C.F.R. § 59.4(b).

Congress has also expressed a special concern for publishers and journalists in the Privacy Protection Act, 42 U.S.C. § 2000aa. Generally speaking, agents may not search for or seize any "work product materials" (defined by statute) from someone "reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication." 42 U.S.C. § 2000aa(a). In addition, as an even broader proposition, government officers cannot search for or seize "documentary materials" (also defined) from someone who possesses them in connection with a purpose to similarly publish. 42 U.S.C. § 2000aa(b). These protections do not apply to contraband, fruits of a crime, or things otherwise criminally possessed. 42 U.S.C. § 2000aa-7.
United States Patriot Act and the Digital Evidence
On October 26, 2001, President Bush signed the USA PATRIOT Act into law. The Act gave sweeping new powers to both domestic law enforcement and international intelligence agencies, and removed many of the checks and balances that had previously given courts the opportunity to ensure those powers were not abused. Most of those checks had been put in place after earlier misuse of surveillance powers by these agencies, including the revelation in 1974 that the FBI and foreign intelligence agencies had spied on over 10,000 U.S. citizens, including Martin Luther King Jr.

The Act made a number of changes concerning information systems and digital evidence:

- Search warrants for stored e-mail and similar records (section 220) may now be executed on records held outside the district of the issuing court.
- The authority of federal courts was expanded to allow issuance of pen register and trap-and-trace orders valid anywhere in the United States (section 216).
- Records of Internet service provided by cable companies may now be subpoenaed or obtained by search warrant under the ordinary rules that apply to other Internet service providers (section 211), without the Cable Act's requirement of prior notice to the customer.
- Investigators can seize and listen to unopened voicemail messages stored with a third-party provider under a search warrant (section 209), rather than under the more demanding wiretap-order procedure previously required.
- Penalties and sentences were increased for offences involving damage to, and hacking of, computers, and the statute now reaches computers located in other countries where U.S. interstate or foreign commerce is affected (section 814).
- Investigators may subpoena from ISPs certain customer records such as credit card numbers and other payment information, addresses, and session times and connection durations (section 210).
- Investigators are permitted to intercept voice (wire) communications as evidence in computer hacking cases, since such offences became predicate offences for wiretap orders (section 202).
References
[1] D. L. Shinder and E. Tittel: Scene of the Cybercrime: Computer Forensics Handbook, Syngress (2002)
[2] The Role of Evidence in a Trial: http://www.slider.com/
[3] Computer Forensics Defined: http://www.forensics-intl.com/
[4] DOJ Computer Crime and Intellectual Property Section: http://www.cybercrime.gov
[5] International Journal of Digital Evidence: http://www.ijde.org/
[6] Federal Rules of Evidence: http://www.law.cornell.edu/
[7] The International Association of Computer Investigative Specialists (IACIS): http://www.cops.org/
[8] High Technology Crime Investigation Association: http://htcia.org
[9] University of Dayton, Cybercrimes: http://www.cybercrimes.net/
[10] Computer Forensics: http://www.computerforensics.com