Legal Issues Drama in Soviet Court. Post-Stalin (1955). Painted by Solodovnikov. Oil on Canvas, 110 x 130 cm. Computer Forensics COEN 252 Issues of Evidence An information is admissible in court if it is • Relevant • Its probative value outweighs its prejudicial effect. Issues of Evidence • Foundation – Context for Information • Hearsay – Not admissible with exceptions • Chain of Custody – Establishes trustworthiness of evidence by preventing tampering Stipulation: Agreement between parties or concession by one party in a judicial proceeding. Exceptions to Hearsay • Admissions: – out-of-court statements contrary to penal or pecuniary interest, including those found on a computer. • Business Records – Made in the normal course of business. – Relied on by the business. – Made at or near the occurrence of the act the record purports to record. – Offered through a competent witness, either the custodian of the record or another who can testify to those issues. Computer-Generated Records • Computer generated records often fall under the business record exemption. • Courts might also start to make a distinction between computer-generated records and computer-stored records. Computer-Generated Records • Not a question of hear-say (is there better evidence available) • But a question of Authenticity. Is the generating program reliable? Breach of Chain of Custody • Not every breach makes the item inadmissible. • Not necessary to have the best security against tampering. • Government agents are assumed to be trustworthy. • But Chain of Custody • Working on the original. A forensic examination that is done directly on the original disk drive will make it difficult to argue that the evidence could not have been tampered with. Much better to make a “true copy” and examine the true copy. • Proof that it is a true copy. Best Evidence Rule • Copies are worse than originals, therefore they are not admissible unless the original has been destroyed. • Does not apply to various computer outputs. Acquisition of Evidence • Distinction between government agents and private citizens. • Illegal actions by private citizens can yield admissible evidence and lead to their punishment. • If a sworn law officer violates an amendment, the gained evidence is usually suppressed, but the officer is protected by sovereign immunity. Electronic Communications Privacy Act ("ECPA"), Title III • Extends protection against wiretapping to communications between computers • Know the exceptions • Know the consequences of violating the title Electronic Communications Privacy Act ("ECPA"), Title III • A person acting under the color of law can intercept electronic communication where such a person is party to the communication or one of the parties of the communication have given prior consent to such interception. Electronic Communications Privacy Act ("ECPA"), Title III "A person not acting under color of law" is also allowed to intercept an "electronic communication" where "such person is a party to the communication, or one of the parties to the communication has given prior consent to such interception." The consent can be implicit, e.g. by using a computer protected with login banners. ECPA Title III Concerns Title III also permits providers of a communication service, including an electronic communication service, the right to intercept communications as a "necessary incident to the rendition of his service" or to protect "the rights or property of the provider of that service." ECPA Title III Concerns Two exceptions to the last rule: • If there is no actual damage, then the right to monitor does not exist. • The government is not allow to do the monitoring, but they can profit from monitoring. Fourth Amendment The right of people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. Fourth Amendment • Computer Storage = Closed Container such as a briefcase • With Warrant: – Limits to warrant because of privilege or additional protection. • Without Warrant – Expectation of Privacy Fourth Amendment • No expectation of privacy – Public display – Material in some else’s hands – Consent by co-owner or authorized person • Exigent circumstances • Plain view exception • Lawful arrest Very difficult and interesting case law. Privacy Protection Act • Protects publishers against government searches of material that is acquired for publication • Reaction to the Daily Stanfordian case • Internet publishing allows much private computer material to fall under the PPA protection Electronic Communications Privacy Act • Protects third party data against law enforcement seizes • E.g. internet provider. Legally Privileged Documents • Need to prevent ongoing investigation from using legally privileged documents. • Medical records. • Attorney-client communications. • Priest-penitent communications.