Computer Forensics BACS 371: Basic Law Terms and Concepts

Introduction

The legal system in the United States has a long history. It is based on Old English Common Law, but has evolved into a uniquely complex system. This system has many terms and concepts that require explanation to ensure that computer forensic professionals do not make mistakes that jeopardize cases.

Definition of Crime

A crime is an offensive act against society that violates a law and is punishable by the government. Two important principles in this definition:
1. The act must violate at least one current criminal law.
2. It is the government (not the victim) that punishes the violator.
Given this, until a law exists addressing an action, there is no “crime” in doing it.

Criminal Statutes

Criminal laws are defined in rules called “criminal statutes.” All criminal statutes define crimes in terms of what are known as the “elements” of the offense. These include:
1. Required acts
2. A required state of mind (“intent”)
The prosecutor tries to persuade the judge and/or jury that the person charged with the crime (the “defendant”):
1. Did the acts
2. Had the intent described in the statute

Cybercrime Statutes and Acts

Generally, laws and statutes lag behind the “latest trends” in cyber crime. Given that an act isn’t a crime until a law exists, this means that many cyber exploits are allowed to happen at least once free of punishment. Once a law exists, it is still a challenge for the statute to keep up with new cyber crime trends and abuses.

Crime Categories and Sentencing

Crimes are divided into two broad categories:
- Felonies: serious crimes punishable by fine and more than one year in prison.
- Misdemeanors: lesser crimes punishable by fine and less than one year in prison.
Sentencing guidelines give directions for sentencing defendants to ensure consistency. Tougher sentencing guidelines for computer crimes came into effect in 2003.
Since then these have been tested and fine-tuned to a certain extent. Now, certain types of computer crime can result in a life sentence.

Cyber Crime Categories

The terms computer crime, cyber crime, information crime, and high-tech crime are generally used interchangeably. Two categories of offenses involve computers:
- Computer as instrument: the computer is used to commit the crime.
- Computer as target: the computer or its data is the target of the crime.
In some cases, the computer can be both the target and the instrument.

Investigation Types

There are 3 different types of investigations:
1. Internal investigation – generally kept secret (initially)
2. Civil investigation – between individuals
3. Criminal investigation – between government and individual
Investigations have multiple stakeholders. Court-based cases have:
1. Plaintiff – entity that brings the charges
2. Defendant – entity that is charged
3. Lawyers (usually) and judges

Civil vs. Criminal Charges

There are 2 major categories of charges: civil and criminal. Each has its own system of courts and procedures.
- Civil charges are brought by a person or company. Parties must show proof that they are entitled to evidence.
- Criminal charges can be brought only by the government. Law enforcement agencies have authority to seize evidence. Penalties are generally more severe and can include loss of liberty and/or life.

Comparing Criminal and Civil Laws

Objective
  Criminal law: to protect society’s interests by defining offenses against the public
  Civil law: to allow an injured private party to bring a lawsuit for the injury
Purpose
  Criminal law: to deter crime and punish criminals
  Civil law: to deter injuries and compensate the injured party
Wrongful act
  Criminal law: violates a statute
  Civil law: causes harm to an individual, group of people, or legal entity
Who brings charges against an offender
  Criminal law: a local, state, or federal government body
  Civil law: a private party (a person, company, or group of people)

Criminal and Civil Laws (Cont.)
Deals with
  Criminal law: criminal violations
  Civil law: noncriminal injuries
Authority to search for and seize evidence
  Criminal law: more immediate; law enforcement agencies have power to seize information and issue subpoenas or search warrants
  Civil law: parties need to show proof that they are entitled to evidence
Burden of proof
  Criminal law: beyond a reasonable doubt
  Civil law: preponderance of the evidence
Principal types of penalties or punishment
  Criminal law: capital punishment, fines, or imprisonment
  Civil law: monetary damages paid to victims or some equitable relief

Evidence Basics

Evidence is proof of a fact about what did or did not happen. To be legally admissible, evidence must be reliable and relevant. At a minimum, to be admissible, evidence requires legal search and seizure along with a valid chain of custody. Three types of evidence can be used in legal proceedings:
1. Testimony of a witness – based on your 5 senses
2. Physical evidence – anything tangible
3. Electronic evidence (e-evidence) – digital evidence which, by its nature, is intangible

Evidence Basics

Testimony of a witness is traditionally considered the “best” form of evidence (even though there are documented problems with this type of evidence). Physical and electronic evidence are “circumstantial” evidence. Circumstantial evidence is not a direct statement from an eyewitness or participant. It can be admissible and can be quite strong. Many cases are decided strictly based on this type of evidence. All e-evidence is, by its nature, circumstantial evidence. Both cyber crimes and traditional crimes can leave cybertrails of evidence.

Evidence vs. Testimony

Arguments by attorneys, comments by judges, and witnesses’ answers to questions are not evidence. Maps, models, simulations, or other materials used to demonstrate and explain matters are also not evidence. Each of these is testimony which, based on the ruling of a judge, may be allowed as evidence. It is a subtle, but important distinction.
Use of Evidence

As stated previously, testimony is not automatically evidence, but may be admissible and allowed as evidence. The job of the lawyer is to put evidence together into a crime hypothesis that makes sense to the judge and/or jury. Evidence that:
- supports the hypothesis is inculpatory
- contradicts the hypothesis is exculpatory

Forensic Use of E-Evidence

Federal rules of evidence state that accurate copies of electronic data are “originals.” What this means to forensic investigators is that an exact copy of electronic evidence can be analyzed and processed as if it were the original copy. This is important because it means that the “best evidence rule” can be applied to e-evidence. Without this exception, analysts would be required to bring the physical computer into the courtroom to admit something as simple as an email into evidence.

Evidence Terms & Concepts

- Admissible evidence: evidence allowed to be presented at trial. Must be authenticated.
- Inadmissible evidence: evidence that cannot be presented at trial.
- Material evidence: evidence relevant and significant to the legal action.
- Immaterial evidence: evidence that is not relevant or significant to the legal action.

Evidence Terms & Concepts

- Inculpatory evidence: evidence that supports a given theory.
- Exculpatory evidence: evidence that contradicts a given theory.
- Tainted evidence: evidence obtained from an illegal search or seizure.
- Artifact evidence: evidence modified or added to a crime scene that causes the investigator to incorrectly think that it relates to the crime.

Evidence Terms & Concepts

- Circumstantial evidence: evidence that is not a direct statement from an eyewitness or participant.
- Documentary evidence: physical or electronic evidence (which makes it circumstantial also).
- Hearsay evidence: secondhand evidence. Generally inadmissible.
- Expert testimony: generally admissible. It is an exception to the hearsay rule.
Evidence Terms & Concepts

- E-evidence: generic term for any electronic evidence. E-evidence is another exception to the hearsay rule.
- Rules of Evidence: published rules by which the courts determine what evidence is admissible.
- Best Evidence Rule: “[i]f data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original.’”

Discovery

Discovery is the process whereby each party has a right to learn about the other’s evidence. This is where it is determined if evidence is relevant. All evidence must be disclosed in advance; evidence not disclosed in advance may be deemed inadmissible. Discovery includes information that must be provided by each party if requested. There are many methods of discovery.

Discovery Methods

- Interrogatories: written answers made under oath to written questions
- Requests for admissions: intended to ascertain the authenticity of a document or the truth of an assertion
- Requests for production: involves the inspection of documents and property
- Depositions: out-of-court testimony made under oath by the opposing party or other witnesses

Electronic Discovery (E-Discovery)

Zubulake v. UBS Warburg (2003) is a landmark case involving e-discovery. Based on this case, courts recognized five categories of stored data which could be used for e-discovery:
1. Active, online data
2. Near-line data
3. Offline storage/archives
4. Backup tapes
5. Erased, fragmented, or damaged data
The result was an increased demand for e-discovery based on this (and related) rulings.

E-Discovery

Companies are required to take steps to preserve e-evidence even before being told to do so. When ordered to do so, companies are required to turn over requested e-records in readable format by a specified date. Courts generally view the failure to respond to e-discovery as an attempt to hide guilt.
Destruction of e-evidence is called “spoliation” and is considered “obstruction of justice.” Regardless of how expensive it is, companies must comply with discovery requests and produce requested records.

Summary

- A crime is an offense that violates an existing law.
- Criminal laws are defined by criminal statutes and are punishable according to sentencing guidelines.
- Crimes are divided into two categories: felonies and misdemeanors.
- There are two categories of charges: civil and criminal.
- Evidence is proof of a fact about what did or did not happen.
- For evidence to be used in a trial, it must be material and admissible.

Summary (Cont.)

- E-evidence is circumstantial by definition.
- E-evidence is considered an original copy if it is collected properly.
- Evidence that supports a hypothesis is inculpatory and evidence that contradicts a hypothesis is exculpatory.
- The forensic analyst is objective and collects both types of evidence.
- E-discovery is the process of disclosing electronic evidence prior to trial.
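The slides' point that a copy of e-evidence is treated as an “original” only if it is an accurate copy collected with a valid chain of custody rests on two things an analyst can actually demonstrate: a hash match between source and copy, and a custody record of who handled the item and when. The following Python is an added example, not part of the lecture; the item id, custodian name and message bytes are constructed placeholders.

```python
"""Added example (not from the lecture): show that a forensic copy is exact
and record that step in a chain-of-custody log. All sample data is constructed."""
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hash of the evidence bytes; SHA-256 is a common choice for imaging."""
    return hashlib.sha256(data).hexdigest()


def verify_copy(original: bytes, copy: bytes) -> bool:
    """True only if the copy is bit-for-bit identical to the original."""
    return sha256_hex(original) == sha256_hex(copy)


def custody_entry(item_id: str, action: str, custodian: str, digest: str, when=None) -> dict:
    """One chain-of-custody record: what was done, by whom, when, and the hash at that point."""
    when = when or datetime.now(timezone.utc)
    return {"item": item_id, "action": action, "custodian": custodian,
            "sha256": digest, "time": when.isoformat()}


def acquire_and_log(item_id: str, original: bytes, copy: bytes, custodian: str, log: list) -> bool:
    """Verify the copy against the original and append the outcome to the custody log.

    A mismatch is still logged: the record of a failed verification is itself
    part of the custody history and explains why that copy must not be analyzed."""
    ok = verify_copy(original, copy)
    action = "imaged, hash " + ("verified" if ok else "MISMATCH")
    log.append(custody_entry(item_id, action, custodian, sha256_hex(copy)))
    return ok


if __name__ == "__main__":
    # Constructed sample "drive" contents; EX-001 is a hypothetical item id.
    ORIGINAL = b"From: alice@example.test\nSubject: quarterly numbers\n\n..."
    good_copy = bytes(ORIGINAL)                                 # exact duplicate
    bad_copy = ORIGINAL.replace(b"quarterly", b"monthly")       # altered during copying
    log: list = []
    print(acquire_and_log("EX-001", ORIGINAL, good_copy, "analyst A", log))  # True
    print(acquire_and_log("EX-001", ORIGINAL, bad_copy, "analyst A", log))   # False
    for entry in log:
        print(entry)
```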