Computer Forensics
BACS 371
Constitutional Amendments & Digital Forensics

Topic Outline
- 1st, 4th, 5th, and 14th Amendments
- Probable Cause
- Search & Seizure
- 4th Amendment Exceptions
- Warrants
- Subpoenas

Constitutional Amendments
- The U.S. Constitution was originally ratified with 10 Amendments, now called “The Bill of Rights”
- The 4 Amendments that most closely relate to digital forensics are:
  - 1st Amendment – Freedom of religion, speech, & press
  - 4th Amendment – Protection against search & seizure
  - 5th Amendment – Self incrimination, due process
  - 14th Amendment – Equal protection, due process

Constitutional Amendments: 1st Amendment
“Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.”

Forensics and the 1st Amendment
- Privileged information and obscenity/child pornography are the main forensic concerns that the 1st Amendment embodies.
- Search warrants are not generally issued for anything that falls under the current definition of “the press.”
- Subpoenas can be obtained for specific information held by a “press” entity.
- There is some dispute as to whether an ISP is a provider of information or a medium of transport.

Constitutional Amendments: 4th Amendment
“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

Forensics and the 4th Amendment
Key forensic impact includes:
- “Reasonable” search and seizure
- Warrants
- Probable cause
- Places to be searched
- Things to be seized
~Details on this later in the presentation~

Constitutional Amendments: 5th Amendment
"No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a grand jury, except in cases arising in the land or naval forces, or in the militia, when in actual service in time of war or public danger; nor shall any person be subject for the same offense to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation."

Forensics and the 5th Amendment
- Protects the right to “due process of law” at federal level
- Protects against testifying against yourself (“self incrimination”)
- Forcing someone to give up a password (for encryption or login purposes) can be considered as forcing them to testify against themselves.
- You can, however, require them to provide fingerprints, retina scans, voice samples which, if used to protect a system, would make evidence available for search.

Constitutional Amendments: 14th Amendment
“Section. 1. All persons born or naturalized in the United States and subject to the jurisdiction thereof, are citizens of the United States and of the State wherein they reside.
No State shall make or enforce any law which shall abridge the privileges or immunities of citizens of the United States; nor shall any State deprive any person of life, liberty, or property, without due process of law; nor deny to any person within its jurisdiction the equal protection of the laws.”

Forensics and the 14th Amendment
- Amendment was created primarily in response to the Civil War
- Reinforces the concept of “due process of law” (this time at state level)
- Makes most of the original bill of rights also apply to the states. Prior to this, it was technically only applicable at the federal level.

Constitutional Amendments
The 4th Amendment deserves special attention as it relates to digital forensics.
“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

4th Amendment to U.S. Constitution
- It does not specify citizens of the U.S. It says “people”; consequently, anyone physically in the boundaries of the country has this protection.
- It includes corporations (since they are treated as people legally).
- It does not apply to foreign nationals within the boundary of their own country.
- It only applies to searches conducted by the government, not private individuals.
- Has been interpreted as protecting people, not places.
- Only applies in situations where person has a “reasonable expectation of privacy.”

Key Components to 4th Amendment
1. Reasonable search and seizure
2. Probable cause
3. The place to be searched
4. The things to be seized
Each of these has very specific legal meaning and a good deal of historical case law to back them up.

Notes on Key Components
- The right to be secure is not unlimited.
- The government has the right to perform searches and seize items if it is “reasonable”.
- What is “reasonable” is viewed in the totality of the circumstances.
- A “search” and a “seizure” are 2 separate things.
- “Search” is an infringement of a person’s privacy (including tangible and intangible).
- “Seizure” is the legal act of taking something that could constitute evidence. Can be tangible (i.e., computer) or intangible (i.e., digital artifacts). (Electronic surveillance within a search has been deemed the seizure of words).

Notes on Key Components cont.
- Any evidence collected by illegal search is normally inadmissible (so called “fruits of the poisonous tree”). This is to discourage overly aggressive search and seizure.
- Probable cause is the reasonable belief that a crime has been, is being, or is about to be committed. This belief must be reliable and reasonable enough to convince a judge, court commissioner, or magistrate that it is valid.
- Probable cause information is detailed in a written affidavit. It must be sworn to in front of somebody who has the power to give oaths or affirmations. (Oaths invoke “God” as a witness while affirmations do not).
- Extreme details about where to search and what to look for are contained in the affidavit. This poses some problems when trying to get digital data.

Key Exceptions to the 4th Amendment
The 4th Amendment is not absolute. There are several exceptions where search can take place without a warrant.
- No “reasonable expectation of privacy”
- Consent
- Plain view
- Search incident to a lawful arrest
- Exigent circumstances
- Workplace searches
- Inventory searches
- Border searches

No Expectation of Privacy Exception
- Katz v. United States (1967). Case that reexamined what “reasonable expectation of privacy” means.
- Case dealt with recordings made in a public phone booth.
- Ruling stated that going into a phone booth and closing the door gave one the expectation of privacy.
- Inverse of this ruling is that statements made in a public forum (i.e., Internet, Facebook) do not have the expectation of privacy.

Consent Exception
- If you give permission, no warrant is necessary.
- At any time, consent can be revoked.
- Consent must be given knowingly and voluntarily.
- The scope must be understood based upon what a “typical reasonable person” would understand it to be.
- The more specific and detailed the request for consent, the better.
- If necessary to remove computer from its original location, you also need consent to seize.
- While not required, consent in writing is best and should notify party how to revoke consent.
- When joint ownership occurs, all must agree (applies to computer with multiple sign-ons).

Plain View Exception
- Apparent evidence in plain view can be seized without a warrant.
- The officer must be in the area legally.
- Computers with visible contraband showing can be seized without a warrant (but you can’t open any files manually to look for more without a warrant).
- Observations of potential evidence on the Internet are public domain and may be “searched” and “seized” without a warrant.

Lawful Arrest Exception
- Incident to a lawful arrest, officers are permitted to conduct a full search of a person’s person and the area immediately under their control.
- The limited area is called the “lunge-reach-rule” and extends to the distance a person could lunge to reach a weapon or destroy evidence.
- The search must be contemporaneous to the lawful arrest.
- It is “reasonable” to search a pager at arrest time.
- No formal rules for PDAs or cell phones (yet). So, you still need a warrant for these devices.

Exigent Circumstances Exception
- Exigent (that is, emergency) circumstances can allow a warrantless search if the officer believes that physical harm could come to someone or evidence will be destroyed.
- Frequently applies to computer equipment because it is easy to destroy.
- If the officer believes that the delay needed to get the warrant will allow the evidence to be destroyed, this rule can be used.

Workplace Search Exception
- Law Enforcement personnel may search without a warrant with consent of the business in the workplace.
- 3rd party searches can be re-created for law enforcement (but not go beyond original search).
- If the 3rd party acts under the instruction of the officer, they become an “agent” of the government and have to follow the standard search rules.
- Work computers can usually be searched without a warrant if there is implied consent and no expectation of privacy.
- The extent of private sector search is determined by the expectation of privacy within the work environment.

Official Banners Eliminate Reasonable Expectation of Privacy

Inventory Search Exception
- Routine collection of personal effects for inventory purposes does not require a warrant.
- If obvious contraband is found, it can be seized.
- Locked containers may not be searched for evidence without a warrant.
- Electronic media discovered during an inventory search cannot be accessed without a search warrant.

Border Search Exception
- Allows searches and seizures at international borders and their functional equivalent without a warrant or probable cause.
- The expectation of privacy is less at the border than in the interior of the country.
- Consequently, the balance between the interests of the Government and the privacy right of the individual is weighted much more favorably to the Government at the border.

Search Warrants

Fundamentals of Warrants
- In cases where there is no 4th Amendment exception, a search warrant is generally needed to perform a legal search.
- Search Warrant – An order issued by a judge giving government officials express permission to enter an area and search for specific evidence pertaining to a specific crime.

Fundamentals of Warrants
Warrants Must Describe:
- Probable cause
  - A reasonable belief that a person has committed a crime (affidavit required)
- Places to be searched, things to be seized
  - This must be specified in detail
- Gives government official the limited right to violate a person’s privacy

Drafting Warrant and Affidavit
- Affidavit
  - A sworn statement that explains the basis for the affiant’s belief that the search is justified by probable cause
- Warrant
  - Typically a one-page form, plus attachments, that describes the place to be searched, and the persons or things to be seized
- Warrant must be executed within 10 days

“Reasonable Expectation of Privacy” in Computers as Storage Devices
- To determine whether an individual has a reasonable expectation of privacy in information stored in a computer, it helps to treat the computer like a closed container such as a briefcase or a file cabinet.
- The Fourth Amendment generally prohibits law enforcement from accessing and viewing information stored in a computer without a warrant if it would be prohibited from opening a closed container and examining its contents in the same situation.
- Issues:
  - Are individual files each considered a “closed container?”
  - Relinquishing control to 3rd parties

Warrantless Searches
Warrantless searches do not violate the 4th Amendment if:
- Search does not violate “reasonable expectation of privacy”, or
- Falls within an established exception to the warrant requirement (that is, the 4th Amendment exceptions covered previously).

Other Warrant Issues
- Multiple Warrants for Network Searches
- No-Knock Warrants
- Sneak-and-Peek Warrants
- Privileged Documents

Multiple Warrants for Network Search
- When a computer network is being searched, multiple warrants may be required.
- This is intended to protect the privacy of the other parties that may have data stored on the network.
- A similar situation exists when a single computer has multiple logins which are owned and controlled by different people.

No-Knock Warrants
- Unless otherwise noted, warrants must abide by the “knock and announce” rule.
- Some warrants are issued as “no-knock” when:
  - It is reasonable that the suspect may aggressively repel the search
  - The suspect may escape after the officer knocks
  - It is likely that evidence will be destroyed after the officer knocks and announces
- In digital cases, when a “kill switch” is anticipated, it is common to request this type of warrant

Sneak & Peek Warrants
- The Patriot Act of 2001 provided a new tool called “delayed notice” warrant (aka “sneak & peek”).
- This allows notification of the search to be delayed up to 90 days.
- Under normal circumstances, officers cannot seize evidence; however, judges can allow exceptions.
- For digital forensics, this would allow the officer to secretly make a copy of a computer file found during the secret search.

Privileged Documents
Some documents are not generally available via warrant (and hence are not “discoverable”). These are called “privileged documents” and generally fall into the following categories.
- Attorney-client
- Doctor-patient
- Work product content
- Protected intellectual property

Subpoenas
- A subpoena is not the same thing as a warrant.
- A subpoena does not give the right to search a person or location.
- Subpoenas do not give the right to seize any material evidence.
- A subpoena can do 2 things:
  1. Command a person to appear (in person or with evidence)
  2. Command a person or organization to surrender (or allow examination) of specified tangible evidence

Computer Specific Statutes
- Computer Fraud and Abuse Act of 1986 (18 USC § 1030)
- Child Pornography Protection Act (CPPA)
- Telecommunications Reform Act of 1996
- Federal Wiretap Act
- Stored Communications Act
- Electronic Communication Privacy Act of 1986
- Communications Assistance for Law Enforcement Act (CALEA) of 1994 (amended in 2994 to include cell phones)
- Title III of the Omnibus Crime Control and Safe Streets Act of 1968
- Foreign Intelligence Surveillance Act (FISA) of 1978
- Comprehensive Crime Control Act of 1984
- Privacy Protection Act of 1980
- Digital Millennium Copyright Act (DMCA??)