Computer Forensics BACS 371 Evidence Collection & Admissibility Outline Evidence overview Evidence admissibility Challenges to evidence Evidence acquisition Preserving evidence Evidence authenticity Forensic methodology Special considerations 2 5 Rules of Evidence Admissibility – the evidence must be admissible in court. Authenticity – the evidence must relate to the incident in question Completeness – the evidence must be comprehensive Reliability – the evidence must be consistent and uncontaminated Believability – the evidence should be clearly understandable and believable by the jury Admissible Evidence? What makes evidence “admissible”? Short answer – if a judge says it is, it is… Judges use guidelines for admissibility: Is the evidence relevant? Is the evidence authentic and credible? Is the evidence competent? An overriding principle is the “exclusionary rule” which says it is not admissible if it was not collected legally. Is it Relevant? The question of relevance is usually the first considered by a judge. If it is not relevant, then it will not be admissible. To be considered relevant the evidence must satisfy 2 conditions: 1. 2. It must be material – directly relating to the case being presented. It must be probative – proves something that will help get to the truth of the situation. Is it Authentic and Credible? The question of authenticity is basically asking if the evidence is what it purports to be. This requires asking a number of questions which include: Is the material an opinion? If it is an opinion, is it the opinion of an expert witness? Was it collected correctly? Could it have been altered in any way? Is it Competent? It is not prejudicial in any way. This applies primarily to evidence not directly related to the case. It is not privileged. For example, it cannot involve attorney-client, doctor-patient, … or other privileged communication. It cannot be collected in violation of Constitutional rights. It cannot be hearsay (except for expert witnesses). It cannot violate an exclusionary rule. Withstanding Challenges to Evidence Criminal trials are often preceded by a suppression hearing. This is where the admissibility (i.e., suppression) of evidence is determined. At this hearing, the judge determines if the 4th Amendment was correctly followed. Also, if proper discovery procedure is not followed, defendants can challenge evidence admissibility. Exclusionary Rules Exclusionary rules test whether evidence will be admissible (judges use them). Exclusionary rules pertain to the following: Relevancy Privilege Opinion of an expert Hearsay Authentication Acquiring Evidence – Legal Aspects There are a number of pertinent legal aspects to acquiring evidence. These include: 10 The 4th Amendment affects how forensic analysts can acquire evidence Preserving the evidence Establish authenticity of the evidence Following a repeatable process to ensure admissibility 4th Amendment Considerations when Acquiring Evidence 11 When does evidence “seizure” occur? Who owns the computer that contains data? What type of image is “good enough” to be searched? Do attempts to delete data involve privacy or indicate a cover-up? When searching a network, where do you stop? What if one search leads to another? Where does one search stop and another begin? Preserving the Evidence Computer Forensics is the discipline of acquiring, preserving, retrieving, and presenting electronic data. Three C’s of evidence: Care - Take Care of the way you collect and handle it Control - Take Control of it by seizing and storing it properly Chain of Custody - Keep an accurate Chain of Custody 12 Preserving and Storing the Evidence Keep evidence in possession or control at all times Document movement of evidence between investigators (chain of custody). Secure evidence appropriately so that it can’t be tampered with or corrupted. Mathematically authenticate data. (i.e., hash values) 13 Preserving the Evidence Preserving the evidence means that you practice a defensible (objective, unbiased) approach that is: Performed in accordance with forensic science principles Based on standard or current best practices Conducted with verified tools to identify, collect, filter, tag and bag, store, and preserve e-evidence Conducted by individuals who are certified in the use of verified tools, if such certification exists Documented thoroughly 14 Establishing Authenticity You should use one of the following 3 criminal evidence rules: Authentication Best – show that it’s a true copy Evidence Rule – work with the original Exceptions to Hearsay rule – confessions or business records Forensic analyst tend to use authentication based upon hash values 15 Legal Authenticity Standards Over the years, several evidence standards have been devised. 16 Relevancy test – Anything that is materially relevant to case Frye Standard – Technique my be sufficiently established (general acceptance test) Coppolino Standard – Even if not generally accepted, court can accept if good foundation laid Marx Standard – No need to sacrifice common sense Daubert Standard – Rigorous test with special discovery procedures Forensic Methodology A forensic methodology is a well-defined, repeatable process used by forensic analysts to ensure that: Evidence is properly collected, prepared, and stored Evidence is analyzed in a consistent and thorough manner acceptable to the court Analyst objectivity is maintained Documentation is collected to ensure that a comprehensive report can be generated. 17 Brief Outline of the Scientific Method Successful forensic examinations generally follow the scientific method. 1. 2. 3. 4. 5. 18 Identify and research a problem Formulate a hypothesis Conceptually and empirically test the hypothesis Evaluate the hypothesis with regards to test results If hypothesis is acceptable, evaluate its impact. If not, reevaluate the hypothesis Special Considerations Digital Forensics has some special considerations when it comes to evidence. The plain view doctrine Multiple computer users Search with consent 19 Plain View Doctrine The plain view doctrine was developed for physical, tangible evidence. Digital evidence requires a more refined definition of “plain view” Inadvertence approach Prophylactic test approach Computers as containers approach 20 Multiple Computer Users 21 Any time a computer is configured for multiple users the issue of privacy becomes convoluted. Legal search in these cases revolves around the notion of “reasonable expectation of privacy.” Accounts with passwords are a strong case for individual account privacy. The problem is also present in network environments and cloud storage situations. Search with Consent 22 Multiple computer user accounts combined with forensic tools that cannot distinguish who actually owns a file can cause search with consent problems. The general rule is that consent cannot be given to another users files if an effort has been made to segregate the users (e.g., passwords, independent folders, …) The issue is clouded when the user accounts have administrative privilege (since they can reset passwords). Summary Evidence must be admissible, authentic, complete, reliable, and believable. Judges determine admissibility based on a set of exclusionary rules and other procedural concerns. Improper search and seizure can make even the best evidence inadmissible. There are various ways to establish the authenticity of evidence. Certain special considerations must be taken into account when working with digital evidence. 23