Legal Issues Drama in Soviet Court. Post-Stalin (1955). Painted by Solodovnikov. Oil on Canvas, 110 x 130 cm. Computer Forensics COEN 152/252 Issues of Evidence An information is admissible in court if it is Relevant Its probative value outweighs its prejudicial effect. Issues of Evidence Best Evidence Rule The legal doctrine that an original piece of evidence, particularly a document, is superior to a copy. If the original is available, a copy will not be allowed as evidence in a trial. Issues of Evidence Foundation Context for Information Hearsay Statement made not by declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted In general not admissable Chain of Custody Establishes trustworthiness of evidence by preventing tampering Stipulation: Agreement between parties or concession by one party in a judicial proceeding. Hearsay Rule 801. Definitions That Apply to This Article; Exclusions from Hearsay (a) Statement. “Statement” means a person’s oral assertion, written assertion, or nonverbal conduct, if the person intended it as an assertion. (b) Declarant. “Declarant” means the person who made the statement. (c) Hearsay. “Hearsay” means a statement that: (1) the declarant does not make while testifying at the current trial or hearing; and (2) a party offers in evidence to prove the truth of the matter asserted in the statement. Exceptions to Hearsay Admission against interest: out-of-court statements contrary to penal or pecuniary interest, including those found on a computer. Business Records Made in the normal course of business. Relied on by the business. Made at or near the occurrence of the act the record purports to record. Offered through a competent witness, either the custodian of the record or another who can testify to those issues. Exceptions to Hearsay Official government records Must be properly kept. Writing about an event close to its occurrence used to refresh a witnesses memory. “Learned treatise” Judgments in other cases Spontaneous excited utterance Exceptions to Hearsay Contemporaneous statement which explains the a person’s state of mind at the time of an event. A statement which explains a person’s future intentions if that state of mind is in question. Prior testimony A declaration of the opposing party which was contrary to their best interest if the parity is not available at trial. Dying declaration by a person who believes (s) is dying. http://dictionary.law.com/ Exceptions to Hearsay A statement made about one’s mental set, feeling, pain, or health if the person is not available A statement about one’s own will when the person is not available Other exception at the judge’s discretion based on the reliability of the testimony. http://dictionary.law.com/ Exceptions to Hearsay Rule Relevant for computer-based evidence Records of regularly conducted activity Absence of entry in records kept in accordance with the provisions of paragraph (6) Nature of “Computer Evidence” Computer Evidence falls under Computer-generated evidence Logs, file-system, … Computer-stored evidence Email, photo, … Both need additional evidence for evaluation Does file-system show signs of tempering Is the file-system reliable When was the photo taken Was the clock on the camera off Nature of Computer Evidence Nonhearsay: Records created by a process that does not involve a human assertion Telephone toll records Cell tower logs Embedded GPS data ATM records Web server logs There is no assertion made by a human being, at best, a commando Nature of Computer Evidence Mixed Hearsay and Nonhearsay Combination of hearsay and nonhearsay Email containing header information and content Documents created by a human being, but with creation date from file system Nature of Computer Evidence Nonhearsay records: Are not human statements Result from a program designed to process information Either: There is no person involved Or: The human conduct is non-assertive Issue is Authentication Is the computer equipment and software functioning Nature of Computer Evidence While computer evidence often falls under the business record exception for hearsay, Mostly is nonhearsay The real question is authentication Does the evidence says what it purports to say? We get back to authentication when we talk about expert witnessing Proper Care of Evidence Evidence collected by the state needs to be protected from fraud. This lays a burden on the state to provably preserve the evidence. Chain of custody. Breach of Chain of Custody Not every breach makes the item inadmissible. Not necessary to have the best security against tampering. Government agents are assumed to be trustworthy. But Chain of Custody Seized device is put in an Evidence Locker. Typically a closet safeguarded against intrusion. Records allow reconstruction of who had physical control over the device. Chain of Custody Working on the original. A forensic examination that is done directly on the original disk drive will make it difficult to argue that the evidence could not have been tampered with. Much better to make a “true copy” and examine the true copy. Proof that it is a true copy. Best Evidence Rule Copies are worse than originals, therefore they are not admissible unless the original has been destroyed. Does not apply to various computer outputs. Best Evidence Rule Except as otherwise provided by statute, no evidence other than the original of a writing is admissible to prove the content of a writing. This section shall be known and may be cited as the best evidence rule. California Rules of Evidence 1500. Best Evidence Rule Exceptions: Printed representations of computer information and computer programs. Printed representations of images stored on video or digital media. Secondary evidence of writings that have been lost or destroyed without fraudulent intent of the proponent of the evidence. Secondary evidence of unavailable writings. Secondary evidence of writings an opponent has, but fails to produce as requested. Secondary evidence of collateral writings that would be inexpedient to produce. Best Evidence Rule Exceptions: Secondary evidence of writings recorded in public records, if the record or an attested or certified copy is made evidence of the writing by statue. Secondary evidence of voluminous writings. Copies of writings that were produced at the hearing and made available to the other side. Certain official records and certified copies of writings in official custody. Photographic copies made as business records. Photographic copies of documents lost or destroyed, if properly certified. Copies of business records produced in compliance with Sections 1560-1561. Future The law argues by analogy. Justice takes (eventually) account of technology. Digital storage has qualitative properties that make it fundamentally different from writings. Ease of alteration. Possibility of completely accurate copy & transmission. Current law is still based on the case of manual copy. If the problems are big enough, either precedent will change or statutes will make the proper exceptions. Acquisition of Evidence Distinction between government agents and private citizens. Illegal actions by private citizens can yield admissible evidence and lead to their punishment. If a sworn law officer violates an amendment, the gained evidence is usually suppressed, but the officer is protected by sovereign immunity. Sovereign Immunity A sovereign or a government cannot commit a legal wrong and is immune from civil suit or criminal prosecution. Prosecutorial Immunity Judges, legislators, prosecutors enjoy qualified or unqualified immunity. Property of the role, not the person. I.e. a prosecutor’s immunity depends on whether they are acting in a prosecutorial role, an investigative role, etc. Prosecutorial Immunity Jean v. Collins police officers have absolute immunity for failure to turn over exculpatory material over to a criminal defendant, because they are performing a prosecutorial task. They have qualified immunity for not turning over the exculpatory material over to the prosecutor. Law enforcement officers do not enjoy sovereign immunity for willfully violating civil rights. Electronic Communications Privacy Act ("ECPA"), Title III Extends protection against wiretapping to communications between computers Know the exceptions Know the consequences of violating the title Electronic Communications Privacy Act ("ECPA"), Title III A person acting under the color of law can intercept electronic communication where such a person is party to the communication or one of the parties of the communication have given prior consent to such interception. Electronic Communications Privacy Act ("ECPA"), Title III "A person not acting under color of law" is also allowed to intercept an "electronic communication" where "such person is a party to the communication, or one of the parties to the communication has given prior consent to such interception." The consent can be implicit, e.g. by using a computer protected with login banners. ECPA Title III Concerns Title III also permits providers of a communication service, including an electronic communication service, the right to intercept communications as a "necessary incident to the rendition of his service" or to protect "the rights or property of the provider of that service." ECPA Title III Concerns Two exceptions to the last rule: If there is no actual damage, then the right to monitor does not exist. The government is not allow to do the monitoring, but they can profit from monitoring. Fourth Amendment The right of people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. Fourth Amendment Computer Storage = Closed Container such as a briefcase With Warrant: Limits to warrant because of privilege or additional protection. Without Warrant Expectation of Privacy Fourth Amendment No expectation of privacy Public display Material in some else’s hands Consent by co-owner or authorized person Exigent circumstances Plain view exception Lawful arrest Very difficult and interesting case law. Fourth Amendment Fundamental question: Does the individual enjoy a reasonable expectation of privacy in electronic information stored within a storage device. Courts equate storage devices to “closed container” Fourth Amendment Reasonable Expectation of Privacy and Third Party Possession Difference between data in transit (usually need warrant) and data received by third party. Received by third party: Can owner reasonably expect privacy: Bank account information that account holders divulge to the bank. Fourth Amendment Fourth Amendment does not apply to private searches. Private party cannot act as government agents: Repairman discovers many file names indicating child pornography, opens those, discovers child pornography, and informs LE. LE can repeat the original private search, but not exceed it. Fourth Amendment Searches using innovative technology applied to ordinary devices might need a warrant: Kyllo v. United States Supreme Court held that the warrantless use of a thermal imager to reveal the relative amount of heat released from the various rooms of a suspect's home was a search that violated the Fourth Amendment. Fourth Amendment Exceptions to the Warrant Requirement Consent Government carries burden of proof that the consent was voluntary. Scope of consent depends on the facts of each case. E.g.: does consent to search premises includes consent of storage devices found there. Fourth Amendment Exceptions to the Warrant Requirement Exigent Circumstances “would cause a reasonable person to believe that entry . . . was necessary to prevent physical harm to the officers or other persons, the destruction of relevant evidence, the escape of the suspect, or some other consequence improperly frustrating legitimate law enforcement efforts.” Arises in computer cases because some electronic evidence is volatile. Reasons for exigent circumstances limit the scope of the search. Fourth Amendment Exceptions to the Warrant Requirement Plain View Agent must in lawful position to observe and access the evidence and its incriminating character must be immediately apparent. E.g.: LE agent makes search of hard drive, comes upon evidence of an unrelated crime while conducting the search. Search Incident to a Lawful Arrest Search incident to arrest must be reasonable Strip searches are usually not reasonable. Inventory searches are reasonable. o But that should not support a search through seized computer files. Fourth Amendment Exceptions to the Warrant Requirement Border Searches “Routine searches” do not require a warrant: United States Customs Agents learned that William Roberts, a suspect believed to be carrying computerized images of child pornography, was scheduled to fly from Houston, Texas to Paris, France on a particular day. On the day of the flight, the agents set up an inspection area in the jetway at the Houston airport with the sole purpose of searching Roberts. Roberts arrived at the inspection area and was told by the agents that they were searching for "currency" and "high technology or other data" that could not be exported legally. Id. at 681. After the agents searched Roberts' property and found a laptop computer and six Zip diskettes, Roberts agreed to sign a consent form permitting the agents to search his property. A subsequent search revealed several thousand images of child pornography. Fourth Amendment Workplace Searches O'Connor Supreme Court Decision: the legality of warrantless workplace searches depends on often-subtle factual distinctions such as whether the workplace is public sector or private sector, whether employment policies exist that authorize a search, and whether the search is work-related. Fourth Amendment Workplace Searches Typical: A fellow employee who has equal control over a computer can consent to its search. Employers and supervisors who have authority over a computer can consent to its search. HELPFUL: An employment policy stating that the employer retains authority over its computers and networks. Fourth Amendment Multiple warrants might be needed in network searches. No-knock warrants: As a general matter, agents must announce their presence and authority prior to executing a search warrant. Sneak-and-Peek Warrants "surreptitious entry warrants" Privacy Protection Act Protects publishers against government searches of material that is acquired for publication Reaction to the Daily Stanfordian case Internet publishing allows much private computer material to fall under the PPA protection Privacy Protection Act Subject to certain exceptions, the PPA makes it unlawful for a government officer "to search for or seize" materials when (a) the materials are "work product materials" prepared, produced, authored, or created "in anticipation of communicating such materials to the public," 42 U.S.C. § 2000aa-7(b)(1); (b) the materials include "mental impressions, conclusions, or theories" of its creator, 42 U.S.C. § 2000aa-7(b)(3); and (c) the materials are possessed for the purpose of communicating the material to the public by a person "reasonably believed to have a purpose to disseminate to the public" some form of "public communication.“ OR Privacy Protection Act Subject to certain exceptions, the PPA makes it unlawful for a government officer "to search for or seize" materials when (a) the materials are "work product materials" prepared, produced, authored, or created "in anticipation of communicating such materials to the public," 42 U.S.C. § 2000aa-7(b)(1); (b) the materials include "mental impressions, conclusions, or theories" of its creator, 42 U.S.C. § 2000aa-7(b)(3); and (c) the materials are possessed for the purpose of communicating the material to the public by a person "reasonably believed to have a purpose to disseminate to the public" some form of "public communication.“ Privacy Protection Act Subject to certain exceptions, the PPA makes it unlawful for a government officer "to search for or seize" materials when the materials are "documentary materials" that contain "information," (b) the materials are possessed by a person "in connection with a purpose to disseminate to the public" some form of "public communication." Privacy Protection Act Exceptions the only materials searched for or seized are contraband, instrumentalities, or fruits of crime 2) there is reason to believe that the immediate seizure of such materials is necessary to prevent death or serious bodily injury 3) there is probable cause to believe that the person possessing such materials has committed or is committing the criminal offense to which the materials relate (an exception which is itself subject to several exceptions), 4) in a search for or seizure of "documentary materials" as defined by § 2000aa7(a), a subpoena has proven inadequate or there is reason to believe that a subpoena would not result in the production of the materials. Privacy Protection Act Was not intended for web journalism that raises questions of who is a journalist and what constitutes publication. Electronic Communications Privacy Act Protects third party data against law enforcement seizes E.g. internet provider. Electronic Communications Privacy Act Steve Jackson Games, Inc. v. Secret Service Steve Jackson Games, Inc. ("SJG") was primarily a publisher of role-playing games, but it also operated a network of thirteen computers that provided its customers with e-mail, published information about SJG products, and stored drafts of upcoming publications. Believing that the system administrator of SJG's computers had stored evidence of crimes, the Secret Service obtained a warrant and seized two of the thirteen computers connected to SJG's network, in addition to other materials. The Secret Service did not know that SJG's computers contained publishing materials until the day after the search. However, the Secret Service did not return the computers it seized until months later. At no time did the Secret Service believe that SJG itself was involved in the crime under investigation. Electronic Communications Privacy Act In Steve Jackson Games, the district court held the Secret Service liable under ECPA after it seized, reviewed, and (in some cases) deleted stored electronic communications seized pursuant to a valid search warrant. Pen/Trap Statute (amended 2001) Authorizes installation of pen-registers and trap-and-trace devices. Pen register only records dialing, routing, and address information for electronic outgoing communications. Trap-and-Trace: same for incoming communications. Court order for pen/trap device requires only a statement by the investigator that the information is likely to be relevant to a criminal investigation. USA Patriot Act (2001) Contains “sneak and peek” authority Delayed notification of physical searches for up to 90 days. Already norm in wiretap cases. Dalia v. U.S. 1979: o Feds implanted a hidden microphone pursuant to a search warrant. o Notification was delayed until surveillance was ended. Allows installation of electronic surveillance devices authorized for the whole U.S. important for working with IP providers. Gives immunity to persons providing technical assistance. Legally Privileged Documents Need to prevent ongoing investigation from using legally privileged documents. Medical records. Attorney-client communications. Priest-penitent communications. Case Law Kleiner vs. Burns, 2000 Defendant only produced limited correspondence in the original discovery request. Court imposed sanctions and enjoined defendant to try harder Rowe Entm’t Inc. v. William Morris Agency, Inc. (2002) Distribution of Costs of Discovery Zubulake v. UBS Warburg (2003) Standard gender discrimination case Court revisited costs of discovery Case Law Alexander v. FBI (1998) Limits large-scale digital discovery to targeted and appropriately worded searches of backed up and archived e-mail messages Crown Life Ins. v. Craig Ltd (1993) Sanctions imposed for precluding evidence and failure to comply with court order Brand Name Prescription Drug Antitrust Litigation (1995) Early case about burden of discovery Simon Prop. Group vs. mySimon Inc. Discovery extends to recoverable, but deleted files Case Law Santiago v. Miles (1988) Raw computer information is obtainable under discovery: special tool was created for extraction of data for the court. Anti-Monopoly Inc. v. Hasbro, Inc (1995) Not only hard copies, but also electronic documents are discoverable Playboy Ent. v. Welles (1999) Burden of cost factors is only limitation to discovery requests for copying and examining a hard drive for emails People v. Hawkins (2002) Importance of time in computers. Allowed printout of computer access times. Proper functioning of computer clock relevant to case. Case Law U.S. v. Allen (1997) “Merely raising the possibility of tampering is insufficient to render evidence inadmissible” U.S. v. Bonallo (1988) “The fact that it is possible to alter data contained in a computer is plainly insufficient to establish untrustworthiness” Arizona v.Yougblood (1988) Requires defendant to demonstrate that the police acted in bad faith in failing to preserve the evidence. Easaly, McCaleb & Assoc. v. Perry (1994) Deleted but recoverable files are discoverable RKI, Inc. v. Grimes (2001) Defendant was fined after defendant conducted a disk defrag before discovery in order to destroy evidence State v. Cook (2002) Upheld admissibility of bit stream analysis after export testimony on imaging process, authenticity methods, and possibility of tampering V Cable, Inc. v. Budnick (2001) Evidence collection by private agency is trustworthy under rule 803(6)