It’s a Computer, M’Lud!
Neil Barrett

Introduction
- The law and computers
- The nature of computer evidence
- Obtaining evidence from computers
- Preparing statements for court
- The role of the expert witness
- Courtroom experience
- Current defence strategies and tactics
- The future for computer evidence

The Law and Computers
- Computer Misuse Act 1990
- Data Protection Act 1998
- Laws of Pornography
  - Obscene Publications Act 1959
  - Protection of Children Act 1978
  - Criminal Justice Act 1988
- Laws of ‘Harm’
  - Theft Act 1968/1978
  - Offences Against the Person Act 1861

Computer Misuse Act 1990
- Data is not ‘Property’
  - Oxford v Moss 1978
  - “Confidential information is not property”
- Accessing a computer illicitly is not ‘Fraud’
  - R v Gold 1988
  - A password is not a ‘false instrument’
- Judicial review produces a new law

Computer Misuse Act 1990 (2)
- Section 1 – Unauthorised Access
  - An offence to access a computer knowing that the access is not authorised
  - Summary offence; 6 months and/or £5,000
- Section 2 – Unauthorised Access with Intent
  - An offence to commit Section 1 with intent to commit a further arrestable offence
  - Arrestable offence; 5 years and/or £unlimited
- Section 3 – Unauthorised Modification
  - An offence to modify any computer so as to impair the operation of any computer
  - Arrestable offence; 5 years and/or £unlimited

Computer Misuse Act 1990 (3)
- Outlaws hacking for:
  - Curiosity
  - To steal credit cards, information, etc
  - To damage something – web defacement, etc
- Outlaws computer viruses
- But not obviously Denial of Service attacks
  - Review currently underway
  - Bill failed in Lords – rightly so!

Implications of Computer Misuse Act
- Data stored on computers is not protected by the laws of property
- So must be protected under CMA
- Means you must define ‘authorised’ access
- Acceptable Use Policy statements
  - On internal computers and on Web sites!

Other Laws
- Data Protection Act 1998
  - Makes an offence for the hacker to process personal data
    - E.g. credit cards
  - But Principle 7 says you must enact ‘adequate technical and organisational’ mechanisms to protect it
- Protection of Children Act 1978
  - An offence to publish ‘indecent photographs’ of children
- Criminal Justice Act 1988
  - An offence knowingly to possess them

Other Laws (2)
- Theft Acts
  - An offence to demand money with threats
  - E.g., Denial of Service plus extortion
- Offences Against The Person Act
  - An offence to harass, threaten, etc
- Also, laws against defamation
  - Slander or Libel?

Laws and Computers
- A rich set of laws cover computer use and misuse
- Computer is the
  - Agent
  - Victim
  - Witness
- Means that computers will be
  - ‘in the witness box’; or
  - ‘on the exhibits table’

Nature of Computer Evidence
- Evidence is
  - ‘That which can be seen’; or
  - ‘That which shows something’
- Computer data cannot be ‘seen’
- But it can be used to show something
- And it can be represented to a court
  - But the process of turning computer records into evidence must be done carefully

Nature of Evidence
- Direct versus Circumstantial
  - Computer evidence is ‘Direct’ if automatically produced; otherwise ‘Circumstantial’
- Real, Original and Hearsay
  - Again, relates to the ‘automatically produced’ aspect
- Example, an email message
  - Real evidence is the hard disk drive
  - Original evidence is the header detail and records
  - Hearsay evidence is the email content

Nature of Evidence (2)
- Hearsay evidence is generally not admissible
  - Unless special provision is made
- Must be able to produce ‘Best Evidence’
- In practice, means produce the disk drive as an exhibit
- But then derive further exhibits by the process of forensics from this disk

Computer Forensics
- The process of deriving evidence from computer data
- Requires that the data is shown to be reliably obtained
  - Is not changed in any way
  - Is complete
  - Can be repeated
- And most importantly, that it can be understood!

Sources of Computer Evidence
- Personal Computers
  - Principally, the disk drive
- Server Computers
  - Running processes
  - Contents of file system
- Removable media
- Automatically-produced log files
  - E.g., firewall, IDS, proxy, etc

Evidence Process
- Identify
  - What sources are available?
- Seize
  - ‘Bag and Tag’ Best Evidence
- Transport
  - Safely and responsibly take the best evidence to a secure location
- Receive
  - Accept responsibility for the evidence
- Store
  - Ensure securely held free from risk of contamination

Evidence Process (2)
- Preserve
  - Take a reliable copy of the evidence
- Reserve
  - Put the original Best Evidence source in a secure place
- Analyse
  - Investigate the evidence on the preserved copy
- Produce
  - Identify the exhibits that establish facts
- Testify
  - Create a statement and go to court

Problems
- Evidence from running computers
  - How do you make this ‘repeatable’?
- Volumes of data to be analysed
- Making sure process of analysis doesn’t change data
  - Use an ‘Imaging’ program like EnCase?
- Proving you haven’t changed anything
  - Best is to make change impossible
- Presenting the stuff in court!

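One way to carry out the Preserve step and to answer "proving you haven't changed anything" in a repeatable form, as an added example that is not part of the original slides. The slides name no mechanism; the use of SHA-256 digests, the function names and the constructed sample image are all assumptions made here.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so a large image never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def preserve(original, working_dir):
    """Preserve: take a copy and show it is reliable (assumed method: digests)."""
    original = Path(original)
    before = sha256_file(original)
    copy = Path(working_dir) / (original.name + ".working")
    shutil.copyfile(original, copy)
    # The copy must match, and copying must not have altered the original.
    if not (before == sha256_file(copy) == sha256_file(original)):
        raise RuntimeError("unreliable copy: digests differ")
    os.chmod(copy, stat.S_IRUSR)  # analysis happens on a read-only copy
    return {"original": str(original), "copy": str(copy), "sha256": before}

def verify(record):
    """Repeatable check: anyone can re-hash both files against the record."""
    return {
        "original_unchanged": sha256_file(record["original"]) == record["sha256"],
        "copy_unchanged": sha256_file(record["copy"]) == record["sha256"],
    }

def demo():
    """Run the process on a constructed sample image, then alter the copy."""
    with tempfile.TemporaryDirectory() as d:
        src = Path(d) / "disk.img"
        src.write_bytes(b"constructed sample image " * 4096)
        record = preserve(src, d)
        clean = verify(record)
        # Simulate an analysis tool that writes one byte to the working copy.
        os.chmod(record["copy"], stat.S_IRUSR | stat.S_IWUSR)
        with open(record["copy"], "r+b") as f:
            f.seek(10)
            f.write(b"X")
        return clean, verify(record)

if __name__ == "__main__":
    print(demo())
```
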
Statements

Statements (2)
- Qualifications
- Statement of understanding
  - “I am told that the defendant had a computer…”
- Definitions of terms
- Points to be addressed
  - “I am asked to consider…”
- Findings

Expert Witnesses
- Servants of the court
- Help court to understand complex evidence ‘outside of their normal experience’
- Allowed to express an opinion
- Allowed to attend entire trial
- Paid for attendance
- Must be able to demonstrate their expertise
  - E.g., academic qualifications

Pre-Trial Experience
- Experts for prosecution and for defence
- Exchange statements
- Raise and exchange ‘Rebuttal Statements’
- Meet to agree evidence
  - What is agreed?
  - What is agreed as disagreed?
  - What points need not be put before the court?
  - Common terms and definitions

Courtroom Experience
- Prosecution bats first
  - So definitions are presented by the expert called for the prosecution
- Examination
  - Initial points, then detail
- Cross-examination
  - Defence tries to trip you up
- Re-examination
  - Prosecution picks you up and dusts you down

Problems in Court
- Being led by the defence questions
  - “It’s right, isn’t it…?”
- Being lured into providing arcane details
  - “Perhaps the witness would care to explain public key cryptography to the Jury?”
- Being led outside area of expertise
  - “Perhaps the witness would care to explain how he can be sure that this was a picture of a child?”

Defence Tactics
- Current best defence is the ‘Trojan defence’
- Computer was hacked
  - R v Caffrey – ‘Invisible’ hacker
- Computer had a virus
- Computer had a series of pop-ups
- Most laws require the prosecution to prove intent
  - Mens Rea?

Trojan Defence in Child Pornography
- Criminal Justice Act 1988
  - It is an offence to possess an indecent photograph of a child
  - It is a defence for the accused to prove
    - He had not looked at it and had no reason to believe it was indecent; or
    - He did not ask for it, it was not asked for on his behalf, and he took steps to remove it as soon as possible

Trojan Defence (2)
- Pop up is an involuntary download
- But still in possession
- If pop-up, will have looked at it
- Was it asked for on his behalf?
- And if it’s still in Temporary Internet Files, could we argue he did not take steps to remove it?
- And, crucially, is this fair?

The Future?
- Encryption and secure deletion will spoil a lot of current ‘Best Evidence’
- But we will still have lots of records
- Need to ensure ruling in R v Caffrey does not spoil other cases
- Need a way to educate juries
- Need a way to train lawyers
- Need broader knowledge of the issues!

Thank you!



neil.barrett@btinternet.com
07712 865774
Prof Neil Barrett
Centre for Forensic Computing
RMCS Shrivenham
University of Cranfield
Shrivenham
Swindon