It’s a Computer, M’Lud!
Neil Barrett

Introduction
  - The law and computers
  - The nature of computer evidence
  - Obtaining evidence from computers
  - Preparing statements for court
  - The role of the expert witness
  - Courtroom experience
  - Current defence strategies and tactics
  - The future for computer evidence

The Law and Computers
  - Computer Misuse Act 1990
  - Data Protection Act 1998
  - Laws of Pornography
    - Obscene Publications Act 1959
    - Protection of Children Act 1978
    - Criminal Justice Act 1988
  - Laws of ‘Harm’
    - Theft Act 1968/1978
    - Offences Against the Person Act 1861

Computer Misuse Act 1990
  - Data is not ‘Property’
    - Oxford v Moss 1978
    - “Confidential information is not property”
  - Accessing a computer illicitly is not ‘Fraud’
    - R v Gold 1988
    - A password is not a ‘false instrument’
  - Judicial review produces a new law

Computer Misuse Act 1990 (2)
  - Section 1 – Unauthorised Access
    - An offence to access a computer knowing that the access is not authorised
    - Summary offence; 6 months and/or £5,000
  - Section 2 – Unauthorised Access with Intent
    - An offence to commit Section 1 with intent to commit a further arrestable offence
    - Arrestable offence; 5 years and/or £unlimited
  - Section 3 – Unauthorised Modification
    - An offence to modify any computer so as to impair the operation of any computer
    - Arrestable offence; 5 years and/or £unlimited

Computer Misuse Act 1990 (3)
  - Outlaws hacking for:
    - Curiosity
    - To steal credit cards, information, etc
    - To damage something – web defacement, etc
  - Outlaws computer viruses
  - But not obviously Denial of Service attacks
    - Review currently underway
    - Bill failed in Lords – rightly so!

Implications of Computer Misuse Act
  - Data stored on computers is not protected by the laws of property
    - So must be protected under CMA
  - Means you must define ‘authorised’ access
    - Acceptable Use Policy statements
    - On internal computers and on Web sites!

Other Laws
  - Data Protection Act 1998
    - Makes it an offence for the hacker to process personal data
      - E.g. credit cards
    - But Principle 7 says you must enact ‘adequate technical and organisational’ mechanisms to protect it
  - Protection of Children Act 1978
    - An offence to publish ‘indecent photographs’ of children
  - Criminal Justice Act 1988
    - An offence knowingly to possess them

Other Laws (2)
  - Theft Acts
    - An offence to demand money with threats
    - E.g., Denial of Service plus extortion
  - Offences Against The Person Act
    - An offence to harass, threaten, etc
  - Also, laws against defamation
    - Slander or Libel?

Laws and Computers
  - A rich set of laws cover computer use and misuse
  - Computer is the
    - Agent
    - Victim
    - Witness
  - Means that computers will be ‘in the witness box’; or ‘on the exhibits table’

Nature of Computer Evidence
  - Evidence is ‘That which can be seen’; or ‘That which shows something’
  - Computer data cannot be ‘seen’
    - But it can be used to show something
    - And it can be represented to a court
  - But the process of turning computer records into evidence must be done carefully

Nature of Evidence
  - Direct versus Circumstantial
    - Computer evidence is ‘Direct’ if automatically produced; otherwise ‘Circumstantial’
  - Real, Original and Hearsay
    - Again, relates to the ‘automatically produced’ aspect
  - Example, an email message
    - Real evidence is the hard disk drive
    - Original evidence is the header detail and records
    - Hearsay evidence is the email content

Nature of Evidence (2)
  - Hearsay evidence is generally not admissible
    - Unless special provision is made
  - Must be able to produce ‘Best Evidence’
    - In practice, means produce the disk drive as an exhibit
    - But then derive further exhibits by the process of forensics from this disk

Computer Forensics
  - The process of deriving evidence from computer data
  - Requires that the data is shown to be reliably obtained
    - Is not changed in any way
    - Is complete
    - Can be repeated
  - And most importantly, that it can be understood!

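The Computer Forensics requirements above (not changed, complete, repeatable) are commonly demonstrated by recording cryptographic digests when the copy is taken and re-running them later. The following is an added example, not part of the original slides: it images a file, records SHA-256 digests for the whole file and for each block, and re-verifies the working copy. The file names, the 4096-byte block size, the manifest layout and the sample data are all assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

BLOCK = 4096  # assumed block size for the per-block digests

def hash_blocks(path, block=BLOCK):
    """Return (whole-file SHA-256, per-block SHA-256 list, size in bytes)."""
    whole, blocks, size = hashlib.sha256(), [], 0
    with open(path, "rb") as fh:  # read-only: never opened for writing
        while chunk := fh.read(block):
            whole.update(chunk)
            blocks.append(hashlib.sha256(chunk).hexdigest())
            size += len(chunk)
    return whole.hexdigest(), blocks, size

def acquire(source, image, block=BLOCK):
    """Copy source to image, hash both, and return the manifest to be recorded."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        while chunk := src.read(block):
            dst.write(chunk)
    src_hash, src_blocks, src_size = hash_blocks(source, block)
    img_hash, _, img_size = hash_blocks(image, block)
    if (src_hash, src_size) != (img_hash, img_size):
        raise ValueError("image is not a faithful copy of the source")
    return {"sha256": src_hash, "blocks": src_blocks, "size": src_size, "block": block}

def verify(path, manifest):
    """Repeat the hashing: is the copy unchanged, complete, and if not, where?"""
    digest, blocks, size = hash_blocks(path, manifest["block"])
    changed = [i for i, (a, b) in enumerate(zip(blocks, manifest["blocks"])) if a != b]
    return {"unchanged": digest == manifest["sha256"],
            "complete": size == manifest["size"], "changed_blocks": changed}

def demo():
    """Constructed sample: a 3-block 'disk' is imaged, then one byte is altered."""
    with tempfile.TemporaryDirectory() as tmp:
        source, image = os.path.join(tmp, "disk.bin"), os.path.join(tmp, "disk.img")
        with open(source, "wb") as fh:
            fh.write(b"A" * BLOCK + b"B" * BLOCK + b"C" * 100)
        manifest = acquire(source, image)
        before = verify(image, manifest)
        with open(image, "r+b") as fh:  # simulate contamination of the working copy
            fh.seek(BLOCK + 10)
            fh.write(b"X")
        after = verify(image, manifest)
        return before, after

if __name__ == "__main__":
    print(demo())
```

Anyone holding the manifest can repeat `verify` on the same image and must get the same answer; the per-block digests narrow a mismatch down to the affected block.
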
Sources of Computer Evidence
  - Personal Computers
  - Server Computers
  - Principally, the disk drive
  - Running processes
  - Contents of file system
  - Removable media
  - Automatically-produced log files
    - E.g., firewall, IDS, proxy, etc

Evidence Process
  - Identify
    - What sources are available?
  - Seize
    - ‘Bag and Tag’ Best Evidence
  - Transport
    - Safely and responsibly take the best evidence to a secure location
  - Receive
    - Accept responsibility for the evidence
  - Store
    - Ensure securely held free from risk of contamination

Evidence Process (2)
  - Preserve
    - Take a reliable copy of the evidence
  - Reserve
    - Put the original Best Evidence source in a secure place
  - Analyse
    - Investigate the evidence on the preserved copy
  - Produce
    - Identify the exhibits that establish facts
  - Testify
    - Create a statement and go to court

Problems
  - Evidence from running computers
  - Volumes of data to be analysed
  - Making sure process of analysis doesn’t change data
    - Use an ‘Imaging’ program like EnCase?
  - Proving you haven’t changed anything
    - How do you make this ‘repeatable’?
    - Best is to make change impossible
  - Presenting the stuff in court!

Statements

Statements (2)
  - Qualifications
  - Statement of understanding
    - “I am told that the defendant had a computer…”
  - Definitions of terms
  - Points to be addressed
    - “I am asked to consider…”
  - Findings

Expert Witnesses
  - Servants of the court
    - Help court to understand complex evidence ‘outside of their normal experience’
  - Allowed to express an opinion
  - Allowed to attend entire trial
  - Paid for attendance
  - Must be able to demonstrate their expertise
    - E.g., academic qualifications

Pre-Trial Experience
  - Experts for prosecution and for defence
    - Exchange statements
    - Raise and exchange ‘Rebuttal Statements’
  - Meet to agree evidence
    - What is agreed?
    - What is agreed as disagreed?
    - What points need not be put before the court?
    - Common terms and definitions

Courtroom Experience
  - Prosecution bats first
    - So definitions are presented by the expert called for the prosecution
  - Examination
    - Initial points, then detail
  - Cross-examination
    - Defence tries to trip you up
  - Re-examination
    - Prosecution picks you up and dusts you down

Problems in Court
  - Being led by the defence questions
    - “It’s right, isn’t it…?”
  - Being lured into providing arcane details
    - “Perhaps the witness would care to explain public key cryptography to the Jury?”
  - Being led outside area of expertise
    - “Perhaps the witness would care to explain how he can be sure that this was a picture of a child?”

Defence Tactics
  - Current best defence is the ‘Trojan defence’
    - Computer was hacked
      - R v Caffrey – ‘Invisible’ hacker
    - Computer had a virus
    - Computer had a series of pop-ups
  - Most laws require the prosecution to prove intent
    - Mens Rea?

Trojan Defence in Child Pornography
  - Criminal Justice Act 1988
    - It is an offence to possess an indecent photograph of a child
    - It is a defence for the accused to prove
      - He had not looked at it and had no reason to believe it was indecent; or
      - He did not ask for it, it was not asked for on his behalf, and he took steps to remove it as soon as possible

Trojan Defence (2)
  - Pop up is an involuntary download
    - But still in possession
  - If pop-up, will have looked at it
  - Was it asked for on his behalf?
  - And if it’s still in Temporary Internet Files, could we argue he did not take steps to remove it?
  - And, crucially, is this fair?

The Future?
  - Encryption and secure deletion will spoil a lot of current ‘Best Evidence’
    - But we will still have lots of records
  - Need to ensure ruling in R v Caffrey does not spoil other cases
  - Need a way to educate juries
  - Need a way to train lawyers
  - Need broader knowledge of the issues!

Thank you!
neil.barrett@btinternet.com
07712 865774
Prof Neil Barrett
Centre for Forensic Computing
RMCS Shrivenham
University of Cranfield
Shrivenham
Swindon