- Количество слайдов: 55
Law, Guidelines and Forensics Dr Jill Slay
Objectives • In this module we will discuss: – – – – Role of Computer Forensics in Law Enforcement Objective of Computer forensics Principles of evidence Problems with Computer evidence Australian Computer Crime Legislation Categorisations of E-crime Cybercrime Act of 2001 Forensic Computing and Business and Accounting Legislation and Guidelines
Role of Computer Forensics in Law Enforcement • • • Early cases involved fraud Later cases involved networking Nowadays three roles of computer in electronic crime 1. Computer as a tool 2. Computer as a target 3. Computer as storage device
Objective of Computer forensics • Types of examination – – – – – Content of data files Comparison of data to known document and data files File transactions, time and sequence Extraction of data files from computer Recovery of deleted data files Format conversion of data files Keyword searching in data Passwords recovered and decrypted Source code analysis and comparison Storage media examined
Objective of Computer forensics • Network history collection – Browser – Email • Graphics and Multimedia file examination
Most common crimes investigated internationally needing forensic Investigation • • Fraud Murder Drug crime Paedophilia Organised crime Terrorism Hacking
Principles of evidence • Computer evidence must be: – – – Admissible and conform to legal rules Authentic and be possible to tie the evidence to the incident Complete and tell the whole story, not one perspective Reliable and dependable in content and process Believable and understandable to a jury
Problems with Computer evidence • • Can be easily altered or deleted Can be invisibly and undetectably altered Can travel with other data Can be stored in a different format to that in which it is displayed • It is difficult for layman, police, judge and jury to understand
Problems with Computer evidence • In summary of previous slide, computer evidence is: – Mutable, subject to change – Volatile, reflecting system’s current state
Australian Computer Crime Legislation • Australian Federal and State law has had to be adapted to deal with the growth in magnitude and sophistication of computer crime. • Federal and State legislation is similar in its scope; – Federal legislation deals solely with offences committed against or using Commonwealth government IT infrastructure. – Each state has its own legislation and while we would expect to find major similarities between individual State legislations, we will also discover that there are some dissimilarities between the states.
Federal Criminal Legislation • Cybercrime Act of 2001. • In January 2001, the Model Criminal Code Damage and Computer Offences Report (Cybercrime Act 2001) was produced as a result of consultation between the varying Commonwealth and State justice and law enforcement agencies • This Commonwealth Act produces a number of new offences, such as denial of service, virus propagation and provides legislative ‘powers’ to aid law enforcement agencies in the investigation if these crimes.
Electronic Crime • The South Australian Police Department (SAPOL 2003) defines electronic crime as: ‘Offences where a computer or other electronic device is used as a tool in the commission of an offence, or as a target of an offence, or used as a storage device in the commission of an offence. ’
Categorisations of E-crime Tier 1 General duties • Examples of the types of offences that may fall into this category are: – – internet frauds threatening or offensive emails stolen computer hardware and software stalking other investigations of a similar typology.
Categorisations of E-crime • Tier 2 • CIB • Examples of the types of offences that may fall into this category are: – – – multi-jurisdictional and pattern crime internet fraud offences. unlawful computer access serious threats to harm or kill serious fraud or dishonesty offences child pornography and paedophilia matters other investigations of a similar typology.
Categorisations of E-crime • Tier 3 investigation responsibilities • Electronic Crime Section and will include • Electronic crimes of a significant, serious, political, national, international or terrorist nature. • Examples of the types of offences that may fall into this category are: – – terrorism high level computer hacking. infrastructure sabotage manufacture of malicious code (eg virus, worm and trojan). serious impairment of electronic communication (eg denial of service attacks) – other investigations of a similar typology.
Cybercrime Act of 2001. • The offences are divided into serious computer offences and other computer offences. • The offences are designed to address instances of hacking where Commonwealth data or data contained within Commonwealth computers are the target of offenders. • Additionally, crimes facilitated through the use of telecommunications services are also captured within these offences.
Serious Computer Offences • Unauthorised access, modification or impairment with intent to commit a serious offence (Section 477. 1 Criminal Code Act) • Unauthorised modification of data to cause impairment (Section 477. 2 Criminal Code Act) • Unauthorised impairment of electronic communication (Section 477. 3 Criminal Code Act)
Other Computer Offences • Unauthorised access to, or modification of, restricted data (Section 478. 1 Criminal Code Act) • Unauthorised impairment of data held on a computer disk etc. (Section 478. 2 Criminal Code Act) • Possession or control of data with intent to commit a computer offence (Section 478. 3 Criminal Code Act) • Producing, supplying or obtaining data with intent to commit a computer offence (Section 478. 4 Criminal Code Act)
Other Computer Offences • Unauthorised access to or modification of computer data (Section 86 C CLCA) • Unauthorised impairment of electronic communication (Section 86 D CLCA) • Use of a computer with intention to commit, facilitate the commission of an offence (Section 86 E CLCA) • Use of computer to commit, or facilitate the commission of, an offence outside the State (Section 86 F CLCA)
Other Computer Offences • Unauthorised modification of computer data (Section 86 G CLCA) • Unauthorised impairment of electronic communication (Section 86 h CLCA) • Possession of computer viruses etc with intent to commit a serious offence Section 86 I CLCA) • Unlawful operation of computer system (Section 44 S. O. A. ) • Unauthorised impairment of data held in credit card or on computer disk or other device (Section 44 A S. O. A. )
Thrust of legislation • In its entirety, this legislation deals with – unauthorised modification of data (without permission of the owner of the data), – impairment of communication within a network, – use of a computer to modify data (hacking) or to commit another offence inside or outside of the State and – all types denial of service.
Thrust of legislation 1. If an offender accesses a system and does no harm to it, they have still committed an offence. 2. it is an offence to damage data stored on a computer disk, credit card or other kind of device used to store data by electronic means 3. Other legislation includes: • Dishonest manipulation of machines (Section 141 CLCA) • Unlawful stalking (Section 19 AA CLCA) • Interference with approved system or equipment (Section 41 of the Casino Act) • Making available or supplying objectionable matter on on-line service (Section 75 C Classification (Publication, Films & Computer Games) Act) • Making available or supplying matter unsuitable for minors on on-line service (Section 75 D Classification (Publication, Films & Computer Games) Act)
Why is the Cybercrime legislation important? • We would expect that any kind of breach of this legislation which was prosecuted would then demand a forensic investigation: – Hacking – Denial of service – Pornography • Investigators need to be ready for this
But other crimes need forensic computing input • Fraud – examination of accounts • Murder – what was on victim’s pc, phone, i. Pod, pda • Suicide – was it really suicide? • Need to know the same answers if we arrest a suspect for: – Drug offence – Terrorism
Forensic Computing and Business and Accounting Legislation and Guidelines
New US Accounting Reform Laws and forensic computing • • • Sarbanes-Oxley Act of 2002 Enron case affects all multi-national companies mandates retention of electronic documents imposes strict criminal penalties for altering or destroying records, including those kept in electronic form, and • mandates production of electronic records and other documents when summoned • Computer forensics mandatory process whenever the results of a computer investigation may ultimately be presented in a legal or administrative proceeding.
Australian Guidelines • HB 171: 003 Guidelines for the management of IT evidence • gives ‘guidance on the management of electronic records that may be used in judicial or administrative proceedings, whether as a plaintiff, defendant or witness’ • useful where suspect criminal activity is to be referred to appropriate authorities for investigation. ’
IT Security Risk • The greatest risk we are thus managing in an IT Security sense is two fold: • If we do not ensure appropriate record keeping systems are designed and developed we will have no evidence for any kind of judicial or administrative investigation • If we do not take full cognisance of legal and forensic computing requirements our records, however technically accurate, may not be legally admissible in court
Basic principles for the management of IT evidence • In HB 171: 003 Guidelines for the management of IT evidence are presented. These include: • 1. ‘Obligation to provide records’ • 2. ‘Design for evidence’ • 3. ‘Evidence collection’ and ‘Custody of records’, • The guidelines give a full picture of how investigations must be carried out and also give information on principles for recovery of digital evidence (HB-171, 2003, p. 27), principles for evidence collection and the role and duties of expert witnesses in this context.
Challenges in court • Based on – Computer Forensics: The Need for Standardization and Certification by Matthew Meyers and Marc Rogers 1. Search and Seizure • • An illegal search and seizure or improper methodology employed during search and seizure can negatively affect the admissibility of the evidence. The Trojan defence (the big wooden horse did it!)
Challenges in court 2. The “Expert” • an area of contention is whether one can be considered an expert solely based on the ability to use a tool or software package, without the ability to clearly define how the tool works or reviewing the source code. • The majority of the tools and software used in computer forensics is proprietary and copyrighted, thus negating the ability to access the source code.
Challenges in court 3. Analysis and Preservation • If the evidence makes it through the first two stages, it must be proven that the analysis and preservation was conducted properly.
The Future • Defence lawyers will become more expert in forensic computing issues challenging – Prosecution expertise – Expert witnesses – Tools and techniques
An American Perspective from Professor Golden Richard III • Legal Issues – – – – – Investigatory needs vs. the right to privacy What constitutes computer crime? Fourth Amendment to the U. S. Constitution Search warrants vs. wiretap orders Fifth Amendment to the U. S. Constitution Jurisdiction: Who cares? Who prosecutes? Admissibility of evidence in court Chain of custody issues Digital Millennium Copyright Act (DMCA) Patriot Act
Privacy • Fourth Amendment – Government is not allowed unreasonable search and/or seizure of property – Does not apply for non-governmental (e. g. , corporate) investigators – Complicated—court tries to balance privacy and need to control crime – Individual must reasonably expect privacy in whatever scenario is being evaluated – Society must believe expectation of privacy is reasonable – Example: Sitting in a public park, counting pictures of people you’ve murdered…NO expectation of privacy!
Fourth Amendment • More Examples: – Random stops on highway • OK. Primarily to ensure highway safety, not investigate crime – Use of a phone booth • When door is shut, reasonable expectation of privacy • Can’t snoop without appropriate court orders • Can’t place microphone on outside of phone booth – Placing computer in outdoor trash • Not reasonable to expect that this is a private container • No right to privacy here, and police can search your trash legally
Fourth (2) • • Drug sniffing dogs are not considered a search Limited, “reveal only contraband” Commonly available? Yes? If a dog could sniff drugs in your house from the street, is it a search? Probably not, if “reveal only contraband” exception holds If dogs are replaced by a recently developed sniffing technology, legal? Probably not, because technology not in common use Dogs issue very controversial, many think that court needs to reconsider this issue
Fourth Amendment (3) • Thermal imager to find hotspots in a house, potentially indicates use of high-intensity lights to grow herbs… – Supreme Court said (in 2001) that use of thermal imager revealed things inside the house that could not have otherwise been discovered without a physical search, so violates 4 th amendment – Close decision, hinged on fact that thermal imager is not widely used by the public – If it was, then no reasonable expectation of privacy?
Fourth (4) • Fourth Amendment + Computers • From: http: //www. cybercrime. gov/s&smanual 2002. htm – To determine whether an individual has a reasonable expectation of privacy in information stored in a computer, it helps to treat the computer like a closed container such as a briefcase or file cabinet. The Fourth Amendment generally prohibits law enforcement from accessing and viewing information stored in a computer without a warrant if it would be prohibited from opening a closed container and examining its contents in the same situation. • Computer 3 rd party may render 4 th amendment rights void • Example: Getting computer fixed, technician discovers something illegal, turns you over to the police • Government can recreate search which was performed by a non-government entity (e. g. , your wife!) but not exceed the scope of the original search without a warrant
Fourth (5) • Bottom line: if you’re law enforcement, all this matters • Otherwise, Fourth Amendment doesn’t even apply • Doesn’t mean that you can hack into whatever you wish w/o worry. . • An individual or corporation’s right to search is governed by other laws
Fifth Amendment • Protection against self-incrimination in giving testimony • ‘No person shall be compelled in any criminal case to be a witness against himself’ • Applies if the act of producing papers or records has a selfincriminatory ‘communicative’ or ‘testimonial’ aspect • Never applies to corporations • Never applies to corporate records • Once document is given to another, fourth and fifth amendment protection is lost
Fifth (2) • Can not use the fifth amendment to avoid testifying against another individual (e. g. , friend, spouse) – Obstruction of justice • Encryption keys on shaky ground in US • Key itself does not incriminate you…material it PROTECTS may incriminate you • If key is written down, you must present it • If it’s memorized, you may be protected from revealing it (in the United States)
Encryption Keys • UK, India, Singapore, Malaysia – Must produce encryption keys when under warrant – UK: Gag clause: 5 years imprisonment for revealing that order to reveal encryption keys was served • US – When key in possession of third party, you’re probably in trouble – Third party cannot “claim the 5 th” to avoid disclosing keys – Essentially, to be protected you probably need to memorize the keys (as on previous slide)
More on Encryption Keys, 4 th, 5 th • “Self Incrimination and Cryptographic Keys” (Sergienko) • Documents receive very little protection under 4 th, 5 th amendments • View of Supreme Court seems to be that government can compel production of documents (“give me the document”) because government did not compel defendant to write the document in the first place • This article states that at least one view holds that written cryptographic keys cannot be distinguished from the documents they protect • If you can subpoena the documents, you can subpoena the written keys
More on Keys (2) • What about memorized keys? • Difference between physical evidence and testimonial evidence (blood sample vs. “I admit that I killed him”) • Non-cryptographic key (e. g. , a house key) is physical evidence • Physical key thus NOT protected! Courts have upheld seizure of such physical evidence under the 4 th Amendment and compulsory production OK under the 5 th • Choosing a key whose utterance confesses a crime (“ikilledjoebecauseididn’tlikehim”) may offer some protection • Uttering key is self-incriminating? ! • Dangerous ground here, though!
More on Keys (3) • If the key doesn’t have “testimonial content” (uttering it is admission of a crime), why is an encryption key different from a physical key? • Can’t refuse to produce physical key sowhy would it be OK to refuse to produce an encryption key? • Person may not be required to “restate, repeat, or affirm the truth of the contents of the documents sought” when such would be self-incriminating • Forcing production of key may ‘cause’ document to be restated in an intelligible fashion • If encryption key authenticates a document… • Person has never revealed key/document to anyone else • …then production of the key might authenticate the document • 5 th Amendment protection would be triggered
Admissibility of Evidence • Chain of custody must be thoroughly recorded • Any person in the chain might be called to testify that evidence was not modified or subjected to contamination • Older: Frye test – Is the technique generally accepted in its particular scientific community? • Newer: Daubert test – (e. g. , See: http: //www. skepticreport. com/mystics/dauberttest. htm) – A witness qualified as an expert by knowledge, skill, experience, training, or education, may testify in the form of an opinion or otherwise, if: • the testimony is based upon sufficient facts or data, • the testimony is the product of reliable principles and methods, and • the witness has applied the principles and methods reliably to the facts of the case.
Daubert (2) • Factors: – Whether theory or technique has been scientifically tested – Whether theory or technique has been subject to peer review or publication – The expected error rate of the technique used is known – Acceptance of theory or technique in the relevant scientific community
Daubert (3) • Other factors: – Is the expert testifying about something that comes out of their research directly, or have they developed opinions specifically for purposes of testifying? – Has the expert unjustifiably extrapolated from an accepted premise to an unfounded conclusion? – Has the expert adequately accounted for obvious alternative explanations? • “Might this have happened instead? ” • <
Privacy-Protecting Laws • (Explanations by Richard Salgado, Computer Crime Section, U. S. Dept. of Justice, in his SANS security lecture, these don’t constitute legal advice and all such disclaimers) • Federal Wiretap Act – Covers interception of voice and electronic communications “on-the-wire” – Generally illegal to intercept electronic communication, except in certain circumstances, among those on the following slide
Privacy-Protecting (2) • Provider exception – Can perform limited monitoring to protect rights and property of system under attack – Switchboard operator may overhear during call transfers – Line technician may overhear during repairs to phone lines • Consent exception – Permission to monitor, e. g. written permission or a login banner – Essentially, must “banner” all ports that allow access unless you have written permission • Court order
Privacy-Protecting (3) • Electronic Communications Privacy Act (ECPA) – – Covers access to stored voice and digital communications Covers what can be disclosed to law enforcement Question: Are communication services provided to the public? e. g. , AOL (yes): Restrictions with some exceptions: • Does provider believe that an emergency involving death or serious physical harm may result otherwise? • Consent? • Contents of communication inadvertently acquired, evidence of a crime? • Can disclose non-content (e. g. , logs of activity) to anyone not involved in government – e. g. , corporate, university (no): No restrictions on what can be disclosed to law enforcement • Pen/Trap Statute of 18 U. S. C. 3121 -27 – Covers real-time collection of addressing information (e. g. , packet headers, phone #s), not the contents of the communication – Rules more liberal than for wiretap
Access to Evidence for Law Enforcement • Preservation of Evidence letter – Letter from government asking that evidence not be erased as a matter of normal administrative procedures – e. g. , to AOL: “Please don’t delete logs related to…” – Lasts for 90 days • To get name, address, session info (e. g. , when user logged in, etc. ) – Subpoena • Stored files – Court order • Stored files containing electronic communications – Search warrant – For email that has been read, court order • Difficulty level: – Letter < subpoena < court order < search warrant < wiretap order
Patriot Act • So things weren’t complicated enough? • Hundreds of pages, complicated for non-lawyers • Much analysis of Patriot act is skewed (“it’s a threat to our very lives” vs. “it’s a wonderful anti-terrorism tool”) • Still, many citizens not happy • Basic: – significantly erodes requirements for law enforcement to show probable cause for warrants and wiretap orders – removes requirements to notify parties of a search warrant being served – e. g. , police may be able to enter a residence without informing party until later – Bad because party might have been able to better protect her rights by pointing out that address on warrant is incorrect – Bad because warrants are limited—in secret, impossible for party to object to “unauthorized” searches – “Good” because prevents evidence from being destroyed before seizure can take place
DMCA • Digital Millennium Copyright Act • Summary here: – http: //www. copyright. gov/legislation/dmca. pdf • Expands copyright law • Makes reverse engineering illegal in many circumstances • Illegal in many circumstances to defeat access controls or anticopying techniques • Example: Buy a DVD, making a copy of the DVD involves defeating the copy protection scheme, thus illegal • “Encryption research” exceptions – So vague that if you do some “encryption research” and release the results, you should be very careful – “research” vs. distribution of copy protection circumvention techniques – Research paper documenting circumvention with lots of technical explanation vs. a program that performs circumvention