This overview of the collection and admissibility of digital evidence in a criminal court of law isn’t meant to be a legal reference, as I am not an attorney. It was written for the consideration of digital forensic investigators and businesses or business owners.
Special consideration should be given to the ability of corporate America to collect user behavior on corporate networks. Although there are many options on how corporations or employers extend the use of computing devices, including mobile devices, to their employees, most employers want to own the data that resides on corporate owned devices.
The use of a personally owned device for business purposes can be confusing. Since the device is owned by the employee, one could ask who actually owns the data that resides on it, and whether the employee would be protected by the 4th Amendment against unreasonable search and seizure in the event the employer wanted to collect data from the employee-owned device. In the event that the employer owns the device, it most likely will have an acceptable use policy that is acknowledged and signed by the employee. The employee’s consent to the use policy generally provides explicit notice that all corporate-owned devices are subject to monitoring and that the data collected is owned by the company. Conversely, if the employee owns the device and there is a need for the collection of digital evidence, the employee could seek the protection of the 5th Amendment.
Perhaps, upon considering these points as they pertain to the collection of network and application log data, organizations will be prompted to review their acceptable use and device policies, understanding that network logs will at some point be retained not only for compliance or audit but for eventual use as digital forensic evidence.
The rapid, widespread adoption of new technology often outpaces society’s development of a shared ethic governing its use and the ability of legal systems to deal with it. The handling of digital evidence is a perfect example.
Although computers have existed for more than 60 years, it has been only since the late 1980s, as computers have proliferated in businesses, homes, and government agencies, that digital evidence has been used to solve crimes and prosecute offenders.
Once the province of “computer crime” cases such as hacking, digital evidence is now found in every crime category. Too often, though, law enforcement agencies and the judiciary are ill-prepared to deal with the issues created by the increasing use of this evidence.
Some judges, attorneys, and jurors may harbor doubts about the reliability and significance of digital evidence. To prevent misunderstandings at trial, concepts must be explained in simple terms with carefully selected analogies and visual aids.
Prosecutors should not assume that investigators understand how to avoid creating confusion at trial. Technically sophisticated investigators or examiners should not assume that prosecutors fully grasp the problems encountered in recovering and analyzing the evidence. Prosecutors, investigators, and examiners should share their knowledge of technical problems and discuss strategies. Addressed to law enforcement and prosecutors, this report is subject to several important limitations and, therefore, is only a guide. First, it identifies and briefly addresses some of the key issues related to digital evidence. Second, many issues discussed are subject to laws that vary from jurisdiction to jurisdiction. Third, the technology and law in this area are rapidly evolving. Finally, this guide does not address the acquisition of digital evidence from outside the United States. (Criminal investigators and prosecutors should consult the Office of International Affairs, U.S. Department of Justice, 202-514-0000.)
The collection of digital evidence in criminal cases is governed at the Federal and State levels by numerous constitutional and statutory provisions, including statutes that regulate the communications and computer industries and that directly govern the gathering and use of digital evidence.
Both for purposes of admissibility and persuasive value of digital evidence, the prosecutor must show in court that the information obtained from the media is a true and accurate representation of the data originally contained in the media, irrespective of whether the acquisition was done entirely by law enforcement or in part or entirely by a civilian witness or victim. (U.S. Department of Justice, 2007)
Three Areas of Law Related to Computer Security
Three areas of law related to computer security will be examined:
- U.S. Constitution
  - 4th Amendment: “Protection against unreasonable search and seizure”
  - 5th Amendment: “Protection against self-incrimination”
- U.S. Statutory Law
  - 18 U.S.C. §§ 2510-22 (The Wiretap Act)
  - 18 U.S.C. §§ 3121-27 (The Pen Registers and Trap and Trace Devices Statute)
  - 18 U.S.C. §§ 2701-12 (The Stored Wired and Electronic Communication Act)
- Federal Rules of Evidence
  - Best Evidence
In the United States of America, there are two primary areas of legal governance affecting cyber security actions related to the collection of network data: (1) authority to monitor and collect the data and (2) the admissibility of the collection methods. Of the three areas above, the U.S. Constitutional and U.S. Statutory Laws primarily govern the collection process, while the Federal Rules of Evidence deal primarily with admissibility. (Carnegie Mellon Software Engineering Institute, 2005)
The 4th Amendment to the U.S. Constitution
The 4th Amendment to the United States Constitution is as follows:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
The 4th Amendment protects individuals from unreasonable searches and seizures conducted by agents of the government. It does not extend protection from searches conducted by private parties who are not acting as agents of the government. The question is whether or not your organization can be considered as “government”, or under the direction of a government agent, under the 4th Amendment. There isn’t always a bright line answer to that question (in law, a bright line is a rule that clearly and unambiguously delineates what is so and what is not). If in doubt, organizations should always seek the advice of legal counsel in determining the answer. (Carnegie Mellon Software Engineering Institute, 2005)
The 5th Amendment to the U.S. Constitution
The 5th Amendment provides that “No person shall be compelled in any criminal case to be a witness against himself.”
The core issue related to computer forensics is that under current jurisprudence the 5th Amendment’s protections against self incrimination extend to cryptographic keys. “Under the Fifth Amendment, an individual cannot be compelled to testify to his or her memorized key” [CDT 04]. The word “memorized” is an important qualifier, however, meaning that the key (passphrase) was never written down. Remember, the 5th Amendment only protects an individual from being compelled to provide incriminating testimony. Its protections do not extend to existing written and/or documentary evidence. This affects system or network administrators because if encrypted files are found during a collection or examination of a system or network, little can be done to force an individual to decrypt them. (Carnegie Mellon Software Engineering Institute, 2005)
U.S. Statutory Law
Wiretap Act/Electronic Communications Privacy Act
Generally speaking, the Wiretap Act, 18 U.S.C. §§ 2510-22, prohibits the interception of real-time electronic data communications (specifically the content), unless one of the statutory exceptions applies.
Pen Registers and Trap and Trace Devices
Whereas the Wiretap Act focuses on the content of electronic communications, this statute, 18 U.S.C. §§ 3121-27, prohibits the installation of a device that records or decodes dialing, routing, addressing, or signaling information for outgoing (Pen Registers) and incoming (Trap and Trace) wired or electronic communications, except for certain purposes.
Pen Register – 18 U.S.C. § 3127(3)
The term “pen register” means a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, provided, however, that such information shall not include the contents of any communication, but such term does not include any device or process used by a provider or customer of a wire or electronic communication service for billing, or recording as an incident to billing, for communications services provided by such provider or any device or process used by a provider or customer of a wire communication service for cost accounting or other like purposes in the ordinary course of its business.
Trap and Trace – 18 U.S.C. § 3127(4)
The term “trap and trace device” means a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source of a wire or electronic communication, provided, however, that such information shall not include the contents of any communication.
Stored Wired and Electronic Communications Act
The Stored Wired and Electronic Communication Act, 18 U.S.C. §§ 2701-12, deals with general protections for stored communications. There are several other statutes that may affect the level of protection, access, and disclosure of stored electronic communication, such as HIPAA and the Family Educational Rights and Privacy Act (FERPA). Consultation with legal counsel should be sought regarding whether your organization may be governed by these special types of privacy laws. (Carnegie Mellon Software Engineering Institute, 2005)
Legal Governance Related to Admissibility (Federal Rules of Evidence)
Hearsay is defined by the Federal Rule of Evidence 801(c) as “a statement, other than one made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted.” Further, according to Rule 802, “Hearsay is not admissible except as provided by these rules or by other rules prescribed by the Supreme Court pursuant to statutory authority or by Act of Congress.”
Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, published by the Computer Crime and Intellectual Property Section, Criminal Division, of the United States Department of Justice, is an excellent source for detailed information related to this topic, as well as other general topics dealing with electronic evidence [USDOJ 02]. Its importance to this topic relates to understanding the difference between computer-generated records and computer-stored records. Basically there are two types of computer records: those that “contain the writings of some person or persons and happen to be in electronic form” (i.e., computer-stored records) and those that “contain the output of computer programs, untouched by human hands” (i.e., computer-generated records).
It is important to understand the difference between these two types of computer records because computer-stored records can contain hearsay and computer-generated records, which IT professionals are more likely to deal with, cannot. In practice, however, most federal courts have viewed all computer records as potentially containing hearsay. But this view is likely to change:
As the federal courts develop a more nuanced appreciation of the distinctions to be made between different kinds of computer records, they are likely to see that the admission of computer records generally raises two distinct issues. First, the government must establish the authenticity of all computer records by providing “evidence sufficient to support a finding that the matter in question is what its proponent claims.” Fed. R. Evid. 901(a). Second, if the computer records are computer-stored records that contain human statements, the government must show that those human statements are not inadmissible hearsay.
In dealing with computer-generated records, two issues arise: authentication and reliability, which will be explained in subsequent sections.
There are twenty-four enumerated exceptions to the Hearsay Rule. Rule 803(6), “records of regularly conducted activity,” deals with issues pertinent to computer forensics. This exception deals with “regularly conducted business activities.” This is why an IT policy is so critical regarding network monitoring and incident response. The outcomes from random, ad hoc procedures will not fall under this exception. Rule 803(6) reads as follows:
A memorandum, report, record, or data compilation, in any form, of acts, events, conditions, opinions, or diagnoses, made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of a regularly conducted business activity, and if it was the regular practice of that business activity to make the memorandum, report, record, or data compilation, all as shown by the testimony of the custodian or other qualified witness, unless the source of information or the method or circumstances of preparation indicate lack of trustworthiness. The term “business” as used in this paragraph includes business, institution, association, profession, occupation, and calling of every kind, whether or not conducted for profit.
The best example of this would be logging. If a company logs everything as a practice, it is very likely that those logs will be admissible. However, if only partial logging is done and during an incident additional logging is turned on, a question of admissibility may arise.
Authentication in Cyber Law
It is the burden of the person/party attempting to admit a computer-generated record to authenticate that record. Federal Rule of Evidence 901(a) states the following:
The requirement of authentication or identification as a condition precedent to admissibility is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims.
To authenticate a computer record, a person who acquired the record or caused the record to be generated can testify to the authenticity of the record (i.e., say that the record is what it purports to be). An example of this is when a system administrator records the open connections on a system by running a netstat command and has that information saved on a diskette. This same system administrator would need to authenticate this diskette at court by testifying that he or she ran the command that caused the output and, further, that the output was saved to that diskette. It is not important or required that the system administrator have programming knowledge and understand how the netstat command works or to be able to provide analysis of the results of the netstat command. All that is required is that the system administrator has first-hand knowledge, i.e., that he or she ran the command and generated the output that was then saved to the diskette.
In addition, chain of custody plays a significant role in the process of authentication. It is not enough to just testify after the fact about what was collected. Having a process in place that will track collected information and ensure that it is preserved and not tampered with is also required.
Another issue that IT personnel should be prepared to deal with is the reliability of the computer programs that generate the computer records. This area is of particular interest to IT staff, since it is where software that is used in the collection of information related to an incident may be challenged.
For the purpose of establishing reliability, computer programs are distinguished by whether they are or are not run in the normal course of business. An example of programs run in the normal course of business is RADIUS servers at an ISP supporting dial-up users. RADIUS servers provide several functions related to an ISP’s business operations. For example, a RADIUS server would be used to maintain logs of when users dial in to access the network. The ISP normally uses this information for billing purposes, but the same information may become important in the event of an incident. When the information is used to support an incident, the fact the program that generated the information was used in the normal course of business gives it reliability.
The more difficult situation in terms of reliability is when programs are used to collect information that are not run in the normal course of business. The guidance from the courts is more complicated in this area, as indicated in this excerpt from Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations:
The courts have indicated that the government can overcome this challenge so long as “the government provides sufficient facts to warrant a finding that the records are trustworthy and the opposing party is afforded an opportunity to inquire into the accuracy thereof[.]” United States v. Briscoe, 896 F.2d 1476, 1494 (7th Cir. 1990). See also Liebert, 519 F.2d at 547; DeGeorgia, 420 F.2d. at 893 n.11. Compare Fed. R. Evid. 901(b)(9) (indicating that matters created according to a process or system can be authenticated with “[e]vidence describing a process or system used…and showing that the process or system produces an accurate result”)…the government may need to disclose “what operations the computer had been instructed to perform [as well as] the precise instruction that had been given” if the opposing party requests. Dioguardi, 428 F.2d at 1038 [USDOJ 02].
How does this translate into working knowledge for IT staff? Module 2 of the SEI guide, “File Systems, Duplication, Wiping, and Trusted Tools,” describes some of the technical implications of dealing with reliability issues.
The Best Evidence Rule
The Best Evidence rule (Federal Rule of Evidence 1002) states that to prove the content of writing, recording, or photograph, the original writing, recording, or photograph is ordinarily required. Federal Rule of Evidence 1001(3) defines “original”:
If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an “original”.
The courts have long recognized that at times it may be both impractical and unreasonable to require originals, which might be entire computers or large volumes of data, for information that otherwise could be represented in a chart or graph. In fact, in the 9th Circuit the courts require that during seizures of computers, on-site imaging must be done, leaving the original behind and taking only a “copy,” that is, a true bit by bit forensic image. (Carnegie Mellon Software Engineering Institute, 2005)
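The chain-of-custody requirement described under Authentication, and the bit-for-bit image check from the Best Evidence discussion above, as an added example that is not from the SEI guide or any other cited source: a SHA-256 custody log (a JSON-lines layout chosen for this illustration, with constructed sample netstat output as the artifact) whose verification flags any change that was not recorded by a handler.

```python
"""Chain-of-custody log with hash verification for a collected artifact.

Added illustration, not code from any cited guide. The custody log is a
hypothetical JSON-lines format: one entry per handling event, each carrying
the artifact's SHA-256 at that moment.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so multi-gigabyte images also work."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody_event(log: Path, artifact: Path, handler: str, action: str) -> dict:
    """Append one custody entry: who did what to the artifact, and its hash at that time."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "artifact": artifact.name,
        "handler": handler,
        "action": action,
        "sha256": sha256_file(artifact),
    }
    with log.open("a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_custody(log: Path, artifact: Path) -> tuple[bool, list[str]]:
    """Compare every logged hash, and the artifact as it is now, with the acquisition hash.

    Returns (ok, problems). Any mismatch means the artifact changed in a way the
    log cannot vouch for, so it cannot simply be offered as what it purports to be.
    """
    lines = [ln for ln in log.read_text(encoding="utf-8").splitlines() if ln]
    if not lines:
        return False, ["custody log is empty"]
    entries = [json.loads(ln) for ln in lines]
    baseline = entries[0]["sha256"]
    problems = [
        f"hash changed at '{e['action']}' by {e['handler']}"
        for e in entries[1:] if e["sha256"] != baseline
    ]
    if sha256_file(artifact) != baseline:
        problems.append("artifact on disk no longer matches acquisition hash")
    return not problems, problems


def image_matches_original(original: Path, image: Path) -> bool:
    """A true bit-for-bit copy hashes identically to its source; anything else does not."""
    return sha256_file(original) == sha256_file(image)


def demo() -> dict:
    """Acquisition, two documented transfers, an image check, then an undocumented edit."""
    work = Path(tempfile.mkdtemp())
    # Constructed sample: netstat output the administrator saved at collection time.
    artifact = work / "netstat_output.txt"
    artifact.write_text("Proto Local Address  Foreign Address  State\n"
                        "tcp   10.0.0.5:22    10.0.0.9:51514   ESTABLISHED\n")
    log = work / "custody.jsonl"
    record_custody_event(log, artifact, "admin", "acquired")
    record_custody_event(log, artifact, "admin", "handed to investigator")
    record_custody_event(log, artifact, "investigator", "received")
    ok_before, _ = verify_custody(log, artifact)

    # Constructed copies: one exact, one missing its final byte.
    image = work / "netstat_output.img"
    image.write_bytes(artifact.read_bytes())
    truncated = work / "netstat_output_truncated.img"
    truncated.write_bytes(artifact.read_bytes()[:-1])
    true_image = image_matches_original(artifact, image)
    bad_image = image_matches_original(artifact, truncated)

    # An edit nobody logged; the next verification has to catch it.
    artifact.write_text(artifact.read_text()
                        + "tcp   10.0.0.5:443   10.0.0.9:51515   ESTABLISHED\n")
    ok_after, problems = verify_custody(log, artifact)
    return {"ok_before": ok_before, "ok_after": ok_after, "problems": problems,
            "true_image": true_image, "bad_image": bad_image}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```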
In Texas, the handling of evidence is additionally governed by the Texas Rules of Evidence and by the Code of Criminal Procedure:
- CODE OF CRIMINAL PROCEDURE: Title 1. Code of Criminal Procedure, Chapter 38. Evidence in Criminal Actions (see Art. 38.35): http://www.statutes.legis.state.tx.us/Docs/CR/htm/CR.38.htm
- TEXAS RULES OF EVIDENCE: http://www.txcourts.gov/media/1240932/Texas-Rules-of-Evidence-updated-with-amendments-effective-112016-.pdf
Requirements for Presenting Expert Evidence: Federal and State of Texas
In federal court, expert testimony is governed by Federal Rules of Evidence 702 through 706. Rule 702—Testimony of Experts—provides:
If scientific, technical, or other specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue, a witness qualified as an expert by knowledge, skill, experience, training, or education, may testify thereto in the form of an opinion or otherwise, if (1) the testimony is based upon sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case.
Under the federal rules, a testifying expert is any witness a party may use at trial to present evidence under Federal Rule of Evidence 702, 703, or 705. The Federal Rules of Civil Procedure make a distinction between experts retained or specially employed to provide expert testimony in the case—or one whose duties as the party’s employee regularly involve giving expert testimony—and other experts.
In state court, expert witnesses are governed by rules 702 through 706 of the Texas Rules of Evidence, which generally follow, but do not mirror, their federal counterparts. Rule 702 provides:
If scientific, technical, or other specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue, a witness qualified as an expert by knowledge, skill, experience, training or education may testify thereto in the form of an opinion or otherwise.
State rules define an expert as a “person with knowledge of relevant facts” only if that knowledge was obtained first-hand or if it was not obtained in preparation for trial or in anticipation of litigation. Further, under state rules, a testifying expert is an expert who may be called to testify as an expert witness at trial. The Texas rules make a further differentiation between experts retained by, employed by, or otherwise subject to the control of the responding party and other experts. (The Law Firm of Beck Redden, 2016)
Expert Reports Under the Texas Rules
Unlike the federal rules, the Texas rules do not require a party to automatically produce an expert report upon disclosing a testifying expert. (The Law Firm of Beck Redden, 2016)
For reference, the current text of Federal Rule of Evidence 702, as amended effective December 1, 2011, reads:
A witness who is qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise if:
(a) the expert’s scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue;
(b) the testimony is based on sufficient facts or data;
(c) the testimony is the product of reliable principles and methods; and
(d) the expert has reliably applied the principles and methods to the facts of the case.
Notes (Pub. L. 93–595, §1, Jan. 2, 1975, 88 Stat. 1937; Apr. 17, 2000, eff. Dec. 1, 2000; Apr. 26, 2011, eff. Dec. 1, 2011.)
Notes of Advisory Committee on Proposed Rules
An intelligent evaluation of facts is often difficult or impossible without the application of some scientific, technical, or other specialized knowledge. The most common source of this knowledge is the expert witness, although there are other techniques for supplying it.
Rule 702 has been amended in response to Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1993), and to the many cases applying Daubert, including Kumho Tire Co. v. Carmichael, 119 S.Ct. 1167 (1999). In Daubert the Court charged trial judges with the responsibility of acting as gatekeepers to exclude unreliable expert testimony, and the Court in Kumho clarified that this gatekeeper function applies to all expert testimony, not just testimony based in science. See also Kumho, 119 S.Ct. at 1178 (citing the Committee Note to the proposed amendment to Rule 702, which had been released for public comment before the date of the Kumho decision). The amendment affirms the trial court’s role as gatekeeper and provides some general standards that the trial court must use to assess the reliability and helpfulness of proffered expert testimony. Consistently with Kumho, the Rule as amended provides that all types of expert testimony present questions of admissibility for the trial court in deciding whether the evidence is reliable and helpful. Consequently, the admissibility of all expert testimony is governed by the principles of Rule 104(a). Under that Rule, the proponent has the burden of establishing that the pertinent admissibility requirements are met by a preponderance of the evidence. See Bourjaily v. United States, 483 U.S. 171 (1987).
Daubert set forth a non-exclusive checklist for trial courts to use in assessing the reliability of scientific expert testimony. The specific factors explicated by the Daubert Court are (1) whether the expert’s technique or theory can be or has been tested—that is, whether the expert’s theory can be challenged in some objective sense, or whether it is instead simply a subjective, conclusory approach that cannot reasonably be assessed for reliability; (2) whether the technique or theory has been subject to peer review and publication; (3) the known or potential rate of error of the technique or theory when applied; (4) the existence and maintenance of standards and controls; and (5) whether the technique or theory has been generally accepted in the scientific community. The Court in Kumho held that these factors might also be applicable in assessing the reliability of nonscientific expert testimony, depending upon “the particular circumstances of the particular case at issue.” 119 S.Ct. at 1175. (Federal Rules of Evidence, 2016)
A digital forensics expert can be used in a variety of ways: as an expert witness, for litigation support, “to conduct Non-Invasive Data Acquisition (NIDA), to proactively investigate potential disputes . . . [prior to litigation], [and] to recover data negligently or intentionally destroyed.” Whether or not a digital forensics expert is retained to testify in court proceedings, a written report is still mandatory unless otherwise stipulated or ordered by the court. This written report, if properly done, practically negates the need to provide expert testimony.
Over the last several years, commercial hardware and software vendors who specialize in digital forensic analysis tools and applications have made significant improvements in the methodologies necessary to analyze digital evidence. As a result, what was once an almost entirely ad hoc manual-analysis process is now structured to a point where years of experience and training are no longer necessary for the production of a digital forensic report. This trend increased the number of forensic examiners and lowered costs, but also reduced the depth of knowledge held by the average forensic examiner.
As a result, the reviewer of a forensic expert report should scrutinize the qualifications of a forensic examiner to avoid the unfortunate scenario wherein an unqualified forensic examiner produces a flawed or unreliable report. While no uniform set of standards exists to gauge the competency of a digital forensic examiner, reviewers should consider the most appropriate combination of certification, education, and real-world experience, given the case at hand. The examiner’s training will likely include a number of hours in the classroom as well as practical experience in the real world and in the lab. This training should be considered in the context of the levels of experience and quality of the instructors and institutions administering such training.
While individual vendor certifications can have value, the education marketplace is seeing the emergence of vendor-neutral certification programs to validate technology skills of varying levels. Accordingly, as certification programs become more salable, the value of any particular certification must be assessed in the context of a growing industry in which establishing credentials is simply the monetization of a product. The true measure of expertise goes well beyond certification and solidly into the realm of actual field experience in real-world situations and/or years of study. Thus, the bench and the bar should interpret a forensic certification only as an indication of additional testing that the forensic examiner navigated in a particular area, or in a specific type of software, that is particular to that examiner’s education and experience.
Finally, in addition to technical expertise, an ideal expert will have experience on the witness stand. Although direct examination will set out the baseline requirements of a competent expert, the ability to calmly and confidently relay findings while undergoing rigorous cross-examination is critical.
A digital forensic report should document with sufficient detail the steps undertaken by the examiner so that an independent third-party could replicate the conclusions. This also means that the forensic images should be available for copying by a third-party. (The Law Firm of Beck Redden, 2016)
Structure of a Digital Forensic Report
Generally, the forensic report is outlined as follows:
(1) Brief summary of information
(2) Tools used in the investigation process, including their purpose and any underlying assumptions associated with the tool
(3) Evidence Item #1 (for example: Employee A’s work computer)
  (a) Summary of evidence found on Employee A’s work computer
  (b) Analysis of relevant portions of Employee A’s work computer
    (i) Email history
    (ii) Internet search history
    (iii) USB registry analysis
  (c) Repetition of the above steps for other evidence items (which may include other computers, mobile devices, etc.)
(4) Recommendations and next steps for counsel to continue or cease the investigation based on the findings in the report
Generally speaking, the report should not volunteer superfluous information that may be vulnerable to scrutiny under cross-examination. Further, all findings should be accurately qualified as to the limitations of the particular tool(s) used, the applicability of the current technology and industry-standard best practices, the methodology or techniques (such as search criteria or formulae), and the scope of the investigation.
The scope of the investigation is limited by relevancy and also by budget (a factor of which is the time necessary to conduct the investigation), which almost always places significant constraints on what data is found or not found and the inferences to be drawn therefrom. Moreover, the digital forensic report only investigates those areas where responsive evidence can be found. For example, in a case investigating the theft of proprietary software code, it would be outside the scope of the report to discuss a search for child pornography on the hard drive in question.
Further, when evaluating a digital forensic report, a reviewer should evaluate the substance of the report to ascertain if information overload exists. The digital forensic report should provide a cohesive and logical framework on its face and not delve into the underlying technical minutiae. In this context, information overload rests on whether the report contains hundreds of pictures, documents, or other such digital items in the body of the report that distract from the underlying conclusions.
Examiners must resist overtures by attorneys, however well-intended or abstract, to submit any testimony or work product that is disrespectful of the truth, including overstating, understating, or omitting findings. The findings should be concise and carefully circumscribed. The report cannot be tailored to support a particular outcome, as a material omission may constitute fraud. (Garrie, 2014).
Digital forensic science is a new forensic discipline, but it is maturing. The collection, preservation, and analysis of digital evidence should be pursued strictly in a scientific and legally sound manner, ultimately delivering objective, admissible evidence that can assist in establishing the truth.
Carnegie Mellon Software Engineering Institute. (2005). First Responders Guide to Computer Forensics. Carnegie Mellon Software Engineering Institute. Carnegie Mellon University.
Federal Rules of Evidence. (2016, February 8). Cornell University Law School. Retrieved from Legal Information Institute: https://www.law.cornell.edu/rules/fre
Garrie, B. D. (2014, March). Digital Forensic Evidence in the Courtroom: Understanding Content and Quality. Northwestern Journal of Technology and Intellectual Property, 12(2).
The Law Firm of Beck Redden. (2016, February 8). The Rules Governing Expert Witnesses: Federal and State of Texas. Retrieved from http://www.beckredden.com: http://beckredden.com/uploads/1113/doc/4_Expert_Witnesses.pdf
U.S. Department of Justice. (2007). Digital Evidence in the Courtroom: A Guide for Law Enforcement and Prosecutors. Washington: U.S. Department of Justice.