Legal Aspects of Digital Forensics

Taylan Sen, JD
Phillips Lytle, LLP
   Purposes of Digital Forensics
   Overview of legal system
        Federal
        Civil
   Liability from improperly conducted Digital Forensic analyses
   Legal Tools in helping to obtain evidence
        Warrants
        eDiscovery
   Admissibility of Digital Evidence
   Proactive actions that can be taken in light of eDiscovery

   Guidelines on how to perform a Digital Forensic Analysis
          - so that the lawsuit is won, the right business decisions are made, and most importantly to
             keep YOU out of legal trouble!
Purposes of Digital Forensics
 Criminal lawsuit
 Civil lawsuit
 Human resources
      Employee misconduct
     Harassment

   Economic research/espionage
U.S. Judicial System
 Federal
 State
 Hierarchical
 Rules
     Criminal
     Civil
Federal Court System
Federal Circuit Courts
Court Rules/Structure
   Court’s job is
       1. fact finding
       2. interpretation of the law
   Courts must not only follow written law but also
    previous decisions (stare decisis).
   Hierarchical
       Lower courts’ main job is fact finding
       Higher courts’ main job is interpretation of law
       Appeals go up
       Lower level courts must follow the decisions of their parents.
Types of Criminal cases
   Copyright infringement
   Theft of trade secret
   Fraud/embezzlement
   Vandalism
   Harassment
   Child pornography

        fines/incarceration
Client Investigation
   Case 1: Ex-employee left company to form his own
       Is he violating company intellectual property in his new
       Can we use a keystroke logger?

   Case 2: Ex-Franchisee is currently violating company’s
    trademark and copyright through their website
       What kind of Digital Forensic evidence is admissible?
            Internet Archive
            Whois/DNS lookup?
Criminal Trial Overview
Criminal Trial must follow the “Federal Rules of Criminal

    Judge Chamberlain Haller: "I don't want to hear explanations. The state of Alabama
     has a procedure. And that procedure is to have an arraignment. Are we clear on this?"
Anatomy of a Criminal Trial
   Investigation
   Probable cause → warrant (search/arrest)
   Initial Appearance
        criminal complaint is accompanied by an affidavit that
        summarizes the evidence against the defendant.
        bail is set
   Arraignment/Grand Jury Hearing
   Discovery
   Pretrial Motions (motion in limine)
   Plea bargaining
   Trial
        Prosecution
        Defense
        Deliberation/Verdict (burden)
   Sentencing
   Appeal
Investigation: 4th Amendment
   “The right of the people to be secure in their persons, houses, papers, and effects, against
   unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but
   upon probable cause, supported by Oath or affirmation, and particularly describing the
   place to be searched, and the persons or things to be seized.”

   You do not have carte blanche to perform a Digital Forensic search.
Investigation: What is a Warrant?

   A court order, issued by a judge or magistrate, authorizing an act
    which would otherwise be illegal because it violates an individual’s rights.

   Affords the person executing the warrant protection from damages
    if the act is performed as authorized.
Obtaining a warrant
   4th amendment – “no Warrants shall issue, but upon probable cause,
    supported by Oath or affirmation, and particularly describing the
    place to be searched, and the persons or things to be seized.”
   Probable cause – “reasonable”, “prudent”:
        Direct observation of officer or secondary information based
             Totality of the circumstances
             Aguilar-Spinelli
                   Reliable and credible
                   Knowledge of underlying circumstances
             Digital Forensic Data is often the basis to obtain a warrant
   A warrant must be specific to the place being searched
   Exceptions: Exigent circumstances, sufficiently attenuated
Warrants and the Aguilar-Spinelli
   1. The magistrate must be informed of the reasons to support the
      conclusion that such an informant is reliable and credible.
   2. The magistrate must be informed of some of the underlying
      circumstances relied on by the person providing the
Fruit of the poisonous tree
(exclusionary rule)
    Evidence which is collected or analyzed in violation of
    defendant’s constitutional rights is inadmissible for
    criminal prosecution in a court of law unless the
    evidence gathered is sufficiently attenuated from the
    illegal act.

    Your digital forensic investigation must be conducted properly.
Anatomy of a civil lawsuit
   Investigation
   Complaint/Answer
   Discovery
        eDiscovery
   Settlement negotiations
   Trial
        Prosecution
        Defense
   Deliberation/Verdict (burden)
   Appeal
Types of civil cases
   Breach of contract
   Copyright/trademark infringement
   Tortious interference
   Harassment/Slander
   Misuse of corporate resources
   Improper termination

       damages ($), injunction
Federal Rules of Civil Procedure
   Rule 26(b)(2)(B) – Specific Limitations on Electronically Stored Information. A party need
    not provide discovery of electronically stored information from sources that the party
    identifies as not reasonably accessible because of undue burden or cost. On motion
    to compel discovery or for a protective order, the party from whom discovery is
    sought must show that the information is not reasonably accessible because of
    undue burden or cost. If that showing is made, the court may nonetheless order
    discovery from such sources if the requesting party shows good cause, considering
    the limitations of Rule 26(b)(2)(C). The court may specify conditions for the discovery.

   Rule 34(a)(1)(A) – any designated documents or electronically stored information —
    including writings, drawings, graphs, charts, photographs, sound recordings, images,
    and other data or data compilations — stored in any medium from which information
    can be obtained either directly or, if necessary, after translation by the responding
    party into a reasonably usable form; or
Federal Rules of Evidence
 General rules
 Authentication and identification
 Hearsay
 Original evidence rule
 Expert Witnesses & Junk science
 Fruit of the poisonous tree
General Rules of Evidence
 Must not be unfairly prejudicial (previous
 Subsequent remedial measures
 Insurance coverage
 Witnesses must have personal knowledge
Federal Rule of Evidence 901
 “admissibility is satisfied by evidence sufficient
 to support a finding that the matter in question
 is what its proponent claims.”
Authentication and Identification
   901(a) - General Rule: Evidence must be shown to be
    authentic before allowed into trial.

   Authenticity can be shown through:
       901(b)(1) Testimony of witness with knowledge. Testimony that
        a matter is what it is claimed to be.
       901(b)(9) Process or system. Evidence describing a process or
        system used to produce a result and showing that the process or
        system produces an accurate result.

   Example: Are Internet Archive pages admissible?
Authentication - In re Vee Vinhnee,
     "...the focus is not on the circumstances of
      the creation of the record, but rather on the
      circumstances of the preservation of the
      record during the time it is in the file so as
      to assure that the document being proffered
      is the same as the document that originally
      was created."
     American Express – credit card records.
In re Vee Vinhnee, 2005
   "The logical questions extend beyond the identification of
    the particular computer equipment and programs used.
    The entity's policies and procedures for the use of the
    equipment, database, and programs are important. How
    access to the pertinent database is controlled and,
    separately, how access to the specific program is
    controlled are important questions. How changes in the
    database are logged or recorded, as well as the
    structure and implementation of backup systems and
    audit procedures for assuring the continuing integrity of
    the database, are pertinent to the question of whether
    records have been changed since their creation.”
Factors for consideration of Digital Forensic Data
   1. The business uses a computer.

   2. The computer is reliable.

   3. The business has developed a procedure for inserting data into the computer.

   4. The procedure has built-in safeguards to ensure accuracy and identify errors.

   5. The business keeps the computer in a good state of repair.

   6. The witness had the computer readout certain data.

   7. The witness used the proper procedures to obtain the readout.

   8. The computer was in working order at the time the witness obtained the readout.

   9. The witness recognizes the exhibit as the readout.

   10. The witness explains how he or she recognizes the readout.

   11. If the readout contains strange symbols or terms, the witness explains the meaning of the symbols or terms for the trier of fact.
Federal Rule of Evidence 801:
Hearsay is generally not allowed
   "Hearsay" is a statement, other than one
    made by the declarant while testifying at
    the trial or hearing, offered in evidence to
    prove the truth of the matter asserted.

   Exception: business records
Internet Archive

  Should Internet Archive records be
Telewizja Polska USA, Inc. v. Echostar,

   Polska granted EchoStar a license to use its trademarks to market the
    subscription package to its customers.
   Agreement ended, EchoStar continued to use Polska's name and
   Polska sued for trademark infringement
   Polska filed a motion in limine to exclude several Echostar trial exhibits,
    including screenshot printouts of Polska’s website from the Internet
    Archive’s “Wayback Machine”
   Plaintiff then contends that the exhibit has not been properly authenticated.
    Attached to the exhibits is an affidavit from Ms. Molly Davis, verifying that
    the Internet Archive Company retrieved copies of the website as it appeared
    on the dates in question from its electronic archives. Plaintiff labels the
    Internet Archive an unreliable source and claims that Defendant has not,
    therefore, met the threshold requirement for authentication.
Telewizja Polska USA, Inc. v. Echostar

   OUTCOME: Court finds affidavit from Internet
    Archive employee sufficient for laying a
    foundation and authenticating the Internet
    snapshots of Plaintiff’s website and thus denied
    motion in limine to limit evidence.
St. Luke's Cataract & Laser Institute, P.A. v. Sanderson
(U.S. Dist. Ct., Fla., 2006)
   “… affidavit from a previous litigation, without
    more, is insufficient … However, an affidavit by
    Ms. Davis, or some other representative of
    Internet Archive with personal knowledge of its
    contents, verifying that the printouts Plaintiff
    seeks to admit are true and accurate copies of
    Internet Archive's records would satisfy
    Plaintiff's obligation to this Court.”
Authentication and Digital
 When gathering data, make sure it is done
  in a way that can be later authenticated in
  a court of law.
 Chain of custody.
 Records of who, when, where, and how
  the forensic analysis is done.
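The following Python is an added illustration, not part of the slides, of what such a who/when/where/how record can look like in practice: a hash-chained chain-of-custody log that stores the evidence hash at every step, so that the proffered evidence can later be shown to be the same as what was originally acquired (the 901(b)(9) and Vee Vinhnee concern) and any altered, removed or reordered log entry is detectable. The evidence bytes, examiner names and locations are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample standing in for an acquired disk image (not real evidence).
EVIDENCE = b"constructed sample disk image contents\n" * 4
GENESIS = "0" * 64  # prev-hash value for the first (acquisition) entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def add_custody_entry(log, who, action, where, evidence, when=None):
    """Append one who/when/where/how record, chained to the previous entry."""
    when = when or datetime.now(timezone.utc).isoformat()
    prev = log[-1]["entry_hash"] if log else GENESIS
    entry = {"who": who, "when": when, "where": where, "action": action,
             "evidence_sha256": sha256_hex(evidence), "prev_entry_hash": prev}
    # Hash the canonical JSON of the entry so any later edit to it is detectable.
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry


def verify_custody(log, evidence):
    """Return (ok, reason): the evidence must still match the acquisition hash,
    and no log entry may have been altered, removed or reordered."""
    if not log:
        return False, "empty log"
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_entry_hash"] != prev:
            return False, f"entry {i}: chain broken (entry removed or reordered)"
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False, f"entry {i}: entry altered after it was written"
        if entry["evidence_sha256"] != log[0]["evidence_sha256"]:
            return False, f"entry {i}: evidence hash differs from acquisition"
        prev = entry["entry_hash"]
    if sha256_hex(evidence) != log[0]["evidence_sha256"]:
        return False, "evidence no longer matches acquisition hash"
    return True, "ok"


if __name__ == "__main__":
    log = []
    add_custody_entry(log, "J. Examiner", "acquired image", "Lab A", EVIDENCE)
    add_custody_entry(log, "J. Examiner", "keyword search", "Lab A", EVIDENCE)
    print(verify_custody(log, EVIDENCE))
```

In a real lab the log would be written to append-only storage and each entry signed or countersigned; the point here is that every step records the evidence hash, so a later change to the image or to the record itself stands out.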
Federal Rule of Evidence 702
Technical/Scientific Evidence
  “If scientific, technical, or other specialized
  knowledge will assist the trier of fact to
  understand the evidence or determine a fact in
  issue, a witness qualified as an expert by
  knowledge, skill, experience, training, or
  education, may testify thereto in the form of an
  opinion or otherwise."
Daubert v. Merrell Dow
U.S. Supreme Court, 1993
   CLAIM: the drug Bendectin had caused the birth
   EVIDENCE: Test tube and live animal studies were
    conducted to show that Bendectin caused birth defects.

    scientific study demonstrated a link between Bendectin
    and birth defects
Daubert factors
1. Empirical testing: the theory or technique must
  be falsifiable, refutable, and testable.
2. Subjected to peer review and publication.
3. Known or potential error rate and the existence
4. The existence and maintenance of standards
  and controls concerning its operation.
5. Degree to which the theory and technique is
  generally accepted by a relevant scientific
Daubert and Digital Forensics
    Selection of your forensic analysis tools and techniques should be made with the
    Daubert factors in mind:

   Testing:
        Has this software tool/procedure been tested?
   Error Rate:
        Is there a known error rate of the procedure?
              Tool implementation error comes from bugs in the tool's code or from implementing the wrong specification.
              Abstraction error comes from the tool making decisions that are not 100% certain: data reduction
               techniques, or processing data in a way it was not originally designed for.
   Publication:
        Has the tool/procedure been published and subject to peer review?
        Is this a commercially offered tool/technique or something developed in house?
        OpenSource vs. proprietary software
              “Diebold Admits to Decade-old Voting Machine Bug”
   Acceptance:
        Is this tool/technique used by experts in the field?
eDiscovery Overview
   What exactly is discovery? - “the pre-trial phase in a lawsuit in which each party through the law
    of civil procedure can request documents and other evidence from other parties or can compel the
    production of evidence by using a subpoena or through other discovery devices, such as requests
    for production and depositions.”
   e-discovery
        Data types include: e-mail & documents on hard drives, backup tapes, PDAs, CDs, etc.
        uses in-depth automated searches
   Costly – especially when data storage infrastructure is not in place.
        Cost shifting
   Noncompliance - Courts are very unforgiving to parties who show signs of noncompliance with
    discovery requests.
        Qualcomm, Inc. v. Broadcom Corporation (S.D. Cal. August 6, 2007) $8.5 million fine for withholding emails.

   Need forward planning through:
        1. a document retention and destruction policy,
        2. data storage tools, and when litigation comes,
        3. efficient management of e-discovery process.
Document retention and destruction policy:
How does a company determine how long to retain

   The retention period of documents will depend on a
    number of considerations, including:
      the retention periods specified in state or federal regulations
      contractual obligations
      pending or reasonably foreseeable lawsuits or government
       proceedings relating to the subject matter of the documents
      statutes of limitations.

   In the absence of a specific legal duty to retain
    documents a company will need to determine whether
    there are business reasons to retain the documents and,
    if so, how long such reasons will remain viable.
Sources of the legal duty to retain data
   State and federal tax, labor, employment, and
    environmental laws
      Sarbanes Oxley Act
      HIPAA
   Contracts
   Litigation – legal duty to preserve relevant
      Federal Rules of Civil Procedure (amended
      Zubulake v. UBS Warburg LLC, 2004 WL
         1620866 (S.D.N.Y. July 20, 2004)

   Violators may be fined and/or imprisoned for up
    to 20 years. (Section 802 of the Sarbanes-Oxley
Desired characteristics of a document
retention policy

     Should be specific
       when to destroy
       who should destroy
     Should be written
     Should be followed consistently
     Should not retain data you don’t need
     Should be distributed to employees
     Should be re-evaluated annually
Example Document Retention and
Destruction Policy
Suspension of the document
retention/destruction policy

    "Once a party reasonably anticipates
     litigation, it must suspend its routine
     document retention/destruction policy
     and put in place a ' litigation hold ' to
     ensure the preservation of relevant
     documents." (See Zubulake v. UBS
     Warburg LLC, 2004 WL 1620866
     (S.D.N.Y. July 20,2004)).
Other Digital Forensic Related
   Electronic Communications Privacy Act of 1986
   Pen/Trap Statute
   Wiretap Act
   US Patriot Act
   Computer Security Act of 1987
   Federal Privacy Act of 1974
   HIPAA 1996
   Computer Fraud and Abuse Act
   Economic Espionage Act
   Certain legal considerations must be taken into account
    when performing a digital forensic analysis
    to ensure that
     No laws are broken that would subject the
      investigator to criminal or economic liability
     The evidence obtained is admissible in court
