It’s a Computer, M’Lud! Neil Barrett
Introduction • The law and computers • The nature of computer evidence • Obtaining evidence from computers • Preparing statements for court • The role of the expert witness • Courtroom experience • Current defence strategies and tactics • The future for computer evidence
The Law and Computers • Computer Misuse Act 1990 • Data Protection Act 1998 • Laws of Pornography • Obscene Publications Act 1959 • Protection of Children Act 1978 • Criminal Justice Act 1988 • Laws of ‘Harm’ • Theft Act 1968/1978 • Offences Against the Person Act 1861
Computer Misuse Act 1990 • Data is not ‘Property’ • Oxford v Moss 1978 • “Confidential information is not property” • Accessing a computer illicitly is not ‘Fraud’ • R v Gold 1988 • A password is not a ‘false instrument’ • Judicial review produces a new law
Computer Misuse Act 1990 (2) • Section 1 – Unauthorised Access • An offence to access a computer knowing that the access is not authorised • Summary offence; 6 months and/or £5,000 • Section 2 – Unauthorised Access with Intent • An offence to commit Section 1 with intent to commit a further arrestable offence • Arrestable offence; 5 years and/or £unlimited • Section 3 – Unauthorised Modification • An offence to modify any computer so as to impair the operation of any computer • Arrestable offence; 5 years and/or £unlimited
Computer Misuse Act 1990 (3) • Outlaws hacking for: • Curiosity • To steal credit cards, information, etc • To damage something – web defacement, etc • Outlaws computer viruses • But not obviously Denial of Service attacks • Review currently underway • Bill failed in Lords – rightly so!
Implications of Computer Misuse Act • Data stored on computers is not protected by the laws of property • So must be protected under CMA • Means you must define ‘authorised’ access • Acceptable Use Policy statements • On internal computers and on Web sites!
Other Laws • Data Protection Act 1998 • Makes it an offence for the hacker to process personal data • E.g. credit cards • But Principle 7 says you must enact ‘adequate technical and organisational’ mechanisms to protect it • Protection of Children Act 1978 • An offence to publish ‘indecent photographs’ of children • Criminal Justice Act 1988 • An offence knowingly to possess them
Other Laws (2) • Theft Acts • An offence to demand money with threats • E.g., Denial of Service plus extortion • Offences Against The Person Act • An offence to harass, threaten, etc • Also, laws against defamation • Slander or Libel?
Laws and Computers • A rich set of laws cover computer use and misuse • Computer is the • Agent • Victim • Witness • Means that computers will be • ‘in the witness box’; or • ‘on the exhibits table’
Nature of Computer Evidence • Evidence is • ‘That which can be seen’; or • ‘That which shows something’ • Computer data cannot be ‘seen’ • But it can be used to show something • And it can be represented to a court • But the process of turning computer records into evidence must be done carefully
Nature of Evidence • Direct versus Circumstantial • Computer evidence is ‘Direct’ if automatically produced; otherwise ‘Circumstantial’ • Real, Original and Hearsay • Again, relates to the ‘automatically produced’ aspect • Example, an email message • Real evidence is the hard disk drive • Original evidence is the header detail and records • Hearsay evidence is the email content
Nature of Evidence (2) • Hearsay evidence is generally not admissible • Unless special provision is made • Must be able to produce ‘Best Evidence’ • In practice, means produce the disk drive as an exhibit • But then derive further exhibits by the process of forensics from this disk
Computer Forensics • The process of deriving evidence from computer data • Requires that the data is shown to be reliably obtained • Is not changed in any way • Is complete • Can be repeated • And most importantly, that it can be understood!
Sources of Computer Evidence • Personal Computers • Principally, the disk drive • Server Computers • Running processes • Contents of file system • Removable media • Automatically-produced log files • E.g., firewall, IDS, proxy, etc
Evidence Process • Identify • What sources are available? • Seize • ‘Bag and Tag’ Best Evidence • Transport • Safely and responsibly take the best evidence to a secure location • Receive • Accept responsibility for the evidence • Store • Ensure it is securely held, free from risk of contamination
Evidence Process (2) • Preserve • Take a reliable copy of the evidence • Reserve • Put the original Best Evidence source in a secure place • Analyse • Investigate the evidence on the preserved copy • Produce • Identify the exhibits that establish facts • Testify • Create a statement and go to court
Problems • Evidence from running computers • How do you make this ‘repeatable’? • Volumes of data to be analysed • Making sure process of analysis doesn’t change data • Use an ‘Imaging’ program like EnCase? • Proving you haven’t changed anything • Best is to make change impossible • Presenting the stuff in court!
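An added example, not part of the original slides, of the ‘Preserve’ step and of showing afterwards that nothing has changed. It assumes SHA-256 digests as the integrity check (the slides name only imaging with a tool such as EnCase); the function names and the sample image are constructed for illustration.

```python
import hashlib, os, tempfile

CHUNK = 1 << 20  # read in 1 MiB blocks so large images never sit in memory

def sha256_file(path):
    """Hash a file by reading it only; it is never opened for writing."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def preserve(source, copy):
    """Copy source in a single read pass, hashing exactly what was read,
    then re-read the copy independently and compare digest and size."""
    h, size = hashlib.sha256(), 0
    with open(source, "rb") as src, open(copy, "xb") as dst:  # "x": never overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
            size += len(block)
    record = {"source_sha256": h.hexdigest(), "bytes": size,
              "copy_sha256": sha256_file(copy)}
    record["verified"] = (record["source_sha256"] == record["copy_sha256"]
                          and size == os.path.getsize(source))
    return record

def still_intact(path, record):
    """Repeatable check: any later examiner can recompute and compare."""
    return (os.path.getsize(path) == record["bytes"]
            and sha256_file(path) == record["source_sha256"])

def demo():
    """Constructed sample: a small stand-in 'disk image' in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "original.img")
        cpy = os.path.join(d, "working.img")
        with open(src, "wb") as f:
            f.write(b"constructed sample sector data\n" * 4096)
        rec = preserve(src, cpy)
        before = still_intact(cpy, rec)
        with open(cpy, "r+b") as f:  # simulate analysis altering one byte
            f.seek(100)
            f.write(b"X")
        after = still_intact(cpy, rec)
        return rec["verified"], before, after, still_intact(src, rec)

if __name__ == "__main__":
    print(demo())
```

A digest comparison only detects change; it does not prevent it, which is why the slide's preference for making change impossible still applies to the original source.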
Statements (2) • Qualifications • Statement of understanding • “I am told that the defendant had a computer…” • Definitions of terms • Points to be addressed • “I am asked to consider…” • Findings
Expert Witnesses • Servants of the court • Help court to understand complex evidence ‘outside of their normal experience’ • Allowed to express an opinion • Allowed to attend entire trial • Paid for attendance • Must be able to demonstrate their expertise • E.g., academic qualifications
Pre-Trial Experience • Experts for prosecution and for defence • Exchange statements • Raise and exchange ‘Rebuttal Statements’ • Meet to agree evidence • What is agreed? • What is agreed as disagreed? • What points need not be put before the court? • Common terms and definitions
Courtroom Experience • Prosecution bats first • So definitions are presented by the expert called for the prosecution • Examination • Initial points, then detail • Cross-examination • Defence tries to trip you up • Re-examination • Prosecution picks you up and dusts you down
Problems in Court • Being led by the defence questions • “It’s right, isn’t it…?” • Being lured into providing arcane details • “Perhaps the witness would care to explain public key cryptography to the Jury?” • Being led outside area of expertise • “Perhaps the witness would care to explain how he can be sure that this was a picture of a child?”
Defence Tactics • Current best defence is the ‘Trojan defence’ • Computer was hacked • R v Caffrey – ‘Invisible’ hacker • Computer had a virus • Computer had a series of pop-ups • Most laws require the prosecution to prove intent • Mens Rea?
Trojan Defence in Child Pornography • Criminal Justice Act 1988 • It is an offence to possess an indecent photograph of a child • It is a defence for the accused to prove • He had not looked at it and had no reason to believe it was indecent; or • He did not ask for it, it was not asked for on his behalf, and he took steps to remove it as soon as possible
Trojan Defence (2) • Pop up is an involuntary download • But still in possession • If pop-up, will have looked at it • Was it asked for on his behalf? • And if it’s still in Temporary Internet Files, could we argue he did not take steps to remove it? • And, crucially, is this fair?
The Future? • Encryption and secure deletion will spoil a lot of current ‘Best Evidence’ • But we will still have lots of records • Need to ensure ruling in R v Caffrey does not spoil other cases • Need a way to educate juries • Need a way to train lawyers • Need broader knowledge of the issues!
Thank you! • neil.barrett@btinternet.com • 07712 865774 • Prof Neil Barrett, Centre for Forensic Computing, RMCS Shrivenham, University of Cranfield, Shrivenham, Swindon