
Computer Forensics For Lawyers

Computer Forensics For Lawyers. Judge Tanya Bullock Virginia Beach Juvenile & Domestic Relations District Court. Computers. Cell Phones/Smart Phones IPad/Tablet IPod GPS Wii, Nintendo DS, Xbox, PlayStation Fitness trackers And more…. Digital evidence.


Presentation Transcript


  1. Computer Forensics For Lawyers. Judge Tanya Bullock, Virginia Beach Juvenile & Domestic Relations District Court

  2. Computers • Cell Phones/Smart Phones • iPad/Tablet • iPod • GPS • Wii, Nintendo DS, Xbox, PlayStation • Fitness trackers • And more…

  3. Digital evidence. Information that has probative value to an issue in the case, that is stored or transmitted in binary form (computer language) and may be relied on in court. Sometimes referred to as electronically stored information (ESI).

  4. Digital evidence. There are two types of digital evidence: 1) User-created digital evidence. 2) Computer/Network-created digital evidence.

  5. Digital evidence. User-created digital evidence includes: • Text (email, documents, chats) • Address books • Bookmarks • Databases • Images (photos, drawings, diagrams) • Video and sound files • Web pages

  6. Digital evidence. Computer/Network-created digital evidence includes: • Email headers • Metadata • Activity logs • Browser cache, history, cookies • Backup and registry files • Configuration files, swap files

  7. Inside the box vs. Outside the box

  8. Inside the box. What the computer owner has possession of is “inside the box”. • Computer’s hard drive and other memory • CDs and USB drives • iPods • Cell phones • External hard drives

  9. Outside the box. What is not stored on the owner’s computer or in the owner’s possession is “outside the box”. • Online email accounts (Gmail and Yahoo) • Internet shopping accounts • Social networking accounts • Backups of text messages • Cell site location data • Subscriber account records • Contents of websites

  10. Computer forensics. The process of acquiring, preserving, analyzing and presenting digital evidence for use in investigations and court proceedings.

  11. Acquisition process • The process of collecting evidence should make no changes to the media being examined. • Collection of the evidence should be done in a manner that establishes a verifiable chain of custody over the data, preserves data integrity and allows tracing of particular files or evidentiary items back to the original source. • The process should preserve the collected information, and copies made of it, in its original form.

  12. Admissibility vs. Authenticity

  13. Admissibility. Lorraine v. Markel American Ins. Co., 241 F.R.D. 534 (D. Md. 2007)

  14. In order for ESI to be admissible, the proponent admitting the digital evidence must: • Show the ESI is relevant • Establish admissible facts to show that the item is authentic • Deal with any hearsay • Determine if the best evidence rule applies or meets an exception • Argue that the probative value outweighs its prejudicial effect

  15. Cell phones

  16. Provider records. Each provider keeps call detail records (CDR) of cell phone activity • Detailed records of each call • Tower location information and call duration • Data transfer sizes and rates • GPS information • Need warrant or court order to obtain information

  17. Records on the phone • Pictures, music, documents • Contact lists, notes, memos • Email, mail attachments, instant messages, text messages • Browser history/downloads

  18. Privacy rights • ECPA – Electronic Communications Privacy Act (1986) • HIPAA • FERPA – Family Educational Rights and Privacy Act • Stored Communications Act • Wiretap Act • Many, many more…

  19. Text messages

  20. Dalton v. Commonwealth, 64 Va. App. 512 (2015)

  21. Dalton Holding: Text messages constitute writings which are subject to the best evidence rule.

  22. Best Evidence Rule. To prove the content of a writing, the original writing is required, except as otherwise provided in these Rules, Rules of the Supreme Court of Virginia, or in a Virginia statute. (Va. Supreme Court Rule 2:1002)

  23. Best evidence rule. Exceptions: • Originals lost or destroyed • Original not obtainable • Original in possession of opponent • Collateral matters

  24. Authentication • Business records (some businesses back up cell phone data) • Forensic Examiner - Expert Witness • They generally can rule out if the digital evidence has been altered, changed or deleted • Note: Many devices will allow you to delete parts of a text message and leave the rest.

  25. Authentication • Self Authentication • Witness personal knowledge • Distinctive characteristics

  26. Texting apps • Text Now • Fake Text Message • Anonymous Text • WhatsApp • Whisper • Snapchat • Cyber Dust • Kik • Text 4 Free • Many, many more

  27. Video-chat • FaceTime • Skype • Tango • Text’em • Periscope

  28. Social media

  29. Social media. Forms of electronic communication (as Web sites for social networking and microblogging) through which users create online communities to share information, ideas, personal messages, and other content. (Webster’s Dictionary)

  30. Social networking. Commercial internet sites that provide subscribers server space to create a mini-website to which they control access.

  31. Social media/e-discovery. Survey shows percentage of e-discovery requests that involve: • Documents 68% • Databases 61% • Email 58% • Social media 41%

  32. Position of social networking sites on customer account information • Google – “it’s all content”, “we only accept process from local Superior Court (Santa Clara County California) or federal courts.” • Facebook – “it’s all content and we don’t comply with subpoenas in civil cases” • Twitter – only respond to law enforcement requests with a valid search warrant or court order, and they notify the user of the request before they turn over the information.

  33. Authentication. Judge Paul Grimm

  34. Existing case law: “clear as mud”. Griffin v. State, 419 Md. 545 (2011) – Court of Appeals. Holding: The proper means to authenticate printouts of postings on social media sites is as follows: • Ask the purported creator if she indeed created the profile and also if she added the posting in question; • Search the computer of the person who allegedly created the profile and posting and examine the computer’s internet history and hard drive to determine whether that computer was used to originate the social networking profile and posting in question; and

  35. Existing case law: “clear as mud”. • Obtain information directly from the social networking website that links the establishment of the profile to the person who allegedly created it and also links the posting sought to be introduced to the person who initiated it. See also: Commonwealth v. Wallick, Commonwealth v. Williams, People v. Beckley and State v. Eleck

  36. Existing case law: “clear as mud”. Tienda v. State, 358 S.W. 3d 633 (2012) – Texas Court of Appeals. Holding: There were far more circumstantial indicia of authenticity in Tienda than in Griffin. There was ample circumstantial evidence – taken as a whole with all of the individual particular details considered in combination – to support a finding that the Myspace pages belonged to the appellant and that he created and maintained them.

  37. At a minimum, when confronted with digital evidence, judges and attorneys should address the following questions: • How was the evidence collected? • Where was the evidence collected? • What types of evidence were collected? • Who handled the evidence before it was collected? • When was the evidence collected?

  38. Hearsay. Computer generated data is generally NOT hearsay because hearsay is a statement offered by a “declarant”. A declarant is defined as a person. (Virginia Rules of Evidence 2:801)

  39. 4th Amendment. The right of the people to be secure in their persons, houses, papers and effects against unreasonable searches and seizures shall not be violated.

  40. 4th Amendment. Triggers: • Is there government activity? • Did that activity intrude upon a protected interest? • Does the defendant have standing (a protected interest in the object searched or seized)? The general rule is that warrantless searches are presumed unlawful.

  41. Exceptions • Terry Stop & Frisk • Search Incident to Arrest • Plain view/plain feel • Exigent circumstances • Inventory searches • Consent • Automobile exception

  42. Riley v. California, 134 S. Ct. 2473 (2014). Holding: Search incident to arrest does not allow law enforcement to search cell phones. Digital information on a cell phone does not fit within the search incident to arrest exception to the warrant requirement. (See also United States v. Wurie, 134 S. Ct. 999)

  43. Riley v. California, 134 S. Ct. 2473 (2014) • There is a reasonable expectation of privacy in our phones • 4th Amendment does not apply to abandoned property • Law applies to computers as well.

  44. Search warrants • Cell phones are equivalent to a house. • Law enforcement must be specific in what part of the phone they want to search as well as what they are looking for. • The warrant must be “specific and particular” about places and items to be seized

  45. Questions?
