
Computer Forensics BACS 371

Computer Forensics BACS 371. Basic Law Terms and Concepts. Introduction. The legal system in the United States has a long history. It is based on Old English Common Law, but has evolved into a uniquely complex system.


Presentation Transcript


  1. Computer Forensics BACS 371 Basic Law Terms and Concepts
  2. Introduction The legal system in the United States has a long history. It is based on Old English Common Law, but has evolved into a uniquely complex system. This system has many terms and concepts that require explanation to ensure that computer forensic professionals do not make mistakes that jeopardize cases.
  3. Definition of Crime A crime is an offensive act against society that violates a law and is punishable by the government. Two important principles in this definition: The act must violate at least one current criminal law. It is the government (not the victim of the crime) that punishes the violator. Given this, until a law exists addressing an action, there is no “crime” in doing it.
  4. Criminal Statutes Criminal laws are defined in rules called “criminal statutes.” All criminal statutes define crimes in terms of what are known as the “elements” of the offense. These include: Required acts A required state of mind (“intent”) The prosecutor tries to persuade the judge and/or jury that the person charged with the crime (the “defendant”): Did the acts Had the intent described in the statute
  5. Cybercrime Statutes and Acts Generally, laws and statutes lag behind the “latest trends” in cyber crime. Given that an act isn’t a crime until a law exists, this means that many cyber exploits are allowed to happen at least once free of punishment. Once a law exists, it is still a challenge for the statute to keep up with new cyber crime trends and abuses.
  6. Crime Categories and Sentencing Crimes are divided into two broad categories: Felonies—serious crimes punishable by fine and more than one year in prison. Misdemeanors—lesser crimes punishable by fine and less than one year in prison. Sentencing guidelines give directions for sentencing defendants to ensure consistency. Tougher sentencing guidelines for computer crimes came into effect in 2003. Since then these have been tested and fine-tuned to a certain extent. Now, certain types of computer crime can result in a life sentence.
  7. Cyber Crime Categories The terms computer crime, cyber crime, information crime, and high-tech crime are generally used interchangeably. Two categories of offenses that involve computers: Computer as instrument—computer is used to commit the crime. Computer as target—computer or its data is the target of the crime. In some cases, the computer can be both the target and the instrument.
  8. Investigation Types There are 3 different types of investigations: Internal Investigation – generally kept secret (initially) Civil Investigation – between individuals Criminal Investigation – between government and individual Investigations have multiple stakeholders. Court-based cases have: Plaintiff – entity that brings the charges Defendant – entity that is charged Lawyers (usually) & Judges
  9. Civil vs. Criminal Charges There are 2 major categories of criminal charges: civil and criminal. Each has its own system of courts and procedures. Civil charges are brought by a person or company. Parties must show proof they are entitled to evidence. Criminal charges can be brought only by the government. Law enforcement agencies have authority to seize evidence. Penalties are generally more severe and can include loss of liberty and/or life.
  10. Comparing Criminal and Civil Laws (Continued)
  11. Criminal and Civil Laws (Cont.)
  12. Evidence Basics Evidence is proof of a fact about what did or did not happen. To be legally admissible, evidence must be reliable and relevant. At a minimum, to be admissible, evidence requires legal search and seizure along with a valid chain of custody. Three types of evidence can be used in legal proceedings: Testimony of a witness – based on your 5 senses Physical evidence – anything tangible Electronic evidence – (e-evidence) digital evidence which, by its nature, is intangible
  13. Evidence Basics Testimony of a witness is traditionally considered the “best” form of evidence (even though there are documented problems with this type of evidence). Physical and electronic evidence are “circumstantial” evidence. Circumstantial evidence is not a direct statement from an eyewitness or participant. It can be admissible and can be quite strong. Many cases are decided strictly based on this type of evidence. All e-evidence is, by its nature, circumstantial evidence. Both cyber crimes and traditional crimes can leave cybertrails of evidence.
  14. Evidence vs. Testimony Arguments by attorneys, comments by judges, and witnesses’ answers to questions are not evidence. Maps, models, simulations, or other materials used to demonstrate and explain matters also are not evidence. Each of these is testimony which, based on the ruling of a judge, may be allowed as evidence. It is a subtle, but important distinction.
  15. Use of Evidence As stated previously, testimony is not automatically evidence, but may be admissible and allowed as evidence. The job of the lawyer is to put evidence together into a crime hypothesis that makes sense to the judge and/or jury. Evidence that: Supports hypothesis = inculpatory Contradicts hypothesis = exculpatory
  16. Forensic Use of E-Evidence Federal rules of evidence state that accurate copies of electronic data are “originals.” What this means to forensic investigators is that an exact copy of electronic evidence can be analyzed and processed as if it were the original copy. This is important because it means that the “best evidence rule” can be applied to e-evidence. Without this exception, analysts would be required to bring the physical computer into the courtroom to admit something as simple as an email into evidence.
  17. Evidence Terms & Concepts Admissible evidence - evidence allowed to be presented at trial. Must be authenticated. Inadmissible evidence - evidence that cannot be presented at trial. Material evidence - evidence relevant and significant to the legal action. Immaterial evidence - evidence that is not relevant or significant to the legal action.
  18. Evidence Terms & Concepts Inculpatory evidence - evidence that supports a given theory. Exculpatory evidence - evidence that contradicts a given theory. Tainted evidence - evidence obtained from illegal search or seizure. Artifact evidence - evidence modified or added to a crime scene that causes the investigator to incorrectly think that it relates to the crime.
  19. Evidence Terms & Concepts Circumstantial evidence - evidence that is not a direct statement from an eyewitness or participant. Documentary evidence - physical or electronic evidence (which makes it circumstantial also). Hearsay evidence - secondhand evidence. Generally inadmissible. Expert testimony - is generally admissible. It is an exception to the hearsay rule.
  20. Evidence Terms & Concepts E-evidence - generic term for any electronic evidence. E-evidence is another exception to the hearsay rule. Rules of Evidence - published rules by which the courts determine what evidence is admissible. Best Evidence Rule - “[i]f data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original.’”
  21. Discovery Discovery is the process whereby each party has a right to learn about the other’s evidence. This is where it is determined if evidence is relevant. All evidence must be disclosed in advance. Evidence not disclosed in advance may be deemed inadmissible. Includes information that must be provided by each party if requested. There are many methods of discovery.
  22. Discovery Methods Interrogatories Written answers made under oath to written questions Requests for admissions Intended to ascertain the authenticity of a document or the truth of an assertion Requests for production Involves the inspection of documents and property Depositions Out-of-court testimony made under oath by the opposing party or other witnesses
  23. Electronic Discovery (E-Discovery) Zubulake v. UBS Warburg (2003) - Landmark case involving e-discovery. Based on this case, courts recognized five categories of stored data which could be used for e-discovery. Active, online data Near-line data Offline storage/archives Backup tapes Erased, fragmented, or damaged data The result was an increased demand for e-discovery based on this (and related) rulings.
  24. E-Discovery Companies are required to take steps to preserve e-evidence even before being told to do so. When ordered to do so, companies are required to turn over requested e-records in readable format by a specified date. Courts generally view the failure to respond to e-discovery as an attempt to hide guilt. Destruction of e-evidence is called “spoliation” and is considered “obstruction of justice.” Regardless of how expensive it is, companies must comply with discovery requests and produce requested records.
  25. Summary A crime is an offense that violates an existing law. Criminal laws are defined by criminal statutes and are punishable according to sentencing guidelines. Crimes are divided into two categories: felonies and misdemeanors. There are two categories of criminal charges: civil and criminal. Evidence is proof of a fact about what did or did not happen. For evidence to be used in a trial, it must be material and admissible.
  26. Summary (Cont.) E-evidence is circumstantial by definition. E-evidence is considered as an original copy if it is collected properly. Evidence that supports a hypothesis is inculpatory and evidence that contradicts a hypothesis is exculpatory. The forensic analyst is objective and collects both types of evidence. E-discovery is the process of disclosing electronic evidence prior to trial.