CYBERCRIMES: any crime in which a computer or other digital device plays a role, & thus involves digital evidence.
I. Sources, Types, & Locations of Digital Evidence
a. Digital Evidence: info of probative value that is stored or transmitted in binary form & may be relied upon in court.
b. User Created
i. Texts (documents, email, chats, instant messages)
ii. Address Books
v. Images (photos, drawings, diagrams)
vi. Voice & Sound (films, voicemail, .wav files)
vii. Web Pages
viii. Hidden Files
c. Computer Created
i. Email Headers
ii. Metadata- information about the data
1. Digital Camera Images Metadata- date, time taken, exposure info, serial number, description of photo, location where taken
iii. Activity Logs
iv. Browser Cache, History, Cookies
v. Backup & Registry Files
vi. Configuration Files
vii. Printer Spool Files
viii. Swap Files & Other Transient Data
ix. Surveillance Tapes & Recordings
d. Forms of Digital Files
i. Present/Active- documents, spreadsheets, images, emails, etc.
ii. Archives- backups
iii. Deleted- files left in slack & unallocated space
iv. Encrypted or otherwise hidden
v. Compressed or corrupted
e. Forensics- evidence to establish an evidentiary basis for arguing about facts in court cases; involves preservation, identification, extraction, documentation, & interpretation of computer media for evidentiary/root cause analysis
i. Goal: reliably determine if evidence exists, and if so, to be able to use it in some subsequent action; w/o proper procedures, usefulness of info obtained is compromised.
ii. Deleted Files: computer analyst can recover deleted file/parts of deleted file from unallocated file space until file system writes new file or data over it.
iii. Metadata: does contain useful info about file
iv. Steps in Collecting Computer Forensics:
1. Seizing computer evidence (bagging & tagging)
2. Imaging seized materials
3. Searching image for evidence
4. Presenting digital evidence in court
v. Basic Steps: 3 As
1. Acquiring evidence w/o altering or damaging original
a. Handle carefully: chain of custody, evidence collection, evidence identification, transportation, and storage
b. Make copies; document, document, document
c. Preserve all the data; virtual snapshot (including reformatted, erased, slack, unallocated, & virtual memory data)
2. Authenticating that acquired evidence is same as data originally received
a. Proving that evidence to be analyzed is exactly same as what suspect/party left behind.
b. Readable text & pictures don’t magically appear at random; calculate hash values for original evidence & images/duplicates
3. Analyzing evidence w/o modifying it
a. Work on bit-stream image of evidence, never original to prevent damage to original
b. Analyze everything- clues may be in areas/files seemingly unrelated
c. Locations to Analyze
a. Existing files- mislabeled or hidden
b. Deleted Files- trash bin, etc.
c. Free Space- currently unoccupied or unallocated; may have held info before (deleted files, files moved during defragmentation, old virtual memory)
d. Slack Space- space not occupied by active file but not available for use by operating system.
e. Swap Space- virtual memory
f. Other sources of transient data- browser cache, history, cookies, residual chat data, activity logs, registry & registry back-up files.
vi. Countermeasures/Ways to hide data
2. Password protection schemes
3. Steganography- hiding a pic w/in another pic
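As an added illustration of the acquisition and authentication steps above (this script is not part of the outline), the Python below makes a bit-stream copy of a constructed sample medium, records MD5 and SHA-256 digests of original and copy, and shows that a single altered byte in a copy fails authentication; the file names and sample bytes are assumptions for the demo.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads: images are hashed in chunks, never loaded whole

def _hash_chunks(chunks, algorithms):
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_bytes(data, algorithms=("md5", "sha256")):
    """Digests of an in-memory buffer, e.g. a recovered fragment."""
    return _hash_chunks([data], algorithms)

def hash_file(path, algorithms=("md5", "sha256")):
    """Digests of a file on disk; md5 and sha256 are recorded side by side."""
    with open(path, "rb") as f:
        return _hash_chunks(iter(lambda: f.read(CHUNK), b""), algorithms)

def acquire_image(source_path, image_path):
    """Bit-stream copy: every byte of the source, in order, into the image file."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)

def authenticate(source_path, image_path):
    """Second 'A': the image is authentic only if every digest matches the original."""
    original, duplicate = hash_file(source_path), hash_file(image_path)
    return original == duplicate, original, duplicate

def demo():
    # Constructed sample medium (not real evidence): active file text, a record
    # lingering in unallocated space, then zero-filled free space.
    medium = (b"ACTIVE: invoice.txt contents\x00" * 8
              + b"DELETED: old message still in unallocated space" + b"\x00" * 4096)
    with tempfile.TemporaryDirectory() as d:
        src, img, bad = (os.path.join(d, n) for n in ("drive.bin", "drive.dd", "bad.dd"))
        with open(src, "wb") as f:
            f.write(medium)
        acquire_image(src, img)
        # One flipped byte in a copy (e.g. an analyst writing to it) breaks authentication.
        tampered = bytearray(medium)
        tampered[100] ^= 0x01
        with open(bad, "wb") as f:
            f.write(tampered)
        return authenticate(src, img)[0], authenticate(src, bad)[0]
```

Calling demo() returns (True, False): the faithful image authenticates against the original, the altered copy does not.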
II. Search of Digital Evidence
a. Competing Views of the Nature of Digital Evidence Searches
i. Data are documents/containers analogy.
1. Rationale: cannot anticipate exact form of records; no principled distinction between digital and paper records
2. Warrant authorization includes containers reasonably likely to have items described in warrant; includes nontraditional, technological data; Data in computer storage = documents; writing or records include computer files.
3. Search limitations
a. Nature of crime
b. Nature of object sought
ii. Special approach to search of data.
1. Writings & computers are fundamentally different; must take special approach to digital evidence; w/ computers, you have tools that can refine the search, but in papers you may have to review a little of everything b/c no special “search” tool.
2. Different b/c vast array of info (docs, business records, financial r
b. Put need to search off site in warrant
b. Plain View
1. Prior valid intrusion
2. Observing object in plain view
a. If police validly in position to observe screen
3. Incriminating character of object immediately apparent
a. Immediately apparent= probable cause
4. Any inadvertence requirement explicitly rejected
a. Rejected in Horton as not a requirement under 4th amend
ii. View #1
1. Data is analogous to document search: can look at all data to ascertain value
iii. View #2
1. Imposes limitations on search such as searching by file name or file type
c. 4th Amendment Applicability: Expectations of Privacy (Inside the Box)
1. Does 4th Amend apply?
a. Need Gov’t intrusion (search)
b. Intrusion must invade protected interest (REP)
2. Was it satisfied?
ii. Two sided inquiry:
1. Government activity: search or seizure
2. Individual protected interest: liberty, privacy, possession; limitations: open fields, abandoned property, standing
iii. Expectation of Privacy Analysis
1. In general
a. Search: must have legitimate expectation of privacy invaded by gov’t
2. Two Prongs (if either prong is missing, not protected interest)
a. Individual has subjective expectation of privacy
b. Society recognizes that expectation as reasonable
iv. Workplace Searches: When do you have REP in data stored on workplace computer?
1. Leventhal v. Knapek
a. Reasonable expectation of privacy?
a. Private office w/ door
b. Exclusive use of desk, filing cabinet, and computer
c. DOT had no general practice of routinely conducting searches of office computer
d. Had not placed Leventhal on notice that he should have no expectation of privacy in contents of his office computer
Anti-theft policy did not prevent mere storage of personal materials in office