Obtaining and Using

Electronic Evidence:

Issues, Cases, and

Theories

Philip A. Guentert

Agenda

How do we obtain electronic evidence?

  What are we trying to prove? Thinking about

the elements of the offense

  Where is the electronic evidence? Looking for

proof of the cybercrime

  Where do we start? Preserving and identifying

Agenda

How do we use electronic evidence in

court?

  The admissibility of computer evidence:

hearsay and authentication

  The presentation of computer evidence:

THINKING ABOUT THE

ELEMENTS OF THE OFFENSE

Elements of §4 of Malayasian

Computer Crimes Act of 1997

Causing a computer to perform any

function with intent to secure access;

Where rhe access is unauthorized; Knowing that it is unauthorized;

And acting with the intent:

  to commit an offence involving fraud or

dishonesty or which causes injury as defined in the Penal Code; or

  To facilitate the commission of such offense

LOOKING FOR PROOF OF THE

CYBERCRIME

9

Where (watch)

NOW _{Where’s the}

evidence?

These are breath strips.

10

This watch has USB

PRESERVING AND

IDENTIFYING PROBATIVE

EVIDENCE

Preserving Electronic Evidence

Device or other computer

  Consult a specialist

  Photograph screen and device.

  Goal is to preserve: do not search device.

  When to interrupt or maintain power

  Collect peripherals, cables, and

documentation. Network

Investigative Questions

Cybercrime involves “people evidence” as

well as electronic evidence

What questions do you ask about a

Investigative Questions (cont.)

General for all cybercrime

  Contact info for system administrator

  When and where devices obtained

  Identity of those with access to devices and their level

of experience

  Scope of their access, local or remote

  Their usernames and passwords

  Which programs they use

  E-mail addresses, on-line storage

Investigative Questions (cont.)

Example for specific cybercrime: fraud   Victim questions:

Which accounts involved? Recent unusual activity?

Have you provided personal information to any organization or individual? For what purpose?

Recently completed credit applications or loan documents?

Maintain personal information on computer?

Have any financial statements gone missing in the mail?

Have you checked your credit reports?

  Suspect questions:

Where is computer? Was it used for on-line purchases?

U.S. v. Fei Yei (2007)

Four defendants convicted of economic

espionage charges based on their theft of trade secrets concerning integrated circuit design from Silicon Valley companies

Initial seizure at airport provided basis for

search warrants at residences

U.S. v. Fei Yei

Searches at residences provided basis for

e-mail searches at ISPs

Results:

  Five Yahoo e-mail accounts 25,000 pages of e-mails

  Yahoo groups account 500 pages of postings

  Hypermart FTP storage account

U.S. v. Vysochanskyy

(2005)

Ukrainian convicted of

selling thousands of copies of pirated

software through multiple web sites

Intermediaries in U.S.

U.S. v. Vysochanskyy

Obstacles for the network search v.

computer search

U.S. v. Fetterman (2004)

Defendant convicted of scheme to defraud

eBay buyers through shill bids and phony masterpieces

U.S. v. Fetterman

Over 500 auctions and $450,000 in sales

involved

Concealment as evidence of criminal

intent

  Over 50 phony eBay

user registrations

THE ADMISSIBILITY OF

COMPUTER RECORDS

Hearsay

People may misinterpret or misrepresent

their experiences

Hearsay is an out-of-court statement by a

person offered for its truth

Electronic evidence that is entirely

U.S. v. Blackburn: Correct holding?

Bank robber leaves eyeglasses in getaway car. At trial, prosecution offers computer-generated report showing that glasses match prescription of defendant.

Appellate court holds that report was hearsay that required

evidentiary foundation for

Authentication

Authenticating an exhibit requires

evidence sufficient to support finding that it is what its proponent claims it to be.

Authenticating computer records does not

Questions Judges Have About

Authenticity of Computer Evidence

Do I know what person produced the

computer record?

Can I rely on the computer program used

to produce the record?

Do I know whether the record was altered

U.S. v. Simpson

Court holds that chat room records for "Stavron" properly authenticated as statements of child-pornography defendant Simpson.

Circumstantial evidence included (1)chat with undercover agent giving real name as "B. Simpson" and a home address that matched Simpson's (2) access to the

THE PRESENTATION OF

COMPUTER RECORDS

Explaining Technical Evidence:

Expert Testimony

Rule 702: “If scientific, technical, or other

specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue, a witness

qualified as an expert by knowledge, skill, experience, training, or education, may

testify thereto in the form of an opinion or otherwise, if [following requirements

The value of expert testimony about

cybercrime is more than the opinion. . . .

[explanation of complex technical

Demonstrative aids

Rule 611(a): “The court shall exercise

reasonable control over the mode and order of interrogating witnesses and

Demonstrative aids (cont.)

Use during testimony—examples

  Map

  Diagram

Illustrate locations Illustrate process

  Selections from documents and

records

  Outline of testimony

  Model

Demonstrative aids (cont.)

Use during opening statement/closing

argument—examples

  Opening

Chronology Organization

  Closing

Key issue

Questions or comments

Philip A. Guentert

guenterpa@state.gov