Obtaining and Using Electronic Evidence: Issues, Cases, and Theories
Philip A. Guentert
Agenda
How do we obtain electronic evidence?
What are we trying to prove? Thinking about
the elements of the offense
Where is the electronic evidence? Looking for
proof of the cybercrime
Where do we start? Preserving and identifying
Agenda
How do we use electronic evidence in
court?
The admissibility of computer evidence:
hearsay and authentication
The presentation of computer evidence:
THINKING ABOUT THE
ELEMENTS OF THE OFFENSE
Elements of §4 of Malaysian
Computer Crimes Act of 1997
Causing a computer to perform any
function with intent to secure access;
Where the access is unauthorized;
Knowing that it is unauthorized;
And acting with the intent:
to commit an offence involving fraud or
dishonesty or which causes injury as defined in the Penal Code; or
to facilitate the commission of such offense
LOOKING FOR PROOF OF THE
CYBERCRIME
Where (watch)
NOW Where’s the evidence?
These are breath strips.
This watch has USB
PRESERVING AND
IDENTIFYING PROBATIVE
EVIDENCE
Preserving Electronic Evidence
Device or other computer
Consult a specialist
Photograph screen and device.
Goal is to preserve: do not search device.
When to interrupt or maintain power
Collect peripherals, cables, and documentation.
Network
Investigative Questions
Cybercrime involves “people evidence” as
well as electronic evidence
What questions do you ask about a
Investigative Questions (cont.)
General for all cybercrime
Contact info for system administrator
When and where devices obtained
Identity of those with access to devices and their level
of experience
Scope of their access, local or remote
Their usernames and passwords
Which programs they use
E-mail addresses, on-line storage
Investigative Questions (cont.)
Example for specific cybercrime: fraud
Victim questions:
Which accounts involved? Recent unusual activity?
Have you provided personal information to any organization or individual? For what purpose?
Recently completed credit applications or loan documents?
Maintain personal information on computer?
Have any financial statements gone missing in the mail?
Have you checked your credit reports?
Suspect questions:
Where is computer? Was it used for on-line purchases?
U.S. v. Fei Yei (2007)
Four defendants convicted of economic
espionage charges based on their theft of trade secrets concerning integrated circuit design from Silicon Valley companies
Initial seizure at airport provided basis for
search warrants at residences
U.S. v. Fei Yei
Searches at residences provided basis for
e-mail searches at ISPs
Results:
Five Yahoo e-mail accounts: 25,000 pages of e-mails
Yahoo groups account: 500 pages of postings
Hypermart FTP storage account
U.S. v. Vysochanskyy
(2005)
Ukrainian convicted of
selling thousands of copies of pirated
software through multiple web sites
Intermediaries in U.S.
U.S. v. Vysochanskyy
Obstacles for the network search v.
computer search
U.S. v. Fetterman (2004)
Defendant convicted of scheme to defraud
eBay buyers through shill bids and phony masterpieces
U.S. v. Fetterman
Over 500 auctions and $450,000 in sales
involved
Concealment as evidence of criminal
intent
Over 50 phony eBay
user registrations
THE ADMISSIBILITY OF
COMPUTER RECORDS
Hearsay
People may misinterpret or misrepresent
their experiences
Hearsay is an out-of-court statement by a
person offered for its truth
Electronic evidence that is entirely
U.S. v. Blackburn: Correct holding?
Bank robber leaves eyeglasses in getaway car. At trial, prosecution offers computer-generated report showing that glasses match prescription of defendant.
Appellate court holds that report was hearsay that required
evidentiary foundation for
Authentication
Authenticating an exhibit requires
evidence sufficient to support finding that it is what its proponent claims it to be.
Authenticating computer records does not
Questions Judges Have About
Authenticity of Computer Evidence
Do I know what person produced the computer record?
Can I rely on the computer program used
to produce the record?
Do I know whether the record was altered
U.S. v. Simpson
Court holds that chat room records for "Stavron" properly authenticated as statements of child-pornography defendant Simpson.
Circumstantial evidence included (1) chat with undercover agent giving real name as "B. Simpson" and a home address that matched Simpson's, (2) access to the
THE PRESENTATION OF
COMPUTER RECORDS
Explaining Technical Evidence:
Expert Testimony
Rule 702: “If scientific, technical, or other
specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue, a witness
qualified as an expert by knowledge, skill, experience, training, or education, may
testify thereto in the form of an opinion or otherwise, if [following requirements
The value of expert testimony about
cybercrime is more than the opinion. . . .
[explanation of complex technical
Demonstrative aids
Rule 611(a): “The court shall exercise
reasonable control over the mode and order of interrogating witnesses and
Demonstrative aids (cont.)
Use during testimony—examples
Map: illustrate locations
Diagram: illustrate process
Selections from documents and
records
Outline of testimony
Model
Demonstrative aids (cont.)
Use during opening statement/closing
argument—examples
Opening
Chronology Organization
Closing
Key issue
Questions or comments
Philip A. Guentert
guenterpa@state.gov