Chapter 16: Ensuring Legal Review

Introduction

At any time during the forensic investigation workflow, as discussed in Chapter 2, “Investigative Process Methodology,” it may be necessary to obtain legal advice regarding the current state of the case. This advice will provide the investigative team with a level of assurance that either (1) there is credible digital evidence to support legal proceedings or (2) the collected digital evidence does not support factual conclusions about the event(s) or incident(s).

Where the legal team determines that the strength of existing digital evidence is adequate, the investigation has met the criteria for progressing into formal legal proceedings. However, where the legal team determines that strength of existing digital evidence is deficient, the investigative team must work with the legal advisors to identify what additional actions and activities are required to progress into formal legal proceedings.

The Role of Technology in Crime

In relation to crime, technology can play multiple roles that can then be used to gather and process several types of evidence. Depending on how much digital evidence is contained within any given piece of technology, it may or may not be authorized for seizure and subsequent collection as evidence as part of an investigation. When technology plays a significant role in criminal activity, it is much easier to justify its seizure so evidence can be processed.

Through the years, several authors have tried to develop a standard classification scheme for the distinct roles technology can play in crime. In the 1970s, Donn Parker was one of the first individuals to recognize the potential seriousness of technology-related crimes, which led him to create the following four categories, which remain relevant today:

1.  Object of crime applies when technology is affected by the crime (e.g., when a device is stolen or damaged).

2.  Subject of crime applies when technology is in the environment in which the crime was committed (e.g., system infected by malware).

3.  Tool of crime applies when technology is used to conduct or plan crime (e.g., illegally forged documents).

4.  Symbol of crime applies when technology is used to deceive or intimidate (e.g., falsified investment profits).

Distinguishing when technology plays one role or another is important on many levels. For example, knowing when technology is an object or subject is important because, from the perspective of the practitioner, this demonstrates intent of the perpetrator. Also, when technology is a tool, like a gun or other weapon, this could lead to additional charges or increased punishment. However, although technology as a symbol may seem irrelevant because no actual system is involved in the crime, when categorized under this role technology is represented as an idea, a belief, or any entity that can be useful in understanding motivations for committing the crime. As an example, the chief executive officer (CEO) is a symbol of her organization and as such can become either the victim or target of crime because of what she symbolizes.

In 1994, the U.S. Department of Justice (USDOJ) developed its own categorization scheme that made a clear distinction between hardware, being physical components, and information, being data and programs that are stored or transmitted. It is important to note that a single crime can fall into one or more of these categories; for example, when a system is used as the instrument of crime, it may also contain information as evidence. The categories proposed by the USDOJ include:

•  Hardware as contraband or fruits of crime, that is, any item that is illegal to be possessed or was obtained illegally

•  Hardware as an instrumentality, that is, when technology played a role in committing the crime, such as a gun or weapon

•  Hardware as evidence (i.e., scanners with unique characteristics that can be used and linked to the creation of digitized content)

•  Information as contraband or fruits of crime, that is, computer programs that can encrypt content to conceal evidence

•  Information as an instrumentality, that is, programs used to break into other systems

•  Information as evidence, that is, digital artifacts revealing a user’s activities on a system

In 2002, the USDOJ updated the categorization scheme as part of the publication titled “Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations.” The most notable difference in the updated categorization was the realization that data and program content, not the hardware, is usually the target of the crime; but even when information is the target, collecting the hardware may be required.

Laws and Regulations

In many geographic regions, there are laws and regulations that dictate how technology can be used, such as information privacy, anti-spamming, and data exporting. Designed to connect technology with risk, these laws and regulations can be generally grouped into one of the following categories. Online references related to the following types of laws and regulations can be found in the Resources section at the end of this book.

Information Technology (IT) Law

Unbeknownst to some, most activities on the Internet, whether for business or personal use, are governed by some type of law. Information technology law, otherwise referred to as technology law or IT law, is the body of law that allows legal systems to regulate the collection, storage, and transmission of digital information within the boundaries of their jurisdictions, such as:

•  Payment Card Industry Data Security Standard (PCI DSS): Originally introduced in 2008, and last revised in 2016, these standards cover both technical and operational system components included in or connected to cardholder data (i.e., credit cards).

•  Sarbanes–Oxley Act (SOX): Introduced in 2002, this legislation is mandatory for all organizations to follow. It regulates financial practice and corporate governance.

•  Health Insurance Portability and Accountability Act (HIPAA): Passed by the U.S. Congress in 1996, this legislation mandates industry-wide standards for the protection and confidential handling of protected health information to reduce fraud and abuse.

•  General Data Protection Regulation (GDPR): Passed by the European Parliament in 2016, this legislation addresses the unified protection of personal data outside of the European Union with the primary objectives of (1) giving control over their personal information back to citizens and residents and (2) simplifying the regulatory environment for businesses to operate internationally.

In 2014, the U.S. Securities and Exchange Commission (SEC) laid charges against the chief executive officer (CEO) and chief financial officer (CFO) of a Florida-based computer equipment company for misrepresenting to external auditors and shareholders the state of its internal controls over financial reporting.

As required through SOX, a management report describing the internal controls over financial reporting is required and must be included in the annual report. This management report must be signed by both the CEO and CFO as a means of confirming they have disclosed all significant deficiencies and certifying the information in the management report is accurate.

Through an administrative proceeding, it was discovered that the CEO and CFO withheld information about deficiencies, the circumvention of inventory controls, and improper handling of accounts receivable and inventory recognition.

“Corporate executives have an obligation to take the Sarbanes–Oxley disclosure and certification requirements very seriously,” said Scott W. Friestad, associate director in the SEC’s Enforcement Division.

Cyberlaw or Internet Law

Internet law, or cyberlaw, refers to those laws and regulations that govern issues involving the use of the Internet. Claiming that there are laws that can achieve this form of regulation is somewhat of a stretch today because such laws would struggle to keep the international and volatile nature of the Internet in check. While a few international laws and regulations exist, the Internet is one of the most complex landscapes because it is not geographically bound and national laws do not apply globally across all countries and regions. Examples of national and regional laws include:

•  U.S. Electronic Communications Privacy Act: Originally introduced in 1986, this act applies to email, telephone conversations, and data stored electronically to protect communications when they are being created, when they are in transit, and when they are stored on computer systems. This act has since been amended by the Communications Assistance for Law Enforcement Act (CALEA) of 1994, the USA PATRIOT Act (2001), the USA PATRIOT reauthorization acts (2006), and the Foreign Intelligence Surveillance Act (FISA) Amendments Act (2008).

•  EU ePrivacy Act: Also known as Directive 2002/68/EC, this 2002 act defines rules to ensure security in the processing of personal data, the notification of personal data breaches, and the confidentiality of communications. It also bans unsolicited communications where the user has not given consent.

•  Philippine (PH) Cybercrime Prevention Act: Officially recorded as Republic Act No. 10175 in 2012, this legislation addresses legal issues concerning online interactions and the Internet, such as cybersquatting, cybersex, identity theft, and illegal access to data.

In 2006, law enforcement conducted a series of raids throughout central Sweden where they seized several servers and other computer equipment involved in operating the file-sharing site known as The Pirate Bay (TPB).

In 2009, four individuals involved with operating TPB were put on trial for allowing its users to download copyrighted materials through their services and software offerings. The defense argued that the activities of these four individuals were legal under Swedish copyright laws because TPB did not host copyrighted content; it simply acted as a search engine to direct its users to locations where they could download music and films.

As part of the ruling, it was ordered that TPB’s site be shut down.

Computer Law

Perhaps the most common type of technology-related law, computer law is an ever-evolving area of the legal system that has grown mostly as a result of the increased use of technology to commit crimes. Areas of interest for computer laws include legalities such as file sharing, intellectual property, privacy, and electronic signatures. Examples include:

•  United Kingdom (UK) Computer Misuse Act: Enacted in 1990, this law introduced three criminal offenses related to computer crimes:

1.  Unauthorized access to computer material

2.  Unauthorized access with intent to commit or facilitate commission of further offenses

3.  Unauthorized acts with intent to impair, or with recklessness as to impairing, operation of computers and other related equipment

•  Australian (AU) Cybercrime Act: Enacted in 2001, this law introduced criminal offenses related to computer crimes:

477.1: Unauthorized access, modification, or impairment with intent to commit a serious offense

477.2: Unauthorized modification of data to cause impairment

477.3: Unauthorized impairment of electronic communication

478.1: Unauthorized access to, or modification of, restricted data

478.2: Unauthorized impairment of data held on a computer disk or similar equipment

478.3: Possession or control of data with intent to commit a computer offense

478.4: Producing, supplying, or obtaining data with intent to commit a computer offense

Between 1999 and 2000, at least forty large U.S. companies—such as Online Information Bureau (OIB), eBay, and Speakeasy—experienced similar attacks where perpetrators hacked into their networks and then attempted to extort money. From a digital forensics investigation, it was determined that Internet traffic for all of these attacks originated from a single internet protocol (IP) address in Russia. Through further investigation, the Federal Bureau of Investigation (FBI) identified Alexey Ivanov as the perpetrator of these activities.

In 2000, the FBI constructed a false company called Invita Security which they used as a front for inviting Ivanov to interview for a job. He was accompanied by his companion Vasiliy Gorshkov, and the pair was interviewed by Invita, where it was explained that the company was looking for hackers that could break into the network of potential customers in an effort to persuade those companies to hire Invita.

Ivanov and Gorshkov were charged with several crimes, including computer fraud, conspiracy, hacking, and extortion. A motion was made to dismiss the indictment, claiming that the court lacked jurisdiction because the pair was physically in Russia when the offenses were committed, so they could not be charged with violations under U.S. law. The U.S. court denied the motion on the basis that the intended and actual effects of the criminals’ actions occurred within the United States and because the statutes under which charges were laid already extended extraterritorially; the USA PATRIOT Act increased the scope of the Computer Fraud and Abuse Act to expressly cover systems outside of the United States.

Both Ivanov and Gorshkov pled guilty to the charges and were sentenced to a U.S. prison.

Legal Precedence

Within the legal system, a precedent is any legal case that establishes a rule subsequently used when deciding a similar issue of fact. Within some legal systems, decisions made within the higher courts (e.g., Supreme Court) are mandatory and must be followed by lower courts; this is also known as binding precedent. On the opposite end of the spectrum, decisions made in lower-level courts are not binding on higher courts. However, there are times when higher courts will adopt these decisions because of their importance; this is known as persuasive precedent. Every once in a while, a decision made by the courts will be so significant that it establishes a new legal principle or changes an existing law; this is referred to as a landmark decision. When a decision is made by courts at the same level, while it should be carefully considered, it is not mandatory that it be followed.

Brady Rule: Inculpatory and Exculpatory Evidence

One of the main goals of conducting an investigation is to establish factual conclusions that are based on credible evidence. With the totality of evidence taken into consideration, practitioners may encounter specific findings that need to be assessed further before factual conclusions can be drawn. Of importance, practitioners need to pay special attention when either of the following types of evidence exists:

•  Inculpatory evidence is any evidence that demonstrates, or tends to show, a person’s involvement in an act that establishes an indication of guilt. For example, a person uses his corporate email account to send confidential customer data to his friend, and that act is flagged in security monitoring technologies; this could be considered inculpatory evidence.

•  Exculpatory evidence is any evidence that is favorable to a person and that exonerates, or tends to exonerate, that person from involvement in an act, thereby establishing an indication of innocence. Following the example above, through the analysis of electronically stored information (ESI) it was identified that unauthorized access to the person’s email was gained to send the confidential customer data through email; this could be considered exculpatory evidence.

It is important to know that the suppression of exculpatory evidence is a violation of court rules and can lead to implausible factual conclusions. In 1963, the U.S. court ruling in the matter of Brady v. Maryland, 373 U.S. 83, was a milestone in setting a precedent for disclosing exculpatory evidence. In a statement, Brady went on record claiming that he was innocent and that his friend had committed the crime. However, the state of Maryland intentionally suppressed a written statement from the friend that contained a confession to committing the murder. As a result, the Brady rule was created: suppression of evidence favorable to a person is a violation of due process, and evidence that proves innocence must be disclosed.

Frye versus Daubert Standard: General Acceptance Testing

The advancements in and adoption of technology over the past fifty years have allowed for increased capabilities to apply new scientific techniques for gathering, processing, and presenting digital evidence. However, the use of these techniques can provide an opportunity to challenge the results and raise concern around their effect on the judicial process.

Within the context of criminal law, there is a need for the admissibility of evidence submitted during trial to be scientifically demonstrated as a result of proper validation and verification testing. Traditionally, courts have resolved the need for general acceptance testing by applying the rulings of the matter involving U.S. v. Frye, 293 F. 1013 (D.C. Cir. 1923). During this trial, a lie detector test was used to support the defendant’s claim that he was telling the truth when he denied committing murder. However, the court ruled that the evidence was inadmissible because the scientific principles upon which the lie detector test was based were not “sufficiently established to have gained general acceptance in the particular field in which it belongs.” As a result, the Frye standard, Frye test, or general acceptance test became the standard by which scientific evidence and the expert opinion of scientific technique is legally admissible only where it has been generally accepted in the relevant scientific community. The Frye standard set the precedent for many years, until it was superseded by the Daubert standard.

The Daubert standard came about in 1993 as a result of a U.S. Supreme Court decision in the matter of Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579. Through this ruling, it was identified that Federal Rule of Evidence 702 did not incorporate a general acceptance test for assessing whether the testimony of scientific experts was based on reasoning or scientific methodology that was properly applied to the facts. Furthermore, the court outlined that evidence based on innovative or unusual knowledge is only admissible after it has been established as reliable and scientifically valid. To meet the requirements under this ruling, the Daubert standard was created, establishing the following specific criteria for determining the reliability of scientific techniques:

1.  Has the theory or technique in question undergone empirical testing?

2.  Has the theory or technique been subjected to peer review and publication?

3.  Does the theory or technique have any known or potential error rate?

4.  Do standards exist, and are they maintained, for the control of the theory or technique’s operation?

5.  Has the theory or technique received general acceptance in the relevant scientific community?

Under the Daubert standard, for ESI to be legally admissible as evidence, documented testing and experimentation must be completed to demonstrate repeatable and reproducible results. Achieving this legal standard means that organizations must ensure that all tools and equipment used while investigators are interacting with the evidence meet the above criteria as demonstrated through proper validation and verification testing.

Jurisdiction

Jurisdiction is the power, or right, of a legal system (i.e., court, law enforcement) to exercise its authority in deciding over a (1) person, relating to the authority for trying individuals as a defendant; (2) subject matter, relating to authority originating from the country’s laws and regulations; or (3) territory, relating to the geographic area where a court has authority to decide. In some cases, depending on the crime committed, concurrent jurisdiction can exist where two different legal systems have simultaneous authority over the same case.

In the simplest of scenarios, a legal matter can be tried in the location (i.e., country, region, district) where the crime took place. However, with the ways in which technology, such as the Internet, has an extensive global reach and crimes are committed using this delivery channel spanning several countries, it has become somewhat challenging to determine where to prosecute. In cases when there is contention over where a case should be tried, the jurisdiction needs to be assessed and alternatives considered.

Although modern technology adds an additional layer of complexity to issues of jurisdiction, international courts are becoming more familiar with laws and regulations relating to technology and are making more informed decisions about which legal system has jurisdiction.

Technology Counselling

For the legal team to provide educated and accurate advisement on the current state of an investigation, not only will they need to know the laws around evidence admissibility, they will also need to be knowledgeable in applicable information technology (IT) law, cyberlaw, and computer law. This requires that legal advisors be trained and experienced so that they are readily equipped to provide appropriate counsel in response to digital evidence being presented as part of an investigation report, as discussed in Chapter 15, “Maintaining Evidence-Based Reporting.”

As an example, an information technology (IT) attorney is an individual who is educated and knowledgeable in legal matters as they relate to technology. In addition to having a law degree, these attorneys should be trained and knowledgeable in several areas of technology to provide the organization with support in terms of:

•  Drafting, negotiating, interpreting, and maintaining (where needed) technology-related documentation (e.g., agreements, contracts, reports)

•  Ensuring digital evidence is gathered, stored, and handled in compliance with applicable privacy policies, regulations, and laws

•  Providing high quality, specialized, and practical advice for how to proceed with investigative matters

Obtaining Legal Advice

With legal resources trained and educated in appropriate cyberlaws, organizations are equipped to determine if the findings of an investigation are credible enough to be upheld in a court of law or if additional actions are required. Throughout the investigation, legal advice could be required to facilitate decision making related to the following issues:

Constraints

Laws and regulations exist that impose controls over the proper and effective use of digital evidence during an investigation. Generally, the three areas where legal advice can be provided are:

•  Security controls resulting from laws and/or regulations that set a precedent to restrict the necessary identification and disclosure of information protected as privileged or confidential

•  Practices governing the identification and disclosure of information within a reasonable timeframe when formal legal proceedings have been filed

•  Rules of evidence on the admissibility of information for legal proceedings

Disputes

Depending on the nature of business performed, organizations can face commercial disputes over contractual commitments and obligations. When these disputes involve external entities such as business partners, competitors, shareholders, suppliers, or customers, consultation with the legal team is required to advise and guide the organization towards resolution.

Employees

The purpose of conducting a forensic investigation is not to find fault or blame in the actions of an employee. However, where an investigation reveals credible facts about the involvement of an employee, a decision must be made, based on the nature of the employee’s actions, on the most appropriate course of action to deal with the employee. Through consultation with the legal team, organizations can ensure that when it comes time to take action and deal with the employee, they do not go beyond the boundaries of their authority or violate any legal rights that could result in unwanted liabilities.

Liabilities

At any point during the investigation an action, circumstance, or event might be identified which could reasonably be expected to result in some form of legal action against the organization, such as a breach of customer information. When this occurs, the investigative team should involve legal resources to determine how to properly manage the situation and the best course of action to take (e.g., engaging public and corporate affairs to formally manage information sharing, contacting law enforcement due to the involvement of criminal actions).

Prosecution

As digital evidence is being analyzed, investigators work to correlate and corroborate different sources of digital evidence that might lead to credible findings where prosecution and/or punishment, both internal and external, are possible. In these circumstances, involving the legal team could improve the likelihood of the organization obtaining restitution for any losses it experienced or ensure that claims (i.e., insurance) are properly substantiated.

Communication

One possible outcome of a successful cyber-attack could be the unintentional or malicious exfiltration of sensitive and/or confidential information (e.g., personally identifiable information [PII]). In conjunction with other teams within the organization (e.g., privacy, public and corporate affairs), legal can assist in assessing the severity of the information disclosure, as well as the impact it has on partners, customers, and/or investors, and establish when/if the notification of the data exposure must be distributed.

Involving Law Enforcement

Depending on the severity and impact to the organization, a decision could be made to contact appropriate law enforcement agencies to further assist with the investigation. While a decision to involve law enforcement could help to identify whether organized crime is involved, or to engage law enforcement personnel in other jurisdictions, it is important that organizations understand that they could be required to surrender control of the investigation.

Summary

At any point during an investigation, it may be necessary to obtain legal advice regarding the current state of the case. Making these decisions requires that attorneys who will be involved throughout the forensics investigation be trained and educated in applicable laws and regulations to ensure that accurate and timely legal counsel is provided to determine if sufficient credible facts exist or if additional evidence is required to make an informed decision about the investigative findings.
