8 THE LAWS AND ETHICS OF DIGITAL FORENSICS

We always commence a digital forensics investigation with the assumption that we’ll one day have to defend our work in a court of law. With that in mind, it should come as no surprise that we need to be cognisant of the laws applicable to our work as we go about the business of conducting an investigation. Information security in general has often found itself to be a field that draws interest from both technologists and legal professionals alike, but digital forensics unquestionably belongs slap bang in the middle of these two fields. Effective lawyers take the time to learn about the technical issues, and savvy technologists, including investigators, take the time to learn about the legalities.

In this chapter we’ll examine various legal factors that come into play during a forensics investigation. We’ll take a look at several specific pieces of legislation that may have direct or indirect impacts on an investigator as they go about their work. Finally, we’ll look at the ethical standards required of an investigator.

CRIMES WITHOUT BORDERS

To throw in some additional legal complexity, digital crimes can easily bleed across international borders. Internet traffic flows don’t pause to consider jurisdiction as they bounce from node to node. The need for stronger, more specific laws applicable to digital crimes is well recognised, and as a result a number of countries have taken great strides in implementing such laws. The challenge is actually enforcing them if the suspect is geographically located outside the victim’s local jurisdiction. In the United States there is even some complexity within the nation’s borders, as different states can have different laws. International cooperation in computer crime cases does occur, but not always. It’s become almost a running joke in information security circles that many incidents and breaches are blamed on either Russian or Chinese actors by default, because cooperation with these countries on cybercrime issues is extremely limited, and there is more than a smidgen of evidence of state-sponsored online criminal activity originating from them. It is undoubtedly true that there are many attacks that originate from Russia and China; however, just seeing a Russian or Chinese IP address in a log file isn’t enough to attribute an attack to one particular nation. Tools and techniques, or hacker tradecraft (to use an intelligence community term), are much better indicators to go on when looking to perform accurate attribution.


A recent example of the challenges and controversy that can be associated with the attribution of digital crimes is the 2014 Sony Pictures incident. The film studio was the target of a severely damaging attack that came to a head on the morning of Monday 24th November. That morning, several Sony Pictures employees found their workstations were completely unusable as wiper malware that had been installed previously was triggered. Data was lost, and an ominous message appeared on the screens of those devices.

The message warned Sony Pictures that a group calling themselves the Guardians of Peace were behind the attack. Initially the group demanded money and made it clear they had a significant volume of confidential Sony Pictures data, leaking some on the internet that day. Over the coming days the group continued to leak emails and unreleased films.

A few weeks after the start of the attack the narrative coming out of Sony and the FBI suggested that hackers working for the North Korean regime were suspected of being responsible for the attack in apparent retaliation for the upcoming Sony Pictures film The Interview. The film featured a plot in which two journalists are hired to assassinate the North Korean leader, Kim Jong-Un.

The FBI formally attributed the incident to North Korea on 17th December 2014, and based that attribution on analysis of the malware, the IP addresses used to launch the attack, and similarities of the incident with one that affected South Korean banks in 2013.

The FBI did not release detailed information about the indicators that had led them to this attribution, which led many information security professionals to question its validity. There were rumours that over 100 terabytes of data were stolen, which would have taken significant time to exfiltrate, and many questioned whether North Korea would have had the infrastructure to support this. Likewise, it is very uncommon for state-sponsored attackers to operate in such an overt fashion, such as with the ominous message on the workstations.

Given this, the industry pressed the FBI to release more details, something that hasn’t happened to date. As a direct result of the attribution, US President Barack Obama issued an Executive Order applying additional financial sanctions on North Korea.

It is not just criminal law enforcement that should be aware of the challenges of reaching across borders. If you’re involved in incident response or digital forensics for a company with global reach, you will likely run into challenges specific to the suspect’s jurisdiction. In Europe, for instance, privacy laws are much stricter than in the United States – for example the European General Data Protection Regulation (GDPR), which levels the playing field across European Union member states and provides EU citizens with a published set of rights pertaining to their data. This can create hurdles that must be overcome during an investigation launched from the US, for example, against computers and employees residing in Europe.


I’ve been fortunate enough to work in both Europe and the United States, and throughout my career I’ve always been intrigued by the cultural differences when it comes to privacy expectations. In the United States it is not that difficult to find out where a person lives, which elections they voted in and who they live with; it’s all public record. Conversely, in Europe this information is much more protected.

In one instance I recall rolling out a web content filtering system at a multinational company. The US portion of the rollout was completed with little drama, but once it was time to deploy in Europe the employees were not happy about the prospect of their website usage being monitored, and works councils became involved. In France, a works council is required for any company with 50 or more employees and it operates in a similar fashion to a trade union. This was not something I had been aware of at this point. Eventually the rollout was completed, but several changes had to be made to the deployment after works council approval.

Laws are closely intertwined with the second topic in this chapter, ethics. Tremendous trust is placed in a digital forensic investigator. In order to do the job, an investigator has to dive into a treasure trove of sensitive, compromising and deeply personal data. In order to have a long and successful digital forensics career, operating in an ethically sound manner is of the utmost importance.

LAWS APPLICABLE TO FORENSICS

There is a wide variety of crimes and situations that a digital forensics professional can become involved in investigating, and therefore a significant spread in terms of the legislation that can be applicable to their work. Given this, it would be impracticable to list every potential piece of applicable legislation in this book, but we can review some of the most common legislation that an investigator should keep in mind at all times.

United Kingdom

The UK has three legal systems that are in step with the geography of the country. English law applies to England and Wales, Scots law applies to Scotland, and Northern Ireland law applies to Northern Ireland. Plenty of legislation in the United Kingdom applies across all three legal systems; there may, however, be slight variances between them.

Computer Misuse Act 1990

The foundational legislation for all computer crime in the UK, the Computer Misuse Act applies across all three legal systems and frequently forms the basis for charging a suspect with a digital crime. Section 1 of the act deals with directly hacking into a computer. ‘Unauthorised access to computer material’, as it is referred to in the legislation, could also be invoked to cover obtaining access through credential theft, such as phishing. The legislation was updated in 2006 by way of the Police and Justice bill. That update increased the maximum custodial sentence for Section 1 offences from six months to two years in prison.

Section 2 of the Computer Misuse Act expands on Section 1 and covers intent to commit additional offences after obtaining unauthorised access to a machine, for example obtaining access to a server, stealing data or using that data to commit fraud. The maximum penalty for Section 2 offences is five years in prison.


In September 2016, 25-year-old Adam Penny was convicted under Section 2 of the Computer Misuse Act. He was sentenced to five years in prison after hacking into the website of a gold bullion dealer and stealing customer data. Using this customer data he was able to direct his accomplices to wait outside an address where a gold delivery was expected. The gold was intercepted, and subsequently sold on.

Penny was guilty under Section 1 for breaking into the website, and Section 2 for using that as a platform to facilitate the theft of gold.

Section 3 of the Computer Misuse Act covers ‘unauthorised acts with the intent to impair operation’. At the time of writing, Section 3 was primarily concerned with the introduction of computer viruses to a system that would deliberately prevent a computer from operating properly, but in more recent times it has also been referenced in cases involving those suspected of launching denial of service attacks. Of course, you don’t need access to a machine to perform those, hence the difference between Section 2 and Section 3 offences. Section 3 offences are punishable by a maximum 10-year jail sentence.

Section 3A of the Computer Misuse Act was introduced in 2006 and created a new offence targeting those who supply, offer to supply or obtain hacking tools and resources that could be used to commit Section 1 or Section 3 offences. These offences are punishable by way of a maximum two-year jail sentence. An example of a Section 3A offence would be operating a DDoS-for-hire service.

Police and Criminal Evidence Act 1984

Known as PACE, this act is a wide-ranging piece of legislation that provides the legislative framework for the police in England and Wales to combat crime. An equivalent act exists in Northern Ireland: the Police and Criminal Evidence (Northern Ireland) Order 1989. In Scotland, the majority of the PACE provisions are included in the Criminal Procedure (Scotland) Act 1995.

The Act is not computer specific, but it does cover the codes of practice to be followed by police officers during search and seizure activities. It also includes evidence collection and handling procedures, and rules for interviewing suspects – all topics that may very well form part of an investigation concerning a digital crime. If an officer fails to conform to the codes of practice contained within PACE during an investigation then evidence could be rendered inadmissible.

As digital forensic investigators our most likely exposure to PACE would be if we were working directly for, or as a contractor for, a police force during a criminal investigation where a digital forensics acquisition is required. Section 8 of PACE covers search warrants, a type of court order issued by a judge that gives a police officer the power to enter premises to search for evidence that a criminal act has occurred. Such a warrant can also include a provision allowing the officer to bring along a specifically authorised person, such as a civilian digital forensics expert, to assist in the search and seizure.

Regulation of Investigatory Powers Act 2000

Known as RIPA, the Regulation of Investigatory Powers Act was created in response to the challenges involved with performing surveillance and investigation in the internet era. The Act regulates the manner in which certain public entities, which can include intelligence and security services, as well as police forces, can perform certain surveillance functions, and from what level such functions need to be authorised.

As an example, RIPA enables intelligence services to demand that an internet service provider provide access to certain communications in secret for the purposes of detecting serious crime or protecting the economic well-being of the United Kingdom.

In the world of digital forensics, we may be exposed to RIPA if working for an organisation that is subject to an order issued by a public body under the provisions of RIPA, or if working for a public body that is able to issue such an order. For instance, if working in national security as a forensic investigator, a function may be to uncover evidence of a particular crime from some captured internet traffic.

Protection of Children Act 1978 and Sexual Offences Act 2003

The proliferation of sexual crimes, particularly those targeting children via the internet, is well documented. Child-pornography-related cases are unfortunately a relatively common type of case that digital forensic investigators may find themselves working on. In the United Kingdom, the Protection of Children Act 1978 covers the creation, possession and distribution of indecent images of children. A 1994 amendment to the act, by way of the Criminal Justice and Public Order Act, specifically called out images created by, or altered with, computers. The Act was again amended in 2003 through the Sexual Offences Act, which introduced more specific terminology and created a number of new types of offence. Importantly, the Sexual Offences Act altered the original 1978 definition of a child, from ‘a person under the age of 16’ to ‘a person under the age of 18’. This legislation is of particular importance to investigators, as it compels us, or anyone else who becomes aware of a crime against a child, to report it to the police promptly.

Good Practice Guide for Digital Evidence

Though not a law, the UK Association of Chief Police Officers (ACPO) has published a document entitled Good Practice Guide for Digital Evidence, the latest version of which should always be close by for anyone working in the field.38 The document is designed for law enforcement professionals who may be exposed to digital evidence during the course of their work, and contains the recommended practices to be followed at all times from both technological and legal perspectives. The Good Practice Guide is built around four key principles of digital evidence.

‘Principle 1: No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.’

‘Principle 2: In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence to explain the relevance and implications of their actions.’

‘Principle 3: An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.’

‘Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.’

These four general principles provide a solid foundation on which to conduct a digital forensics investigation.
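Principles 1 and 3 have a direct technical consequence: the examiner must be able to show that the original data was not changed, and a third party must be able to rerun the recorded process and get the same answer. The example below is added here to illustrate that; it is not code from the book, from ACPO or from any forensic tool. It assumes a hypothetical, minimal JSON audit-trail format (the field names are this example's own choice) and uses a small constructed byte string in place of a real disk image.

```python
"""Minimal audit trail for a piece of digital evidence.

Added example (hypothetical format, not ACPO's or any vendor's):
- every process applied to the evidence is logged with a SHA-256 of the
  evidence as it was *after* that step (Principle 3: audit trail);
- analysis runs on a working copy, and the original's hash is re-checked
  afterwards (Principle 1: do not change data relied upon in court);
- verify_trail() lets an independent party recompute the hashes from the
  evidence and the log alone (Principle 3: same result, reproducibly).
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the evidence 'fingerprint')."""
    return hashlib.sha256(data).hexdigest()


class AuditTrail:
    """Append-only record of the processes applied to one evidence item."""

    def __init__(self, case_id: str, examiner: str, original: bytes):
        self.case_id = case_id
        self.examiner = examiner
        self.original_sha256 = sha256_hex(original)  # acquisition baseline
        self.entries = []

    def record(self, action: str, evidence_after: bytes, tool: str, notes: str = ""):
        """Log one step and the hash of the evidence as it stands afterwards."""
        entry = {
            "seq": len(self.entries) + 1,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "examiner": self.examiner,
            "action": action,
            "tool": tool,
            "notes": notes,
            "sha256_after": sha256_hex(evidence_after),
        }
        self.entries.append(entry)
        return entry

    def to_json(self) -> str:
        return json.dumps(
            {"case_id": self.case_id,
             "original_sha256": self.original_sha256,
             "entries": self.entries},
            indent=2,
        )


def examine_on_copy(trail: AuditTrail, original: bytes, process, tool: str) -> bytes:
    """Apply `process` to a copy of the evidence, then prove the original is intact."""
    working_copy = bytes(original)          # never operate on the original
    result = process(working_copy)
    trail.record("analysis", result, tool, notes="ran on working copy")
    if sha256_hex(original) != trail.original_sha256:
        raise RuntimeError("Principle 1 breach: original evidence changed")
    trail.record("integrity check", original, "sha256", notes="original re-hashed")
    return result


def verify_trail(trail_json: str, original: bytes) -> dict:
    """Independent reproduction: rehash the original and compare to the log."""
    trail = json.loads(trail_json)
    actual = sha256_hex(original)
    mismatches = [
        e["seq"] for e in trail["entries"]
        if e["action"] == "integrity check" and e["sha256_after"] != actual
    ]
    ok = (actual == trail["original_sha256"]) and not mismatches
    return {"ok": ok, "original_matches": actual == trail["original_sha256"],
            "mismatched_entries": mismatches}


def build_sample_trail():
    """Constructed sample: a tiny stand-in for an acquired image."""
    evidence = b"CONSTRUCTED-SAMPLE-IMAGE: user=alice; file=notes.txt; body=hello"
    trail = AuditTrail(case_id="CASE-EXAMPLE-001", examiner="examiner A", original=evidence)
    trail.record("acquisition", evidence, "hypothetical-imager", notes="bit-for-bit copy")
    # A harmless 'analysis' step: keyword extraction on the working copy.
    examine_on_copy(trail, evidence, lambda d: d.upper(), tool="keyword-scan")
    return trail, evidence


if __name__ == "__main__":
    trail, evidence = build_sample_trail()
    print(trail.to_json())
    print("third-party verification:", verify_trail(trail.to_json(), evidence))
```

The log plus the original evidence is everything a second examiner needs: rerunning `verify_trail` against an altered copy reports a mismatch, which is exactly the kind of independent check Principle 3 asks for.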

United States

In the United States, laws concerning digital crimes exist at both the state and federal levels. The principal agency involved in investigating larger-scale computer crimes is the United States Secret Service, which is a federal law enforcement agency, and hence many of the higher-profile prosecutions are based on federal law.

Computer Fraud and Abuse Act

Enacted by the United States Congress in 1986, the Computer Fraud and Abuse Act (CFAA) was designed to address the gap between existing wire and mail fraud laws and the growing prevalence of computer crime. Although some laws specific to computer crime had been introduced two years prior through the Comprehensive Crime Control Act of 1984, the United States Congress and Senate continued to discuss the laws throughout 1985, before enacting the initial version of the CFAA in 1986. Since then, the CFAA has been amended multiple times.

A quirk of the law is that, technically speaking, the only computers covered by it are so-called ‘protected computers’. Computers in this category are defined as being:

‘Exclusively for the use of a financial institution or the United States Government, or any other computer, when the conduct constituting the offence affects the computer’s use by or for the financial institution or the Government.’

‘Used in or affecting interstate or foreign commerce or communication, including a computer located outside of the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.’39

This definition was introduced to quell federalism concerns (concerns that the federal government would infringe upon the rights of the individual states), by suggesting that only computers involved in interstate communications would be covered by the Act. However, in practice, any computer connected to the internet is likely to be communicating over state lines, given the geographical diversity of services on the internet, and as a result nearly all such computers and devices are covered by the CFAA.

The CFAA is similar to the Computer Misuse Act in the United Kingdom, in that it is used as the basis for prosecuting most computer crimes. The terminology used in the CFAA to describe what would be considered hacking is ‘access without authorisation, or exceeding authorised access’. The CFAA contains penalties ranging between one and ten years depending on the nature of the crime. For second convictions under the CFAA, the length of a prison stay can range from 10 to 20 years.

Specific offences covered by the CFAA include:

Obtaining national security information.

Accessing a computer and obtaining information without authorisation, or in excess of authorisation.

Trespassing in a Government computer.

Accessing a computer to defraud and obtain value.

Intentionally damaging by knowing transmission (of malicious code, or a given command etc.).

Recklessly damaging by intentional access.

Negligently causing damage and loss by intentional access.

Trafficking in passwords.

Extortion involving computers.

In addition to the custodial sentences afforded by the CFAA, it also contains provisions for victims of crime to bring civil cases in pursuit of financial compensation.

Electronic Communications Privacy Act (ECPA)

The ECPA is an important law as it is used to ensure protections are afforded to digital transmissions between computers. Title 1 of the law was an update to the Federal Wiretap Act of 1968, which is why ECPA is sometimes still referred to as the Wiretap Act. The 1968 law was of course designed primarily with telephone calls in mind, rather than internet traffic. The updated Wiretap Act prohibits interception, or attempted interception, of any wire, oral or electronic communication. As an example, a man-in-the-middle attack between two hosts on a network would be considered a violation of the ECPA.

As with any law, there are exceptions, and one that we’ve already touched on in this chapter is the use of technologies such as SSL proxies to monitor and filter web traffic for safety and security purposes. The Wiretap Act provides an exception which states that an employee of operators (of networks) and service providers can intercept communications ‘in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service’. This can be used as a basis for the argument that corporate IT teams have every right to perform SSL decryption, and is usually supplemented with employees accepting that their transmissions may be monitored at work, through the signing of an acceptable use policy (AUP).

There are also exceptions for law enforcement officers to perform interceptions for the purpose of surveillance and investigation, but they are subject to a series of procedures, including obtaining a warrant to perform the interception. A judge can issue a warrant allowing a law enforcement officer to intercept communications for up to 30 days in exchange for evidence showing probable cause that an individual is planning or has already committed a crime.

Stored Communications Act

Title 2 of the ECPA is known as the Stored Communications Act (SCA) and provides protections for electronic transmissions that have reached their final destinations and therefore are no longer in transit. This covers items like emails stored on computers. The SCA protections are far less stringent than those in the ECPA for data in transit. One example of this lack of protection is the so-called 180-day rule. This rule states that data stored for more than 180 days is to be considered abandoned, and as a result requires less judicial review for a law enforcement officer to obtain it. Privacy advocates are critical of this rule because in 1986, when it was written, email services were very different from how they are today. In the mid-1980s emails were stored temporarily on servers before being transferred to a client computer. Today, with free services such as Outlook.com and Gmail, people often do not delete any emails, and they reside on the provider’s server for years. Under the SCA, law enforcement can use the 180-day rule to obtain these messages.

To update this somewhat outdated aspect of the SCA, the Email Privacy Act has been proposed to afford additional protections to stored email messages. However, since it was first proposed in 2015, the bill has not yet made it into law.

Identity Theft Penalty Enhancement Act

A growing criminal activity around the world is identity theft, which involves illegally using the identity of another person to open lines of credit, make purchases and commit other types of fraud. Introduced in 2004, the Identity Theft Penalty Enhancement Act makes provisions for courts to deal with this relatively new crime. Custodial sentences of two years in prison are prescribed by the Act. There are also rules to prohibit a court from placing a person convicted of identity theft on probation.

Patriot Act

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, to use its unabbreviated title, the Patriot Act was enacted a little over a month after the 11 September terrorist attacks against the United States.

The law is fairly wide-ranging, and provides a variety of provisions to reduce legal barriers for law enforcement and intelligence services to disrupt terrorist plots. In the immediate aftermath of the 11 September attacks there was widespread fear and concern that the intelligence services of the United States hadn’t been able to detect and prevent the events that killed 2,977 innocent people. Of particular interest to us in the digital forensics field is Title 2, which is named ‘Enhanced Surveillance Procedures’. This title updated sections of the ECPA, and effectively reduced the barriers for law enforcement professionals to obtain wiretap warrants for the purposes of performing surveillance on both US and non-US citizens. The law has caused some alarm among privacy advocates.

In 2015, the law was extended following the passage of the USA Freedom Act. However, as a result of the mass surveillance revelations made by leaker Edward Snowden, certain parts of the Patriot Act were eliminated, placing more restrictions on the National Security Agency’s surveillance programmes.

CAN-SPAM

Everyone has received at least one spam email by now, and we all know how annoying they can be. The CAN-SPAM Act was signed into law in 2003 to address the increasing frustration and damage caused by unsolicited spam email. The law applies to all marketing email sent to US citizens and has several provisions for protecting recipients. Notably, there is a requirement that all marketing emails come with a visible and functional unsubscribe function.

There are also requirements applicable to the content of an email; for instance, the from and subject lines must be relevant, and the physical address of the sender must be included.

Finally, the Act placed technical restrictions on the sending of a message, laying out a number of rules, including the prohibition of open relays (servers that permit the sending of mail from any source), banning empty messages and false email headers.

Child pornography laws

In the United States, suspects in child pornography cases can be tried under both federal and state laws. At the federal level, the principal law concerning child pornography is known as the Child Protection and Obscenity Enforcement Act of 1988. The law lays out record-keeping requirements for producers of pornographic materials, under which they must keep track of the ages of models filmed during pornographic shoots.

There are also laws in the United States criminal code that explicitly prohibit the creation and handling of pornographic images of children, and additional laws specific to parents or guardians of minors (under the age of 18) who fail to protect them from becoming involved in the production of child pornography.

Best practices for seizing electronic evidence

Similar to the ACPO guidelines in the United Kingdom, the Secret Service in the United States provides guidance on best practices for seizing electronic evidence.40 If you recall, the ACPO guidelines centre around four key principles. The US Secret Service guidelines feature eight golden rules:

‘Officer safety – secure the scene and make it safe.’

‘If you reasonably believe that the computer is involved in the crime you are investigating, take immediate steps to preserve the evidence.’

‘Do you have a legal basis to seize the computer?’

‘Do not access any computer files. If the computer is off, leave it off. If it is on, do not start searching through the computer.’

‘If the computer is on, go to the appropriate sections in this guide on how to properly shut down the computer and prepare it for transportation as evidence.’

‘If you reasonably believe that the computer is destroying evidence, immediately shut down the computer by pulling the power cord from the back of the computer.’

‘If a camera is available, and the computer is on, take pictures of the computer screen. If the computer is off, take pictures of the computer, the location of the computer and any electronic media attached.’

‘Do special legal considerations apply (doctor, attorney, clergy, psychiatrist, newspapers, publishers, etc.)?’

Europe

Within the European Union, a 2013 directive on cybercrime required member states to tackle larger-scale digital crimes through the use of specific laws and tough penalties. For the first time, the use of botnets in digital crimes was specifically called out in the directive.

GDPR

The General Data Protection Regulation took effect across Europe on 25 May 2018. As previously discussed during the incident response portion of the book, there are various articles in this legislation that apply directly to incident response, particularly around breach notification. From a digital forensics investigation perspective, there are elements of GDPR that apply not only directly to the case itself but also to the activities performed by the investigator.

The core of GDPR is about protecting the rights of individuals regarding how personal data about them is processed. Processing includes data collection, storage, transmission and disclosure. There are articles that describe the need for consent from an individual to process their personal data, and articles that frame the conditions under which a ‘processor’, such as a business, can keep personal data.

Article 25 of the legislation is entitled ‘Data protection by design and by default’, and describes how processors must demonstrably apply the most stringent privacy controls possible to end users of their products and services. Importantly, GDPR describes how the processor must continually show compliance with the legislation.

A frequent topic of conversation around GDPR is the severity of the sanctions that can be imposed for non-compliance. Fines can be imposed to the tune of 20 million euros or four per cent of an organisation’s annual worldwide turnover, whichever is greater. That isn’t a small amount of money. As an investigator working in Europe, cases that involve proving a client was compliant with GDPR at the time of an incident are likely to become more commonplace.

Investigators themselves should be aware of how GDPR applies to the work they are doing. If you’re working on data collected by a processor as part of a case, which is highly likely, the investigator is also considered a processor. Just as we in the information security field preach good security practices, GDPR requires us to take a hard look at our own processes and procedures, to make sure they’re up to scratch.

ETHICAL CONSIDERATIONS

Given the content and context of some of the laws just reviewed, you should have a very clear understanding of the sensitivity of the situations in which digital forensic investigators can find themselves. It is for this reason that we must act with integrity and in an ethical manner at all times.

Being an ethical professional

Ethics in this profession covers a large range of topics, from reasonably believing that you’re competent to perform the given investigation, to acting within the confines of the law. Clearly, it is not a good situation to be using your technical skills for good by day, and then committing crimes with those same skills at night. Such activity could lead to serious questioning of your integrity as a person, and therefore call into question all of your previous work.

Various professional bodies that cover forensic science, computer security and everything in between have enacted various ethical standards to which members must subscribe. Examples of such organisations include the International Association of Computer Investigative Specialists (IACIS)41 and the American Academy of Forensic Sciences.42 Typically, such standards include provisions for ensuring that laws are followed, conflicts of interest are avoided and opinions are given without prejudice.

Sometimes it can be plainly obvious that a suspect is a bad person doing a bad thing, but without sufficient evidence to prove it we may find ourselves frustrated. It is in this scenario that our ethics might be tested. We must at all times show no bias and give opinions that are based solely on the evidence we have in front of us. Having worked with a number of law enforcement professionals, who frequently find themselves in similar ethical dilemmas, the most frequent advice I’ve received is to trust the process. If someone is guilty, but we can’t prove it in this case, then we will be able to in the next case. It’s not worth putting your professional integrity on the line to attempt to expedite the inevitable.

We’re privileged to work in this field, we can help people, but only if we help ourselves first. Always, always act with integrity and morality and be ethical during any digital forensics investigation.

SUMMARY

In this chapter, we emphasised the importance of treating every investigation as if the actions taken during the investigation will need to be defended against scrutiny of the highest order in a criminal court. We discussed legal challenges unique to digital forensics investigations, including cases that span multiple jurisdictions.

We introduced a number of relevant pieces of legislation from the United Kingdom, United States and Europe that pertain to digital crimes and investigations. Finally, we talked about published frameworks for handling digital evidence, such as the ACPO Good Practice Guide and Best Practices for Seizing Electronic Evidence, as published by the United States Secret Service.

With this important context, in the next chapter we’ll introduce the tools and techniques used to make sure that evidence is collected in accordance with the rules and regulations we’ve just discussed.

38 Williams, J. (2012) Good Practice Guide for Digital Evidence. Association of Chief Police Officers. Available from http://library.college.police.uk/docs/acpo/digital-evidence-2012.pdf [30 April 2018].

39 US House of Representatives (2017) [USC07] 18 USC 1030: Fraud and related activity in connection with computers. Office of the Law Revision Counsel. Available from http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title18-section1030&num=0&edition=prelim [20 April 2018].

40 US Department of Homeland Security (2017) NCJRS Abstract – Best Practices for Seizing Electronic Evidence. National Criminal Justice Reference Service. Available from https://www.ncjrs.gov/app/publications/abstract.aspx?id=239359 [30 April 2018].

41 https://www.iacis.com/

42 https://www.aafs.org/
