Legal Aspects of Digital Forensics Daniel J. Ryan The George Washington University Washington, D. C. [email protected] Gal Shpantzer The George Washington University Washington, D. C. gal@pikpu k.com ABSTRACT Of the disciplines that comprise Informati on Assurance, digital forensics is perhaps the one most closel y defined by legal requirements, and one whose growth and evolution is informed and guided by case law, regulatory changes, and the ability of cyberlawyers and digital forensics experts to take the products of forensic tools and processes to court. The tension between privacy rights and law enforcement’s need to search and seize digital evidence sometimes mirrors, and frequently extends, the extant tensions inherent in rules of evidence. This legal foundation makes forensics tools and techniques for recovery, handling, analysis an d preservation of digital evidence unique among the technical arcana of IA, as opposed to firewalls, antivirus, routing, or intrusion detection, among others, where progress is made with much less scrutiny and guidance from legal scholars. This paper seeks to explore some of the legal aspects of forensics a s an art within IA. We start with a real worl d case of an institution that suffer ed from a lack of forensic capability, moving on to a discussion of some of the most important court cases that guided the development of the field in the last two decades. Then we look ahead to some of the challenges looming for practitioners of digital forensics. Categories and Subject Descriptors K.5 Legal Aspects of Computing K.5.2 Governmental Issues [Regulation] Keywords Digital evidence, computer forensics. 1. INTRODUCTION Imagine that hackers have targeted your organization. In a series of attacks, your network is penetrated and the intruders install an illicit program that sends out derogatory messages about senior executives and managers in your organization to various committees with responsibility for overseeing the management of your organization, using the names of random members of your organization as the senders of the messages. Imagine that other attacks result in the destruction of valuable intellectual capital and digital assets resident on your systems and networks. A great deal of un favorable publicity and embarrassment results. But you have implemented a new intrusion detection system, and your sysop uses its audit logs to trace the intrusions back to a former member of your organization, aided and abetted by a current member. Law enforcement is notified and the two are arrested and charged with feloniously altering computer data, with willfully using your computer networ k without authori ty, with causing a computer to malfunction, and with other related crimes. Greatly relieved, the public relations department is directed to prepare and distribute a press release stating that the hackers have been caught and arrested, naming the cul prits and quoting several of your executives regarding their nefarious activities. Then lawyers for th e alleged hackers mount their own attack – on the evidence your sysop gathered. Th ey assert that your intrusion detection system is unproven technology, and that the evidence was not gathered, stored, or analyzed properly. At a preliminary hearing the judge r ules that the evidence is insufficient to refer the case to a grand jury, and the charges are dropped. Within days, a multimillion dollar lawsuit is filed alleging defamation of character and false imprisonment. Attorneys for the “hackers” claim the two men suffered great embarrassment and damage totheir reputations, and that they lost jobs and money as a result of the charges filed against them charges that were la ter dropped. The suit claims your organization viol ated their civil rights, and that their prosecution was in stigated out of malice with out any legal or factual basis. Is such a scenario realistic? This scenario is similar to wha t happened to George Mason University in a recent case. [1] The message? Lack of due care and attention to the legal rules surrounding the collection and uses of digital evidence can not only make the evidence worth less, it can leave investigators vulnerable to liability in countersuits. 2. THRESHOLD CONSIDERATIONS As every Perry Mason fan knows, evidence, to be admissible in court, must be r elevant, material and competent, and its probative value must outweigh any prejudicial effect. Digital evidence is not unique with regard to relevancy and materiality, but because it can be easily duplicated and modified, often without leaving any traces, digital evidence can present special problems related to competency. Moreover, to even reach the point where specific competenc y questions are answered, digital evidence must survive the threshold test posed by Daubert [2] of its competency as a class of evidence. From 1923 until 1993, the admissibility of expert scient ific evidence was cont rolled by a heuristic known as the Frye test after a District of Columbia Court of Appeals case [3] in which the test was first articulated. The Frye test held the expert scientific evi dence was admissible only if the scientific community generally accepted the scientific principles upon which it was based. In Daubert, th e Court held that Rule 702 of the Federal Rules of Evidence, adopted in 1973, supplanted Frye. Rule 702 provides: "If scientific, technical, or other specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue, a witness qualified as an expert by knowledge, skill, experience, training, or education, may testify thereto in the form of an opinion or otherwise." This implies that the scientific evidence proposed possesses the scientific validity to be considered competent as evidence if it is grounded in the methods and procedures of science. There is no specific test that can be used to determine whether digital evidence possesses the requisite scient ific validity. The Court in Daubert suggested several factors to be
View Full Document
Unlocking...