7/29/2019 Forensics CH 12
http://slidepdf.com/reader/full/forensics-ch-12 1/23
Chapter 12
Federal Rules and Criminal Codes
Chapter Objectives
After reading this chapter and completing the exercises, you will be able to do the following:
• Identify federal rules of evidence and other principles of due process of the law.
• Explain the legal foundation and reasons for pretrial motions regarding evidence.
• Identify the limitations on expectations of privacy.
• Explain the major anticrime laws and amendments impacting discovery and use of e-evidence.
Introduction
Federal rules and laws are changed to bring them up to date with new technology, crimes, threats, and evidence. Rules are regulations that govern legal conduct, procedures, and practices. Laws are regulations that govern the conduct of the people of a society or nation. These rules and laws directly impact investigative procedures and the admissibility of evidence. Investigators who do not understand them run the risk of compromising cases, convicting innocent people, or letting guilty people go free. You need to know what constitutes a legal search, what laws govern obtaining e-evidence and securing it so that the chain of evidence is not compromised, what telecommunications may lawfully be intercepted or examined after they have been received, and what privacy rights employees and other individuals have. Consider the need to understand rules and laws in these cases. Before seizing a computer or other hardware, one needs to consider whether the Fourth Amendment requires a search warrant.
Before accessing stored electronic communications, one needs to consider the
requirements of the Electronic Communications Privacy Act. To conduct real-time
electronic surveillance, a wiretap order may be needed from a judge.
In this chapter, you learn about due process of the law, federal rules of
evidence and procedure, and anticrime laws. These laws are important to know
because even cases that center on physical evidence and eyewitness testimony
may require collecting e-evidence to guide or corroborate the physical evidence.
You will learn about the authority granted to investigators under privacy laws and
the limitations those laws impose to protect civil rights. Many of these laws are
highly controversial and subject to heated debates. At the same time, crimes are
increasingly computer-technology-dependent. These forces will drive changes
in privacy laws as the privacy versus security battles play out. This chapter also
provides the framework for understanding the ethical challenges and demands of
giving testimony in court that are covered in the next chapter.
Due Process of the Law
Due process of the law is a fundamental principle to ensure that all civil and criminal cases follow federal or state rules to prevent any prejudicial, or unequal, treatment. This chapter focuses on federal rules and cases for two reasons. First, cases that involve the Internet or telecommunications typically are federal cases because they cut across state boundaries. Second, states' rules are patterned after federal rules and are sufficiently similar for the level of this chapter.
Due process is guaranteed in the Fifth Amendment to the U.S. Constitution, which states: "No person shall . . . be deprived of life, liberty, or property, without due process of law."
Federal Rules of Civil Procedure, Federal Rules of Criminal Procedure, and Federal Rules of Evidence, which were introduced in Chapter 1, are the primary rules ensuring due process. In federal courts, evidentiary rules are governed by the Federal Rules of Evidence. State courts follow their own state rules of evidence. This chapter discusses the rules in greater detail now that you have a solid understanding of the technology and criminal components of e-evidence.
The Law School of Cornell University maintains up-to-date Federal Rules of Criminal Procedure at www.law.cornell.edu/rules/frcrmp/. Federal Rules of Civil Procedure are at www.law.cornell.edu/rules/frcp/.
Federal Rules of Procedure Regulate Production of Evidence
The Federal Rules of Civil Procedure were adopted in 1938. Until 1970, rules had developed to deal only with physical or tangible evidence. Specifically, the law of criminal procedure has evolved to regulate the mechanisms common to the investigation of physical crimes, namely the collection of physical evidence and eyewitness testimony, and not e-evidence (Kerr, 2005). So the rules you learn about are expected to change.
Rules 26 and 34 regulate the production of evidence. Then an amendment in Rule 34(a) took effect that made electronic data subject to discovery, while also providing protections (in the form of exceptions to the rule) for the party whose electronic data was being searched. For decades, this amendment had no striking impact because only computer hard-copy printouts were routine in legal matters. A far-reaching impact did not begin until the late 1990s when the discovery of "electronically stored information" contained on the computer itself became routine. This change raised issues about e-evidence: how it could be authenticated, proved to be reliable, and determined to be admissible in criminal or civil proceedings. This section reviews the current and evolving status of laws pertaining to the processes of authentication, reliability, and admissibility. It also discusses the requirements for laying a proper foundation for e-evidence and serving as an expert witness.
On April 12, 2006, the U.S. Supreme Court approved the proposed amendments to the Federal Rules of Civil Procedure. These rules concern the discovery of "electronically stored information" (ESI). These rule changes affect Rules 16, 26, 33, 34, 37, 45, and Form 35. The rules have been sent to Congress and will become effective on December 1, 2006, unless Congress acts to change or defer the amendments. The amendments are available on the U.S. Courts' Web site at: www.uscourts.gov/rules/newrules6.html#cv0804.
Proposed amendments will impose greater precision and further change the way lawyers and courts approach e-discovery. In particular, Rule 16(b)(5) requires the disclosure of e-discovery during the initial pretrial conference. Discovery requests would have to be more specifically tailored because of the huge volume of e-evidence. This discussion should be specific regarding the subject matter, time periods, and identification of persons or groups from whom discovery may be sought. And the parties need to negotiate how the documents will be produced very early in the case. It could take lawyers months to negotiate the format in which documents would be produced (images, TIFF, PDF, or native format) and what metadata would be included (Hsieh, 2006). For example, in Lauren Corp. v. Century Geophysical Corp., the plaintiff sought to inspect the defendant's computers for evidence to support its claim that the defendant had unlawfully used the plaintiff's licensed software. It took the parties and the court over a year to resolve various discovery disputes. The court finally compelled inspection of the computers.
Proposed amended Rule 34(b) would allow the requesting party to "specify the form in which electronically stored information is to be produced." Specific information on these pending rules and the status of other amendments can be found by selecting the "Pending Rules Amendments Awaiting Final Action" hyperlink in the upper left corner of the Web page www.uscourts.gov/rules/#judicial0905. Also see www.uscourts.gov/rules/comment2005/CVAug04.pdf.
Another proposed change to Rule 26(b)(2)(B) would require a court order for e-evidence that is "not reasonably accessible because of undue burden or cost." This rule may lead to lengthy discussions about what is or is not reasonably accessible because it shifts the cost burden to the requesting party.
Laying a Proper Foundation for E-Evidence
In 1975, the Federal Rules of Evidence were adopted. They govern the admissibility of evidence, including electronic records or data. Some of these rules are referred to as exclusionary rules because they specify the types of evidence that are excluded, and thus cannot be presented at trial. In establishing admissibility, many rules of evidence concentrate first on the evidence's relevancy. After evidence is found to be relevant, then it must survive several tests based on the rules of evidence in order to be admissible. Figure 12.1 shows that relevant evidence which has not been excluded is admissible evidence.
FIGURE 12.1 Relevant evidence that has not been excluded is admissible evidence.
Exclusionary Rules
Exclusionary rules are specific Federal Rules of Evidence that test whether evidence will be admissible. Some of these rules test whether there is a specific rule that bars the admissibility of evidence, such as hearsay or privilege. Even if there is a specific rule that bars its admissibility, there may be exceptions to the rule, such as the business rule exception to the hearsay rule. Exclusionary rules pertain to the following:
• Relevancy. The evidence has a logical and valuable connection to an issue of the case.
• Privilege. Protects attorney-client communications and keeps those communications confidential.
• Opinion of expert. Qualified experts may testify under certain conditions even though they were not eyewitnesses.
• Hearsay. Rule against using "out of court" statement offered to prove truth.
• Authentication. The evidence is what it purports (claims) to be.
These rules as they apply to e-evidence are described in Table 12.1. The Legal Information Institute (LII) of Cornell University publishes the eleven articles of the Federal Rules of Evidence at www.law.cornell.edu/rules/fre/. This is a free service provided by the LII.
As the Rules listed in Table 12.1 describe, evidence may be inadmissible if it falls into a category that makes it inadmissible, such as hearsay or privilege; or it is irrelevant, prejudicial, misleading, or causes delays that substantially outweigh its probative value. Evidence has probative value if it is sufficiently useful to prove something important.
TABLE 12.1 Federal Rules of Evidence pertaining to e-evidence.
| Rule | Description |
|---|---|
| Rule 104(a). Preliminary Questions of Admissibility Generally | Preliminary questions concerning the qualification of an expert witness or the admissibility of evidence are decided by the court. |
| Rule 401. Definition of Relevant Evidence | Relevant evidence means evidence that can make some fact or issue more probable or less probable than it would be without the evidence. |
| Rule 402. Relevant Evidence Generally Admissible; Irrelevant Evidence Inadmissible | All relevant evidence is admissible, except as otherwise provided by the Constitution of the United States, by Act of Congress, by these rules, or by other rules of the Supreme Court. Evidence that is not relevant is not admissible. |
| Rule 403. Exclusion of Relevant Evidence on Grounds of Prejudice, Confusion, or Waste of Time | Even if it is relevant, evidence may be excluded if its probative value is substantially outweighed by the danger of unfair prejudice, confusion of the issues, misleading the jury, unnecessary delay, or waste of time. |
| Rule 702 | This rule broadly governs the admissibility of expert testimony. It outlines what is necessary to be qualified as an expert. A witness is qualified as an expert by knowledge, skill, experience, training, or education. Under Rule 702, the test is: If scientific, technical, or other specialized knowledge will help the trier of fact (jury or judge) understand the evidence, a qualified expert may testify if (1) the testimony is based upon sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case. |
| | Testimony in the form of an opinion, that is not inadmissible for some other reason, is allowed because the opinion is an issue for the trier of fact to decide. |
| Rule 802. Hearsay Rule | Hearsay is not admissible except as provided by these rules or by other rules of the Supreme Court. |
| Rule 803(6). Business Exception Rule | Business records that are made during the ordinary course of business are admissible. Conversely, business records that are made for use in a civil or criminal case are not admissible. |
| Rule 901(a). Requirement of Authentication or Identification, General Provision | The requirement of authentication or identification is satisfied by evidence that supports that the "matter" is what its proponent claims it is. |
Visit Prentice-Hall's Cybrary at www.talkjustice.com/cybrary.asp for a comprehensive directory of Web sites related to forensics and other criminal justice topics.
Hearsay Evidence
Hearsay Rule 802 can block admissibility unless some exception applies to the evidence. For example, if the author of an electronic record is not available to verify the truth of the matter, the electronic record would be hearsay. As such, it would be inadmissible unless it fit into one of the exceptions to the hearsay rule. Electronic records that are business records made during the ordinary course of business are admissible under the business records exception rule in Rule 803(6). Therefore, business records, which are hearsay, can be admitted as evidence because they are an exception to hearsay. The reason for their exception is that their regular use in the business of a company ensures a high degree of accuracy so additional verification is not needed.
Motions to Suppress Evidence
Questions of admissibility and motions to suppress evidence are handled before trial. A judge may hold a hearing to determine whether or not evidence is admissible. In those cases, the jury never hears of the evidence. A motion by a lawyer for such a hearing before trial is called a motion in limine (pronounced lim-in-nay). Courts prefer this approach because it limits the jury's exposure to inadmissible evidence, which might influence jury members regardless of attempts to ignore it (Eichhorn, 1989).
Federal Rule 702 Test for Admissibility
Evidence is not the only thing that is subject to tests of admissibility. A forensic examiner's qualifications can be challenged or the tools or methodologies used in a forensic investigation can be objected to. These challenges or objections are heard outside the presence of the jury during a pretrial hearing under Federal Rule 702 (as defined in Table 12.1).
From 1923 to 1993, the test for admissibility of expert witness testimony and methodologies was based on the 1923 ruling in Frye v. United States (1923). The Frye test, as it came to be known, requires that the scientific principle upon which the work is based is "sufficiently established to have gained general acceptance in the particular field in which it belongs." Using Frye, a judge had to test the admissibility of expert testimony before allowing it in court.
In part because of the problems caused by the "general acceptance" criteria, the Frye test that Rule 702 had been relying on was replaced (superseded) by the Daubert test in 1993. In 1993, the Supreme Court issued an opinion in the case of Daubert v. Merrell Dow Pharmaceuticals that abandoned the earlier Frye standard in federal cases and set a new standard. A judge must take into account the following:
1. Whether the theory or technique can be and has been tested
2. Whether it has been subjected to peer review and publication
3. The known or potential error
4. The general acceptance of the theory in the scientific community
5. Whether the proffered testimony is based upon the expert's special skill
The Daubert test is primarily a question of relevance, or "fit," of the evidence. The Supreme Court holds that in order for testimony to be used it must be sufficiently tied to the facts of the case to help understand an issue being disputed (Norberg, 2006). For the full text of the Daubert test, visit the Supreme Court Collection of the Legal Information Institute at supct.law.cornell.edu/supct/html/92-102.ZS.html.
Authenticating E-Mail Messages and other E-Evidence
A physical document can be authenticated by either direct evidence or
circumstantial evidence. Examples of circumstantial evidence would be the
paper document's appearance, content, or substance. The same circumstantial
evidence the courts use to authenticate physical documents applies to e-mail
messages.
In order to authenticate an e-mail message, Rule 901 requires that the person (proponent) who introduces the message provide "evidence sufficient to support a finding that the [e-mail message] is what its proponent claims."
The reliability of e-evidence itself and the reliability of the methods and procedures used must be established too. Rule 901 generally can be satisfied by proof that:
1. The computer equipment is accepted in the field as standard and competent and was in good working order.
2. Qualified computer operators were employed.
3. Proper procedures were followed in connection with the input and output of information.
4. A reliable software program and hardware were used.
5. The equipment was programmed and operated correctly.
6. The exhibit is properly identified as the output in question.
Proof must be provided for all six of these issues or for all issues that apply to the handling of the evidence. It is not a surprise that opposing counsel will challenge the authentication of the e-evidence. In fact, evidence should be challenged to ensure that it accurately and fully represents the truth.
Circumstantial E-Mail Evidence Authenticates Other E-Mail
A good example of how e-mail messages can be authenticated to meet Rule 901 is in United States v. Siddiqui (Robins, 2003). In Siddiqui, the defendant was convicted of fraud, making false statements, and obstructing a federal investigation in connection with an award he had applied for from the National Science Foundation (NSF). The issue of the case was that the defendant, Siddiqui, had falsified documents (letters recommending him for the NSF award) in the names of two other individuals; and the defendant had then urged those two individuals to support the falsified documents. E-mail messages between Siddiqui and the two individuals containing incriminating information were recovered and used as e-evidence.
Siddiqui appealed. He challenged the district court's decision to admit into evidence several e-mail messages between himself and the two individuals. The court held that the appearance, contents, substance, internal patterns, and other circumstances of these e-mail messages authenticated them. The Eleventh Circuit pointed to the following facts:
1. The e-mail messages reflected an e-mail address that included a variation of the defendant's name and a uniform resource locator (URL) for the defendant's employer.
2. The e-mail address in these messages was consistent with one in another e-mail message that was introduced into evidence by the defendant as an e-mail message from the defendant to one of the two other individuals.
3. The contents of the messages indicated that the author knew the details of the defendant's conduct in connection with the NSF award.
4. One of the e-mail messages referred to a visit the defendant had made to a particular event attended by the defendant and by the recipient of the message.
5. The e-mail messages referred to the author by a nickname recognized by the recipients.
6. The e-mail messages occurred during the same time period in which the recipients spoke to the defendant by telephone and had conversations consistent in content with the e-mail messages.
This case presents several important lessons for computer forensics inves-
tigators. It illustrates the larger and more comprehensive role of e-mail evidence
in a case. E-mail messages not directly on point may be relevant to the case as
the proof needed to authenticate other e-mail. The content of e-mail messages
may relate to other documents of the author, or have a style that is consistent
with other communication patterns.
The issue of style is equally critical when e-mail has been planted or
forged. E-mail forgers may not be aware of distinctive writing styles or rules of
evidence and, out of habit, use their own writing style.
In a sexual harassment case brought by an accountant against her manager, the manager produced an e-mail message allegedly sent to him by the accountant, which she denied having sent. The company at which both employees worked required personnel to share computers. Employees were also required to reveal their e-mail passwords, so that if an employee was out of the office, colleagues could have access to e-mail messages on that employee's computer. The computer forensics investigator concluded that, based on these policies, it was not possible to verify whether or not the accountant had sent e-mail. The accountant produced e-mail she had sent to the manager and that he had sent to her over a year's time. The grammar, sentence structure, punctuation, and other style features in the disputed e-mail message clearly differed from other e-mail sent by the accountant and supported her claim that she had not sent the disputed e-mail. The contradictory evidence triggered a wider search of e-mail of the manager and information technology staff.
Circumstantial Evidence Authenticates Chat Room Session
Circumstantial evidence was used to authenticate e-evidence in the United States v. Simpson case. The case involved a hard-copy printout of an online chat room session that Simpson had participated in. The government was able to authenticate a printout of a chat room session between a detective and the defendant Simpson. Even though Simpson did not use his full name in the chat room when communicating with the detective, he provided his first initial and last name. The initial and last name were the same as the defendant's, and the e-mail address belonged to the defendant. Pages found near a computer in Simpson's home contained the name, street address, e-mail address, and telephone number that the detective had given to the individual in the chat room session.
When considered all together, the circumstantial evidence was sufficient to authenticate the communication as one that occurred in a chat room session between Simpson and the detective.
This case illustrates how different types of evidence can be used for authentication. It also reaffirms the importance of detailed documentation of materials found near a computer, as was discussed in prior chapters. Next, we will examine the anticrime and privacy laws.
Anticrime Laws
Congress responds to changing technology and high-tech crimes by amending existing laws if possible or by issuing new laws (statutes). The most authoritative federal statutes affecting computer forensics are the Electronic Communications Privacy Act (ECPA), the Federal Wiretap Statute, the Pen/Trap Statute, the CFAA, and the USA PATRIOT Act. The ECPA extended the Wiretap Statute to include authority over digital transmissions over computer networks.
A highly contentious response by President George W. Bush as part of his war against terrorism was the use of warrantless electronic surveillance. The order was issued without the consent of Congress and violates the Fourth Amendment.
Electronic Communications Privacy Act of 1986
In certain situations, the Electronic Communications Privacy Act (ECPA) of 1986 takes precedence over the right to privacy guaranteed by the Fourth Amendment. The ECPA applies to stored computer files that had been transmitted over a network. This law applies only to stored computer information and not to real-time interception of communications. Real-time interception of computer information in transit falls under the Federal Wiretap Statute of 1968.
The ECPA permits an ISP to look through all stored messages, including e-mail waiting in an inbox, or recently sent and received mail. Some ISPs temporarily store all messages that pass through the system. The ECPA normally prevents the ISP from disclosing the messages to others, but there are exceptions. Law enforcement with proper warrants or administrative subpoenas can collect basic information about users from ISPs, including their names. They might also be allowed access to the content of stored messages.
Risk
An employee who uses his employer's computer for personal communications assumes the risk that these communications may be accessed by the employer or by others.
Congress made the ECPA the primary law by which to address claims of privacy violations in the communications field. This law's goal is to balance privacy rights with law enforcement needs while protecting Fourth Amendment rights against unreasonable search and seizure whenever possible.
The authority given to law enforcement by the ECPA has sparked fierce
opposition by privacy advocates. The full text of the ECPA is available at
www.usiia.org/legis/ecpa.html.
Limitations of Privacy Laws
The belief that a person has a reasonable expectation of privacy under all circumstances is wrong. People try to hide their crimes by claiming that they expected privacy. By law, privacy expectations depend on several factors. For example, if circumstances show that a computer user had no reasonable expectation of privacy, then police do not need a search warrant to obtain information (Nimsger, 2003). Users of computer equipment owned by an employer, company, or government agency fall into this category. Companies and government agencies can specify explicitly in their acceptable use policies (AUP) that employees have no right to privacy or privacy expectations when they use company equipment for e-mail or the Internet.
In the case of U.S. v. Simons (2000), a government employee working for the Central Intelligence Agency (CIA) was suspected of using his office computer to download pornography. Without getting a warrant, the CIA remotely accessed Simons' computer and found files containing photos of child pornography, which is a federal crime. Simons tried to suppress the photos by claiming a Fourth Amendment violation of his expectation of privacy. However, the CIA had an AUP that allowed it to "periodically audit, inspect, and/or monitor . . . users' Internet access." The Court determined that because of this AUP, Simons had no reasonable expectation of privacy and that no warrant was required for the search, making his files admissible.
Supreme Court Defers to Congress
The courts usually defer to Congress's judgment when confronted with Fourth Amendment challenges to electronic surveillance.
Alan Scott had shredded documents into strips 5/32 of an inch wide to destroy the evidence they contained of his income tax evasion. Government agents retrieved those strips from the trash in front of Scott's home and then reassembled them into documentary evidence that helped prove Scott's crime. After he was charged with a crime, Scott argued that he had created a reasonable expectation of privacy in the documents by shredding them, so that reconstructing them without a warrant violated his Fourth Amendment rights (Kerr, 2001).
According to the First Circuit court, Scott's case revealed "a failed attempt of secrecy by reason of underestimation of police resourcefulness, not invasion of constitutionally protected privacy."
The use of technology (the shredder) to destroy the paper does not provide constitutional protection. As a result, agents did not need a warrant to reconstruct Scott's shredded documents and return them to a readable form. The government's reconstruction of Scott's communications did not violate his reasonable expectation of privacy because he had no foundation for that expectation.
In terms of e-evidence, a person who encrypts incriminating electronic documents and then deletes them, assuming they won't be deciphered by authorities, cannot make a valid claim that he had an expectation of privacy.
Courts' Interpretation of Fourth Amendment Protection
In the 1980s, a series of court cases were triggered by defendants' claiming that their right to Fourth Amendment protection had been violated. For example, in United States v. Jacobsen, the Supreme Court considered whether the Fourth Amendment required the government to obtain a search warrant before conducting a field test on white powder that agents had seized from the defendant. The purpose of the field test was to determine whether the powder contained cocaine. The defendant argued that the chemical field test violated his reasonable expectation that the contents of the white powder would remain a secret (private), and thus violated his Fourth Amendment "reasonable expectation of privacy." In an opinion by Justice Stevens, the Supreme Court disagreed with that logic by stating:
The concept of an interest in privacy that society is prepared to recognize as reasonable is, by its very nature, critically different from the mere expectation, however well justified, that certain facts will not come to the attention of the authorities.... A chemical test that merely discloses whether or not a particular substance is cocaine does not compromise any legitimate interest in privacy.
Because cocaine was illegal contraband, the defendant had no right to possess it and no extraconstitutional right to stop the government from conducting the test to identify it. The defendant's expectation that the identity of the illegal powder would remain a secret did not establish a constitutionally recognizable reasonable expectation of privacy.
Federal Wiretap Statute of 1968The ECPA amended the Federal wiretap Statute of 1968 to include the inter-
ception of electronic communications, including e-mail. The USA pATRIor
7/29/2019 Forensics CH 12
http://slidepdf.com/reader/full/forensics-ch-12 14/23
42O CHAPTEB t Z I Federal Rules and Griminal Codes
Act also expanded the list of criminal activities for which wiretaps can be
ordered. Wiretaps are ordered when terrorist bombings, hijackings, or other vio-
lent crimes are susPected.
The Federal Wiretap Statute provides,
,'Immecliately upon the expiration of the period [covered by the wire-
tap orderJ . . . recordings shall be made available to the judge
isstring such order and sealed under his directions. . . . The presence
of the seal ... or a satisfactory explanationfor the absence thereof,
shall be a prerequisite .for the use or disclosure of the contents "
of the intercept. [18 U-5.C. 2518(B)(a)]
This provision of the statute requires that the recordings captured during the time of the wiretap be given to the judge within a reasonable amount of time, or the contents of those recordings are inadmissible. The judge must, in effect, "seal the evidence" to prevent tampering as part of the chain of custody. This period of time is not specified in the statute. Defense attorneys had tried to get wiretaps thrown out by claiming that there was a delay getting the recordings to the judge.
In some cases, courts have used the "service provider exemption" to find that any company furnishing computer hardware and software may access its employees' e-mail files. For example, in Bohach v. City of Reno (1996), a federal court rejected privacy claims under the ECPA raised by two police officers in Reno, Nevada. Officer John Bohach had sent messages to other members of the department over the department's Alphapage messaging system. Several months later, an internal affairs investigation was being conducted based on the contents of those messages. Bohach and another officer filed a lawsuit against the City of Reno claiming that the department's accessing and retrieving the old messages violated the federal wiretap statutes. The court disagreed. The court reasoned that because the nature of the Alphapage messages was essentially e-mail, the officers could not have reasonably believed them to be private. Also, the court cited a department order informing employees that their messages would be "logged on the network" and that sending certain types of messages was prohibited. The court found that the city was a "service provider" as defined under the ECPA and was "free to access the stored message as it pleased." Therefore, the court found that the city had not violated the ECPA.
Pen/Trap Statute, Section 216

"Trap and trace" information is so called because collecting the information originally required the telephone company to trace the phone line using a tool known as a terminating trap. The pen register is a mechanical device that can be attached to a specific telephone line at a telephone office. A pulsation of the dial on a line to which the pen register is attached records on a paper tape dashes equal to the number dialed. The paper tape then becomes a permanent and complete record of outgoing calls and the numbers called on the particular line. Immediately after the number is dialed, but before the call is answered, the pen register mechanically and automatically disconnects. There is no recording or monitoring of the conversation.
The pen register and trap and trace statute, or the Pen/Trap Statute, governs the collection of noncontent traffic information associated with communications, such as the phone numbers dialed by a particular telephone. Rather than the strict probable cause necessary for wiretaps, pen register orders require only certification from a law enforcement officer that "the information likely to be obtained is relevant to an ongoing criminal investigation." If the application for installation of a pen/trap device contains these elements, the court will authorize it.
This statute was enacted as part of ECPA. Section 216 updates the Pen/Trap Statute in three ways:

1. The amendments clarify that law enforcement may use pen/trap orders to trace communications on the Internet and other computer networks.
2. Pen/trap orders issued by federal courts now have nationwide effect.
3. Law enforcement authorities must file a special report with the court whenever they use a pen/trap order to install their own monitoring device on computers belonging to a public provider.
Counterfeit Access Device and Computer Fraud and Abuse Act

Congress's first battle against computer crime was the passage of the Counterfeit Access Device and Computer Fraud and Abuse Act in 1986. This legislation primarily covered illegal access or use of protected government computer systems. It was aimed at individuals who broke into or stole data from government computers. This law was too narrow, so Congress amended it twice, once through the CFAA in 1994 and then through the National Information Infrastructure Protection Act (NII) in 1996. The CFAA is also referred to as Title 18 USC §1030.
Title 18 of the CFAA deals with "crimes and criminal procedure." Section 1030 of Title 18 deals with "Fraud and related activity in connection with computers." Under 18 USC §1030, the government does not have to prove that an individual who accessed a federal interest computer network unauthorized had intended to damage it, only that he intended to access it.
USA PATRIOT Act

Even before the USA PATRIOT Act, federal agencies had broad legal powers to monitor telephone conversations, e-mail, pagers, wireless phones, computers, and all other electronic communications and communications devices. The USA PATRIOT Act greatly broadened the FBI's authority to gather this information. The USA PATRIOT Act made it lawful for an officer to intercept a computer trespasser's wire or electronic communication transmitted to or through a protected computer. The act included new guidance relating to computer crime and e-evidence. The Field Guidance on New Authorities that Relate to Computer Crime and Electronic Evidence Enacted in the USA Patriot Act of 2001 provides the authority to do several things. Authorizations include:

1. Intercepting voice communications in computer hacking investigations
2. Allowing law enforcement to trace communications on the Internet and other computer networks within the pen and trap statute (pen/trap statute)
3. Intercepting communications of computer trespassers
4. Writing nationwide search warrants for e-mail
5. Deterring and preventing cyberterrorism

Section 225 of the act is relevant to computer forensics investigators. It gives immunity from civil lawsuits to any person who provides technical assistance in obtaining electronic information pursuant to a court order or valid request for emergency assistance.
There are two sources of authority for federal wiretaps within the United States.

The first authority is the Federal Wiretap Act, or Title III, of 1968. It was expanded in 1986 by the ECPA. It sets procedures for court authorization of real-time surveillance of electronic communications, including voice, e-mail, fax, and Internet, in criminal investigations. Before using a wiretap, an affidavit must be submitted to a judge that there is probable cause to believe that a crime has been, is being, or is about to be committed. Based on the affidavit, the judge then issues the wiretap or denies it. Under extreme circumstances, a judge's order may not be necessary.

The second authority is the Foreign Intelligence Surveillance Act (FISA) of 1978. FISA allows wiretapping in the United States based on probable cause that the person is a member of a foreign terrorist group or an agent of a foreign power. For U.S. citizens and permanent resident aliens, probable cause that the person is engaged in criminal activities is needed. For others, suspicion of criminal activity is not required for the wiretap. The USA PATRIOT Act allows prosecutors to use FISA for the purpose of gathering evidence in criminal investigations of national security crimes.
The law raised the maximum penalty for hackers who damaged protected computers. See the Field Guidance on New Authorities That Relate to Computer Crime and Electronic Evidence Enacted in the USA Patriot Act of 2001 at www.usdoj.gov/criminal/cybercrime/PatriotAct.htm. The guide develops and supports cybersecurity forensic capabilities. Visit www.cybercrime.gov/PatriotAct.htm for the latest provisions of the law.
The 1998 Digital Millennium Copyright Act permits music companies to force ISPs to turn over the names of suspected music pirates upon subpoena from any U.S. District Court clerk's office and without a judge's signature.
In United States v. Forest and Garner, the U.S. Court of Appeals for the Sixth Circuit (January 27, 2004) rejected a defendant's efforts to exclude evidence that had been obtained by federal agents who used cell-site data. Agents used data from the defendant's cellular telephone service provider to track his movements after the agents lost visual contact. The court rejected his arguments, which he had based on Title III of the Omnibus Crime Control and Safe Streets Act of 1968 and the Fourth Amendment. Drug Enforcement Agency (DEA) agents secured court orders giving them authority to intercept the defendant's cellular phone calls. The orders also required the cellular service provider to disclose all subscriber information relevant to the investigation.

While conducting surveillance of the defendant and a codefendant, the agents lost track of them. The agents then dialed the defendant's cell phone several times and used the provider's computer data to determine which cell transmission towers were being "hit" by that phone. The cell-site data revealed the defendant's general location and helped catch him.

On appeal of his conviction, the defendant argued that the cell-site data and resulting evidence should have been suppressed because they turned his phone into a tracking device, and that violated his rights under both Title III and the Fourth Amendment.
In an opinion by Judge Ronald Lee Gilman, the court found that the cell-site data clearly does not fall within Title III's definitions of oral communication or wire communication, and that the only other statutory category that the data might fit into is electronic communication. The court pointed out, however, that even assuming that cell-site data does meet the definition of electronic communication, Title III provides suppression as a remedy only for the illegal interceptions of oral or wire communications and not for the illegal interception of electronic communications.

The court reached the same conclusion with regard to the defendant's argument that the authorities turned his cell phone into a tracking device within the meaning of 18 U.S.C. §3117. The court ruled that §3117 does not provide suppression as a remedy, regardless of whether or not a phone fits the definition of a tracking device under that statute.

The defendant also claimed that the cell-site data and resulting evidence should be suppressed under the exclusionary rule of the Fourth Amendment. But the court ruled that the defendant had no legitimate expectation of privacy in his movements along a public highway.
Sneak and Peek Provision

The primary stated purposes of the USA PATRIOT Act are to "deter and punish terrorist acts in the United States and around the world [and] to enhance law enforcement investigatory tools." The Act changed the point at which individuals being searched (the targets) are to be notified of that search. Prior to this Act, the target was notified when the physical search was being made. The PATRIOT Act permits an investigator to delay notification (Wegman, 2004).
This notification delay has been described as a sneak and peek provision, mostly by critics of the act (Shulman, 2003). Law enforcement can delay notifying the target for up to 90 days and then get another delay by showing some good cause. To obtain authority for delayed notification, an investigator must show a need for the delay, such as danger to the life or safety of an individual, risk of flight from prosecution, witness or evidence tampering, or that immediate notice would "seriously jeopardize" an investigation (Wegman, 2004).
Expanded Power for Surveillance

Three examples of expanded powers for surveillance and search of e-evidence provided by the act are:

1. Judicial supervision of telephone and Internet surveillance by law enforcement is limited.
2. Law enforcement and intelligence agencies have broad access to sensitive medical, mental health, financial, and educational records with limited judicial oversight.
3. The government has the power to conduct secret searches of individuals' homes and businesses, including monitoring books bought from bookstores or borrowed from libraries.
The USA PATRIOT Act requires that an agency that sets up surveillance using its own pen/trap device on a packet-switched public data network identify:

1. Any officers who installed or accessed the device to obtain information from the network
2. The date and time the device was installed and uninstalled and the duration of each time the device was accessed
3. The configuration of the device at the time of installation, plus any later modification
4. Any information that the device has collected
Electronic Surveillance Issues

The issue of electronic surveillance became a grave matter in the United States in late 2005 and early 2006, and the resolution may impact the use of wiretapping and collection of electronic evidence.

On December 16, 2005, James Risen and Eric Lichtblau of the New York Times reported that President George W. Bush authorized the National Security Agency (NSA) to spy on Americans without warrants. (Their article is reprinted at www.commondreams.org/headlines05/1216-01.htm.) This order ignored procedures of the Foreign Intelligence Surveillance Act (FISA).

The New York Times article reported that in 2002 Bush issued an executive order authorizing the NSA to track and intercept international telephone and e-mail traffic into or out of the United States when one party was believed to have ties with al Qaeda. Initially, neither Bush nor the White House confirmed or denied that the president had ignored the law. In his radio broadcast on December 17, 2005, Bush admitted that the New York Times was correct.
Many legal scholars have argued that by issuing the warrantless wiretapping in violation of FISA and bypassing Congress, the president committed an impeachable offense. Only Congress can decide whether to allow such wiretaps (Dean, 2005).
First reports indicated that the NSA limited monitoring to foreign calls originating in the United States or abroad and that fewer than 500 calls were being monitored at a time. But later reports indicated that the NSA was "data mining" millions of calls by using access to telecommunications companies' switching stations through which foreign communications traffic flows.
On January 6, 2006, Morton H. Halperin, the executive director of the Open Society Policy Center at www.opensocietypolicycenter.org, released the memo addressing the legal issues in "A Legal Analysis of the NSA Warrantless Surveillance Program." In response, on February 6, 2006, the Hon. Alberto R. Gonzales, attorney general of the United States, released a prepared statement available at www.usdoj.gov/ag/speeches/2006/ag_speech_060206.html in which he defended the surveillance program. His defense was "Congress and the American people are interested in two fundamental questions: is this program necessary and is it lawful. The answer to both questions is yes." Gonzales also attacked critics by stating that "These press accounts are in almost every case, in one way or another, misinformed, confused, or wrong."

For articles on the current state of this issue, visit the National Security Agency (NSA) section of Findlaw news archives at news.findlaw.com/legalnews/documents/archive_n.html.

Internet Interests Are Revealing

Evidence of Web surfing reveals much more about an individual than
Computer Fraud and Abuse Act

The CFAA was the first law to address computer crime in which the computer is the subject of the crime. That is, it applies to crimes that do not have an analogy in traditional crime. Such crimes include the use of viruses or other malware, sniffers, logic bombs, and bots. The CFAA has been used to prosecute virus creators, hackers, information and identity thieves, and people who use computers to commit fraud.
Table 12.2 lists key terms used in the Computer Fraud and Abuse Act.

TABLE 12.2 Definitions of the key terms in the Computer Fraud and Abuse Act (Federal Statute 18 U.S.C. §1030).

Protected Computer
A protected computer means a computer that:
- Is used by a financial institution (broadly defined)
- Is used by the U.S. government
- Affects domestic, interstate commerce or communications of the United States
- Affects foreign commerce or communications of the United States
In effect, every computer connected to the Internet is a protected computer. Protected computers include computers located outside the United States. This allows U.S. prosecution of hackers who attack foreign computers.

There are two references regarding authorized access specified in the statute:
- Without Authorization: "Access without authority" applies to any outsider who breaks in and uses a computer for any purpose. (Because this applies only to outsiders, it does not apply to employees.)
- Exceeding Authorized Access: "Access in excess of authority" applies to anyone who has authorized access to a computer and uses that access to obtain or alter information that he is not allowed to obtain or alter.

Damage
Damage is defined as any impairment to the integrity or availability of data, a program, a system, or information. That impairment must cause:
- A loss to one or more persons (or companies) during any 1-year period totaling at least $5,000 in value
- The modification or impairment of medical records
- Physical injury to any person
- A threat to public health or safety
- Damage to a government computer system used for administering justice, national defense, or national security

Loss
Loss is defined as any reasonable cost to any victim, including the cost of:
- Responding to an offense
- Conducting a damage assessment
- Restoring the data, program, system, or information to its condition prior to the offense
- Lost revenue or other damages because of interruption of service

If there has been damage to a protected computer that has caused damage, the next issue is whether the conduct was intentional, reckless, or negligent.
- "Intentional conduct" means conduct by anyone who knowingly transmits a "program, information, code, or command" that causes damage to a protected computer. This applies to both insiders and outsiders.
- "Reckless conduct" means intentional access to a protected computer without authority that unintentionally but recklessly causes damage. This applies only to outsiders.
A trail of electronic data from U.S. Web sites led to the convictions of more than 22 British customers who had bought psychedelic drugs online. Customers were identified from e-evidence collected during a U.S. DEA sting operation, Operation Web Tryp. The evidence led police to addresses across the UK.

For several years, psychedelic drugs known as "research chemicals" had been sold openly from U.S. Web sites. Since many of the research drugs are too powerful psychedelically to catch on with users or dealers, they are available only from e-commerce sites.

The online drug trade came to the attention of U.S. law enforcers in March 2004 after James Downs, 22, died from an accidental overdose of 2-CT-21 he ordered online. Investigators traced his purchases to a Las Vegas research chemicals Web site, which imported chemicals from labs in China and India. That year, the DEA shut down the Web sites and arrested the site operators.

Each e-commerce Web site had thousands of customers in the United States and Europe. Customers could order their drugs with one-click systems of payment via credit card or PayPal, and their purchases were delivered the next day by FedEx and other carriers. Customer records and credit card details were gathered from seized computers. After investigators had verified the intelligence, details were sent to UK police forces.

Research chemicals are not officially listed as controlled substances under U.S. drug laws. Therefore, the Web site operators were prosecuted under a law that prohibits the possession and supply of chemicals "substantially similar" to controlled drugs. All the operators face life sentences, and several have been charged with causing death or serious injury. In May 2005, operator David Linder was found guilty on 27 charges, including drug conspiracy and money laundering. He was sentenced to a total of 410 years in prison and ordered to pay back $200,000 in profits from the Web site. The severity of his sentence was related to the death of an 18-year-old New York man who overdosed on the drug alpha-methyltryptamine (AMT) purchased from Linder's site (McCandless, 2005).
In this chapter, you have learned about the Federal Rules of Evidence and procedure that directly impact investigative procedures and the admissibility of evidence. Actual federal cases and court decisions were presented to illustrate the tough challenges to an investigator's experience, evidence handling, hardware, and procedures. Clearly, investigators need a working knowledge of what constitutes a legal search so as not to compromise cases, convict innocent people, or let guilty people go free. Before seizing computers, Fourth Amendment search warrant requirements need to be met. Before accessing stored data, the requirements of the Electronic Communication Privacy Act must be considered. Conducting real-time electronic surveillance may require a wiretap order from a judge. In the next chapter, you will learn how to present testimony about evidence and methods in court or legal action.

Amendments to anticrime legislation, particularly the USA PATRIOT Act, have given greater search and seizure authority to law officials and investigators, at the expense of privacy. The next chapter also examines ethical issues and dilemmas.
MULTIPLE CHOICE QUESTIONS

1. What is the fundamental principle guaranteed by the Fifth Amendment to ensure that civil and criminal cases follow federal or state rules fairly?
A. Due process of the case.
B. Due process of the law.
C. Rules of criminal evidence.
D. Due protection under the law.

2. What is meant by prejudicial treatment?
A. Deprived protection.
B. Discrimination against minorities.
C. Equal treatment.
D. Unequal treatment.

3. When the 1970 amendment to Rule 34(a) made electronic data subject to discovery, what type of evidence was used soon afterward in legal actions?
A. Computer printouts.
B. Internet history records.
C. E-mail.
D. Cellular phone records.