Forensics CH 12

7/29/2019 Forensics CH 12

http://slidepdf.com/reader/full/forensics-ch-12 1/23

t2hapter

Federol Rules ondCriminol Codes

G#mme'er #Bjecfrye.sAfter reading this chapter and completing the exercises,you will be able to do the following:

r Identify federal rules ofevidence and other principles ofdue process ofthe law

r Explain the legal foundation and reasons for pretrial motions regardingevidence.

r ldentify the limitations on expectations of privacy.

r Explain the major anticrime laws and amendments impacting discoveryand use ofe-evidence.

lntroductionpederal rules and laws are changed t9 bring Qem up to date with new technol-

I' ogy. crimes. threats. and evidence. Rules are regulations that govern legalc.onduct, procedures, and praclices. I aws are regulations that govern the conductof the people of a society or nation. These rules and laws directly impact inves-tigative procedures and the admissibility of evidence. Investigators who do notunderstand them run the risk of compromising cases, convicting innocent people,or letting guilty people go free. You need to know what constitutes a legal search,what laws govern obtaining e-evidence and securing it so that the chain ofevidence is not compromised, what telecommunications may lawfully be inter-cepted or examined after they have been received and what privacy rightsemployees and other individuals have. Consider the need to understand rulesand laws in these cases. Before seizing a computer or other hardware, oneneeds to consider whether the Fourth Amendment requires a search warrant.



408 CHAPTER l2 | Federal Rules and Criminal Godes

Before accessing stored electronic communications, one needs to consider the

requirements of the Electronic Communication Privacy Act. To conduct real-time

electronic surveillance, a wiretap order may be needed from a judge.

In this chapter, you learn about due process of the law, federal rules of

evidence and procedure, and anticrime laws. These laws are important to know

because even cases that center on physical evidence and eyewitness testimony

may require collecting e-evidence to guide or corroborate the physical evidence.

You will learn about the authority granted to investigators under privacy laws and

the limitations those laws impose to protect civil rights. Many of these laws are

highly controversial and subject to heated debates. At the same time, crimes are

increasingly computer-technology-dependent. These forces will drive changes

in privacy laws as the privacy versus security battles play out. This chapter also

provides the framework for understanding the ethical challenges and demands of

giving testimony in court that are covered in the next chapter.

Due Process of the Law

Dueprocess

ofthe luw is a fundamental principle to ensure that all civil and

criminal cases follow federal or state rules to prevent any preiudiciul, or :unequ;al,

treatment. This chapter focuses on federal rules and cases for two reasons. First,

cases that involve the Internet or telecommunications typically are federal cases

because they cut across state boundaries. Second, states'rules are patterned after

federal rules and are sufficiently similar for the level of this chapter.

Due process is guaranteed in the FifthAmendment to the U.S. Constitution,

which states: "No person shall . . . be deprived of life, liberty, or property, with-

out due process of law."

Federal Rules of civil Procedure, Federal Rules of Criminal Procedure, and

Federal Rules of Evidence, which were introduced in Chapter 1, are the primary

rules ensuring due process. In federal courts, evidentiary rules are governed by

the Federal Rules of Evidence. State courts follow their own state rules of evi-dence. This chapter discusses the rules in greater detail now that you have a solid

understanding of the technology and criminal components of e-evidence.

d-;rpfum f* ff*dmrmf ffi*;dms #f #n*m*#*rrs

The Low School of Cornell University mointoins upto-dote Federol Rules

of Criminol Procedure ot www.lqw.cornell.edu/rules /frcrmp/.Federol Rules of Civil Procedure ore ot www.low.cornell. edul

ruleslfrcp/.



e{ oue Process of the Law 4O

Federal Rules of Procedure Regulate productionof EvidenceThe rederal Rules of civil Procedure were adopted in 193g. Until 1970, ruleshad developed to deal only with physical or tangible evidence. Specifically, thelaw of criminal procedure has evolved to regulate the mechanisms common tothe investigation of physical crimes, namely the collection of physical evidenceand eyewitness testimony-and not e-evidence (Kerr, 2005)_ So the rules youlearn about are expected to change.

Rules 26 and34 regulate the production of evidence. Then an amendmentin Rule 34(a) took effect that made electronic data subject to discovery, whilealso providing protections (in the form ofexceptions to the rule) for the partywhose electronic data was being searched. For decades, this amendment had nostriking impact because only computer hard-copy printouts were routine in legalmatters. A far-reaching impact did not begin until the late-1990s when the dis-covery of "electronically stored information" contained on the computer itselfbecame routine. This change raised issues about e-evidence-how it could beauthenticated, proved to be reliable, and determined to be admissible in criminalor civil proceedings. This section reviews the current and evolving status oflaws pertaining to the processes of authentication, reliability, and admissibility.

It also discusses the requirements for laying a proper foundation for e-evidenceand serving as an expert witness.

On April 12,. 2006, the U.S. Supreme Court opproved the pro-posed omendments to the Federol Rules of Civil procedure. Theserules concern the discovery of "electronicolly stored informotion"lESl). These rule chonges offect Rules

,l6,26,33,34,37,45,

ondForm 35.The rules hove been sent to congress ond will become effective on

December 1,2006, unless Congress octs to chonge or defer the omend-ments. The omendments ore ovoiloble on the U.S-. courts' web site qt:www.uscourls.gov/rules/newrules6.htm l#cvO8O4.

, Proposed omendments will impose greoter precision ond furtherchonge_th: yqy. lowyers ond courts o[prooch e-discovery. ln por-ticulor, Rule l6(b)(5) reguires the disciosure of e-discoveiy duringthe initiol pretriol confeience. Discovery requests would'hove tIbe more specificolly toilored becouse' of ihe huge volume of



4tO CHAPTER t2 I Federal Rules and CriminalCodes

W

e-evidence. This discussion should be specific regording the subiectmotter, time periods, ond identificotion of persons or groups fromwhom discovery moy be sought. And the porties need to negotiotehow the documents will be produced very eorly in the cose. lt couldtoke lowyers months to negotiote ihe formot in which documentswould be produced-imoges, TIFF, PDF, or notive formot-ondwhot metodoto would be included (Hsieh, 2006). For exomple, in

Louren Corp. v. Cenlury Geophysicol Corp., the plointiff sought toinspect the defendont's computers for evidence to supporl its cloimthot the defendont hod unlowfully used the plointiff's licensed soft-

wqre. lt took the porties ond the court over o yeor to resolve voriousdiscovery disputes. The court finolly compelled inspection of thecomputers,

Proposed omended Rule 34(b) would ollow the requesting porty to

"specify the form in which eleclronicolly stored informotion is to beproduced." Specific informotion on these pending rules ond the stotus ofother omendments con be found by selecting the "Pending Rules Amend-

ments Awoiting Finol Action" hyperlink in the upper left corner of theWeb poge www.uscourts.gov/rules/ #1udiciolo9o5. Also see

www. uscou rts. gov/ru les/com menf 2OO5 /CVAu gO4. pdf .

Another proposed chonge to Rule 26(b)(2)(B) would require o

court order for e-evidence thot is "not reosonobly occessible becouseof undue burden or cost." This rule moy leod to lengthy discussions

obout whot is or is not reosonobly occessible becouse it shifts the costburden to the requesting porty.

Laying a Proper Foundation for E-Evidence

In 1975, the Federal Rules of Evidence were adopted. They govern theadmissibility of evidence, including electronic records or data. Some of these

rules are referred to as exclusionary rulesbecause they specify the types ofevidence that are excluded-and thus cannot be presented at trial. In estab-

lishing admissibility, many rules of evidence concentrate first on the

evidence's relevancy. After evidence is found to be relevant, then it must

survive several tests based on the rules of evidence in order to be admissible.Figure l2.l shows that relevant evidence which has not been excluded is

admissible evidence.

Exclusionary Rules Exclusionary rules are specific Federal Rules

of Evidence that test whether evidence will be admissibte. Some ol these

rules test whether there is a specific rule that bars the admissibility of



/tl(lF Due Process ofthe Law 4t

FIGURE 12.1 Relevant evidence that has not beenexcluded is admissible evidence.

evidence, such as hearsay or

bars its admissibility, therebusiness rule exception to the

following:

privilege. Even if there is a specific rule that

may be exceptions to the rule, such as thehearsay rule. Exclusionary rules pertain to the

r s.elevancy. The evidence has a logical and varuable connection to anissue of the case.

r Privilege. Protects attorney-client communications and keeps thosecommunications confidential.

r opinion of expert. Qualified experts may testify under certain condi-tions even though they were not eyewitnesses.

r Hearsay. Rule against using "out of court" statement offeredto

provetruth.

r Authentication. The evidence is what it purports (claims) to be.

These rules as they apply to e-evidence are described in Table 12.1. TheLegal Information Institute (LII) of Cornell University publishes the elevenarticles of the Federal Rules of Evidence at www.law.cornell.edu/rules/fre/.This is a free service provided by the LII.

As the Rules listed in Table 12.1 describe, evidence may be inadmissible ifit falls into a category that makes it inadmissible, such as hearsay or privilege;or it is irrelevant, prejudicial, misleading, or causes delays that substantiallyoutweigh its probative value. Evidence has probative value if it is sufficiently

useful to prove something important.



412 CHAPTER t 2 I Federal Rules and Criminal Codes

TABLE t2'l Federal Rules of Evidence pertaining to e-evidence'

Rule 1 04(a). PreliminarY

Questions of AdmissibilitY

GenerallY

Rule 401. Definition of

Relevant Evidence

Rule 402. Relevant Evidence

Generally Admissible;

lrrelevant Evidence

lnadmissible

Preliminary questions concerning the

qualification of an expert witness or the

admissibility of evidence are decided by

the court.

Relevant evidence means evidence thatcan make some fact or issue more

probable or less probable than it would

be without the evidence.

All relevant evidence is admissible,

except as otherwise provided by the

Constitution of the United States, by Acl

of Congress, by these rules, or by other

rules of the Supreme Court. Evidence

that is not relevant is not admissible'

Rule 403. Exclusion of

Relevant Evidence on

Grounds of Prejudice,

Confusion, orWaste

of Time

Even if it is relevant, evidence may be

excluded if its Probative value is

substantially outweighed by the dangerof unfair prejudice, confusion of the

issues, misleading the jury, unnecessary

delay, or waste of time.

methods reliably to the facts o{ the case'

This rule broadly governs the admissibility

of expert testimony. lt outlines what is

necessary to be qualified as an expert'

A witness is qualified as an expert by

knowledge, skill, experience, training, or

education. Under Rule 702, the test is:

lf scientific, technical, or other specialized

knowledge will help lhe trier of fact ( jury

or judge) understand the evidence,a

quatified expertmay testify if (1) the

testimony is based upon sufficient facts or

data, (2)1he testimony is the product of

reliable principles and methods, and (3)the

witness has applied the principles and

Testimony in the form of an opinion-that

is not inadmissible for some other

reason-is allowed because the opinion

is an issue for the trier of fact to decide'



6{ Ou" Process of the Law 4 t

Rule 802. Hearsay Rule Hearsay is not admissible except asprovided by these rules or by other rulesof the Supreme Court.

Rule 803(6). Business

Exception Rule

Business records that are made during

the ordinary course of business areadmissible. Conversely, business recordsthat are made for use in a civil or criminalcase are not admissible.

Rule 901(a). Requirement ofAuthentication or ldentification,General provision

The requirement of authentication oridentification is satisfied by evidence thatsupports that the "matter" is what itsproponent claims it is.

@&rmryr*ffi m bl}/*rl# k #nmrsxmd

#exsfr*m ffi,rr*cf*ry

vi s i t Pre n ti ce-H o I l's cyb ro ry o t www.to I ki ustice.c om / cybrary.ospfor o comprehensive directory of Web sites ,.eloteJ t; ffi;

"rijen.i,orensics, ond other criminol iustice topics.

Hearsay Evidence Hearsay Rule 802 can block admissibility unless someexception applies to the evidence. For example, if the author of an electronicrecord is not available to verify the truth of the matter, the electronic recordwould be hearsay. As such, it would be inadmissible unless it fit into one of the

exceptions to the hearsay rule. Electronic records that are business recordsmade during the ordinary course of business are admissible under the businessrecords exception rule in Rule 803(6). Therefore, business records, which arehearsay, can be admitted as evidence because they are an exception to hearsay.The reason for their exception is that their regular use in the business of a com-pany ensures a high degree ofaccuracy so additional verification is not needed.

Motions to Suppress Evidence euestions of admissibility and motionsto suppress evidence are handled before trial. A judge may hold a hearing todetermine whether or not evidence is admissible. In those cases, the jury neverhears of the evidence. A motion by a lawyer for such a hearing before trial iscalled a motion in limine (pronounced lim-in-nay). courts prefer this approach



414 CHAPTEB t Z I Feaeral Rules and Criminal Codes

because it limits the jury's exposure to inadmissible evidence, which might

influence jury members regardless of attempts to ignore it (Eichhorn, 1989).

Federal Rule 702 Test for Admissibility Evidence is not the only thing that

is subject to tests of admissibility. A forensic examiner's qualifications can be

challenged or the tools or methodologies used in a forensic investigation can be

objected to. These challenges or objections are heard outside the presence ofthe

jury during a pretrial hearing under Federal Rule 702 (as defined in Table 12.1).

From 1923 to 1993, the test for admissibility of expert witness testimony

and methodologies was based on the 1923 ruling in Fryte v. United States (1923).

The Frye test, as it came to be known, requires that the scientific principle upon

which the work is based is "sufficiently established to have gained general

acceptance in the parlicular field in which it belongs." using Ftye, a judge had to

test the admissibility of expert testimony before allowing it in court.

In part because ofthe problems caused by the "general acceptance" crite-

ria, the Frye test that Rule 702had been relying on was replaced (superceded)

by the Daubert test in 1993. In 1993,the Supreme Court issued an opinion in

the case of Daubert v. Merrell Dow Pharmaceuticals that abandoned the earlier

Frye standard in federal cases and set a new standard. A judge must take into

account the following:

1. Whether the theory or technique can be and has been tested

2. Whether it has been subjected to peer review and publication

3. The known or potential error

4. The general acceptance of the theory in the scientific community

. 5. Whether the proffered testimony is based upon the expert's special skill

The Daubert test is primarily a question of relevance, or "fit," of the evi-

dence. The Supreme Court holds that in order for testimony to be used it must

be sufficiently tied to the facts ofthe case to help understand an issue being dis-

puted (Norberg, 2006). For the full text of the Daubert test, visit the Supreme

Court Collection of the Legal Information Institute at supct.law.cornell.edu/

s up ctlhtmU 9 2 -l02.ZS.html.

Authenticating E-Mail Messages and other E-Evidence

A physical document can be authenticated by either direct evidence or

circumstantial evidence. Examples of circumstantial evidence would be the

paper document's appearance, content, or substance. The same circumstantial

evidence the courts use to authenticate physical documents applies to e-mail

messages.

In order to authenticate an e-mail message, Rule 901 requires that the per-

son (proponent) who introduces the message provide "evidence sufficient to

iupport a finding that the fe-mail message] is what its proponent claims."



6( or" Process of the Law 41

The reliability of e-evidence itself and the reliability of the methods andprocedures used must be established too. Rule 901 generally can be satisfied byproofthat:

1. The computer equipment is accepted in the fierd as standard and compe-tent and was in good working order.

2. Qualified computer operators were employed.

3. Proper procedures were followed in connection with the input and output

of information.

4. A reliable software program and hardware were used.

5. The equipment was programmed and operated correctly.

6. The exhibit is properly identified as the output in question.

Proof must be provided for all six of these issues or for all issues thatapply to the handling of the evidence. It is not a surprise that opposing counselwill challenge the authentication of the e-evidence. In fact, evidence should bechallenged to ensure that it accurately and fully represents the truth.

circumstantial E-Mail Evidence Authenticates other E-Mail A good

of example of how e-mail messages can be authenticated to meet Rule 901 isin united states v. siddiqui (Robins, 2003). rn. siddiqui, the defendant wasconvicted of fraud, making false statements, and obstruciing a federal investiga-tion in connection with an award he had applied for from the National ScienceFoundation (NSF). The issue of the case was that the defendant, Siddiqui, hadfalsified documents (letters recommending him for the NSF award) in the namesof two other individuals; and the defendant had then urged those two individualsto support the falsified documents. E-mail messages between Siddiqui and thetwo individuals containing incriminating information were recovered and usedas e-evidence.

Siddiqui appealed. He challenged the district court's decision to admit intoevidence several e-mail messages between himself and the two individuals. Thecourt held that the appearance, contents, substance, internal patterns, and othercircumstances of these e-mail messages authenticated them. The Eleventh Cir-cuit pointed to the following facts:

1. The e-mail messages reflected an e-mail address that included a varia-tion of the defendant's name and a uniform resource locator (URL) forthe defendant's employer.

2. The e-mail address in these messages was consistent with one in anothere-mail message that was introduced into evidence by the defendant as an

e-mail message from the defendant to one of the two other individuals.

3. The contents of the messages indicated that the author knew the details

of the defendant's conduct in connection with the NSF award.



416 CHAPTER l2l Federal Rules and Crimina! Godes

4. One of the e-mail messages referred to a visit the defendant had made to

a particular event attended by the defendant and by the recipient ofthe

message.

5. The e-mail messages referred to the author by a nickname recognizedby

the recipients.

6. The e-mail messages occurred during the same time period in which the

recipients spoke to the defendant by telephone and had conversations

consistent in content with the e-mailmessages.

This case presents several important lessons for computer forensics inves-

tigators. It illustrates the larger and more comprehensive role of e-mail evidence

in a case. E-mail messages not directly on point may be relevant to the case as

the proof needed to authenticate other e-mail. The content of e-mail messages

may relate to other documents of the author, or have a style that is consistent

with other communication patterns.

The issue of style is equally critical when e-mail has been planted or

forged. E-mail forgers may not be aware of distinctive writing styles or rules of

evidence and, out of habit, use their own writing style'

Circumstantial Evidence Authenticates Chat Room Session Circum-

stantial evidence was used to authenticate e-evidence in the tJnited States v.

Simpson case. The case involved a hard-copy printout of an online chat room

session that Simpson had participated in. The government was able to authenticate

ln o sexuol horossment cose brought by on occountont ogoinst her mon-

oger, the monoger produced on +moil messoge ollegedly sent to him by

thl occountont, which she denied hoving sent. The comPony ot which

both employees worked required personnel to shore computers' Employ-

ees were olso required to'reveol their e-moil posswords, so thot if on

employee *or ouiof the office, colleogues could hove occess to e-moil

messoges on thot employee's computer. The computer forensics investi-

gotor concluded thot, bosed on these policies, it wos not possible to ver-

ify whether or not the occountont hod sent emoil. The occountont

produced e-moil she hod sent to the monoger ond thot he hod sent to herover o yeor's time. The grommor, sentence structure, punctu-otion, ond

other style feotures in thJdisputed e-moil messoge cleorly differed from

other e-moil sent by the occountont ond supported her cloim thot she hod

not sent the disputed +moil. The controdictory evidence kiggered-o

wider seorch of e-moil of the monoger ond informotion technology stoff.



a printout of a chat room session between a detective and the defendant Simpson.Even though Simpson did not use his full name in the chat room when communi-cating with the detective, he provided his first initial and last name. The initial andlast name were the same as the defendant's, and the e-mail address belonged to thedefendant. Pages found near a computer in Simpson's home contained the name,street address, e-mail address, and telephone number that the detective had given tothe individual in the chat room session.

When considered all together, the circumstantial evidence was sufficient

to authenticate the communication as one that occurred in a chat room sessionbetween Simpson and the detective.

This case illustrates how different types of evidence can be used forauthentication. It also reaffirms the importance of detailed documentation ofmaterials found near a computer, as was discussed in prior chapters. Next, wewill examine the anticrime and privacy laws.

Anticrime Laws

congress responds to changing technology and high-tech crimes by amendingexisting laws if possible or by issuing new laws (statutes). The most authorita-tive federal statutes affecting computer forensics are the Electronic Communi-cations Privacy Act (ECPA), the Federal wiretap Statute, the pen/Trap Statute,the cFAA, and the usA PATRIoT Act. The ECpA extended the wiretap Statuteto include authority over digital transmissions over computer networks.

A highly contentious response by president George w Bush as part of hiswar against terroflsm was the use of warrantless electronic surveillance. The orderwas issued without the consent of Congress and violates the Fourth Amendment.

Electronic Communications privacy Act of 19g6

Incertain

situations, the Electronic communicationsprivacy

Act (ECpA) of!98f t4keq precedence over the right to privacy guaranteed by the FourthAmendment. The ECPA applies to stored computer files that had been transmit-ted over a network. This law applies only to stored computer information andnot to real-time interception of communications. Real-time interception ofcomputer information in transit falls under the Federal Wiretap Statute of 1968.

The ECPA permits an ISP to look through all stored messages, includinge-maii'waiting in an inbox, or recently sent and received mail. Some ISpstemporarily store all messages that pass through the system. The ECpA nor-mally prevents the ISP from disclosing the messages to others, but there areexceptions. Law enforcement with proper warrants or administrative subpoenascan collect basic information about users from ISps, including their names.

They might also be allowed access to the content of stored messages.

6( Anticrime Laws 41

I

iRiskI

jAn employee whoI uses his employer's

lcomputer for

ipersonol communi-

lcotions ossumes

, the risk thot theselcommunicotions

1moy be occessedi ril(Jy oe QCCeSSecl

lby the employer or

iby others.



4t 8 CHAPTER t 2 I Federal Rules and Criminal Codes

Wupreme Court

I

Congress made the ECPA the primary law by which to address claims of

privacy violations in the communications field. This law's goal is to balance pri-

vacy rights with law enforcement needs-while protecting Fourth Amendment

rights against unreasonable search and seizure whenever possible.

The authority given to law enforcement by the ECPA has sparked fierce

opposition by privacy advocates. The full text of the ECPA is available at

www.usiia.org/le gis/ecpa.html.

Limitations of Privacy Laws The belief that a person has a reasonable

expectation of privacy under all circumstances is wrong. People try to hide their

crimes by claiming that they expected privacy. By law, privacy expectations

depend on several factors. For example, if circumstances show that a computer

user had no reasonable expectation ofprivacy, then police do not need a search

warrant to obtain information (Nimsger, 2003). Users of computer equipment

owned by an employer, company, or government agency fall into this category.

Companies and government agencies can specify explicitly in their acceptable

use policies (AUP) that employees have no right to privacy or privacy expecta-

tions when they use company equipment for e-mail or the Internet.

In the case of tlS. v. Simons (2000), a government employee working for

the Central Intelligence Agency (CIA) was suspected of using his office

computer to download pornography. Without getting a warrant, the CIA

remotely accessed Simons'computer and found files containing photos of child

pornography, which is a federal crime. Simons tried to suppress the photos by

claiming a FourthAmendment violation of his expectation of privacy. However,

the CIA had an AUP that allowed it to "periodically audit, inspect, and/or mon-

itor . . . users' Internet access." The Court determined that because of this AUP'

Simons had no reasonable expectation of privacy and that no warrant was

required for the search-making his files admissible.

Defers toCongress

The courts usuolly

defer to Congress's

iudgment when

confronted withFourth Amendment

chollenges to elec-

tronic surveillonce.

Alon Scott hod shredded documents into strips 5/32 of on inch wide

to destroy the evidence they contoined of his income tox evqsion.

Government ogents retrieved those strips from the trosh in front of

Scott's home ond then reossembled them into documentory evidence

thot helped prove Scott's crime. After he wos chorged with o crime,

Scott orgued thot he hod creoted o reosonoble expectotion of privocy

in the dlcuments by shredding them, so thot reconstructing them with-

out o worront violoted his Fourth Amendment rights (Kerr, 2001).



61( Anticrlme Laws 41

According to the First Circuit court, Scott's cose reveoled "o foiledottempt of secrecy by reoson of underestimotion of police resourceful-ness, not invosion of constitutionolly protected privocy.,,

The use of technology-the shiedder-to destroy the poper doesnot provide constitutionol protection. As o result, ogents did not needo worront to reconstruct Scott's shredded documents ond return them

to o reodoble form. The government's reconstruction of Scott's com-municotions did not violote his reosonoble expectotion of privocybecouse he hod no foundotion for thot expectotion.

ln terms of e-eviden.c?, o .person who encrypts incriminofingelectronic documents ond then deletes them, ossuming they won't bEdeciphered by outhorities, connot moke o vqlid cloim-thot he hod onexpectotion of privocy.

Courts'Interpretation of FourthAmendment protection In the 19g0s,a series ol courl cases were triggered by defendants' claiming that their right toFourlh Amendment protection had been violated. For example , in United States v.

Jacobsen, the Supreme court considered whether the Fourth Amendmentrequired the government to obtain a search warrant before conducting a field teston white powder that agents had seized from the defendant. The purpose of thefield test was to determine whether the powder contained cocaine. The defendantargued that the chemical field test violated his reasonable expectation that thecontents of the white powder would remain a secret (private), and thus violatedhis Fourlh Amendment "reasonable expectation of privacy." In an opinion by Jus-tice Stevens, the Supreme Courl disagreed with that logic by stating:

The concept oJ'an interest in privacy that society is prepared torecognize as reasonable is, by its very natLrre, critically dffirent.fiom the mere expectation, however well justified, that certain facts

will not come to the attention of the authorities....A chemical testthat merely discloses whether or not a particular substance iscocaine does not compromise any legitimate interest in privucy.

Because cocaine was illegal contraband the defendant had no right to pos-sess it and no extraconstitutional right to stop the government from conductingthe test to identify it. The defendant's expectation that the identity of the illegalpowder would remain a secret did not establish a constitutionally recognizablereasonable expectation of privacy.

Federal Wiretap Statute of 1968The ECPA amended the Federal wiretap Statute of 1968 to include the inter-

ception of electronic communications, including e-mail. The USA pATRIor



42O CHAPTEB t Z I Federal Rules and Griminal Codes

Act also expanded the list of criminal activities for which wiretaps can be

ordered. Wiretaps are ordered when terrorist bombings, hijackings, or other vio-

lent crimes are susPected.

The Federal Wiretap Statute provides,

,'Immecliately upon the expiration of the period [covered by the wire-

tap orderJ . . . recordings shall be made available to the judge

isstring such order and sealed under his directions. . . . The presence

of the seal ... or a satisfactory explanationfor the absence thereof,

shall be a prerequisite .for the use or disclosure of the contents "

of the intercept. [18 U-5.C. 2518(B)(a)]

This provision of the statute requires that the recordings captured during

the time of the wiretap be given to the judge within a reasonable amount of

time-or the contents of those recordings are inadmissible. The judge must, in

effect, "seal the evidence" to prevent tampering as part ofthe chain ofcustody'

This period of time is not specified in the statute. Defense attorneys had tried to

get wiretaps thrown out by claiming that there was a delay getting the record-

ings to the judge.

In some cases, coults have used theo'service provider exemption" to find

that any company furnishing computer hardware and software may access its

employees' .-1nult files. For example, in Bohach v. City of Reno (1996), a fed-

eral court rejected privacy claims under the ECPA raised by two police offi-

cers in Reno, Nevada. Officer John Bohach had sent messages to other

members of the department over the departmenth Alphapage messaging

system. Several months later, an internal affairs investigation was being

conducted based on the contents of those messages. Bohach and another offi-

cer filed a lawsuit against the City of Reno claiming that the department's

accessing and retrieving the old messages violated the federal wiretap

statutes. The court disagreed. The court reasoned that because the nature of

the Alphapage messages wefe essentially e-mail, the officers could not have

."u.onubly believed them to be private. Also, thecourt cited a department

order informing employees that their messages would be "logged on the net-

work" and that sending certain types of messages was prohibited. The court

found that the city was a "service provider" as defined under the ECPA and

was "free to access the stored message as it pleased." Therefore, the court

found that the city had not violated the ECPA.

Pen/TraP Statute, Section 216,,Trap and trace" information is so called because collecting the information

originally required the telephone company to trace the phone line using

a tool known as a terminating trap. The pen register is a mechanical

device that can be attached to a specific telephone line at a telephone office.



61( Anttcrtme Laws 42

Apulsation of the dial on a line to which the pen register is attached recordson a paper tape dashes equal to the number dialed. The paper tape thenbecomes a permanent and complete record of outgoing calls and thenumbers called on the particular line. Immediately aftei the number isdialed, but before the call is answered, the pen register mechanically andautomatically disconnects. There is no recording or monitoring or tn"conversation.

The pen register and trap and trace statute, or the pen/Trap statute,

governs the collection of noncontent traffic information associated with com-munications, such as the phone numbers dialed by a particular telephone.Rather than the strict probable cause necessary for wiretapi ,pen register ordersrequire only certification from a law enforcement officer that "the informationlikely lo be obtained is relevant to an ongoing criminal investigation.'. If theapplication for installation of a penltrap device contains these elements, thecourt will authorize it.

This statute was enacted as part of ECpA. Section 216 updates thePen/Trap Statute in three ways:

1. The amendments clarify that law enforcement may use pen/traporders to trace communications

on the Internet and other computernetworks.

2. Penltrap orders issued by federal courts now have nationwide effect.

3. Law enforcement authorities must file a special report with the courtwhenever they use apenltrap order to install their own monitoring deviceon computers belonging to a public provider.

Counteffeit Access Device and ComputerFraud and Abuse ActCongress's first battle against computer crime was the passage of the Counter-

feit Access Device and Computer Fraud and Abuse Act in 19g6. This legislationprimarily covered illegal access or use of protected government computersystems. It was aimed at individuals who broke into or stole data from govern-ment computers. This law was too narrow, so congress amended it twice, oncethrough the GFAA in 1994 and then through the National Information Infra-structure Protection Act (NII) in 1996. The CFAA is also referred to as Title 1gusc $1030.

Title lB of the CFAA deals with "crimes and criminal procedure.,,

Section 1030 of ritle l8 deals with "Fraud and related activity in connec-tion with computers." Under lB usc $1030, the government does nothave to prove that an individual who accessed a federal interest computernetwork unauthorized had intended to damage it, only that he intended to

access it.



422 CHAPTER t z I Federal Rules and Griminal Godes

Section 225 o[ the

oct is relevont to

computerforensics

investigotors. lt

gives immunity from

civil lowsuits to

ony person who

provides technicol

ossistonce in

obtoining electronic

informotion

USA PATRIOT Act

Even before the USA PATRIOT Act, federal agencies had broad legal powers to

monitor telephone conversations, e-mail, pagers, wireless phones, computers,

and all other electronic communications and communications devices. The USA

PATRIOT Act greatly broadened the FBI's authority to gather this information'

The uSA PATzuOT Act made it lawfu1 for an officer to intercept a computer

trespasser's wire or electronic communicatlon transmitted to or through a pfo-

tected computer. The act included new guidance relating to computer crime and

e-evidence. The Field Guidance on New Authorities that Relate to Computer

Crime and Electronic Evidence Enacted in the \JSA Patriot Act of 2001 provides

the authority to do several things. Authorizations include:

1. Intercepting voice communications in computer hacking investigations

2. Allowing law enforcement to trace communications on the Internet and

other computer networks within the pen and trap statute (pen/trap statute)

- 3. Intercepting communications of computertrespassers

4. Writing nationwide search warrants for e-mail

5. Deterring and preventing cyberterrorism

pursuont to o court I

order or volidi

request foriemergencyI

ossistonce.i

There ore two sources of outhority for federol wiretops within the

United Stotes.

The first outhority is the Federol Wiretop Act, or Title lll, of,l968.

It wos exponded in,l986

by the ECPA. li.sets procedures for court

outhorizoiion of reohime surveillonce of electronic communicotions,

including voice, e-moil, fox, ond lnternet, in criminol investigotions.Before u"sing o wiretop, on offidovit must be submitted to o iudge thot

there is pro-boble couse to believe thot o crime hos been, is being, or

is obout to be committed. Bosed on the offidovit, the iucige then issues

the wiretop or denies it. Under extreme circumstonces, o iudge's order

moy not be necessory.'The

second outhority is the Foreign lntelligence Surveillonce Act

(FISA) of 1978. FISA ollows wiretop[ing in the United Stotes bosed

on proboble couse thot the person is o member of o foreign terrorist

group or on ogent of o foreign power.. For U.S. citizens ond permo-

ient'resident o-liens, proboble couse thot the person is engoged in

criminol octivities is needed. For others, suspicion of criminol octivity

is not required for the wiretop. The USA PATRIOT Act ollows Prosecu-

tors to use FISA for the pripor" of gothering evidence in criminol

investigotions of notionol security crimes.




The law raised the maximum penalty for hackers who damaged protectedcomputers. See the Field Guidance on New Authorities That Relate to ComputerCrime and Electronic Evidence Enacted in the uSA patriot Act of 2001 atwwn'.usdoj.gov/criminal/cybercrime/patriotAct.htm. The guide developsand supports cybersecurity forensic capabilities. visit www.cybercrime.gov/PatriotAct.htm for the latest provisions of the law.

#egnrfexd,&6rfd*mmre,{#? ##r#y;rf,$rf* f -e e fThe l99B^_Digitol Millennium copyright Act permits music componiesto force lsPs to turn over the nomes

-ofsuspected music pirotes upon

subpoeno from ony U.s. District Court clerk's offi." ond *ithort o

iudge's signoture.

ln United sfofes v. Forest ond Gorner, the U.S. Court of Appeols forthe sixth circuit (Jonuory 27, 2oo4l reiected o defendont's efforts toexclude evidence thot hod been obtoined by federol ogents who usedcell'site dala. Agents used doto from the defendon'i's cellulor tele-p.hong service provider to trock his movements ofter the ogents lostvisuol contoct. The court reiected his orguments, which he hId bosedon Title lll of the omnibus Crime control ond Sofe streets Act of l96gond Fourth Amendment. Drug Enforcement Agency (DEA) ogentssecured court orders giving them outhority to inteicepithe defend"ont'scellulor pl.onq colls. lt o-lso required the cellulor service provider todisclose oll subscriber informotion relevont to the investigoiion.

While conducting surveillonce of the defendont o,id o codefen-dont, the..ogents lost trock of them. The ogents then dioled the defen-dont's cell phone s.everql times ond used t[e provider's computer dototo determine which cell tronsmission towers were being

,,hit,,by thol

ph9le. The cell-site doto reveoled the defendont's ge"nerol locotionond helped cotch him.

on oppeol of his conviction, the defendont orgued thot the ceil-site doto ond resulting evidence should hove Leen suppressedbecouse. they .turned his phone into o trocking device-ond thotvioloted his rights under both Title lll ond the Four'ih Amendmenr.



424 CHAPTER t Z I federal Rules and Criminal Codes

&F

ln on opinion by Judge Ronold Lee Gilmon, the court found thot the

cell-site doto cleorlydoes-not foll within Title lll's definitions of orol com-

municotion or wire communicotion, ond thot the only other siotutory cot-

egory thot the doto might fit into is electronic communicotion. The court

oiini"d out, howev"r,lhot even ossuming thot cell-site doto does meet

ih. d"finltion of electronic communicotion, Title lll provides suppression

os o remedy only for the illegol interceptions of orol or wire communico-tions ond not for the illegol interception of electronic communicotions'

The court reoched thl some conclusion with regord to the defendont's

orgument thot the outhorities turned his cell phone into o,trocking-d^ey'1cg

*iihtn the meoning of 1B U.S.C. 53l,|7. The court ruled thot S3l'lZdoes not provide sJppression os o remedy-regordless of wheiher or not

o phone fits the definition of o trocking. device under thot stotute.'

The defendont olso cloimed thotihe cell-site doto ond resulting evi-

dence should be suppressed under the exclusionory rule of the Fourth

Amendment. But the court ruled thot the defendont hod no legitimote

expectotion of privocy in his movements olong o public highwoy.

Sneak and Peek Provision The primary stated purposes of the USA

PATRIOT Act are to "deter and punish terrorist acts in the United States and

around the world [and] to enhance law enforcement investigatory tools'" The

Act changed the point at which individuals being searched-the targets-are to

be notified of that search. Prior to this Act, the target was notified when the

physical search was being made. The PATRIOT Act permits an investigator to

delay notification (Wegm an, 2004).

This notification delay has been described as a sneak und peek provision,

mostly by critics of the act (Shulman,2003). Law enforcement can delay noti-

fyingifre target for up to 90 days and then get another delay by showing some

gooJ.uu... To obtain authority for delayed notification, an investigator must

iho* u need for the delay, such as danger to the life or safety ofan individual,

risk of flight from prosecution, witness or evidence tampering, or that immedi-

ate notice would,,seriously jeopardize" an investigation (wegman,2004).

Expanded Power for Surveillance Three examples of expanded powers

for surveillance and search ofe-evidence provided by the act are:

1. Judicial supervision of telephone and Internet surveillance by law

enforcement is limited.

2. Law enforcement and intelligence agencies have broad access to sensi-

tive medical, mental health, financial, and educational records with limi-

ted judicial oversight.



3. The government has the power to conduct secret searches of individuals'homes and businesses, including monitoring books bought from book-stores or borrowed from libraries.

The USA PATRIOT Act requires that an agency that sets up surveillanceusing its own pen/trap device on a packet-switched public data network identify:

1. Any officers who installed or accessed the device to obtain informationfrom the network

The date and time the device was instarled and uninstalled and the dura-tion of each time the device was accessed

The configuration of the device at the time of installation, plus any latermodification

Any information that the device has collected

Electronic Surveillance lssuesThe issue of electronic surveillance became a grave matter in the United Statesin late 2005 and early 2006-and the resolution may impact the use of wiretap-ping and collection of electronic evidence.

on December 16,2005, James Risen and Eric Lichtblau of the New yorkTimes reported that President George W. Bush authorized the National SecurityAgency (NSA) to spy on Americans without warrants. (Their article is reprintehat www.commondreams.org/headlines05/1216-0l.htm.) This order ignoredprocedures of the Foreign Intelligence Surveillance Act (FISA).

The New York Times article reported that in 2002 Bush issued an execu-tive order authorizing the NSA to track and intercept international telephoneand e-mail traffic into or out of the United States when one party was believedto have ties with al Qaeda. Initially, neither Bush nor the white House con-firmed nor denied that the president had ignored the law. In his radio broadcaston Decembe r 17 , 2005 , Bush admitted that the New york Times was correct.

Many legal scholars have argued that by issuing the warrantless wiretap-

ping in violation of FISA and bypassing congress, the president committed animpeachable offense. only congress can decide whether to allow such wiretaps(Dean,2005).

First reports indicated that the NSA limited monitoring to foreign callsoriginating in the United States or abroad and that fewer than 500 calls werebeing monitored at a time. But later reports indicated that the NSA was ,.data

mining" millions of calls by using access to telecommunications companies,switching stations through which foreign communications traffic flows.

on January 6, 2006, Morton H. Halperin, the executive director of theopen Society Policy center at www.opensocietypolicycenter.org, released thememo addressing the legal issues in 'A Legal Analysis of the NSA warrantlessSurveillance Program." In response, on February 6,2006, the Hon. Alberto R.

Gonzales, attorney general of the United States, released a prepared statement


lnternet InterestsAre Revealing

Evidence of Websurfing reveols

much more obouton individuol thon

)

3.

4.



426 CHAPTEB 12 I Federal Rules and Griminal Godes

available at www.usdoj.gov/aglspeeches/2006/aSspeech-060206.htmI in

which he defended the surveillance program. His defense was "Congress and

the American people are interested in two fundamental questions: is this pro-

gram necessu.y urra is it lawful. The answer to both questions is yes." Gonzales

also attacked critics by stating that "These press accounts are in almost every

case, in one way or another, misinformed, confused, or wrong'"

For articles on the current state of this issue, visit the National Security

Agency (1[S/) section of Findlaw news archives at news.findlaw.comflegalnews/

documents/archive-n.html.

Gomputer Fraud and Abuse Act

The CFAA was the first law to address computer crime in which the computer

is the subject of the crime. That is, it applies to crimes that do not have an

analogy in traditional crime. Such crimes include the use of viruses or other

malwaie, sniffers, logic bombs, and bots. The GFAA has been used to prosecute

virus creators, hackers, information and identity thieves, and people who use

computers to commit fraud.

Table 12.2 lists key terms used in the Computer Fraud and Abuse Act.

TABLE 12.2 Definitions of the key terms in lhe Computer Fraud and AbuseAcf (Federal Statute 18 U.S.C. $1030).

Protected A protected computer means a computer that:

Computer r ls used by a financial institution (broadly defined)

r ls used bY the U.S. government

r Affects domestic, interstate commerce or

communications of the United States

r Affects foreign commerce or communications of the

United Statesln effect, every computer connected to the lnternet is a

protectedcomputer.Protectedcomputersinclude-computers

located outside the United States' This allows U'S'

prosecution of hackers who attack foreign computers'

There are two references regarding authorized access

specified in the statute:

r Without Authorization-"Access without authority"applies

to any outsider who breaks in and uses a computer for any

purpose. (Because this applies only to outsiders, it does

not apply to emPloYees.)




r Exceeding Authorized Access-,,Access in excessof authority" applies to anyone who has authorizedaccess to a computer and uses that access toobtain or alter information that he is not allowed

to obtain or alter.Damage is defined as any impairment to the integrity oravailability of data, a program, a system, or information. Thatimpairment must cause:

r A loss to one or more persons (or companies)during any 1-year period totaling at least$5,000 in value

r The modification or impairment of medical records

I Physical injury to any person

I A threat to public health or safety

r Damage to a government computer system used

for administering justice, national defense, or nationalsecurity

Loss Loss is defined as any reasonable cost to any victim,including the cost of:

r Responding to an offense

r Conducting a damage assessment

. I Restoring the data, program, system, or information to itscondition prior to the offense

r Lost revenue or other damages because of interruptionof service

lf there has been damage to a protected computerthat has caused damage, the next issue iswhether the conduct was intentional, reckless,or negligent.

r "lntentional conduct" means conduct by anyonewho knowingly transmits a "program, information,code, or command" that causes damage to aprotected computer. This applies to both insidersand outsiders.

r "Reckless conduct" means intentional access to aprotected computer without authority that unintentionallybut recklessly causes damage. This applies only tooutsiders.



CHAPTEB 12 I Federal Rules and Criminal Codes

A troil of electronic doto from U.S. Web sites led to the convictions of

more thon 22 British customers who hod bought psychedelic drugs

online. Customers were identified from e-evidence collected during o

U.S. DEA sting operotion-Operotion Web Tryp. The evidence led

police to oddresses ocross the UK.'For severol yeors, psychedelic drugs known os "reseorch chem-

icols" hod been sold openly from U.S. Web sites. Since mony of

the reseorch drugs ore too powerful psychedelicolly to cotch on

with users or deolers, they ore ovoiloble only from e-commerce

sites.

The online drug trode come to the ottention of U.S. low

enforcers in Morch 2004 ofter Jomes Downs, 22, died from on

occidentol overdose of 2-CT-21 he ordered online. lnvestigotors

troced his purchoses to o Los Vegos reseorch chemicols Web

site, which imported chemicols from lobs in Chino qnd lndio. Thot

yeor, the DEA shut down the Web sites ond orrested the site

operotors.

' Eoch e-commerce Web site hod thousonds of customers in the

United Stotes ond Europe. Customers could order their drugs with

one-click systems of poyment vio credit cord or PoyPol, ond their pur-

choses weie delivered the next doy by FedEx ond other corriers. Cus-

tomer records ond credit cord detoils were gothered from seized

computers. After investigotors hod verified the intelligence, detoils

were sent to UK police forces.

Reseorch chemicols ore not officiolly listed os controlled sub-

stonces under U.S. drug lows. Therefore, the Web site operotors

were prosecuted under o lo* thot prohibits the possession ond..sup-

ply of chemicols "substontiolly similor" to controlled drugs' All the

oferotorsfoce life sentences,.ond severol hove been chorged with

cousing deoth or serious iniury' ln Moy ?095,operotor Dovid

Linder-wos found guilty on 27 chorges, including drug-conspirocy

ond money loundering. He wos sentenced to o totol of 410 yeors

in prison'ond

order"d to poy bock $200,000 in. profits from

the'Web site. The severity of his sentence wos reloted to the deoth

of on 'lB-yeor-old New York mon who overdosed on the

drug olpho-methyltryptomine (AMT) purchosed from Linder's site

(McCondless, 2005).



6( r".t Your Skills 42

In this chapter, you have learned about the Federal Rules of Evidence and proce-dure that directly impact investigative procedures and the admissibility of evidence.Actual federal cases and court decisions were presented to illustrate the toughchallenges to an investigator's experience, evidence handling, hardware, and proce-dures. clearly, investigators need a working knowledge orwhat constitutes a tegatsearch

so as not to compromise cases, convict innocent people, or let guilty p.opl.go free. Before seizing computers, FourthAmendment r"u..h warrant requirementsneed to be met. Before accessing stored data, the requirements of the ElectronicCommunication Privacy Act must be considered. Conducting real-time electronicsurveillance may require a wiretap order from a judge. In the next chapter, you willlearn how to present testimony about evidence and methods in court or legal action.

Amendments to anticrime legisration, particularly the USA pATRIorAct,have given greater search and seizure authority to law officials and investiga-tors-at the expense of privacy. The next chapter also examines ethical issuesand dilemmas.

MULTIPLE CHOICE QUESTIONSl. what is the fundamental principle guaranteed by the Fifth Amendment

to ensure that civil and criminal cases follow federal or state rules fairly?

A Due process ofthe case.

.B. Due process of the law.

C. Rules of criminal evidence.

D. Due protection under the law.

2. What is meant by prejudicial treatment?

A. Deprived protection.

B. Discrimination against minorities.

C. Equal treatment.

D. Unequal treatment.

3. when the 1970 amendment to Rule 34(a) made electronic data subject todiscovery what type of evidence was used soon afterward in legal actions?

A. Computer printouts.

B. Internet historv records.

C. E-mail.

D. Cellular phone records.

Documents

Forensics CH 12