CYBERCRIMES CERTIFICATIONS COURSE

Academic year: 2021

TCLEOSE Course #3210

(2)

WARNING

This presentation is being given a rating of B. Expect excessively boring material to be discussed for the next 6 hours... unless the speaker gets on a roll, in which case it might be for the next 8-10 hours.

(5)

EULA

• Any and all statements made by the presenter are the opinion of the presenter and do not represent in any way the opinion of the Harris County Pct 4 Constable’s Office, the Houston Metro ICAC, the State of Texas, The United States, the United Nations, the Planet Earth or any sane individual.

• Any portion of this class that you like or find helpful is the sole idea and property of Eric Devlin.

• Any portion of this class that you dislike or find offensive is the sole idea and property of Gary Spurger & Stephen Driver.

(6)

Unit 9

Liabilities Associated with

(7)

• The evidence that a Cybercrime investigator will obtain during the course of their investigation is sensitive in nature.

• Some evidence is contraband outright (Child Pornography) and carries significant penalties simply for possessing it

• Other evidence can have far-reaching consequences for innocents, including personal or financial stress

• The evidence is not simply a “Hard Drive”, “a Computer”, or “a CD”, rather it is the data contained within that physical object

• The Investigator should never commingle evidence with

(8)

• Use of an Investigation Machine vs. Use of an Everyday Machine
  ◦ An Investigation Machine is a specific device designated for use during undercover or sensitive investigations
    ▪ Removed from your Department Network
    ▪ Secured from use by individuals other than the investigator
  ◦ An Everyday Machine is a device used during common everyday work like writing reports, department emails, and other activities
    ▪ Attached to your Department Network

(9)

• Benefits of an “Investigative Machine” approach
  ◦ The machine on which you conduct investigative actions is subject to subpoena from the defense attorney
    ▪ If subpoenaed, only the investigative machine is removed, and the daily machine is still available for use.
  ◦ Your investigative machine is going to need the ability to download and install programs and look at dangerous material, subjecting itself to an increased chance of infection
  ◦ Prevents unauthorized individuals from obtaining

(10)

• Sensitivity of Data also pertains to the type of evidence an investigator seeks.
  ◦ Know the bounds of your authority to search
    ▪ Ex.: a search warrant on a fraud case, and during the forensic examination child pornography is found
      - 3 possible paths (which one is best?)
        Path 1 - forge ahead and look for everything
        Path 2 - forge ahead and continue your exam still looking for only the fraud information
        Path 3 - Pause, obtain a new search warrant based upon updated

(11)

• Finding Contraband on a Preview or Consent
  ◦ Contraband is seizable without a warrant
  ◦ If on a consent to search, and you find child pornography, even if the consenting party withdraws their consent, the device is still taken. A search warrant needs to be obtained to continue the forensic exam.

(12)

9.2 Federal Rules of Evidence

• The Federal Rules of Evidence have begun to modernize with regard to computer records and cyber evidence.

• They have begun to move toward the concept that computer evidence has an inherent reliability and is not subject to hearsay rules.

(13)

Federal Rule of Evidence 803(6)

Records of Regularly Conducted Activity

• A memorandum, report, record, or data compilation, in any form, of acts, events, conditions, opinions, or diagnoses, made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of a regularly conducted business activity, and if it was the regular practice of that business activity to make the memorandum, report, record, or data compilation, all as shown by the testimony of the custodian or other qualified witness, unless the source of information or the method or circumstances of preparation indicate lack of trustworthiness.

• The term "business" as used in this paragraph includes business, institution, association, profession, occupation, and calling of every kind, whether or not conducted for profit.

(14)

Federal Rule of Evidence 803(6)

Authenticity and the Alteration of Computer Records

• Computer records can be altered easily, and opposing parties often allege that computer records lack authenticity because they have been tampered with or changed after they were created.

• The courts have responded with considerable skepticism to such unsupported claims that computer records have been altered.

• Absent specific evidence that tampering occurred, the mere possibility of tampering does not affect the authenticity of a computer record.

(15)

Federal Rule of Evidence 803(6)

Establishing the Reliability of Computer Programs

• The authenticity of computer-generated records sometimes implicates the reliability of the computer programs that create the records.

• For example, a computer-generated record might not be authentic if the program that creates the record contains serious programming errors. If the program's output is inaccurate, the record may not be "what its proponent claims" according to Fed. R. Evid. 901.

• Prosecutors may note the conceptual overlap between establishing the authenticity of a computer-generated record and establishing the trustworthiness of a computer record for the business record exception to the hearsay rule. In fact, federal courts that evaluate the authenticity of

(16)

• This analysis is technically incorrect in many cases: computer records generated entirely by computers cannot contain hearsay and cannot qualify for the business records exception because they do not contain human "statements." As a practical matter, however, prosecutors who lay a foundation to establish a computer-generated record as a business record will also lay the foundation to establish the record's authenticity.

• Evidence that a computer program is sufficiently trustworthy so that its results qualify as business records according to Fed. R. Evid. 803(6) also establishes the authenticity of the record. Compare United States v. Saputski, 496 F.2d 140, 142 (9th Cir. 1974).

(17)

Federal Rule of Evidence 803(6)

Identifying the Author of Computer-Stored Records

• Although handwritten records may be penned in a distinctive handwriting style, computer-stored records consist of a long string of zeros and ones that do not necessarily identify their author.

• This is a particular problem with Internet communications, which offer their authors an unusual degree of anonymity.

(18)

• For example, Internet technologies permit users to send effectively anonymous e-mails, and Internet Relay Chat channels permit users to communicate without disclosing their real names.

• When prosecutors seek the admission of such computer-stored records against a defendant, the defendant may challenge the authenticity of the record by challenging the identity of its author.

(19)

How to Identify Ownership?

• Circumstantial evidence generally provides the key to establishing the authorship and authenticity of a computer record.
  ◦ For example, in United States v. Simpson, 152 F.3d 1241 (10th Cir. 1998), prosecutors sought to show that the defendant had conversed with an undercover FBI agent in an Internet chat room devoted to child pornography.
  ◦ The government offered a printout of an Internet chat conversation between the agent and an individual identified as "Stavron," and sought to show that "Stavron" was the defendant.

(20)

  ◦ The district court admitted the printout in evidence at trial. On appeal following his conviction, Simpson argued that "because the government could not identify that the statements attributed to [him] were in his handwriting, his writing style, or his voice," the printout had not been authenticated and should have been excluded. Id. at 1249.

• The defendant in this case also argued on appeal that the evidence should not be admissible because the path to the suspect files was different because the files had been moved. Those files could then contain different content data. The appeal was subsequently denied on both counts.

(21)

9.3 The Patriot Act

• The Patriot Act was passed in 2001 in response to the terrorist attacks on 9/11. The purpose of the act was to ease the restrictions on law enforcement efforts to gather data in relation to intelligence gathering and domestic security.

(22)

• For pen registers and trap and trace orders, the standard for issuing those orders is that it must simply be relevant to the criminal investigation, and the judge has no discretion in issuing the order: if relevance is shown, the judge MUST issue the trap and trace order.

• Grand Jury Subpoenas may not be issued for credit card numbers and banking information used to purchase goods and services over cyberspace.

(23)

• c) Originally, if you wished to receive stored electronic mail, it required a federal wire tap order, which is more burdensome than other requests. The Patriot Act defined stored electronic communications as obtainable through a search warrant.

• d) Allowed ISPs to provide immediate disclosure of identifying information, including I.P. addresses and private customer information, if it is shown that a reasonable person might believe that there is an immediate risk of death or serious bodily injury. (provides civil protection)

(24)

• e) Expanded the trap and trace requirements to include cable companies that offer more than just television services. Originally, in an effort to keep the government from finding out what TV shows you watched, the Cable Companies were immune from trap and trace orders.

• Federal cyber search warrants, such as those for ISPs and emails, do not have to be executed in the jurisdiction where they are signed. Ex. A California federal court can issue a search warrant for an ISP or email in New Jersey.

(25)

9.4 The Electronic Communications Privacy Act

• Sets out the provisions for access, use, disclosure, interception and privacy protections of electronic communications. The law was enacted in 1986 and covers various forms of wire and electronic communications

• Title 18 of the United States Code encompasses the

(26)

• According to the U.S. Code, electronic communications "means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photo electronic or photo optical system that affects interstate or foreign commerce."

• ECPA prohibits unlawful access and certain disclosures of communication contents.

• Additionally, the law prevents government entities from requiring disclosure of electronic communications from a provider without proper procedure.

(27)

• This Act basically spells out for ISPs the information which they may release and under what form of legal authorization.

• For specific information a Subpoena, Court Order or Search Warrant will be required to obtain the data the investigator seeks.

• Normally for a Cybercrime it will be either a

(28)

Legal Update #1

• US v. Abel Lopez
  ◦ The defendant is arrested during a transaction for dealing meth to an undercover officer
  ◦ The defendant has a cell phone on him, no evidence of use of the phone during the operation
  ◦ Officers search the phone, and record the numbers called, text messages, and phone list.
  ◦ The court reached the conclusion that the phone is not a computer but rather just like a diary or address book.

This is bad law and is completely contrary to all of the other emerging trends.

(29)

Texas Version of Legal Update 1

State of Texas vs. Anthony Granville

• A high school student was arrested for a Class “C” misdemeanor and booked into county jail (student was 17).

• His cellphone was placed in the jail property room; a School Resource Officer (officer was employed by municipal police officer) checked the phone out and conducted a search on the device.

• The Texas Court of Criminal Appeals ruled that a cellphone is not like a “pair of pants or bag of groceries where the owner loses all rights to privacy upon being booked in.”

(30)

Texas Version of Legal Update 1

Part 2

• The court found that people have a legitimate expectation of privacy in the contents of their cellphone.

• The court went further and talked about a search incident to arrest.

• “[O]nce law enforcement officers have reduced luggage or other personal property not immediately associated with the person of the arrestee to their exclusive control, and there is no longer any danger that the arrestee might gain access to the property to seize a weapon or destroy evidence, a search of that property is no longer incident to the arrest.”

(31)

Texas Version of Legal Update 1

Part 3

• “In such circumstances, the police may legitimately “seize” the property and hold it while they seek a search warrant. But they may not embark upon a general, evidence-gathering search, especially of a cell phone which contains “much more personal information . . . than could ever fit in a wallet, address book, briefcase, or any of the other traditional containers that the government has invoked”

• The court found that someone arrested still retains an expectation of privacy, just a reduced one, and that the purpose of search incident to arrest is to be limited to promoting officer safety and preventing evidence from being destroyed

(32)

9.5 Privacy Protection Act of 1980

• Title 42, Chapter 21A, Subchapter I, Part A, Section 2000aa

• Searches and seizures by government officers and employees in connection with investigation or prosecution of criminal offenses

(33)

Work Product Materials

• Notwithstanding any other law, it shall be unlawful for a government officer or employee, in connection with the investigation or prosecution of a criminal offense, to search for or seize any work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication, in or affecting interstate or foreign commerce

(34)

• but this provision shall not impair or affect the ability of any government officer or employee, pursuant to otherwise applicable law, to search for or seize such materials, if
  ◦ there is probable cause to believe that the person possessing such materials has committed or is committing the criminal offense to which the materials relate
    ▪ a government officer or employee may not search for or seize such materials under the provisions of this paragraph if the offense to which the materials relate consists of the receipt, possession, communication, or withholding of such materials or the information contained therein
  ◦ there is reason to believe that the immediate seizure of such materials is necessary to prevent the death of, or serious bodily injury to, a human being.

(35)

• such a search or seizure may be conducted under the provisions of this paragraph if the offense consists of
  ◦ the receipt, possession, or communication of information relating to the national defense, classified information, or restricted data under the provisions of section 793, 794, 797, or 798 of title 18, or section 2274, 2275, or 2277 of this title, or section 783 of title 50,
  ◦ if the offense involves the production, possession, receipt, mailing, sale, distribution, shipment, or transportation of child pornography, the sexual exploitation of children, or the sale or purchase of children under section 2251, 2251A, 2252, or

(36)

Other Documents

• Notwithstanding any other law, it shall be unlawful for a government officer or employee, in connection with the investigation or prosecution of a criminal offense,
  ◦ to search for or seize documentary materials, other than work product materials, possessed by a person in connection with a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication, in or affecting interstate or foreign commerce;

(37)

• but this provision shall not impair or affect the ability of any government officer or employee, pursuant to otherwise applicable law, to search for or seize such materials, if
  ◦ there is probable cause to believe that the person possessing such materials has committed or is committing the criminal offense to which the materials relate
    ▪ Provided, however, That a government officer or employee may not search for or seize such materials under the provisions of this paragraph if the offense to which the materials relate consists of the receipt, possession, communication, or withholding of such materials or the information contained therein

(38)

• this provision does apply to investigations for national defense, classified information, or restricted data or offense involves the production, possession, receipt, mailing, sale, distribution, shipment, or transportation of child pornography, the sexual exploitation of children, or the sale or purchase of children

(39)

• there is reason to believe that the immediate seizure of such materials is necessary to prevent the death of, or serious bodily injury to, a human being;

• (3) there is reason to believe that the giving of notice pursuant to a subpoena duces tecum would result in the destruction, alteration, or concealment of such materials; or

• (4) such materials have not been produced in response to a court order directing compliance with a subpoena duces tecum, and—

• (A) all appellate remedies have been exhausted; or

• (B) there is reason to believe that the delay in an investigation or trial occasioned by further proceedings relating to the subpoena would threaten the interests of justice.

(40)

• Objections to court ordered subpoenas; affidavits
  ◦ In the event a search warrant is sought pursuant to paragraph (4)(B) of subsection (b) of this section, the person possessing the materials shall be afforded adequate opportunity to submit an affidavit setting forth the basis for any contention that the materials sought are not subject to seizure.

(41)

What does this all Mean?

• When in doubt, ask the person a plain and simple question to the effect: do you have protected material on your computer?

• If they answer in the affirmative, it is up to the investigator to provide them with a copy of their work without delay.
  ◦ This does not mean six months from the date of seizure.
  ◦ The person has a right to their literary work if it is to be published in some form in a public venue.
  ◦ The courts have held under this act that a law enforcement official may be personally civilly liable for damages and inconvenience to the person from whom the items were taken.

(42)

9.6 Reasonable Expectation of Privacy

• Unless a person is using a computer which does not belong to him/her and they have not been given notice the machine is subject to search,

• Individuals have a reasonable expectation to privacy just as if you were to use a pay phone in a train station.

(43)

• This expectation may also carry over into the workplace if the person has not been given notice that they may not perform personal functions on a work computer.

• This is especially true in a work environment where the employee is the only person using the computer and no groundwork has been laid beforehand as to the expectation of privacy.

(44)

• In an environment where two persons use the same computer and have a unified login:
  ◦ either party may consent to a voluntary search of the computer as it is plain neither has an expectation of personal privacy – someone else has normal access to the computer.

• If both parties have separate logins then the expectation of privacy is attached and one may not consent for another
  ◦ Think of it as a room in which the parents do not go for their teen child who now has a lock on the door.

• We work the reasonableness much the same ways for

(45)

LEGAL UPDATE #2

• US v. Jones, No 10-1259, United States Supreme Court.
  ◦ Installation of a GPS device on a suspect’s car could be a search based upon circumstances surrounding the installation and monitoring
  ◦ Circumstances to be considered
    ▪ How the installation will be done
    ▪ What method for the installation
    ▪ What method for the monitoring
    ▪ Length of time to monitor
