It’s a Computer, M’Lud! Neil Barrett

Introduction The law and computers The law and computers The nature of computer evidence The nature of computer evidence Obtaining evidence from computers Obtaining evidence from computers Preparing statements for court Preparing statements for court The role of the expert witness The role of the expert witness Courtroom experience Courtroom experience Current defence strategies and tactics Current defence strategies and tactics The future for computer evidence The future for computer evidence

The Law and Computers Computer Misuse Act 1990 Computer Misuse Act 1990 Data Protection Act 1998 Data Protection Act 1998 Laws of Pornography Laws of Pornography Obscene Publications Act 1959 Obscene Publications Act 1959 Protection of Children Act 1978 Protection of Children Act 1978 Criminal Justice Act 1988 Criminal Justice Act 1988 Laws of ‘Harm’ Laws of ‘Harm’ Theft Act 1968/1978 Theft Act 1968/1978 Offences Against the Person Act 1861 Offences Against the Person Act 1861

Computer Misuse Act 1990 Data is not ‘Property’ Data is not ‘Property’ Oxford v Moss 1978 Oxford v Moss 1978 “Confidential information is not property” “Confidential information is not property” Accessing a computer illicitly is not ‘Fraud’ Accessing a computer illicitly is not ‘Fraud’ R v Gold 1988 R v Gold 1988 A password is not a ‘false instrument’ A password is not a ‘false instrument’ Judicial review produces a new law Judicial review produces a new law

Computer Misuse Act 1990 (2) Section 1 – Unauthorised Access Section 1 – Unauthorised Access An offence to access a computer knowing that the access is not authorised An offence to access a computer knowing that the access is not authorised Summary offence; 6 months and/or £5,000 Summary offence; 6 months and/or £5,000 Section 2 – Unauthorised Access with Intent Section 2 – Unauthorised Access with Intent An offence to commit Section 1 with intent to commit a further arrestable offence An offence to commit Section 1 with intent to commit a further arrestable offence Arrestable offence; 5 years and/or £unlimited Arrestable offence; 5 years and/or £unlimited Section 3 – Unauthorised Modification Section 3 – Unauthorised Modification An offence to modify any computer so as to impair the operation of any computer An offence to modify any computer so as to impair the operation of any computer Arrestable offence; 5 years and/or £unlimited Arrestable offence; 5 years and/or £unlimited

Computer Misuse Act 1990 (3) Outlaws hacking for: Outlaws hacking for: Curiosity Curiosity To steal credit cards, information, etc To steal credit cards, information, etc To damage something – web defacement, etc To damage something – web defacement, etc Outlaws computer viruses Outlaws computer viruses But not obviously Denial of Service attacks But not obviously Denial of Service attacks Review currently underway Review currently underway Bill failed in Lords – rightly so! Bill failed in Lords – rightly so!

Implications of Computer Misuse Act Data stored on computers is not protected by the laws of property Data stored on computers is not protected by the laws of property So must be protected under CMA So must be protected under CMA Means you must define ‘authorised’ access Means you must define ‘authorised’ access Acceptable Use Policy statements Acceptable Use Policy statements On internal computers and on Web sites! On internal computers and on Web sites!

Other Laws Data Protection Act 1998 Data Protection Act 1998 Makes an offence for the hacker to process personal data Makes an offence for the hacker to process personal data E.g. credit cards E.g. credit cards But Principle 7 says you must enact ‘adequate technical and organisational’ mechanisms to protect it But Principle 7 says you must enact ‘adequate technical and organisational’ mechanisms to protect it Protection of Children Act 1978 Protection of Children Act 1978 An offence to publish ‘indecent photographs’ of children An offence to publish ‘indecent photographs’ of children Criminal Justice Act 1988 Criminal Justice Act 1988 An offence knowingly to possess them An offence knowingly to possess them

Other Laws (2) Theft Acts Theft Acts An offence to demand money with threats An offence to demand money with threats E.g., Denial of Service plus extortion E.g., Denial of Service plus extortion Offences Against The Person Act Offences Against The Person Act An offence to harass, threaten, etc An offence to harass, threaten, etc Also, laws against defamation Also, laws against defamation Slander or Libel? Slander or Libel?

Laws and Computers A rich set of laws cover computer use and misuse A rich set of laws cover computer use and misuse Computer is the Computer is the Agent Agent Victim Victim Witness Witness Means that computers will be Means that computers will be ‘in the witness box’; or ‘in the witness box’; or ‘on the exhibits table’ ‘on the exhibits table’

Nature of Computer Evidence Evidence is Evidence is ‘That which can be seen’; or ‘That which can be seen’; or ‘That which shows something’ ‘That which shows something’ Computer data cannot be ‘seen’ Computer data cannot be ‘seen’ But it can be used to show something But it can be used to show something And it can be represented to a court And it can be represented to a court But the process of turning computer records into evidence must be done carefully But the process of turning computer records into evidence must be done carefully

Nature of Evidence Direct versus Circumstantial Direct versus Circumstantial Computer evidence is ‘Direct’ if automatically produced; otherwise ‘Circumstantial’ Computer evidence is ‘Direct’ if automatically produced; otherwise ‘Circumstantial’ Real, Original and Hearsay Real, Original and Hearsay Again, relates to the ‘automatically produced’ aspect Again, relates to the ‘automatically produced’ aspect Example, an message Example, an message Real evidence is the hard disk drive Real evidence is the hard disk drive Original evidence is the header detail and records Original evidence is the header detail and records Hearsay evidence is the content Hearsay evidence is the content

Nature of Evidence (2) Hearsay evidence is generally not admissible Hearsay evidence is generally not admissible Unless special provision is made Unless special provision is made Must be able to produce ‘Best Evidence’ Must be able to produce ‘Best Evidence’ In practice, means produce the disk drive as an exhibit In practice, means produce the disk drive as an exhibit But then derive further exhibits by the process of forensics from this disk But then derive further exhibits by the process of forensics from this disk

Computer Forensics The process of deriving evidence from computer data The process of deriving evidence from computer data Requires that the data is shown to be reliably obtained Requires that the data is shown to be reliably obtained Is not changed in any way Is not changed in any way Is complete Is complete Can be repeated Can be repeated And most importantly, that it can be understood! And most importantly, that it can be understood!

Sources of Computer Evidence Personal Computers Personal Computers Principally, the disk drive Principally, the disk drive Server Computers Server Computers Running processes Running processes Contents of file system Contents of file system Removable media Removable media Automatically-produced log files Automatically-produced log files E.g., firewall, IDS, proxy, etc E.g., firewall, IDS, proxy, etc

Evidence Process Identify Identify What sources are available? What sources are available? Seize Seize ‘Bag and Tag’ Best Evidence ‘Bag and Tag’ Best Evidence Transport Transport Safely and responsibly take the best evidence to a secure location Safely and responsibly take the best evidence to a secure location Receive Receive Accept responsibility for the evidence Accept responsibility for the evidence Store Store Ensure securely held free from risk of contamination Ensure securely held free from risk of contamination

Evidence Process (2) Preserve Preserve Take a reliable copy of the evidence Take a reliable copy of the evidence Reserve Reserve Put the original Best Evidence source in a secure place Put the original Best Evidence source in a secure place Analyse Analyse Investigate the evidence on the preserved copy Investigate the evidence on the preserved copy Produce Produce Identify the exhibits that establish facts Identify the exhibits that establish facts Testify Testify Create a statement and go to court Create a statement and go to court

Problems Evidence from running computers Evidence from running computers How do you make this ‘repeatable’? How do you make this ‘repeatable’? Volumes of data to be analysed Volumes of data to be analysed Making sure process of analysis doesn’t change data Making sure process of analysis doesn’t change data Use an ‘Imaging’ program like EnCase? Use an ‘Imaging’ program like EnCase? Proving you haven’t changed anything Proving you haven’t changed anything Best is to make change impossible Best is to make change impossible Presenting the stuff in court! Presenting the stuff in court!

Statements

Statements (2) Qualifications Qualifications Statement of understanding Statement of understanding “I am told that the defendant had a computer…” “I am told that the defendant had a computer…” Definitions of terms Definitions of terms Points to be addressed Points to be addressed “I am asked to consider…” “I am asked to consider…” Findings Findings

Expert Witnesses Servants of the court Servants of the court Help court to understand complex evidence ‘outside of their normal experience’ Help court to understand complex evidence ‘outside of their normal experience’ Allowed to express an opinion Allowed to express an opinion Allowed to attend entire trial Allowed to attend entire trial Paid for attendance Paid for attendance Must be able to demonstrate their expertise Must be able to demonstrate their expertise E.g., academic qualifications E.g., academic qualifications

Pre-Trial Experience Experts for prosecution and for defence Experts for prosecution and for defence Exchange statements Exchange statements Raise and exchange ‘Rebuttal Statements’ Raise and exchange ‘Rebuttal Statements’ Meet to agree evidence Meet to agree evidence What is agreed? What is agreed? What is agreed as disagreed? What is agreed as disagreed? What points need not be put before the court? What points need not be put before the court? Common terms and definitions Common terms and definitions

Courtroom Experience Prosecution bats first Prosecution bats first So definitions are presented by the expert called for the prosecution So definitions are presented by the expert called for the prosecution Examination Examination Initial points, then detail Initial points, then detail Cross-examination Cross-examination Defence tries to trip you up Defence tries to trip you up Re-examination Re-examination Prosecution picks you up and dusts you down Prosecution picks you up and dusts you down

Problems in Court Being led by the defence questions Being led by the defence questions “It’s right, isn’t it…?” “It’s right, isn’t it…?” Being lured into providing arcane details Being lured into providing arcane details “Perhaps the witness would care to explain public key cryptography to the Jury?” “Perhaps the witness would care to explain public key cryptography to the Jury?” Being led outside area of expertise Being led outside area of expertise “Perhaps the witness would care to explain how he can be sure that this was a picture of a child?” “Perhaps the witness would care to explain how he can be sure that this was a picture of a child?”

Defence Tactics Current best defence is the ‘Trojan defence’ Current best defence is the ‘Trojan defence’ Computer was hacked Computer was hacked R v Caffrey – ‘Invisible’ hacker R v Caffrey – ‘Invisible’ hacker Computer had a virus Computer had a virus Computer had a series of pop-ups Computer had a series of pop-ups Most laws require the prosecution to prove intent Most laws require the prosecution to prove intent Mens Rea? Mens Rea?

Trojan Defence in Child Pornography Criminal Justice Act 1988 Criminal Justice Act 1988 It is an offence to possess and indecent photograph of a child It is an offence to possess and indecent photograph of a child It is a defence for the accused to prove It is a defence for the accused to prove He had not looked at it and had no reason to believe it was indecent; or He had not looked at it and had no reason to believe it was indecent; or He did not ask for it, it was not asked for on his behalf, and he took steps to remove it as soon as possible He did not ask for it, it was not asked for on his behalf, and he took steps to remove it as soon as possible

Trojan Defence (2) Pop up is an involuntary download Pop up is an involuntary download But still in possession But still in possession If pop-up, will have looked at it If pop-up, will have looked at it Was it asked for on his behalf? Was it asked for on his behalf? And if it’s still in Temporary Internet Files, could we argue he did not take steps to remove it? And if it’s still in Temporary Internet Files, could we argue he did not take steps to remove it? And, crucially, is this fair? And, crucially, is this fair?

The Future? Encryption and secure deletion will spoil a lot of current ‘Best Evidence’ Encryption and secure deletion will spoil a lot of current ‘Best Evidence’ But we will still have lots of records But we will still have lots of records Need to ensure ruling in R v Caffrey does not spoil other cases Need to ensure ruling in R v Caffrey does not spoil other cases Need a way to educate juries Need a way to educate juries Need a way to train lawyers Need a way to train lawyers Need broader knowledge of the issues! Need broader knowledge of the issues!

Thank you! Prof Neil Barrett Centre for Forensic Computing RMCS Shrivenham University of Cranfield Shrivenham Swindon Prof Neil Barrett Centre for Forensic Computing RMCS Shrivenham University of Cranfield Shrivenham Swindon