Computer Forensics BACS 371


Computer Forensics BACS 371 Applicable Laws and Statutes

Outline
- Basic Categories of Computer Crime
- Constitutional Amendments
- Relevant Laws & Statutes
  - Pen/Trap Statute
  - Federal Wiretap Act
  - Electronic Communications Privacy Act (ECPA)
  - Privacy Protection Act
  - Foreign Intelligence Surveillance Act (FISA)
  - Computer Fraud & Abuse Act (CFAA)
  - U.S. Patriot Act

Categories of Computer Crime [1]
- A computer can be the object of a crime
- A computer can be the subject of a crime
- The computer can be used as the tool for conducting or planning a crime
  - Includes… compromising a computer and using that computer as a source for further attacks
- The symbol of the computer itself can be used to intimidate or deceive
- The most significant omission, according to Casey, is computers as sources of digital evidence
[1] From Donn Parker, as described in Eoghan Casey, Digital Evidence and Computer Crime

USDOJ Categories [1]
- Hardware as Contraband or Fruits of a Crime
- Hardware as an Instrumentality
- Hardware as Evidence
- Information as Contraband or Fruits of a Crime
- Information as an Instrumentality
- Information as Evidence
[1] US Dept of Justice, Search and Seizure Guidelines Document

Categories of Computer Crime
- Computers as targets
- Computers as storage devices
- Computers as communication tools
Same ole stuff, but computers are involved!!
Computers as targets: Attack on the confidentiality, integrity, or availability of a computer’s information or services.
- Acquire information on the computer
- Control the target system without authorization or payment
- Alter integrity of data or interfere with delivery of service
Computers as storage devices: Passive storage of information concerning a crime.
Computers as a communication tool: Traditional crimes committed online. Email or chat used to plan a crime.

Computers as Targets
- Viruses and worms
- Trojan Horses
- Theft of Data
- Software Piracy
- Trafficking in stolen goods
- Defacing Corporate web sites

Computers as Means (tool)
- Embezzlement
- Stalking
- Gambling
- Pornography
- Counterfeiting
- Forgery
- Theft
- Identity theft
- Phishing
- Pyramid schemes
- Chain letters

Computers as Storage
- Drug trafficking
- Book making
- Burglary
- Homicide
- Child pornography

Web Related Crime
- Cyber-squatting
- Internet gambling
- Cyber stalking and harassment
- Child pornography
- Drug dealing
- Cyber terrorism
- Cyberplanning

The Key Point…
The main point is that computers can be used in a wide variety of criminal activities. Since a “crime” requires an existing statute, that places a heavy burden on lawmakers. More often than not, the law lags behind the crimes that are in progress. The remainder of this slide set talks about the legal “weapons” against cyber crime. As a forensic analyst, you need to know about these laws so you will be aware of what is and is not a “crime”.

Constitutional Amendments
There are several Constitutional Amendments that are directly related to computer forensics. The most important one is the 4th Amendment. It protects people from “unreasonable” searching by government agents without probable cause. With the exclusion of a set of “exceptions”, this right cannot be impinged upon. It is important for you to understand it because failure to follow it can render evidence inadmissible.
From a forensics standpoint, underlying the 4th Amendment is the right to “privacy.” Surprisingly, this right is not stated anywhere in the Constitution. Rather, it is inferred by the court from several of the Constitutional Amendments.

Constitutional Amendments
Other important Amendments to the forensic analyst are the 1st, 5th, and 14th.
- The 1st Amendment guarantees the right to freedom of speech and religion. Privileged information and what constitutes the “press” are the links to forensics.
- The 5th relates to self-incrimination and guarantees “due process of the law” (which links to forensics).
- The 14th came about after the Civil War and also supports the notion of “due process of the law.”
We will go into detail about the Constitutional Amendments in a later lecture.

Laws and Statutes
As criminals devise new ways to use computers for crime, the justice system attempts to keep up by making new laws. These laws are written to stop past criminal activity. As technology progresses, the laws have to be rewritten and amended. The following are the major laws and statutes used to fight cyber crime.

Pen/Trap Statute
- Governs the collection of non-content traffic data, such as numbers dialed by a particular phone.
- Section 216 updates the statute in three ways:
  - Law enforcement may use pen/trap orders to trace communications on the Internet and other networks
  - Pen/trap orders issued by federal courts have nationwide effect
  - Law enforcement must file a special report when they use a pen/trap order to install their own monitoring device on computers belonging to a public provider
This law was updated several times to include the Internet and cross-state data traffic. With regard to computer networks, the Pen/Trap statute includes most e-mail header information (e.g., the “to” and “from” fields, as well as information identifying which computers the e-mail passed through on its route). If the subject line or the content is captured, then the Wiretap Act is the appropriate statute to consider. Pen register orders require only certification from a law enforcement officer that the information is likely to be relevant (for probable cause purposes).
Slide taken directly from slideset associated with: Volonino, Anzaldua, & Godwin “Computer Forensics: Principles and Practices”, Prentice-Hall 2006.

Title III of the Omnibus Crime Control and Safe Streets Act of 1968, aka “Federal Wiretap Act” (18 USC §§ 2510-2522)
- Covers illegal interception of voice and e-communications in real-time as they traverse networks.
- Protects against unauthorized interception of communication
- Delineates specific requirements for wiretapping:
  - Requires probable cause
  - Requires court approval
  - Requires that alternative avenues be exhausted
  - “Innocent” conversations must be excluded
  - Requires disclosure of surveillance upon conclusion of investigation
Originally passed in 1968 and focused on telephone calls. Was modified to include computer communications (referred to as “e-communications” in the act). Title III gives greater protection to the contents of communication than it gives to information about the communication.

Electronic Communications Privacy Act of 1986
- The ECPA (18 USC §§ 2701 – 2712) deals primarily with stored computer files that have been transmitted over a network.
- 3 main categories are covered:
  - Communications (e-mail, voicemail, other files)
  - Transactional data (logs of who called who)
  - Subscriber/session information
- Basically, it amended Title III of the Wiretap Act to extend to different types of electronic communications (including e-mail).
- In certain situations, ECPA takes precedence over the right to privacy implied by the 4th Amendment.
- Only applies to stored computer information and not to real-time interception (that’s the Wiretap Act).
- ECPA allows ISPs to look through all stored messages (including e-mail waiting in an inbox and recently sent and received mail). There was a good deal of concern about who the data could be shared with.
- With proper legal authority, content of stored messages can be seized.

Electronic Communications Privacy Act of 1986
- Title I
  - Statutory procedures for intercepting wire, oral, and electronic communications
  - Extended to digital communications and non-common carrier communications
- Title II – Stored Communications Act
  - Protects communications not in transmission which have been stored in some way
- Title III
  - Provides for law enforcement monitoring of electronic communications
Prior to Title I, only audio communications were covered (by the Wiretap Act). When computer networks became popular, the old law did not apply. Title II (Stored Communications Act) is designed to protect communications not in transmission that have been stored or saved.

Requirements Under Title III
- Must be authorized by Federal District Court Judge
- Must demonstrate probable cause – with specifics
- Must identify previous attempts at evidence collection and indicate why unsuccessful
- Generally limited to 30 days
- Progress reports must be issued every 7-10 days
- Surveillance must be terminated when objective is met
- Subjects must be notified when surveillance terminated
- Service providers must cooperate with authorities possessing a valid court order
- After surveillance, subject must be given an inventory of what was catalogued.
- Any party to an illegal interception may be charged with a Federal offense punishable by 5 years in prison and/or fine

ECPA Information Categories
(Less difficult to acquire)
- Basic Subscriber Information
  - Name, address, telephone connection records, length of service, subscriber identity, means and sources of payment
- Records Pertaining to a Subscriber
  - Account logs, cell site data, e-mail addresses, …
- Contents
  - Actual files stored in the account
  - “Electronic Storage” contents for ECS providers
  - Contents stored by RCS providers
  - Contents held by neither
(More difficult to acquire)
As you move down the list, the information becomes harder to get (from a legal standpoint). More privacy concerns to get content than to get name and address.

ECPA Mechanisms for Government Entity to Compel Disclosure
(Less difficult to acquire)
- Subpoena
  - Basic Subscriber information
- Subpoena without Prior Notice
  - Opened e-mail
- Court Order
  - Account logs and transactional records
- Court Order without Prior Notice
  - Everything in an account except for unopened e-mail
- Search Warrant
  - Full contents of account
  - No notice to subscriber required
(More difficult to acquire)
This is the range of mechanisms used to get the different categories of information. Note that a subpoena is relatively “easier” to get than a full search warrant. This is due to the fact that the legal system wants to preserve 4th Amendment privacy rights.

Privacy Protection Act of 1980
PPA (42 USC § 2000)
- Unlawful for local, state, or Federal law enforcement authorities to search or seize those materials which may be publishable
- Expand the 1968 Wiretap Act to include electronic bulletin boards
- Protects
  - “work product” including impressions, conclusions, opinions, or theories
  - “documentary materials” including mechanically, magnetically, or electronically recorded cards, tapes or discs

Privacy Protection Act of 1980
- Matters when search may result in seizure of 1st Amendment materials (publishing, …)
- “Congress probably intended the PPA to apply only when law enforcement intentionally targeted First Amendment material that related to a crime.”
- Incidental seizure of PPA-protected material commingled on a suspect’s computer with evidence of a crime does not give rise to PPA liability.
- However, subsequent search of such material was mostly forbidden
This puts the analyst in the difficult position of having to search through things it is okay to look at and not through things it is not okay to look at.

Foreign Intelligence Surveillance Act (FISA) of 1978
- Regulates wiretaps in national security cases
- Broader than Title III
  - Allows more invasive searches
  - Lower probable-cause threshold
- Differences
  - No requirement to disclose content or existence of surveillance
  - No protection for non-US citizens
    - For citizens, probable cause of engagement in criminal activity is required
    - For others, suspicion of criminal activity is not required
- Allows wiretapping in the US based on probable cause that person is a terrorist

Computer Fraud and Abuse Act
- Computer Fraud and Abuse Act (CFAA)
  - First law to address computer crime in which the computer is the subject of the crime
  - First law that does not have an analog to traditional crime
- CFAA has been used to prosecute virus creators, hackers, information and identity thieves, and people who use computers to commit fraud
Slide taken directly from slideset associated with: Volonino, Anzaldua, & Godwin “Computer Forensics: Principles and Practices”, Prentice-Hall 2006.

Computer Fraud and Abuse Act of 1986
Originally, very narrow in scope and not very effective. Makes it…
- A felony to knowingly access a computer without authorization, or in excess of authorization, in order to obtain classified United States defense or foreign relations information.
- A misdemeanor to knowingly access a computer without authorization, or in excess of authorization, in order to obtain information contained in a financial record of a financial institution or in a consumer file of a consumer reporting agency.
- A misdemeanor to knowingly access a computer without authorization, or in excess of authorization, in order to use, modify, destroy, or disclose information in, or prevent authorized use of, a computer operated on behalf of the United States if such conduct would affect the government’s use of the computer.
The Act also made it a crime to attempt to or conspire to commit any of the three acts defined above.

Computer Fraud and Abuse Act of 1986 - Revised
Original Act was modified to include:
- Federal Interest Computer – expanded to include any computer which is used in interstate or foreign commerce or communications
- Expanded criminal intent from “knowingly” to “intentionally”
- Made it a misdemeanor to gain unauthorized access to financial information from any financial institution or credit reporting agency, any information in the possession of the government, any private information where the defendant’s conduct involved interstate or foreign commerce
- A felony if the activity involved an expectation of gain or if the offense was in the furtherance of another crime
Current Act protects computers involved in interstate commerce or communication, Federal Interest computers, and Government computers. Illegal actions included theft, destruction, or corruption of sensitive information.

Computer Fraud and Abuse Act of 1986 – Further Amendments
- 1988
  - Protections expanded to include all FDIC-insured institutions
- 1990
  - Expanding protections to foreign banks
- 1994
  - Developed three levels of intent
    - Intentional – did it on purpose
    - Reckless – should have known better
    - Negligent – you were careless, but didn’t mean to
  - Incorporated provisions for Denial of Service (DoS) attacks and potential harm to systems or components

Key Terms in the CFAA
Key Terms, each followed by what the term means:
- Protected computer: A protected computer means a computer that:
  - Is used by a financial institution
  - Is used by the U.S. government
  - Affects domestic, interstate commerce
  - Affects foreign commerce
- Authorized access: Two categories of unauthorized access:
  - Without authorization
  - Exceeding authorized access
- Damage: Damage is defined as any impairment to the integrity or availability of data
Slide taken directly from slideset associated with: Volonino, Anzaldua, & Godwin “Computer Forensics: Principles and Practices”, Prentice-Hall 2006.

Key Terms in the CFAA (Cont.)
Key Terms, each followed by what the term means:
- Loss: Any reasonable cost to any victim, including:
  - Responding to an offense
  - Conducting a damage assessment
  - Restoring the data, program, etc.
  - Lost revenue or other damages
- Conduct: Determines if the damage done was:
  - Intentional conduct
  - Reckless conduct
  - Negligent
Slide taken directly from slideset associated with: Volonino, Anzaldua, & Godwin “Computer Forensics: Principles and Practices”, Prentice-Hall 2006.

USA PATRIOT Act [1]
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
- Greatly broadened FBI’s authority to gather electronic evidence
- Allows:
  - Intercept voice communications in computer hacking cases
  - Trace communications on the Internet
  - Subpoena for cable company records
  - Intercept communications of computer trespassers
  - ISPs can disclose content and non-content information in emergency situations
  - Nationwide search warrants for e-mail
  - “Sneak & Peek” – Permits investigator to delay notification of “search”
  - Establishment of Regional Computer Forensic laboratories
[1] http://www.usdoj.gov/criminal/cybercrime/PatriotAct.htm