Computers have appeared in the course of litigation for over 25 years. In 1977, there were 291 U.S. federal cases and 246 state cases in which the word "computer" appeared and which were sufficiently important to be noted in the Lexis database. In the UK, there were only 20. However, as early as 1968, the computer's existence was considered sufficiently important for special provisions to be made in the English Civil Evidence Act.
The following description is designed to give a summary of the issues rather than attempt to give a complete guide. As far as one can tell, noncontentious cases tend not to be reported, and the arrival of computers in commercial disputes and in criminal cases did not create immediate difficulties. Judges sought to allow computer-based evidence on the basis that it was no different from forms of evidence with which they were already familiar: documents, business books, weighing machines, calculating machines, films, and audio tapes. This is not to say that such cases were without difficulty; however, no completely new principles were required. Quite soon, though, it became apparent that many new situations were arising and that analogies with more traditional evidential material were beginning to break down. Some of these were tackled in legislation, as with the English 1968 Act and the U.S. Federal Rules of Evidence in 1976. But many were addressed in a series of court cases. Not all of the key cases deal directly with computers, but they do have a bearing on them because they relate to matters that are characteristic of computer-originated evidence. For example, computer-originated evidence or information is often not immediately readable by a human being, is usually gathered by a mechanical counting or weighing instrument, and may be the result of a calculation performed by a mechanical or electronic device.
The focus of most of this legislation and judicial activity was determining the admissibility of the evidence. The common law and legislative rules are those that have arisen as a result of judicial decisions and specific law. They extend beyond mere guidance: they are rules that a court must follow. The thought behind these rules may have been to impose standards and uniformity in helping a court test authenticity, reliability, and completeness. Nevertheless, they have acquired a status of their own and in some cases prevent a court from making ad hoc common-sense decisions about the quality of evidence. The usual effect is that once a judge has declared evidence inadmissible (that is, failing to conform to the rules), the evidence is never put to a jury. For a variety of reasons that will become apparent shortly, it is not wholly possible for someone interested in the practical aspects of computer forensics (that is, the issues of demonstrating authenticity, reliability, completeness, or lack thereof) to separate out the legal tests.
Now let's look at some of the more common questions that computer forensics can hope to answer. The following list is not exhaustive, nor is the order significant.
Documents: To prove authenticity or, alternatively, to demonstrate a forgery. This is the direct analogy to proving a print-based document.
Reports: Computer generated from human input. This is the situation where a series of original events or transactions are input by human beings, but where, after regular computer processing, a large number of reports, both printed and on-screen, can be generated. Examples would include the order/sales/inventory applications used by many commercial organizations and retail banking.
Real evidence: Machine-readable measurements and the like (weighing, counting, or otherwise recording events); the reading of the contents of magnetic stripes, bar codes, and smart cards.
Reports generated from machine-readable measurements, and the like: Items that have been counted, weighed, and so on, and the results then processed and collated.
Electronic transactions: To prove that a transaction took place, or to demonstrate that a presumption that one had taken place was incorrect. Typical examples would include money transfers, ATM transactions, securities settlement, and EDI exchanges.
Conclusions reached by search programs: These are programs that have searched documents, reports, and so on, for names and patterns. Typical users of such programs are auditors and investigators.
Event reconstruction: To show a sequence of events or transactions passing through a complex computer system. This is related to the proving of electronic transactions, but uses more proactive means of investigation. Event reconstruction is also used to show how a computer installation, or a process dependent on a computer, may have failed. Typical examples include computer contract disputes (when a computer failed to deliver acceptable levels of service and blame must be apportioned), disaster investigations, and failed-trade situations in securities dealing systems.
Liability in a situation: This is where CAD designs have relied on autocompletion or filling-in by a program (in other respects, a CAD design is a straightforward computer-held document), or where a computer program has made a decision (or recommendation) based on the application of rules and formulae. The legal issue is then the quality and reliability of the application program and of the rules with which it has been fed.
The following occasions could arise in any of a number of forms of litigation:
Breach of contract
Tort, including negligence
Breach of confidence
Breach of securities industry legislation and regulation and/or Companies Acts
Copyright and other intellectual property disputes
Consumer protection law obligations (and other examples of no-fault liability)
Data protection law legislation
Criminal matters such as:
Theft acts, including deception
Demanding money with menaces
Companies law, Securities industry, and banking offenses
Criminal offenses concerned with copyright and intellectual property
Trading standards offenses
Computer Misuse Act offenses
As mentioned earlier, the most likely situations are that computer-based evidence makes a contribution to an investigation or to litigation and is not the whole of it.
The following is a provisional list of actions for some of the principal forensic methods. The order is not significant; however, these are the activities for which research would want to provide a detailed description of procedures, review, and assessment for ease of use and admissibility. A number of these methods have been mentioned in passing already:
Safe seizure of computer systems and files, to avoid contamination and/or interference
Safe collection of data and software
Safe and noncontaminating copying of disks and other data media
Reviewing and reporting on data media
Sourcing and reviewing of back-up and archived files
Recovery/reconstruction of deleted files—logical methods
Recovery of material from swap and cache files
Recovery of deleted/damaged files—physical methods
Core-dump: collecting an image of the contents of the active memory of a computer at a particular time
Estimating if files have been used to generate forged output
Reviewing of single computers for proper working during relevant period, including service logs, fault records, and the like
Proving/testing of reports produced by complex client/server applications
Reviewing of complex computer systems and networks for proper working during relevant period, including service logs, fault records, and the like
Review of system/program documentation for: design methods, testing, audit, revisions, and operations management
Reviewing of applications programs for proper working during relevant period, including service logs, fault records, and the like
Identification and examination of audit trails
Identification and review of monitoring logs
Telecoms call path tracing (PTTs or path-tracing telecoms and telecoms utilities companies only)
Reviewing of access control services—quality and resilience of facilities (hardware and software, identification/authentication services)
Reviewing and assessment of access control services—quality of security management
Reviewing and assessment of encryption methods—resilience and implementation
Setting up of proactive monitoring to detect unauthorized or suspect activity within application programs and operating systems, and across local area and wide area networks
Monitoring of e-mail
Use of special alarm or trace programs
Use of honey pots
Interaction with third parties (suppliers, emergency response teams, and law enforcement agencies)
Reviewing and assessment of measuring devices and other sources of real evidence, including service logs, fault records, and the like
Use of routine search programs to examine the contents of a file
Use of purpose-written search programs to examine the contents of a file
Reconciliation of multisource files
Examination of telecoms devices, location of associated activity logs and other records perhaps held by third parties
Complex computer intrusion
Disaster affecting computer-driven machinery or process
Review of expert or rule-based systems
Reverse compilation of suspect code
Use of computer programs that purport to provide simulations or animations of events: review of accuracy, reliability, and quality
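As an added example, not taken from the book, the following script shows what "safe and noncontaminating copying of disks and other data media" and "reviewing and reporting on data media" look like when reduced to something that can later be demonstrated to a court: the source is hashed before and after the copy, the image is hashed and set read-only, the acquisition is only called verified when all three digests agree, and every acquisition appends a record to a custody log that a later `verify_image` check can be compared against. The examiner name, file names and the sample media contents are constructed for the demonstration; the script runs entirely inside a temporary directory.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024  # copy and hash in fixed-size blocks so large media is never loaded whole


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path, log_path, examiner):
    """Make a bit-for-bit copy of `source` and record whether it is verifiable.

    The source is hashed before and after the copy: a mismatch between those
    two digests means the acquisition itself disturbed the evidence, which is
    exactly what "noncontaminating" copying has to rule out.
    """
    source_before = sha256_of(source)
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    os.chmod(image_path, 0o444)  # the image is reference material: read-only from now on
    image_hash = sha256_of(image_path)
    source_after = sha256_of(source)
    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,  # constructed value in the demo below
        "source": os.path.basename(source),
        "image": os.path.basename(image_path),
        "source_sha256_before": source_before,
        "source_sha256_after": source_after,
        "image_sha256": image_hash,
        "verified": source_before == image_hash == source_after,
    }
    with open(log_path, "a", encoding="utf-8") as log:  # append-only custody log
        log.write(json.dumps(record) + "\n")
    return record


def verify_image(image_path, expected_sha256):
    """Re-hash an image later (before analysis, or in court) against the logged digest."""
    return sha256_of(image_path) == expected_sha256


def demo():
    """Acquire constructed sample media, then show that a one-byte change is detected."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "suspect_media.bin")
        image = os.path.join(workdir, "suspect_media.img")
        log = os.path.join(workdir, "custody.jsonl")
        # Constructed sample content standing in for a seized disk.
        with open(source, "wb") as f:
            f.write(b"ledger 2003-07-14: transfer 12500 ref A113\n" * 2048)

        record = acquire_image(source, image, log, examiner="J. Examiner (constructed)")

        # A later copy with a single byte altered must fail against the logged digest.
        tampered = os.path.join(workdir, "tampered.img")
        with open(image, "rb") as f:
            data = bytearray(f.read())
        data[10] ^= 0x01
        with open(tampered, "wb") as f:
            f.write(data)

        with open(log, encoding="utf-8") as f:
            log_entries = [json.loads(line) for line in f]

        return {
            "acquisition": record,
            "image_still_verifies": verify_image(image, record["image_sha256"]),
            "tamper_detected": not verify_image(tampered, record["image_sha256"]),
            "log_entries": len(log_entries),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of hashing the source twice is evidential rather than technical: the "after" digest is the examiner's answer to the question of whether the copying process itself changed the original, and the custody log entry is what ties the image produced to a named person, a time and a digest that anyone can recompute.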