Module 8: Digital Evidence Quiz
41 Questions

Questions and Answers

Which characteristic of digital evidence is most directly affected by the obsolescence of technology?

  • Falsification and Deletion
  • Dependency on Machinery (correct)
  • Volume and Replication
  • Metadata

What is a primary concern regarding the use of third-party tools in handling digital evidence?

  • Verifying the metadata accuracy of the files created by the tools
  • The potential for reduced falsification due to the use of sophisticated technology
  • Ensuring the tools improve the volume of evidence
  • The potential for increased costs due to the complexity of tools (correct)

Why is understanding the process of digital evidence retrieval so critical?

  • It ensures that the initial volume of evidence is maximised.
  • It reveals opportunities for evidence to be potentially accumulated at various steps. (correct)
  • It limits the risk of falsification during the evidence retrieval process
  • It allows for easier verification of metadata without external tools.

If specialized software is needed to interpret a specific piece of digital evidence, what is the most immediate implication?

The cost of retrieval may escalate significantly.

What does 'digital evidence' most critically depend on to be considered as usable?

The machinery used to make it intelligible

Which aspect of digital evidence is most vulnerable if individuals don't fully grasp the retrieval and processing procedures?

The ability to discover potentially relevant information.

Which of these options is NOT explicitly a listed characteristic of digital evidence within the content provided?

Encryption.

Which of the following best describes a challenge associated with gathering and storing electronic evidence?

The abundance of digital copies stored in different locations.

What type of metadata provides a 'digital history' of a document?

Provenance metadata

What is the primary difficulty in managing electronic records from a risk assessment perspective?

The ease with which they can be altered or tampered with.

Under the Evidence Act (EA), what is the definition of 'electronic records'?

A record generated, communicated, received, or stored by electronic means.

According to the content, what makes digital evidence admissible in Court proceedings?

Its relevance to the case.

Which of the following is an example of structural metadata?

Data about data.

What is the best description of the role of metadata in digital forensics?

Metadata is a hidden attribute or piece of information that is relevant in investigations.

What would most accurately describe 'Use Metadata'?

The record of the ways in which the document has been accessed or changed over time.

What is an example of what Illustration (g) of s 9 EA is related to?

The admissibility of an electronic record as evidence.

What must you have to commence proceedings against an unknown person?

A sufficiently certain description of the unknown person

What is a limitation of winning a judgment against an unknown person?

The judgment cannot be enforced if the person is unknown

Which of the following options is NOT available when you know where your assets are?

Retrieve them without any legal proceedings

Under which act do Singapore Courts have the authority to issue injunctions and search orders?

Supreme Court of Judicature Act 1969

What application process is mentioned for registering foreign judgments in Singapore?

Reciprocal Enforcement of Foreign Judgments Act 1959

What is the primary purpose of understanding the 'why' and 'how' of electronic record creation in a forensic investigation?

To ascertain the types of information collected and their relevance.

Which of the following data points would be MOST useful in creating a chronology of events during an online transaction?

The timestamp of the transaction.

What is a significant challenge in developing a universal tool for extracting data from mobile devices?

The vast array of differing hardware and software standards.

What is the primary risk associated with not disabling network connectivity on a mobile device during the seizure phase?

Remote access and potential alteration of data via apps and networks.

What is the purpose of 'hashing' in the acquisition phase of mobile forensics?

To determine if the acquired image has been altered since it was created.

In the mobile forensic process, what immediately follows the seizure phase?

Data acquisition.

What is the MOST critical reason for disabling all external connections on a mobile device during the seizure process?

To prevent deletion of data or locking of the device via remote kill-switches.

Which of the following best describes the meaning of 'sector-level duplicate' in the context of digital forensics?

A bit-for-bit identical copy of the entire storage media.

Why is it important to avoid using anti-forensic techniques during data acquisition?

To guarantee the accuracy of forensic analysis.

What is the significance of 'Communication Shielding' in the context of mobile device forensics?

It's the act of disabling all means of communication to prevent remote tampering.

What is the main purpose of hashing in forensic analysis?

To verify that data has not been altered

What is a forensic image?

A bit by bit copy of a digital storage device

Which of the following describes a unique feature of hashing algorithms?

Each hash value is of fixed length and unique.

Why is forensic imaging important in legal proceedings?

It ensures the evidence is admissible in court without alteration.

What does the fixed length of hash output imply about the hash values?

Hash values act as unique identifiers for the original data.

What occurs if a file is altered after hashing?

A different hash value will be produced.

Which statement best describes the relationship between hashing and evidence integrity?

Hashing provides a way to demonstrate evidence has not been altered.

Which aspect is crucial for a forensic examiner when selecting a method for analysis?

The model and type of the device.

What happens to deleted or hidden data during forensic imaging?

It is included in the forensic image.

In terms of data analysis, what advantage does creating a forensic image offer to investigators?

Investigators can work without altering the original evidence.

    Study Notes

    SMU Academy Graduate Certificate in Law & Technology

    • The program covers the certificate in Law & Technology
    • Module 8 is focused on Crimes of the Digital Economy
    • Day 2 of the module was presented by Bryan Leow

    Introduction/Housekeeping Rules

    • Housekeeping rules were part of the introductory segment of the course
    • The material was classified as restricted

    Areas Covered

    • Digital evidence and importance of computer forensics are covered
    • Investigating and taking enforcement action against digital crimes committed overseas
    • Recovering assets moved outside of Singapore
    • Class assessment hypotheticals will be part of the module

    Digital Evidence & Computer Forensics

    • Digital evidence is information transmitted or stored digitally
    • Digital evidence must be verified for authenticity, relevance, hearsay issues, and whether copies are acceptable or the original must be produced

    What is Evidence

    • In criminal cases, the prosecution needs to prove its case beyond a reasonable doubt – the standard of proof
    • It is the prosecution’s burden to adduce evidence proving the accused's guilt
    • Evidence is deemed admissible if it relates to a fact in issue
    • Evidence includes oral statements by witnesses in court and documentary evidence for court inspection
    • The court will determine the appropriate weight of the admitted evidence

    What is Digital Evidence (cont'd)

    • Digital evidence specifically refers to probative material stored or transmitted digitally
    • The court verifies if the evidence is authentic, relevant, and whether copies or originals are admissible

    Why Digital Evidence is Important

    • Digital evidence may showcase unique information not found in tangible form or from other sources
    • For example, an electronic document's print out versus a hard copy can show unique differences

    Key Features of Digital Evidence

    • The processing of digital evidence often depends on specific machinery and software
    • High volume of replicated digital information stored across various media and potentially multiple jurisdictions is a factor to consider
    • Metadata, a form of hidden information embedded in digital files, is crucial
    • Digital evidence can easily be falsified or deleted

    Dependency on Machinery

    • Digital information is only rendered intelligible through external (third party) hardware and software
    • The cost of retrieving evidence may increase if software/hardware is obsolete or difficult to procure

    Volume and Replication

    • Modern digital information is easily generated in high volumes and replicated across diverse media and jurisdictions
    • This poses a challenge to gathering and storing evidence systematically

    Metadata

    • Metadata is hidden information displayed when an electronic document is opened
    • There are six main types of metadata
      • Descriptive metadata (what, when, who)
      • Structural metadata (data about data)
      • Administrative metadata (background information)
      • Preservation metadata (digital signatures)
      • Provenance metadata (digital history)
      • Use metadata (footprint history)

    Falsification and Deletion

    • Digital evidence can easily be altered or tampered with
    • However it may be difficult to destroy such evidence

    Use of Digital Evidence at Trial

    • The Evidence Act governs the admission of evidence in court proceedings
    • Electronic records are defined as any record generated, communicated, received, or stored electronically in an information system, or transmitted from one system to another
    • The key test of admissibility is relevancy
    • Contents of documents may be proved via primary or secondary evidence (s 63 EA)
    • Documents must be proved by primary evidence, usually the document itself presented to the court (s 66 EA)
    • If an electronic record accurately reflects a document, it is considered primary evidence (Explanation 3 to s 64 EA)

    Presumptions for Digital Evidence at Trial

    • Four presumptions apply to electronic records
      • Ordinarily produces accurate communication of an electronic record (s116A(1) EA)
      • Usually generated / stored during the usual course of business by a neutral third party (s116A(2) EA)
      • Generated / stored by an adverse party to the party seeking to admit the evidence (s116A(3) EA)
      • Recorded / stored from a document produced via an approved process (s116A(6) EA)

    1st Presumption

    • If a device or process is designed to produce/communicate an electronic record, it is presumed to have done so accurately, unless disproven
    • This presumption is a relevant fact for the court to consider

    Example of the 1st Presumption

    • This presumption would apply to printed e-mails and other records
    • The presumption is based on the broad understanding and common use of the device/process rather than sophisticated technical details

    2nd Presumption

    • Records are authentic if generated in the ordinary course of business by a neutral third party not associated with the case
    • This is relevant for the court to presume authenticity

    Example of the 2nd Presumption

    • Chat logs of a forum owner concerning an intended criminal activity outside of Singapore are deemed authentic, and the court can likely presume it was not altered

    3rd Presumption

    • If an electronic record is produced by an adverse party, the court assumes its authenticity unless proven otherwise

    4th Presumption

    • Electronic records produced from an approved process are presumed to accurately reflect the original document
    • This usually involves certified imaging systems for converting physical documents into electronic images

    What is Computer Forensics

    • Computer forensics utilizes investigation and analysis techniques to gather evidence from a computer device to be presented in court
    • The goal of applying forensic techniques is to produce a documented chain of evidence, to determine what occurred on the device and who was responsible for it

    What is Encryption

    • Data encryption translates data into coded text, enabling only those with the decryption key to view it
    • Decryption reverses the encryption process, decoding the encrypted data
    • Encryption is a popular data security mechanism

    Examples of Encryption

    • Symmetric encryption (using the same key for encryption and decryption) - Rotational cipher
    • Asymmetric encryption (using a public and private key pair for security)

    Considerations in Determining What Electronic Records Are Available

    • Electronic evidence comes in many diverse forms (word documents, excel spreadsheets, browsing history, text messages)
    • It's pertinent to ascertain which events and details are being recorded in a device, and how relevant they are to any computer-related criminal activity

    Overview of the Forensic Process

    • Extracting data from a mobile device has four unique phases: Seizure, Acquisition, Analysis, and Reporting

    Phase 1: Seizure

    • The goal is to collect and preserve the mobile device's existing digital evidence without altering it
    • This involves disabling network, internet, Bluetooth connections, to prevent data alteration within the device
    • Remote kill switches on the device can be engaged, so preventing any data destruction measures is also a factor

    Phase 2: Acquisition

    • A sector-level duplicate of the device’s media is needed
    • This is ascertained through imaging and acquisition processes
    • Verified using "hashing" to ensure the original evidence is unaltered

    What is Hashing/Forensic Imaging

    • Creating a unique value (a hash value) from any data
    • A bit-by-bit copy of the device's digital storage is created
    • The image is an exact replica, including all data, metadata, and even removed data
    • It is integral to maintain the integrity of digital evidence
    • Tools like EnCase, FTK Imager, dd and Magnet Axiom aid in the processes

    Phase 3: Analysis

    • Three general levels of analysis for mobile device contents:
      • 1st Level - Taking screenshots during the relevant information retrieval
      • 2nd Level - Using Forensic Tools for identifiable object retrieval
      • 3rd Level - Physical Recovery Process ("Chip-off") for data retrieval
    • Relevant mobile information may exist outside the immediate mobile device itself, especially if the device was synced with third party applications (like Google)

    Phase 4: Reporting

    • The process of presenting any collected data in a report
    • Report structure depends on the intended audience
    • Court-related reports will be included with affidavits of evidence

    Investigating and taking enforcement action against digital crimes committed overseas

    • The topic of investigating and taking action against digital crimes outside Singapore is addressed.

    Key Challenges for Law Enforcement

    • Anonymity afforded by the internet
    • Transnational nature of cybercrime
    • Speed and scale of cybercrime
    • Ease of access to cybercrime tools and services is a factor

    Steps taken to address the key challenges

    • Establishing specialized forces like Cybercrime Command
    • Utilizing relevant local and international legislation and cooperation
    • An example is the Singapore Police Force Cybercrime Command, set up in 2015

    SPF Cybercrime Command

    • Set up in December 2015
    • Aims to integrate cyber investigations, forensics, and intelligence into a single command
    • Coordination with other agencies like AGC and CSA (eg. Attorney-General's Chambers and the Commercial Affairs Department)

    Use of Relevant Legislation

    • Extraterritorial reach of the Criminal Matters Act (CMA)
    • Overview of the Mutual Assistance in Criminal Matters Act
    • Overview of the Extradition Act

    Extraterritorial Reach of the CMA

    • Singapore Courts will have jurisdiction in some instances where a crime involves Singaporeans
    • Circumstances may involve whether any of the accused is a Singapore citizen
    • Location of crime, computer, program and data may affect jurisdiction and the court's involvement

    Overview of the Mutual Assistance in Criminal Matters Act

    • Singapore can request assistance from other countries
    • The assistance can involve the retrieval of evidence, other materials and/or witness testimony in criminal investigations
    • Facilitating international cooperation in preventing and fighting cybercrime

    Overview of the Extradition Act

    • Extradition is a formal process for transporting accused/convicted individuals from one country to another
    • Previous legislation includes offences regarding computer materials, fraud and property offences that potentially affect Singapore
    • Modernised extradition act has updated and expanded on the circumstances when such assistance will be given, and clarified the evidential procedures and other processes involved in such proceedings

    Modern Extradition Act

    • Whether an extradition is necessary is determined using a threshold approach, based on the maximum sentence of the offence/s
    • This act also clarifies whether any person can be surrendered and determines cases that do not require extradition
    • Procedures to expedite extradition have been made more streamlined

    International Engagement and Cooperation

    • International engagement and cooperation is crucial
    • Fostering cooperation across different levels (operational, regional, and international) is a method in combating transnational cybercrime
    • Enhancement of capabilities through collaboration and support at a global and regional level

    UN Convention on Cybercrime

    • Adopted 9 December 2024 by the United Nations
    • The purpose of this convention is to efficiently prevent and fight cybercrime
    • Encouraging international cooperation and support for capacity building in areas such as technical assistance to developing countries (where appropriate)

    UN Convention on Cybercrime (cont'd)

    • International extension of jurisdiction can apply to a person accused of a crime and a national of that State Party (when crime is committed against them)
    • Obligation rests on the State Party to submit a case without undue delay
    • This would follow, with the corresponding domestic law, applicable for any other similar offence

    Online Criminal Harms Act

    • The act enables the government to take swift action to combat online criminal activities
    • This Act proactively disrupts scams and malicious activities before they cause harm to more individuals
    • The act is progressively operationalized from 1 Feb 2024
    • Act obligates certain providers to take measures, such as for online services to combat such scams proactively

    Online Criminal Harms Act (cont'd)

    • Directions can be issued to online platforms where criminal activity is suspected
    • This includes websites, online accounts and activities related to cyber scams and malicious activities
    • The government can utilize the act to proactively disrupt malicious activities which affect Singapore citizens

    The next step in prevention

    • The Ministry of Home Affairs (MHA) contemplates granting police officers powers to restrict banking transactions to disrupt ongoing scams, particularly money transfer scams
    • The restriction will be limited (30 days and potentially more extensions), to empower the police with time to convince the victims of ongoing fraud and deception

    Discussion

    • Class discussion pertaining to two uploaded articles, where a request under MACMA or EA is denied, and also what approach the authorities would take

    Recovering assets moved outside of Singapore

    • Methods to recover assets moved from Singapore are addressed in the discussion
    • Focuses on legal processes to retrieve assets from other jurisdictions when necessary

    Differences between criminal and civil proceedings

    • Criminal proceedings aim for punishment and deterrence
    • Civil proceedings aim for compensation or asset recovery

    Recovery under Criminal Law

    • Singapore has mechanisms to deal with property seized during criminal investigations
    • Removal and distribution of seized property is done through a disposal inquiry under s 370 of the Criminal Procedure Code 2010

    Disposal inquiry (Key principles)

    • Dispelling disputes regarding title ownership of seized assets, even when there are competing claims
    • The process is not conclusive. Parties may still use other civil procedures to settle disputed ownership claims
    • Intended to be inexpensive and expedient for asset distribution
    • A person's lawful right to possess seized property is based on justifiable grounds like lawful possession of it

    Civil recourse in Singapore

    • Important inquiries at the outset include preliminary questions or whether a crime occurred, who is responsible, and the present location of the assets
    • Speed is essential in preventing asset disposal or loss

    (or why identification is important)

    • There is no specific rule requiring a respondent to be named or specified
    • A sufficiently precise description of an individual/ entity is nonetheless needed, whether suing unknown persons, or for interim relief
    • The courts will usually not grant an order in the absence of a clear indication of who committed a crime, and what is the exact nature of assets

    Where oh where your assets are

    • Two methods for asset recovery when the assets' location is known
      • First, go to the jurisdiction where the assets are located and file a claim or case
      • Second, if the country recognizes Singapore judgments, assets can be registered there

    Don't know the who or the where

    • Singapore courts can issue injunctions and search orders
    • These are interim measures that can be granted urgently before a full civil hearing/trial

    What kind of orders can be granted

    • Proprietary injunction – aims to preserve assets when a claim relating to that asset is made
    • Freezing injunction – aims to freeze/preserve assets within/outside of Singapore, or globally, preventing disposal of stolen assets

    Disclosure orders

    • Supplemental orders related to the main injunction will help locate assets or property in dispute
    • They will usually include ascertaining details of assets, identifying the existence of assets involved in the fraud, ownership of assets, as well as other involved parties

    What kind of orders can be granted (cont'd)

    • Singapore courts may or may not grant disclosure orders as a standalone process, to request information from third parties in situations where a claimant aims to trace assets
    • There are instances when such orders were not granted

    Parallel civil and criminal proceedings

    • It may be possible that criminal and civil proceedings are done concurrently
    • Courts have made it clear that parallel criminal proceedings will not have an automatic stay on the civil proceedings
    • If a claimant is concerned/ worried about prejudice, the civil claimant must show that the civil trial will prejudice the criminal trial

    Recap

    • Fundamentally distinct processes (criminal/civil procedures) to recover stolen assets.
    • Courts are willing to provide interim relief when the wrongdoer is overseas

    Class Discussion - Hypothetical

    • A hypothetical case study is presented and is discussed by the class
    • Details of the hypothetical scenario include:
      • A encounters online job advertisement
      • A provides details required by B, and the proceeds were transferred overseas
      • A becomes aware of wrongdoing
      • A and related parties are involved in an ongoing dispute to recover assets

    Identify: Offences that may be charged, Should they be charged? What evidence to prove offences?

    • These questions concern the hypothetical case study's implications, the offences involved, and who is accountable
    • Various legal offences may be chargeable relevant to the hypothetical case study scenario

    End of the Day (class)

    • Closing of the day's session, and thanking everyone for their time spent participating in the class session


    Description

    Test your knowledge on the characteristics and challenges of digital evidence. This quiz covers key concepts such as the impact of technology obsolescence, the importance of retrieval processes, and the concerns around third-party tools. Understand the nuances of digital evidence management through a series of thought-provoking questions.
