SEC524 Computer and Network Forensics Lectures 03 and 04 PDF
Summary
These are lecture slides from King Fahd University of Petroleum & Minerals on SEC524 Computer and Network Forensics. The topics covered include Saudi Arabian cyber crime laws, court systems, rules of evidence, cybercrime expert testimony, and witness ethics in cybercrime investigations.
King Fahd University of Petroleum & Minerals
College of Computer Sciences & Engineering
SEC524 Computer and Network Forensics
Lectures 03 and 04: Cyber Crimes & Legal Issues

These slides are based on:
- Guide to Computer Forensics and Investigations: Processing Digital Evidence, Bill Nelson et al. (Ch. 15-16)
- Incident Response & Computer Forensics, Jason Luttgens et al. (Ch. 9)
- Computer and Information Security Handbook, John Vacca (Ch. 40)
- Anti-Cyber Crime Law
- Mike Mabey class notes

Outline
- Saudi Arabia Cyber Crimes Laws
- Forensics and the Court System
- Rules of Evidence
- Expert Testimony in Cyber Crime Investigations
- Ethics for the Expert Witness

Saudi Arabia Cyber Crimes Laws
- Anti-Cyber Crime Law
  - The first edition was issued by Royal Decree No. (M/17), dated 8 Rabi 1, 1428 (26 March 2007), and consists of sixteen (16) articles
  - Provides key definitions, scope and objective, sentences, and fines
  - The law aims at combating cyber crimes by identifying such crimes and determining their punishments
- Additionally, the Arab Cybercrime Agreement (Number 126 of 2012) has been approved by Saudi Arabia
  - Addresses the rise in electronic crime (credit card fraud, internet crimes, cyber terrorism, creation and distribution of viruses, hacking, system interference, ...)
  - Aims at strengthening cooperation between Arab countries in combating cyber crimes
  - Signifies the importance of enforcing the Copyright Law

Saudi Arabia Cyber Crimes Laws (Cntd)
The 16 articles of the Anti-Cyber Crime Law include:
- Article 1: The set of definitions used throughout the articles of this law
- Article 2: Lists the objectives of this law
  1. Enhancement of information security
  2. Protection of rights pertaining to the legitimate use of computers and information networks
  3. Protection of public interest, morals, and communal values
  4. Protection of the national economy
- Articles 3-7: Identify cyber crimes and their imposed punishments. In each case the court may impose the imprisonment, the fine, or either one of them:
  - Article 3: Spying, unlawful access, invasion of privacy, and defamation
    -> a maximum of one year of jail and a fine up to 500,000 Riyals, or either
  - Article 4: Using the Internet for fraudulent transactions
    -> a maximum of three years of jail and a fine up to 2,000,000 Riyals, or either
  - Article 5: Denial of service, and unlawful access to computers or networks with the intention to delete, destroy, break down, leak or alter private data
    -> a maximum of four years of jail and a fine up to 3,000,000 Riyals, or either
  - Article 6: Impinging on public order, religious values, public morals and privacy; human trafficking, pornography, gambling, and narcotic and psychotropic drugs, through information networks or computers
    -> a maximum of five years of jail and a fine up to 3,000,000 Riyals, or either
  - Article 7: Terrorist-related cybercrimes and jeopardizing the security of the country or its national economy
    -> a maximum of ten years of jail and a fine up to 5,000,000 Riyals, or either
- Article 8: The imprisonment and the fine may not be less than half the maximum if the crime was coupled with one of the following:
  1. The crime is perpetrated through organized crime
  2. The offender holds a public office and the crime perpetrated relates to this office, or he perpetrates the crime using his power or influence
  3. The luring and exploiting of minors and the like
  4. The offender has been previously convicted of similar crimes within or outside the Kingdom
- Article 9: Any person who incites, assists or collaborates with others to commit any of the crimes stipulated in this law shall be subject to a punishment not exceeding the maximum punishment designated for such crimes if the crime is committed as a result of said incitement, assistance or collaboration, and to a punishment not exceeding half the maximum punishment designated if the intended crime is not committed
- Article 10: Any person who attempts to commit any of the crimes stipulated in this law shall be subject to a punishment not exceeding half the maximum punishment designated for said crimes
- Article 11: The competent court may exempt an offender from such punishments if he informs the competent authority of the crime prior to its discovery and prior to the infliction of damage. If the culprit informs the competent authority after the occurrence of the crime, the exemption from punishment shall be granted if the information he provides eventually leads to the arrest of other culprits and the seizure of the means used in the perpetration of the crime
- Article 12: Application of this law shall not prejudice the provisions of relevant laws, especially those pertaining to intellectual property rights, nor relevant international agreements to which the Kingdom is party
- Article 13: Without prejudice to the rights of bona fide persons, equipment, software, and means used in perpetrating any of the crimes stipulated in this law, or the proceeds generated therefrom, may be confiscated. In addition, the web site or the venue where the service is provided may be shut down permanently or temporarily if it is the source for perpetrating the crime and the crime is committed with the owner's knowledge
- Article 14: The Communications and Information Technology Commission, pursuant to its powers, shall provide assistance and technical support to the competent security agencies during the investigation stages of such crimes and during trial
- Article 15: The Bureau of Investigation and Public Prosecution shall carry out the investigation and prosecution of crimes stipulated in this law
- Article 16: This law shall be published in the Official Gazette and shall enter into force one hundred twenty days after the date of publication

Forensics and the Court System
- Recall: cyber forensics is concerned with the acquisition, preservation, and analysis of electronically stored information in such a way that ensures its admissibility for use as evidence, exhibits, or demonstratives in a court of law
- It is not a covert ability to tap into a vast, secret repository of information about everything that ever happened on, or to, a computer
- It may involve handling hardware in unique circumstances and doing things with both hardware and software that the makers or manufacturers typically did not intend

Forensics and the Court System (Cntd)
- Not everything a user ever did on a computer is 100% knowable beyond a shadow of a doubt, or even beyond reasonable doubt
- Some things are knowable, with varying degrees of certainty
- There is nothing that can happen on a computer using a keyboard and a mouse that cannot be replicated with a software program or macro of some sort
- So degrees of certainty exist and require definition, such as: how heavy is the burden of proof?
- Anyone studying cyber forensics must understand:
  - The core principles of what it means to be in a position of authority: most forensic toolsets have a feature that allows an investigator to "reveal all" about hundreds of thousands of files, which can create legal and ethical issues
  - What varying degrees of certainty an examiner may attest to without finding he/she has overstepped his/her mandate

Forensics and the Court System (Cntd)
Usefulness of evidence: for evidence to be useful in a case, it must be:
1. Admissible: able to be used in court or elsewhere
2. Authentic: relates to the incident in a relevant way
3. Complete: no tunnel vision; includes exculpatory evidence and evidence pointing to alternative suspects
4. Reliable: no question about its authenticity and veracity
5. Believable: clear, easy to understand, and believable by a jury

Forensics and the Court System (Cntd)
Admissibility of the evidence collection/analysis techniques (these are the Daubert factors applied by US federal courts to expert scientific testimony):
- Whether the theory or technique has been reliably tested
- Whether the theory or technique has been subject to peer review and publication
- What the known or potential rate of error of the method used is
- Whether the theory or method has been generally accepted by the relevant scientific community

Rules of Evidence
- The major objective of forensics is to acquire, preserve, and analyze evidence to be used in a court of law
- Hence, the general rules of evidence are:
  - Authenticity
  - Admissibility
  - Completeness
  - Reliability/Accuracy

Rules of Evidence (Cntd)
Authenticity
- Can we explicitly link files and data to specific individuals and events?
- Typically relies on:
  - Access control
  - Logging and audit logs
  - Collateral evidence
  - Crypto-based authentication
  - Non-repudiation

Rules of Evidence (Cntd)
Admissibility
- Legal rules that determine whether potential evidence can be considered by a court
- Evidence must be obtained in a manner which ensures its authenticity and validity and that no tampering has taken place:
  - No possible evidence is damaged, destroyed, or compromised by the procedures used to collect it
  - Prevent viruses from being introduced to a computer during the analysis process
  - Extracted relevant evidence is properly handled and protected from later mechanical or electromagnetic damage
  - Establish and maintain a continuing chain of custody
  - Limit the amount of time business operations are affected
  - Respect, and do not divulge, any attorney-client privileged information inadvertently acquired during a forensic examination, as both ethics and law require

Rules of Evidence (Cntd)
Admissibility (Cntd): chain of custody
- When you are given an original copy of media to deal with, you need to document the handling:
  - Where it was stored
  - Who had access to it, and when
  - What was done to it
- This shows that the integrity of the evidence/data was preserved and not open to compromise
- It is the route the evidence takes from the time you find it until the case is closed or goes to court
- Time attributes allow an investigator to develop a timeline of the incident (M-A-C):
  - mtime: modified time (changed by modifying a file's content)
  - atime: accessed time (changed by reading a file or running a program; note that systems mounted with relatime, the Linux default, or noatime suppress most atime updates, so a stale atime does not prove a file was never read)
  - ctime: changed time (tracks when the meta-information about the file was changed, for example owner, group, file permissions, or access privilege settings); it can also be used as an approximate dtime (deleted time)

Rules of Evidence (Cntd)
Completeness
- Evidence must tell a complete narrative of a set of particular circumstances, setting the context for the events being examined so as to avoid "any confusion or wrongful impression"
- If an adverse party feels evidence lacks completeness, they may require the introduction of additional evidence "to be considered contemporaneously with the [evidence] originally introduced"
- Source: Doctrine of Completeness, Legal Information Institute at Cornell University Law School

Rules of Evidence (Cntd)
Reliability/Accuracy
- Concerns the reliability of the computer process that created the content, not the data content itself
- Can we explain how an exhibit came into being?
  - What does the computer system do?
  - What are its inputs?
  - What are the internal processes?
  - What are the controls?
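The chain-of-custody requirements under Admissibility above (where the evidence was stored, who had access and when, what was done to it) can be made tamper-evident with cryptographic hashes: the evidence is hashed at acquisition, every hand-over re-hashes it and commits to the previous log entry, and verification re-checks both. The following is an added example, not code from the slides or from any of the books they cite; it assumes a single evidence file on local disk, and the image name, handler names and locations are constructed for the demo.

```python
"""Hash-chained chain-of-custody log for one piece of digital evidence.

Added example (not from the lecture slides). It records the three things a
custody record must show (where the evidence was, who handled it and when,
what was done to it) and uses SHA-256 so that tampering with either the
evidence or the log itself is detectable. The image name, handler names and
locations are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_entry_hash of the first entry


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a multi-GB disk image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def entry_hash(entry):
    """Hash of an entry's canonical JSON form, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


class CustodyLog:
    def __init__(self, evidence_path):
        self.evidence_path = evidence_path
        self.entries = []

    def record(self, action, handler, location, when=None):
        """Append an entry that commits to the previous entry and to the
        evidence hash as observed at the moment of the hand-over."""
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries) + 1,
            "time_utc": when.isoformat(timespec="seconds"),
            "action": action,
            "handler": handler,
            "location": location,
            "evidence_sha256": sha256_file(self.evidence_path),
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return a list of problems; an empty list means log and evidence are intact."""
        problems = []
        if not self.entries:
            return problems
        acquisition_hash = self.entries[0]["evidence_sha256"]
        prev = GENESIS
        for e in self.entries:
            if e["prev_entry_hash"] != prev:
                problems.append(f"entry {e['seq']}: link to previous entry broken")
            if entry_hash(e) != e["entry_hash"]:
                problems.append(f"entry {e['seq']}: contents altered after being recorded")
            if e["evidence_sha256"] != acquisition_hash:
                problems.append(f"entry {e['seq']}: evidence hash differs from acquisition hash")
            prev = e["entry_hash"]
        if sha256_file(self.evidence_path) != acquisition_hash:
            problems.append("evidence on disk no longer matches acquisition hash")
        return problems


def demo():
    """Build a clean log, then tamper with the evidence and with the log.

    Returns (problems_clean, problems_after_image_edit, problems_after_log_edit).
    """
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "suspect-laptop.dd")  # constructed stand-in for a disk image
        with open(img, "wb") as f:
            f.write(b"\x00" * 4096 + b"CONSTRUCTED IMAGE CONTENT")

        log = CustodyLog(img)
        log.record("acquired via write blocker", "A. Examiner", "Lab evidence safe 1")
        log.record("released for transport", "A. Examiner", "Sealed evidence bag 0007")
        log.record("received for analysis", "B. Analyst", "Lab workstation 3")
        clean = log.verify()

        # Tamper 1: a single byte of the image is changed, then restored
        with open(img, "r+b") as f:
            f.write(b"\x01")
        after_image_edit = log.verify()
        with open(img, "r+b") as f:
            f.write(b"\x00")

        # Tamper 2: the log is edited to hide who held the evidence in transit
        log.entries[1]["handler"] = "C. Unknown"
        after_log_edit = log.verify()

        return clean, after_image_edit, after_log_edit


if __name__ == "__main__":
    for label, problems in zip(("clean", "image edited", "log edited"), demo()):
        print(f"{label}: {problems or 'OK'}")
```

An editor who also recomputes the altered entry's entry_hash does not escape detection: the following entry's prev_entry_hash then no longer matches, so the break simply moves one entry later. Only rewriting the whole tail of the log hides an edit, which is why the latest entry_hash should be copied somewhere the custodians cannot alter (the examiner's signed report, a case-management ticket, or a printed and initialled custody form).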
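The M-A-C timestamps listed under chain of custody above are the raw material of an incident timeline, but which operation moves which timestamp is exactly the kind of detail an examiner is cross-examined on. The following is an added example, not from the slides, that builds a timeline from os.stat and checks the behaviour on files it creates in a temporary directory; it assumes a POSIX system, and the relatime/noatime caveat is the reason the code deliberately draws no conclusion from atime.

```python
"""Build an M-A-C timeline from file metadata and show which operations move
which timestamp. Added example, not from the lecture slides; the files are
created in a temporary directory for the demo.

Observed on Linux/ext4-style filesystems:
  - writing content -> mtime and ctime advance
  - chmod           -> only ctime advances (mtime is left alone)
  - reading         -> atime advances only under strictatime; with the Linux
                       default relatime (or noatime) a read often leaves atime
                       unchanged, so a stale atime must not be read as
                       "never opened"
"""
import os
import tempfile
import time
from datetime import datetime, timezone


def mac_times(path):
    """The three POSIX timestamps of path, in nanoseconds since the epoch."""
    st = os.stat(path)
    return {"mtime": st.st_mtime_ns, "atime": st.st_atime_ns, "ctime": st.st_ctime_ns}


def build_timeline(paths):
    """Return (timestamp_ns, kind, path) tuples for all paths, oldest first.

    Ties are broken by kind and path so the output is deterministic; this is
    the bodyfile-style view an examiner reads to reconstruct event order.
    """
    events = []
    for p in paths:
        for kind, ts in mac_times(p).items():
            events.append((ts, kind, p))
    events.sort()
    return events


def fmt(ts_ns):
    """Render a nanosecond timestamp as ISO-8601 UTC with millisecond precision."""
    return datetime.fromtimestamp(ts_ns / 1e9, tz=timezone.utc).isoformat(timespec="milliseconds")


def timestamp_behaviour():
    """Write to a file, then chmod it, and report which timestamps moved.

    Kernel file timestamps are coarse (often jiffy granularity), so a short
    sleep separates the operations. Returns a dict of booleans.
    """
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "note.txt")
        with open(p, "w") as f:
            f.write("original content\n")
        t0 = mac_times(p)

        time.sleep(0.05)
        with open(p, "a") as f:  # content change
            f.write("appended line\n")
        t1 = mac_times(p)

        time.sleep(0.05)
        os.chmod(p, 0o600)  # metadata-only change
        t2 = mac_times(p)

        return {
            "write_moved_mtime": t1["mtime"] > t0["mtime"],
            "write_moved_ctime": t1["ctime"] > t0["ctime"],
            "chmod_kept_mtime": t2["mtime"] == t1["mtime"],
            "chmod_moved_ctime": t2["ctime"] > t1["ctime"],
        }


def demo_timeline():
    """Create two constructed files 50 ms apart and return their merged timeline."""
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name in ("a.log", "b.log"):
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write(name + "\n")
            paths.append(p)
            time.sleep(0.05)
        return build_timeline(paths)


if __name__ == "__main__":
    print(timestamp_behaviour())
    for ts, kind, path in demo_timeline():
        print(fmt(ts), kind, os.path.basename(path))
```

On the stand, the safe statements are the ones this demo supports: a changed mtime means the content was written, a ctime newer than the mtime means only metadata changed afterwards (permissions, owner, or a rename), and atime is at best corroborating.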
Expert Testimony in Cyber Crime Investigations
We will consider:
- Guidelines for giving testimony as a fact witness or an expert witness
- Guidelines for testifying in court, depositions, and hearings
- Procedures for preparing forensic evidence for testimony
- How to avoid some common problems of testimony

Expert Testimony in Cyber Crime Investigations (Cntd)
Guidelines for giving testimony as a fact or expert witness
- Fact witness
  - You provide only the facts you have found in your investigation
  - You present the evidence as is, explain what it is and how it was obtained, and you don't offer conclusions; only the facts and ordinary inferences based on that evidence
- Expert witness
  - You have opinions about what you have found or observed
  - You form these opinions from experience and deductive reasoning based on facts found during the investigation
- For either type of testimony, you need to prepare thoroughly
  - Establish communication early with your attorney
  - Before you start processing evidence, learn about the victim, complainant, opposing experts or fact witnesses, and opposing attorney as soon as possible
  - Learn the basic points of dispute, and take notes, but keep them in rough-draft form and record only the facts (keep your opinions to a minimum at this point)

Expert Testimony in Cyber Crime Investigations (Cntd)
Guidelines for giving testimony as a fact or expert witness (Cntd)
- In your analysis and reporting, develop and maintain a standard method of processing to help you prepare for testimony later
- Use peer review (a newer development in the field of digital forensics)
  - Take advantage of your professional network and request peer reviews to help support your findings
- Use the Internet to research opposing experts and try to find their strengths and weaknesses in previous testimonies
- Consider the following questions when preparing your testimony:
  - What's the client's overall theory of the case?
  - What's my story of the case (the central facts relevant to my testimony)?
  - What can I say with confidence?
  - How does my opinion fit into the theory of the case?
  - What's the scope of the case? Have I gone too far?
  - Have I identified the client's needs for how my testimony fits into the overall theory of the case?

Expert Testimony in Cyber Crime Investigations (Cntd)
Guidelines for testifying in court, depositions, and hearings
- Provide the court with:
  - Other cases in which you have testified as an expert
  - Any published writings
  - Previous compensation you received when giving testimony
- To qualify your testimony, present your curriculum vitae (CV), which lists your education, training, and professional experience
  - Describe tasks you've performed that define specific accomplishments
  - List your general and professional education, and professional training
  - Include a log that reflects every testimony you have given as an expert
- Prepare technical definitions you may need for a nontechnical audience (e.g., what MD5, SHA-1, and a timestamp are)
- Understand the trial process
  - The typical order of trial proceedings is pretrial motions, impaneling the jury (if used), opening statements, plaintiff and defense presentations, rebuttal, closing arguments, and jury instructions (if used)

Expert Testimony in Cyber Crime Investigations (Cntd)
Guidelines for testifying in court, depositions, and hearings (Cntd)
- Be professional and polite when presenting yourself to any attorney or the court
- Try to learn the jury's, judge's, and other attorneys' level of knowledge of, and attitudes toward, computers and technology
- Two responses you should be prepared to use often as a witness if asked a question you can't answer: "That is beyond the scope of my expertise" or "I was not asked to investigate that"
  - These statements make it clear that you understand your limitations
- Your delivery is an important part of how you answer questions and affects the impact you have on the court/jury
  - Use simple and direct language, avoid humor, build repetition into your explanations, use chronological order to describe events, and, when giving an opinion, cite the source of the evidence the opinion is based on
- Use graphics as much as possible during your testimony

Expert Testimony in Cyber Crime Investigations (Cntd)
Procedures for preparing forensic evidence for testimony
- Prepare answers for questions on the steps used to collect and preserve the evidence
- Prepare to explain specific features of the computer, OS, and applications from which the evidence was collected
- Prepare to explain how these applications and the digital forensics tools interact

Expert Testimony in Cyber Crime Investigations (Cntd)
How to avoid some common problems of testimony
- Recognize when conflict-of-interest issues apply to your case and discuss any concerns with the attorney who hires you
- Avoid agreeing to review a case unless you're under contract with that person
- Avoid conversations with opposing attorneys
  - There is no such thing as an "off the record" conversation with opposing attorneys after you have been retained; refer them to the attorney who retained you
- You should receive payment for your testimony before testifying
  - If you haven't been paid, it might seem that you have a contingent interest in the litigation, that is, that your payment depends on the resolution of the case
- When you're testifying, don't talk to anyone during a court recess
- If a jury is used in the case and a juror approaches and says anything to you, decline to talk with him/her and promptly report the contact to the attorney who retained you
  - This event must be reported to the court

Ethics for the Expert Witness
We will consider:
- How ethics and codes apply to expert witnesses
- Ethical difficulties in expert testimony

Ethics for the Expert Witness (Cntd)
How ethics and codes apply to expert witnesses
- Ethics are the rules you internalize and use to measure your performance
- The standards that others apply to you, or that you're compelled to adhere to by external forces such as licensing bodies, can be called ethics, but they're more accurately described as rules of conduct
  - Many professions call these rules codes of professional conduct or responsibility
- Maintain objectivity and confidentiality
  - Sustain unbiased opinions of your cases, and avoid drawing conclusions about the findings until all reasonable leads have been exhausted and you have considered all the available facts
  - Ignore external biases to maintain the integrity of the fact-finding in all investigations
  - Keep the case confidential until you are designated as a witness or required to release a report at the direction of the attorney or the court

Ethics for the Expert Witness (Cntd)
Ethical difficulties in expert testimony
- There are inherent conflicts between the goals of attorneys and the goals of expert witnesses
  - Attorneys look to sway the judge or jury with the most articulate, understandable expert, who is generally the most persuasive expert rather than the best scientist
  - In contrast, science requires experts to focus on the evidence without the influence of others' objectives
- To provide reliable and valid testimony, the expert has the "ethical responsibility to present a complete and unbiased picture of the research relevant to the case at hand"