COMPUTER FORENSICS: ADMISSIBILITY OF EVIDENCE IN CRIMINAL CASES
By
Jerry Wegman
Associate Professor of Business Law
ABSTRACT
Computers and the Internet have become a pervasive element in modern life. This technology is also used by those who engage in crime and other misconduct. Effective investigation of these offenses requires evidence derived from computers, telecommunications and the Internet. The need for digital evidence has led to a new area of criminal investigation: Computer Forensics. Forensic investigators identify, extract, preserve and document computer and other digital evidence. This new field is less than fifteen years old, and is rapidly evolving.
Education in this field has focused largely on its technical aspects. However, there are significant legal issues and ethical problems that investigators must deal with. Failure to follow proper legal procedure will result in evidence being ruled inadmissible in court. As a result, a guilty criminal might go free. Failure to behave in an ethical manner will erode public confidence in law enforcement, making its job more difficult and less effective.
This paper will provide an introduction to the most significant legal issue in computer forensics: admissibility of evidence in criminal cases. The law of search and seizure, as it relates to digital equipment, will be reviewed. Interception of electronic communications and accessing stored digital information will be examined. Public policy in the form of federal legislation will be discussed. Finally, ethical concerns will be considered.
INTRODUCTION
On
The antidote to this problem is effective investigation and prosecution.
Critical evidence needed to convict cyber-criminals is located on computers, networks and the Internet. However, this evidence is often difficult to obtain. It may have been deleted, overwritten, encrypted or hidden in a vast database (Schultz 2001). Nevertheless, cyber-detectives have developed techniques to salvage such information. A new investigative specialty has thus emerged: “Computer Forensics”. This term, first used in 1991, refers to the identification, extraction, preservation and documentation of computer based evidence (Armstrong 2000).
An important legal challenge faces cyber-investigators: not only must they discover incriminating evidence, they must also do it in a lawful manner. Otherwise, the evidence will not be admissible in court.
As Marcella and
Investigators must have a working knowledge of legal issues involved in computer forensics. They must know what constitutes a legal search of a stand-alone computer as opposed to a network; what laws govern obtaining evidence and securing it so that the chain of evidence is not compromised; what telecommunications may lawfully be intercepted or examined after they have been received; what legally protected privacy rights employees and other individuals possess. This paper will address all these concerns.
Because computer forensics is such a new field, investigative and legal norms are just now emerging. Little has been written about the legal requirements for admissibility of computer forensic evidence, or about the ethical and regulatory issues related to this new field. First we will examine the admissibility of evidence in a criminal prosecution, both with and without a search warrant. Next, public policy in the form of federal legislation will be discussed. Finally, ethical implications will be considered.
SEARCHING WITH A WARRANT
The balance between the individual's right of privacy and the government’s right to violate that privacy by searching and seizing property is defined by the Fourth Amendment to the U.S. Constitution. This amendment, part of the Bill of Rights, was adopted in 1791 in response to British soldiers breaking into colonists’ homes in search of pamphlets or other evidence supporting independence before the Revolutionary War (Del Bianco 2002). It is in frequent use in law enforcement today, as police searches and seizures must comply with its requirements. The Amendment reads:
The right of the people to be secure in their persons, houses, papers and effects against unreasonable searches and seizures shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched and the persons or things to be seized.
The Amendment interposes a magistrate as an impartial arbiter between the defendant and the police. The magistrate may issue a search warrant if he/she is convinced that probable cause exists to support a belief that evidence of a crime is located at a premises. The officer must prepare an affidavit that describes the basis for probable cause, and the affidavit must limit the area to be searched and evidence searched for. The warrant thus gives the police only a limited right to violate a citizen’s privacy. If the police exceed that limited right, or if a warrant is required but the police have not first obtained one, then any evidence seized must be suppressed (U.S. Department of Justice 2002).
Suppressed evidence may not be used in court. In many cases the criminal charges will be dismissed, even though the guilt of the defendant is clear. However, if other, untainted evidence exists supporting conviction, the defendant may be convicted on the strength of that evidence (Dershowitz 2002). Criminal trials are often preceded by a suppression hearing, at which the admissibility or suppression of evidence is determined. Often a guilty plea is obtained following the suppression hearing. Thus the issue of suppression, driven by a determination of whether the Fourth Amendment has been correctly followed by the police, is often the determining factor in criminal cases.
In a traditional, “old fashioned” case, a detective would receive information from a reliable informant that contraband, for example drugs, was located at a premises. The detective would prepare a statement describing the informant’s reliability and that the informant had recently observed drugs at the premises. The detective would take the affidavit to a judge, who would determine whether probable cause existed. If that determination was positive, the judge would sign the search warrant authorizing the detective to search for and seize a specific type and quantity of drugs at that premises. The detective would then go to the location and execute the warrant (Skibell 2003).
However, in a computer forensics case there is added complexity. The contraband might consist of child pornography or records of drug sales. This information might be located on a laptop computer, but it might also be located on a network server in another state or in a foreign country. The information might be located on a hard drive, a diskette or a CD. The contraband information might be very difficult to recognize: it could be encrypted, misleadingly titled, or buried among a large number of innocent files (Villano 2001). It could take considerable time to identify the contraband.
As noted above, a search warrant gives only limited authority to the police to search. The search should be no more extensive than necessary, as justified by probable cause. Thus, if the probable cause indicates that the contraband is located in a file on a CD, this would not justify seizing every computer and server on the premises (Brenner 2001/2002). The extent of the search is tailored to the extent of the probable cause. If the police wish to seize a computer and analyze it at a later time, the probable cause statement should demonstrate the impracticality or danger of examining the computer on the premises, hence the need to confiscate it and analyze it off-site.
A new question facing law enforcement since passage of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act) in 2001 is when to notify the target of a search. Normally the target is notified at the time a physical search is made. However, the USA PATRIOT Act amended Title 18, Sec. 3103a of the United States Code to permit delayed notification. This has been described as a “sneak and peek” provision by critics of the Act (Shulman 2003). Law enforcement may now delay notification of the target for up to 90 days, with another delay possible upon a showing of good cause. In order to obtain authority for delayed notification, an investigator must show a need for the delay, such as danger to the life or safety of an individual, risk of flight from prosecution, witness or evidence tampering, or that immediate notice would “seriously jeopardize” an investigation.
Another legal issue in computer forensic cases is how much time the police may have to analyze a computer after seizing it. Federal Rule of Criminal Procedure 41(c)(1) gives the police 10 days after issuance of the warrant to serve it. But there is nothing in the Rule about how long the police may keep and analyze the computer. Nevertheless, some magistrates issuing warrants for computers have demanded such time limits, and some prosecutors have complied. In the case of United States v. Brunette, 76 F. Supp. 2d 30 (1999), a magistrate issued a warrant on condition that the police complete their examination of the computer within 30 days. When the police took two days longer than the allowed time, the court suppressed child pornography evidence obtained after the deadline. As a practical matter, the search of a computer in police custody should be done as quickly as possible (Brenner 2002). This is especially important if the computer is needed for the operation of a business.
SEARCHING WITHOUT A WARRANT
In the United States Supreme Court case of Illinois v. Andreas, 463 U.S. 765 (1983), the Court held that a search warrant is not needed if the target does not have a “reasonable expectation of privacy” in the area searched. In U.S. v. Barth, 26 F. Supp. 2d 929 (1998), a U.S. District Court held that the owner of a computer has a reasonable expectation of privacy in the information stored on that computer. However, if the computer owner transfers possession of the computer to a third party, for example for repair, that expectation of privacy may be lost, because numerous repair personnel would then have access to the computer and its stored contents.
Earlier non-computer cases suggest that when information is divulged to third parties the expectation of privacy may be lost. In U.S. v. Miller, 425 U.S. 435 (1976) the Supreme Court held that the expectation of privacy is lost when bank account information is divulged to the bank. In Couch v. U.S., 409 U.S. 322 (1973) the Supreme Court held that a client had no reasonable expectation of privacy in information divulged to his accountant. Cyber examples would include posting a message on an Internet bulletin board or sending an email to a chat room.
The loss of a reasonable expectation of privacy, and therefore the loss of Fourth Amendment protection is extremely important because much information is transmitted to networks and to the Internet. If circumstances suggest the sender had no reasonable expectation of privacy, then no warrant is required by the police in order to obtain that information (Nimsger 2003).
In the case of U.S. v. Simons, 206 F.3d 392 (2000) a government employee working for the Central Intelligence Agency was suspected of using his office computer to download pornography. The CIA, acting without a warrant, remotely accessed the computer, and discovered photos of child pornography. In the criminal case that resulted, Simons tried to suppress those photos, claiming a violation of the Fourth Amendment. However, the CIA had an Internet use policy that allowed it to “periodically audit, inspect, and/or monitor … users’ Internet access”. The Court determined that in light of this formal policy, the employee had no reasonable expectation of privacy, hence no warrant was required for the government search.
No warrant is needed when the target consents to a search of his/her computer. No warrant is needed where a third party, such as a spouse, parent, employer or co-worker consents to the search, so long as the third party has equal control over the computer.
No warrant is required when probable cause exists but there is an “emergency”, leaving no time or opportunity to obtain a warrant. An example is U.S. v. David, 756 F. Supp. 1385 (1991), where agents observing the target deleting files immediately seized the computer.
In some cases the Electronic Communications Privacy Act (ECPA), 18 U.S.C. Sec. 2701-2712 (1986) is the controlling legal authority, rather than the Fourth Amendment. Typically this occurs when information is transmitted to a network and is then stored under the control of a network administrator. This will be discussed below in the section on public policy.
WORKPLACE SEARCHES
The widespread use of computers and Internet access in the workplace has tempted many to use these facilities for crime. The seminal case involving the admissibility of evidence derived from a workplace search is O’Connor v. Ortega, 480 U.S. 709 (1987). This case makes an important distinction between workplaces that are in the private sector as opposed to those in the public sector. As noted above, an employer may be able to give effective consent to the police to search an employee’s computer. However, if the employer is the government, the government would be giving itself consent. The O’Connor decision held such consent to be invalid. Let us therefore first consider the situation relating to private sector employment.
As noted earlier, a fellow employee who has equal control over a computer can consent to its search. If that search reveals evidence incriminating to another employee, the warrantless search does not violate the Fourth Amendment and the evidence is admissible. Employers and supervisors who have authority over an employee’s computer can also consent to its search. It is helpful if the employer has a formal employment policy stating that the employer retains authority over its computers and network, as in the Simons case, noted above.
The foregoing discussion deals with a situation in which the police seek and obtain consent from an employer to conduct a search of an employee’s computer. A different situation exists where a private employer conducts the search on his/her own initiative, without police involvement. For example, the employer may have reason to suspect that the employee is spending considerable time buying and selling on eBay using the office computer. Upon searching the computer, the employer discovers evidence of embezzlement and contacts the police. Such a search does not violate the Fourth Amendment, because the Amendment only limits government searches, not searches by private persons. Evidence thus obtained is therefore admissible in the criminal trial against that employee. Such private searches rarely violate the Fourth Amendment (U.S. Department of Justice 2002).
The situation is quite different if the employer is the government. As noted above, the O’Connor case holds that the government cannot give itself effective consent to search an employee’s computer. In such a case the government will have to seek other authority for a search, such as a search warrant.
PUBLIC POLICY CONSIDERATIONS
Congress has responded to the changing technological landscape. The most important federal statutes affecting computer forensics are the Electronic Communications Privacy Act (ECPA), the Wiretap Statute, the Pen/Trap Statute and the USA PATRIOT Act.
The Electronic Communications Privacy Act (ECPA) 1986
As noted above in the section on warrantless searches, ECPA often is the controlling legal authority with regard to stored computer files that have been transmitted to a network administrator. It is important to note that this discussion involves stored computer information, as opposed to the real-time interception of communications. Interception falls under the Wiretap statute, discussed below. Stored information includes all Internet communications, such as email stored on an Internet Service Provider’s (ISP) servers.
ECPA is a highly nuanced example of public policy. Congress felt that information stored on a network deserved varying levels of privacy protection, depending on how important or sensitive the information was. Accordingly, in Title 18, Section 2703 of the U.S. Code ECPA created five categories of sensitivity. The more sensitive the category, the greater the justification the government must show in order to obtain the information from a third party (usually the system administrator). The most sensitive information consists of the content of un-retrieved communications such as email that has resided in electronic storage for 180 days or less. After 180 days the information is considered “stale” and not deserving of the top category of protection, so it does not require a full search warrant for access. The least sensitive category includes only basic information such as the name of the subscriber and how bills are paid. To obtain that information, the government needs only an administrative subpoena. An administrative subpoena can be issued by a government agency on its own, without prior approval by a court. For example, the FBI could issue an administrative subpoena for good cause. That subpoena could later be challenged, and if a court later decided that good cause did not exist then information obtained under that subpoena would be suppressed.
The Wiretap Statute (Title III), amended 1986
While ECPA regulates government access to stored computer information in the hands of third parties, the Wiretap statute deals with direct surveillance or real-time interception of electronic communications by government agents. The Wiretap statute is commonly known as Title III, because it was first passed as Title III of the Omnibus Crime Control and Safe Streets Act of 1968, 18 United States Code Sec. 2510-2522, amended in 1986. A government investigator who was accessing a target computer as messages were being sent would be subject to the Wiretap statute (Strang 2001). Wiretaps most commonly affect telephone conversations.
Before the government may wiretap, a court order must be obtained. Court orders vary widely in the amount of justification that must be demonstrated for their issuance. Section 2518 of the Wiretap statute requires a substantial amount of justification. This includes a demonstration of probable cause to believe that the interception will produce evidence relating to a felony; that normal investigative procedures have either failed, are unlikely to succeed, or are too dangerous; that the computer or other electronic device is being used in the commission of a crime; and finally, that the surveillance will be conducted in a manner that will minimize the interception of innocent communications. If a judge is satisfied that all these requirements have been met he or she will sign the court order. The target will be notified only after the wiretap order has expired. In comparison, a court order for a pen/trap device requires only a statement by the investigator that it is his/her belief that the information likely to be obtained is “relevant” to a criminal investigation.
The Pen/Trap Statute, amended 2001
The Pen/Trap statute, 18
The
On
Perhaps the most controversial provision of the Patriot Act is the so-called “sneak and peek” authority conveyed in Section 213 of the Act (Shulman 2003). This Section provides delayed notification to the targets of searches. The Act modifies the U.S. Criminal Code, Title 18, Sections 3103a and 2705. These modifications allow the government to delay notification of physical searches for up to 90 days. Extensions may be given for good cause. However, the delayed notification provision is restricted to cases where the government demonstrates an urgent need for delay, including situations where the life or physical safety of an individual is in jeopardy, or to avoid the destruction of evidence. Excerpts of Section 2705 are reproduced in Appendix A.
Delayed notification is not an entirely new element in federal criminal law. It is the norm in wiretap cases, as noted above, and was used and upheld in the seminal U.S. Supreme Court case of Dalia v. U.S. in 1979. In that case federal investigators entered a home, searched and implanted a hidden microphone pursuant to a search warrant. Notice was delayed until the surveillance ended. What is new about the Patriot Act is that it provides for delayed notification in ordinary physical searches. In the past delayed notification has been used only in connection with electronic surveillance (Carter and Spafford 2003).
The Act also makes it easier for law enforcement to install an electronic surveillance device. Formerly, a wiretap order or pen register order had to be obtained in the jurisdiction in which the device was to be installed. Internet communications typically involve Internet service providers located in many jurisdictions. Sections 216 and 220 allow devices to be installed anywhere in the
Section 225 of the Act is of particular importance to computer forensic investigators and providers of information to the government. It gives immunity from civil lawsuits to any person who provides technical or other assistance in obtaining electronic information pursuant to a court order or valid request for emergency assistance.
The Act contains numerous other provisions expanding the scope of forensic investigations. However, it also contains a “sunset” provision. Under this provision the Act will terminate on
Computer forensics is specifically supported by the Patriot Act. Section 816 authorizes the expenditure of $50 million for the creation and support of regional computer forensic laboratories. These laboratories will conduct investigations and also train investigators.
ETHICAL CONCERNS
Ethical concerns relating to the use of computer forensics include proper use of prosecutorial and police discretion. Prosecutors and police officers are invested with considerable discretion in exercising their authority (Healy and Manak 1971). For example, if a motorist is driving 5 miles over the posted speed limit, an officer stopping that motorist could issue a ticket or merely give a warning. An officer who, for example, tickets Blacks going 5 miles over the speed limit while giving warnings to Whites is abusing his/her discretion. On the other hand, an officer who gives warnings to all motorists traveling 5 miles over the speed limit if they have clean driving records is not abusing discretion.
Effective exercise of discretion requires a proper balance of law enforcement zeal and respect for individual liberties (Goldberg 2002). For example, when an agent applies for a search warrant, the agent must decide whether to apply for a conventional warrant, which requires prompt notice to the target, or whether to apply for a “sneak and peek” warrant with its delayed notice feature. Effective investigation will likely be promoted if the target is unaware of the search. But the intrusion upon privacy and the “big brother” impact will be greater (Brenner 2002). Is the greater damage to privacy justified?
A similar issue faces an agent applying for a pen/trap order. All that is needed to obtain the order is for the agent to certify his/her belief that the information to be gained is “relevant” to an ongoing investigation. How relevant must it be? There could be temptation to exaggerate the relevance in order to obtain the order.
An ethical dilemma also faces the custodian of electronic records such as a network administrator or Internet service provider (Holtzman 2002). As noted above in the section dealing with the USA PATRIOT Act, Section 225 of that Act gives immunity to one who complies with a court order or valid request for emergency assistance. If the government has a court order there is no problem. Without a court order however, immunity is not automatic, because a court might later determine that the “emergency” was not valid.
Imagine for example that you are a network administrator. A federal officer comes to your office and says that he believes that a terror attack is planned in an hour. He needs confidential customer information in your custody. He does not have a court order, warrant or any other formal authority. If you turn over the information you may save lives, but you are also exposing yourself and your firm to potential civil liability if a court later determines that no valid emergency existed. What should you do? How much evidence should you demand before you turn over the information?
A partial answer to these dilemmas lies in educating investigators regarding their lawful obligations under the Constitution and federal statutes. This educational process should include emphasizing the importance of maintaining public support for law enforcement. This support can be eroded by heavy-handed use of techniques like “sneak and peek” searches. Role-playing, for example, can help sensitize investigators to ethical dilemmas such as those described above. This would allow investigators to consider ethical dilemmas before they occur, and to resolve them in an unstressed classroom environment with the help of an instructor. Hopefully this will help lead to more responsible exercise of discretion by those entrusted with our security.
CONCLUSION
Computer crime threatens our commercial and personal safety. Computer forensics has developed as an indispensable tool for law enforcement. But in the digital world, as in the physical world, the goals of law enforcement are balanced with the goals of maintaining personal liberty and privacy. Computer forensic investigators must be aware of the legal environment in which they work, or they risk having the evidence they obtain being ruled inadmissible.
Forensic investigators should understand that before they seize a computer or other electronic hardware they must consider whether the Fourth Amendment requires a search warrant. They should be aware that if they wish to access stored electronic communications, they will need to comply with the Electronic Communication Privacy Act. If they wish to conduct real-time electronic surveillance, they will need to obtain a wiretap order from a judge.
Computer forensic investigators face ethical dilemmas. They must exercise their discretion wisely, balancing their prosecutorial zeal with respect for citizens’ individual liberties. Criminal investigators in
APPENDIX A: Delayed Notification of Searches
TITLE 18 - CRIMES AND CRIMINAL PROCEDURE
Sec. 2705. Delayed notice.
(a) Delay of Notification.
(1) A governmental entity acting under section 2703(b) of this title may -
(A) where a court order is sought, include in the application a request, which the court shall grant, for an order delaying the notification required under section 2703(b) of this title for a period not to exceed ninety days, if the court determines that there is reason to believe that notification of the existence of the court order may have an adverse result described in paragraph (2) of this subsection …
***
(2) An adverse result for the purposes of paragraph (1) of this subsection is -
(A) endangering the life or physical safety of an individual;
(B) flight from prosecution;
(C) destruction of or tampering with evidence;
(D) intimidation of potential witnesses; or
(E) otherwise seriously jeopardizing an investigation or unduly delaying a trial.
(3) The governmental entity shall maintain a true copy of certification under paragraph (1)(B).
(4) Extensions of the delay of notification provided in section 2703 of up to ninety days each may be granted by the court upon application, or by certification by a governmental entity, but only in accordance with subsection (b) of this section.
REFERENCES
Armstrong, I. (2000). Computer Forensics. SC Magazine, April 2000.
Bass, A. (2003). Identity Crisis. CSO Magazine,
Brenner, S.W., Frederiksen, B.A. (2001/2002). Computer Searches and Seizures: Some Unresolved Issues.
Brenner, S.W. (2002). The Privacy Privilege: Law Enforcement, Technology, and the Constitution. Journal of Technology Law and Policy, 7/123.
CSO (2003). Cybercrime will only get worse. CSO Magazine
CSI/FBI (2003). Computer Crime and Security Survey. Retrieved from http://www.gocsi.com/press/20030528.jhtml.
Carter, B., Spafford, E.H. (2003). Getting Physical with the Digital Investigation Process. International Journal of Digital Evidence, 2/2.
Del Bianco, H. (2002). The Case for Civil Liberties.
Dershowitz, A.M. (2002). Why Terrorism Works.
Federal Trade Commission (2004). Report of
Goldberg, M. (2002). Watching the Detectives. CIO Magazine, June 2002.
Healy, P.F. and Manak (ed) (1971). The Prosecutor’s Deskbook.
Holtzman, D.H. (2002). Charting Ethical Waters. CSO Magazine, November 2002.
Marcella, A.J.,
Nimsger, K.M. (2002). Same Game, New Rules. Legal Times,
Nimsger, K.M. (2003). Digging for E-Data. TRIAL, January 2003.
Phillips, D.E. (2002). Appreciating the Art of the Ethical Hack. Legal Times,
Schultz, D.H., Keena, J.R. (2001). E-Trail Trek. Verdicts and Settlements,
Shulman, R. (2003).
Skibell, R. (2003). Cybercrimes and Misdemeanors: A Reevaluation of the Computer Fraud and Abuse Act. Berkeley Technology Law Journal, 18/909.
Strang, R. (2001). Recognizing and Meeting Title III Concerns in Computer Investigations.
Uniting and Strengthening
Villano, M. (2001). I.T. Autopsy. CIO Magazine, March 2001.