CyberSecurity Malaysia | An Agency Under MOSTI
Obtaining and Using
Electronic Evidence:
Issues, Cases, and
Theories
Philip A. Guentert
Attaché, U.S. Justice Department
American Embassy Bangkok
Agenda
How do we obtain electronic evidence?
What are we trying to prove? Thinking about
the elements of the offense
Where is the electronic evidence? Looking for
proof of the cybercrime
Where do we start? Preserving and identifying
probative electronic evidence
Agenda
How do we use electronic evidence in
court?
The admissibility of computer evidence:
hearsay and authentication
The presentation of computer evidence:
expert testimony and demonstrative exhibits
HOW DO WE OBTAIN ELECTRONIC EVIDENCE?
THINKING ABOUT THE
ELEMENTS OF THE OFFENSE
Picture the conclusion of your case. . . .
Elements of §4 of the Malaysian
Computer Crimes Act 1997
Causing a computer to perform any
function with intent to secure access;
Where the access is unauthorized;
Knowing that it is unauthorized;
And acting with the intent:
to commit an offence involving fraud or
dishonesty or which causes injury as defined
in the Penal Code; or
To facilitate the commission of such offense
by oneself or another
HOW DO WE OBTAIN ELECTRONIC EVIDENCE?
LOOKING FOR PROOF OF THE
CYBERCRIME
Where?
Where’s the
evidence?
[Photo: devices that may hold electronic evidence: PDAs, USB drives, a hard drive, a cell phone, a CF card]
Where (watch)
Now where's the evidence?
[Photo: a wristwatch and a packet of breath strips]
This is a USB watch. These are breath strips.
This watch has USB storage!
During a search do you seize. . . ?
HOW DO WE OBTAIN ELECTRONIC EVIDENCE?
PRESERVING AND
IDENTIFYING PROBATIVE
EVIDENCE
Preserving Electronic Evidence
Device or other computer
Consult a specialist
Photograph screen and device.
Goal is to preserve: do not search device.
When to interrupt or maintain power
Collect peripherals, cables, and
documentation.
Network
Log retention
Investigative Questions
Cybercrime involves “people evidence” as
well as electronic evidence
What questions do you ask about a
cybercrime?
Investigative Questions (cont.)
General for all cybercrime
Contact info for system administrator
When and where devices obtained
Identity of those with access to devices and their level
of experience
Scope of their access, local or remote
Their usernames and passwords
Which programs they use
E-mail addresses, on-line storage
Presence or use of “wiping” software
Investigative Questions (cont.)
Example for specific cybercrime: fraud
Victim questions:
Which accounts involved? Recent unusual activity?
Have you provided personal information to any organization
or individual? For what purpose?
Recently completed credit applications or loan documents?
Maintain personal information on computer?
Have any financial statements gone missing in the mail?
Have you checked your credit reports?
Suspect questions:
Where is computer? Was it used for on-line purchases?
Does your computer contain photo or scanner software?
E-mail is a critical source of electronic
evidence
U.S. v. Fei Yei (2007)
Four defendants convicted of economic
espionage charges based on their theft of
trade secrets concerning integrated circuit
design from Silicon Valley companies
Initial seizure at airport provided basis for
search warrants at residences
U.S. v. Fei Yei
Searches at residences provided basis for
e-mail searches at ISPs
Results:
Five Yahoo e-mail accounts
25,000 pages of e-mails
Yahoo groups account
500 pages of postings
Hypermart FTP storage account
Files stored at a remote location accessed by any
individual with the password
U.S. v. Vysochanskyy (2005)
Ukrainian convicted of
selling thousands of
copies of pirated
software through multiple
web sites
Intermediaries in U.S.
and elsewhere forwarded
payments to accounts in
Lithuania and elsewhere
U.S. v. Vysochanskyy
Obstacles for the network search v.
computer search
E-mail search made arrest possible
U.S. v. Fetterman (2004)
Defendant convicted of scheme to defraud
eBay buyers through shill bids and phony
masterpieces
KENNETH WALTON
U.S. v. Fetterman
Over 500 auctions and $450,000 in sales
involved
Concealment as evidence of criminal
intent
Over 50 phony eBay
user registrations
Shill feedback
HOW DO WE USE ELECTRONIC EVIDENCE IN COURT?
THE ADMISSIBILITY OF
COMPUTER RECORDS
Admissibility of Electronic
Evidence
Human inputs data → legal issue: hearsay
Computer stores data and/or generates data
Human seizes evidence → legal issue: authenticity
Hearsay
People may misinterpret or misrepresent
their experiences
Hearsay is an out-of-court statement by a
person offered for its truth
Electronic evidence that is entirely
computer-generated is
not hearsay
U.S. v. Blackburn:
Correct holding?
Bank robber leaves eyeglasses in
getaway car. At trial, prosecution
offers computer-generated report
showing that glasses match
prescription of defendant.
Appellate court holds that report
was hearsay that required
evidentiary foundation for the business-record exception.
Authentication
Authenticating an exhibit requires
evidence sufficient to support finding that it
is what its proponent claims it to be.
Authenticating computer records does not
require an expert witness or technical
evidence.
Questions Judges Have About
Authenticity of Computer Evidence
Do I know what person produced the
computer record?
Can I rely on the computer program used
to produce the record?
Do I know whether the record was altered
after it was created?
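The preservation steps earlier in the deck (photograph, do not search, collect the device intact) and the judge's third question (was the record altered after it was created?) are answered in practice with cryptographic digests recorded at the moment of acquisition. The script below is an added example for this page, not part of the original presentation or any forensic tool's code: it builds an acquisition manifest (size, modification time, SHA-256 and SHA-1 digests for every seized file, plus a digest over the file list itself) and re-verifies the files later, reporting anything missing or changed. The directory layout, case identifier, examiner name and file contents are constructed for illustration.

```python
"""Acquisition-time integrity manifest for seized files, with later re-verification.

Added example for this page; the case id, examiner name, file names and file
contents below are constructed assumptions, not data from any real matter.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Two independent digests, as most forensic imaging tools record.
HASH_ALGS = ("sha256", "sha1")


def hash_file(path, algs=HASH_ALGS, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for one file, read in chunks so large images fit in memory."""
    hashers = {alg: hashlib.new(alg) for alg in algs}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def build_manifest(root, examiner, case_id):
    """Snapshot every file under `root`: relative path, size, mtime and digests."""
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            entries.append({
                "path": os.path.relpath(full, root),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
                "digests": hash_file(full),
            })
    manifest = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }
    # Digest over the serialized file list, so the manifest itself can be
    # written into the chain-of-custody form and checked later.
    body = json.dumps(entries, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(root, manifest):
    """Re-hash every listed file; return a list of (path, problem). Empty list means intact."""
    problems = []
    for entry in manifest["files"]:
        full = os.path.join(root, entry["path"])
        if not os.path.exists(full):
            problems.append((entry["path"], "missing"))
            continue
        current = hash_file(full, algs=tuple(entry["digests"]))
        for alg, expected in entry["digests"].items():
            if current[alg] != expected:
                problems.append((entry["path"], f"{alg} mismatch"))
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    if hashlib.sha256(body).hexdigest() != manifest["manifest_sha256"]:
        problems.append(("<manifest>", "file list altered"))
    return problems


def demo():
    """Constructed scenario: acquire two files, verify, tamper with one, verify again."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "inbox.mbox"), "wb") as fh:
            fh.write(b"From: suspect@example.invalid\nSubject: layout files\n")  # constructed sample
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"login note for remote storage\n")  # constructed sample
        manifest = build_manifest(root, examiner="Examiner A", case_id="CASE-0001")
        before = verify_manifest(root, manifest)          # expect []
        with open(os.path.join(root, "notes.txt"), "ab") as fh:
            fh.write(b"edited after seizure\n")           # simulated post-seizure alteration
        after = verify_manifest(root, manifest)           # expect two mismatches on notes.txt
        return before, after


if __name__ == "__main__":
    print(demo())
```

The value of `manifest_sha256` is what goes on the paper chain-of-custody record (or is photographed with the device), because a digest that only lives on the examiner's laptop proves nothing about alteration. A matching re-verification is also the kind of non-technical foundation a seizing officer, rather than an expert, can lay when the exhibit's authenticity is challenged.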
U.S. v. Simpson
Court holds that chat room records
for "Stavron" properly authenticated
as statements of child-pornography
defendant Simpson.
Circumstantial evidence included
(1) chat with undercover agent
giving real name as "B. Simpson"
and a home address that matched
Simpson's (2) access to the
Internet from an account registered
to Simpson. Also, police found
records in Simpson's home that
listed the name, address, and
phone number that the undercover
agent had sent to "Stavron."
HOW DO WE USE ELECTRONIC EVIDENCE IN COURT?
THE PRESENTATION OF
COMPUTER RECORDS
Explaining Technical Evidence:
Expert testimony—F.R.E. 702 et seq.
Demonstrative aids—F.R.E. 611(a)
Expert Testimony
Rule 702: “If scientific, technical, or other
specialized knowledge will assist the trier
of fact to understand the evidence or to
determine a fact in issue, a witness
qualified as an expert by knowledge, skill,
experience, training, or education, may
testify thereto in the form of an opinion or
otherwise, if [following requirements
met].” Cf. §45 Malaysian Evidence Act.
[Graphic: explanation of a complex technical subject]
The value of expert testimony about
cybercrime is more than the opinion. . . .
Demonstrative aids
Rule 611(a): “The court shall exercise
reasonable control over the mode and
order of interrogating witnesses and
presenting evidence so as to . . . make the
interrogation and presentation effective for
the ascertainment of truth . . . .”
Demonstrative aids (cont.)
Use during testimony—examples
Map
Diagram
Illustrate locations
Illustrate process
Selections from documents and
records
Outline of testimony
Model
How to use during testimony
Demonstrative aids (cont.)
Use during opening statement/closing
argument—examples
Opening
Chronology
Organization
Closing
Key issue
Legal rules
Questions or comments
Philip A. Guentert
guenterpa@state.gov
02-205-5503