Computer forensics legal regulations

Like any other new scientific discipline, computer forensics has been gradually developing into a generally accepted method for determining the origin and validity of digital evidence.

As methods for gathering, analyzing and presenting digital evidence differ from state to state, the regulations applicable in a particular legal process, and the procedure by which digital evidence is presented so that the court accepts and recognizes it, vary considerably.

Regulations governing this segment of criminal investigation are lagging behind technological development. This unsurprising gap will deepen in the future and may cause even bigger problems. Legal science is rigid per se, while technology is constantly improving. The application of advanced technologies is growing exponentially even in technologically underdeveloped countries like Serbia. As a result, many abuses remain invisible to the judicial system.

Below you can find more information about international and local legal regulations related to computer forensics.

Aspects of international law

  • International aspects

    The differences between the legal systems of the UN member states have made the harmonization of legislation a priority for the international community. When a certain behavior is recognized as illegal in one country while the same type of behavior is treated as legal in another, there is ample room for avoiding criminal liability.

    Another problem that arises is the problem of jurisdiction.

    In this case, as in the first one, the problem is caused by technology that allows work from distant locations, that is, the use of one country’s resources for activities in another while the operational work is done in a third. This kind of action is impossible in the world of classic crime. Precisely for the sake of coordination and an effective fight against crime, mutual understanding and respect between prosecuting authorities and the judiciary are necessary. First of all, legislation needs to be brought closer together, and then the processes of collecting and analyzing digital evidence need to be coordinated.

    In the international fight against cyber crime, as well as in defining and predicting the potential risks, the most important actors, to a greater or lesser extent, are:

    • United Nations (UN)
    • Organisation for Economic Co-operation and Development (OECD)
    • Council of Europe
    • European Union
    • G-8

  • Organisations

    • Council of Europe

      The Council of Europe is an international organization based in Strasbourg. It was established in 1949 by ten Western European countries.

      Today it is a pan-European organization that includes Russia and Turkey. The main role of the Council of Europe is to strengthen democracy, human rights and the rule of law in the member states. In the sphere of criminal law, over twenty conventions and more than eighty recommendations have been adopted. In 1989 the Committee of Ministers, composed of the foreign ministers of the member states, adopted a Recommendation on data protection. This Recommendation invites member states to consider introducing some regulations regarding cyber crime. In 1995 the Council of Europe adopted Recommendation 95, which sets out the procedure for implementing the previous recommendations. Recommendation 95 marks the first time that search and seizure procedures, surveillance, electronic evidence, encryption and international cooperation were defined.

      The Committee of Experts on crime in cyberspace (PC-CY) was formed in February 1997. The task of this committee was to investigate computer crime and related issues in criminal procedural law. The ultimate goal of its work was to define the offense, jurisdiction, search and seizure, data protection and internet service provider liability. As a result of this work, the Convention on cybercrime was created on 31st November 2001 in Budapest.

      This convention is a milestone in the fight against cyber crime, as well as clear guidance to all countries on how justice should treat offenses in this sphere.

      By defining the measures to be taken at the national level, the Council of Europe gave a complete list of properly defined crimes against the privacy, integrity and availability of computer data and systems, from illegal access to systems and data to child pornography.

      In this way, each country was enabled to identify the type of crime and, as such, to include or define it in its own judicial system. The Council of Europe did not give guidelines for sanctioning these crimes; it only provided that every member state punish perpetrators with “effective, proportionate and severe sanctions involving deprivation of liberty”. In cases where the offender is a legal entity, a fine is also provided.

      The Council of Europe did not go further in the definition; it left each of its member states to arrange its legal framework the way it considers appropriate. Such an approach leads to differences that are acceptable given the diversity of environments and systems of government.

  • European Union

    The European Union (EU) was formed in the 1950s. Today almost all the countries of the European continent are its members. With its own currency, flag and anthem, the EU also has its own laws and directives to regulate poorly defined and undefined aspects in the field of computer crime.

    In 1995 a Directive establishing criteria for the protection of EU citizens with regard to electronically processed data was adopted. This directive established the right of every citizen to know what information is kept secure, and it restricted the transfer of personal data to countries outside the EU if the country does not have adequate mechanisms for data privacy. In December 1997 a directive ensuring the privacy of telecommunications was adopted. This Directive requires telecommunications companies to delete all data regarding a transmission (i.e. data transfer) immediately after its end, except for the purposes of payment, internal affairs or national security.

    The EU adopted the eEurope initiative in December 1999 to ensure that all EU member states, as well as their citizens, are connected, and that all citizens gain and use the benefits of IT and the Internet. The key points of this initiative relate to connecting young people with new technology, cheaper Internet access, starting e-business and faster internet access for students and pupils. However, when the action plan of the eEurope initiative was approved, emphasis was placed on the importance of network security and the fight against cyber crime.

    The document adopted on 26th January 2001, entitled “Creating a safer information society”, stressed the importance of action to prevent criminal activity, together with the strengthening of IT infrastructure. In that way, adequate resources for the prosecuting authorities of the EU member states were ensured.

    In fact, the basis of this document is the need to provide adequate penalties for child pornography on the Internet and, in the long term, complete legal regulation of cyber crime as well. Together with the regulations, the Commission’s intention was to promote the creation of specialized units of the Ministries of Internal Affairs for computer crimes, at the national level of the member states.

    The following year, a legal framework concerning attacks on information systems was passed.

    It defines the types of attacks on information systems:

    • unauthorized access (hacking)
    • preventing operation of information systems (DoS)
    • execution of malicious programs (viruses, trojans…)
    • interception of communications (sniffing)
    • malicious misrepresentation (spoofing)

    It goes on to define in detail the terms related to computers and to computer crime. The types of attacks that use unauthorized access to an information system are also defined, as well as many other details necessary to establish a legal framework for treating this type of transgression.

    This decision closes the process of defining the offense, as well as the procedures to counter computer crime. The European Union’s efforts to familiarize members with under-developed IT infrastructure, as well as future members, with high-tech crime have lasted from the moment this decision was passed until today.

  • G-8

    The largest contribution to the fight against cyber crime was made by the group of eight most developed countries (G-8) by forming the so-called Lyons Group.

    This group was formed after the summit in 1995 in Halifax. It consists of a group of experts who were given the task to review and draw up agreements and mechanisms for the fight against global organized crime.

    In 1996 in Lyon, this group already presented 40 recommendations to combat organized crime. These recommendations were supported by the G-8 officials.

    After the summit in Lyons, specific groups were formed that would later deal with specific issues related to organized crime (cyber crime, human trafficking, sharing evidence in criminal cases, immigration fraud and terrorism).

    These five sub-groups are aimed at implementing the recommendations adopted in 1996. The high-tech crime subgroup had the goal of increasing the ability of Member States to prevent, investigate and prosecute crimes related to computers, networks and other new technologies. Countries are represented in this group by multidisciplinary delegations made up of investigators and prosecutors, legal experts and computer forensics experts. By 1997, ten principles for the fight against computer crime had already been adopted, along with ten items of the Action Plan. The key moments in the work of this group are: the creation of a global (currently 40 members) directory for critical information (the directory is available only to government institutions of the member states), various documents on best practice (guidelines for the security of computer networks, international requests for assistance, global surveillance of communications and others) and conferences on training national security services in computer crime.

    It should be noted that this group is responsible for reviewing many legal systems in order to help them cope with high-tech crime, as well as for creating the principles of transnational searches and seizures (adopted in Moscow in 1999). The existence of these principles, as well as numerous documents that describe best practices, significantly facilitates operations to prevent and combat global computer crime.

  • Recognition of evidentiary value under national law

    Although legislation in many countries already covers basic offenses such as fraud, unauthorized access and abuse, regulation of a large number of crimes in the field of computer crime will surely take years.

    Many countries around the world are, first of all, trying to provide internet access to their citizens; others, a little more developed, are trying to improve that access. This, like many other factors, contributes to legislation lagging behind the development of technology.

    It is possible that a few global incidents will force the authorities to deal seriously with computer crime, as was the case with the “ILOVEYOU” virus.

    As the development of information technology and e-business is one of the major initiators of social and economic changes, especially in transitional societies such as ours, it is necessary to legally regulate the most important areas – cyber crime and protection of information systems. Lack of adequate regulations will significantly reduce or even completely prevent the development of these areas. The legal framework is the key factor, both to attract new investments and to maintain the existing business environment.

    The reasons for this are manifold:

    • it is necessary to have a secure environment and data protection for any activity that involves processing data
    • Internet technology, as well as e-business, requires security of data and computer networks
    • large companies will not allow sensitive data to be handled in countries without an adequate legal framework in terms of protection against espionage, computer crime, attacks on infrastructure or abuse of telecommunications
    • laws on data privacy are also necessary

  • Recognition of evidentiary value under national law of the USA

    Digital evidence, like all other evidence, must be admissible in court in order for a case to be prosecuted with it. Without a sufficient amount of valid evidence, the prosecutor will have a weak case or none at all. To avoid having evidence thrown out, it is necessary to prove that all search and seizure warrants were legitimate. In the USA it is necessary to prove the basis on which the warrants were issued, as well as the authenticity of the evidence itself.

    • Reasonable suspicion and a search warrant

      The first real problem in all criminal investigations and criminal proceedings is the legality of the initial search and seizure of evidence by the competent authorities.

      In the national law of the United States, this issue is dealt with by the Fourth Amendment and its interpretation in criminal law. The Fourth Amendment limits what investigators may do in terms of search and retrieval of evidence. Courts in the United States, regardless of whether the evidence is in electronic or some other form, take care to protect the reasonable expectation of privacy.

      This prevents the search for documents and files on a person’s personal computer without reasonable suspicion. When it is proved that there was no reasonable suspicion, yet search and seizure were made, the court would dismiss all the evidence collected on that occasion.

      In order for collected evidence to be valid, it is necessary, before the investigation starts, to demonstrate reasonable suspicion and to obtain a valid search warrant. In the case of computers, as well as all other devices in which information and data are stored, the term “search” in fact refers to an analysis of the media content.

      As courts across the country take different views on media content analysis, the search warrants they issue also differ. Often the prosecution is required to state explicitly the file types that will be reviewed and analyzed (e.g. Word documents and Excel spreadsheets), while other courts allow a complete search and analysis of media content.

      The search warrant issue actually stems from the incredibly large amount of information that a single medium may contain. The potential for conflict and confusion about the rules of expected privacy is very large when a computer is involved. Sometimes a search warrant is not needed, not because of an exception defined by law, but because the suspect has no legitimate expectation of privacy.

      For example, if a suspect uses a computer that is publicly available and not password protected, or a computer at a workplace where it is known that a network administrator can access any computer, he in effect gives up all rights guaranteed by the Fourth Amendment because the computer has been used publicly.

      Other questions concern evidence found by a third party. Suppose a computer fails and its owner brings it in for service. A service technician, working on the computer, finds incriminating evidence or information and reports it to the competent authorities. Generally, this information would be treated as valid, but in several cases courts have ruled in favor of the defendant, on the reasoning that the person who brought the computer in for service had not, in fact, abandoned the expectation of privacy, but had allowed access only to the service personnel of the company (United States v. Barth, Texas, 1998).

      Although it is necessary to protect the privacy of citizens, as required by the Fourth Amendment, it is also necessary to draft the search warrant as broadly as is consistent with reasonable suspicion. This way, investigators will be able to perform the widest possible analysis, in accordance with reasonable suspicion, of potentially incriminating content, and it will be accepted by the court.

    • Search without warrant

      If time and circumstances permit, it is best to obtain a search warrant. However, if investigators decide to search without a warrant, the search must fall under one of the exceptions for the results to be accepted by the court.

      Exceptions are as follows:

      • voluntary consent of the suspect
      • possibility of physical destruction of evidence
      • incriminating content is evident
      • during legal detention

      Although the guidelines under which such a search is possible are clear, there is ample room for evidence acquired this way to be rejected later, so all investigators are advised to avoid this method if possible.

    • Relevant acts

      There are numerous laws and amendments that may affect the investigation and which are also related to privacy.

      First of all, there is the privacy act that protects freedom of speech, or the freedom to publish and place material on Internet services. If the material collected is protected by the First Amendment, then this act affects the search. Of course, there are exceptions when it comes to legitimate findings related to a committed crime or to the prevention of a potential crime.

      In any case, investigators must approach with caution any search in which the material sought is potentially mixed with material protected by the First Amendment. The investigator must by all means avoid contact with such material, or else the entire investigation will be declared illegal.

      Another act to be considered is the Electronic Communications Privacy Act, which deals with the protection of innocent third parties who hold stored data, such as Internet service providers. The idea of this law is, in fact, not to protect the company that is the Internet service provider, but to protect the privacy of the company’s other users, whose data is also stored on its servers alongside the data for which there is a warrant.

      There are many other acts that must be taken into account and that investigators in the civil service must comply with in order for their investigation to be accepted in court as legitimate and legal, and for all the evidence to be accepted as credible and authentic.

    • The authenticity of evidence

      Once digital evidence has been found and properly collected, the prosecutor must prove its authenticity in order for it to be accepted by the court. According to Rule 901(a) FRE, “The requirement of authentication or identification as a condition precedent to admissibility is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims.”

      This rule in fact requires the prosecution to prove that the digital evidence introduced in a case is identical to the incriminating material that was collected from the defendant’s computer or other device.

      So, even if the digital evidence has been collected and analyzed according to all the rules, the jury may declare it inadmissible if the prosecutor fails to prove the authenticity of the evidence to the court. This standard is the same as for traditional documents. Typically, this requires the testimony of someone who has been in contact with the disputed document and who can verify its authenticity.

      In the case of photographs, a witness’s statement that the disputed photograph is a “fair and accurate” picture of what the witness saw is sufficient, and the photograph becomes validly introduced evidence. The same applies to computer documents. Someone’s testimony about the structure of these documents is sufficient as a basis for the authenticity of the evidence. It does not take a programmer or analyst to testify about the structure of the file itself. It takes testimony about the content, while compliance with all the preceding procedures ensures the authenticity of the structure.

    • Best evidence rule

      When it comes to written and audio evidence or photographs, the court sometimes requires the original evidence. This requirement is designed to prevent witnesses from misinterpreting certain materials when the court relies solely on their testimony about the content. With the development of technology it has become increasingly easy to create identical copies of documents or of evidence in general. The best evidence rule states that the question of whether the material is presented in its original form can arise when the authenticity, accuracy or reliability of the evidence is challenged, and in that case the original material should be presented if possible.

      When it comes to digital evidence, technology has enabled the creation of copies that are faithful to the original in every sense. In this case, presentation of copies is, in principle, acceptable despite the existence and availability of originals. In practice, presentation of copies is even preferred in order to avoid any doubt about possible changes to the original. Even the printed form of a digital document is considered valid, provided that it can show all the information necessary for the process.

    • Direct and indirect evidence

      Direct evidence is a fact. Indirect evidence can potentially indicate the fact. A common misconception about digital evidence is to question whether it can, in general, be direct evidence at all because of its electronic nature. However, even in electronic format, digital evidence can, in any case, prove a fact.

      If we take as an example a case in which the security of a computer system is called into question, that security can be proved only by digital evidence. Although digital evidence generally indicates only certain human or user activities or habits, indirect evidence can be just as important as direct evidence in determining some facts. This is best illustrated by logs recording a successful login to the system by a specific user. Direct evidence, in this case, is the record that the account logged in to the system at a given time; that the account which logged in was used by a particular person, however, is indirect evidence.

      Misuse or theft of the account is also a possibility, so additional proof is required, namely that only that person could have accessed the computer at the given time.

    • Scientific evidence

      As a new scientific discipline, digital evidence, as well as the tools and techniques used to obtain and analyze it, is often subject to scientific assessment. Because of the power of science to convince a jury, courts all over the U.S. are cautious about verifying the process that produced the evidence before they accept its results.

      If the process is called into question, this will affect the admissibility or weight of the evidence, depending on the situation.

      In the U.S., scientific evidence is assessed using the following criteria:

      1. Can the theory or technique be tested?
      2. Is there a known high degree of error?
      3. Was the theory or technique publicly published?
      4. Was the theory or technique globally accepted by the relevant scientific community?

      Until now, digital evidence, as well as the tools and techniques by which it has been obtained, has withstood every test applied to scientific evidence. However, examining any tool or technique, and especially determining its error level, is a very difficult and complicated process, not only in the digital world. So, in fact, there is no established error limit for most forensic examinations. The most reliable way to find possible errors is re-examination by another, independent investigator using other tools. In that case, the most reliable determination is based on the premise set out earlier, namely the repeatability of the analysis process, which verifies the reliability of digital evidence.

  • Recognition of evidentiary value in the Republic of Serbia

    Although there have been many attempts to regulate the area of computer crime, and therefore of digital evidence, the very stability of the political and legal system, as well as of the entire social order, has contributed to a large gap in this area, as in others.

    The Criminal Code passed in 2001 (Official Gazette of the FRY, no. 70/2001) introduces a new role for the public prosecutor in criminal proceedings. It gives him greater powers, and leaves room for the police to independently investigate only those crimes for which the maximum penalty is five years. This procedure significantly affects the reliability of investigations, as well as the quality of the collected evidence.

    Later changes have resulted in the definition of “automated computer searches and other personal data” (article 155).

    This article defines the types of offense for which search and processing of digital evidence can be carried out, and lists:

    • a criminal act against the constitutional order and security of the Republic of Serbia
    • a crime against humanity and other goods protected by international law
    • the offense of organized crime
    • a crime against sexual freedom
    • murder, aggravated murder, aggravated robbery, theft, forgery, abuse of office…

    Also, the search and processing of digital evidence is allowed where circumstances indicate the preparation of one of these crimes and it cannot be prevented otherwise. Furthermore, the text says that “a special act (search) is ordered by a judge at the proposal of the public prosecutor,” and in some cases allows public prosecutors to order it independently.

    The process of collecting and processing digital evidence is limited to three months, with the possibility of extending it for up to three more months. It is also determined who can carry out this type of order: the police, the Security-Information Agency, the Customs Service or another governmental body or legal entity vested with certain public authority under law.

    Also, the deadline for destroying evidence collected this way was set at six months if no criminal charges are brought.

    When, in July 2005, the government passed the “Law on the Organization and Jurisdiction of Government Authorities in the fight against cyber crime”, which formed a special unit to combat cyber crime, the public had high expectations. Unfortunately, the special prosecutor was appointed only in 2007.

    Since the process of appointing a special prosecutor to this position lasted two years, in a world where major changes occurred in that period, the process of planning for all areas related to collecting, storing, analyzing and presenting digital evidence in criminal proceedings seemed endless.

    If we add international regulation and the very important aspect of protecting citizens’ privacy to this field, it becomes clear that the regulation should be adopted along the way.

    The local judiciary relies mostly on the investigative judge and on his abilities and judgment. Also, in our legal system, one party or the other must impose its position on the higher court or on a single judge.

    A large number of matters are left to the free assessment of the court: evidence, procedural accuracy, and the authenticity and reliability of witness evidence. The whole process relies on one man who, in the end, calls as expert witnesses those from the list of experts or someone of his own choosing.

    In the world of digital evidence, where the key elements of an investigation are sensitive, it is unfair to ask the expert to vouch with his reputation for content whose origin is not known or cannot be checked.

    Since the whole system relies on the free assessment of the court, it is necessary to create a special institution, at the Institute of expert testimony or separately from it, that would be involved from the very beginning of the investigation.

    The collection of evidence, documentation and analysis, as well as the storage of digital evidence, should be led by professional and competent persons. In the coming years it is necessary to establish an educational center for training new staff capable of dealing adequately and professionally with investigations in the digital world.

    Also, it is necessary to restrict the authorities’ access in terms of the type of data that is to be collected for a particular investigation. The current situation in our country on this issue is alarming. The privacy of citizens is not protected in any way, nor is it likely that this will happen in the near future.

    The entire legal system is reflected in the lawful conduct of criminal proceedings, so that no innocent person is convicted and the offender bears criminal sanctions under the conditions stipulated by the Criminal Code and pursuant to legal procedure. In terms of digital evidence, which will in future be a realistic source of fact, there is currently no opportunity to refute the argument of a rigged process, nor to request an impartial analysis or super-expertise at all.
