Brazil, September 15, 2004

The author serves as a defense attorney specializing in cyber crime, is a lecturer on computer law at the

Note: In the presentation that accompanies my talk, you can see authentic examples of the questions raised here.
1 – Evidence

Alongside the basic legal knowledge required of every defense attorney, acting for the defense in cases featuring cyber crime also calls for a sound understanding of the terms used and of the processes taking place in the court. Not many judges and prosecutors are fond of trials at which unfamiliar terms are used (usually by the defense), intended at worst to confuse the judge or at best to impress him into accepting the evidence. In the nature of things, most trials end in a plea bargain, the main reason being that everyone is already exhausted by the third evidence session.
The paper aims to explain in simple terms some of the key areas where the defense attorney's role calls for providing close protection at every stage, before the indictment is presented and thereafter.

This is unlike the customary procedure in trials where evidence is available in the form of fingerprints or a partner's evidence. For investigators, the immediate conclusion is that one member of the investigation team is given the role of the "bad guy." His task is to present the defense's position at each stage, so that what is discovered can be corrected in a timely manner.
2 – Preliminary consultations before the trial

At this stage, in a meeting with the suspect who will shortly be examined at the trial, the defense attorney explains what his rights are during the examination.
The offence of disseminating a computer virus, for example, rests mainly on the suspect's admission. So the defense attorney informs the potential suspect that he has three options. The first is admission, and from then on the suspect transfers the decision on his fate to the prosecution. Another option is to remain silent: if the police don't find anything on the hard disk, it could take them as much as two years to obtain the evidence from overseas. The third option is to give a cloudy version that sends the police to
The defense attorney makes it clear to the suspect that it is his right, according to customary rulings, to be present when the hard disk is copied, just as during the search of a house. If the detectives do not comply with the law or the procedure, this is likely to have an effect on the trial itself, the effect depending on each country's own exclusionary rules.
The client is not obliged to hand over a password to access a file or a computer; this is covered by the right to remain silent. To date, the draft bills that have debated this matter have been inconclusive.
At the time of the arrest, if possible, the defense attorney must immediately examine the relevant server or site. Such an examination can reduce the suspect's time under arrest from hours to minutes.
Next, he must use every existing technology to transfer all the evidence from a foreign court of law to the present court of law, and thereby enable a faster investigation. Using those technologies, he transfers every application in a communications pipeline, regardless of the application used at the other end.

If the investigators or prosecution do not respond correctly at this stage, it will be helpful for the defense in future.
The expert who is called in at an early stage usually explains to the judge that there is no need for continued arrest, since the server itself was attacked and is "knocked out." Right away, the expert should suggest to the investigators that they fly to the country where the server is down and seize evidence. If they refrain from doing so, it will help the defense at a future date. The defense attorney must wait patiently until the indictment is filed, at which time he can reveal the investigators' inaction and lack of response.
3 – The trial itself

Criminal intent requires proof, as one of the basic elements of the offence. A pedophile caught on a booby-trapped site, at the other end of the line or the other side of the ocean, may claim: "I thought there was another pervert, fantasizing like me, at the other end of the line... of course I had no serious intentions towards a five-year-old girl..."
Another common claim, "Someone took over my computer and did what he did by means of it," may obtain some sort of evidentiary infrastructure if and when the investigators' shortcomings (failing to document everything adequately) are discovered.

Reasonable doubt is sufficient for a defense lawyer to clear the suspect.
In terms of the evidence: in this sort of crime, we do not make such a point of procedures and evidence. When it is a matter of digital evidence, the rules of admissibility are more flexible, because we cannot differentiate between an original printout and a copy of it. Instead, the conditions for admissibility are more strongly emphasized, and this has an impact on how the case is handled.
4 – Digital evidence

The definition and the language used are the same in every country: information that can supply proof, and which is transferred and stored digitally.

It is obtained when the information and/or physical object is retrieved or stored so that it can be examined.

The copy of the information must be an exact one, regardless of the physical medium where it is stored. Whenever digital evidence can be manipulated so as to modify, damage or destroy it, an appropriately trained person must handle the matter.
5 – Uniformity

Evidence must be understood in every language because of international jurisdiction. Non-uniform evidence must not be allowed to slip into the courtroom via the "back door."

Uniformity is vital throughout the whole procedure: in the definitions used, the basic process for obtaining evidence, the findings, and the common language used.

If evidence is not clear and understandable, we must object to it immediately.

Piles of material should not be crammed into the court file.

Since all cyber offences cross continents, a standard is needed for evidence collection and for its introduction into the courtroom. If no standard exists, an expert should be called.
6 – Some problems – What should we ask for?

What must investigators ask their distinguished colleagues in a timely way? Was it a Novell, UNIX, or Linux network? If they don't ask, the defense will; it has an expert. And again, the proof will be rejected. Did we get what we really wanted? Can I use what they gave me, or is it only for internal purposes? Has the investigator discovered what I have to find out? Have they imposed legal immunity? This is the time to find out.
7 – Time

As in any criminal trial, here too the defense has an inferior status. The prosecution initiates and corrects its mistakes during the trial, as long as it has the time to do so. The investigator enjoys access to the judge at any time, and sometimes the judge is more flexible than a rubber stamp, to put it mildly. An average district judge just has to be told how to eavesdrop on the internet: you simply make a sketch and explain. By the time the defense realizes what has happened, it will be too late for the client.
A good and clear explanation to the judge, in good time, saves cold sweat in the courtroom. So a good investigator documents every move and step in the file.

The prosecution has a double task: when the investigator meets the network administrator, he is a colleague, not an adversary. He is the key to well-arranged and clear evidence, obtained at the right time, because the administrator knows every point and intersection in the network. In the courtroom, his explanations, whether recorded, photocopied, or filmed, will improve the prosecutor's mood.
8 – The qualities of good evidence

It must be authentic, accurate and complete. A computer printout that is printed diagonally on the page, or a duplicate printout inside the package of outputs, makes the defense's work easier, and the work of an appeal, too.

Handling the evidence: is it stored in a properly ventilated area, or in a room where it could be damaged?

The entire process must be totally transparent.

The procedures used, the content of the evidence, and the explanations around it must all be precise and accurate.

When the evidence is clearly and properly documented, the defense expert finds it harder to identify weak points.
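Sections 4 and 8 rest on two practical points: the copy of seized data must be exact regardless of the medium it ends up on, and every step of handling must be documented so the record is authentic, accurate and complete. The following script, an added example that is not part of the talk or its appendices, shows how an investigator demonstrates both: a cryptographic digest proves two media hold identical bytes, and an append-only custody log carrying that digest at every step exposes the exact point at which a copy stopped being exact. The sample "disk image", the handler names and the steps are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample "disk image" standing in for a seized drive; not real evidence.
ORIGINAL_IMAGE = b"constructed-sample-image:" + bytes(range(256)) * 4


def sha256_hex(data: bytes) -> str:
    """Fingerprint of the data: two media holding the same bytes give the same digest."""
    return hashlib.sha256(data).hexdigest()


def acquire_copy(source: bytes) -> bytes:
    """Bit-for-bit duplicate of the source (what a forensic image is supposed to be)."""
    return bytes(source)


def verify_copy(source: bytes, copy: bytes) -> Dict[str, object]:
    """Decide whether the copy is exact by comparing digests, not by trusting the medium."""
    src, cpy = sha256_hex(source), sha256_hex(copy)
    return {"source_sha256": src, "copy_sha256": cpy, "identical": src == cpy}


class CustodyLog:
    """Append-only record of every step taken with the evidence: who, what, on which medium, when, digest."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, object]] = []

    def record(self, action: str, handler: str, medium: str, data: bytes,
               when: Optional[str] = None) -> Dict[str, object]:
        entry = {
            "step": len(self.entries) + 1,
            "action": action,
            "handler": handler,
            "medium": medium,
            "sha256": sha256_hex(data),
            "timestamp": when or datetime.now(timezone.utc).isoformat(),
        }
        self.entries.append(entry)
        return entry

    def digests_consistent(self) -> bool:
        """True when every recorded step carries the same digest as the seized original."""
        return len({e["sha256"] for e in self.entries}) == 1

    def first_divergence(self) -> Optional[Dict[str, object]]:
        """Earliest step whose digest differs from the original, or None if the chain is intact."""
        if not self.entries:
            return None
        base = self.entries[0]["sha256"]
        return next((e for e in self.entries if e["sha256"] != base), None)

    def to_json(self) -> str:
        return json.dumps(self.entries, indent=2)


def tampered(copy: bytes, offset: int = 10) -> bytes:
    """Constructed non-exact copy: a single byte changed, as happens when a file is opened in place."""
    buf = bytearray(copy)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    log = CustodyLog()
    log.record("seized", "Inspector A (hypothetical)", "original HDD", ORIGINAL_IMAGE)
    dup = acquire_copy(ORIGINAL_IMAGE)
    log.record("imaged", "Inspector A (hypothetical)", "DVD-R copy", dup)
    print(verify_copy(ORIGINAL_IMAGE, dup)["identical"])   # True: the copy is exact
    bad = tampered(dup)
    log.record("examined", "Analyst B (hypothetical)", "working copy", bad)
    print(log.digests_consistent())                        # False: the chain broke
    print(log.first_divergence()["step"])                  # 3: the examination step
    print(log.to_json())
```

The design choice worth noting is that the digest is recorded at every step rather than once at seizure: a single mismatch then pins the defect to a named handler and a named medium, which is exactly the documentation the text says makes weak points harder to find, or, when missing, hands the defense its argument.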
9 – Questions

How does the prosecution prove the connection to the break-in? The connections between the computers? After all, in this case it is not a matter of fingerprints. What are the variables that intervene in the process? How exactly was the computer hacked into? How was the break-in monitored and discovered?
10 – The expert

The expert explains the evidence to the defense: where the weakness lies in the conception of the case and in the evidence collected by the investigators.

In the trial itself, the expert helps by giving evidence where necessary.

The expert provides advice according to clearly defined instructions, deriving from the court proceedings.

He must disregard admissions by the accused or by a witness, and indicate the weakness of the digital evidence.

He must scrutinize the statements given by the ISP and point out the weaknesses in its testimony, in the testimony of the victim's network administrators, and in any records that were made or collected.

When cross-examining as an expert witness, he may, if necessary, use a police officer against his colleagues and/or against the prosecution's position.
11 – Often-heard claims

"An amazing quantity of information"... we also have to explain to the distinguished lady serving as the deputy-president of the court: "Before your honor is the five gigabytes that was seized. Each floppy disk can contain 4,000 printed pages. Multiplied by 5,000, this is the quantity of information that the defense must be given and which it must examine..." In these cases, we are often granted a deferral.
Incomplete logs: evidence that was ostensibly taken from another computer. We must relate to the process in which the information was reproduced and removed, the output, corrupt files, and access to the files or to the password: was it exclusive? The dates and times of eavesdropping, not the content. Examining the match between them and the printouts.

Was the eavesdropping method automatic or semi-automatic?

How was the evidence generated and/or stored?

Which member of the team is reporting? Is it a question of hearsay? The security measures in place at the eavesdropping facility will reveal it.

The software programs used to eavesdrop must be discovered and their dependability must be evaluated.

Making a "ghost" of the electronic arena: was this done, and if so, how?

Were traps laid, and if so, where?

Examples from other cases.
When a software program is used to collect digital evidence, we have to find out whether it is well known. What is its error rate? Has it been discussed in the professional literature?

These are just some of the challenges that the defense attorney must cope with later in the trial, and his chief tool is cross-examination.
12 – Summary

The objective of this paper is to illuminate, in everyday language taken from the courtroom, some issues that the defense attorney must address in cyber crime cases. There are two principal tools: (1) documentation, or the lack of it, and (2) common sense. Within a given timeframe, the cyber crime investigator must relate to these considerations too. Doing so will spare the prosecution unnecessary bother and will simplify the court's ruling in the matter.

Simplifying matters is the key issue.

Attached to the material given to the organizers with the presentation are appendices detailing and illustrating my remarks today.

Thank you very much.