CyberCrime

The Cybercrime Trial Abigail Abraham Assistant State Attorney Cook County, Illinois Ivan Orton Sr. Deputy Prosecuting Attorney King County, Washington

What’s Different about a Cybercrime Trial Complexity Digital Evidence Issues

As With Any Trial, Keys Are: Understanding Your Case Preparing Your Case Presenting Your Case

Understanding Your Case You MUST Educate Yourself But Only About What You Must Understand Endless Task Training and Experience

Understanding Your Case Use Your Resources Other Prosecutors Office Computer Personnel Investigator/Forensic Expert Witnesses (ISP, Victim, etc.) Digital DA and other online sources

Understanding Your Case The Crime Charged Should you Amend? The Legal T heory The Evidence Anticipating Defenses

Understanding Your Case What do you have to Prove/Disprove Do you have to disprove all alternative explanations Can you disprove all alternative explanations Nature of computer “incidents”

Understanding Your Case S hare your understanding with your trial team (investigator, forensic person, crucial witnesses) to get their input

Preparing Your Case Remember Judge/Jury/Defense Understanding Varies Widely You Must Be a Teacher Law is Settling Down but . . . Technology is double edged

Preparing Your Case Education Expert Witness/Scientific Method Problem Areas Jury Instructions

Preparing Your Case - Education Educate Your Audie nce at Every Stage Voir Dire Opening Every Witness Closing Objections

Preparing Your Case - Education Keep it Simple - don’t overexplain Case in Chief v. Cross Ex and Rebuttal Let Defense make it complex Use Analogies but . . .

Preparing Your Case - Education We're using age old methods of reasoning trying to evaluate an unfamiliar situation by finding analogy to a familiar one. But applied to the web the analogies get so complex that the familiar turns into the unfamiliar. To make the situation accurate you have to make it so weird that it doesn't help us figure things out. David Weinberger , Commentator on All Things Considered

Preparing Your Case - Expert Witness Do You Need an Expert (Opinion Witness)

Preparing Your Case - Expert Witness Your Witness Testifies: Made F orensic Image Examined the Drives What Found on Drives What this Means

Preparing Your Case - Expert Witness Which of these Required Expert Witness Testimony Which Required Admission of Scientific Evidence

Preparing Your Case - Expert Witness Expert Witness - witness qualified as an expert may give an opinion Results of a Scientific Method - In Federal system and many states, Judge must be convinced results of scientific method will be useful In some states method must be generally accepted by peer community

Preparing Your Case - Expert Witness Don’t Confuse Expert Testimony with Expert WITNESS Testimony Witness can be shown to be highly qualified as a way of increasing her/his credibility So long as not seeking to give opinion, don’t have to qualify as expert witness

Preparing Your Case - Scientific Method Evidence Based on Scientific Method Doesn’t Always Have to be Qualified Jury is shown p icture t aken by 7-11 c amera to c ompare to d efendant No need to qualify photography as a scientific method Will need to authenticate/lay foundation Only if expert is giving an opinion based on scientific method evidence must evidence be qualified

Preparing Your Case - Expert/Scientific Method Effect of “Best Practices” Manuals In Russian Hacker case FBI agent quizzed by defense attorney on not following DOJ Computer Search and Seizure Manual

Preparing Your Case - Expert Witness Preparing Your Expert No Real Difference in Cyber Case From Any Other Case Involving Expert Don’t Overstate Keep Things Simple Don’t Argue with Defense Attorney “ Isn’t it true that . . . ?| “ Yes, and I can explain my answer if you’d like.”

Preparing Your Case - Problem Areas Tying Defendant to Keyboard Defendant’s Knowledge/Motive Time and Date Stamps Forensic Report

Preparing Your Case - Problem Areas Tying Defendant to Keyboard Confession/Admission Circumstantial (only resident at computer location) Substantive knowledge unique to defendant Content analysis

June 30, 1999 - 8 Minutes Later From: [email_address] To: [email_address] Subject: Hideho... Date: Wednesday, June 30, 1999 2:23 PM Hideho....dear Marni....how're you today....did you sleep well...I bet you didn't...unfortunately...one of my spies told me you'll have a opening training camp next Monday in Toronto...so I'll have more women to either fuck or destory ...Michelle Stilwell, huh....I love quadraplagia girls...amputees like Chantal Benoit is also a perfect choice....so you may survive...now I realize compare to the same level, Shira Golden is more attractive to me than you do...I switched my airplane ticket...I'll fly directly to Toronto instead of Vancouver...See ya next Monday...Hideho..have a nice day and keep a good shape... PARALYZED WOMEN KILLER FROM HONG KONG 7-1-99 destory

Preparing Your Case - Problem Areas Defendant’s Knowledge/Intent Defendant claims ignorance of child porn found on his computer. How can you overcome claim of ignorance?

Preparing Your Case - Problem Areas Number of Pictures Directory Structure File Names News Group Subscriptions History Files

Preparing Your Case - Problem Areas Time and Date Stamps

Preparing Your Case - Problem Areas Windows Files have 3 Dates/Times: Create Date When the file was created at the current location When the file was moved/copied to current location Last Written/Modified Date When the file was last changed (includes created) Does not change when file is moved/copied Is reset when a file is downloaded Last Accessed Date When file was last accessed

Preparing Your Case - Problem Areas Date/Time Stamps - Limitations Depends on accuracy of internal clock What time zone Can be manipulated

Preparing Your Case - Problem Areas Date/Time Stamps - Ways to Check Internal file accuracy (date stamp consistent with date inside file) E-mail header date/time compared to date/time assigned by system Compare known date/time to system date/time (Do you know independently when file was downloaded)

Preparing Your Case - Problem Areas Date/Time Stamps - Ways to Check If computer is attached to network, does server set clock on login Patterns of file creation dates/times If any created after computer was seized you MUST explain Experiment Using suspect’s computer NOT original hard drive

Preparing Your Case - Problem Areas Forensic Report Abigail Example

Preparing Your Case - Jury Instructions Do Pattern Jury Instructions Exist? If not, can you draw on analogous areas (burglary law for computer trespass) Special Terms need Definitions?

Presenting Your Case Voir Dire Explaining Complicated or Technological Issues Presentation Tools Digital Evidence Admissibility Issues

Presenting Your Case-Voir Dire Know your audience—what is their knowledge of computers? Educate the jury, but keep it simple Are jury questionnaires permitted by the Judge? Focus on jurors feeling of whether computer crime is really “crime.” Consider questions weeding out those that think the victim may be at fault or should “ignore it.”

“ Do you own a computer?” “ Is your home computer a Macintosh or IBM compatible” “ How familiar are you with computers” “ Does your job entail working with computers?” “ Do you access the Internet?” “For what purpose?” “ Have you ever used e-mail? Chatrooms? Instant messenger?” Presenting Your Case-Voir Dire

“ If a person enters a chatroom, are they ‘assuming the risk?’” “ Do you think that pursuing a person in a chatroom is a part of ‘Web/Net culture?’” “ If someone is being harassed by e-mail, should they just not turn the computer on or ignore it?” “ Does anyone believe that pursuing someone or harassing someone on the internet is not a matter that should be criminal in nature” Presenting Your Case-Voir Dire

A little younger, but not too young. A little more educated, but not too academic. A little technical knowledge, but not enough to second guess your witnesses. Beyond that jurors for the different types of tech cases should follow the profile for the same type of case if their was no tech element. Presenting Your Case-Voir Dire What Jury Do You Want

Presenting Your Case-Voir Dire Not All Cybercases Are the Same Trade secret theft Child porn/exploitation Hacking Fraud Component theft Piracy Cyberstalking

Voir Dire – Child Exploits/Porn It’s OK to have strong feeling about the sexual exploitation of children, but does anybody feel the subject matter alone would make it impossible for them to be fair? Have you, a relative, or a close friend ever been sexually victimized? (instruct them they need not answer in open court) Will anyone find it impossible to view graphic sexual images of young children? Does anyone disagree with the laws prohibiting sexual activity between adults and children?

Voir Dire – Fraud/Identity Theft Victimization – Self/Friend/Family Media Attention – Read/Heard/Seen Precautions They Take (May expect your victim to do nothing less) Assumption of the Risk When might you hold the victim to blame for being ripped off? Does a victim’s carelessness or naiveté ever justify stealing from them?

Voir Dire – Hacking/Intrusion Does anyone have an image in their mind when I use the term “Hacker.” Has anyone experienced the damage that can be caused by a computer virus. (describe it) Does anyone here keep personal information on their computer? Is their anyone here uncomfortable with the idea of someone having uncontrolled access to your personal information ? Should a victim be required to take steps to prevent an intentional intrusion?

Voir Dire - Piracy Does anyone think there’s a difference between making one copy of a movie/cd/tape for a friend and making a hundred to sell at the flea market? Where’s the line between fair use and theft? Does anyone have strong feelings about the movie/music/software industries business, pricing, or distribution practices? Has anyone seen media for sale they thought might be counterfeit? Describe the situation? What alerted you?

Voir Dire – Trade Secrets Does anyone feel a company can’t be a victim? Has anyone ever had the experience of having someone else steal their idea or take credit for their work? Can anyone give an example of an idea that was worth lots of money? Can anyone give an example of something that’s only valuable if it’s secret?

Presenting Your Case - Complicated/Technical Issues 1. Have a very simple analogy 2. Have a uncomplicated correct definition 3. Find/develop a picture/drawing of what your technology “looks like”. 4. Have a credible expert explain technology using all above #1, #2, #3. 5. Have your expert use that picture/drawing.

6. Link your technology to something jurors do on their computers. 7. Link your definition, as it is explained, to what the defendant DID. 8. Repeatedly, again and again USE YOUR PICTURE of the technology. 9. No overkill; the more time you spend, you may confuse or open doors 10. Try your analogy, definition and pictures out on experts and lay people. Presenting Your Case - Complicated/Technical Issues

Charts, Diagrams, Pictures Presenting Your Case - Presentation Tools

Animation Presenting Your Case - Presentation Tools

Animation Used to Show How Things Work Power Point Example Presenting Your Case - Presentation Tools

Hard Drive File Allocation Table Storage Area CLUSTER 1 Unallocated FILE STORAGE CLUSTER 2 Unallocated CLUSTER 3 Unallocated CLUSTER 1 Allocated Image.jpg 10,555 Bytes 5/5/99 1:22 p.m. - CLUSTER 2 Allocated Image.jpg 10,555 Bytes 5/5/99 1:22 p.m. - Clusters 1+2

Hard Drive File Allocation Table Storage Area FILE DELETE CLUSTER 3 Unallocated Image.jpg 10,555 Bytes 5/5/99 1:22 p.m. - CLUSTER 2 Allocated Image.jpg 10,555 Bytes 5/5/99 1:22 p.m. - Clusters 1+2 CLUSTER 1 Allocated

Hard Drive File Allocation Table Storage Area FILE DELETE CLUSTER 3 Unallocated Image.jpg 10,555 Bytes 5/5/99 1:22 p.m. - CLUSTER 2 Allocated Image.jpg 10,555 Bytes 5/5/99 1:22 p.m. - Clusters 1+2 CLUSTER 1 Allocated CLUSTER 1 Unallocated CLUSTER 2 Unallocated ? mage.jpg 10,555 Bytes 5/5/99 1:22 p.m. - Clusters 1+2 ? mage.jpg 10,555 Bytes 5/5/99 1:22 p.m. - Clusters 1+2

INFO Hard Drive \Download DC01.jpg 10,555 Bytes 5/5/99 1:22 p.m. Image.jpg 10,555 Bytes 5/5/99 1:22 p.m. \Recycle INFO (\Download\Image.jpg) DELETE RECYCLE BIN DELETE ? mage.jpg 10,555 Bytes 5/5/99 1:22 p.m.

Hard Drive \Download DC01.jpg 10,555 Bytes 5/5/99 1:22 p.m. INFO (\Download\Image.jpg) \Recycle RECOVER RECYCLE BIN RECOVER ? mage.jpg 10,555 Bytes 5/5/99 1:22 p.m. Image.jpg 10,555 Bytes 5/5/99 1:22 p.m. ? C01.jpg 10,555 Bytes 5/5/99 1:22 p.m. INFO

Animation Used to Show How Things Work MPEG Example Presenting Your Case - Presentation Tools

Imaginate example Presenting Your Case - Presentation Tools

Live vs. Recorded Demonstrations Murphy’s Law Data may not look the way you want Program may not work the way you want Murphy’s Law Websites can change Live can be turned against you Presenting Your Case - Presentation Tools

Many Issues we Used to Worry About are Settled See US DOJ Guidelines for More Detailed Discussion Presenting Your Case - Digital Evidence Admissibility

Business Records - Fed R. Evid. 803(6) Computer Generated (admissible) Computer Stored (may be hearsay) Authenticity - Fed. R. Evid 901(a) Mere possibility of tampering doesn’t affect authenticity Proving the Author Circumstantial Evidence See Earlier Discussion - Problem Areas - Putting Defendant at Keyboard Presenting Your Case - Digital Evidence Admissibility: In General

Hearsay If computer records reflect only computer generated data, no hearsay If computer records contain the assertions of a person, hearsay Best Evidence - Fed. R. Evid. 1002 See Fed. R. Evid. 1991(3) Summaries - Fed. R. Evid. 1006 Presenting Your Case - Digital Evidence Admissibility: In General

Abigail Abraham, Assistant State Attorney Cook County, Illinois [email_address] (713) 869-2728 Ivan Orton, Sr. Deputy Prosecuting Attorney King County, Washington [email_address] (206) 296-9082 Sweet Home Alabama (or wherever)

CyberCrime

More Related Content

Viewers also liked (13)

Similar to CyberCrime (15)

More from CTIN (20)

Recently uploaded (20)

CyberCrime