0% found this document useful (0 votes)

181 views81 pages

EnCase Legal Journal

Encase Legal Journal

Uploaded by

kimchee88

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

181 views81 pages

EnCase Legal Journal

Encase Legal Journal

Uploaded by

kimchee88

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 81

EnCase Legal Journal

Second Edition

Copyright 2001 Guidance Software, Inc. All rights reserved.

Preface
omputer forensics is a discipline dedicated to the collection of computer evidence for judicial purposes. Those who practice computer forensics should be very familiar with the laws of evidence in their relevant jurisdictions so that they may correctly employ the proper procedures, tools and methodologies used to collect and process computer evidence. While there has been some excellent research and writing on search and seizure and privacy issues related to computer data, there has been comparatively little guidance on the authentication and presentation of electronic evidence at trial. Computer investigation experts uncertain of what the law required often received unclear direction from counsel who were equally unfamiliar with the complex technical issues and nuances that must be applied to the laws of evidence. Consequently, there has been no clear consensus on issues such as what is required to establish a sufficient foundation for computer evidence, whether a computer forensic investigator is considered a scientific expert, and how the Best Evidence rule applies to computer data. In response to these concerns, Guidance Software launched The EnCase Legal Journal (ELJ), which is provided with two goals in mind. First, the ELJ reports on recent trial court developments involving EnCase as well as notable court decisions involving computer evidence in general. Secondly, the ELJ addresses how the EnCase process facilitates the authentication and admission of electronic evidence in light of past industry practices and the current status of the law, providing investigators and their counsel with an added resource when addressing questions involving computer forensics and the use of EnCase. The ELJ is provided for informational purposes and is not intended as legal advice and should not be construed or relied upon as such. Each set of circumstances may be different and all cited legal authorities should be confirmed and updated. Just as Guidance Software is committed to ongoing product research and development, so must we also be on top of the latest legal developments impacting this field. As such, this journal should be considered as a work perpetually in progress. If you have any questions, comments or suggestions for future revisions, please feel free to contact me at [email protected]. John Patzakis Guidance Software June 2001

2001 Guidance Software

June 2001

Table of Contents
Authentication of Computer Evidence ............................................ 1
1.0 1.1 1.2 1.3 1.4 Overview..................................................................................................................................... 1 Authentication of Computer Data............................................................................................... 1 Authentication of the Recovery Process ..................................................................................... 3 Authentication of the EnCase Recovery Process ........................................................................ 7 Challenges to Foundation Must Have Foundation..................................................................... 7

Validation of Computer Forensic Tools ......................................... 8

2.0 2.1 2.2 2.3 Overview..................................................................................................................................... 8 Frye/Daubert Standard............................................................................................................... 8 Computer Forensics as an Automated Process ........................................................................ 11 Commercial vs. Custom Forensic Software and Authentication Issues.................................... 13

Expert Witness Testimony.................................................................................. 15

3.0 3.1 Overview................................................................................................................................... 15 Threshold Under Rule 702........................................................................................................ 15 3.2 Illustrations of Testimony ......................................................................................................... 17 DIRECT EXAMINATION -- PRE-TRIAL EVIDENTIARY HEARING........................................... 17 DIRECT EXAMINATION FOR THE PRESENTATION OF COMPUTER EVIDENCE BEFORE A JURY .................................................................................................................................................... 22

The Best Evidence Rule........................................................................................ 31

4.0 4.1 4.2 4.3 4.4 Overview................................................................................................................................... 31 Original Electronic Evidence............................................................................................... 31 Presenting Electronic Evidence at Trial................................................................................... 32 Compression And the Best Evidence Rule ................................................................................ 33 US v. Naparst The EnCase Evidence File Validated As Best Evidence................................. 36

Legal Analysis of the EnCase Evidence File ...................... 39

5.0 5.1 5.2 5.3 Overview................................................................................................................................... 39 Evidence File Format ............................................................................................................... 39 CRC and MD5 Hash Value Storage and Case Information Header ........................................ 40 Chain of Custody Documentation............................................................................................. 41

2001 Guidance Software

June 2001

5.4 5.5

The Purpose of Sterile Media and The EnCase Process .......................................................... 42 Analyzing The Evidence File Outside of the EnCase Process .................................................. 42

Challenges to EnCase and Other Litigated EnCase Issues.................................................................................................................................................. 45

Matthew Dickey v. Steris Corporation ..................................................................................................... 45 State of Washington v. Leavell ................................................................................................................. 46 People v. Rodriguez.................................................................................................................................. 47 People v. Merken ...................................................................................................................................... 48

Search and Seizure Issues and EnCase ...................................... 49

7.0 7.1 7.2 7.3 7.4 7.5 Overview................................................................................................................................... 49 Computer Files and the Plain View Doctrine........................................................................... 49 United States v. Carey .............................................................................................................. 51 Post-Carey Case Law ............................................................................................................... 53 Post-Carey Practice ................................................................................................................. 56 Warrant Return Requirements.................................................................................................. 57

Complying with Discovery Requirements when Utilizing the EnCase Process ....................................................................... 59
8.0 8.1 8.2 8.3 8.4 8.5 8.6 Overview................................................................................................................................... 59 Production of Entire EnCase Images ....................................................................................... 59 Production of Restored Drives ................................................................................................. 60 Production of Exported Files.................................................................................................... 60 Supervised Examination ........................................................................................................... 60 Discovery Referee in Civil Litigation Matters .......................................................................... 61 Example Form Letter Demanding Preservation of Computer Evidence .................................. 64

Employee Privacy and Workplace Searches of Computer Files and E-mail ............................................................................ 66
9.0 9.1 9.2 9.3 9.4 Overview................................................................................................................................... 66 Employee Monitoring in the Private Sector.............................................................................. 66 The Electronic Communications Privacy Act of 1986 .............................................................. 67 Other Important Considerations for Employers ....................................................................... 69 Monitoring of Government Employees ..................................................................................... 70

2001 Guidance Software

iii

June 2001

1 Authentication of Computer Evidence

1.0 Overview

ocuments and writings must be authenticated before they may be introduced into evidence. The US Federal Rules of Evidence, as well as the laws of many other jurisdictions, define computer data as documents.1 Electronic evidence presents particular challenges for authentication as such data can be easily altered without proper handling. The proponent of evidence normally carries the burden of offering sufficient evidence to authenticate documents or writings, and electronic evidence is no exception. What testimony is required to authenticate computer data? How does a witness establish that the data he or she recovered from a hard drive is not only genuine but completely accurate? Are there guidelines or checklists that should be followed? How familiar with the software used in the investigation must the examiner be in order to establish a proper foundation for the recovered data? These are some of the questions that face computer investigators and counsel when seeking to introduce electronic evidence. This chapter will address these questions. 1.1 Authentication of Computer Data

Oftentimes, the admission of computer evidence, typically in the form of active (non-deleted) text or graphical image files, is accomplished without the use of specialized computer forensic software. Federal Rule of Evidence 901(a) provides that the authentication of a document satisfied by evidence sufficient to support a finding that the matter in question is what the proponent claims. The Canada Evidence Act specifically addresses the authentication of computer evidence, providing that an electronic document can be authenticated by evidence capable of supporting a finding that the electronic document is that which it is purported to be.2 Under these statutes, a printout of an e-mail message can often be authenticated simply through direct testimony from the recipient or the author.3 The US Federal Courts have thus far addressed the authentication of computergenerated evidence based upon Rule 901(a), much in the same manner as statutes that have existed before computer usage became widespread.4 United States v. Tank,5 which involves evidence of Internet chat room conversation logs, is an important illustration. In Tank, the Defendant appealed from his convictions for conspiring to engage in the receipt and distribution of sexually explicit images of children and other offenses. Among the issues addressed on appeal was whether the government made an adequate foundational showing of the relevance and the authenticity of a co-conspirators Internet 2001 Guidance Software 1 June 2001

chat room log printouts. A search of a computer belonging to one of Defendant Tanks co-conspirators, Riva, revealed computer text files containing "recorded" online chat room discussions that took place among members of the Orchard Club, an Internet chat room group to which Tank and Riva belonged.6 Riva's computer was programmed to save all of the conversations among Orchid Club members as text files whenever he was online. At an evidentiary hearing, Tank argued that the district court should not admit the chat room logs into evidence because the government failed to establish a sufficient foundation. Tank contended that the chat room log printouts should not be entered into evidence because: (1) they were not complete documents, and (2) undetectable "material alterations," such as changes in either the substance or the names appearing in the chat room logs, could have been made by Riva prior to the governments seizure of his computer.7 The district court ruled that Tank's objection went to the evidentiary weight of the logs rather than to their admissibility, and allowed the logs into evidence. Tank appealed, and the appellate court addressed the issue of whether the government established a sufficient foundation for the chat room logs. The appellate court considered the issue in the context of Federal Rule of Evidence 901(a), noting that [t]he rule requires only that the court admit evidence if sufficient proof has been introduced so that a reasonable juror could find in favor of authenticity or identification . . . The government must also establish a connection between the proffered evidence and the defendant.8 In authenticating the chat room text files, the prosecution presented testimony from Tanks co-conspirator Riva, who explained how he created the logs with his computer and stated that the printouts appeared to be an accurate representation of the chat room conversations among members of the Orchid Club. The government also established a connection between Tank and the chat room log printouts. Tank admitted that he used the screen name "Cessna" when he participated in one of the conversations recorded in the chat room log printouts. Additionally, several co-conspirators testified that Tank used the chat room screen name "Cessna" that appeared throughout the printouts. They further testified that when they arranged a meeting with the person who used the screen name "Cessna," it was Tank who showed up.9 Based upon these facts, the court found that the government made an adequate foundational showing of the authenticity of the chat room log printouts under Rule 901(a). Specifically, the government presented evidence sufficient to allow a reasonable juror to find that the chat room log printouts were authenticated.10 The Tank decision is consistent with other cases that have addressed the issue of the authenticity of computer evidence in the general context of Fed.R.Evid. 901(a).11 Tank illustrates that there are no specific requirements or set procedures for the authentication of chat room conversation logs, but that the facts and circumstances of the creation and recovery of the evidence as applied to Rule 901(a) is the approach generally favored by the courts. (See also United States v. Scott-Emuakpor,12 [Government

2001 Guidance Software

June 2001

June 2001

2.2

Computer Forensics as an Automated Process

Federal Rule of Evidence 901(b)(9) provides a presumption of authenticity to evidence generated by or resulting from a largely automated process or system that is shown to produce an accurate result. This rule is often cited in the context of computerprocessed evidence.60 There is some debate as to whether testimony from computer forensic examiners should be considered expert scientific testimony, and thus subject to an analysis under Daubert, or non-scientific technical testimony regarding the recovery of data through a technical investigation process, and thus subject to Federal Rule of Evidence 901(a), 901(b)(9). The United States Supreme Court blurred this distinction between scientific vs. non-scientific expert testimony in its Kumho Tire Company, Ltd. v. Carmichael,61 which extended the Daubert test to cover technical processes as well as scientific opinion evidence. However, many courts still draw a general distinction between scientific and non-scientific expert testimony.62 At least one federal appeals case has referred to this issue in dicta, hypothesizing that in light of Rule 901(b)(9), computer or x-ray evidence resulting from a process or system would not fall under a Frye analysis as [t]he underlying principles behind x-ray and computers are well understood; as to these technologies, serious questions of accuracy and reliability arise, if at all, only in connection with their application in a particular instance.63 The court in United States v. Whitaker,64 held that, without addressing Daubert, a foundation for forensically recovered computer evidence could be established by the investigating agent with personal knowledge of the process used to retrieve and print the data.65 In United States v. Quinn,66 the prosecution sought to introduce photogrammetry evidence through expert testimony to determine the height of a suspect from surveillance photographs. The trial court allowed the testimony after a simple proffer from the government as to the basis of a photogrammetry process, which the court found to be nothing more than a series of computer-assisted calculations that did not involve any novel or questionable scientific technique.67 The court of appeal rejected the defendants contention that the photogrammetric evidence required an evidentiary hearing under Daubert, finding that the trial court acted within its discretion.68 In Burleson v. State,69 the court held that expert testimony resulting from a complicated computer-generated display showing deleted records was admissible, as the software and computer systems creating the output relied upon by the expert were shown to be standard, accurate and reliable. The court noted that it was unnecessary for the computer system technology to be authenticated under a Frye test, finding that the showing of an accurate and reliable system producing the display was sufficient.70 EnCase is proven to provide a more accurate, objective and complete search and recovery process through a substantially automated process. In more complex computer forensic cases, evidence concerning the search and recovery function with its resulting visual outputs and printed reports is often as important as the recovered data itself. Some tools exclusively employed by a minority of computer forensics examiners are little more than basic single-function DOS disk utilities that, when combined as a non-integrated suite, are manipulated to perform computer forensic applications. This formerly common 2001 Guidance Software 11 June 2001

practice presents three fundamental problems: 1) results from the examiners search and recovery process are often subjective, incomplete and variant; 2) the data restoration process can either improperly alter the evidence on the evidentiary image copy or provide a visual output that is not a complete and accurate reflection of the data contained on the target media; and 3) the lack of integration of all essential forensic functions within a single software application presents potential challenges to the authenticity of the processed computer evidence. Applying Rule 901(b)(9) to the context of electronic data discovery, computer forensic software should ideally provide an objective and automated search and data restoration process that facilitate consistency and accuracy. To provide a hypothetical illustration, a group of ten qualified and independently operating forensic examiners analyzing the same evidentiary image should achieve virtually the same search results when entering identical text search keywords or seeking to recover all specified file types on the image, such as all graphical images or all spreadsheet files. If not, the process employed cannot be considered to be either automated or accurate and thus would not be considered a process qualifying for a presumption of authenticity under Rule 901(b)(9). Further, it is often necessary to duplicate search processing results during or before trial, and thus if a colleague or, even worse, an opposing expert obtains significantly differing search results from the same media, the impact or even the very foundation of the evidence may be substantially weakened. While the court in Gates Rubber did not expressly cite Rule 901(b)(9), its holding that a computer examiner has "a duty to utilize the method which would yield the most complete and accurate results" is clearly consistent with the statute. Results from search and recovery procedures utilizing DOS utilities will significantly vary depending upon the type and sequence of non-integrated utilities employed, the amount of media to be searched, and the skill, biases and time availability of the examiner. Further, each piece of acquired media must be searched separately, using the same tedious and time consuming protocol for each hard drive, floppy disk, CD or other media involved in the case. In sum, the likelihood of different independently operating examiners duplicating the search and restoration process on the same evidentiary image is extremely remote, if not impossible. Due to the inordinate burden of searching a Windows image with DOS utilities, some investigators resort to operating Windows Explorer on the evidentiary image disk. In addition to not being able to view file slack, swap files and all other types of unallocated data, Explorer will corrupt the data in such a situation by altering file date stamps, temporary files and other transient information. Better practice requires specially designed Windows-based computer forensic software that employs a completely noninvasive and largely automated search process. A more objective search process facilitates results that are dramatically more accurate and consistent, thereby enabling duplication of the process at trial and by independently operating examiners. For example, when utilizing EnCase, simply clicking a request to display all graphical image files contained on an evidentiary image disk will instantaneously list all such files in a graphical interface, including files re-named or hidden in obscure directories by a 2001 Guidance Software

June 2001

suspect in order to conceal them, and even, in most cases, previously deleted files. EnCase duplicates the Windows Explorer interface and viewing functions, with the critical added benefits of viewing deleted files and all other unallocated data in a completely non-invasive manner. An EnCase search process often reduces an examiners lab analysis time by several weeks. Most importantly, an examiner can present the discovered evidence in court with confidence that the search and recovery process provided more complete, consistent and objective results. It should be noted that the line of cases that applied rule 901(a)(b) discussed above preceded Kumho Tire, which, as also noted above, extended the Daubert test to technical processes as well as scientific opinion evidence. EnCase has been authenticated at trial under both Daubert/Frye and Rule 901(b)(9), and it is advisable that both approaches be considered in authenticating the software. 2.3 Commercial vs. Custom Forensic Software and Authentication Issues Some computer forensic investigations utilize custom software tools developed by the investigating agency or a private company that are not commercially available to the general public. Courts have addressed issues concerning the type of software involved where computer-generated evidence is at issue. Such cases provide a presumption of authenticity for evidence resulting from or processed by commercially available computer systems and software over customized systems and software. As noted by one respected treatise on the subject: Evidence generated through the use of standard, generally available software is easier to admit than evidence generated with custom software. The reason lies in the fact that the capabilities of commercially marketed software packages are well known and cannot normally be manipulated to produce aberrant results. Custom software, on the other hand, must be carefully analyzed by an expert programmer to ensure that the evidence being generated by the computer is in reality what it appears to be. Nonstandard or custom software can be made to do a host of things that would be undetectable to anyone except the most highly trained programmer who can break down the program using source codes and verify that the program operates as represented.71 In fact, courts in many jurisdictions actually require that any computer-generated evidence be a product of a standard computer program or system in order to admit such evidence.72 This body of authority would seem especially relevant to software used by law enforcement for computer forensic purposes, given the sensitive function of such software. A law enforcement agency that utilized customized proprietary software for computer forensic investigations could face various complications when seeking to introduce evidence processed with such software. Such actual or potential pitfalls could include the following:

2001 Guidance Software

June 2001

1. The defense could seek to exclude the results of any computer investigation that utilized tools that were inaccessible to non-law enforcement. Federal courts are unanimous in holding that computer evidence generated by or resulting from a process is only admissible if the defense has access to such software in order to independently duplicate the results of that process and thus is given the same opportunity to inquire into the accuracy of the computer system involved in producing such evidence.73 2. If the defense is provided with a copy of the proprietary software and all evidentiary images, an expert retained by the defense will require substantial time to learn the software and recreate the process, resulting in substantial cost to the government in cases involving indigent defendants. The government will incur even further costs if the purchase of supporting operating systems and file servers is required to support the custom software. 3. While, as noted above, the source code for commercially available software is not required to be introduced into evidence in order to establish the authenticity of computer processed evidence, it is apparent that such presumptions of authenticity would not be afforded to customized software. Thus, the defense would seek to exclude the results of any computer investigation utilizing custom software tools, unless the source code was made available to the defense for testing and analysis. This would be especially true for computer forensic software, given the sensitive nature of presenting evidence of deleted files and other transient electronic information. Conversely, when questioned in court regarding the reliability of a commercially available software application such as EnCase, the proponent of the evidence would be able to testify that EnCase is a widely used and commercially available software program and thus any member of the public can purchase, use and test the program. The defense could not claim prejudice by the use of EnCase as any reasonably skilled computer examiner would be able to examine the discovery copy of the evidence, nor would the government be subject to questions regarding its access to the source code of the program.

2001 Guidance Software

June 2001

3 Expert Witness Testimony

3.0 Overview

re computer forensic investigators considered experts? Many courts outside of the United States, such as in Great Britain, employ a higher (perhaps wiser) threshold as to who is qualified to provide expert testimony on a technical subject. This chapter will discuss the threshold for qualifying a computer investigator as an expert and brief some cases where the court addressed this very issue. Also presented in this chapter are two fictional transcripts of sample direct examinations. The first example is a transcript from a mock pre-trial evidentiary hearing under either Federal Rules of Evidence 104, 702 and/or Daubert v. Merrell Dow Pharmaceuticals. A court may schedule such an evidentiary hearing to consider any foundational questions regarding the EnCase process. The second example is a direct examination in the context of a jury trial presenting evidence obtained from a computer forensic examination. Although these examples are fictional, they are based upon actual investigation procedures and techniques taught in Guidance Softwares training program and employed daily in the field by hundreds of agencies and organizations. These examples are by no means mandatory scripts to be strictly followed, but should provide a general reference for prosecutors in preparing direct examinations of their computer examiners in the context of either an evidentiary hearing or a jury trial. 3.1 Threshold Under Rule 702

In the United States, Federal Rule of Evidence 702 provides that in order for a witness to be qualified as an expert, the expert must simply be shown to have knowledge, skill, experience, training, or education regarding the subject matter involved. Under this threshold, trained computer forensic experts have qualified as experts in the US courts. However, oftentimes prosecutors opt not to offer the examiner as an expert, especially where the records in question can be authenticated under Federal Rule of Evidence 901(b)(9) or a corresponding state statute, or where the examiner can be offered as a percipient witness presenting more objective and empirical findings of their investigation. This approach tends to be more common in many state courts. This question was directly addressed in the recent case of United States v. ScottEmuakpor,74 where the court considered whether the United States Secret Service agents who conducted the computer forensic examination needed to be a qualified expert in computer science to present their findings.

2001 Guidance Software

June 2001

The Defendant in Scott-Emuakpor brought a motion in limine contending that the USSS agents should be precluded from providing testimony regarding the results of their computer examinations, particularly as one of the agents admitted that he was not an expert in the area of computer science. However, the court opined that: [T]here is no reason why either witness may not testify about what they did in examining the computer equipment and the results of their examinations. The question before the Court at this time is not whether these witnesses have the expertise, for example, to develop sophisticated software programs. The question is whether they have the skill to find out what is on a hard drive or a zip drive. Apparently, they have this skill because they determined what was on the drives. By analogy, a person need not be an expert on English literature in order to know how to read. . . .The fact that (the USSS agent) admitted that he is not an expert in the area of computer science is not binding on the Court. However, it is not uncommon for an examiner to be asked to interpret the recovered data. The recent case of United States v. Hilton75 provides a very good example of a computer forensic examiner offering expert witness testimony to interpret the data gleaned from his examination. Among the issues in Hilton was whether the Defendant had utilized interstate commerce (i.e. the Internet) in the process of distributing child pornography, thereby satisfying a key element and requirement of the statute. The computer investigator from the United States Customs Service testified that the images in question were located in a subdirectory named "MIRC," which contained software and files related to "IRC" (Internet Relay Chat). The Special Agent testified that, in his expert opinion, because the contraband was located in the MIRC subdirectory that contained Internet chat-related files, the images were likely associated with the Internet. The special agent also testified that the file time and date stamps reflecting the creation time of each of the subject images were indicative that the Defendant downloaded the images from the Internet via a modem. The special agent based this conclusion on the fact that the images were created on Defendant's computer at intervals of time consistent with downloading the images via a modem. The special agents expert testimony, among other factors, convinced the court the subject images were transmitted to the Defendant's computer via the Internet, thereby satisfying the interstate commerce requirement of section 18 U.S.C. 2252A(a)(5)(B).

2001 Guidance Software

June 2001

3.2

Illustrations of Testimony DIRECT EXAMINATION -- PRE-TRIAL EVIDENTIARY HEARING A. PREFACE

If any challenge is raised to the qualifications of the computer examiner or the foundation of the evidence concerning the tools or methodologies used in the course of a computer forensic investigation, many prosecutors prefer to address such objections outside the presence of the jury through a hearing under either Federal Rule of Evidence 702, Rule 104 or Daubert. Judges are typically more receptive toward technical evidence and it is obviously desirable to avoid presenting complex testimony on contested technical issues before a jury by resolving such foundational issues in a separate hearing beforehand. The following fictional mock trial direct examination is designed to illustrate how a proper foundation may (but certainly not must) be established for the EnCase process under both Rule 901(b)(9) and Daubert. For illustration purposes, the below example contains more detail than what would normally be presented on direct examination, even in the context of a court trial or hearing. However, much of the information may be useful for re-direct examination. B. BACKGROUND [After stating name for the record] Q: Sir, are you a Senior Special Agent for the United States Customs Service? A: Yes I am. Q: And do you have any specialized duties as a Customs agent? A: I am a computer evidence examiner certified as a Seized Computer Evidence Recovery Specialist by the United States Department of the Treasury. Q: Please tell us how long you have been a computer evidence examiner. A: I have been a Seized Computer Evidence Recovery Specialist with Customs for eight years. Q: Tell us about your educational background. A: I received a Bachelor of Science degree in electrical engineering from University of __________ in 19__. Q: And could you briefly describe your training for the handling and examination of computer evidence? A: In 19__ I received three-weeks of intensive training, known as Seized Computer Evidence Recovery Specialist training at the Federal Law Enforcement Training Center. In 19__ I obtained Computer Forensic Examiner Certification from the International Association of Computer Specialists, known as IACIS, after receiving two weeks of their intensive training. The next year I received Advanced Course 2001 Guidance Software

June 2001

34, and ask if you can identify it? A: Yes. This is the printout I made of the metafile of the e-mail document from [email protected] to the e-mail account of the Defendant. Q: If you would, please read the text as it appears on this printout.

2001 Guidance Software

June 2001

4 The Best Evidence Rule

4.0 Overview

robably the most misunderstood rule of evidence among many computer forensic investigators is the Best Evidence Rule. The Best Evidence Rule is a doctrine of evidentiary law in the United States and Canada that essentially requires that, absent some exceptions, the original of a writing must be admitted in order to prove its contents. As one might imagine, significant questions arise when applying this evidentiary doctrine to computer data. Among the issues raised by this rule are how to present computer evidence at trial, what constitutes a valid image of a computer drive, and data compression. This chapter will provide the law and address some myths as well. 4.1 Original Electronic Evidence The Best Evidence Rule under the US Federal Rules provides that [t]o prove the content of a writing, recording or photograph, the original writing, recording or photograph is required79 Notably, electronic evidence falls under the Federal Rules definition of documents. 80 However, with electronic evidence, the concept of an original is difficult to define. For example, when seeking to reproduce an original photographic image, a negative of that photograph, while containing all the data of the original, must be processed in order to provide an accurate visual replication of the original photograph. Fortunately, the Federal Rules of Evidence have expressly addressed this concern. Rule 1001(3) provides [if] data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an original. Under this rule and similar rules in state jurisdictions, multiple or even an infinite number of copies of electronic files may each constitute an original.81 The operative language in Rule 1001(3) is accurate reflection. It is a mistake to analogize computer files to hard copy documents for purposes of the Best Evidence Rule. A mere bit stream copy of a graphical image file does not provide a completely accurate printout or other output readable by sight unless Windows-supported forensic tools or other viewers are used to non-invasively create an accurate visual output of the recovered data, without changing any of the data. Conversely, if a computer file is compressed, encrypted, transmitted as an e-mail attachment (thus sending a copy of that decrypted, compressed file in a different file format and even divided into many packets), and then received, decompressed, decrypted and opened, the file now in possession of the recipient would be another original of that file under the Federal Rules. Printing that file also converts it to another file format. However, as long as the printout is an accurate reflection of the original data, it is irrelevant what the operating system or the network 2001 Guidance Software 31 June 2001

does to that file during the printing process. The important concept here is the accuracy of the visual output once the image is mounted. If an examiner were to simply extract key data from slack space and export that data to a text file, will a printout of that text file always constitute an accurate reflection of the original data? Many prosecutors do not think so, because the context of computer data is often as important as the data itself. Congress, by enacting Rule 1001(3), placed the emphasis on the accuracy of the visual output of computer data (printout or otherwise) once the image or file is mounted, not on the stored state of that file or image. Obviously, if the original data is actually compromised, the visual output will not be accurate. It is mandatory that the original data remain unchanged, but whether that data is compressed, encrypted or converted to a different file format in its stored state is immaterial as long as the data itself is not compromised. This is one of the reasons the MD5 hash and verification processes are so important. Even though the file format of the data in question may change, the integrity of that data must remain intact. The Best Evidence Rule has been raised in the context of an entire drive image as well as an individual file. A Texas Appellate Court recently ruled that an image copy of a hard drive qualifies as an "original" for the purposes of the Best Evidence Rule.82 The issue of whether an EnCase Evidence File suffices as an original under the Best Evidence Rule was recently litigated successfully in US Federal District Court, New Hampshire (see 4.4 for a full discussion). In situations where computer evidence is collected from a business, a drive image copy is often the only original available to the examiner, as the company often requires immediate return of the original drives in order to remain in business. However, while there is strong legal support for a drive image copy satisfying the Best Evidence rule, it is always advisable to retain physical custody of the seized drive whenever possible. An ideal compromise is to retain custody of the original drives while providing restored or cloned drives to the business. 4.2 Presenting Electronic Evidence at Trial The United States DOJ Guidelines on Searching and Seizing Computers states an accurate printout of computer data always satisfies the best evidence rule.83 This certainly is true in general. However, in Armstrong v. Executive Office of The President,84 the court correctly ruled that a hard copy paper printout of an electronic document would not necessarily include all the information held in the computer memory as part of the electronic document.85 The court further noted that without the retention of a complete digital copy of an electronic document such as an e-mail message, essential transmittal relevant to a fuller understanding of the context and import of an electronic communication will simply vanish.86 As illustrated by the Armstrong case, the presentation of electronic evidence often requires the visual display of the logical data structure of a file, its context, and its associated metadata, in addition to the physical data of that file. When seeking to

2001 Guidance Software

June 2001

establish a defendants state of mind by presenting an electronic audit trail, the ability to display a visual output showing various file attributes and other metadata and demonstrating the logical connection to various data filesinstead of relying upon dry and technical expert testimonyprovides a tremendous advantage to the advocate of such evidence. EnCase provides the best method to visually display all physical and logical data contained on the target drive, while showing the context of such files by displaying file metadata and other means. When providing testimony, many examiners present evidence through screenshots in a PowerPoint presentations format, or take EnCase with them into Court for a live demonstration. In United States v. Dean, the opinion reflects that the prosecution presented results of its computer forensic examination through PowerPoint slides.87 Such a presentation, fast becoming common if not mandatory in modern trial practice, is virtually impossible using the available command-line utilities.

Figure 1: A screenshot exhibit offered by the prosecution and entered into evidence in US v. Dean. The black redactions over certain filenames are a result of the Dean courts ruling that the probative value of those filenames was outwieghed by their prejudicial nature.

In Dean, the prosecution sought to establish that the Defendant accessed and viewed files on a series of floppy disks. While the Defendant denied ever accessing and viewing those files, his computer operating system created temporary link files when he accessed the floppy disk files. A US Customs Service forensic investigator recovered those temporary link files from the Defendants hard drive. In order to show the context 2001 Guidance Software 33 June 2001

and metadata associated with the link files, including file created dates, full path location and other information, the prosecution successfully presented EnCase screen shots as evidentiary exhibits. These screen capture exhibits provided the most accurate visual display of the data, as it existed on the Defendants computer at the time of seizure. The court allowed the screenshots into evidence and Dean was convicted on all counts. Dean is an important illustration that the context of computer evidence is often just as important as the data itself. For example, if portions of relevant data are recovered in unallocated or slack space areas of a drive and then simply exported to a text file and then printed, a proponent will likely face significant difficulty in admitting that evidence without establishing its context. What file partially overwrote the first section of the cluster where the slack data still resides? When was the file currently occupying that cluster created and last modified? What is the precise address (physical cluster, sector offset, etc.) of the data recovered from slack space? Figure 2 illustrates how such data should be presented both for demonstrative purposes and to comply with the Best Evidence rule.

Figure 2: Key evidence of bomb making instructions found in the slack area of a cluster also occupied (at the beginning) by a deleted printer spool file. Screen shot presentation enables full contextual presentation of the data.

4.3

Compression And the Best Evidence Rule The issue of compression in the context of computer evidence is one that has

2001 Guidance Software

June 2001

never been addressed by the courts in any known published decisions. However, there is some appreciable authority where US courts have discussed data compression in the context of intellectual property disputes. These rulings do provide a degree of guidance on how the courts would address compressed computer files as evidence. In Storer v. Hayes Microcomputer Products, the court defined computer data compression as follows: "Data compression is the process of reducing the size of the representation of a string of electronic data in order to permit it to be transmitted or stored more efficiently and later to be reconstructed without error."88 While the Storer case addressed whether a companys compression technology infringed upon a patent held by a competitor for similar technology, the case provides a clear and concise definition of data compression as articulated by a court. In Universal City Studios v. Reimerdes,89 a Napster-genre copyright infringement case, the court determined that a software application that compresses and then decompresses DVD recordings using "lossy" compression infringes upon the copyright of the publisher. This is so even though "lossy" compression involves inexact replication of the original file. Thus, the compressed and then decompressed end product infringes upon the copyright of the original material. Compression technology allows EnCase to store a large disk image in a relatively small file. An Evidence File can be compressed upon acquisition or at a later point in the investigation. Compressed Evidence Files can be searched and examined by EnCase in the same manner as uncompressed Evidence Files. EnCase uses an industry standard lossless compression algorithm to achieve an average of 50% size reduction. Lossless data compression, where the compressed-then-decompressed data is an exact replication of the original data, is a very basic and standard aspect of computer science. It is also important to note that whenever a computer file is transmitted over the Internet or it is sent to the printer, it undergoes compression. Some excellent resources on lossless data compression and data compression in general can be found at http://www.datacompression.com. As noted above, Federal Rule of Evidence 1001(3) provides [if] data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an original. Compression does not have any effect on the actual content of the Evidence Files or the integrity of the evidence. Importantly, a compressed Evidence File will register the same CRC and MD5 hash values as an uncompressed Evidence File of the same drive, as the file content is identical. Further, in the post-acquisition verification process, EnCase verifies the compressed blocks as well as the MD5 hash for the entire image in the same manner as with uncompressed Evidence Files. As a compressed Evidence File will contain the exact same contents and the same CRC and MD5 hash values as an uncompressed Evidence File of the same disk image, both will constitute an original under Fed.R.Evid. 1001(3). For the same reason, an Evidence File that is acquired uncompressed and is subsequently copied in a compressed format also constitutes an original under Rule 1001(3).

2001 Guidance Software

June 2001

4.4

US v. Naparst The EnCase Evidence File Validated As Best Evidence

The issue of whether EnCase Evidence Files constituted the best evidence of the computer data contained therein was litigated in a recent federal criminal prosecution in New Hampshire. The prosecution offered to allow the Defense access to a copy of the EnCase evidence file for discovery purposes. However, the Defense contended that it required access to the original computer systems in question so that they could operate those computers and examine them in their native environment, and filed a formal written request for a Court order allowing such unfettered access to the original computer evidence. The Government filed a successful objection to the request, asserting that the mirror image created by the Special Agent is the proper way to preserve the original evidence, as turning on the computer, as the Defense requested, will change the state of the evidence by altering critical date stamps and potentially overwriting existing files and information. The Court ruled that the EnCase Evidence File qualified as the Best Evidence and that a discovery copy of the Evidence File would be sufficient discovery disclosure. Alternatively, the court ruled that the defense could have access to the original computer systems only if its expert created another proper forensic image under the supervision of the Special Agent. The defense was barred from booting the original computer systems to their native operating systems. A copy of the three-page brief filed by the Government in support of its successful objection is reprinted here with permission. UNITED STATES DISTRICT COURT DISTRICT OF NEW HAMPSHIRE (United States of America ( ( v. ( (Harold Naparst

Cr.: 00-11-1-M

thousands of CRC checks. This means that an investigator can determine the location of any error in the forensic image and disregard that group of sectors, if necessary. The Cyclical Redundancy Check is a variation of the checksum, and works in much the same way. The advantage of the CRC is that it is order sensitive. That is, the string 1234 and 4321 will produce the same checksum, but not the same CRC. In fact, the odds that two sectors containing different data produce the same CRC is roughly one in a billion. The CRC function allows the investigators and legal team to confidently stand by the evidence in court. In addition to the CRC blocks, EnCase calculates an MD5 hash for all the data contained in the evidentiary bit-stream forensic image. As with the CRC blocks, the MD5 hash of the bit-stream image is generated and recorded concurrent to the acquisition of a physical drive or logical volume. The MD5 hash is calculated through a publicly available algorithm developed by RSA Security. The odds of two computer files with different contents having the same MD5 hash value is roughly ten raised to the 38th power. If one were to write out that number, it would be a one followed by thirty-eight zeros. By contrast, the number one trillion written out is one followed by only twelve zeros. The MD5 hash value generated by EnCase is stored in a footer to the Evidence File and becomes part of the documentation of the evidence. Throughout the examination process, EnCase verifies the integrity of the evidence by recalculating the CRC and MD5 hash values and comparing them with the values recorded at the time of acquisition. This verification process is documented within the EnCase-generated report. It is impossible for EnCase to write to the Evidence File once it is created. As with any file, it is possible to alter an EnCase Evidence File with a disk utility such as Norton Disk Edit. However, if one bit of data on the acquired evidentiary bit-stream image is altered after acquisition, even by adding a single space of text or changing the case of a single character, EnCase will report a verification error in the report and identify the location where the error registers. 5.2 CRC and MD5 Hash Value Storage and Case Information Header
CRC 64 Sectors of Data

Case Info

MD5

Figure 3: A Graphical Representation of the EnCase Evidence File

The CRC and MD5 hash values are stored in separate blocks in the EnCase Evidence File, which are external to the evidentiary forensic image itself. Those blocks containing the CRC and MD5 hash values are separately authenticated with separate CRC blocks, thereby verifying that the recordings themselves have not been corrupted. If any information is tampered with, EnCase will report a verification error. Conversely, 2001 Guidance Software 40

June 2001

process that involves reverse engineering a proprietary image file format without the consent of the developer. Because of such questions, EnCase is not designed to mount or crack other proprietary file images.

2001 Guidance Software

June 2001

6 Challenges to EnCase and Other Litigated EnCase Issues

omputer forensic investigators throughout the world utilize EnCase for the seizure, analysis and court presentation of computer evidence. Reports from the field indicate that computer data acquired and processed with EnCase has been successfully admitted into evidence in thousands of trials and preliminary hearings throughout the world. There are no known instances of sustained objections to EnCase-based computer evidence on authentication grounds relating to the use of EnCase. There are to date three particularly notable cases where EnCase withstood challenges over other processes: 1. Mathew Dickey v. Steris Corporation, (United States Dist. Ct, Kansas No. 99-2362KHV) 2. State of Washington v. Leavell (Okanogan County, Washington Superior Ct. no. 00-10026-8) 3. People v. Rodriguez (Sonoma County, California Superior Ct. no SCR28424) Matthew Dickey v. Steris Corporation The first known instance of a serious challenge to the use of EnCase occurred in a civil litigation matter before the United States Federal District Court, Kansas, where at an April 14, 2000 pre-trial hearing, the court ruled that the testimony of an Ernst & Young expert regarding his computer forensic investigation based upon EnCase would be allowed, overruling objections from the Plaintiff. In Matthew Dickey v. Steris Corporation, the trial court overruled evidentiary objections to the introduction of EnCase-based evidence at an April 14, 2000 pre-trial hearing. Plaintiff Dickey brought a motion in limine seeking to exclude the testimony of an Ernst & Young expert, regarding the results of his computer forensic investigation based upon the use of EnCase. The Plaintiffs motion was based upon the report of his own expert, which consisted of a critique of the Ernst & Young report. Steris Corporation (Steris) successfully opposed Dickeys motion, clearing the way for the expert testimony based upon EnCase. Steris brought its own motion to exclude the testimony of the Plaintiffs expert. Among Steriss arguments was the contention that the Plaintiffs expert was unqualified to provide an expert opinion about computer forensics as, among other reasons, she was admittedly unfamiliar with the EnCase software. The court denied both motions, finding that 1) the challenge to the EnCase process employed by the Ernst & Young expert was without merit, and 2) the testimony of the Plaintiffs expert would not be excluded, although she could be questioned at trial regarding her unfamiliarity with EnCase, which would be relevant to her credibility as a computer forensics expert.

2001 Guidance Software

June 2001

State of Washington v. Leavell On October 20, 2000 in a Washington State Superior Court, a contested hearing took place in the matter of State of Washington v. Leavell91 where the defense brought an unsuccessful suppression motion to exclude from trial all computer evidence obtained through a forensic investigation utilizing EnCase. A copy of the complete hearing transcript is included as an attachment to this publication. The defense brought its challenge on two grounds: 1) That the governments examiner could not establish a proper foundation for the evidence, asserting that EnCase was essentially providing expert testimony and that the defense was unable to crossexamine the government witness in detail regarding how EnCase works and how it was developed; and 2) That EnCase should be subject to a Frye92 analysis, which is a legal test employed by many courts in the United States to determine whether a scientific technique for obtaining, enhancing or analyzing evidence is generally accepted within the relevant scientific community as a valid process. The Court ruled that the governments trained computer examiner could provide a sufficient foundation for the evidence recovered by EnCase, and that EnCase met the Frye test as a process with general acceptance and widespread use in the industry. On the issue of evidentiary foundational requirements, the Court relied on the case of State v. Hayden,93 which upheld the validity of enhanced digital imaging technology and the admissibility of evidence obtained through this process. The Court noted that like enhanced digital imaging technology, EnCase is merely a tool utilized by the States examiner and is not providing expert testimony. The Court determined that the investigating officer who was trained in computer forensics could testify regarding the EnCase process. On the related argument of the Frye analysis, the Court similarly upheld the introduction of evidence obtained with EnCase. The Court determined that EnCase was a widely used and commercially available software tool for recovering computer evidence, including deleted files, and that the investigating officer had conducted his own testing and successfully recovered deleted files on many other occasions. The defense based its Frye challenge in part on the theory that only Microsoft could completely and accurately recover deleted files, as the inner workings of the Windows operating system were proprietary. The government countered by producing an affidavit from an internal computer forensic investigator at Microsoft who testified that his department utilized commercially available software for the forensic recovery of deleted files, and that EnCase was one of their primary tools for this purpose. The Court expressly took judicial notice of Microsofts use of EnCase software, which served as one of the considerations in the Courts ruling. Finally, the Court relied upon the case of United States v. Scott-Emuakpor,94 which is addressed at length in section 3.1. The court in Scott-Emuakpor determined that the United States Secret Service agents who conducted the computer forensic examination did not need to be a qualified experts in computer science to present their

2001 Guidance Software

June 2001

June 2001

to open a drawer to find out whether the label was misleading and the drawer contained the objects of the search.123 The court rejected the government's argument that the files were in plain view, finding that it (was) the contents of the files and not the files themselves which were seized. The court also noted that the pornographic images were in closed files and thus not in plain view.124 By this language, the Carey court seems to imply that file folders evidencing criminal conduct outside the scope of the search warrant may be seized, but the actual file contents may not be searched absent a supplemental warrant. The court also rejected the file cabinet analogy noting that [t]his is not a case in which ambiguously labeled files were contained in the hard drive directory. It is not a case in which the officers had to open each file drawer before discovering its contents. Even if we employ the file cabinet theory, the testimony of (the officer) makes the analogy inapposite because he stated he knew, or at least had probable cause to know, each drawer was properly labeled and its contents were clearly described in the label.125 The court further noted that because this case involves images stored in a computer, the file cabinet analogy may be inadequate. Since electronic storage is likely to contain a greater quantity and variety of information than any previous storage method, computers make tempting targets in searches for incriminating information.(citations) Relying on analogies to closed containers or file cabinets may lead courts to oversimplify a complex area of Fourth Amendment doctrines and ignore the realities of massive modern computer storage."126 The Carey court, seizing the opportunity for pontification in an unsettled area of the law, then proposed in dicta that courts addressing this issue in future acknowledge computers often contain intermingled documents. Under this approach, law enforcement must engage in the intermediate step of sorting various types of documents and then only search the ones specified in a warrant. Where officers come across relevant documents so intermingled with irrelevant documents that they cannot feasibly be sorted at the site, the officers may seal or hold the documents pending approval by a magistrate of the conditions and limitations on a further search through the documents. The magistrate should then require officers to specify in a warrant which type of files are sought.127 In support of its proposal, the court invokes a Harvard Law Review notation, which theorizes that where a warrant seeks only financial records, law enforcement officers should not be allowed to search through telephone lists or word processing files absent a showing of some reason to believe that these files contain the financial records sought. Where relying on the type of computer files fails to narrow the scope of the search sufficiently, the magistrate should review the search methods proposed by the investigating officers."128 The court further opines that with the computers and data in their custody, law enforcement officers can generally employ several methods to avoid searching files of the type not identified in the warrant: observing files types and titles listed on the directory, doing a key word search for relevant terms, or reading portions of each file stored in the memory. In this case, (the officers) did list files on the directory and also performed a key word search, but they did not use the information gained to limit their search to items specified in the warrant, nor did they obtain a new warrant authorizing a search for child pornography.

2001 Guidance Software

June 2001

However, notwithstanding its extensive comments on the topic and its rejection of the filing cabinet analogy advocated by the government, the court ultimately states that it did not reach its decision on the applicability of the Plain View Doctrine.129 Instead, the court expressly bases its ruling upon the testimony of the investigating officer who conceded that he intentionally abandoned his search for evidence of drug trafficking and began opening the .jpg files with the intent to search for files containing erotic depictions of minors. Under such circumstances, the court notes, we cannot say the contents of each of those files were inadvertently discovered.130 The court indicates throughout the opinion that had the investigating officer obtained a supplemental warrant after viewing the first file containing child pornography, such a supplemental warrant and authorized search would have been proper. The court also implies that had the officer come across the various items of child pornography inadvertently while continuing his search for drug-related information, the Plain View Doctrine would have been applicable. Unlike the majority opinion, concurring opinion is less than subtle on this point, noting that if the record showed that (the officer) had merely continued his search for drug-related evidence and, in doing so, continued to come across evidence of child pornography, I think a different result would have been required.131 7.3 Post-Carey Case Law

Several courts have issued published decisions involving the search and seizure of computer media that feature a discussion of Carey, while another court has addressed the Plain View Doctrine in the context a forensic text string search of computer files but without a discussion Carey. These decisions provide some indications as to the yet undetermined impact of the Carey decision. In United States v. Gray,132 FBI agents executed a search warrant at the home of a suspected computer hacker and seized four computers belonging to defendant, which were taken back to the FBIs offices. The warrant authorized the FBI to search the defendants computer files for evidence of computer hacking activity, including stolen computer files and utilities enabling unauthorized access to protected computer systems. After imaging the four computer drives onto magneto-optical disks, the FBI Computer Analysis Response Team (CART) agent created a series of CD-ROMs from the disk images to allow the case agents to view the information in readable form. While the information was being copied onto the CD-ROMs, the agent, pursuant to routine CART practice, opened and looked briefly at each of the files contained in the directories and subdirectories being copied to look for the materials listed in the search warrant in the hope that they might facilitate the case agents search.133 To accomplish this, the CART agent utilized the CompuPic program to display thumbnail views of the text and graphical image files contained in each directory. In the course of this action, the CART agent came across and opened a subdirectory entitled Teen that contained numerous files with .jpg extensions.134 While the agent noted that the files in that subdirectory appeared to contain images of child pornography, he continued his original search pursuant to the warrant.

2001 Guidance Software

June 2001

Thereafter, the agent saw another subdirectory entitled Tiny Teen, causing the agent to wonder if child pornography resided in that subdirectory.135 The CART agent testified that he then opened the "Tiny Teen" subdirectory not because he believed it might contain child pornography, which it did, but rather because it was the next subdirectory listed and he was opening all of the subdirectories as part of his routine search for the items listed in the warrant.136 Upon determining that the Tiny Teen subdirectory did apparently contain child pornography, the CART agent ceased his search and obtained a second warrant authorizing a search of defendant's computer files for child pornography. The search pursuant to the supplemental warrant revealed additional images of child pornography, which, along with the images that triggered the application for the warrant, the defendant moved to suppress.137 In upholding the original search and supplemental warrant as lawful, the court noted that: Although care must be taken to ensure a computer search is not overbroad, searches of computer records are no less constitutional than searches of physical records, where innocuous documents may be scanned to ascertain their relevancy. It follows, then, that (the agents) search of the Teen and Tiny Teen subdirectories was not beyond the scope of the search warrant. In searching for the items listed in the warrant, (the CART agent) was entitled to examine all of defendant's files to determine whether they contained items that fell within the scope of the warrant. In the course of doing so, he inadvertently discovered evidence of child pornography, which was clearly incriminating on its face.138 The court found United States v. Carey to be distinguishable, finding that the CART agent never abandoned his original search: he was not commencing a new search when he opened the Teen and Tiny Teen subdirectories, rather, he was continuing his systematic search . . . without regard to file names or suffixes because he was aware that the materials that were the subject of the warrant could be hidden anywhere in defendant's files.139 The Gray court was also unpersuaded by the defenses argument that the CART agent knew the Teen and Tiny Teen subdirectories did not contain documents or other files related to hacker activity when he searched them because many of the files had .jpg" extensions, indicating a picture file, and none of the materials covered by the warrant were believed to be pictures. In a strong affirmation of standard practice by many examiners, the court noted that the CART agent would have been remiss not to search files with a .jpg suffix simply because such files are generally pictures files, based upon his experience that computer hackers often intentionally mislabel files, or attempt to bury incriminating files within innocuously named directories.140 In United States v. Scott-Emuakpor,141 FBI and Secret Service agents

June 2001

forensic processes utilized by U.S. Customs in early 1997, before the agencys adoption of EnCase). The court further states if the images themselves could have been easily obtained through an on-site inspection, there might have been no justification for allowing the seizure of all computer equipment. In reviewing a 1995 forensic examination, the court in United States v. Hunter,154 opined, until technology and law enforcement expertise render on-site computer records searching both possible and practical, wholesale seizures, if adequately safeguarded, must occur. Thus, it is only a matter of time before warrant return requirements of 10 days or less become the standard for computer examinations. A clear example is the Southern District of the 9th Circuit (San Diego) where magistrates are now routinely mandating on-site computer examinations when issuing warrants to be executed at business establishments. Not coincidently, the San Diego Regional Computer Forensics Lab resides in the Southern District of the 9th Circuit, and the capabilities and expertise of the lab are widely known by the local bench.

2001 Guidance Software

June 2001

8 Complying with Discovery Requirements when Utilizing the EnCase Process

8.0 Overview

ne of the questions prosecutors and examiners routinely face in the field is complying with discovery requirements when the prosecutions computer evidence is contained within an EnCase image. This is a somewhat difficult issue due to the very nature of computer evidence. Printing out all the data on a typical 10-gigabyte hard drive would result in a stack of paper approximately 300 meters tall. Even worse, this data will be compromised unless properly handled with computer forensic software. The question then becomes what is required to produce relevant computer evidence in the course of discovery? There are several models for producing electronic evidence in the course of discovery that are employed by prosecutors and attorneys. Each have their own strengths and weaknesses, and the applicable statutes and discovery rules of the particular jurisdiction and preferences and discretion of the individual judge often determine which of the following models are most suitable. 8.1 Production of Entire EnCase Images

Many attorneys choose to produce exact copies of the EnCase Evidence File, which is a complete physical image of an acquired drive. Often the prosecution will also produce the Case File, which contains the bookmarks, text-string searches, various notes and comments of the investigator, as well as other information. As much of the data contained within the Case File, such as the examiners bookmarks and notations could be considered work product, it is within the discretion of the prosecutor to produce such evidence. Many prosecutors in the U.S. inform the defense that it should retain an expert who is familiar with the EnCase software. With EnCase and the practice of computer forensics becoming more standard, there are an increasing number of experts in the private sector as well as Federal and State Public Defenders offices who are utilizing the software. As such, this option is becoming increasingly more feasible as the practice of computer forensics expands. The advantage to this approach is that it ensures the defense cannot tamper with the evidence, at least without detection, and dispels any claim that the prosecution withheld evidence. For these reasons, this method of discovery is the most desirable. The disadvantage to this approach is that many defendants and their counsel still lack the expertise or means to purchase and utilize the EnCase software, although as noted above, this trend is decreasing. 2001 Guidance Software

June 2001

8.2

Production of Restored Drives

Another option is to provide a restored hard drive, which is a complete bootable clone of the original seized drive. EnCase includes a feature that allows the examiner to easily restore an EnCase image to a separate drive. EnCase version 2.11+ will restore the seized drive onto a separate drive and verify the copy by a 128 bit, MD5 hash, which will match that of the original evidence, even if different sized media is utilized in the process. After receiving the discovery, the defenses retained expert can examine the evidence. The advantage of this approach is that it provides the entirety of the evidence in a manner that most laypersons can access and view. However, the disadvantage of this approach is that deleted, temporary and buffer files, as well as key metadata are not viewable by simply booting the cloned drive. Also, once the defense boots the cloned drive, much of the evidence would change, including date stamps and writes to the swap file. As a result, the Defense may attempt to introduce, and not necessarily by intention, evidence that is not an accurate reflection of the data as it existed at the time the government seized the computer media. Of course, with the MD5 hash of the restored drive recorded, the prosecution would be able to detect that any changes were made to the restored drive by the defense. 8.3 Production of Exported Files

Some prosecutors provide selected exported files and other information from the Evidence File, along with printouts of that information. Production of these files and blocks of selected data is achieved by transferring the information to a CD-ROM disk in a format that is easily viewable by counsel. The EnCase report may also be produced. This option provides the exact information that the prosecution intends to introduce at trial in a convenient and easy to read format. By providing the electronic evidence on CD-ROM disks, the defense cannot tamper with the selected portions of the original evidence. Disadvantages of this process include potential claims that the production was too narrow and that potentially exculpatory documents were omitted. Many courts tend to prefer that document productions be comprehensive, as opposed to more limited productions that may not contain all relevant data. 8.4 Supervised Examination

Where the Defense has retained an expert, another option is to permit the defense expert to access, under supervision of the investigating officer and/or a special master, an image of the original drives so that the expert can conduct a proper and non-invasive investigation. This approach is essentially the only option where the computer evidence consists of contraband, such as child pornography. Ideally, the expert would utilize EnCase to conduct the exam, but may be permitted access to the original drives or a properly restored clone for re-imaging with other non-invasive tools.

2001 Guidance Software

June 2001

Section 4.4 summarizes a New Hampshire Federal District Court case where the prosecution offered to allow the Defense supervised access to a copy of the EnCase Evidence File, which contained images of child pornography. However, the Defense contended that it required access to the original computer systems in question so that they could operate those computers and examine them in their native environment, and filed a formal written request for a Court order allowing such unfettered access to the original computer evidence. The Government filed a successful objection to the request, asserting that the mirror image created by the Special Agent is the proper way to preserve the original evidence. The Government asserted that merely turning on the computer, as the Defense requested, will change the state of the evidence by altering critical date stamps and potentially overwriting existing files and information. The Court ruled that the Defense could only have access to the original computer systems if their expert created a proper forensic image under the supervision of the Special Agent. The Defense was barred from booting the original computer systems to their native operating systems. 8.5 Discovery Referee in Civil Litigation Matters Electronic evidence discovery has recently become a critical component of civil litigation. This has not always been the case as the prior DOS-based, non-integrated methods of computer forensic investigation often proved cost-prohibitive, inefficient and incompatible with the needs of litigation counsel in terms of reviewing the complete investigation results and producing them to the opposing party. In Alexander v. Federal Bureau of Investigation,155 an information technology specialist from the Executive Office of the President testified that the examination of a single hard drive to locate documents responsive to a subpoena (employing non-EnCase methodology) would require approximately 265 hours. If a law firm were to retain an expert to conduct a similar task at an average standard rate of $300 per hour, the cost would nearly exceed $80,000 for the examination alone. It is thus no wonder that the Alexander case often found its way into briefs submitted by litigants seeking to quash an adversarys subpoena for the production of computer evidence. As recent as July 1999, counsel advanced the argument in one well-publicized federal litigation that e-mail discovery was simply not feasible.156 Even though civil trial lawyers have long recognized the importance of computer evidence discovery involving the assistance of computer forensic experts, enormous financial constraints generally limited the practice to only the most well financed lawsuits. However, recent significant improvements in computer forensic techniques and software have reversed this trend. Recently, an Indiana U.S. District Court issued an order articulating a well-designed discovery protocol for the examination of computers to recover relevant documents, including deleted files. In Simon Property Group v. mySimon, Inc.,157 the court issued an order appointing Seattle-based Computer Forensics, Inc., (CFI) as an officer of the court and directing that CFI generate mirror images of 8 designated computers. The Court issued the order after the Plaintiff brought a motion to compel access to computers in the possession of defendants, who objected to making

June 2001

operated by ___________. 5. XYZ Company must retain and preserve all backup tapes or other storage media, whether on-line or offline, and refrain from overwriting or deleting information contained thereon, which may contain Electronic Data identified in paragraphs 2 through 4. 6. In order to alleviate any burden upon XYZ Company, the undersigned is prepared to immediately enlist the services of a computer forensic expert to properly and non-invasively create back-up images all drives and media in the custody and control of XYZ company that may contain Electronic Data relevant to this matter. This can be accomplished through a stipulation setting forth a similar procedural framework outlined by the Court in Simon Property Group v. mySimon, Inc. 94 F.R.D. 639 (SD Ind. 2000), to ensure retention of all privileges while properly preserving and processing computer evidence as mandated by the court in Gates Rubber Co. v. Bando Chemical Indus., Ltd 167 F.R.D. 90, 112 (D.Col., 1996). Please contact me if you have any questions regarding this request. Sincerely, _____________

2001 Guidance Software

June 2001

9 Employee Privacy and Workplace Searches of Computer Files and E-mail

9.0 Overview lectronic mail is all but firmly established as the primary form of workplace communication. In recent years, employment litigation and other cases involving alleged workplace misconduct routinely involve evidence in the form of e-mail or other computer-generated records created in the course of business. With most of a typical companys documents and other information existing in electronic form, employer monitoring, and in many cases, seizure of these files is becoming commonplace. In considering employee privacy in the context of monitoring of e-mail and other computer files, it is important to note that the rights of government employees may differ in many aspects from their counterparts in the private sector. For instance, the United States Constitutions Fourth Amendment restrictions on unreasonable searches and seizures afford potential additional protections for government employees who are subject to monitoring of their e-mail and computer files. As the Fourth Amendment only acts as a check on government actions,160 the scope of the Amendment's protections for government workers' e-mail is limited, if at all, in application to non-government workers. Conversely, employer manuals and other written information setting forth company policy largely govern privacy rights in the commercial workplace. As such, workplace privacy issues in the private and public sector are addressed separately in this section. 9.1 Employee Monitoring in the Private Sector While an employer is generally prohibited by law from intercepting e-mail messages being transmitted over the internet,161 monitoring employee e-mail, stored computer files, including Internet history files, are generally permitted in most states without written consent or notification. Connecticut, a notable exception, requires employers to obtain written consent from their employees before any such monitoring can take place.162 A bill for a similar statute, dubbed the Notice Electronic Monitoring Act (S.2898) was introduced in Congress in July 2000, but as of June 2001 remains in committee. Counsel should remain vigilant in monitoring any developments in the law at both the state and federal level. In considering the propriety of employer monitoring of employee e-mail and computer files, the primary question concerns whether and to what extent written agreements and policies addressing such monitoring are in place. Written notification that their e-mail and computer files are subject to access by the employer generally governs whether an employee can claim a reasonable expectation of privacy in those files. These 2001 Guidance Software

June 2001

rules, in the form of written e-mail, Internet use and stored computer file policies, must limit the employees privacy expectations in their electronic communications and stored computer files, but must do so consistently with laws that prohibit interceptions of electronic communications in transit. Moreover, it is important that these rules and polices are expressly acknowledged and consented to in writing by the employee. Balancing of Interests In determining an employees privacy interests, the courts will balance the employers interest against the reasonable privacy rights of the employee. Preventing theft of intellectual property and policing unauthorized activity are generally seen as compelling interests justifying an employers reasonable monitoring activities.163 Additionally, employers may potentially be held liable for an employees online misconduct where the companys computer networks are the means for the offense.164 Some legal experts have hypothesized that where an employee utilizes an employers computer systems to engage in such activities as hacking, on-line harassment or copyright infringement, an employer may be liable for those activities.165 In the very recent case of Blakey v. Continental Airlines,166 the New Jersey Supreme Court found that Continental Airlines could be potentially liable for an employees harassing postings on an internet bulletin board hosted by the airline for its employees. In reversing a lower courts order dismissing Blakeys complaint, the Court reasoned that since the company provided the Internet forum for employees use, Continental had a duty to monitor e-mail postings to ensure that employees were not harassing one another. In another leading decision in this area, Smyth v. Pillsbury Co., the Pennsylvania U.S. District Court determined that a companys interest in preventing inappropriate and unprofessional comments or even illegal activity over its e-mail system outweighs any privacy interest the employee may have in those comments.167 Thus, with the employers interest in preventing theft and unauthorized activity coupled with the possibility of third liability for failing to monitor the employees on-line conduct usage, e-mail and Internet usage monitoring of employees is a critical, if not mandatory necessity for employers in the private sector. 9.2 The Electronic Communications Privacy Act of 1986 The Electronic Communications Privacy Act of 1986 (ECPA) is a federal statute that some contend has application to an employers workplace e-mail monitoring activities. The ECPA includes two categories relevant to this discussion: Title I prohibits interception of messages in transit,168 while Title II prohibits access to and disclosure of stored information. The stored information provision under title II has been narrowly construed to only apply to information in intermediate storage incident to transmission, such as an e-mail residing on a server prior to being retrieved by the recipient.169 Thus, the ECPA prohibits three types of intrusions into electronic communications: intercepting messages while they are in transit, accessing information in intermediate storage incident to transmission, and disclosing information at any point in the process.170 While the ECPA may seem to provide employees with broad protection from e-mail monitoring, the Act contains several exceptions that sharply limit its scope. First, it is apparent that

2001 Guidance Software

June 2001

Congress did not intend the ECPA to govern the relations of employees to their employers, but rather intended to regulate intrusions by unauthorized outsiders into the electronic communications of organizations. As such, most commentators believe that the ECPA does not cover workplace local area networks (LANs) and thus provides no protection for employees when they send e-mail over their workplace computer network.171 The language in the ECPA prohibiting disclosure of electronic communications only applies to those entities that provide electronic communication services "to the public,"172 while intra-office networks offer services only to employees. Thus, under this construction of the ECPA, any e-mail sent by employees over a nonpublic network would not be subject to the Act. Second, even if the ECPA did apply to proprietary LANs, the Act contains an exemption allowing access to stored communications when authorized by the entity providing electronic communications services.173 On its face, this provision allows the network provider to access any stored communication that had been sent over the network without violating the ECPA. If an employer owns the network, it could then access all communications sent by employees. In Bohach v. City of Reno,174 the plaintiffs, two police officers, sought an injunction preventing the City from continuing an internal affairs investigation. In rejecting the plaintiffs' claim that the investigators' violated the EPCA by retrieving the plaintiffs pager messages stored on the Citys telephone network, the court noted that the City was the provider of the electronic communications service used by the officers.175 It then held that "[section] 2701(c)(1) allows service providers to do as they wish when it comes to accessing communications in electronic storage. Because the City is the provider of the 'service,' neither it nor its employees can be liable under 2701."176 Employers should be aware that actually intercepting e-mail messages in transit, as opposed to accessing stored communications, would likely constitute a violation of the ECPA.177 Interception is generally defined as the act of accessing a message or preventing it from reaching its destination at any point between the time the message is sent and the time the intended recipient receives it. To date, most courts have taken a narrower view of what constitutes "interception" of e-mail, establishing that under the ECPA, interception can only occur during the fraction of a second the message is actually traveling along the wires connecting computers.178 Fraser v. Nationwide Mutual Insurance Co.179 is the latest case to hold that an employers retrieval of an employees e-mail from post-transmission storage does not constitute an interception under the ECPA. In Eagle Investment Systems Corporation v. Tamm,180 the court similarly determined that no interception occurred when an employee obtained a stored e-mail from a co-worker without his consent. In Steve Jackson Games, Inc. v. United States Secret Service, the Fifth Circuit addressed the issue of whether the seizure of a computer storing private e-mail that had been sent to an electronic bulletin board but not yet read by the recipients constituted an "intercept" proscribed by Title I of the ECPA. The court determined that such a seizure was not an interception because the e-mail was not being transferred but was instead in

2001 Guidance Software

June 2001

storage incidental to transmission.181 Other courts have reached similar conclusions regarding the definition of interception as used in the ECPA.182 However, at least one court in a more recent decision has determined that the viewing of information from a secure web page in intermediate storage prior to being read by its intended recipient constitutes an interception.183 As such, there is an apparent split in authority regarding whether seizing an e-mail while in intermediate storage incident to transmission and before it is retrieved by its intended recipient constitutes an "interception" under Title I of the ECPA. However, the seizure of e-mail that has been retrieved by its intended recipient is clearly not an interception under the current status of the law. 9.3 Other Important Considerations for Employers

The issue of employee monitoring is complex and the employers should seek the advice of their counsel when considering the implementation of a written policy governing these issues. The following are some additional important considerations for employers: Employers should monitor all developments in this rapidly developing area of law. In addition to the Connecticut statute,184 the California legislature recently passed a law that would have mandated an employees written consent among other requirements before an employer could monitor their employees e-mail, Internet usage and stored computer files.185 Only the somewhat unexpected veto of Governor Gray Davis blocked the enactment of the statute. Similar bills are being considered in other states and in the US Congress. In any event, employers should ensure that all employees are informed and consent in writing to any such monitoring activities. Currently in the US, proper written consent provides an exception to almost all existing laws governing employers electronic monitoring activities. Employers and their counsel should be mindful of recent cases that hold employers liable for the wrongful conduct committed by an employee through the internet/network. This adds to the equation of the employers interests of not only protecting their intellectual property and internal resources but also being charged with a duty to prevent wrongful on-line conduct of their employees. Employers should be consistent and even-handed in their monitoring activities in order to avoid common law invasion of privacy claims. An employee could in theory state a claim for improper monitoring if an ordinary reasonable person would find that the circumstances involved a substantial and highly offensive invasion of privacy.186 For instance, a targeted, non-routine search for incriminating electronic documents to provide a pretext for the termination of an employee may be construed as unreasonable by some courts.

2001 Guidance Software

June 2001

9.4

June 2001

Cyber Forensics
No ratings yet
Cyber Forensics
22 pages
Evidence Handling
No ratings yet
Evidence Handling
18 pages
Computer Forensics Fundamentals
100% (1)
Computer Forensics Fundamentals
19 pages
Fundamental Computer Investigation Guide For Windows
No ratings yet
Fundamental Computer Investigation Guide For Windows
55 pages
Module 02 Computer Forensics Investigation Process
No ratings yet
Module 02 Computer Forensics Investigation Process
74 pages
S2-Digital Forensics Life Cycle
No ratings yet
S2-Digital Forensics Life Cycle
34 pages
Cyber Forensics
No ratings yet
Cyber Forensics
146 pages
Fundamentals in Computer Investigations - General Digital Forensics
No ratings yet
Fundamentals in Computer Investigations - General Digital Forensics
60 pages
FCI
100% (2)
FCI
48 pages
EnCase Legal Journal 10.2008
100% (2)
EnCase Legal Journal 10.2008
190 pages
Guide To Computer Forensics and Investigations Fourth Edition
No ratings yet
Guide To Computer Forensics and Investigations Fourth Edition
79 pages
Module 03 Computer Investigation Process
No ratings yet
Module 03 Computer Investigation Process
28 pages
Lec 4
No ratings yet
Lec 4
40 pages
Unit Ii CF
No ratings yet
Unit Ii CF
39 pages
EF User Manual
No ratings yet
EF User Manual
393 pages
SCI4201 Lecture 5 - Processing Crime and Incident Scenes
No ratings yet
SCI4201 Lecture 5 - Processing Crime and Incident Scenes
66 pages
Digital Evidence: (C) Peter Sommer 2002
No ratings yet
Digital Evidence: (C) Peter Sommer 2002
29 pages
Computer Security Professionals and IT Personnel
No ratings yet
Computer Security Professionals and IT Personnel
20 pages
EnCase Forensic v8.07 User Guide PDF
0% (1)
EnCase Forensic v8.07 User Guide PDF
780 pages
4482 For L1
No ratings yet
4482 For L1
93 pages
Lecture 5 Processing Crime and Incident Scenes
No ratings yet
Lecture 5 Processing Crime and Incident Scenes
66 pages
Computer Forensics: An Essential Ingredient For Cyber Security
No ratings yet
Computer Forensics: An Essential Ingredient For Cyber Security
11 pages
Guidelines For The Management of IT Evidence
No ratings yet
Guidelines For The Management of IT Evidence
27 pages
2 DF
No ratings yet
2 DF
40 pages
Ques 4
No ratings yet
Ques 4
2 pages
ETI Unit4 Notes Msbte Store
No ratings yet
ETI Unit4 Notes Msbte Store
16 pages
AS HB171 - Guidelines For The Management of of Evidence
No ratings yet
AS HB171 - Guidelines For The Management of of Evidence
42 pages
"Electronic Evidence": National Law School of India University Bangalore
No ratings yet
"Electronic Evidence": National Law School of India University Bangalore
20 pages
Learning From Other's Mistakes: Issues Arising From Electronic Discovery
No ratings yet
Learning From Other's Mistakes: Issues Arising From Electronic Discovery
2 pages
Evidence Law Project
No ratings yet
Evidence Law Project
12 pages
Investigation Unit4
No ratings yet
Investigation Unit4
33 pages
CH 01
No ratings yet
CH 01
39 pages
Preservation of Digital Evidence: Preserving The Digital Crime Scene
No ratings yet
Preservation of Digital Evidence: Preserving The Digital Crime Scene
9 pages
Ten Deadly Sins of Computer Forensics July 2010
No ratings yet
Ten Deadly Sins of Computer Forensics July 2010
5 pages
CERT-EU-SWP 12 004 v1 3
No ratings yet
CERT-EU-SWP 12 004 v1 3
6 pages
Krotoski EffectivelyUsingElectronicEvidence Nov201 231103 222027
No ratings yet
Krotoski EffectivelyUsingElectronicEvidence Nov201 231103 222027
21 pages
Ca2 797
No ratings yet
Ca2 797
32 pages
Gcfi6e Im Ch04
No ratings yet
Gcfi6e Im Ch04
16 pages
Intro To Computer Forensics
No ratings yet
Intro To Computer Forensics
38 pages
Computer Forensics To Court Cases
No ratings yet
Computer Forensics To Court Cases
6 pages
Guide To Computer Forensics and Investigations Fourth Edition
No ratings yet
Guide To Computer Forensics and Investigations Fourth Edition
70 pages
CSI2403 Chapter2
No ratings yet
CSI2403 Chapter2
35 pages
03 27 08 Computer Forensics
No ratings yet
03 27 08 Computer Forensics
110 pages
Ca2 797
No ratings yet
Ca2 797
20 pages
ITT593GroupProject - Case Study Reading
No ratings yet
ITT593GroupProject - Case Study Reading
9 pages
Unit 3
No ratings yet
Unit 3
5 pages
Com Forenis U1 - 1
No ratings yet
Com Forenis U1 - 1
7 pages
Unit 3
No ratings yet
Unit 3
15 pages
EnCase Portable Brochure 9-11-13-Webready
No ratings yet
EnCase Portable Brochure 9-11-13-Webready
6 pages
History of Computer Forensics
No ratings yet
History of Computer Forensics
1 page
Cross-Examination of The Computer Forensic Expert
No ratings yet
Cross-Examination of The Computer Forensic Expert
6 pages
SuccessStory RealWorld
No ratings yet
SuccessStory RealWorld
2 pages
590 WK
No ratings yet
590 WK
17 pages
SuccessStory APD
No ratings yet
SuccessStory APD
2 pages
EnCase Processor Hardware and Configuration Recommendations
No ratings yet
EnCase Processor Hardware and Configuration Recommendations
7 pages
EnCase Forensic v7.03 Onesheet Rev
No ratings yet
EnCase Forensic v7.03 Onesheet Rev
2 pages
Computer Forensics Based On What I Have Read: Definition of Computer Forensics
No ratings yet
Computer Forensics Based On What I Have Read: Definition of Computer Forensics
4 pages
Automated Network Technology: The Changing Boundaries of Expert Systems
From Everand
Automated Network Technology: The Changing Boundaries of Expert Systems
Carl P. Catalano Ph.D.
No ratings yet
CHFI Computer Hacking Forensic Investigator The Ultimate Study Guide to Ace the Exam
From Everand
CHFI Computer Hacking Forensic Investigator The Ultimate Study Guide to Ace the Exam
Jake T Mills
No ratings yet
Software Patterns Made Easy
From Everand
Software Patterns Made Easy
Justice Nanhou
No ratings yet