I'm working on a coursework and have come across a number of stumbling blocks such as finding passwords, finding applications to run "unknown" files and it made me think - what happens in real cases? What is legal and what is not? What is documented - and more importantly what do you tell a court you did and what do you not tell them!
Thanks!
The questions are a bit too general, but I'll try to answer some.
1. You will have to have a good understanding of the legislation before the investigation starts. Unauthorized access for example to the suspect's emails on the server (Google etc) is an offense for anyone including forensic investigators, so you need a warrant of some kind (Stored Communication Warrant here in OZ).
Rules of admissibility come next, you may not be committing an offense by looking for specific evidence, but it may not be admissible because it is not relevant or deemed to be improperly obtained.
2. Ethical hacking? The term is used to describe the procedure of penetration testing (hacking) with the authority provided by the owner of the target computer system or perhaps legal authority (law-enforcement + warrant). There are only a few situations when this is used in real life. Knowledge of the process (Ethical Hacking) is extremely beneficial to the forensic examiner however, because it allows one to better understand how the incident (hacking etc) happened.
3. Running unknown files by booting the suspect’s forensic image in a virtual environment (Liveview or similar apps) is legal for law enforcement (normally there is an exception from copyright legislation if it is done for law-enforcement purposes). Researchers can also do it with no problems. Private investigators should consult with their legal departments.
4. Documenting forensic procedure has been discussed previously, just search for “documenting forensic procedure” and Google can help you to find the answer.
Thanks for the input. What about passwords - Windows based, document based, archives etc? That's what I'm thinking - can you go ahead and do it if the suspect refuses to hand over the passwords - and if so what is the correct procedure to follow?
This is your job as a forensic examiner and there are specific procedures to follow, which is part of the applied decryption field. I come across these files and perform decryption very often.
It is not ethical hacking though.
Thanks for the input. What about passwords - Windows based, document based, archives etc? That's what I'm thinking - can you go ahead and do it if the suspect refuses to hand over the passwords - and if so what is the correct procedure to follow?
Are computers treated any differently from other items of property if it's believed they contain evidence? If a suspect's car or home was the scene of a crime and law enforcement didn't have the keys what would happen?
I'd suggest starting off with the Police and Criminal Evidence Act 1984 (PACE) which provides the framework of police powers around stop and search, arrest, detention, investigation, etc., but I'm not a lawyer or in law enforcement so perhaps other board members could provide more relevant info.
Thanks for the input. What about passwords - Windows based, document based, archives etc? That's what I'm thinking - can you go ahead and do it if the suspect refuses to hand over the passwords - and if so what is the correct procedure to follow?
Are you talking civil or criminal cases?
Basically, the answer depends, in part, upon the laws in your jurisdiction. For example, in the US, a user may not be compelled to turn over a password if that would violate his 5th Amendment rights (actually, this was overturned by an appeals court but the issue is most likely unsettled).
Another issue (in the US) is that of a reasonable expectation of privacy. Password protecting files, even on a shared computer, may grant the user the expectation of privacy which would protect the contents from discovery in many cases.
Bottom line, you need to check with applicable laws in your jurisdiction. I wouldn't attempt to do such a thing unless it was clear that I had the legal authority to do so.
What do you tell a court you did and what do you not tell them!
Thanks!
The answer to that question depends, very much, on what role you are playing and whether the proceedings are civil or criminal.
For example, in criminal proceedings in the US, the prosecutor is required to turn over any exculpatory data to the defendant, while the defendant is not required to turn over any data which might assist the prosecutor in securing a conviction. There are asymmetrical duties, in this case.
In civil proceedings you have fewer obligations in terms of what you must present, voluntarily, however, if you fail to present evidence which might support your opponent's case, you can be accused of bias and the weight of your testimony may be weighted, accordingly.
So, the simple answer is, "it depends".
I would agree with most people here. But in India, one can use the so called "ethical hacking" techniques to secure the information needed as there is no provision under the law which either makes it mandatory for the defendant to hand over the password or stopping the prosecution from using various techniques to obtain the data. However, given the incomplete nature of the law, it is up to the judge to decide mostly.
I'm working on a coursework and have come across a number of stumbling blocks such as finding passwords,
I'm unclear as to how this is a "stumbling block".
…finding applications to run "unknown" files and it made me think - what happens in real cases?
Finding applications…depends on the file.
What is legal and what is not?
That's somewhat up to the attorneys, but there are limits. For example, if you are performing an examination for "suspicious activity" and find that the company's former employee was using a Facebook account, you can't just go attempt to log into the account.
What is documented
Everything you do.
- and more importantly what do you tell a court you did and what do you not tell them!
The biggest thing about this sort of question that most folks do NOT get is that you won't simply end up on the stand…you'll be there at the behest of the prosecution or the defense. As such, what you do/do not say, and how you say it, will in large part be up to them.