Digital Forensics, Privacy and Due Process	Rights
Upcoming SlideShare
Loading in...5

Like this? Share it with your network


Digital Forensics, Privacy and Due Process Rights





Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Digital Forensics, Privacy and Due Process Rights Presentation Transcript

  • 1. Digital  Forensics,  Privacy  and  Due  Process  Rights   Giuseppe Vaciago Seminar on Cybercrime and Digital Forensics April 8-12th 2014 EU-Macao Co-operation Programme in the Legal Field (2002-2007)
  • 2. 1.  Introduc:on   q  Digital/Electronic  Evidence   q  Case  Law  on  Digital/Electronic  Evidence   q  Digital  forensics  Defini7on   2.  Digital  Forensics  Procedure   q  Iden7fy  the  suspect   q  Detec7ng  and  Seizing  Illegal  Contents   q  Valida7ng  Digital  Evidence   q  Chain  of  Custody  a@er  Seizure   q  Analysis  of  Digital  Evidence   q  Repor7ng  of  Digital  Evidence  Findings   3.  Privacy  and  Due  Process  Rights   q  Surveillance   q  Cloud  Compu7ng:  Jurisdic7on  and  Privacy     Agenda   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 3. What  is  Digital/Electronic  Evidence?   Digital   evidence   is   ‘any   informa,on   of   eviden,al   value   whether   memorized  or  sent  in  a  digital  format’  -­‐  defini,on  by  the  Scien,fic   Working  Group  on  Digital  Evidence  (SWGDE  -­‐  1999)       Digital   evidence   or   electronic   evidence   is   ‘any   proba,ve   informa,on  stored  or  transmiFed  in  digital  form  that  a  party  to  a   court  case  may  use  at  trial’  (Eoghan  Casey  -­‐  2004)       Electronic  evidence  is  informa,on  generated,  stored  or  transmiFed   using  electronic  devices  that  may  be  relied  upon  in  court  (Council  of   Europe  -­‐  2012)   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 4. What  is  Digital  Electronic/Evidence?   It’s  invisible   to  the   untrained  eye     It  may  need   to  be   interpreted   by  an   specialist     It  may  be   altered  or   destroyed   through   normal  use     It  can  be   copied   without  limits     Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 5. Legal  Requirements  of  Digital/Electronic  Evidence?   Admissible:   compliant  with   law  and  best   prac,ce     Authen:c:   avoid  any  digital   evidence   tampering   Reliable  and   Believable:   readily   understandable   to  a  judge   Propor:onal:   respect   fundamental   right  of  par,es   affected  by  the   measure   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 6. How  to  find  a  Digital/Electronic  Evidence?   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 7. How  to  find  a  Digital/Electronic  Evidence?   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 8. There  are  three  types  of  digital  evidence:     Created  by  man:  any  piece  of  digital  data  that  is  the  result  of  a  step   or  ac,on  taken  by  a  human  person.    Can  be  one  of  two  types:     a)  Human  to  human  (mail)   b)  Human  to  PC  (word  document)   Categories  of  Digital/Electronic  Evidence   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 9. Created  independently  by  the  computer:  any  piece  of  digital  data   that  is  the  result  of  the  processing  of  data  carried  out  by  soUware  in   accordance   with   a   specific   algorithm   and   without   human   interven,on   (e.g.   telephone   records   or   Internet   Service   Provider   logs)   Categories  of  Digital/Electronic  Evidence   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 10. Created  by  both  man  and  the  computer:  an  electronic  spreadsheet   where  the  data  is  entered  by  the  human,  while  the  computer  works   out  the  result.   Categories  of  Digital/Electronic  Evidence   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 11. One   of   the   principal   characteris,cs   of   digital   evidence   is   its   complexity.    One  example  is  the  Amero  case.   The  complex  nature  of  digital  evidence  (the  case  of  Julie  Amero)   Julie   Amero   is   a   supply   teacher   at   Kelly   School   in   Norwich,   Connec,cut   who   was   found   guilty   of   showing   pornography   to   children  under  the  age  of  16   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 12. Julie  Amero’s  lesson.   ‘Inappropriate’   pictures  appear  as  pop   -­‐  ups  on  the  PC.   The  Police  look  at  the   content  of  the  hard   disk,  but  do  not  take  a   bit-­‐stream  copy     The  Court  finds  Julie   Amero  guilty  of   impairing  the  morals  of   a  child   Julie  Amero  obtains  a   new  trial  in  which  she   is  fined  100  dollars   26/10/04   05/01/07   10/11/08  19/10/04   The    regular  teacher  comes   into  the  class  room,  sees   that  the  cache  contains   pornographic  files  and   informs  the  headmaster   20/10/04   The  defence  team  request  a  new  trial   on  the  grounds  that  the  evidence  had   not  been  acquired  correctly  and  that   the  computer  was  infected   (mousetrapping)   01/06/08   The  ‘Amero’  case:  :meline   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 13. Mousetrapping   and   Pagejacking   are   DNS   hijacking   techniques   that   keep    users  on  a  site  by  launching  a  never  ending  series  of  pop-­‐ups.     The  Amero  case:  Mousetrapping  and  Pagejacking   A  new  trial  was  held,  as:   1)  Julie  had  been  a  vic,m  of  mousetrapping,  probably  as  a  result  of   the  improper  use  of  the  PC  by  the  regular  teacher   2)  Those   inves,ga,ng   had   not   followed   any   digital   forensics   procedure  (no  bit  stream  copies  taken  and  the  analysis  carried   out  between  20  and  26  October  was  not  documented)   3)  Julie  Amero’s  lawyer  had  not  been  able  to  get  an  expert’s  report   on  the  computer  prepared  for  the  defence     Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 14. Digital   evidence   could   be   altered   and   can   contain   countless   pieces   of   informa,on.  The  “Garlasco”  case  is  a  clear  example  of  this.   Alberto  Stasi  was  acquiFed  of  murder  of  his  girlfriend,  Chiara  Poggi,  by  the   Court  of  first  Instance  In  December  2009  and  the  judgement  was  confirmed   in  the  Appeal  court  in  December  2011.     Italian  Case  Law  on  Digital  Evidence   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 15. Chiara  Poggi  died   between  10.30  and   12.00     Stasi  voluntarily  hands   over  his  PC  to  the   Police     AUer  working  on  the  PC  the   Police  hands    it  over  to  the   Scien,fic  Inves,ga,on  Group    Judge  Vitelli  of   Vigevano  acquits   Stasi  of  murder   14/08/07   29/08/07   17/12/09  13/08/07   -­‐ Stasi  wakes  up  at  9     -­‐ Telephones  Chiara  Poggi   -­‐ Works    on  his  thesis   13/08/07   The  expert  report  requested  by  the  judge  shows   that  Stasi  was  working  on  his  thesis  during  the   period  when  Chiara  Poggi  was  killed   17/03/09   The  “Garlasco”  case:    the  “IT  alibi”   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 16. What  is  Digital  Forensics  ?   Digital  forensics,  in  a  tradi,onal  sense,  is:     -­‐  get  hold  of  evidence  without  modifying  the  IT  system  in  which  that   evidence  is  found;     -­‐  ensure  that  the  evidence  acquired  in  another  medium  is  iden,cal   to  the  original;   -­‐   analyse  data  without    modifying  it.   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 17. The  “Big  Five”  for  Digital  Forensics  (Council  of  Europe)   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   Data   Integrity     No  ac,on  taken  should  change  electronic  devices  or  media,   which  may  subsequently  be  relied  upon  in  court     Chain  of   Custody   An  audit  trail  of  all  ac,ons  taken  when  handling  electronic   evidence  should  be  created  and  preserved     Specialist   Support     If  inves,ga,ons  involving  search  and  seizure  of  electronic   evidence  it  may  be  necessary  to  consult  external  specialists     Appropriate   Training     First  responders  must  be  appropriately  trained  to  be  able   to  search  for  and  seize  electronic  evidence  if  no  experts  are   available  at  the  scene     Legality     The  person  and  agency  in  charge  of  the  case  are  responsible   for  ensuring  that  the  law  and  the  above  listed  principles   are  adhered  to    
  • 18. Digital  Inves:ga:on   Procedure       Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 19. Digital  Inves:ga:on  Procedure       Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   Iden,fy  the  Suspect   Detec,ng  and  Seizing  Digital  Evidence   Valida,ng  Digital  Evidence   Chain  of  Custody   Analysis  of  Digital  Evidence   Presenta,on  in  the  Court  
  • 20. Iden:fy  the  suspect   When  inves,ga,ng  Internet  crimes,  the  general  approach  is  as  follows:   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   An  inves,gator  receive  a   complaint  by  a  vic,m  of   cybercrime  or  detect  an  illegal   content  on  line   The  inves,gator  uses  the  Court   System  to  compel  the  ISP  to   reveal  a  physical  loca,on  that   corresponds  to  the  likely  source   of  Network  (IP  Address)   Under  a  warrant  (depend  from   the  Jurisdic,on)  the  loca,on  is   searched  and  any  computer  or   other  devices  is  seized   Multiple User ID or multiple Ips over time, open Wi-Fi, Proxy, Botnet Data Retention Directive in EU and Patrioct Act in US OSINT and SOCMINT
  • 21. Iden:fy  the  Suspect:  Data  Reten:on   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   •  In  the  wake  of  the  terrorist  aFacks  in  Madrid  and  London  (2004   and   2005   respec,vely),   the   European   Parliament   issued   Direc:ve  2006/24/EC.   •  Data   reten:on   (or   data   preserva,on)   generally   refers   to   the   storage  of  call  detail  records  (CDRs)  of  telephony  and  internet   traffic   and   transac:on   data   (IPDRs)   by   governments   and   commercial  organiza,ons.             •  Reten,on  period:  from  6  month  to   24  months   •  Scope  of  applica,on:  serious  crime  
  • 22. Iden:fy  the  Suspect:  Open  Issues  on  Data  Reten:on   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   1.  There  is  no  consistent  approach  across  the  EU  of  the  period  of   reten:on  among  Member  States   2.  No  defined  list  of  par:es  en:tled  to  request  such  data   3.  ‘Serious  crime’  is  a  generic  term     It   is   for   these   reasons   that   the   Cons,tu,onal   Court   in   certain   Member  States  (Germany,  Romania  and  the  Czech  Republic)  have   declared   na,onal   law   implemen,ng   the   Direc,ve   to   be   uncons,tu,onal,   resul,ng   in   a   legisla,ve   lacuna   that   does   absolutely  nothing  to  assist  inves,ga,ons.         In  addi,on,    Austria  and  Sweden  have  decided  against  implemen,ng   the  Direc,ve,  with  heavy  penal,es  being  imposed  by  the  European   Commission  as  a  result.    
  • 23. Iden:fy  the  Suspect:  Open  Issues  on  Data  Reten:on   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   Of  the  22  Member  States  that  have  implemented  the  Direc,ve:     Reten:on  Period     •  Thirteen  MS  have  decided  that  data  may  be  kept  for  12  months   •  Five  MS  have  established  a  longer  period     •  Four  MS  have  gone  for  a  shorter  ,me  limit     Concept  of  Serious  Crime     •  Ten   MS   have   defined   'serious   crime',   with   reference   to   a   minimum   prison   sentence,   to   the   possibility   of   a   custodial   sentence  being  imposed,  or  to  a  list  of  criminal  offences  defined   elsewhere  in  na,onal  legisla,on.     •  Eight  MS  require  data  to  be  retained  not  only  for  inves,ga,on,   detec,on  and  prosecu,on  in  rela,on  to  serious  crime,  but  also   in  rela,on  to  all  criminal  offences     •  Four   MS   refers   to   ‘serious   crime’   or   ‘serious   offence’   without   defining  it.    
  • 24. Iden:fy  the  Suspect:  Data  Reten:on   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   q  The  prac,cal  repercussion  of  this  scenario  is  the  following:  when   faced   with   a   U.S.,   German,   Austrian   or   Romanian   ISP,   law   enforcement  officers  could  never  be  sure  if  the  data  they  are   aUer  has  long  been  cancelled  or  is  s,ll  in  storage.   q  On  the  other  side.  U.S.  Law  Enforcement  could  obtain  data  from   EU.  Under  Patriot  Act,  U.S.  authori,es  are  en,tled  to  subpoena   personal  data  related  to  non-­‐US  ci,zen  from  any  company  that   has  “minimum  contacts”  with  the  U.S   Patriot Act, Sec. 215. Access To Records And Other Items Under The FISA
  • 25. Iden:fy  the  Suspect  –  OSINT  AND  SOCMINT   Mr  Palazzolo  a  treasurer  for  the  mafia,  on  the  run  for  30  years,  was   discovered  by  monitoring  his  facebook  profile.   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 26. Face  Recogni:on  Project   Alessandro  Acquis7   CCTV   Fair  Fax  Media   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   Iden:fy  the  Suspect  –  Face  Recogni:on  Project  
  • 27. Detec:ng  and  Seizing  Digital  Evidence:  Bit-­‐Stream  Copy   Anyone   wan,ng   to   seize   and   validate   digital/electronic   evidences   (content   of   an   e-­‐mail   or   an   en,re   hard-­‐disk)   has   to   respect   two   fundamental  “rules”:  Bit-­‐Stream  Copy  and  Hash  Func:on   The  bit-­‐stream  copy  can  ‘clone’  the  en,re  hard-­‐disk.  It  is  a  par,cular   form  of  duplica,on  in  which  the  content  of  the  physical  unit  is  read   sequen,ally   loading   the   minimum   quan,ty   of   data   that   can   from   ,me  to  ,me  be  directed,  then  recording  it  in  the  same  sequence  on   a   standard   binary   file,   genera,ng   a   physical   image   of   the   original   medium.   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 28. Seizing  and  Valida:ng  Digital  Evidence:  Hash  Func:ons   During   the   forensic   analysis   of   modifiable   media,   the   Hash   guarantees  the  intangible  nature  of  the  data  that  it  contains.   The   Hash   is   a   unique   func:on   that   operates   in   one   direc,on   (meaning   that   it   cannot   be   reversed),   by   means   of   which   a   document  of  random  length  is  converted  into  a  limited  and  fixed   length  string.   This   string   represents   a   sort   of   ‘digital   fingerprint’   of   the   non-­‐ encrypted  text,  and  is  called  the  Hash  Value  or  the  Message  Digest.     If  the  document  is  modified  even  to  the  slightest  extent,  then  the   fingerprint   changes   as   well.   In   other   words,   by   calcula,ng   and   recording  the  fingerprint,  and  then  recalcula,ng  it,  it  can  be  shown   beyond  all  doubt  whether  the  contents  of  the  file,  or  the  medium,   have  been  altered,  even  accidentally.     Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 29. Where  and  how  is  the  digital/electronic  evidence  hosted?   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   Digital   Evidence   Third   par,es   Suspected   PC   ISP, TELCO, BANK Jurisdiction ENCRYPTION Key Mandatory Law Houston,  We  Have  a  Problem!  
  • 30. Why  Third  Par:es  are  important  during  Digital  Inves:ga:ons?   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   Internet  Access  Provider   •  Could  reveal  from  which  place  the  email  was  sent   Mail  Account  Provider   •  Could  reveal  from  which  places  the  email  account  was  accessed   Credit  Card  Company     •  Could  reveal  where  the  goods  bought  with  a  cloned  credit  card   were  delivered   Example:  a  forensics  analysis  reveals  that  a  cybercrime  vic,m  had   received  a  decep,ve  email  that  installed  spying  soUware  on  the   vic,m's  machine.  What  to  do?  
  • 31. An   inves,ga,ng   tool   most   frequently   used   for   carrying   out   an   on   line  inves,ga,on  is  hashing  techniques.     For  example,  star,ng  with  a  file  containing  an  illegal  content,  it  is   possible  to  convert  it  into  a  message  digest  and  to  carry  out  a  fast   search  inside  a  storage  support  (hard  drive,  flash  disk)  or  within  the   network  (P2P  networks).   Ferrari.jpg   Ferrari_copy.jpg   HASH  SHA-­‐1     051ed4dbdb9bcd7957aa 7cbb5dfd0e94605cd887   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   Detec:ng  and  Seizing  Digital  Evidence:  Hashing  Techniques  
  • 32. What  happens  if  I  just  change  the  file  in  an  infinitesimal  way?   Ferrari.jpg   Ferrari_copy2.jpg   HASH:   051ed4dbdb9bcd7957aa7cbb5dfd0e 94605cd887   HASH:   a9fa2933484f828b95c1dde824dea28f 35b509d6   The  hash  does  not  match  and  the  search  will  not  generate  results   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   Detec:ng  and  Seizing  Digital  Evidence:  Hashing  Techniques  
  • 33. For  this  reason,  there  are  techniques  (i.e.  fuzzy  hashing)  or  various   types  of  algorithms  that  allow  a  “certain  degree  of  similarity”  to  be   iden,fied.   A  good  soUware  used  is  SSDEEP  wriFen  by  Andrew_Tridgell    and   used  for  detec,ng  spamming.   Online  is  available:  pHash  (The  open  source  perceptual  hash  library)   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   Detec:ng  and  Seizing  Digital  Evidence:  Hashing  Techniques  
  • 34. The  more  complex  techniques  have  a  20%  degree  of  error     What  does  it  means?                   No  problem  if  there  are  false  posi,ves.  Human  checking  is  sufficient.     But  in  the  case  of  false  nega:ves?   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   Detec:ng  and  Seizing  Digital  Evidence:  Hashing  Techniques   False  Posi:ves=   (i.e.,  non  –obscene  packets  misclassified  as  obscene)   False  Nega:ves=   (i.e.,  obscene  packets  incorrectly  deemed  as  non-­‐obscene)  
  • 35. The  new  challenge  with  Cloud  compu,ng  is  a  loss  of  data  loca,on   due  to:     -­‐ “Data  at  rest”  does  not  reside  on  the  device.     -­‐ “Data  in  transit”  cannot  be  easily  analysed  because  of  encryp,on.     -­‐ “Data  in  execu,on”  will  be  present  only  in  the  cloud  instance     The   inves,gator   who   wants   to   capture   the   bit-­‐stream   data   of   a   given  suspect  image  will  be  in  the  same  situa,on  as  someone  who   has   to   complete   a   puzzle,   whose   pieces   are   scaFered   randomly   across  the  globe   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   Detec:ng  and  Seizing  Digital  Evidence:  Cloud  Compu:ng  
  • 36. How   is   it   possible   to   validate   online   digital   evidence   and   immediately   show   that   a   par,cular   piece   of   data   on   a   par,cular   online  site  is  certain?   Valida:ng  Digital  Evidence  on  line   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 37. Domesday  Book    (1086):  Ink  on  parchment:  legible  aler  over  900   years.           Domesday  Book    2  (1983):  LaserDisc:  illegible    aler  15  years.   Whilst  the  bit  is  eternal,  its  storage  medium  is  not.  Digital  storage   media  last  less  than  analogue  media  and  devices  to  read  such  media   last  even  less.   Chain  of  Custody  of  the  digital  evidence   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 38. Analysis  of  Digital  Evidence   1.  Text   searches:   aimed   at   scanning   files,   directories   and   even   en,re  file  systems  for  specific  text  terms   2.  Image   searches:   aimed   at   iden,fying   image   files   in   various   formats,  and  at  genera,ng  s,ll  frames  of  digitally  stored  video   footage   3.  Data   recovery:   aimed   at   recovering   all   files   stored   on   mass   memory  units,  including  deleted  or  damaged  data   4.  Data   discovery:   targeted   at   accessing   hidden,   encrypted   or   otherwise  protected  data   5.  Data   carving:   focused   on   reconstruc,ng   damaged   files   by   retrieving  por,ons  of  their  content   6.  Metadata  recovery  and  iden:fica:on:  this  digital  forensic  tool  is   par,cularly  useful  for  retracing  the  ,meline  of  web  accesses  and   file  changes   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 39. Analysis  of  Digital  Evidence:  two  Italian  issue   1.  Digital  forensics  analysis  is  repeatable  or  unrepeatable,  that  is   the  ques:on….   2.  Open  Source  or  Closet  source           Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 40. This  stage  is  of  key  importance  for  Prosecutors,  Judges  and  lawyers,   as  the  outcome  of  the  trial  will  depend  not  only  on  results  achieved,   but  also  the  degree  of  clarity  and  comprehension  of  the  report.     Opera:onal  recommenda:ons     q  Presence  of  an  index   q  Presence  of  a  glossary  and  reference  notes  if  there  are  any   technical  terms   q  Timeline  table  and  flow  charts   q  Presenta,on  slides  with  photos   q  Possible  video-­‐recording  of  opera,ons  carried  out   Presenta:on  in  the  Court  of  the  digital  evidence  findings   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 41. Presenta:on  in  the  Court  of  the  digital  evidence  findings:  Murtha  Case   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 42. Internet  Surveillance  Plans   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   Privacy  and  Due  Process  Rights  -­‐  Surveillance   q  EU  -­‐  Echelon  Intercep:on  System  –  2001   q  US  -­‐  Total  Informa:on  Awareness  Program  (TIA)  –  2002   q  UK  -­‐  Communica:ons  Capabili:es  Development  Program  –  2012   q  US  -­‐  Cyber  Intelligence  Sharing  and  Protec:on  Act  (CISPA)-­‐  2013  
  • 43. Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   Privacy  and  Due  Process  Rights  -­‐  Surveillance  
  • 44. Privacy  and  Due  Process  Rights  -­‐  Encryp:on   q  Encryp,on   is   the   process   of   obscuring   informa,on   to   make   it   unreadable  without  special  knowledge   q  Encryp,on  can  be  used  to  ensure  secrecy   q  Encryp,on  can  be  used  to  hide  the  fact  that  encrypted  messages   are  exchanged   q  Encryp,on  used  by  criminals  can  lead  to  difficul,es  collec,ng  the   necessary  evidence   A  possible  answer  is  Encryp,on   e process of obscuring make it unreadable knowledge be used to ensure be used to hide the fact Picture removed in print version Bild zur Druckoptimierung entfernt EXAMPLE PGP Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 45. Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   Privacy  and  Due  Process  Rights  -­‐  Encryp:on  
  • 46. Legal  Solu,on  to  Fight  Encryp,on       United  States  v.  Boucher   (2007  WL  4246473)   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   Privacy  and  Due  Process  Rights  –  Case  Law  on  Encrpy:on  
  • 47. Privacy  and  Due  Process  Rights-­‐  United  States  v.  Boucher,   2-­‐19-­‐2009  December   17,   2006   -­‐   Sebas,en   Boucher's   laptop   computer   was   inspected   when   he   crossed  the  border  from  Canada  into  the  USA  at  Derby  Line,  Vermont.  Law  Enforcement   seized  the  laptop,  ques,oned  Boucher  and  then  arrested  him  on  a  complaint  charging   him  with  transporta,on  of  child  pornography  in  viola,on  of  18  U.S.C.  2252A   December  29,  2006  -­‐  When  the  laptop  was  switched  on  and  booted,  it  was  not  possible  to   access  its  en,re  storage  capability.  This  was  because  the  laptop  had  been  protected  by   PGP  Disk  encryp,on.   January    12,  2007  -­‐  A  grand  jury  subpoenaed  the  defendant  to  provide  the  password  to   the  encryp,on  key  protec,ng  the  data   November,   29   2007-­‐   U.S.   Magistrate   Judge   Jerome   Niedermeier   of   the   United   States   District   Court   for   the   District   of   Vermont   stated   "Compelling   Boucher   to   enter   the   password  forces  him  to  produce  evidence  that  could  be  used  to  incriminate  him.  This  is  a   evidence  obtained  in  viola:on  of  filh  amendment”.  Niedermeier  quashed  the  subpoena   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 48. “Mandatory   Key   Disclosure”   is   legisla,on   that   require   individuals   to   surrender  cryptographic  keys  to  law  enforcement.  Na,ons  vary  widely  in  the   specifics  of  how  they  implement  key  disclosure  laws.     Some,   such   as   Australia,   give   law   enforcement   wide-­‐ranging   power   to   compel  assistance  in  decryp,ng  data  from  any  party.     Some,   such   as   Belgium,   concerned   with   self-­‐incrimina,on,   only   allow   law   enforcement  to  compel  assistance  from  non-­‐suspects.     France   require   only   specific   third   par,es   such   as   telecommunica,ons   carriers,   cer,fica,on   providers,   or   maintainers   of   encryp,on   services   to   provide  assistance  with  decryp,on.     Italy  doesn’t  have  a  Key  Disclosure  Laws.   Privacy  and  Due  Process  Rights  -­‐  Mandatory  Key  Disclosure  Laws   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 49. This  legisla,ve  instrument  doesn’t  work.  Why?   1.  Technical  reasons:  an  expert  could  always  find  a  way  to  hide  a  file     2.  Possible  viola:on  of  European  Conven:on  on  Human  Rights:  Ar,cle  6   Everyone  charged  with  a  criminal  offence  shall  be  presumed  innocent  un7l   proved  guilty  according  to  law   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   Privacy  and  Due  Process  Rights  -­‐  Mandatory  Key  Disclosure  Laws  
  • 50. What  is  the  “new”  possible  solu,on?   Privacy  and  Due  Process  Rights  -­‐  Mandatory  Key  Disclosure  Laws   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 51. Remote  Forensics   Privacy  and  Due  Process  Rights  –  Remote  Forensics   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 52. On    December  20,  2006:  Ar,cle  5.2(11)  of  the  Law  on  the  Protec,on  of   the   Cons,tu,on   in   North   Rhine-­‐WestFalia   was   amended   with   the   introduc,on  of  provisions  on  remote  intelligence-­‐gathering,  both  online   and  by  accessing  informa,on  technology  systems.     Private  computer  systems  could  be  covertly  accessed  “remotely”,  thanks   to   soUware   (keylogger   and   sniffer   programs)   installed   on   the   target   system   without   the   owner’s   knowledge,   for   instance,   in   the   form   of   Trojans   incorporated   within   or   disguised   as   harmless   content,   by   convincing   the   owner   to   voluntarily   upload   the   relevant   spyware   or   disclose  passwords  through  cleverly  devised  social  engineering  ini,a,ves.   Privacy  and  Due  Process  Rights  –  Remote  Forensics   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics  
  • 53. On   February   27,   2008   The   German   Cons,tu,onal   Court   determined   that   the  amendment  of  NordWestalia  Law  was  uncons,tu,onal  as  it  violated:   The  “right  to  informa,onal  self-­‐determina,on” The  inviolability  of  the  home The  privacy  of  correspondence   The   Cons,tu,onal   Court   establishes   a   new   “Right   to   the   Confiden:ality   and   Integrity   of   Informa:on   Technology   Systems”   (right   to   the   free   development  of  one’s  personality),  read  in  conjunc,on  with  Ar,cle  1.1  GG   (right  to  human  dignity).   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   Privacy  and  Due  Process  Rights  –  Remote  Forensics  
  • 54. Just  three  years  aUer  the  ruling  by  the  German  Cons,tu,onal  Court,   Germany’s   Jus,ce   Minister   has   called   for   an   inves,ga,on   aUer   authori,es   in   at   least   four   German   states   acknowledged   using   computer   spyware   to   conduct   surveillance   on   ci,zens   (Bavaria,   Baden-­‐WurFemberg,  Brandenburg  and  Lower  Saxony)   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   Privacy  and  Due  Process  Rights  –  Aler  3  Years  :(  
  • 55. Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   Privacy  and  Due  Process  Rights  –  Cloud  Compu:ng   Cloud   compu,ng   is   a   model   for   enabling   convenient,   on-­‐demand   network   access   to   a   shared   pool   of   configurable   resources   (e.g.,   networks,   servers,   storage,   applica,ons,   and   services)   that   can   be   rapidly  provisioned  and  released  with  minimal  effort  or  management   service  provider  interac,on     Cloud   compu,ng   has   five   essen:al   characteris:cs:   (i)   On-­‐demand   self-­‐service,   (ii)   Broad   network   access,   (iii)   Resource   pooling,   (iv)   Rapid  elas,city,  (v)  Measured  service  
  • 56. Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   Privacy  and  Due  Process  Rights  –  Cloud  Compu:ng   From   a   Legal   Standpoint   Cloud   Compu,ng   services   have   to   face   these  two  dis,nct  issues:     Jurisdic:on:  The  “loss  of  loca:on”  of  digital  evidence  in  the  cloud   world  creates  problem  of  jurisdic,on.  With  cloud  compu,ng,  are  the   documents   governed   by   the   law   of   the   state   in   which   they   are   physically   located   or   by   the   loca,on   of   the   company   possessing   them  or  by  the  laws  of  the  state  where  a  person  resides?  Over  the   last  few  years,  various  approaches  have  been  offered  to  solve  this   problem.     Privacy:  The  “lack  of  control”  over  the  data  (cloud  clients  may  no   longer   be   in   exclusive   control   of   this   data   and   cannot   deploy   the   technical   and   organisa,onal   measures   necessary   to   respect   Data   Protec,on     Law),   and   the   “absence   of   transparency”   (insufficient   informa,on  regarding  the  processing  opera,on  itself)  are  the  main   data  protec,on  risk  of  cloud  compu,ng  
  • 57. Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   Privacy  and  Due  Process  Rights  –  Cloud  Compu:ng  and  Jurisdic:on   We  have  4  different  possible  principle  to  solve  the  “loss  of  loca,on”   in  a  cloudy  world:     •  Territorial   principle:   the   Court   in   the   place   where   the   data   is   located  has  jurisdic,on   •  Na:onality   principle:   the   na,onality   of   the   perpetrator   is   the   factor  used  to  establish  criminal  jurisdic,on.   •  “Flag  principle”:  which  basically  states  that  crimes  commiFed  on   ships,  aircraU  and  spacecraU  are  subject  to  the  jurisdic,on  of  the   flag  state.   •  “Power  of  Disposal  Approach”:  from  a  prac,cal  point  of  view,  a   regula,on  based  on  the  power  of  disposal  approach  would  make   it  feasible  for  law  enforcement  to  access  a  suspect’s  data  within   the  cloud.  
  • 58. Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   Privacy  and  Due  Process  Rights  –  Cloud  Compu:ng  and  Privacy   Lack  of   control  over   the  data   Lack  of  Integrity     caused  by  the   sharing  of   resources   Lack  of  availability     due  to  lack  of   interoperability   Lack  of   intervenability    due  to  the   complexity  and   dynamics  of  the   outsourcing   chain   Lack  of   informa:on  on   processing   (transparency)   Lack  of  isola:on   A  cloud  provider   may  use  its  physical   control  over  data   from  different  clients   to  link  personal  data.     Lack  of   confiden:ality   in  terms  of  law   enforcement   requests  made   directly  to  a   cloud  provider   Lack  of   intervenability   (data  subjects’   rights)  
  • 59. Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   Privacy  and  Due  Process  Rights  –  Cloud  Compu:ng  and  Privacy   Proposal of Regulation on Data Protection The right to be forgotten EU citizens are to be entitled to require information online to be deleted Privacy Officer Public bodies and businesses having a minimum number of employees are obliged to establish a data protection officer Security Where information is lost (which is described as a serious breach), this will have to be reported, and even more complex security models will be required One-Stop-Shop Businesses and individuals must be able to deal with one single point of contact Cookies The use of cookies on line is regulated further, in line with the recent Cookies Law directive. Privacy by design: The regulation introduces an obligation to use technological means to ensure that personal data is automatically processed only to the extent that is absolutely necessary.
  • 60. What  Authority  do  you  Need  to  Seize  Digital/Electronic  Evidence?   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   Before  the   Digital  Age   Aler  the   Digital  Age   Your   professional   and  private   life  
  • 61. Who  is  en:tled  to  have  access  to  Digital/Electronic  Evidence?   Macau,  April  8-­‐12,  2013  -­‐  Seminar  on  Cybercrime  and  Digital  Forensics   Court   Order   Wriqen  Given   Consent  (civil   proceeding)   Law   Enforcement   Given  Consent   (criminal   proceeding)   Content data, IP and Log File Registration Data Content data, IP and Log File related to investigation Internal Investigation (Corporate Forensics)
  • 62. Thanks  for  your  aFen,on   Giuseppe  Vaciago     Mail:   Web:  h_p://     Twi_er:  h_ps://   Linkedin:  h_p://