CyberCrime

The Cybercrime Trial Abigail Abraham Assistant State Attorney Cook County, Illinois Ivan Orton Sr. Deputy Prosecuting Attorney King County, Washington

What’s Different about a Cybercrime Trial

Complexity

Digital Evidence Issues

As With Any Trial, Keys Are:

Understanding Your Case

Preparing Your Case

Presenting Your Case

You MUST Educate Yourself

But Only About What You Must Understand

Endless Task

Training and Experience

Use Your Resources

Other Prosecutors

Office Computer Personnel

Investigator/Forensic Expert

Witnesses (ISP, Victim, etc.)

Digital DA and other online sources

The Crime Charged

Should you Amend?

The Legal T heory

The Evidence

Anticipating Defenses

What do you have to Prove/Disprove

Do you have to disprove all alternative explanations

Can you disprove all alternative explanations

Nature of computer “incidents”

S hare your understanding with your trial team (investigator, forensic person, crucial witnesses) to get their input

Preparing Your Case

Remember

Judge/Jury/Defense Understanding Varies Widely

You Must Be a Teacher

Law is Settling Down but . . .

Technology is double edged

Preparing Your Case

Education

Expert Witness/Scientific Method

Problem Areas

Jury Instructions

Preparing Your Case - Education

Educate Your Audie nce at Every Stage

Voir Dire

Opening

Every Witness

Closing

Objections

Preparing Your Case - Education

Keep it Simple - don’t overexplain

Case in Chief v. Cross Ex and Rebuttal

Let Defense make it complex

Use Analogies but . . .

Preparing Your Case - Education We're using age old methods of reasoning trying to evaluate an unfamiliar situation by finding analogy to a familiar one. But applied to the web the analogies get so complex that the familiar turns into the unfamiliar. To make the situation accurate you have to make it so weird that it doesn't help us figure things out. David Weinberger , Commentator on All Things Considered

Preparing Your Case - Expert Witness

Do You Need an Expert (Opinion Witness)

Your Witness Testifies:

Made F orensic Image

Examined the Drives

What Found on Drives

What this Means

Which of these Required Expert Witness Testimony

Which Required Admission of Scientific Evidence

Expert Witness - witness qualified as an expert may give an opinion

Results of a Scientific Method - In Federal system and many states, Judge must be convinced results of scientific method will be useful

In some states method must be generally accepted by peer community

Your Witness Testifies:

Made F orensic Image

Examined the Drives

What Found on Drives

What this Means

Don’t Confuse Expert Testimony with Expert WITNESS Testimony

Witness can be shown to be highly qualified as a way of increasing her/his credibility

So long as not seeking to give opinion, don’t have to qualify as expert witness

Preparing Your Case - Scientific Method

Evidence Based on Scientific Method Doesn’t Always Have to be Qualified

Jury is shown p icture t aken by 7-11 c amera to c ompare to d efendant

No need to qualify photography as a scientific method

Will need to authenticate/lay foundation

Only if expert is giving an opinion based on scientific method evidence must evidence be qualified

Preparing Your Case - Expert/Scientific Method

Effect of “Best Practices” Manuals

In Russian Hacker case FBI agent quizzed by defense attorney on not following DOJ Computer Search and Seizure Manual

Preparing Your Expert

No Real Difference in Cyber Case From Any Other Case Involving Expert

Don’t Overstate

Keep Things Simple

Don’t Argue with Defense Attorney

“ Isn’t it true that . . . ?|

“ Yes, and I can explain my answer if you’d like.”

Preparing Your Case - Problem Areas

Tying Defendant to Keyboard

Defendant’s Knowledge/Motive

Time and Date Stamps

Forensic Report

Tying Defendant to Keyboard

Confession/Admission

Circumstantial (only resident at computer location)

Substantive knowledge unique to defendant

Content analysis

June 30, 1999 - 8 Minutes Later

From: [email_address] To: [email_address] Subject: Hideho... Date: Wednesday, June 30, 1999 2:23 PM

Hideho....dear Marni....how're you today....did you sleep well...I bet you didn't...unfortunately...one of my spies told me you'll have a opening training camp next Monday in Toronto...so I'll have more women to either fuck or destory ...Michelle Stilwell, huh....I love quadraplagia girls...amputees like Chantal Benoit is also a perfect choice....so you may survive...now I realize compare to the same level, Shira Golden is more attractive to me than you do...I switched my airplane ticket...I'll fly directly to Toronto instead of Vancouver...See ya next Monday...Hideho..have a nice day and keep a good shape...

PARALYZED WOMEN KILLER FROM HONG KONG 7-1-99

destory

Defendant’s Knowledge/Intent

Defendant claims ignorance of child porn found on his computer.

How can you overcome claim of ignorance?

Number of Pictures

Directory Structure

File Names

News Group Subscriptions

History Files

Time and Date Stamps

Windows Files have 3 Dates/Times:

Create Date

When the file was created at the current location

When the file was moved/copied to current location

Last Written/Modified Date

When the file was last changed (includes created)

Does not change when file is moved/copied

Is reset when a file is downloaded

Last Accessed Date

When file was last accessed

Date/Time Stamps - Limitations

Depends on accuracy of internal clock

What time zone

Can be manipulated

Date/Time Stamps - Ways to Check

Internal file accuracy (date stamp consistent with date inside file)

E-mail header date/time compared to date/time assigned by system

Compare known date/time to system date/time (Do you know independently when file was downloaded)

Date/Time Stamps - Ways to Check

If computer is attached to network, does server set clock on login

Patterns of file creation dates/times

If any created after computer was seized you MUST explain

Experiment

Using suspect’s computer

NOT original hard drive

Forensic Report

Abigail Example

Preparing Your Case - Jury Instructions

Do Pattern Jury Instructions Exist?

If not, can you draw on analogous areas (burglary law for computer trespass)

Special Terms need Definitions?

Presenting Your Case

Voir Dire

Explaining Complicated or Technological Issues

Presentation Tools

Digital Evidence Admissibility Issues

Presenting Your Case-Voir Dire

Know your audience—what is their knowledge of computers?

Educate the jury, but keep it simple

Are jury questionnaires permitted by the Judge?

Focus on jurors feeling of whether computer crime is really “crime.”

Consider questions weeding out those that think the victim may be at fault or should “ignore it.”

“ Do you own a computer?”

“ Is your home computer a Macintosh or IBM compatible”

“ How familiar are you with computers”

“ Does your job entail working with computers?”

“ Do you access the Internet?” “For what purpose?”

“ Have you ever used e-mail? Chatrooms? Instant messenger?”

“ If a person enters a chatroom, are they ‘assuming the risk?’”

“ Do you think that pursuing a person in a chatroom is a part of ‘Web/Net culture?’”

“ If someone is being harassed by e-mail, should they just not turn the computer on or ignore it?”

“ Does anyone believe that pursuing someone or harassing someone on the internet is not a matter that should be criminal in nature”

A little younger, but not too young.

A little more educated, but not too academic.

A little technical knowledge, but not enough to second guess your witnesses.

Beyond that jurors for the different types of tech cases should follow the profile for the same type of case if their was no tech element.

Presenting Your Case-Voir Dire What Jury Do You Want

Presenting Your Case-Voir Dire Not All Cybercases Are the Same

Trade secret theft

Child porn/exploitation

Hacking

Fraud

Component theft

Piracy

Cyberstalking

Voir Dire – Child Exploits/Porn

It’s OK to have strong feeling about the sexual exploitation of children, but does anybody feel the subject matter alone would make it impossible for them to be fair?

Have you, a relative, or a close friend ever been sexually victimized? (instruct them they need not answer in open court)

Will anyone find it impossible to view graphic sexual images of young children?

Does anyone disagree with the laws prohibiting sexual activity between adults and children?

Voir Dire – Fraud/Identity Theft

Victimization – Self/Friend/Family

Media Attention – Read/Heard/Seen

Precautions They Take (May expect your victim to do nothing less)

Assumption of the Risk

When might you hold the victim to blame for being ripped off?

Does a victim’s carelessness or naiveté ever justify stealing from them?

Voir Dire – Hacking/Intrusion

Does anyone have an image in their mind when I use the term “Hacker.”

Has anyone experienced the damage that can be caused by a computer virus. (describe it)

Does anyone here keep personal information on their computer?

Is their anyone here uncomfortable with the idea of someone having uncontrolled access to your personal information ?

Should a victim be required to take steps to prevent an intentional intrusion?

Voir Dire - Piracy

Does anyone think there’s a difference between making one copy of a movie/cd/tape for a friend and making a hundred to sell at the flea market?

Where’s the line between fair use and theft?

Does anyone have strong feelings about the movie/music/software industries business, pricing, or distribution practices?

Has anyone seen media for sale they thought might be counterfeit? Describe the situation? What alerted you?

Voir Dire – Trade Secrets

Does anyone feel a company can’t be a victim?

Has anyone ever had the experience of having someone else steal their idea or take credit for their work?

Can anyone give an example of an idea that was worth lots of money?

Can anyone give an example of something that’s only valuable if it’s secret?

Presenting Your Case - Complicated/Technical Issues 1. Have a very simple analogy 2. Have a uncomplicated correct definition 3. Find/develop a picture/drawing of what your technology “looks like”. 4. Have a credible expert explain technology using all above #1, #2, #3. 5. Have your expert use that picture/drawing.

6. Link your technology to something jurors do on their computers.

7. Link your definition, as it is explained, to what the defendant DID.

8. Repeatedly, again and again USE YOUR PICTURE of the technology.

9. No overkill; the more time you spend, you may confuse or open doors

10. Try your analogy, definition and pictures out on experts and lay people.

Presenting Your Case - Complicated/Technical Issues

Charts, Diagrams, Pictures

Presenting Your Case - Presentation Tools

Animation

Animation Used to Show How Things Work

Power Point Example

Hard Drive File Allocation Table Storage Area CLUSTER 1 Unallocated FILE STORAGE CLUSTER 2 Unallocated CLUSTER 3 Unallocated CLUSTER 1 Allocated Image.jpg 10,555 Bytes 5/5/99 1:22 p.m. - CLUSTER 2 Allocated Image.jpg 10,555 Bytes 5/5/99 1:22 p.m. - Clusters 1+2

Hard Drive File Allocation Table Storage Area FILE DELETE CLUSTER 3 Unallocated Image.jpg 10,555 Bytes 5/5/99 1:22 p.m. - CLUSTER 2 Allocated Image.jpg 10,555 Bytes 5/5/99 1:22 p.m. - Clusters 1+2 CLUSTER 1 Allocated

Hard Drive File Allocation Table Storage Area FILE DELETE CLUSTER 3 Unallocated Image.jpg 10,555 Bytes 5/5/99 1:22 p.m. - CLUSTER 2 Allocated Image.jpg 10,555 Bytes 5/5/99 1:22 p.m. - Clusters 1+2 CLUSTER 1 Allocated CLUSTER 1 Unallocated CLUSTER 2 Unallocated ? mage.jpg 10,555 Bytes 5/5/99 1:22 p.m. - Clusters 1+2 ? mage.jpg 10,555 Bytes 5/5/99 1:22 p.m. - Clusters 1+2

INFO Hard Drive Download DC01.jpg 10,555 Bytes 5/5/99 1:22 p.m. Image.jpg 10,555 Bytes 5/5/99 1:22 p.m. Recycle INFO (DownloadImage.jpg) DELETE RECYCLE BIN DELETE ? mage.jpg 10,555 Bytes 5/5/99 1:22 p.m.

Hard Drive Download DC01.jpg 10,555 Bytes 5/5/99 1:22 p.m. INFO (DownloadImage.jpg) Recycle RECOVER RECYCLE BIN RECOVER ? mage.jpg 10,555 Bytes 5/5/99 1:22 p.m. Image.jpg 10,555 Bytes 5/5/99 1:22 p.m. ? C01.jpg 10,555 Bytes 5/5/99 1:22 p.m. INFO