---
title: 'Lecture 09 Evidence Analysis II'
disqus: hackmd
---

:::info
ST2502 Computer Law & Investigation
:::

Lecture 09 Evidence Analysis II
===

<style>
img{
    /* border: 2px solid red; */
    margin-left: auto;
    margin-right: auto;
    width: 80%;
    display: block;
}
</style>

## Table of Contents
[TOC]

Computer Output Evidence
---
- pervasive role played by computers in society & increasing computerisation of records will lead to more computer output being presented in evidence

#### Sections 35 & 36 of Evidence Act
- introduced in 1996 when computer tech was in its infancy, hence a cautious approach was taken
- computer output could only be admitted if
    - it was produced in an approved process
    - it was shown to be produced by a properly operating computer which was properly used
- repeal of sections 35 & 36
    - cumbersome process & not consonant with modern realities
    - position now is that computer output evidence should not be treated differently from other evidence
    - hence repealed

### Presumptions in Relation to Electronic Records
- new presumptions facilitating the admission of electronic records were introduced by the Evidence Act 2012
- Eg. if a device is properly used & accurately communicates an electronic record, it is presumed that an electronic record communicated by that device is accurately communicated
- unless evidence to the contrary is adduced, the court presumes that any electronic record generated/recorded/stored is authentic if it is established that the electronic record was generated in the usual & ordinary course of business by a person who was not a party to the proceedings & did not generate it under the control of the party seeking to introduce the record
    - Eg. A seeks to cite evidence against B in the form of an electronic record
        - fact that the record was generated in the usual & ordinary course of business by C, a neutral 3rd party, is a relevant fact for the court to presume it is authentic
- unless evidence to the contrary is adduced, where an electronic record was generated/recorded/stored by a party who is adverse in interest to the party seeking to adduce the evidence, the court shall presume that the record is authentic in relation to authentication issues arising from the generation/recording/storage of the record
    - Eg. A seeks to cite evidence against B in the form of an electronic record
        - fact that the record was generated by B, who opposes the relevance of the evidence, is a relevant fact for the court to presume it is authentic

#### Example - Telemedia Pacific Group Ltd Credit Agricole
![](https://i.imgur.com/VjkPMMb.png)

Processes for Validating Electronic Record are Relevant Facts
---
- section 9 of Evidence Act
    - clarifies that processes for validating an electronic record are relevant facts
- example
    - method & manner in which the record was generated/communicated/received/stored, reliability of the devices & circumstances in which the devices were used/operated to generate the record may be relevant facts for authenticating the record

### Approved Process
- section 116A(5)
    - minister may make regulations providing for the process by which a document may be recorded/stored through use of an imaging system
    - includes providing for the appointment of 1/more persons/orgs to certify these systems & their use
    - approved process in subsection (6) means a process that has been approved in accordance with the provisions of such regulations
- section 116A(6)
    - where an electronic record was recorded/stored from a document produced pursuant to an approved process, the court shall presume, unless evidence to the contrary is adduced, that the record accurately reproduces that document

### Rules for Filing & Receiving Evidence in Court using InfoTech
- Section 36A
    - (1) rules committee constituted under the Supreme Court of Judicature Act & family justice rules committee constituted under the Family Justice Act 2014 may make rules to provide for the filing/receiving/recording of evidence & documents in court by use of info tech in such form/manner/method as may be prescribed
    - (2) without prejudice to the generality of subsection (1), such rules may
        - modify such provisions of this act as may be necessary to facilitate the use of electronic filing of documents in court
        - provide for burden of proof & rebuttable presumptions in relation to the identity & authority of the person sending/filing evidence/documents by use of info tech
        - provide for authentication of evidence & documents filed/received by use of info tech
- __need to know__
    - where the evidence is
    - what the evidence means
    - how to put it together

### Sources of Evidence
- 3 basic sources
    - users
        - 1st hand observations
    - systems
        - including backups
        - log files
        - intruder remnants (processes, files etc)
    - networks/comms
        - netflow logs
        - firewall logs
        - modem banks/telephone logs
- basically rely on logs recovered from the compromised system

### Mutable Evidence
- computer evidence is endlessly changeable
    - intruder might add/remove/modify log entries
    - intruder might compromise the system components that maintain the logs
    - you might modify something during the investigation

### Chain of Custody
- who had access to the evidence?
- what procedures were followed when working with the evidence?
- how can we show that our analysis is based on copies identical to the original evidence?
    - __BY DOCUMENTATION & TIMESTAMPS__

Obtaining Computer Related Evidence
---
- to obtain computer-related evidence, 4 steps must be taken
    - identify evidence
        - identify the type of info available
        - determine how best to retrieve it
    - preserve evidence
        - with the least amount of change possible
        - must be able to account for any changes
    - analyse evidence
        - extract
            - may produce binary "gunk" that isn't human readable
        - process
            - make it human readable
        - interpret
            - requires deep understanding of how things fit together
    - present evidence
        - to management, attorneys, in court etc
        - acceptance depends on
            - manner of presentation
                - did you make it convincing/understandable?
            - qualifications of the presenter
            - credibility of the processes used to preserve & analyse the evidence
                - especially important when presenting evidence in court

### Evidence Preservation
- make copy
    - generate copy
    - verify accuracy of copy through timestamp
- document
    - who collected it, from where, how, when, maybe why
- give copy/original to custodian
    - custodian gives copies to others
    - document chain of custody
    - fewer custodians is better
        - fewer to testify

Best Evidence Rule
---
- when nothing better is available, the court will resort to admitting evidence that would otherwise be inadmissible in other cases
- rule may apply to cases where evidence is excluded because better evidence is available
- for computer output, best evidence in decreasing order of desirability
    - original disk
    - binary copy of original disk
    - log file from disk
        - Eg. UNIX wtmp
    - records from within file
    - contents of file
    - collection of files
    - collection of files with attributes intact
- byte stream image of disk is good for most purposes, but not all purposes

###### tags: `CLI` `DISM` `School` `Notes`
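As an added example (not part of the lecture notes or any course material), the Python script below works through the evidence preservation and chain-of-custody steps above: make a copy, verify that the copy matches the original, document who handled which artefact and when, and re-check a working copy before analysis so that any later modification (the "mutable evidence" problem) is caught and logged rather than silently carried into the findings. The file names, the JSON-lines log layout, the person identifiers and the constructed wtmp-style content are this example's own assumptions; it pairs a SHA-256 digest with a UTC timestamp as the documented check, which is the usual practice alongside the timestamp the notes mention.

```python
"""Evidence preservation with hash verification and a chain-of-custody log.

Added example, not from the lecture notes. File layout, function names and
the log format are assumptions made for illustration.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    """Hash a file in 1 MiB chunks so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def custody_entry(action, path, digest, person, note=""):
    """One timestamped chain-of-custody record: who did what, to which artefact, when."""
    return {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "path": str(path),
        "sha256": digest,
        "person": person,
        "note": note,
    }


def append_log(log_path, entry):
    """Append one record as a JSON line; the log itself is part of the documentation."""
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")


def preserve(original, copy_path, collector, log_path):
    """Copy the original, verify the copy byte-for-byte via its hash, log both steps.

    Returns the digest shared by original and copy. Raises if they differ, so an
    unverified copy never enters the custody chain.
    """
    original_digest = sha256_of(original)
    shutil.copyfile(original, copy_path)
    copy_digest = sha256_of(copy_path)
    if copy_digest != original_digest:
        raise RuntimeError("copy does not match original; discard it and re-image")
    append_log(log_path, custody_entry("acquired", original, original_digest, collector, "original sealed"))
    append_log(log_path, custody_entry("copied", copy_path, copy_digest, collector, "working copy verified"))
    return original_digest


def verify(path, expected_digest, person, log_path):
    """Re-hash a copy before analysis; log the outcome and return True only if unchanged."""
    ok = sha256_of(path) == expected_digest
    append_log(log_path, custody_entry("verified" if ok else "MISMATCH", path, expected_digest, person))
    return ok


def demo():
    """Run the workflow on a constructed evidence file in a temp dir and return the outcomes."""
    with tempfile.TemporaryDirectory() as d:
        work = Path(d)
        original = work / "wtmp"  # stands in for a seized login log; content is constructed
        original.write_bytes(
            b"reboot ~ 2024-01-01T00:00:00Z\n"
            b"alice pts/0 10.0.0.5 2024-01-01T00:05:00Z\n"
        )
        copy = work / "wtmp.copy"
        log = work / "custody.jsonl"

        digest = preserve(original, copy, "investigator-1", log)
        clean = verify(copy, digest, "analyst-1", log)

        # Mutable evidence: simulate a line being appended to the working copy
        # after acquisition. The next verification must fail and be logged.
        with open(copy, "ab") as f:
            f.write(b"bob pts/1 10.0.0.9 2024-01-01T00:07:00Z\n")
        tampered_ok = verify(copy, digest, "analyst-1", log)

        entries = [json.loads(line) for line in log.read_text(encoding="utf-8").splitlines()]
        return {
            "digest": digest,
            "clean": clean,
            "tampered_ok": tampered_ok,
            "actions": [e["action"] for e in entries],
            "original_still_intact": sha256_of(original) == digest,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Each log line names the custodian, the artefact, its digest and a UTC timestamp, which is exactly the documentation the chain-of-custody questions above ask for; the sealed original is never opened again after acquisition, so a mismatch on the working copy points at the copy, not at the original.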