Legal Aspects of Investigations
Information security professionals should attempt to provide all evidence during investigations. The evidence should be relevant, authentic, accurate, complete and convincing.
- Real Evidence – Tangible of physical objects. Hard drives, DVDs, USB or printed documents
- Direct Evidence – Testimony provided by witness.
- Circumstantial Evidence – Provides details regarding circumstances that allow for assumptions to be made regarding other types of evidence.
If a person testified she directly witnessed the defendant create and distribute malware, this is direct evidence. If the forensics investigation of the defendant’s computer revealed the existence of source code for the malware, this is circumstantial evidence.
- Corroborative Evidence – Evidence that provides additional support for a fact that might have been called into question
- Hearsay Evidence – Indirect second hand evidence. Exceptions (Rule 803) include computer generated data and logs
- Best Evidence – Originals are preferred over copies. Conclusive tangible objects are preferred over oral testimony. Prefers evidence that meets relevant, authentic, accurate, complete and convincing as main criterias.
- Secondary Evidence – Copies of original documents and oral description. Exception: Rule 1001 allows logs and documents are considered original.
Evidence must be reliable. Checksums such as MD5 and SHA-1 are used to ensure that no data changes occurred as a result of acquisition and analysis.
Chain of custody
Chain of custody requires that once evidence is acquired, full documentation be maintained regarding the who, what, when and where related to the handling of said evidence. Initials and or signatures on the chain of custody form indicate that the signers attest to the accuracy of the information concerning their role noted on the chain of custody form. Use of checksums and Chain of Custody forms by forensics investigators is best practice.
If evidence was obtained illegally, then it will be inadmissible in court. Search warrants are required to search a private citizen’s property. Exception is that if the property is in plain sight or at public checkpoints. Another exception is exigent circumstances where there is an immediate threat to human life or of evidence being destroyed. Search warrants only apply to law enforcement and those who are acting under the color of law. An example is a corporate security professional seizing data in a corporate case under direct supervision of law enforcement.
Entrapment and Enticement
Entrapment – When a law enforcement persuades someone to commit a crime when the person otherwise had no intention to.
Enticement – When a law enforcement makes conditions for commission favourable but the person is already determined to commit the crime.
- Computer systems as target – Crimes where the computer systems serve as a primary target, such as disrupting online commerce by means of Distributed Denial of Service attacks, installing malware on systems for the distribution of spam, or exploiting vulnerability on a system to leverage it to store illegal content.
- Computer as a tool – Crimes where the computer is a central component enabling the commission of the crime. Examples include: stealing trade secrets by compromising a database server, leveraging computers to steal cardholder data from payment systems, conducting computer based reconnaissance to target an individual for information disclose or espionage, and using computer systems for the purposes of harassment.
Refers to intangible property that resulted from a creative act.
- Trademark – Associate with marketing, a distinguishing name, logo, symbol or image. TM used for unregistered and circle R is used with registered trademark.
- Servicemark – Is used to brand a service – SM
- Patent – Provide Monopoly to the patent holder on the right to use, make, or sell an invention for a period of time in exchange for the holder’s making the invention public. Europe and US patents last 20 years.
- Copyright – represents a type of intellectual property that protects the form of expression in artistic, musical or literary works. A registered copyright is one that has been registered with the copyright office. Copyrights last 70 years after death of author, or 95 years after first publication if it is a product of a corporation or 120 years after creation. Software is covered by copyright
- First sale doctrine – Allows legitimate purchaser of copyrighted material to sell it to another person.
- Fair use doctrine – Allows purchaser to duplicate copyrighted material without consent. Copyright act 1976 determines the purpose and style of excerpt; nature of copyrighted work; amount of content duplicated compared to overall length of work; and whether duplication might reduce value or desirability of original work
- Licenses – Contract between provider of software and consumer. EULA provides explicit limits on the use and distribution of the software
- Trade Secrets – Business proprietary information that is important to an organization to compete. The organization must exercise due care and due diligence in protection of trade secrets. Common protection methods include Non-compete and NDA (non disclosure) agreements. Lack of reasonable protection of trade secrets can make them cease to be trade secrets.
- IP Attacks – Software piracy, trade secrets targeted by espionage. Trademarks can fall under several attacks such as counterfeiting, dilution (ex. Kleenex referred to any facial tissue) and cybersquatting and typo squatting (registering in bad faith domain name associated with another person’s trademark.
Privacy is the protection of confidentiality of personal information. These include PII (Personally identifiable Information) such as social security numbers, financial information such as annual salary and bank account information required for payroll deposits and healthcare information for insurance purposes. One issue to understand is whether a citizen’s privacy protections are primarily opt-in or opt-out. Opt-in requires individuals to have to do something in order to had their data used, where as opt-out agreements require an individual to have to do something to prevent their data from being resold.
EU data protection directive
- Requires notifying individuals how their personal data is collected used
- Allowing individuals to opt out of sharing their personal data with third parties
- Requiring individuals to opt into share the most sensitive personal data
- Providing reasonable protections for personal data