Legal Issues in Computer Forensics

Forensics is defined as “The use of science and technology to investigate and establish facts in criminal or civil courts of law.” As a subcategory of this, computer forensics attempts to assist litigants in establishing (or refuting) facts by examining digital evidence. This can range from activity that took place on a computer or cell phone, to information that was passed along by someone, to interaction with prohibited or protected material on that computer.

The legal issues relevant to computer forensics are vast, and range from the qualification of experts, the reliability and accuracy of forensic evidence that is being proffered, to the scope and result of an expert’s testimony. We may deal with these in the future, but this page will focus on one of the most prominent legal issues in computer forensics: proof of possession of prohibited material.

Very often, a case has at its root an allegation that an individual or corporation had a certain piece of digital material on their computer. This may be photographs, videos, text documents, spreadsheets or another type of computer file.

Applying a common sense analysis to these situations can be problematic. Typically, when we find something located in someone’s personal space (i.e. their kitchen, their car, their briefcase) we presume the person possessed the item. When things are found outside of a person’s direct possession, the law regarding possession is rooted in two concepts:

  1. Knowledge; and
  2. Control

No one can possess something they don’t know about (the baseball thrown in their yard by a neighbour and covered with bushes) or that they don’t control (the marijuana plant someone can see in their neighbour’s yard, yet over which they have no power).

Courts have affirmed the application of these principles to possession of material on computers. In R. v. Chalk (http://www.ontariocourts.on.ca/decisions/2007/november/2007ONCA0815.htm), the court stated (at para. 17-19):
Section 4(3) of the Criminal Code contains a definition of possession. Section 4(3)(a)(ii) contains the relevant part of that definition for present purposes:
a person has anything in possession when he ... knowingly
(ii)  has it in any place ... for the use or benefit of himself or another person;
Possession requires knowledge of the criminal character of the item in issue. In this case, the Crown had to prove that the appellant had knowledge of the contents of the videos in issue.

Knowledge alone will not establish possession. The Crown must also prove that an accused with the requisite knowledge had a measure of control over the item in issue. Control refers to power or authority over the item whether exercised or not: R. v. Mohamad (2004), 182 C.C.C. (3d) 97 at paras. 60-61 (Ont. C.A.).

These central concepts are easily understood in simple “real world” examples about baseballs, cars and cocaine. However, it is the bridge between a computer forensic examination and a conclusion about these concepts that is often vexing or (worse) misunderstood by litigants and courts alike.

A properly conducted examination of a hard drive is, at its root, a very black and white process of examining 1’s and 0’s. It is the multiple layers of interpretation of these 1’s and 0’s that must be subjected to careful legal scrutiny if a proper result is to be obtained.

The complicated nature of these interpretations, and the human frailties associated with such interpretations, are the grey area within which these cases can be won or lost.

For example, images of a prohibited nature may be found to exist on a computer seized at a defendant’s home (we’ll call her Jane). Some litigants and courts may start from the proposition that material found on a computer was placed there by Jane. The danger is that such a conclusion ignores alternative explanations that may be just as likely, or more likely:
Another person with access to the computer placed the material there.
This attractive explanation is well known to those who litigate in this area. A computer regularly used by 12 different people is ripe for this explanation. Computer forensic examinations will attempt to foreclose another physical person through the following means:

  • Utilizing dates and times of access to the material to exclude other potential people, for instance when they couldn’t possibly have been physically in the home;
  • Determining if the material was accessed while the computer was logged into Jane’s user account, which may well have been password protected; or
  • Determining if the material was accessed at the same time as material specific to Jane, such as her work email or a project she was completing.

These sorts of “exclusions” are merely propositions that may be very, or only partially, supported by the rest of the computer examination.
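
The three exclusion checks listed above amount to a timeline correlation. The following Python is an added example, not part of the original article; the logon sessions, absence windows, marker events, file names and the 10-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

T = datetime.fromisoformat

# Constructed sample data (not from any real case).
SESSIONS = [  # (account, logon, logoff) as recovered from OS logon records
    ("jane", T("2009-03-02T19:00"), T("2009-03-02T22:30")),
    ("guest", T("2009-03-03T13:00"), T("2009-03-03T14:00")),
]
AWAY = {  # person -> windows when they could not have been in the home
    "roommate": [(T("2009-03-02T18:00"), T("2009-03-02T23:59"))],
    "jane": [(T("2009-03-03T08:00"), T("2009-03-03T17:00"))],
}
MARKERS = [  # activity specific to one person, e.g. Jane's work email
    ("jane", T("2009-03-02T20:10")),
]
ACCESSES = [  # (file, access time) for the material in issue
    ("img_001.jpg", T("2009-03-02T20:14")),
    ("img_002.jpg", T("2009-03-03T13:20")),
    ("img_003.jpg", T("2009-03-04T02:00")),
]

def assess(when, sessions, away, markers, window=timedelta(minutes=10)):
    """Evaluate the three propositions for one access time."""
    # Account logged in at that moment. This names an account, not the
    # person at the keyboard, and depends on the system clock being right.
    account = next((a for a, s, e in sessions if s <= when <= e), None)
    # People who could not have been physically present at that time.
    excluded = sorted(p for p, spans in away.items()
                      if any(s <= when <= e for s, e in spans))
    # People whose own material was in use within the window.
    nearby = sorted({p for p, t in markers if abs(t - when) <= window})
    return {"account": account, "excluded": excluded, "nearby": nearby}

def report(accesses=ACCESSES):
    """Map each file to its findings; empty findings support no exclusion."""
    return {name: assess(t, SESSIONS, AWAY, MARKERS) for name, t in accesses}

if __name__ == "__main__":
    for name, finding in report().items():
        print(name, finding)
```

The third file shows the weak case: no session, no absence window and no marker covers the access, so none of the exclusions is supported for it.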

The reality is that much of the content accessed by computer users is not by request, but served out by internet web pages. In R. v. G., 2008 ONCJ 97, the court considered whether this sort of unintentional and accidental downloading can explain the presence of prohibited material on a user’s computer: (at para. 22)
[the] evidence that internet browsing can result in the inadvertent copying of images onto a hard drive is important. Anyone who has used the internet, perhaps to read the online version of a newspaper, will understand that the "page" that opens when one enters a website may be considerably larger than what is immediately visible to the user. That is, a web page may contain substantially more information, in the form of images and text, than what can be seen on the computer screen. To see everything, the user may have to 'scroll' a considerable distance to the bottom of the page.

The court in R. v. G. acquitted the accused of all charges. This result, however, was built on the evidentiary foundation laid by cross-examining the forensics expert. In R. v. C. [2009] O.J. 2624, the accused was convicted, and the court rejected the defence that had been successful in R. v. G.:
I was referred to the case of R. v. G., [2008] O.J. No. 917 (O.C.J.), where the Crown failed to prove that the images that were child pornography were knowingly viewed or transmitted by the accused, and failed to prove that he knew they existed on the hard drive of his computer or exercised any measure of control over them. I note that the evidential basis of that case differed from this in that aspect. In that case there was evidence that a picture file could be created or accessed without it being viewed in some fashion, additionally that Internet browsing without proper security on a computer could allow the creation of files without the image being opened or viewed; that Internet browsing could result in the inadvertent copying of images onto a hard drive. There was evidence that the browser writes to the hard drive Temporary Internet Files not just the images the user sees on the screen but all the evidence on the web page even though the user may not have seen them or been aware of their existence. There was no evidence to this effect in the case before me.

It may well have been that the expert in R. v. C. refused to agree with the concessions made in R. v. G. That said, a detailed knowledge of the principles and technical aspects of computer forensics can always assist with turning the other side’s expert against them.

One of the grim realities of today’s internet is the constant threat of malware (viruses, trojans and worms etc.). Malicious users scan the internet for poorly protected computers and focus attacks on them. Some web pages are exclusively set up to infect computers that access them, even if by accident or unintentionally. In July 2009, Google’s Safe Browsing Malware List identified 350,000 web pages that contained malicious software. This reality is often downplayed where the other side wishes to prove someone like Jane meant to download or access prohibited material. Courts have recognized these threats, and have even based findings on these threats.
In R. v. P. [2006] O.J. 2208, the court found the defendant not guilty of possession of child pornography, largely due to the existence of these malicious threats:
Perhaps most tellingly, on 31 August 2005 a crown witness, Constable Glen McBryde, testified that material can make its way into a computer in a number of ways:

(1)  An owner actively downloads material (active acquisition);
(2)  An owner unknowingly receives or downloads material (passive acquisition);
(3)  Another person actively downloads material (third party activity).
105     Only the observed activity of the owner, Mr. [P.] or the observed actions of a third party using Mr. [P.'s] computer can be evaluated using the traditional evidence and inferences found in the case law in such alleged criminal activity as possession of drugs or stolen property. Neither type of evidence is found in this case.
106     According to the evidence of the crown witness, the technology of computers and the internet lead directly to another, innocent explanation, namely, the remote access to the computer, by others, not detectable or known to the computer user, in this case, Mr. [P.]
107     In the context of computers, I find on the evidence, it is neither straightforward nor self-evident that a limited physical control of a computer can lead to any useful inferences of criminal knowledge or control.

This summary only briefly considers a few of the multitude of legal issues involved in a computer forensics case. The law in this area is still coalescing, and few appellate level decisions are available. It is for this reason that the quality and type of evidence presented is even more decisive than in other types of litigation. Courts are looking for guidance on these issues, and still have difficulty grappling with these complicated concepts.

Anecdotally, when lawyers from Mulligan Tam Pearson were training in computer forensics in the U.S. and England, most experts stated they were almost never substantively challenged on their evidence in cross-examination. As can be gleaned from the above material, the quality of evidence can have a massive impact on these cases’ results.

Robert A. Mulligan, Q.C.
Michael T. Mulligan
Andrew Tam
Paul E. Pearson
