Digital Forensics

2. Legal & Ethical Issues

It's the Law!

Some legal aspects have already been looked at in earlier sections. These include:
  • The Data Protection Act (DPA), created with a view to safeguarding personal data and people's privacy.
  • The Copyright and Patents Act, implemented to protect people's intellectual property and work.
  • The Computer Misuse Act 1990, intended to provide legal protection to digital devices belonging to individuals and organisations.

As the focus of this unit is digital forensics, and discovering who did what to which computer, the main legal framework that applies in this area is the Computer Misuse Act.

Prospective analysts need to be aware of particular sections of the Computer Misuse Act, together with other laws, especially those governing the seizure of property and the recording of evidence.

Computer Misuse Act 1990

Section 1

Unauthorised Access To Computer Material

It is an offence to cause a computer to perform any function with intent to gain unauthorised access to any program or data held in any computer. It will be necessary to prove the access secured is unauthorised and the suspect knows this is the case. This is commonly referred to as ‘hacking’.

The Police and Justice Bill 2006 amended the maximum penalty for Section 1 offences. The offence is now triable either way, i.e. in the Magistrates Court or the Crown Court.

The maximum custodial sentence has been increased from six months to two years.

Section 2

Unauthorised Access With Intent to Commit Other Offence

An offence is committed as per S1 but the S1 offence is committed with the intention of committing an offence or facilitating the commission of an offence. The offence to be committed must carry a sentence fixed by law or carry a sentence of imprisonment of 5 years or more. Even if it is not possible to prove the intent to commit the further offence, the S1 offence is still committed.

Max penalty: 5 years imprisonment.

Section 3

Unauthorised Acts with Intent to Impair Operation

An offence is committed if any person does an unauthorised act with the intention of impairing the operation of any computer. This ‘impairment’ may be such that access to data is prevented or hindered or that the operation or reliability of any program is affected. This offence carries a maximum penalty of ten years imprisonment.

This offence is used instead of the Criminal Damage Act 1971, since it is not possible to criminally damage something that is not tangible. The Police and Justice Bill 2006 amended the original Section 3 Computer Misuse Act offence, unauthorised modification, and increased the maximum penalty to ten years imprisonment.

Police & Justice Bill 2006 & Police & Criminal Evidence Act (PACE) 1984

Only applicable in Scotland in cross border investigations.

Section 3A

Making, Supplying or Obtaining Articles

The bill amends the Computer Misuse Act to make it an offence to make, supply (including offers to supply) or obtain items to commit Section 1 or Section 2 misuse offences.

This would cover, for example, writing or distributing malicious software, or obtaining malicious software for later use. It would even cover putting malicious software on media (e.g. USB drives) to give to someone to use to load malware.

The maximum penalty is two years imprisonment.

Other Relevant Sections

From both acts

  • Section 14: Search Warrant: Police may apply for a search warrant if they believe:
    • an offence has been committed
    • or is about to be committed
    on the premises. The warrant grants authority to seize any items that may contain evidence of an offence. Only a Circuit Court Judge (Senior Judge) can grant these warrants.
  • Section 8: Search Warrant (PACE): These can be granted by a Justice of the Peace (JP)
    • if the police believe that an indictable offence has been committed
    • and evidence is on the premises.

    The warrant also gives authority to persons accompanying the police, for example computer experts.

Criminal Justice & Police Act 2001

In Scotland equivalent powers are granted by:-
  • Civic Government Scotland Act 1982
  • Criminal Procedure Scotland Act 1995
  • Common Law

Section 50

Search & Secure Bulk Items

Sets out the powers which can be used to seize an item if it is believed to contain something for which authorisation to search has been given.

In other words, the Police can seize electronic devices if they have reason to believe they contain evidence of a crime for which they have been given a search warrant.

Section 50 Para 1

Reasonable grounds for seizing devices

If the Police believe that something contains evidence but this can't be established at the time, maybe because it's a device that is switched off or password protected, then they have the right to seize it and take it away.

Section 50 Para 2

Seizing combined items

If the police believe that an item contains evidence and it is contained in, or is part of, another item which they have no authorisation to seize, and it is not possible to separate them at the time, then both items can be taken.

In cases of digital technology, examples might include hard disks contained within larger servers.

Principles of computer based electronic evidence

Computers and digital devices can be used to commit crime and in the case of hacking, can be targets of crime. The successful prosecution of cyber-crime requires the same level of evidence produced to the same standard, following the same rules of evidence as required for more conventional crimes.

To help maintain the standard of evidence, Forensic Analysts have to abide by principles of how evidence is gathered, stored, documented and managed.

Principle 1
  • What it says: No one on the investigative side should change data held on digital devices which may be relied on in court.
  • What it means: Computer based electronic evidence is subject to the same regulations and laws that apply to documentary evidence. It is the responsibility of the prosecution to show to the court that the evidence produced is exactly as it was when it was first taken into possession.

Principle 2
  • What it says: Where data on a device needs to be accessed, it must be done by a competent person who is able to give evidence, explaining its relevance and implications.
  • What it means: The reason for this is that the operating system and applications can alter data automatically without the user being aware of the data being changed.

Principle 3
  • What it says: There must be a record or audit trail of all the processes and treatments applied to the original data. As in a scientific experiment, a person must be able to follow the same steps and achieve the same result.
  • What it means: So that the evidence is preserved, all investigations should be conducted, wherever possible, on an exact image or copy of the complete target device, rather than the original data. Partial or selective copying should only be done when the amount of data makes a complete copy impracticable.

Principle 4
  • What it says: The person in charge of the investigation has overall responsibility and makes sure the principles and relevant laws are followed.
  • What it means: The lead investigator has to demonstrate in court objectivity, together with continuity and integrity of the evidence.
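How Principles 1 and 3 can be supported in practice, as an added example that is not part of the original course material: the working copy is checked against the original by SHA-256 digest, and every action is appended to an audit trail in which each entry includes the hash of the previous one, so a later edit to the record is detectable. The file names, examiner name, timestamps and record fields are constructed for illustration.

```python
import hashlib, json, tempfile
from pathlib import Path
GENESIS = "0" * 64  # "previous hash" used by the first entry in a trail

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:  # opened read-only: the evidence is never written to
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def entry_hash(entry):
    """Hash every field of an audit entry except its own 'hash' field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def log_action(trail, examiner, action, detail, time):
    """Append an entry chained to the previous one."""
    entry = {"seq": len(trail), "time": time, "examiner": examiner, "action": action,
             "detail": detail, "prev": trail[-1]["hash"] if trail else GENESIS}
    entry["hash"] = entry_hash(entry)
    trail.append(entry)

def verify_trail(trail):
    """Return the index of the first broken entry, or None if the trail is intact."""
    prev = GENESIS
    for i, e in enumerate(trail):
        if e["seq"] != i or e["prev"] != prev or e["hash"] != entry_hash(e):
            return i
        prev = e["hash"]
    return None

def verify_copy(trail, examiner, original, copy, time):
    """Record both digests and whether the working copy matches the original."""
    a, b = sha256_file(original), sha256_file(copy)
    log_action(trail, examiner, "verify_copy", {"original": a, "copy": b, "match": a == b}, time)
    return a == b

def demo():
    """Constructed sample: two small files stand in for a seized disk and its image."""
    with tempfile.TemporaryDirectory() as d:
        orig, copy = Path(d) / "original.img", Path(d) / "working.img"
        for p in (orig, copy):
            p.write_bytes(b"constructed sample disk contents" * 1000)
        trail = []
        ok = verify_copy(trail, "analyst-1", orig, copy, "2024-01-01T10:00:00Z")
        log_action(trail, "analyst-1", "keyword_search", {"image": "working.img"}, "2024-01-01T10:05:00Z")
        before = verify_trail(trail)
        trail[0]["detail"]["match"] = False  # a record is edited after the fact
        return ok, before, verify_trail(trail)
```

`demo()` returns `(True, None, 0)`: the copy matches, the trail verifies, and the edited first entry is then reported as broken.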

Ethical Issues: a summary

The law attempts to provide protection to computer users at various levels. The Data Protection Act (DPA) is orientated towards looking after personal data.

The Copyright and Patents Act aims to look after intellectual property made with or stored on computing devices.

Finally, the Computer Misuse Act attempts to limit what can be done to or with computing devices.

These laws are backed up by sections in other legal frameworks (PACE, Criminal Justice & Police Act).

The laws set out the conditions under which authority can be granted to the Police to enter, search, find and retain items which may be subjected to further examination to find evidence to support the claims for which the initial warrant was given.

The items seized by the police are then subjected to a forensic examination governed by principles.

From the legal position, it would appear fairly straightforward, leaving little scope for ambiguity. But digital forensic investigators are always:-

  • In a position to tamper with the evidence to show guilt or innocence.
    • Investigators may be tempted to change evidence to show guilt if they were sure that a suspect was guilty although direct evidence couldn't be found, especially if the crime was especially emotive, like paedophilia.
    • Equally, they may be influenced to adapt evidence in exchange for payment or advantage.
  • Exposed to highly sensitive material and company secrets, some of which may conflict with the investigator's beliefs; for example, animal test results may run counter to the beliefs of a committed anti-vivisectionist or vegan.
  • Able to learn trade secrets for which people may pay a lot of money.
  • Able to get access to very personal information, diaries, personal photographs and other adult material which could cause severe embarrassment, and threaten marriages, careers and the outcome of legal cases such as child custody cases.

Add a new page to your notebook. Title it Legal frameworks and Ethical dilemmas. Answer the following questions.

  1. Describe what is meant by the term 'intellectual property' and provide examples of your own intellectual property that you would want to guard.
  2. Explain the difference between a Section 1 offence and a Section 2 offence under the Computer Misuse Act.
  3. Why isn't the Criminal Damage Act 1971 used to prosecute people who 'impair the operation of any computer'?
  4. What do the police have to show or demonstrate in order to obtain a search warrant?
  5. Can the police seize items not included on the original search warrant? Explain your answer.
  6. One of the principles of forensic investigation is to maintain an audit trail. What is an audit trail?
  7. Use your research skills to discover and explain the meaning of spoliation.

In most cases it is easy to make decisions over the right or wrong thing to do. It is only at the edges where mitigating circumstances begin to blur the boundaries and we have to bring ethics into it.

Copy each of the following scenarios and, beneath each, give your answer with your reasoning.

  1. A pupil sets an inappropriate image as their desktop picture. Another pupil in the class complains about its upsetting nature. The teacher gets involved and the pupil, after discussion recognises its inappropriateness, agrees to change it and not to set such pictures again.

    A few weeks later another pupil complains about the first pupil's desktop image, which has been changed again. The pupil claims to have had nothing to do with it and argues that someone else had hacked their account and changed it without their permission.

    But when the teacher points out that a forensic investigation can reveal who changed the image and exactly when, the pupil starts to argue that it's an invasion of privacy.

    What should happen now?

  2. School Deputes are worried about inappropriate messages and material being exchanged on a social media platform used by the school. The IT department says they have a program, CyberMon, which can help. This program monitors all activity on the website and generates a listing of the email addresses of all those who use the site.

    Is it ethical to use CyberMon?

  3. Susan, an IT manager, suspects that someone is smuggling out trade secrets and data from the company and begins an investigation. While conducting an internet use analysis, she discovers that her best friend, Ellie, has been using her office time for online shopping. This is expressly forbidden by the company, who consider it a sackable offence because shopping in company time using company resources is not what they pay people for.

    Susan also knows that Ellie has recently lost her husband to cancer and that she is struggling to cope.

    What should Susan do?

Can you now do?

  • Explain the difference between the main sections of the Computer Misuse Act 1990
  • Describe some of the conditions under which Police can gain the authority to conduct searches and seize items.
  • Explain the relevance of ethics to forensic investigations
  • Provide and explain at least three principles governing the conduct of forensic investigations.

If you don't feel confident in meeting any of these performance criteria, ask your teacher or re-read the information.
