
OK, the little legend has come up that the recording has started. I hope that this is recording, and I hope that you are well, whoever you may be. This is kind of a new one on me: having presented at a number of conferences over the past year remotely, doing it via pre-recording, and not knowing who's going to be there, or who introduced me, or how they introduced me. Allow me to introduce myself. My name is Rob Slade. I started in research into security, researching malware, so you can take a picture of the QR code there and get some information on me, in the full confidence that it is absolutely safe, bearing in mind that I know every possible way to get people to install malware on their machines. I have taught at a number of conferences, presented at a number of conferences, and I'm going to be teaching next week, during the pandemic here. I primarily consider myself a teacher; I've taught on five continents. In terms of legal stuff and presenting in court, I did write the book Software Forensics, and a bunch of other things, including most recently Cybersecurity Lessons from COVID-19. But I should probably get started on presenting technical evidence in court, because that's what you're here for, at least I assume so, unless you stumbled into this room by mistake.

As blind random chance would have it, I'm doing some security lectures here in Vancouver, and next week a longer version of this same presentation is going to be given. There's the URL that gets you to join, the URL that gives you some information on what the series is all about, and the URL that gets you into my YouTube channel so that you can see previous ones, if you are interested in any of that. If you're not, we'll just go on with this.

Right. "CSI Yaletown is not going to help" is the subtitle here because, well, we'll talk a little bit about CSI and the CSI effect a little later, but the way you present technical evidence in court is not the same way that it gets presented in all the cop shows and lawyer shows on television. Much of the stuff that I've been teaching is the CISSP review seminars around the world, which means that, interestingly, as a Canadian I have been teaching American law to Americans much of the time. But anyway, I have had to deal recently with consulting with an awful lot of lawyers on patent troll cases, and it's just different than they show it on TV, and I want to point out a few of those things.

Because we are dealing with legal issues and all kinds of legalities here, it's probably important that I tell you that I am very definitely not a lawyer. I am techy, I'm a geek, just like all of you guys, and that becomes important, because lawyers don't just work in a different industry than we do, don't just have a different trade than we have: lawyers are a different species. When we attack a problem, either there's going to be an answer or there isn't, and if there is an answer there are about 16 different answers and you pick the one that you prefer best, but the solution is the solution, and there is a solution. That's not the case with lawyers. You ask a lawyer anything, it doesn't matter what the question is, the answer is always going to be "it depends." So the way that they think and the way that we think is not the same. In the same way that it's important that we as security professionals learn business, so that we know that we are supporting the business that we are working for, when we are helping with a legal case we are helping the lawyers, and we have to understand their mindset and consider what they will consider important, not just what we consider interesting. Anyway, we will get through to this, and I'm sorry that this is not going to be a cut-and-paste "here is how you present, here is what you need to do, here is a process to follow," because of course every case is going to be different. So we'll look a little bit at some of the principles here in the law.

I seem to have jumped ahead of myself, so we'll just go back. First of all, most of the stuff that you see on TV, because it's shot in the United States, is going to be roughly under a common law legal system, and actually, unfortunately, common law is not that common. There are only 42 countries in the world that have common law legal systems, and even in the United States, for example, which federally is under a common law legal system, and most of the states are under common law legal systems, they have two states, Louisiana and California, where their legal systems at the state level are based on the civil or code law legal system, and this in fact is the most common one. This is where the state writes the laws; well, that's fairly obvious, but the common law legal system is going to be based on some kind of a charter document. They've got the Magna Carta in the UK, which is where the whole thing started; in the United States they've got the Constitution; here in Canada we've got the Bill of Rights. In civil or code law legal systems you have to have a specific law, or something is legal. For example, if a particular country in their civil law legal system had not specified that murder was illegal, it would not be illegal. Under the common law legal system there are certain principles, and the fact that killing somebody is a bad thing is basically one of those principles, so you don't necessarily have to define murder in the law for it to be illegal.

That has a lot of implications for those of us in the technical world, because of course technology and the information society are changing and putting a lot of pressure on, creating all kinds of new situations that civil law legal systems have not yet addressed. As one example, under the common law legal system, if somebody writes malware and releases malware, that can be considered mischief, it can be considered trespass, it can be considered a number of things under the principles of the common law legal system. But if you don't have a specific law in their civil or code law legal system that says that's the wrong thing to do, then it isn't wrong. In our interconnected environment these days that's important, because you may be dealing with other jurisdictions very easily; I mean, on the internet everybody lives next door to everybody else. So there's that. Now, there are other legal systems, religious or traditional law legal systems; they can have factors bearing on this, but do remember that a lot of the things that we think are universal, such as the presumption of innocence, even jury trials, things like that, are all based on the principles of the common law legal system, and they may not hold in some of the jurisdictions that you have to deal with when you deal with a complex system.

Now, there are different kinds of laws under all of those things. There is criminal law: this is specifically criminal, and criminal law is something that you can put somebody in jail for; that is a basic sort of division here. Civil or tort law has to do with lawsuits, and again, don't confuse the civil or code law legal systems with civil or tort law under various types of legal systems. Tort law has to do with lawsuits. Intellectual property is a big issue here, and I've had to deal with far too many intellectual property cases, and particularly patent trolls. You can get a decision that somebody owes you money because you have harmed them in some way, but you can't throw somebody in jail in regard to a lawsuit. Administrative, or regulatory, law, as it is sometimes called, has to do with specific industries, enterprises, specific fields of work. Banking is subject to regulations; health care is subject to specific regulations; there are specific administrative or regulatory laws that relate to those, and some of the laws that you may have to deal with are because of specific regulations for a specific industry.

Now, I have mentioned jurisdiction: that is, where did the crime take place, and where, then, can it be prosecuted? Unfortunately, particularly, as I say, in our interconnected world, that can be an issue. I remember a case. Casinos are basically illegal in most places in the United States; you can't have a casino, and online gambling is therefore illegal, although apparently it's not illegal to run a casino, it's only illegal to have American customers. It's kind of bizarre. But of course people have set up online casino systems, and I remember one case where an online gambling casino was set up, primarily for American customers of course; the company was headquartered in the Cayman Islands; the servers were sitting in the basement of a hotel a few miles away from me in Burnaby. So where is the jurisdiction there? Whose laws are going to apply in that kind of case? You run into that all kinds of times, as I say, on the internet: where did something originate, where did somebody get hurt, where were things transferred? Jurisdictional issues can get extremely complex. I remember the DC snipers: five separate jurisdictions, when they finally caught the people, wanted to try them, and there was this big wrangle about who was going to try them first. Anyway.

Now, as I mentioned, lawyers are different than us. In technology, code works or it doesn't, and the background and the documentation are irrelevant; an awful lot of people think that documentation itself is irrelevant (I happen to disagree there). But in the legal world you immediately run into all kinds of complexities in the situation, and so your preparation is important, your background is important if you are a witness (I'll talk about expert witnesses in a bit), documentation is often vitally important, and of course the law itself. So, as I say, you're going to have to see this from the lawyer's perspective; they are in charge in this situation.

Now, some additional concepts here. Liability: in terms of civil or tort law and lawsuits, there doesn't have to be a specific crime, just a harm to somebody, and you don't have to specifically do something to somebody. If you do something and your action, even though it wasn't directed at someone, harms someone as, sort of, collateral damage if you will, then you are liable. If you should have done something, if a reasonable person should have done something to keep someone from harm, then you are liable: if you don't take the steps that you should take, that's negligence. So these are concepts that you are going to see in legal situations, and you are going to have to demonstrate, yes, this person was liable, or no, this person wasn't liable, because the steps that you were saying could have been taken were irrelevant, were not steps that a reasonable person would have taken. These issues can be pretty interesting. There's also the issue of due care and due diligence. Again, the steps that a reasonable person should take, that's due care. Looking at dictionaries of law, sometimes they will define due care and due diligence as the same thing; sometimes you will get basically a definition that due care is what you should do and due diligence is how you prove that you in fact did it. So, interesting related concepts there.

Now, the crypto wars are a sort of recurrent legal battle. I can remember the crypto wars back in the 90s (you can tell I'm old), and we seem to be fighting this recently all over again. Law enforcement tends to say they need to have access to communications so that they are able to do wiretapping on the bad guys, and everything that goes along with that. This is an ongoing fight, because of course anything you do to weaken encryption weakens security overall. For example, if we say that we can't have strong encryption, we can't have online commerce; how do we protect using credit cards online, or anything like that? And of course cryptocurrencies themselves rely on encryption. So all kinds of battles are going to be fought in this, and this is probably one that is going to be ongoing, or at least recurrent; it's going to keep coming back and back again, and it is not something that's going to be resolved at any time soon.

So, finally, down to presenting evidence in court, and there are different types of evidence. Now, the most regarded type of evidence is direct evidence, that is, witness statements, which is kind of weird from our technical perspective, because research has definitely shown that witness statements are extremely unreliable. Everything in investigation, quite apart from the law, managing an investigation: there are all kinds of specialty fields in there, one of them being interviewing and interrogation, because you don't want to lead the witness, not only because it's illegal for one thing, and it may lead you astray, but because it's very easy to lead the witness without even intending to. When you hear something interesting from a witness, just leaning forward and widening your eyes because you're interested in what they're saying feeds back to them. We are very quick to pick up on these things, and if they want to help you, they will start to create facts and extra supporting factors in their story. It's very easy to show: you set up a situation and have a little play going on, and then interview everybody who saw it and say, now, tell us what happened, and see the differences in the statements that people make. But it's very easy to get them to mess this up, and so you say, well, tell me about the guy in the green hat, and they say initially, well, I don't remember the guy; oh sure, he had that red vest on, and blue tie, and pretty soon, because of course you are feeding information to them, they're picking it up and they will remember the guy in the green hat and the red vest and the blue tie, when in fact there was no such person. But this is interesting: traditionally, direct evidence has been the best type of evidence that people want.

Now, real evidence: this is a tangible object, and we think, in the technical world, yes, we're dealing with tangible objects, we're dealing with computers. But unfortunately most often it is not the computer that is the important thing; it is in fact the information, and the information is not tangible. We aren't dealing with real objects; we are dealing with very small magnetic variations on a physical object. Real is DNA, real is hair samples, real is mud spatter, blood spatter, things like that; that's real evidence. Real is a television with a serial number that was recorded as shipped to this company and is now found in this person's possession, and therefore they stole it; that's real evidence. But our evidence is most often documentary. The information that we are extracting from a computer, that's documentary evidence. Not only is it documentary evidence; because of the nature and the fragility of digital evidence, it's even hearsay, and very often it is considered to be hearsay. Business records are not actually evidence of a transaction; they're evidence surrounding a transaction. So most of our evidence is documentary, most of it has to be supported and it has to be interpreted, and this is where we get down to the last one, demonstrative, and this is where the CSI stuff comes in: we have to build demonstrations of why our documentary evidence does in fact mean what we say it means. So those are the types of evidence, and of course documentary evidence is the most important for us.

Hearsay is when you say you heard somebody say something, and that is generally speaking not accepted in court; it is accepted in exceptional circumstances, and we have to give reasons for why this hearsay is something that should be heard. There has to be backup testimony: how was the information created, how was it handled, how was it protected, was there any deviation from the standard process, and why were any of those deviations made and should they be accepted? All of this has to be backed up when you are dealing with documentary evidence, so that is going to be vitally important. Everything that you decide you need to present in court is going to have to be backed up in that way.

When it comes to computer information, there are rules of evidence when you are presenting in court, if it's going to be acceptable. Now, you will find various lists of the rules, and there are different numbers of rules and that sort of thing; basically the principles here are what you will see. First of all, it's got to be relevant, and this is something of a particular problem for us. We may find something that we find really interesting, but unless it's specifically relevant to the case, to proving that the person that we say did something did something, identifying them or indicating that this was the action that they took, it's got to be relevant to that, and if it's not specifically relevant it's never going to see the light of day in court. In fact there are different types of evidence that may from our perspective be relevant, but because of that last rule, the best evidence, we may not be able to present certain things. We have to present the best evidence, the most relevant, the evidence that is really going to give the court the best picture of what happened.

Admissibility is an interesting concept. First of all there's the legality of it (and that's mentioned as well): was this evidence collected in a proper manner? Anything that deals with illegal search and seizure, and there are rules about what you cannot search and what you can't seize; that evidence then becomes tainted and can't be presented in court, or sometimes, even if it's presented in court, cannot be used in the final decision. We've had a recent case here in Vancouver where someone actually killed someone, but because all of the evidence that was gathered relied on a specific piece of evidence that was kept illegally, all of that had to be thrown out, and in fact the court case, the fact that this person was guilty, had to be thrown out because of the tainting of that evidence; it should not have been admissible in the first place. In regard to admissibility, again, there is the chain of evidence, the chain of custody: who collected this information, how did they safeguard it, was it protected, was it sufficiently protected, did anyone have access to it between the time it was collected and the time it's presented in court, and for what purpose? That becomes a very important issue. The chain of evidence, chain of custody, is vitally important when we're dealing with this.

Monitoring and surveillance is a very interesting situation, particularly when we're dealing with privacy laws and even labor laws. If you have employee monitoring, if you have surveillance in your place of work, make sure that you keep it to a minimum so that you don't run afoul of privacy issues; make sure that you have agreement or permission from your workers or even customers. That becomes very interesting. There was a case in the United States where a police station was of course under video surveillance, and big signs about video surveillance were posted, and someone was caught. This evidence was taken into court, and in court that party challenged, because the recording that was being used was from a surveillance camera in a broom closet, and this lawyer said that nobody in their right mind would put their surveillance camera in a broom closet, and therefore his client had a reasonable expectation of privacy. I do not know how that case came out, but even the fact that the argument was made shows how interesting some of these cases may become. And again, privacy is now a specialty on its own; there are specialists in issues of privacy. We have to think about the privacy directives, and GDPR, being basically an extension of the privacy directives, has the basic principles there. Most countries around the world that have privacy laws have based their privacy laws on the privacy directives, so they can have equivalent protection, because one of the privacy directives said you can't transfer information to a jurisdiction without equivalent privacy protection. So this is everybody except the US, which basically does not have any privacy legislation at all, which is really interesting.

There is an issue called discovery. This is an adversarial system; again, that is a difference. We work in a collegial environment: even when we're dealing with intellectual property and patents and things like that, basically we want to share information with our colleagues, we write papers, we do this. The law, and in particular the courts, are an adversarial system, and you've got two sides, and somebody is there in court not to prove you wrong; they are there just to make you look bad. That's all they have to do. As an example of this, right now in the political realm, Justin Trudeau is not doing great things, he's trying his best, maybe, with a bunch of different situations, and Erin O'Toole is having a field day saying Trudeau is doing everything wrong. He doesn't have to prove that he's got better ideas, which he doesn't sound like he does; he doesn't have to prove that something specific that Trudeau has done is wrong; all he has to do is make him look bad. The same thing happens in court, and they get to see everything that you have done, everything you have discovered, everything that you were going to bring against them. So whereas previously a lot of companies were starting, with information technology and our storage capacities going up, to say we're just going to keep everything, now, in more legal terms, companies are starting to think, maybe we should keep what we keep to a minimum, because if you face a court case it can be very expensive to provide the opponents with everything that they want to see. So bear that in mind.

So, digital evidence is fragile; it is extremely fragile. If there was any change, there is no way to say what the change was, who it was changed by, when it was changed, what the original data was, and whether it was of any significance. So if anything is changed, very often your evidence is worthless, and that's where this chain of custody issue comes in. It is very important to protect digital evidence. When you make a copy of a hard disk, for example, you don't make a backup, because most backups set the archive bit on every file that they back up, and so they are changing information on the hard drive. As soon as you do that, for one thing you lose a lot of evidence about what files people may have looked at, but the fact that you changed it means that now you've already got modified data, and that can be challenged in court. Again, somebody doesn't have to prove that what was changed was what's important to the situation; all they have to prove is that you allowed a change, and therefore the evidence is unreliable. So when you have a hard drive you make a bit image copy. You make a bit image copy with, usually, specialized hardware that is not going to write anything to the hard drive that it's reading. You are going to collect everything: the logical space and the slack space. You are going to collect the files, you are going to collect the blank space after the files, the bits in between the files; you're just going to collect absolutely everything, and that is going to be your bit image copy. Then you make a copy of that bit image copy, and that's your working copy, so that if anything goes wrong with that you can go back to the copy rather than having to go back to the original hard drive, because of course the chain of custody is going to be interfered with if you have to go back to the original hard drive. Anyway, that is an issue that you have to deal with.

Now, when you are presenting in court as a witness, you can be a witness of fact, which means you just get to say "just the facts, ma'am," as the phrase has it, or you can be an expert witness, but the court gets to decide whether you are an expert witness. An expert witness may provide an opinion, and very often that is what you need: if you are going to do any interpretation, saying "well, what this means is," as soon as you say that, that's an opinion, and you have to be an expert to be able to do that. In the United States there's a decision called the Daubert decision: the judge, the individual judge in the case, gets to decide whether you have the skill, training and experience to be an expert witness. Interestingly, in the US under that decision, bias is unimportant. You can be a very biased person, you can work for one side or the other, that's not important, as long as you have the skill, the training and the experience that is necessary. In the UK you cannot be an expert witness if you have a possible bias, and so a friend of mine who worked for the high-tech crimes unit over there was never able to present as an expert witness in court, because the fact that he worked for the police meant that it was automatically assumed that he would be biased, and therefore he was not allowed to be an expert witness, even though he was a very expert individual.

So, the presentation. This again, you remember, back to our list, is the demonstrative type of evidence. There is going to have to be a lot of preparation. You're going to have to think of who your audience is, and this becomes very important. Your audience, you will remember, and this is particularly when we deal with fairly complicated technical issues, is two lawyers, who may be very smart people, they got through law school, but they may not know anything about technology; a judge, who is, you will remember, by definition an old lawyer; and 12 people who were too stupid to get out of jury duty. So you have to prepare your presentation remembering that audience, remembering how you are going to lay out for this audience what these complicated issues mean, and why that supports your contention that what you say happened, happened. Of course it has to be relevant. The preparation can really take a lot of time. I can remember one particular case where I was days and days with multiple different lawyers being questioned as to what I was going to say in court, because the lawyers did not understand the minutiae of the technical stuff that the court case was dealing with. Many of the sessions were frustrating, but one in particular was extremely frustrating, and I finally asked the guy, what is it that you want me to say? And he said, I can't tell you, because telling you would be coaching the witness, and that's illegal. But they do take you through hours and hours of preparation, asking you the questions, seeing what your answers are going to be, what kind of follow-ups they may need to do. It just takes an awful lot of time in preparation for what may be five or fifteen minutes on the stand in court: hours and hours and hours of preparation, and that's quite apart from putting together any kind of presentation to demonstrate the technology.

And here's where CSI comes in, because CSI has a lot to answer for: the TV show, the various TV shows, the whole franchise, and many, many other television shows and the presentations that they do, but particularly CSI. CSI gave a lot of people the impression that any technical issue could be covered in court with this colorful animated computer graphic that just makes it absolutely clear that what they say happened actually happened, and that's all done within 45 minutes excluding commercial breaks, and then we can all go home for dinner. Court cases have increasingly run into this: this is what the jury expects these days, and unfortunately that is just not reality, and you, and the lawyers you're working with, are going to have to address that issue carefully as to what the expectations are going to be for the audience, and whether you are going to be able to, if not exactly meet them, at least deal with the expectations that people have for these kinds of presentations. And that is why CSI Yaletown is not going to help.

I hope that this has helped. I hope that you are enjoying BSides Vancouver this year, in a very strange situation. I hope you are all being kind to each other, being calm in all the weird situations that we find ourselves in, and being safe. I hope that you have all registered for your vaccine. And now I suppose I turn this off and somebody opens up the floor for questions or discussion or something like that.
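
The bit image copy, working copy and chain-of-custody procedure described in the talk (image the original behind a write blocker, never touch it again, cut a working copy from the image, and be able to prove nothing changed), as an added example that is not part of the talk or the speaker's material. The "evidence drive" is a constructed file standing in for a device; the `bad_sectors` parameter, the JSON Lines custody log and the `examiner-1` names are this example's own assumptions, not a standard or a real tool's interface.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

BLOCK = 512  # sector size for the block-level copy


def sha256_file(path):
    """Stream the file through SHA-256 so a large image never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def log_custody(log_path, action, path, examiner, note=""):
    """Append one chain-of-custody record: who, what, when, and the hash at hand-off.
    The JSON Lines layout is an assumption of this example, not a standard."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
             "action": action, "path": os.path.basename(path),
             "sha256": sha256_file(path), "note": note}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def acquire_image(device, image_path, log_path, examiner, bad_sectors=frozenset()):
    """Sector-by-sector copy of `device`, in the manner of dd conv=noerror,sync: an
    unreadable sector is zero-filled rather than skipped so later sectors keep their
    offsets, and the deviation from a clean read is logged with its reason.
    `bad_sectors` injects simulated read errors (constructed for this example)."""
    unreadable = []
    with open(device, "rb") as src, open(image_path, "wb") as dst:
        for sector, data in enumerate(iter(lambda: src.read(BLOCK), b"")):
            if sector in bad_sectors:
                unreadable.append(sector)
                data = b"\x00" * len(data)
            dst.write(data)
    note = f"read errors at sectors {unreadable}, zero-filled" if unreadable else "clean read"
    log_custody(log_path, "hash-original", device, examiner)  # original hashed behind the write blocker
    return log_custody(log_path, "acquire-image", image_path, examiner, note)


def make_working_copy(image_path, working_path, log_path, examiner):
    """Copy the master image and prove the copy is identical before anyone touches it."""
    shutil.copyfile(image_path, working_path)
    entry = log_custody(log_path, "working-copy", working_path, examiner)
    if entry["sha256"] != sha256_file(image_path):
        raise RuntimeError("working copy does not match master image")
    return entry


def verify(path, expected_sha256):
    """True only if the artifact still hashes to the value recorded at its hand-off."""
    return sha256_file(path) == expected_sha256


def _fake_drive(work, sectors):
    """Constructed evidence drive standing in for /dev/sdX behind a write blocker."""
    device = os.path.join(work, "evidence.raw")
    with open(device, "wb") as f:
        for i in range(sectors):
            f.write(f"sector {i:03d} ".encode().ljust(BLOCK, b"\xa5"))
    return device


def demo():
    """Whole procedure on a constructed drive; returns the facts worth checking."""
    work = tempfile.mkdtemp()
    device = _fake_drive(work, 64)
    image, working = os.path.join(work, "evidence.dd"), os.path.join(work, "working.dd")
    log = os.path.join(work, "custody.jsonl")
    original = sha256_file(device)
    img = acquire_image(device, image, log, "examiner-1")
    wc = make_working_copy(image, working, log, "examiner-1")
    with open(working, "r+b") as f:  # an analysis tool alters one byte of the working copy
        f.seek(10 * BLOCK)
        f.write(b"X")
    tamper_detected = not verify(working, wc["sha256"])
    # Recovery: re-verify the master image and cut a fresh working copy from it,
    # so the original drive is never touched again after acquisition.
    master_intact = verify(image, img["sha256"])
    wc2 = make_working_copy(image, working, log, "examiner-2")
    with open(log) as f:
        entries = sum(1 for _ in f)
    return {"image_matches_original": img["sha256"] == original,
            "original_untouched": sha256_file(device) == original,
            "tamper_detected": tamper_detected, "master_intact": master_intact,
            "fresh_copy_ok": verify(working, wc2["sha256"]), "log_entries": entries}


def demo_read_error():
    """Acquisition with a bad sector: the image hash differs from the original and the log says why."""
    work = tempfile.mkdtemp()
    device = _fake_drive(work, 8)
    entry = acquire_image(device, os.path.join(work, "evidence.dd"),
                          os.path.join(work, "custody.jsonl"), "examiner-1", bad_sectors={3})
    return {"hash_differs": entry["sha256"] != sha256_file(device), "note": entry["note"]}
```

The point of the hashes is the one the talk makes about challenges: the other side does not have to show that the altered byte mattered, only that an alteration was possible, so every hand-off (original, master image, each working copy) gets its own recorded hash, and anything that fails `verify` is discarded and re-derived from the master image rather than from the original drive. The zero-filled bad sector is the "deviation from the standard process" that has to be written down with its reason at the time it happens, not reconstructed later.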