Module 4 - Legal Considerations of Evidence Flashcards

Upon completion of this module students will be able to: explain how the incident response life cycle may change when a legal department gets involved; compare and contrast the different types of computer records as defined by the Federal Rules of Evidence; and evaluate common locations that are associated with persistent malware.

1
Q

Office of General Counsel Goal

A

  • Use the information gathered by IR in legal proceedings
  • Has its own requests of the IR team, driven by e-discovery rules

2
Q

Federal Rules of Evidence (FRE)

A
  • Adopted by 41 states
3
Q

Working with Legal

A
  • Distinction between an experienced incident responder (fact witness) and an expert witness
  • Identify indisputable facts and keep them separate from opinions
  • Gather and use data that can withstand legal scrutiny, i.e. that meets the FRE
4
Q

Computer Records (3 Types)

A
  • Most information captured by administrators and incident responders and turned over to attorneys falls into one of three types:
  • Non-hearsay
  • Hearsay
  • Both hearsay and non-hearsay (mixed)
5
Q

Hearsay Records

A
  • Defined under FRE 801
  • An assertion made by a human being (the declarant)
  • Many exceptions (e.g. FRE 803(6), business records)
  • Attorneys have to argue why the record should be admitted, usually under one of those exceptions

Examples:
body of Word document
body of an e-mail
Bookkeeping records made in QuickBooks or Excel

6
Q

Business Records

A
  • Cases cited: Haag v US, US v Fujii, US v Briscoe

- Courts have admitted computer records as business records under the FRE 803(6) exception; some courts have gone further and treated purely computer-generated records as not hearsay at all, since no human assertion is involved.

7
Q

Non-Hearsay Records

A
  • Created by process that does not involve a human assertion
Examples:
Firewall records
TCP/IP headers
E-Mail headers
Login records
List of processes and activities
8
Q

Mixed Records

A
  • Data recorded by a computer combined with a statement or assertion made by a human

Examples:
Word doc header and metadata with body
e-mail header along with body of e-mail
SMS records with system created time stamps

9
Q

How to introduce mixed records in legal

A

Requires:

  • Laying a foundation for the admissibility of the hearsay (human-authored) portion, e.g. under a hearsay exception
  • Authenticating the computer-generated portion (FRE 901)
10
Q

Authentication

A
  • Chain of Custody
  • Hashing files

11
Q

Computer Business Record Admissibility

A

Must be:

  • Kept in the course of regularly conducted business activity
  • Making the record was a regular practice of that business activity (as shown by the testimony of the custodian or another qualified witness, i.e. the people who collect and keep the records)
12
Q

Public Records

A
  • Content that is publicly available is not considered privileged and can fall under an exception to the hearsay rule
  • Multiple parties can view the content
13
Q

Tool standards

A
  • Tools must meet the standards the Federal Rules of Evidence apply to technical methods (the criteria below track the Daubert factors courts use for expert methods under FRE 702):
    > Reliable results
    > Reproducible results
    > Tested
    > Recognized by the community
14
Q

Authentication of Data

A
  • Chain of Custody (FRE 901(a))
  • Show the source of the data and that the source is reliable
  • Prove the data has not been altered (e.g. by hashing at collection and at each hand-off)
  • Identify the source through a witness with knowledge, which can be the incident responder (FRE 901(b) lists example authentication methods)
15
Q

Best Practices for IR in prep for legal

A
  • Do not add comments to the output files (keeping them purely computer-generated keeps them non-hearsay; put notes in a separate log)
  • Hash the files, including tool results
  • Burn all files to non-rewritable media
  • Initial the CD with a permanent marker
  • Use SOPs
  • Use DOSKey (DOSKEY /HISTORY) to show the exact commands and switches that were run
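The hashing and chain-of-custody practices on the Authentication, Authentication of Data and Best Practices cards can be turned into a small evidence-manifest tool. The script below is an added example written for this page, not course material: it hashes every collected file with SHA-256 (an assumed choice; any strong hash the SOP names works), records who collected it, when, and with which command line (the same information DOSKEY /HISTORY is used to capture), hashes the manifest itself, and later verifies that nothing was altered, removed or added. The case number, collector name and the two sample "evidence" files are constructed for the demonstration; the tampering step simulates an analyst annotating a raw output file after collection, which is exactly the practice the card warns against.

```python
"""Evidence manifest: hash collected files, record collection context, verify later.

Added example for the flashcard deck; names, case id and sample files are constructed.
"""
import hashlib
import json
import os
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # read in 1 MiB chunks so large disk images do not load into memory


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 of one file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _relative_paths(evidence_dir: Path) -> list[Path]:
    return sorted(p for p in evidence_dir.rglob("*") if p.is_file())


def build_manifest(evidence_dir: Path, collector: str, case_id: str) -> dict:
    """Hash every file under evidence_dir and record the collection context.

    The manifest holds only computer-generated facts (paths, sizes, digests,
    timestamp, command line); free-text observations belong in a separate
    chain-of-custody form so this record stays non-hearsay.
    """
    entries = [
        {
            "path": str(p.relative_to(evidence_dir)).replace(os.sep, "/"),
            "size": p.stat().st_size,
            "sha256": sha256_file(p),
        }
        for p in _relative_paths(evidence_dir)
    ]
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "tool_invocation": sys.argv,  # exact command and switches used, as DOSKEY /HISTORY would show
        "hash_algorithm": "sha256",
        "entries": entries,
    }
    # Self-hash over the canonical JSON form so later edits to the list itself are detectable.
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(evidence_dir: Path, manifest: dict) -> dict:
    """Recompute every digest and report altered, missing and added files."""
    core = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    body = json.dumps(core, sort_keys=True).encode()
    report = {
        "manifest_intact": hashlib.sha256(body).hexdigest() == manifest["manifest_sha256"],
        "altered": [],
        "missing": [],
        "added": [],
    }
    expected = {e["path"]: e["sha256"] for e in manifest["entries"]}
    present = {str(p.relative_to(evidence_dir)).replace(os.sep, "/") for p in _relative_paths(evidence_dir)}
    for rel, digest in expected.items():
        p = evidence_dir / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != digest:
            report["altered"].append(rel)
    report["added"] = sorted(present - expected.keys())
    report["ok"] = report["manifest_intact"] and not (report["altered"] or report["missing"] or report["added"])
    return report


def demo() -> tuple[dict, dict, dict]:
    """Constructed scenario: collect two files, verify clean, tamper, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp) / "case-0001"
        ev.mkdir()
        # Constructed sample evidence (not real log data).
        (ev / "firewall.log").write_text("2024-03-01T10:00:00Z DROP 10.0.0.5 -> 203.0.113.9:445\n")
        (ev / "processes.txt").write_text("PID 4120 evil.exe C:\\Users\\Public\\evil.exe\n")
        manifest = build_manifest(ev, collector="j.doe", case_id="0001")
        clean = verify_manifest(ev, manifest)
        # Post-collection annotation of a raw output file: this turns a non-hearsay
        # record into a mixed one and, more importantly, breaks its hash.
        with (ev / "processes.txt").open("a") as f:
            f.write("# looks malicious to me\n")
        tampered = verify_manifest(ev, manifest)
    return manifest, clean, tampered


if __name__ == "__main__":
    m, before, after = demo()
    print(json.dumps({"manifest": m, "before": before, "after": after}, indent=2))
```

Write the manifest to a location outside the evidence directory (or to the write-once medium alongside the files) so that verification does not report the manifest itself as an "added" file, and record the manifest's own SHA-256 on the signed chain-of-custody form.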
16
Q

Saving Records (method for)

A
  • Recover the entire container if possible
  • If e-mails are saved, recover the entire e-mail container (mailbox), not just the individual message
  • Save an entire website and preserve it in a PDF or other locked format
  • Date the material
17
Q

FRE 803(6)

A

Exception to the hearsay rule for business records

(6) Records of a Regularly Conducted Activity. A record of an act, event, condition, opinion, or diagnosis if:

(A) the record was made at or near the time by — or from information transmitted by — someone with knowledge;

(B) the record was kept in the course of a regularly conducted activity of a business, organization, occupation, or calling, whether or not for profit;

(C) making the record was a regular practice of that activity;

(D) all these conditions are shown by the testimony of the custodian or another qualified witness, or by a certification that complies with Rule 902(11) or (12) or with a statute permitting certification; and

(E) neither the source of information nor the method or circumstances of preparation indicate a lack of trustworthiness.

18
Q

FRE 902(11)

A

Example: firewall records kept as part of normal business operations can be certified under this rule rather than requiring live custodian testimony

RULE 902. EVIDENCE THAT IS SELF-AUTHENTICATING

The following items of evidence are self-authenticating; they require no extrinsic evidence of authenticity in order to be admitted:

(11) Certified Domestic Records of a Regularly Conducted Activity. The original or a copy of a domestic record that meets the requirements of Rule 803(6)(A)-(C), as shown by a certification of the custodian or another qualified person that complies with a federal statute or a rule prescribed by the Supreme Court. Before the trial or hearing, the proponent must give an adverse party reasonable written notice of the intent to offer the record — and must make the record and certification available for inspection — so that the party has a fair opportunity to challenge them.

19
Q

FRE 901(a)

A

Basis for chain of custody: the proponent must show the evidence is what it is claimed to be

RULE 901. AUTHENTICATING OR IDENTIFYING EVIDENCE

(a) In General. To satisfy the requirement of authenticating or identifying an item of evidence, the proponent must produce evidence sufficient to support a finding that the item is what the proponent claims it is.