Declassified in Part - Sanitized Copy Approved for Release 2014 01 15 CIA-RDP89G00643R000300030005-6

11 SEP 1987

Office of Security

TO: Deputy Director for Administration
SUBJECT: FBI Briefing on Computer Crime

Bill,

As you can see from the attached, I have arranged for FBI Agent Lane to brief us on computer crime. I have invited [...] Staff and [...]. You are, of course, also welcomed.

Atts

11 SEP 1987

MEMORANDUM FOR: Director of Information Technology, DA
                Chief, Information Management Staff, DO
                Chief, Counterintelligence Staff, DO
FROM: Director of Security
SUBJECT: FBI Briefing on Computer Crime

1. I have made arrangements for Mr. George Lane, who is an FBI agent, to brief us on gathering evidence in computer crime. Bill Donnelly heard Mr. Lane's briefing at a recent National Telecommunications Information Systems Security Committee (NTISSC) meeting and suggested the message was one that should be shared. Mr. Lane will be speaking to us on 22 September at 1000 hours in [...]. You and two or three members of your staff are invited to join me.

2. Attached are two documents relevant to this topic.

Attachments

cc: DDA

OS 7 8036

ADMINISTRATIVE - INTERNAL USE ONLY

ASPECTS OF CRIME

BY Stephen C. Gross

Crime in Commerce [illegible] Information
Systems
ForS 231
December 18, 1986

TABLE OF CONTENTS

A. Search and Seizure
B. Obtaining Computer Evidence
C. Computer Records and Reports as Evidence
D. Storing and Caring for Evidence
E. Privacy and Secrecy of Evidence
PROSECUTION AND COMPUTER EVIDENCE
A. Foundational Problems
B. Evidentiary Problems with Computer Records
C. Practical Recommendations
FOOTNOTES

Computers and information systems have permeated today's society to such an extent that there is virtually no sector which does not rely heavily on their use.3 As might be expected, computer crime has also expanded, with resulting annual losses incurred by an enormous [illegible]. In fact, respondents to an American Bar Association survey of private organizations and public agencies disclosed estimated total annual losses between $145 million and $730 million, highlighting the need for more and better computer crime investigative efforts.3

As is true in any investigation or preparation for court trial, the use of evidence is a significant element. In fact, the most likely of the principal defense strategies that will arise in a computer-related crime case will be an attack on the admissibility of computer generated physical evidence. This paper will discuss computer evidence issues based on general law principles and sound investigative procedures, including preventive measures to be considered during all investigative and prosecutive stages.3

Initially, the discussion will focus on computer evidence considerations from an investigative perspective. Search and seizure issues will be discussed, as well as procedures used in obtaining
computer evidence, computer records and reports as evidence, proper handling and storage of computer evidence, and computer evidence privacy and secrecy considerations. Next, we will address foundational problems encountered in computer crime cases, problems associated with admitting computer records into evidence, and finally some practical recommendations for the successful prosecution of computer crime cases.

It is not surprising to see attention focusing on computer crime, considering the power and leverage of computers, the dependence upon them, and their increasing role in society.3 Succeeding in combatting the growing threat imposed by computer-related crime will depend upon the knowledge and [illegible] computer crime evidence will be crucial to this fight.

II. COMPUTER EVIDENCE CONSIDERATIONS

A. SEARCH AND SEIZURE

As computer technology becomes more accessible, so does the likelihood of computer crime; the computer is quickly becoming abuser friendly.5 Investigators seeking and executing search warrants authorizing the seizure of computers and related computerized information are generally on untested ground, since complete judicial guidance is still limited in this area. They must comply with an 18th century prohibition against unreasonable searches and seizures while contending with 20th century electronic technology, an often formidable task. They may sometimes find themselves searching for intangible rather than the ordinary and more familiar types of evidence, such as stolen guns and stock certificates.2

Very little has been done to overcome obvious problems in discovery, search warrants, and subpoenas. Thus, a Pandora's box of legal issues becomes available to the defense regarding computer evidence, requiring alert prosecutors to be ever mindful of this potential. Fortunately,
those routine issues concerning search and seizure, such as consent, informers, entry, and searches incident to arrest, generally will arise and apply much as they would in noncomputer-related cases.2 But what are the necessary steps to take in conducting a successful search and in gathering computer evidence in the non-routine situations?

In general, search warrants should be obtained and used in computer-related crime cases.10 Regardless of technological advances, search and seizure by law enforcement officers continues to be governed by the fourth amendment to the U.S. Constitution, protecting the right of the people to be secure against unreasonable Government intrusion. This protection extends to computers and to computer processed information, and requires that proper search warrants be obtained prior to legitimate searches [illegible] strictness where businesses or residences, the places where computers are most likely to be located, must be entered to perform the search. There must be a showing of probable cause, and the warrant must particularly describe the place to be searched and the persons or things to be seized. Unique problems can sometimes arise concerning probable cause and particularity where computers are the search target and will comprise the evidence to be seized.11

It is necessary to exercise great care in preparing a search warrant in a computer crime case, due in large part to this being a technical area often new and unfamiliar to judges and [illegible]. The investigator should have a detailed affidavit which covers all the technical bases yet is understandable to someone who knows very little or nothing at all about computers. The difficulties involved in such a task become apparent when one considers the enormity and complexity of the scene of the crime in some of the larger business computer centers.
For instance, in the litigation involving Equity Funding Corporation of America, [illegible] of fictitious insurance policies had been created and existed somewhere within a computer memory. At the same time, that particular computer was processing hundreds of thousands of valid insurance policies.

It becomes apparent that one of the first obstacles to be overcome is explaining in an affidavit that certain records being sought may be contained in sophisticated technological equipment. Fortunately, this obstacle is normally easily overcome, since the investigator seeking the search warrant can simply state that the information sought may be in electronic or written form, thereby circumventing a non-meaningful description of the computerized information in its encoded form. It is more critical that the information itself be described with particularity rather than in the form in which it may be found. Also, the storage media which contains the information should be described as concisely as the facts known will allow.

Another hurdle to overcome in establishing probable cause to search is to articulate the necessary facts to show that a crime has actually been committed. In doing so, it is helpful to examine the role played by the computer in the criminal activity and then detail to the magistrate that such a crime has been committed. The mechanics of the crime should be clear and easily understood. In instances where the crime is unusual or unfamiliar, the investigator should consider using the services of a computer expert.

At this point, the investigator must set forth enough facts to convince a magistrate of the probability that evidence of the crime exists at the place to be searched. The legal requirement for recent information is satisfied where the investigator can set forth
reliable information that the objects sought were recently observed at the proposed search site.

Although search warrants are preferable in computer-related crime cases, special mention and consideration should also be given to situations providing application of exigent circumstance exceptions to preserve evidence, because of the high degree of ease with which both the instruments and fruits of the crime can rapidly destroy or alter the computer evidence. Because any power interruption will result in the loss of information stored in the computer's internal memory, valuable evidentiary data can be destroyed in the instant it takes to flip a power interruption switch. Also, a magnetic device known as a degausser can instantly erase millions of data characters from a computer tape or disc. Therefore, a no-knock entry is reasonable where the investigator reasonably believes that making a pre-entry announcement will result in destruction of the evidence.12

The plain view doctrine is another possibility; however, this should be used cautiously, since there is a strong likelihood that defense attorneys will attempt to show the lack of sophistication of most investigators in computer technology. Also, avoid reliance on expert informants to point out at the scene what items should be seized. They will generally be insiders and will likely be legally [illegible]

Overall, investigators should be open to using imagination and ingenuity as well as their training [illegible] search and seizure situations.

B. OBTAINING COMPUTER EVIDENCE

Evidence in a computer is much more dense than in any other information system, in that a single computer tape can contain as much information as a shelf full of books. As an example, in the Equity Funding case alone, approximately 3,000 reels of computer tapes
were potential evidence. Ensuring that the best evidence for prosecution available at the crime scene is obtained can be both challenging and rewarding for the careful investigator.

When a search is directed towards obtaining documents, they can normally be visually identified, and expert knowledge of computer technology is unnecessary. Documentation practices vary from phenomenally obsessive and complete to non-existent. Ideally, they will thoroughly describe every aspect of the computer system and list each type of output that it produces.21 Documents such as systems manuals, computer run books, interpreted punch cards, program documentation, logs, data and program input forms, and computer printed forms are usually labeled as to their contents and should be relatively easy to recognize. The completeness and originality of these documents can be determined by careful and complete questioning of those who are most familiar with them.

Recognizing and requesting program documentation is somewhat more difficult and may require knowledge of computer program concepts to understand the types and extent of documentation required, such as source and object listings, flow charts, test data, and storage dumps. It must also be realized that program documentation is frequently obsolete relative to currently used versions and thus may necessitate new computer printouts. If the investigator is unsure about what may be obtained or identified, an expert should accompany him on the search.

Taking possession of other computer media materials may be more technically complex. Magnetic tapes and disks will normally have external labels; however, logs and program documentation will normally be necessary to obtain full titles and descriptions of their contents. A trusted technologist may be
necessary to check a tape or disk's contents by using a compatible computer and computer program.25

Also, where appropriate, consideration should be given to shutting down the operation of the business being searched for a reasonable time to protect the evidence covered by the warrant and to properly sort through the computer documentation.25 This sorting process, performed at the scene, can serve to prevent the seizure, and thus the denial of access and use by the owner, of innocent records. The mere fact that the sorting process is time consuming will not necessarily render a wholesale seizure of records reasonable.26

C. COMPUTER RECORDS AND REPORTS AS EVIDENCE

Computer records may be divided into two types: (1) computer-stored, where the printout produced from computer storage is a restatement of information or data previously supplied to the computer; and (2) computer-generated, where the computer makes a computation, performs a logical operation, or analyzes the input and other stored data. In judicial proceedings, a distinction appears to be drawn between the two types. It is more difficult to get computer reports containing computer-generated records into evidence. This is probably because computer-stored records are more easily equated with ordinary business records, while computer-generated data involves the complexity of examining the creation of the generated information and the deceptively neat package in which it is displayed.

There is no clear cut answer as to which kind of computer output can or cannot be admissible as evidence, whether from a printer, cathode ray tube, audio response, microfilm, or speech mail. In the case of Cotton v. John W. Eshelman & Sons, Inc., the court held that computer generated output was admissible since our statute was intended to bring the
realities of business and professional practice into the courtroom and should not be interpreted so as to destroy its obvious usefulness.

Generally, the court will apply the following rules (Business Records Exception to the Hearsay Rule) to evaluate the admissibility of computer output as evidence: (1) that the records were made in the usual course of business and not merely for the purpose of litigation; (2) it was normal business procedure for an employee with knowledge of the act to make the record; and (3) the record was made at or near the time of the act.

Another possible basis for admission of computer digital image printouts into evidence is the Best Evidence Rule. This rule requires that original writing or recording is necessary to prove its own contents; however, if the original is unavailable, then other relevant evidence of its contents is admissible unless the original was lost or destroyed in bad faith.

During the procedure of obtaining and using computer reports as evidence, errors and omissions or malicious intentional acts are possible at each stage of the report-producing process or through nonreal-time program or data modification. It is often not practical to detect or prevent these sufficiently sophisticated intentional acts to alter the reports. Thus, it becomes necessary to take varying degrees of precautions and to invoke the trust of the data processing personnel. Additional confidence in the integrity of the report can be gained by taking the storage medium (tape or disk) to a separate computer center to have its contents printed. Further independence can be ensured by verifying that personnel in the new center have no special interest in the work they would be required to do. Throughout the process, independent, trustworthy observers with the skills and knowledge to determine correct operations should observe and supervise all the production steps.39

D. STORING AND CARING FOR EVIDENCE

A basic requirement for the admission of evidence is proof that the physical condition of the object is substantially unchanged from its state at the time of seizure. On the surface, this would not appear to pose any additional problem for computer related evidence than would normally be expected in the handling and storage of regular investigative evidence. However, some types of computer evidence require special care, and their storage environments must be controlled, with steps taken to minimize the chance of physical damage from manual handling. Even though most criminal justice agencies normally have acceptable storage facilities for regular types of evidence, these environments may not be suited to computer-related evidence, plus experience in correctly handling computer products may be lacking in their personnel.

Separate types of computer evidence have special needs in their handling and storage. For instance, magnetic tapes and disks should be stored, handled, and transported in hard cover containers. Care should be taken to avoid dropping or squeezing, and no parts of the recording surfaces should be either touched, bent, or creased. The tape reels should be stored vertically in tape storage racks [illegible] degrees Fahrenheit. Storage life for data retention and recovery is three years.

Storage requirements for punch cards and paper tape are similar to that of magnetic tape, except the storage life is indefinite. Special care should be taken to avoid folding, spinning, or nicking edges, and tape that might remove paper surfaces should not be used. Computer listings should be stored between binder covers and should not be subjected to strong light. They should be broken into separate pages unless having them in a continuous sheet is important to the case. When storing electronic and mechanical components, it is always wise to consult the manufacturer or owner for special instructions.13

Some additional points on the proper handling of computer evidence are also worth mentioning. It is often crucial to a case to specifically identify the location where the physical evidence was acquired. Floor plans, line drawings of the system, and photographs may help in the preparation of the case for court. Lists of the computer evidence and what form it is in (tapes, printouts, cassettes, etc.) are good ideas. Also, the investigator should inscribe computer tapes, disk drives, and print-outs with his personal ID markings. It is appropriate to mark the tape by writing on the dull side, since the first fifteen to twenty feet of tape is leader tape and has nothing on it. Identification markings can also be etched on the bottom metal part of a disk pack. Care must be taken in handling these items due to their sensitivity to dust and physical damage.35

Finally, to establish that the evidence is substantially unchanged, a complete chain of custody must be readily available. From the initial stages of the search until its completion, careful indexing must be maintained of all the evidence that is seized.35

E. PRIVACY AND SECRECY OF EVIDENCE

Issues of personal privacy, trade secrets, or government secrets may sometimes arise, since evidence seized in the form of computer media may have data stored that is immaterial to the investigation but that may be confidential to the rightful owner. An obvious consideration would be to ensure that all retrieving and copying on another computer medium contains only that data pertaining to the investigation. In those [illegible] where this is not possible, the investigator should make assurances that any extraneous data will not [illegible]

In those situations where consent to release the information is denied by the owner, sufficient safeguards are available in most jurisdictions to minimize the problem. If necessary, a hearing can be held outside the presence of the jury, or even in camera, to allow the court to either overrule the objection or excise the specific objectionable portions.

III. PROSECUTION AND COMPUTER EVIDENCE

As computer technologies and the means for abusing them have rapidly emerged, they have confronted a criminal justice system which is largely uninformed concerning the technical aspects of computerization. Additionally, this system is bound by traditional legal machinery that is often ineffective against unconventional criminal operations. Difficulties in coping with computer abuse arise because a great deal of the property involved does not neatly fit into the categories of [illegible] normally considered as subject to abuse or theft.32

It becomes obvious that prosecutors face new and demanding challenges in dealing with their fight against computer crime. Their use of computer evidence is clearly a significant element in the preparation of those difficult cases for prosecution and will be addressed as such in this section of the paper. Certain considerations have been mentioned previously but merit reconsideration from the prosecutor's viewpoint.

A. FOUNDATIONAL PROBLEMS

Before proffered physical evidence can be admitted into trial evidence, certain foundational facts must be proved by the party seeking admission. When these facts are contrasted with the facts sought to be proved by the evidence, a principal defense avenue of attack is opened to which the prosecutor is particularly vulnerable [illegible] of authentication, which means, in general terms, being able to introduce evidence sufficient enough to sustain a finding that the written statement or document is in fact the writing the prosecutor claims it to be. Thus, it becomes necessary to have testimony from someone who can verify that the purported maker of the document (the computer system that generated the item) is the actual maker.

Sufficient evidence should be introduced to convince the judge that the proffered item is authentic; however, it is critical at this stage to not claim more than simply the output process, for instance, that the item was generated by such-and-such computer at such-and-such place and time [illegible] more. The prosecutor significantly compounds the authentication problem if an attempt is made to claim that the item reflects a particular configuration or some internal process within the computer. To do so would allow defense to raise valid objections based on the authentication of the specific computer configurations and processes previously mentioned by prosecution.

As stated earlier in the report, for computer media to be admitted as evidence they must also qualify as business records, which are excepted from the application of the Hearsay Rule.32 In a 197[illegible] New Jersey case, Monarch Federal Savings and Loan Association v. Genser, the court delineated the requirements necessary in laying the foundation for business records. In Genser, the court held that personal knowledge testimony regarding the information received into the computer is not required, nor is the preparer required to testify. However, testimony is required of a qualified witness who can testify that the computer records were made in the ordinary course of business, were made contemporaneously, what the sources of the information were, and what was the method of preparation.39 Although the Genser decision represented a careful and extensive treatment of the problem of admission of [illegible] decision of the court in one jurisdiction. Foundational requirements will vary from state to state.11

B. EVIDENTIARY PROBLEMS WITH COMPUTER RECORDS

Computer-generated printed evidence produced to show proof in the courtroom must satisfy the Business Record Exception requirements before being admissible as a hearsay exception. Again, the prosecutor is faced with the burden of [illegible] reliability [illegible] best strategy will hinge upon leading a presumably non-technical court to focus upon the legal issues rather than getting lost in technical matters.

Although some look upon the computer as no more than a big adding machine, it is impossible to look at the phenomenon of computer crime without considering the varied effects of computers on our legal consciousness. It is important that the prosecutor be prepared to assist the court with prior and understandable case law dealing with the issue at hand. The best response to defense objections on Business Record Exception issues is to focus on the law, particularly the underlying purposes for the law.

The majority of issues within the past few years regarding computer records and the law of evidence have fallen into three basic categories: (1) admissibility of computer printouts; (2) computer printouts as the basis of expert testimony; and (3) discovery matters with regard to computer systems.

Of the above categories, admissibility receives the most attention from the courts. The admissibility of computer printouts as evidence depends primarily on whether the data from which the report was generated were entered into the system during the normal course of business. If so, the data record and reports produced subsequently in the regular course of business, or even for trial purposes, may be admissible.

Many of the recent court decisions regarding admissibility of computer
printouts have addressed foundational requirements, and most allowed the admission into evidence of a computer printout. Typically, in United States v. Farris, the defendant, convicted of failure to file income tax returns, claimed the court had erred by admitting into evidence the output of a computerized data system. The 7th Circuit Court upheld the admission of the records under 28 U.S.C. 1733(b), which allows admission of authorized copies of documents of United States departments as if they were originals.

A 1976 decision bears on issues raised by computer records being used as the basis for expert testimony. In Perma Research and Development v. Singer Co., a breach of contracts civil suit, the defendant objected to the use of the results of computer simulations as a basis for the plaintiff's expert testimony. Although the court admitted that it would have been better for the plaintiff's counsel to have delivered to defense, prior to trial, the details of the underlying data and theorems so as to avoid discussion of their technical nature during trial, it did not charge the trial judge, however, with abuse of discretion for allowing the expert's testimony regarding the results of the computer simulation.

In United States v. Liebert, a discovery issue was raised as to whether pretrial discovery may be used by defense to secure extrinsic evidence to impeach the reliability of a computer printout. Again, the defendant in this case was charged for failure to file tax returns. The IRS computers had no record of the defendant's filing, and the defendant requested that his computer expert have access to the IRS Service Center to test the reliability of the IRS data process system; the request was granted. The defendant then requested, for discovery purposes, records of any notices sent to
persons stating that the IRS had failed to receive their returns. When the court granted the defendant's request as to a portion of the list of non-filers, the government refused to comply with the court order and the defendant's case was dismissed. On appeal, the dismissal was reversed and the appellate [illegible] the list requested by the defendant would be [illegible] because of the infringement of the right of privacy of those persons on the list. The IRS's willingness to make available all documents regarding their procedures, operations, and electronic data processing system to discover nonfilers, and their willingness to allow their expert witness to be deposed, was held sufficient to provide the defendant with an opportunity to question the accuracy of the system.

C. PRACTICAL RECOMMENDATIONS

Computer crimes are difficult cases to develop and solve, and sometimes require many more resources than most organizations have at their disposal. Often, legal problems are unavoidable. However, adherence to good investigative methodology and thorough planning for trial will help the case work flow smoothly.32 The practical recommendations that follow, while certainly no panacea, are proven good advice and will enhance the prosecutor's chances of success.

Expert witnesses are often the keys to the admission of evidence in computer criminal trials. Since computer technologists have little or no experience as expert witnesses, they must be carefully coached prior to their testimony. It is crucial to keep the computer expert in control and force him to answer questions in court in as few words as possible; the means of achieving this is to ensure the questions themselves are well formulated so as to elicit brief responses. Remember that good witnesses are those who know what they are
talking about and can show that the method of generating the evidence is valid.

Prosecutors should remember that the most likely image that the judge and jury have of computer technology is what they last read on the front page [illegible] of events. It is therefore important to make the case as basic, simple, and free from computer technology and terminology as possible, explaining only those circumstances necessary to present the case. If possible, rely on paper records if they exist, rather than introducing computer-generated records. Do not personify or anthropomorphize computers in presentations; rather, treat them strictly as inanimate objects, machines subject to use and manipulation by people. The bottom line: Keep It Simple.32

Prosecutors should also attempt to determine the trial judge's degree of knowledge and attitude towards computer technology and gear their presentation accordingly. For example, Judge Van Graafeiland of the United States Second Circuit Court of Appeals has said, "As one of the many who have received computerized bills and dunning letters for accounts long since paid, I am not prepared to accept the product of a computer as the equivalent of Holy Writ." It is therefore important to present and make common knowledge a convincing argument depicting computerized record keeping as rapidly becoming a normal procedure in the business world.

IV. CONCLUSION

In this paper we have examined several different aspects of evidence in computer crime cases and the criticality of evidentiary issues to the successful prosecution of computer criminals. Computer crime continues to grow by leaps and bounds, making it imperative that investigators and prosecutors become ever more reliant upon improving their training and skills in this area. In 1980, experts at the Federal Bureau of
Investigation estimated that only one of 22,000 computer criminals goes to jail. Further, they estimated that only 1% of all computer crimes is detected, only of that is reported, and only 35 of those cases ever result in jail sentences, clearly leaving

In addressing the different investigative evidentiary considerations, as well as the role of computer evidence in criminal prosecution, we have seen the value of being properly prepared for the investigation, from the initial search to the final court trial, and for careful adherence to established legal principles. We have also observed the apparent need for better training for both investigators and prosecutors in the area of computer crime evidence, as well as the need to better utilize the services and advice of those who are most knowledgeable of computer technology and operations.

In response to a survey by the American Bar Association Task Force on Computer Crime, an executive for a consumer reporting agency appropriately stated, "The most difficult task at present is to educate government so as to make them aware of the computer problem. Law enforcement agencies are not familiar enough with computers and the losses that can occur to properly conduct an investigation and prosecute the perpetrators."

A step in the right direction is the FBI Academy's development of a computer crime course to assist investigators and prosecutors in gaining a better understanding of the technical and legal aspects of computer crime.53 Combining the expectation of hard work, friendly patience, access to the FBI computer, and a variety of motivational techniques, the Academy staff has proceeded with efficiency to create a core of law enforcement personnel with an expanded knowledge of computer crime. With this knowledge comes the ability to communicate more directly and
meaningfully with the computer experts necessary at the various stages of the investigation and subsequent trial.55

Throughout the investigative process the investigator should be willing to actively seek out the persons who are most knowledgeable of the particular computer regimen in question to assist in identifying and explaining what ... organization has a security specialist, he can be of great assistance in conducting the investigation. He will likely be very knowledgeable of the computer system, and his records could provide significant amounts of evidence that might be used in criminal trial, particularly since they may be exceptions to hearsay evidence rules due to their being produced in the normal course of business.

Sen. Paul Trible (R-Va.), the leading sponsor of the Computer Fraud and Abuse Act, stated, "It is time to dispel the notion that computer crime is a game or a challenge to be overcome. The fact is the computer criminal is a law breaker just like any other and deserves to be treated as such."16 Understanding and adhering to the proper evidentiary principles in computer crime investigations will undoubtedly assist in that effort.

1 House of Representatives Report 99-753, 99th Congress, 2d Session, Computer Security Act of 1986, August C lSPc, p. 1
g4 House of Representatives Report, 98th Congress, 2d Session, Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, July 24, 1984, p. 9
3 National Criminal Justice Information and Statistics Service, Law Enforcement Assistance Administration, U.S. Department of Justice, Computer Crime-Criminal
Justice Resource Manual, Washington, D.C.: Government Offices, 1979, P -100
5 Donn Parker, Fighting Computer Crime, New York: Charles Scribner's Sons, 1983, p. x
j J. J. Bloombecker, New Federal Law Bolsters Computer Security Efforts, Computerworld, October 27, 1 8, pp. Eh-Cf
6 John Sauls, Raiding the Computer Room, Fourth Amendment Considerations, Conclusion, FBI Law Enforcement Bulletin, June 1986, pp. 2Me30
John Sauls, Raiding the Computer Room, Fourth Amendment Considerations, Part I, FBI Law Enforcement Bulletin, May 1986, pp. 25 33
-- Task Force On Computer Crime, Section of Criminal Justice, American Bar Association, Report on Computer Crime, Washington, D.C.: Government Printing Office, 198k, pp. II-8
2 National Criminal Justice Information and Statistics, p. 100
10 National Criminal Justice Information and Statistics, p. 100
11 Sauls, Part I, p. 26
12 J. J. Becker, The Investigation of Computer Crime, An Operational Guide to White Collar Crime Enforcement, Washington, D.C.: Government Printing Office, April 1980, j 1 2a
13 Becker, Programmed For Crime, Los Angeles Lawyer, November 1979, PP- 1 -31-
i3 Sauls, Conclusion, pp. 2h-25; Part I, pp. 26 29
16 National Criminal Justice Information and Statistics 5 an1 nn
Sauls, Conclusion, p. 27
National Criminal Justice Information and Statistics, p. 100
13 Becker, The Investigation of Computer, p. 19
gg National Criminal Justice Information and Statistics
gi Becker, The Investigation of Computer, p. 1h
gg National Criminal Justice Information and Statistics, 101
National Criminal Justice Information and Statistics, p. 10
23 National Criminal Justice Information and Statistics, p. 102
gj Becker, The Investigation of Computer, p. 25
Sauls, Conclusion, p. 29
James Vergari, Evidential Value and Acceptability of Computer Digital-Image Printouts, Rutgers Computers and Technology Law Journal, V010 199k
33 Chi H L Lam, Cnn Computer Output iv Evidence 11 T IW Au $1 Jul n-1 or the Auditor's Foundation Full 19oz p ku
gg Vergari, p. 3h7
39 National Criminal Justice Information and Statistics, p. 110
31 Becker, The Investigation of Computer, p. 27
3g National Criminal Justice Information and Statistics, r 111
31 Bruce Goldstein, A Pocket Guide to Computer Crime Investigation, Madison, Wisconsin: Assets Protection, 1981, pp. 17 18
33 Goldstein, p. 15
35 Becker, The Investigation of Computer, p. 112
National Criminal Justice Information and Statistics, p. 112
32 House of Representatives Report 9 National Criminal Justice Information and Statistics, p. 113
32 Becker, The Investigation of Computer, p. 30
59 National Criminal Justice Information and Statistics, p. 121
51 Becker, The Investigation of Computer, p. 30
Becker, Programmed For Crime, p. 66
National Criminal Justice Information and p 116
National Criminal Justice Information and Statistics, p. 12h
Goldstein, p. 5
Lam, p. 57
National Criminal Justice Information and Statistics, p. 12h
National Criminal Justice Information and Statistics, p. 125
Becker, The Investigation of Computer, p. 6
Tani-L Force on Ui imu 11
Glenn McLaughlin, Computer Crime and Security, Updated Issue Brief, Congressional Research Service, Library of Congress, September 15, 1986, p. 9
J. J. Becker, Computer Crime Go To Boot Camp At FBI Academy, Security World, September 19, pp. 30-31
National Criminal Justice Service Information and Statistics Service, P 56
Kevin Power, Congress Approves Law to Combat Computer Crime, October 2Q 1986, p. 5

National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C. 20037, Phone 202 994‐7000, Fax 202
994‐7005, nsarchiv@gwu.edu