Legal Issues in Computer Forensics

Forensics is defined as “the use of science and technology to investigate and establish facts in criminal or civil courts of law.” As a subcategory of this, computer forensics attempts to assist litigants in establishing (or refuting) facts by examining digital evidence. This can range from activity that took place on a computer or cell phone, to information that was passed along by someone, or interaction with prohibited or protected material on that computer.

The legal issues relevant to computer forensics are vast, and range from the qualification of experts, the reliability and accuracy of the forensic evidence that is being proffered, to the scope and result of an expert’s testimony. We may deal with these in the future, but this page will focus on one of the most prominent legal issues in computer forensics: proof of possession of prohibited material.

Very often, a case has at its root an allegation that an individual or corporation had a certain piece of digital material on their computer. This may be photographs, videos, text documents, spreadsheets or another type of computer file.

Applying a common sense analysis to these situations can be problematic. Typically, when we find something located in someone’s personal space (e.g. their kitchen, their car, or their briefcase) we presume the person possessed the item. In reality, there is a wide range of uncertainty as to whether the person possessed the item. When things are found outside of a person’s direct possession (e.g. their pocket or hand) the law regarding possession is rooted in two concepts:

1.) Knowledge; and
2.) Control

No one can possess something they don’t know about (the baseball thrown in their yard by a neighbour and covered with bushes) or that they do not control (the marijuana plant someone can see in their neighbour’s yard, yet over which they have no power).

Courts have affirmed the application of these principles to possession of material on computers. In R. v. C the court stated (at paras. 17-19):

Section 4(3) of the Criminal Code contains a definition of possession. Section 4(3)(a)(ii) contains the relevant part of that definition for present purposes:

a person has anything in possession when he … knowingly
(ii)  has it in any place … for the use or benefit of himself or another person;

Possession requires knowledge of the criminal character of the item in issue. In this case, the Crown had to prove that the appellant had knowledge of the contents of the videos in issue.

Knowledge alone will not establish possession. The Crown must also prove that an accused with the requisite knowledge had a measure of control over the item in issue. Control refers to power or authority over the item whether exercised or not: R. v. Mohamad at paras. 60-61 (Ont. C.A.).

These central concepts are easily understood in simple “real world” examples about baseballs, cars and cocaine. However, it is the bridge between a computer forensic examination and a conclusion about these concepts that is often vexing or (worse) misunderstood by litigants and courts alike.

A properly conducted examination of a hard drive is, at its root, a very black and white process of examining 1’s and 0’s. It is the multiple layers of interpretation of these 1’s and 0’s that must be subjected to careful legal scrutiny if a proper result is to be obtained.

The complicated nature of these interpretations, and the human frailties associated with such interpretations, are the grey area within which these cases can be won or lost.

For example, images of a prohibited nature may be found to exist on a computer seized at a defendant’s home (we’ll call her Jane). Some litigants and courts may start from the proposition that material found on a computer was placed there by Jane. The danger is that such a conclusion ignores alternative explanations that may be just as, or more, likely, such as that another person with access to the computer placed the material there.

This possibility is well known to those who litigate in this area. A computer regularly used by 12 different people is ripe for this explanation. However, computer forensic examinations will attempt to rule out another physical person through the following means:

  • Utilizing dates and times of access to the material to exclude other potential people, for instance when they couldn’t possibly have been physically in the home;
  • Determining if the material was accessed while the computer was logged into Jane’s user account, which may well have been password protected; or
  • Showing that the material was accessed at the same time as material specific to Jane, such as her work email or a project she was completing.

These sorts of “exclusions” are merely propositions that may be very, or only partially, supported by the rest of the computer examination.
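
The first two exclusions above amount to a timeline check, sketched here as an added illustration that is not part of the original article or of any case file. The accounts, people, file names and times are constructed, and a real examination would also have to establish that the computer's clock and the recorded timestamps are reliable.

```python
from datetime import datetime, timezone

def ts(s):
    """Parse an ISO timestamp and pin it to UTC (constructed data is all UTC)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample data, not taken from any case.
SESSIONS = [  # (account, logon, logoff) from a hypothetical logon log
    ("jane", ts("2010-03-01T18:00"), ts("2010-03-01T22:30")),
    ("guest", ts("2010-03-02T09:00"), ts("2010-03-02T11:00")),
]
ABSENCES = [  # (person, away_from, away_until), e.g. from workplace records
    ("Jane", ts("2010-03-02T08:00"), ts("2010-03-02T17:00")),
    ("Roommate", ts("2010-03-01T17:00"), ts("2010-03-01T23:59")),
]
HOUSEHOLD = {"Jane", "Roommate"}
EVENTS = [  # (file, last-access time) from a hypothetical file-system timeline
    ("img_001.jpg", ts("2010-03-01T19:15")),
    ("img_002.jpg", ts("2010-03-02T10:05")),
    ("img_003.jpg", ts("2010-03-03T02:00")),
]

def accounts_logged_in(when, sessions=SESSIONS):
    """Accounts with a session covering `when` (empty: no recorded session)."""
    return sorted(a for a, start, end in sessions if start <= when <= end)

def not_excluded(when, absences=ABSENCES, household=HOUSEHOLD):
    """People NOT shown to be away at `when`; they remain possible users."""
    away = {p for p, start, end in absences if start <= when <= end}
    return sorted(household - away)

def timeline(events=EVENTS):
    """For each access, the active account(s) and who cannot be excluded."""
    return [(name, accounts_logged_in(t), not_excluded(t)) for name, t in events]

if __name__ == "__main__":
    for name, accounts, people in timeline():
        print(f"{name}: accounts={accounts or ['none recorded']} "
              f"not excluded={people}")
```

In this constructed data the second file was accessed under the guest account while Jane is shown to be away, and the third falls outside any recorded session, so neither supports the proposition that Jane accessed it. An account name identifies a login, not the physical person at the keyboard.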

The reality is that much of the content accessed by computer users is not by request, but served out by internet web pages. In the 2010 case of R. v. G. the court considered whether this sort of unintentional and accidental downloading can explain the presence of prohibited material on a user’s computer. At trial, the judge had found (at para. 22):

[the] evidence that internet browsing can result in the inadvertent copying of images onto a hard drive is important. Anyone who has used the internet, perhaps to read the online version of a newspaper, will understand that the “page” that opens when one enters a website may be considerably larger than what is immediately visible to the user. That is, a web page may contain substantially more information, in the form of images and text, than what can be seen on the computer screen. To see everything, the user may have to scroll a considerable distance to the bottom of the page.

The court in R. v. G. found the accused not guilty on all charges. This result, however, was built on the evidentiary foundation laid by cross examining the forensics expert. In R. v. C. the accused was convicted, and the court rejected the defence that had been successful in R. v. G., even mentioning the case:

I was referred to the case of R. v. G, where the Crown failed to prove that the images that were child pornography were knowingly viewed or transmitted by the accused, and failed to prove that he knew they existed on the hard drive of his computer or exercised any measure of control over them. I note that the evidential basis of that case differed from this in that aspect. In that case there was evidence that a picture file could be created or accessed without it being viewed in some fashion, additionally that Internet browsing without proper security on a computer could allow the creation of files without the image being opened or viewed; that Internet browsing could result in the inadvertent copying of images onto a hard drive. There was evidence that the browser writes to the hard drive Temporary Internet Files not just the images the user sees on the screen but all the evidence on the web page even though the user may not have seen them or been aware of their existence. There was no evidence to this effect in the case before me.

It may well have been that the expert in R. v. C. refused to agree with the concessions made in R. v. G. What is important is that a detailed knowledge of the principles and technical aspects of computer forensics can always assist with turning the other side’s expert against them.

One of the grim realities of today’s internet is the constant threat of malware (viruses, trojans and worms, etc.). Malicious users scan the internet for poorly protected computers and focus attacks on them. Some web pages are exclusively set up to infect computers that access them, even if by accident or unintentionally. In July 2009, Google published a “Malware List” that identified 350,000 web pages that contained malicious software. This reality is often downplayed where the other side wishes to prove someone like Jane meant to download or access prohibited material. Courts have recognized these threats, and have even based findings on these threats.

In the 2010 Supreme Court of Canada case R. v. Morelli, the Court ruled that a search warrant that failed to distinguish between an allegation of “possessing” child pornography and “accessing” child pornography was unlawful, and ruled the evidence found by police should be excluded. This case crystallized the important difference between simply visiting websites that may contain unlawful material (that is then passively downloaded to an internet “cache”) and intentionally downloading files of source material such as photos and videos. At paragraph 19, the Court stated:

Canadian cases appear implicitly to accept only the latter proposition: That possession of an image in a computer means possession of the underlying data file, not its mere visual depiction.

And further at paragraph 33:

In short, my purpose here is not to say what constructive possession of virtual objects necessarily is, but rather what it manifestly is not. Plainly, in my view, previous access and the possibility of again accessing a Web site that contains digital images, located on a distant server over which the viewer has no control, do not constitute — either alone or together — constructive possession. However elastic the notion of constructive possession may be, to stretch it that far is to defy the limits of its elasticity.

The Court in Morelli also undertook a detailed analysis of what types of inferences can be drawn from bookmark links and website names. As the first Supreme Court of Canada decision to consider computer possession in detail, it is the foundation of any case analysis.

The law in this area demonstrates the difficulty with which legal principles are adapted to concepts of digital manipulation and storage. Often, cases turn on the facts that are successfully proven in the evidence stage: facts like how files are written to hard drives, and what types of “user” intervention are required to create them. Analogies about what people possess in their car or their yard are illuminating, but often false or fallacious.

This summary only briefly considers a few of the multitude of legal issues involved in a computer forensics case. The law in this area is still coalescing, and few appellate level decisions are available. It is for this reason that the quality and type of evidence presented is even more decisive than in other types of litigation. Courts are looking for guidance on these issues, and still have difficulty grappling with these complicated concepts.

Anecdotally, when lawyers from Mulligan Tam Pearson were training in computer forensics in the U.S. and England, most experts stated they were almost never substantively challenged on their evidence in cross-examination. As can be gleaned from the above material, the quality of evidence can have a massive impact on these cases’ results.