


Federal Rules and Criminal Codes

Chapter Objectives

After reading this chapter and completing the exercises, you will be able to do the following:


  • Identify federal rules of evidence and other principles of due process of the law.

  • Explain the legal foundation and reasons for pretrial motions regarding

  • Identify the limitations on expectations of privacy.

  • Explain the major anticrime laws and amendments impacting discovery and use of e-evidence.


Federal rules and laws are changed to bring them up to date with new technology, crimes, threats, and evidence. Rules are regulations that govern legal conduct, procedures, and practices. Laws are regulations that govern the conduct of the people of a society or nation. These rules and laws directly impact investigative procedures and the admissibility of evidence. Investigators who do not understand them run the risk of compromising cases, convicting innocent people, or letting guilty people go free. You need to know what constitutes a legal search, what laws govern obtaining e-evidence and securing it so that the chain of evidence is not compromised, what telecommunications may lawfully be intercepted or examined after they have been received, and what privacy rights employees and other individuals have. Consider the need to understand rules and laws in these cases. Before seizing a computer or other hardware, one needs to consider whether the Fourth Amendment requires a search warrant.

  • 408 CHAPTER 12 | Federal Rules and Criminal Codes

Before accessing stored electronic communications, one needs to consider the requirements of the Electronic Communication Privacy Act. To conduct real-time electronic surveillance, a wiretap order may be needed from a judge.

In this chapter, you learn about due process of the law, federal rules of evidence and procedure, and anticrime laws. These laws are important to know because even cases that center on physical evidence and eyewitness testimony may require collecting e-evidence to guide or corroborate the physical evidence.

You will learn about the authority granted to investigators under privacy laws and the limitations those laws impose to protect civil rights. Many of these laws are highly controversial and subject to heated debates. At the same time, crimes are increasingly computer-technology-dependent. These forces will drive changes in privacy laws as the privacy versus security battles play out. This chapter also provides the framework for understanding the ethical challenges and demands of giving testimony in court that are covered in the next chapter.

Due Process of the Law

Due process of the law is a fundamental principle to ensure that all civil and criminal cases follow federal or state rules to prevent any prejudicial, or unequal, treatment. This chapter focuses on federal rules and cases for two reasons. First, cases that involve the Internet or telecommunications typically are federal cases because they cut across state boundaries. Second, states' rules are patterned after federal rules and are sufficiently similar for the level of this chapter.

Due process is guaranteed in the Fifth Amendment to the U.S. Constitution, which states: "No person shall . . . be deprived of life, liberty, or property, without due process of law." Federal Rules of Civil Procedure, Federal Rules of Criminal Procedure, and Federal Rules of Evidence, which were introduced in Chapter 1, are the primary rules ensuring due process. In federal courts, evidentiary rules are governed by the Federal Rules of Evidence. State courts follow their own state rules of evidence. This chapter discusses the rules in greater detail now that you have a solid understanding of the technology and criminal components of e-evidence.


The Law School of Cornell University maintains up-to-date Federal Rules of Criminal Procedure at www.law.cornell.edu/rules

Federal Rules of Civil Procedure are at www.law.cornell.edu/



Rules of Procedure Regulate Production of Evidence



The Federal Rules of Civil Procedure were adopted in 1938. Until 1970, rules had developed to deal only with physical or tangible evidence. Specifically, the law of criminal procedure has evolved to regulate the mechanisms common to the investigation of physical crimes, namely the collection of physical evidence and eyewitness testimony, and not e-evidence (Kerr, 2005). So the rules you learn about are expected to change.

Rules 26 and 34 regulate the production of evidence. Then an amendment in Rule 34(a) took effect that made electronic data subject to discovery, while also providing protections (in the form of exceptions to the rule) for the party whose electronic data was being searched. For decades, this amendment had no striking impact because only computer hard-copy printouts were routine in legal matters. A far-reaching impact did not begin until the late 1990s when the discovery of "electronically stored information" contained on the computer itself became routine. This change raised issues about e-evidence: how it could be authenticated, proved to be reliable, and determined to be admissible in criminal or civil proceedings. This section reviews the current and evolving status of laws pertaining to the processes of authentication, reliability, and admissibility. It also discusses the requirements for laying a proper foundation for e-evidence and serving as an expert witness.

On April 12, 2006, the U.S. Supreme Court approved the proposed amendments to the Federal Rules of Civil Procedure. These rules concern the discovery of "electronically stored information" (ESI). These rule changes affect Rules Form 35.

The rules have been sent to Congress and will become effective on December 1, 2006, unless Congress acts to change or defer the amendments. The amendments are available on the U.S. courts' Web site at: www.uscourts.gov/rules/newrules6.html#cv0804.

Proposed amendments will impose greater precision and further change the way lawyers and courts approach e-discovery. In particular, Rule 16(b)(5) requires the disclosure of e-discovery during the initial pretrial conference. Discovery requests would have to be more specifically tailored because of the huge volume of e-evidence. This discussion should be specific regarding the subject matter, time periods, and identification of persons or groups from whom discovery may be sought. And the parties need to negotiate how the documents will be produced very early in the case. It could take lawyers months to negotiate the format in which documents would be produced (images, TIFF, PDF, or native format) and what metadata would be included (Hsieh, 2006). For example, in Lauren Corp. v. Century Geophysical Corp., the plaintiff sought to inspect the defendant's computers for evidence to support its claim that the defendant had unlawfully used the plaintiff's licensed software. It took the parties and the court over a year to resolve various discovery disputes. The court finally compelled inspection of the

Proposed amended Rule 34(b) would allow the requesting party to "specify the form in which electronically stored information is to be produced." Specific information on these pending rules and the status of other amendments can be found by selecting the "Pending Rules Amendments Awaiting Final Action" hyperlink in the upper left corner of the Web page www.uscourts.gov/rules/#judicial0905. Also see www.uscourts.gov/rules/comment2005/CVAug04.pdf.

Another proposed change to Rule 26(b)(2)(B) would require a court order for e-evidence that is "not reasonably accessible because of undue burden or cost." This rule may lead to lengthy discussions about what is or is not reasonably accessible because it shifts the cost burden to the requesting party.

Laying a Proper Foundation for E-Evidence

In 1975, the Federal Rules of Evidence were adopted. They govern the admissibility of evidence, including electronic records or data. Some of these rules are referred to as exclusionary rules because they specify the types of evidence that are excluded and thus cannot be presented at trial. In establishing admissibility, many rules of evidence concentrate first on the evidence's relevancy. After evidence is found to be relevant, then it must survive several tests based on the rules of evidence in order to be admissible. Figure 12.1 shows that relevant evidence which has not been excluded is admissible evidence.

Exclusionary Rules Exclusionary rules are specific Federal Rules of Evidence that test whether evidence will be admissible. Some of these rules test whether there is a specific rule that bars the admissibility of evidence, such as hearsay or privilege. Even if there is a specific rule that bars its admissibility, there may be exceptions to the rule, such as the business rule exception to the hearsay rule. Exclusionary rules pertain to the

FIGURE 12.1 Relevant evidence that has not been excluded is admissible evidence.




  • Relevancy. The evidence has a logical and valuable connection to an issue of the case.

  • Privilege. Protects attorney-client communications and keeps those communications confidential.

  • Opinion of expert. Qualified experts may testify under certain conditions even though they were not eyewitnesses.

  • Hearsay. Rule against using "out of court" statement offered to prove

  • Authentication. The evidence is what it purports (claims) to be.

These rules as they apply to e-evidence are described in Table 12.1. The Legal Information Institute (LII) of Cornell University publishes the eleven articles of the Federal Rules of Evidence at www.law.cornell.edu/rules/fre/. This is a free service provided by the LII.

As the Rules listed in Table 12.1 describe, evidence may be inadmissible if it falls into a category that makes it inadmissible, such as hearsay or privilege; or it is irrelevant, prejudicial, misleading, or causes delays that substantially outweigh its probative value. Evidence has probative value if it is sufficiently useful to prove something important.

TABLE 12.1 Federal Rules of Evidence pertaining to e-evidence.

| Rule | Description |
| --- | --- |
| Rule 104(a). Preliminary Questions of Admissibility | Questions concerning the qualification of an expert witness or the admissibility of evidence are decided by the court. |
| Rule 401. Definition of Relevant Evidence | Relevant evidence means evidence that can make some fact or issue more probable or less probable than it would be without the evidence. |
| Rule 402. Relevant Evidence Generally Admissible; Irrelevant Evidence Inadmissible | All relevant evidence is admissible, except as otherwise provided by the Constitution of the United States, by Act of Congress, by these rules, or by other rules of the Supreme Court. Evidence that is not relevant is not admissible. |
| Rule 403. Exclusion of Relevant Evidence on Grounds of Prejudice, Confusion, or Waste of Time | Even if it is relevant, evidence may be excluded if its probative value is outweighed by the danger of unfair prejudice, confusion of the issues, misleading the jury, unnecessary delay, or waste of time. |
| Rule 702. | This rule broadly governs the admissibility of expert testimony. It outlines what is necessary to be qualified as an expert. A witness is qualified as an expert by knowledge, skill, experience, training, or education. Under Rule 702, the test is: If scientific, technical, or other specialized knowledge will help the trier of fact (jury or judge) understand the evidence, a qualified expert may testify if (1) the testimony is based upon sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case. |
| | Testimony in the form of an opinion that is not inadmissible for some other reason is allowed because the opinion is an issue for the trier of fact to decide. |
| Rule 802. Hearsay Rule | Hearsay is not admissible except as provided by these rules or by other rules of the Supreme Court. |
| Rule 803(6). Business Exception Rule | Business records that are made during the ordinary course of business are admissible. Conversely, business records that are made for use in a civil or criminal case are not admissible. |
| Rule 901(a). Requirement of Authentication or Identification, General Provision | The requirement of authentication or identification is satisfied by evidence that supports that the "matter" is what its proponent claims it is. |



Visit Prentice-Hall's Cybrary at www.talkjustice.com/ for a comprehensive directory of Web sites related to forensics, and other criminal justice topics.




Hearsay Evidence Hearsay Rule 802 can block admissibility unless some exception applies to the evidence. For example, if the author of an electronic record is not available to verify the truth of the matter, the electronic record would be hearsay. As such, it would be inadmissible unless it fit into one of the exceptions to the hearsay rule. Electronic records that are business records made during the ordinary course of business are admissible under the business records exception rule in Rule 803(6). Therefore, business records, which are hearsay, can be admitted as evidence because they are an exception to hearsay. The reason for their exception is that their regular use in the business of a company ensures a high degree of accuracy so additional verification is not needed.

Motions to Suppress Evidence Questions of admissibility and motions to suppress evidence are handled before trial. A judge may hold a hearing to determine whether or not evidence is admissible. In those cases, the jury never hears of the evidence. A motion by a lawyer for such a hearing before trial is called a motion in limine (pronounced lim-in-nay). Courts prefer this approach because it limits the jury's exposure to inadmissible evidence, which might influence jury members regardless of attempts to ignore it (Eichhorn, 1989).

Federal Rule 702 Test for Admissibility Evidence is not the only thing that is subject to tests of admissibility. A forensic examiner's qualifications can be challenged or the tools or methodologies used in a forensic investigation can be objected to. These challenges or objections are heard outside the presence of the jury during a pretrial hearing under Federal Rule 702 (as defined in Table 12.1).

From 1923 to 1993, the test for admissibility of expert witness testimony and methodologies was based on the 1923 ruling in Frye v. United States (1923). The Frye test, as it came to be known, requires that the scientific principle upon which the work is based is "sufficiently established to have gained general acceptance in the particular field in which it belongs." Using Frye, a judge had to test the admissibility of expert testimony before allowing it in court.

In part because of the problems caused by the "general acceptance" criteria, the Frye test that Rule 702 had been relying on was replaced (superseded) by the Daubert test in 1993. In 1993, the Supreme Court issued an opinion in the case of Daubert v. Merrell Dow Pharmaceuticals that abandoned the earlier Frye standard in federal cases and set a new standard. A judge must take into account the following:

  • 1. Whether the theory or technique can be and has been tested

  • 2. Whether it has been subjected to peer review and publication

  • 3. The known or potential error

  • 4. The general acceptance of the theory in the scientific community

  • 5. Whether the proffered testimony is based upon the expert's special skill


The Daubert test is primarily a question of relevance, or "fit," of the evidence. The Supreme Court holds that in order for testimony to be used it must be sufficiently tied to the facts of the case to help understand an issue being disputed (Norberg, 2006). For the full text of the Daubert test, visit the Supreme Court Collection of the Legal Information Institute at supct.law.cornell.edu/supct/html/92-102.ZS.html.

Authenticating E-Mail Messages and other E-Evidence

A physical document can be authenticated by either direct evidence or circumstantial evidence. Examples of circumstantial evidence would be the paper document's appearance, content, or substance. The same circumstantial evidence the courts use to authenticate physical documents applies to e-mail

In order to authenticate an e-mail message, Rule 901 requires that the person (proponent) who introduces the message provide "evidence sufficient to support a finding that the [e-mail message] is what its proponent claims."


The reliability of e-evidence itself and the reliability of the methods and procedures used must be established too. Rule 901 generally can be satisfied by

  • 1. The computer equipment is accepted in the field as standard and competent and was in good working order.

  • 2. Qualified computer operators were employed.

  • 3. Proper procedures were followed in connection with the input and output of information.

  • 4. A reliable software program and hardware were used.

  • 5. The equipment was programmed and operated correctly.

  • 6. The exhibit is properly identified as the output in question.

Proof must be provided for all six of these issues or for all issues that apply to the handling of the evidence. It is not a surprise that opposing

will challenge the authentication of the e-evidence. In fact, evidence should be challenged to ensure that it accurately and fully represents the truth.

Circumstantial E-Mail Evidence Authenticates Other E-Mail A good example of how e-mail messages can be authenticated to meet Rule 901 is in United States v. Siddiqui (Robins, 2003). In Siddiqui, the defendant was convicted of fraud, making false statements, and obstructing a federal investigation in connection with an award he had applied for from the National Science Foundation (NSF). The issue of the case was that the defendant, Siddiqui, had falsified documents (letters recommending him for the NSF award) in the names of two other individuals; and the defendant had then urged those two individuals to support the falsified documents. E-mail messages between Siddiqui and the two individuals containing incriminating information were recovered and used as e-evidence.

Siddiqui appealed. He challenged the district court's decision to admit into evidence several e-mail messages between himself and the two individuals. The court held that the appearance, contents, substance, internal patterns, and other circumstances of these e-mail messages authenticated them. The Eleventh Circuit pointed to the following facts:

  • 1. The e-mail messages reflected an e-mail address that included a variation of the defendant's name and a uniform resource locator (URL) for the defendant's employer.

  • 2. The e-mail address in these messages was consistent with one in another e-mail message that was introduced into evidence by the defendant as an e-mail message from the defendant to one of the two other individuals.

  • 3. The contents of the messages indicated that the author knew the details of the defendant's conduct in connection with the NSF award.

  • 4. One of the e-mail messages referred to a visit the defendant had made to a particular event attended by the defendant and by the recipient of the message.

  • 5. The e-mail messages referred to the author by a nickname recognized by the recipients.

  • 6. The e-mail messages occurred during the same time period in which the recipients spoke to the defendant by telephone and had conversations consistent in content with the e-mail messages.

This case presents several important lessons for computer forensics investigators. It illustrates the larger and more comprehensive role of e-mail evidence in a case. E-mail messages not directly on point may be relevant to the case as the proof needed to authenticate other e-mail. The content of e-mail messages may relate to other documents of the author, or have a style that is consistent with other communication patterns.

The issue of style is equally critical when e-mail has been planted or forged. E-mail forgers may not be aware of distinctive writing styles or rules of evidence and, out of habit, use their own writing style.

In a sexual harassment case brought by an accountant against her manager, the manager produced an e-mail message allegedly sent to him by the accountant, which she denied having sent. The company at which both employees worked required personnel to share computers. Employees were also required to reveal their e-mail passwords, so that if an employee was out of the office, colleagues could have access to e-mail messages on that employee's computer. The computer forensics investigator concluded that, based on these policies, it was not possible to verify whether or not the accountant had sent e-mail. The accountant produced e-mail she had sent to the manager and that he had sent to her over a year's time. The grammar, sentence structure, punctuation, and other style features in the disputed e-mail message clearly differed from other e-mail sent by the accountant and supported her claim that she had not sent the disputed e-mail. The contradictory evidence triggered a wider search of e-mail of the manager and information technology staff.

Circumstantial Evidence Authenticates Chat Room Session Circumstantial evidence was used to authenticate e-evidence in the United States v. Simpson case. The case involved a hard-copy printout of an online chat room session that Simpson had participated in. The government was able to authenticate a printout of a chat room session between a detective and the defendant Simpson. Even though Simpson did not use his full name in the chat room when communicating with the detective, he provided his first initial and last name. The initial and last name were the same as the defendant's, and the e-mail address belonged to the defendant. Pages found near a computer in Simpson's home contained the name, street address, e-mail address, and telephone number that the detective had given to the individual in the chat room session.

When considered all together, the circumstantial evidence was sufficient to authenticate the communication as one that occurred in a chat room session between Simpson and the detective.

This case illustrates how different types of evidence can be used for authentication. It also reaffirms the importance of detailed documentation of materials found near a computer, as was discussed in prior chapters. Next, we will examine the anticrime and privacy laws.




An employee who uses his employer's computer for personal communications assumes the risk that these may be accessed by the employer or by others.

Anticrime Laws

Congress responds to changing technology and high-tech crimes by amending existing laws if possible or by issuing new laws (statutes). The most authoritative federal statutes affecting computer forensics are the Electronic Communications Privacy Act (ECPA), the Federal Wiretap Statute, the Pen/Trap Statute, the CFAA, and the USA PATRIOT Act. The ECPA extended the Wiretap Statute to include authority over digital transmissions over computer networks.

A highly contentious response by President George W. Bush as part of his war against terrorism was the use of warrantless electronic surveillance. The order was issued without the consent of Congress and violates the Fourth Amendment.

Electronic Communications Privacy Act of 1986

In certain situations, the Electronic Communications Privacy Act (ECPA) of 1986 takes precedence over the right to privacy guaranteed by the Fourth Amendment. The ECPA applies to stored computer files that had been transmitted over a network. This law applies only to stored computer information and not to real-time interception of communications. Real-time interception of computer information in transit falls under the Federal Wiretap Statute of 1968.

The ECPA permits an ISP to look through all stored messages, e-mail waiting in an inbox, or recently sent and received mail. Some ISPs temporarily store all messages that pass through the system. The ECPA normally prevents the ISP from disclosing the messages to others, but there are exceptions. Law enforcement with proper warrants or administrative subpoenas can collect basic information about users from ISPs, including their names. They might also be allowed access to the content of stored messages.



Supreme Court Defers to

The courts usually defer to Congress's judgment when confronted with Fourth Amendment challenges to electronic surveillance.

Congress made the ECPA the primary law by which to address claims of privacy violations in the communications field. This law's goal is to balance privacy rights with law enforcement needs while protecting Fourth Amendment rights against unreasonable search and seizure whenever possible.

The authority given to law enforcement by the ECPA has sparked fierce opposition by privacy advocates. The full text of the ECPA is available at www.usiia.org/legis/ecpa.html.

Limitations of Privacy Laws The belief that a person has a reasonable

expectation of privacy under all circumstances is wrong. People try to hide their