I’m doubling up on conferences this week. Yesterday, I got the chance to sit in on a couple of sessions of the New York State Cyber Security Conference, which is always held in Albany. I then headed for Syracuse to attend the annual meeting of the New York Archives Conference, which started today.
The first session I attended, Acquiring Computer Communications: Often a Treacherous Task, focused on the use of electronic communications as evidence in legal or disciplinary proceedings. Stephen Treglia, an Assistant District Attorney with the Nassau County District Attorney’s Office, highlighted the many problems that employers and law enforcement agencies in New York State must confront. The legal terrain is laden with pitfalls.
The search and seizure of electronic communications (e.g., e-mail) has been the subject of a substantial amount of case law, and many of the non-computer issues relating to search and seizure translate well to computer issues. However, to date, most of the case law pertaining specifically to electronic communications has focused on child pornography. The courts are only now turning their attention to search and seizure of electronic communications relating to white-collar crime, and archivists and records managers should note that very little case law focuses upon search and seizure of electronic communications that document improper recordkeeping.
As if the situation weren’t murky enough, and most of the case law is federal. New York State law tends to be more respectful of individual rights than federal law, and not all federal case law is applicable in New York.
Treglia then provided an overview of current case law, with a particular focus on the workplace. He emphasized that current case law regarding employer searches of staff computers indicates that office policies trump individual privacy concerns. However, the court that handed down the prevailing opinion noted that the employee did not assert that he did not know about the policy, and future defendants may make this argument. As a result, employers should establish computer and Internet use policies and have each employee sign a statement indicating that s/he is aware of these policies and of the penalties for violating them.
Treglia’s presentation, which highlighted many inconsistencies and oddities in case law, made it plain that legislators and the courts have a lot of work to do to bring the law into line with the age of the Internet and that law enforcement personnel, attorneys, employers, schools -- and even some parents attempting to monitor their children’s Internet and cell phone usage -- will find themselves stumbling across uncertain terrain for some time to come.
The next session I attended, Incident Response Using Open Source Forensic Tools, focused on the New York State Digital Forensics Workgroup’s testing of open source alternatives to commercial forensics packages such as EnCase. The Digital Forensics Workgroup is headed by the New York State Police and consists of staff employed by many other agencies. Tom Hrbanek of the State Police, who initiated the discussion, noted that many agencies struggle to find the resources needed to do forensics work, and the workgroup wanted to see whether open source software would lower training and other costs. It also wanted to determine whether open source tools would make it easier for the workgroup to expand its focus to include live capture of evidence as well as post facto incident response.
John Griffin of the New York State Multi-Agency Digital Forensics Analysis Center, which focuses on state employee misconduct, explained how the workgroup conducted its tests. It spent about $400 to purchase a desktop computer that ran Linux and installed several open source forensic tools. It then downloaded and ran a hypothetical hacking scenario created by the National Institute for Standards and Technology (NIST). This scenario is accompanied by 31 questions that forensic analysts should be able to answer, and the testing team was able to answer all 31 questions with the open source tools and to validate the results with commercial forensics applications.
Mike Gibbs of the New York State Office of Children and Family Services then outlined some of the technical dimensions of the project. The forensics tool that the testing team used is called PTK, which runs on a variety of Linux distributions and on Mac OS X, and he discussed some of the problems they encountered. He also directed attendees to more information about the project and the software used.
Tom Hrbanek concluded by noting that work on the project continues and that it will expand to include capturing live memory dumps and data moving across networks, etc., and that the group will present its findings in detail at the International Conference on Digital Forensics & Cyber Crime, which will be held at the University at Albany, SUNY in September.
Although some components of this presentation exceeded my technical expertise, it was fascinating to hear that forensics personnel focus on issues of authenticity and integrity and use some of the techniques (e.g., fixity checking, keeping computers offline) that we often use. There are of course huge differences between the two fields -- they're trying to put away bad guys, and we’re trying to keep records intact and accessible across time. It’s always fascinating to see how the digital era has forced professions that formerly had little in common to focus on some of the same concerns.