
Page 1: ISSA may 2011

Evidential value of eMail

For:

Phil Bowles LLB(hons) May 2011

Page 2: ISSA may 2011

Overview

• “Best Evidence” and “Native form”
• IT Evidence is not always what it seems
• The mechanics of email / location of evidence
• Simple forgery of email
• In Practice: R v Rowe and Bhatt

• Law
• Surrealist / pop art
• History
• Geography
• Philosophy
• Quantum Theory

Page 3: ISSA may 2011

“Best Evidence”

“no evidence is admissible unless it is ‘the best that the nature of the case will allow’”

Omychund v Barker (1745) 1 Atk 21, 49; 26 ER 15, 33, per Lord Hardwicke

“if an original document is available in one’s hands, one must produce it; that one cannot give secondary evidence by producing a copy”

Garton v Hunter [1969] 1 All ER 451, [1969] 2 QB 37, per Lord Denning

Page 4: ISSA may 2011

Best Evidence?

PMB/1 11:30 9/5/2011 N40419682

Page 5: ISSA may 2011

PRACTICE DIRECTION 31B: DISCLOSURE OF ELECTRONIC DOCUMENTS

5(8) • “Native Electronic Document” or “Native Format” means an Electronic Document stored in the original form in which it was created by a computer software program

6(4) • Electronic Documents should generally be made available for inspection in a form which allows the party receiving the documents the same ability to access, search, review and display the documents as the party giving disclosure

33 • Save where otherwise agreed or ordered, electronic copies of disclosed documents should be provided in their Native Format, in a manner which preserves Metadata relating to the date of creation of each document.

Page 6: ISSA may 2011

Things are not always what they seem…

“La Trahison des Images”, René Magritte, 1929

Page 7: ISSA may 2011

The treachery of paper

“I have in my hand a piece of paper…”

Neville Chamberlain, 30 September 1938

…less than 1 year later, history showed that it did NOT represent “peace for our time”

Page 8: ISSA may 2011
Page 9: ISSA may 2011

A small “e” makes all the difference

Evidential characteristics

Paper Mail:
• Postmark
• Fingerprints
• DNA
• Postman’s footprints
• Signature
• Human memory

email:
• Headers
• Headers
• Headers
• Headers
• Digital Signature
• Forensic analysis of electronic memory

Page 10: ISSA may 2011

Real vs Digital Evidence

Schrödinger’s Cat…

- Can simply LOOKING at something actually change it?

Real / Digital

“Those who are not shocked when they first come across quantum theory cannot possibly have understood it.” Niels Bohr

“I think I can safely say that nobody understands quantum mechanics.” Richard P Feynman

Page 11: ISSA may 2011

The Mechanics of email

• Connection between computers that allows exchange of information
• Computers all speak the same “language” – TCP/IP
• Interconnected Networks = “INTERNET”

NETWORK

Page 12: ISSA may 2011

Real-world analogy: telephone numbers

020 8552 4821
01279 313007
01279 313130

Voice / FAX

Page 13: ISSA may 2011

IP Addressing

213.123.4.64
64.17.111.26
195.94.94.117

email / web

Page 14: ISSA may 2011

Relaying

Client --SMTP--> Server --SMTP (“Relay”)--> Server --POP3/IMAP--> Client

Where is the evidence located?

Page 15: ISSA may 2011

Headers

A message passing through four hosts; each host adds its own “Received” line on top of the ones already there:

212.1.132.123:
  Hello..

12.111.34.47:
  Rcvd from 212.1.132.123
  Hello..

194.195.1.222:
  Rcvd from 12.111.34.47
  Rcvd from 212.1.132.123
  Hello..

152.158.43.43:
  Rcvd from 194.195.1.222
  Rcvd from 12.111.34.47
  Rcvd from 212.1.132.123
  Hello..

What steps are required to secure the evidence?

Page 16: ISSA may 2011

Beware DHCP…

“Profile of Time”, Salvador Dalí (1904-1989); Salvador Domingo Felipe Jacinto Dalí i Domènech, Marquis of Dalí de Púbol

Page 17: ISSA may 2011

Corporate gateways

INTERNET <-> 152.158.43.43 (the gateway address)

How long will the evidence be held?
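The two slides above are the practical problem: the address in a Received line is a dial-up or gateway address that belongs to a different subscriber at a different moment, so it has to be matched against the ISP's lease log, and the match only works if the header's time zone and the log's time zone are reconciled first. The following is an added example, not code from the presentation: the lease log, its layout and the account names are constructed, and 212.1.132.123 is the dial-up address from the hop diagram.

```python
"""Tie the address in a Received: line back to a subscriber through the
ISP's DHCP lease log, normalising time zones first.

Added example for the "Beware DHCP" and "Corporate gateways" slides; not
code from the presentation.  The lease log and its layout are constructed;
212.1.132.123 is the dial-up address from the hop diagram.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed lease log in the form an ISP might export it: one row per
# lease, timestamps in UTC.  The header below is stamped in BST (+0100),
# so it must be converted before it is compared with these rows.
LEASE_LOG = [
    # (ip, subscriber account, lease start UTC, lease end UTC)
    ("212.1.132.123", "acct-0417", "2002-09-03 14:02:11", "2002-09-03 16:10:05"),
    ("212.1.132.123", "acct-2231", "2002-09-03 16:11:40", "2002-09-03 17:00:00"),
    ("212.1.132.123", "acct-0999", "2002-09-03 17:01:00", "2002-09-03 19:45:00"),
]

# Constructed Received: line, in the shape of the second hop on the header slide.
RECEIVED_LINE = ("Received: from dialup-pc ([212.1.132.123]) by smtp.isp-a.invalid; "
                 "Tue, 3 Sep 2002 17:24:37 +0100")


def received_timestamp(received_line):
    """The date an MTA stamped on a Received: line (the part after ';')."""
    value = received_line.split(":", 1)[1]
    return parsedate_to_datetime(value.rsplit(";", 1)[1].strip())


def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def lease_holder(ip, when, log=LEASE_LOG):
    """Subscriber holding `ip` at the instant `when`, or None if the log
    has no lease covering it (an expired retention window looks exactly like this)."""
    if when.tzinfo is None:
        raise ValueError("naive timestamp: its time zone is unknown, so it cannot be compared")
    t = when.astimezone(timezone.utc)
    for lease_ip, subscriber, start, end in log:
        if lease_ip == ip and _utc(start) <= t <= _utc(end):
            return subscriber
    return None


def naive_lookup(ip, when, log=LEASE_LOG):
    """The mistake the slide warns against: read 17:24:37 off the header,
    forget the +0100, and look it up as if it were UTC."""
    return lease_holder(ip, when.replace(tzinfo=timezone.utc), log)


if __name__ == "__main__":
    when = received_timestamp(RECEIVED_LINE)
    print("header time:", when, "=", when.astimezone(timezone.utc), "UTC")
    print("correct lookup:", lease_holder("212.1.132.123", when))
    print("zone-blind lookup:", naive_lookup("212.1.132.123", when))
```

With the constructed log the zone-aware lookup attributes the address to acct-2231, while reading the header clock as UTC lands an hour later and names acct-0999: a different subscriber from one overlooked offset. A timestamp outside the log's window returns None, which is also what an exhausted retention period looks like, hence the slide's question about how long the evidence is held.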

Page 18: ISSA may 2011

Example of headers

Microsoft Mail Internet Headers Version 2.0
Received: from cerberus.anorhack.com ([192.168.0.2]) by cerberus.anorhack.com with Microsoft SMTPSVC(5.0.2195.5329); Tue, 3 Sep 2002 17:30:34 +0100
Received: from m60-mp1.cvx1-b.col.dial.ntli.net [213.107.232.60] by cerberus.anorhack.com with XWall v3.21 ; Tue, 3 Sep 2002 17:25:03 +0100
Received: from BODDIRECTOR ([192.168.0.164]) by ntsraidnet1 with Microsoft SMTPSVC(5.5.1877.197.19); Tue, 3 Sep 2002 17:24:37 +0100
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
From: Adrian Reid <[email protected]>
To: "[email protected]" <[email protected]>
Return-Path: "[email protected]" <[email protected]>
Subject: timetable
Date: Tue, 3 Sep 2002 17:24:37 +0100
X-Assembled-By: XWall v3.21
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Message-ID: <[email protected]>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_1_GxMKaEJLIEyBzBZJkTIXkvgUZlV"
X-OriginalArrivalTime: 03 Sep 2002 16:30:34.0904 (UTC) FILETIME=[3A8FE180:01C25367]

Read the Received lines from the bottom up: the message left BODDIRECTOR (192.168.0.164) via ntsraidnet1 at 17:24:37, arrived at cerberus.anorhack.com from the NTL dial-up address 213.107.232.60 at 17:25:03, and was passed on within cerberus.anorhack.com at 17:30:34. Only the lines stamped by servers whose logs the investigator can obtain are first-hand evidence; the rest travelled inside the message.
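The hop diagram and the header example above both turn on the same rule: Received lines are added on top, so the ones nearest the top were written by the recipient's own servers and the ones below them are only what earlier hosts, or the sender, chose to write. The following is an added example, not code from the presentation, that walks a header block in that order and separates what the investigating organisation can vouch for from hearsay. The header block is constructed: the host names are invented, the first three addresses are the ones on the hop diagram, and the bottom Received line is one the sender typed himself before handing the message to the first relay.

```python
"""Walk a message's Received: chain and mark where our own evidence ends.

Added example for the hop diagram and the header slide; not code from the
presentation.  SAMPLE_HEADERS is constructed: host names are invented, the
first three IP addresses are those on the hop diagram, and the bottom
Received: line was written by the sender, not by a server.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

SAMPLE_HEADERS = """\
Received: from relay.isp-b.invalid ([194.195.1.222]) by gw.corp.invalid with SMTP; Tue, 3 Sep 2002 17:30:34 +0100
Received: from smtp.isp-a.invalid ([12.111.34.47]) by relay.isp-b.invalid with SMTP; Tue, 3 Sep 2002 17:25:03 +0100
Received: from dialup-pc ([212.1.132.123]) by smtp.isp-a.invalid with SMTP; Tue, 3 Sep 2002 17:24:37 +0100
Received: from mail.some-bank.invalid ([10.1.1.1]) by dialup-pc with SMTP; Tue, 3 Sep 2002 17:26:00 +0100
From: The Boss <ceo@some-bank.invalid>
To: finance@corp.invalid
Subject: timetable

Blah blah blah
"""

RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """One Received: value -> who claims to have handed it to whom, and when."""
    m = RECEIVED_RE.search(value)
    ip = IP_RE.search(value)
    when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip()) if ";" in value else None
    return {"from": m.group("from") if m else None,
            "ip": ip.group(1) if ip else None,
            "by": m.group("by") if m else None,
            "when": when}


def hop_chain(raw_message):
    """Received: lines in header order: index 0 was added last, by the server
    nearest the recipient; the bottom line claims to be the oldest."""
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def audit(raw_message, our_hosts):
    """Split the chain into what we can vouch for and what is hearsay.

    our_hosts: names of the servers whose logs we control.  Only the leading
    run of hops stamped *by* those servers is our evidence; the 'from'
    address of the last of them is the peer that really connected to us.
    Everything below was carried inside the message and could have been
    written by anyone along the way, including the originator.
    """
    hops = hop_chain(raw_message)
    vouched = 0
    while vouched < len(hops) and hops[vouched]["by"] in our_hosts:
        vouched += 1
    anomalies = []
    for i in range(len(hops) - 1):
        newer, older = hops[i], hops[i + 1]
        # the host that stamped hop i+1 should be the host hop i says it came from
        if older["by"] != newer["from"]:
            anomalies.append(f"hop {i} says from {newer['from']} but hop {i + 1} was stamped by {older['by']}")
        # a message cannot be received by an earlier server later than by a later one
        if newer["when"] and older["when"] and older["when"] > newer["when"]:
            anomalies.append(f"hop {i + 1} ({older['by']}) is timestamped after hop {i} ({newer['by']})")
    return {"hops": hops,
            "vouched_hops": vouched,
            "handoff_ip": hops[vouched - 1]["ip"] if vouched else None,
            "hearsay_ips": [h["ip"] for h in hops[vouched:]],
            "anomalies": anomalies}


if __name__ == "__main__":
    report = audit(SAMPLE_HEADERS, {"gw.corp.invalid"})
    for n, hop in enumerate(report["hops"]):
        tag = "OURS   " if n < report["vouched_hops"] else "HEARSAY"
        print(f"{tag} from {hop['from']} [{hop['ip']}] by {hop['by']} at {hop['when']:%H:%M:%S}")
    print("peer that connected to our gateway:", report["handoff_ip"])
    for a in report["anomalies"]:
        print("anomaly:", a)
```

Run against the constructed block with only gw.corp.invalid as "our" server, the audit vouches for one hop and one fact: 194.195.1.222 delivered the message. The three addresses below it, including the dial-up one and the bank that the sender claims it came from, are hearsay until the ISPs' logs confirm them, which is the "full audit trail" of the summary slide. The forged bottom line does betray itself here by being timestamped after the hop above it, but a careful forger would not make that mistake, so the timestamp check is a signal, not a test of authenticity.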

Page 19: ISSA may 2011

Manual server conversation

HELO datasec.co.uk
MAIL FROM: [email protected]
RCPT TO: [email protected]
DATA
Subject: Forged headers and SPAM
Blah blah blah
.

[email protected]
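The conversation on this slide is the whole of the forgery: nothing in it is authenticated, so the HELO name, the envelope sender and every header typed after DATA, From: included, are simply the sender's assertions. The following is an added example, not code from the presentation, that replays that conversation against an in-process stand-in for the receiving server and shows what the server ends up holding. The server is a toy state machine rather than a socket listener so that it runs anywhere; the lines the client sends are the ones a person would type into port 25. The host and mailbox names are invented, and 212.1.132.123 is the dial-up address from the hop diagram.

```python
"""The slide's hand-typed SMTP session, replayed against an in-process
stand-in for the receiving mail server.

Added example, not code from the presentation.  ToyMTA is a toy (no
sockets), OUR_MTA and the mailbox names are invented, and the fixed date
is used only so the output is reproducible.
"""

OUR_MTA = "mx.victim-corp.invalid"               # assumed name of the receiving server
FIXED_DATE = "Tue, 3 Sep 2002 17:30:34 +0100"    # stamp used instead of the wall clock


class ToyMTA:
    """Receiving server as a state machine: speak(line) -> reply or None.

    Like a real MTA it accepts whatever it is told, then prepends a
    Received: line recording what it *observed* (the peer address and the
    HELO name) and a Return-Path: taken from the envelope MAIL FROM.  The
    headers inside DATA are stored verbatim: they are the sender's claims.
    """

    def __init__(self, peer_ip):
        self.peer_ip = peer_ip          # what the TCP connection tells the server
        self.helo = "?"
        self.envelope_from = "<>"
        self.in_data = False
        self.lines = []
        self.mailbox = []               # the evidence the server will hold

    def speak(self, line):
        if self.in_data:
            if line == ".":
                self.in_data = False
                stamped = (f"Received: from {self.helo} ([{self.peer_ip}]) by {OUR_MTA}; {FIXED_DATE}\n"
                           f"Return-Path: {self.envelope_from}\n" + "\n".join(self.lines))
                self.mailbox.append(stamped)
                self.lines = []
                return "250 queued"
            # dot-stuffing: a body line beginning ".." carries a literal "."
            self.lines.append(line[1:] if line.startswith("..") else line)
            return None                 # the server is silent until the final "."
        upper = line.upper()
        if upper.startswith(("HELO ", "EHLO ")):
            self.helo = line[5:].strip()
            return "250 hello"
        if upper.startswith("MAIL FROM:"):
            self.envelope_from = line[10:].strip()
            return "250 sender ok"
        if upper.startswith("RCPT TO:"):
            return "250 recipient ok"
        if upper == "DATA":
            self.in_data = True
            return "354 end data with <CR><LF>.<CR><LF>"
        if upper == "QUIT":
            return "221 bye"
        return "500 command unrecognised"


def forge_message(server, claimed_from, victim):
    """Type the slide's conversation.  Nothing is authenticated, so the HELO
    name, MAIL FROM and every header after DATA are free text."""
    script = [
        "HELO datasec.co.uk",
        f"MAIL FROM:<{claimed_from}>",
        f"RCPT TO:<{victim}>",
        "DATA",
        f"From: The Boss <{claimed_from}>",
        f"To: <{victim}>",
        "Subject: Forged headers and SPAM",
        "",
        "Blah blah blah",
        ".",
        "QUIT",
    ]
    transcript = [f"S: 220 {OUR_MTA} ready"]
    for line in script:
        transcript.append("C: " + line)
        reply = server.speak(line)
        if reply is not None:
            transcript.append("S: " + reply)
    return transcript


def run_forgery_demo(peer_ip="212.1.132.123",
                     claimed_from="ceo@victim-corp.invalid",
                     victim="finance@victim-corp.invalid"):
    """Return the exchange, what the server stored, and the only facts it can vouch for."""
    server = ToyMTA(peer_ip)
    transcript = forge_message(server, claimed_from, victim)
    return {"transcript": transcript,
            "stored": server.mailbox[0],
            "observed_peer": peer_ip,
            "claimed_helo": server.helo}


if __name__ == "__main__":
    demo = run_forgery_demo()
    print("\n".join(demo["transcript"]))
    print("\n--- as stored on the server ---\n" + demo["stored"])
```

The stored message carries "From: The Boss <ceo@victim-corp.invalid>" exactly as the forger typed it, and a Return-Path that is equally his invention. The only first-hand facts are on the line the server itself added: the peer address it saw (212.1.132.123) and the HELO name it was given, which was a claim too. That line is why, on the next slides, the headers printed on a piece of paper prove nothing on their own.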

Page 20: ISSA may 2011

“The Scream”, Edvard Munch, 1893

(pseudo) Live Demonstration

Pages 21-24: ISSA may 2011
Page 25: ISSA may 2011

An easier way

But WEEEEEE don’t want to make you do all THAT…!

Pages 26-28: ISSA may 2011
Page 29: ISSA may 2011

• anonymailer.net
• emailpranker.com
• fakesend.com
• sendanonymousemail.com
• mytrashmail.com

Page 30: ISSA may 2011

The treachery of email

If what you have in your hand is a piece of paper…

…it is certainly NOT an eMail!

Page 31: ISSA may 2011

R v Rowe & Bhatt (Canterbury Crown Court 2003 – unreported)

• Large pharmaceutical company
• ½m fraud, “cut-throat” defence
• Rowe produced dozens of printed emails between himself and Bhatt
• Bhatt alleged that he had never received (nor even seen) the emails
• Rowe was IT infrastructure manager for Europe. He designed and implemented the email transport system for the company
• After a live demonstration of email forgery to the court, the email evidence was significantly devalued

Page 32: ISSA may 2011

Summary

• eMail evidence native form is DIGITAL
• Network investigation experience essential in email investigations
• Email is easily forged
• Full audit trail required for “best evidence”
• Contextual inferences often vital
• Distributed location, often international
• Time issues: log retention / time zones

Page 33: ISSA may 2011

Questions?

Phil Bowles
Internet Enforcement Team Leader
Consumer Markets
Office of Fair Trading
2-6 Salisbury Square
London EC4Y 8JX

020 7211 8598

[email protected]

© 2011 mecánica cubana presentación