U.S. attorney: Gathering cybercrime evidence can be difficult

With more cases of cybercrime on the docket, the U.S. district attorney's office has new challenges to face in terms of gathering evidence and presenting it to the court.

At Black Hat 2017, SearchSecurity sat down with Norman Barbosa, assistant U.S. state's attorney for the western district of Washington and the office's coordinator of computer hacking and intellectual property crimes, who is based in Seattle. Barbosa said jurors and judges have been getting better at understanding cybercrime evidence, although, overall, cybercrime cases have been getting more difficult to prosecute.

This interview has been edited for clarity.

Have you seen a type of tipping point in terms of understanding the digital world and cybercrime evidence, or was it a gradual process?

Norman Barbosa

Norman Barbosa: I think it's a gradual process, but it's not recent. I mean, it's been going on for decades. The courts have been seeing electronic evidence since the 70s, maybe even earlier, older stuff. And the arguments were a little bit more simplistic in those early days.

The civil practitioners have been trying cases for decades using similar evidence, email and computerized evidence. There's tons and tons of experience with handling it, establishing the authenticity of it, addressing concerns that something may have been faked. So legal systems are definitely familiar with it. 

People tend to think, 'Oh, you know, because computer evidence can be faked, you're never going to get [it] into court.' The fact that it can be faked is not determinative because we all know that we receive stuff on a day-to-day basis on computers. We work with them constantly, and they are reliable for the most part. They're used all the time, and very effectively. Judges and juries understand that.

How do you meet the burden of proof with cybercrime evidence? 

Barbosa: It's kind of two levels that we deal with. There's what we call the authentication rules for getting evidence into federal court, and they're governed by the rules of federal evidence. That's a fairly low standard; we have to show that the item is what it purports to be.

If I am introducing an email that the government asserts is an email sent by the defendant, I have to have some minimal amount of evidence to show that it really is. So it's something to give the judge enough confidence that this is not a fabricated piece of evidence; the government didn't type this up on paper and make it look like an email.

We can do that with a number of different things. That gets the evidence in front of the jury. If you can't meet that standard, you don't even get to talk to the jury about it.

But once you've met that standard, which is just a threshold meeting applied by the judge, it comes down to good old-fashioned argument in front of the jury on behalf of my side and the defense. The defense makes the argument that you shouldn't believe this, it's not good enough to believe that it was him, and we make our arguments as to why it is.

What do you say to those who claim cyber attribution is impossible because all digital evidence can be faked?

The reality of the situation is computers are not magical instruments that nobody can understand anymore and, frankly, juries get that now.

Barbosa: They're wrong. The reality of the situation is computers are not magical instruments that nobody can understand anymore and, frankly, juries get that now. I don't think you can find a juror who hasn't used a computer and [doesn't have] a basic understanding of how it works. Those are arguments to be made before the jury, and they are made.

It's often a defense that somebody else planted the evidence, and it's definitely our burden to show that the evidence was not planted. But there are a number of different ways to go about showing that. 

And proving the validity of that cybercrime evidence is an argument for the jury? It won't stop the evidence from being submitted in the first place?

Barbosa: Generally not, unless there truly is some reason to believe that evidence has been fabricated or planted and, frankly, if there is that reason, the case is unlikely to actually get to the point of a trial.

But you put the evidence in front of the jury, the government puts as much evidence to prove their case, that they believe this evidence is reliable, and the other side makes whatever arguments they can. Juries are remarkably intelligent, and are very capable of wading through those arguments at this point. They do it on a day-to-day basis; there's tons of cases that use electronic evidence. 

What are the barriers to gathering cybercrime evidence?

Barbosa: Computer crime is often pretty complex. It, very often, if not always, involves evidence in multiple jurisdictions, including foreign jurisdictions.

We're frequently required to seek assistance from other governments, which move at different paces depending on who you are dealing with. Different things, depending on the law of the country where you need to obtain evidence, you may or may not be able to get the things you need.

So that can make an investigation take a while, but not necessarily; it depends on the facts of any given case. There's no one recipe for, 'Okay, when you open a file, it'll be done within so many days.' You don't know until you start digging.

If you have evidence scattered all over the world, the different laws in place in each country where you may need to obtain evidence are going to impact that. Evidence that may be available with fairly simple process in one country may require a great deal more process to get in another country. It changes the speed at which you might be able to get your hands on [cybercrime evidence]. And, in certain countries, certain things may just not be available to law enforcement. We research what we can get, pursue whatever we can and, at the end of the day, you just have to evaluate what you're able to obtain and see if it makes a case.

We don't solve every case. You pursue every lead that you can and, really, I found that really goes to the heart of whether you can be successful. You can't ignore an avenue of investigation because it might be difficult. It's tempting in these cases because, as I point out when you're dealing with so many different jurisdictions and so many different roles, it grinds on you, makes it difficult, but the investigators that do solve cases just aggressively pursue every lead despite the difficulty of obtaining evidence. And that's what can often lead to us finding that needle in the haystack that unravels the whole thing. 

Are the difficulties greater because of how quickly digital can move, or is it that the legal process in the investigative process hasn't quite adapted yet?

Barbosa: I think it's a combination of both. The cases are more complex.

Traditional crime fighting involving local crime, you know, a drug crime scene or a violent crime scene, tends to be more compact and within your jurisdiction. Many cases you do [as] a prosecutor in a violent crime section or a drug unit, you have evidence maybe throughout the United States, or it may only just be in a few states, but cybercrimes so often bring in other countries, and our laws are different.

It takes longer to work through those processes. It involves diplomatic procedures. You have to send formal requests in most instances that just take a long time -- a longer time to transmit, and a longer time to get evidence back.

So whereas, let's say, you were pursuing a case with evidence solely in the United Sates, you can use legal process that we control. You know, working with our court system, working through our court system, I can get a search warrant to search either an account or a physical location, and we go do it.

But if it's [a] foreign government, we have to ask somebody else to do that. I have to write a request to them, it has to get sent to them, then they have to pursue whatever legal process [is] in their country. And that just builds in weeks, if not months.

Once they get the evidence, they have to send it back, and it goes through a long process through their department of justice or equal component and through ours and back to us. It may be six months to nine months [before] the evidence is being looked at by our investigators. [It] can be a big difference in time. 

Have you seen a movement toward streamlining the process of gathering international cybercrime evidence?

Barbosa: Yes, yes, definitely. I think everybody that's working these cases is constantly thinking about ways to make the process move quicker. Many governments are getting more comfortable, more familiar with this kind of investigation.

We're equally involved, too. I mean, we receive tons of requests from other governments for evidence that is located in our country related to crimes going on overseas, too. We've gotten better at processing those, too, but it's still a burdensome process; it takes a long time.

Part of that is built to make sure we're not just grabbing stuff willy-nilly. There are reasons for those procedures. They are in place to protect people's privacy and our system; that's what goes to the heart of our Constitution. It's good that they're there. It's frustrating sometimes when it moves slowly, but we've got to remind ourselves that those procedures are put in place for very good reasons.

We're having success, we're solving cases, we're bringing people to justice. We've got to constantly work harder and think of new, faster ways of doing cases. That's part of the challenge, which is one of the things that makes it an interesting and enjoyable space to work in. They are good challenges.

How do security companies help with investigations and gathering cybercrime evidence?

Barbosa: Many of our cases involve interaction with the incident response companies that are hired by victims to help them address the issues, and so it's often the incident response company may be the first on the scene who has taken images of the infected computers or machines.

They will often be doing some of the initial work-up and shipping leads to us; you know, sending us lists of malicious IP addresses that they may have noticed in their early incident response. Other clues that they might have picked up on, you know, if there's some email address or other lead that they may have found in the code or left on a machine, they'll send those to us.

That's really helpful. Just coordinating with the incident response companies can be very important to the success of an investigation because so much of it is [to] get jumping on leads really quickly and moving as fast as you can to pursue evidence.

[In] the vast majority of cases, we are working hand in hand with either the FBI or the Secret Service, and a variety of other agencies that do this kind of work. But we'll usually work very closely with the agents [on] the investigative plan, the strategy, and generating legal process to pursue evidence.

Most of the cases I get, I will receive a call from either counsel for the victim company or the FBI the day that we start doing the case. I mean, we're consulting with our agents from the minute the thing starts. 

It sounds like there are a lot of moving parts between the domestic agencies and organizations and international partners when gathering cybercrime evidence for cases.

Barbosa: Yeah. Sometimes it's hard to keep your head around [it].

I mean, earlier this year, one of my colleagues and I were working two different credit card hacking investigations -- different victims, different actors, but a lot of similarities kept mixing. We'd be sitting down to talk about what's going on this week and constantly having to go back to our charts and our notes to make sure we're talking about the right evidence and the right case. It gets confusing.

How many cases do you tend to work on at one time?

Barbosa: It varies significantly; often somewhere around a dozen or more. They're usually in different stages of the investigation. You may have a file open that you're not actively working on for weeks at a time.

So, when you have multiple cases popping up at the same time with lots of stuff going on, that's when it gets very difficult. Just keeping stuff straight; so much of it is just numbers. IP address after IP address, something like 95.22.122.217, and then you're like, 'What is that from? I got 12 cases, I got all this stuff.' You've got to constantly be keeping charts.

When it comes to cybercrime evidence, do you tend to lean more heavily on things like IP addresses and emails, or can you build cases on connecting certain pieces of malware or some code?

Barbosa: Each piece of evidence requires its own set of factors to establish its authenticity, but you rely on everything that might be available; it's hard to prove it's authentic.

IP address tracing is one thing, you know, if you can establish that an email was sent from an IP that was registered in the name. I mean, this is a very simplistic example, but it definitely occurs, and not so much in true cybercrime cases because people use all kinds of VPNs and what-not.

But, in a business dispute case, you may be trying to introduce an email and show that it came from this particular sender. And the fact that the IP address in the header was the person's home Comcast account, it's going to be very strong evidence that he, in fact, sent it. That's definitely going to the jury. He can argue that somebody spoofed the IP, but that's not likely to work.

What about once you get into the more advanced obfuscation techniques and adversaries using the deep web?

Barbosa: You've got to bring in more. It just makes the job a little bit harder, but just keep working at it.

We don't get every piece of evidence in. But you do your homework and make sure you prepare for every potential argument [and] make the arguments to the judge. As long as you've done your work, you should be in good shape.

Is it getting more difficult to solve cybercrime cases?

Barbosa: Yes. I think this is the case in any area of criminal investigations, is investigators find ways to solve a case. Criminals look for ways to make it harder and just keep repeating that cycle over and over again. But as they develop new means of hiding themselves, we look for new ways of uncovering them.