1

❖ Has consulted for the Malaysian Government cybersecurity agency to

develop a Manual on digital evidence

❖ Developed e-learning course for the CISSP domain on law, investigation &

ethics

❖ Taught “Information Security Law” at universities in Malaysia and Singapore.

Education

Bachelor of Law, National University of

Singapore

MA (Fletcher School of Law & Diplomacy, Tufts

University, USA

Strategic Counsel (Cybersecurity, Technology, IP)

Author of 9 books including “E-Security Law and Strategy”

Advocate & Solicitor, Singapore; & Solicitor, England & Wales*

Adjunct Senior Fellow, Nanyang Technological University,

Singapore (teaching cybersecurity law & cyberterrorism)

*Non-practicing solicitor ** in collaboration with SIM Global Education, Singapore

Zaid Hamzah, Founder of CyLexic www.cylexic.com

30 years professional experience including:

▪ Director, Microsoft Inc

▪ Chief Legal & Regulatory Officer, Telekom Malaysia

▪ Senior Legal Advisor, JV between Singapore Telecommunications,

Warner Brothers and Sony Pictures Entertainment (HOOQ)

▪ Acted as Adviser/Consultant for the Japanese and Malaysian

Governments

2

E-Security Law & Strategyby Zaid Hamzah

Publisher Lexis Nexis, 2005

www.lexisnexis.com.my

ISBN 967-962-632-6 (paperback)

E-Security Law and Strategy provides a concise and management-oriented legalguide on key aspects of information security and computer forensics, anemerging practice area that deals primarily with the management of digitalevidence. Aimed at IT professionals and business executives in corporations,organizations and government agencies as well as lawyers seeking anintroduction to this emerging practice area.

Course contents

3

Topics

Cybersecurity Law• Cybercrime• Cyberterrorism• Cyberwar

Investigation StepsEvidence managementProsecution in courts

Domestic Cybersecurity Law• Computer Misuse Act

Public International Law (Cyber War)Cyber Diplomacy & International RelationsCybercrime ConventionASEAN

Cybersecurity law and practice in industry

Cybersecurity Law & Investigation

5

1.Computer or IT system as a VICTIM of

cybercrime

2.Computer or IT system as a TOOL to

commit a crime

Two basic scenarios

Cybercrime, Cyberterrorism &

Cyberwar

International law

National Law

International

Relations &

Diplomacy

7

CASE STUDY 1

Singhealth Cyber attack

8

9

12

Cyber war &

International Law

13

14

CYBERCRIME – CASE STUDIES

15

16

STRAITS TIMES JAN 30, 2015

17

18

19

HACKING: THE LEGAL ASPECTS

20

LOG FILES: LEGAL EVIDENCE

IP Address: “Digital fingerprint”

GENERAL PRINCIPLES

21

22

Cybercrime – The Legal Aspects

The law operates in all aspects –You must understand legal issues &

its ramifications

Chain of

Custody

Integrity of

Evidence

Burden of Proof

Admissibility of

Evidence

23

The Legal & Investigation Cycle

Intrusion

Detection

Evidence Preservation

& AnalysisInvestigation

Prosecution

Legal Aspects

are Integral

Parts of Cycle

24

Digital Forensics & the Law

Computer Forensics:

An autopsy of a computer or network to uncover digital evidence of a crime

Role of Evidence in the CourtEvidence must be preserved and hold up in a court of law

MANAGING DIGITAL EVIDENCE

25

26

Integrity of Evidence

Admissibility of Evidence

Weightage of Evidence

Concepts

Burden of Proof Beyond reasonable doubt

Cannot be illegally obtained

If not strong, not so useful (but you can try)

Tampered evidence cannot be used

27

1. Physical evidence

2. Digital Evidence

Evidence Management Lifecycle

Identify Evidence

Collect Evidence

Process Evidence

Analyze Evidence

Present in report

IP addresses are

like the digital

fingerprint

28

Strategies to Manage Legal Aspects

Compliance with the law

Evidence produced must meet legal standards

Collection of evidence must comply with laws of criminal

procedures

• For successful criminal prosecution:– Must acquire the evidence while preserving the

integrity of the evidence• No damage during collection, transportation, or storage• Document everything• Collect everything the first time

– Establish a chain of custody

• What to watch out for…….– Don’t work on original evidence!– Can perform analysis of evidence on exact copy!– Make many copies and investigate them without

touching original– Can use time stamping/hash code techniques to

prove evidence has not been compromised

Key Aspects

Cybercrime, Cyberterrorism &

Cyberwar

International law

National Law

International

Relations &

Diplomacy

https://www.ict.org.il/Article/2083/Cyberizing-Counter-terrorism-Legislation#gsc.tab=0

CYBER WARFARE

32

https://www.law.upenn.edu/institutes/cerl/conferences/cyberwar/pap

ers/reading/Kanuck.pdf

EVIDENTIARY ASPECTS

36

37

Cybercrime – The Legal Aspects

The law operates in all aspects –You must understand legal issues &

its ramifications

Chain of

Custody

Integrity of

Evidence

Burden of Proof

Admissibility of

Evidence

38

The Legal & Investigation Cycle

Intrusion

Detection

Evidence Preservation

& AnalysisInvestigation

Prosecution

Legal Aspects

are Integral

Parts of Cycle

39

Digital Forensics & the Law

Computer Forensics:

An autopsy of a computer or network to uncover digital evidence of a crime

Role of Evidence in the CourtEvidence must be preserved and hold up in a court of law

40

Integrity of Evidence

Admissibility of Evidence

Weightage of Evidence

Concepts

Burden of Proof Beyond reasonable doubt

Cannot be illegally obtained

If not strong, not so useful (but you can try)

Tampered evidence cannot be used

41

1. Physical evidence

2. Digital Evidence

Evidence Management Lifecycle

Identify Evidence

Collect Evidence

Process Evidence

Analyze Evidence

Present in report

IP addresses are

like the digital

fingerprint

42

Strategies to Manage Legal Aspects

Compliance with the law

Evidence produced must meet legal standards

Collection of evidence must comply with laws of criminal

procedures

PROSECUTION IN THE COURTS

43

Prosecuting Cybercrime in the Courts

1. Prosecution of Criminal Offences1. Building the cybercrime case - the trial process

2. What is electronic document discovery

3. What does a public prosecutor do in a court room?

4. Typical documents in criminal proceedings

2. Burden of Proof1. Concept of burden of proof - what is the burden of

proof required?

2. What does “beyond reasonable doubt” mean?

3. What does “on balance of probabilities” mean

44

Digital Evidence

1. Overview of digital forensics and the law

2. Evidence in generala) Why collect evidence

b) Identifying digital evidence

c) Evidence collection options

d) Types of Evidence• Direct and indirect

• Hearsay evidence

3. Methods to gather, preserve and present evidence of a computer crime

45

Defence Counsel Strategies

1. How does the defence lawyer carry out defence in cybercrime cases?

1. Basic techniques

a) Challenging the method of evidence collection

b) Challenging the qualifications of the evidence collector

c) Raising doubts – its importance in criminal prosecution

2. Advanced techniques

3. Legal challenges in cloud forensics

4. Understanding Rules of Procedures

46

Testifying in a cybercrime case

1. Testifying as an evidentiary witness

2. Testifying as an expert witness

3. Giving direct testimony

4. Cross-examination tactics

47

Issues in cross border computer crime

1. Importance of cross border collaboration between law enforcement bodies

2. Role of Interpol

3. International Court of Justice1. No cybersecurity cases to date

4. Case Study: Ardit Ferizi case (cyber terrorism)

48

CYBERSECURITY LAW IN THE CORPORATE CONTEXT

49

50

Cyber

AttacksRecoverSurvive

Is it a criminal

offence?

How should digital evidence be

collected so that it is admissible in

court?

How to ensure

successful

prosecution in

court?

What is the proper investigation

procedure?

In any cyber attack, legal issues

must be addressed

What can the police search and seize?

Cyberattacks & how the law fits in…….

51

Cybersecurity

Cybercrime &

Cyberterrorism

Computer

Crime

Corporate

Wrongs

When a cybercrime

takes place, an

investigation must be

carried out – the police

must be involved.

Computer crime: Offences against

computers and IT system

Cybercrime: Crimes committed using

computers and IT systems

Domains in Cybersecurity Law, Investigation & Risk

Management

52

How to comply with the law?

What kind of legal risk management

framework

should be established?

What kind of governance, risk & compliance

framework should be established?

Legal Issues Facing Governments and Industry

53

Analytic Framework

Legal Risk Management in Cybersecurity

Has the law been broken? Is this a

crime?

Has digital evidence been properly

collected to meet the legal requirements?

If I take pre-emptive strike measures is it

legal?

Is my intelligence gathering method

legal?

54

Cybersecurity Risk Management & Governance Need to Develop

Proactive Framework

Governments, enterprises and

organizations need to create a structured

and proactive risk management framework

that deals with the legal aspects of

cybersecurity attacks. It is an essential

building block to deter and prevent cyber

attacks. We offer capability building

programs as well as design of systems and

procedures as part of the risk management

framework

Enterprises need to develop structured

framework

55

LEGAL AGREEMENTS

Standard Operating Procedur

es & Manuals

NEGOTIATION

Digital Asset

Protection Programs

Legal Due Diligence

COSTREVENUE

PROFITABILITY

Civil cases

(cybersecurity)

Digital

Evidence

Cybercrime

InvestigationCybersecurity

law compliance

Personal Data

Protection & Privacy

Compliance

Cybersecurity

Corporate Policy

Key Aspects - Industry

56

Cybersecurity Intelligence Gathering:

Legal Aspects

Standard Operating Procedur

es & Manuals

Cybercrime Pre-emptive

Strikes: Legal

Aspects

Digital Asset

Protection Programs

Cybercrime Criminal

Procedure

E-Discovery

Cybercrime

Law

Digital

Evidence

Cybercrime

Investigation

Cybercrime

Prosecution

Personal Data

Protection & Privacy

Compliance

Cybersecurity

Corporate Policy

Key Aspects

57

CASE STUDY 1

Singhealth Cyber attack

58

59

END

62