Posted: Sat Oct 15, 2011 8:48 pm Post subject: Police Computer Forensics are worthless in court
Hi guys, I was a juror in a case of computer fraud / identity theft. What happened was the defendant was accused of hacking into another guy's email account; he then obtained this guy's credit card number, which he used to order items online. One of the things he ordered was a laptop. Funny part is he sent the laptop to his own house. To make a long story short, the cops were able to track down the package before it ever reached the defendant's place; the police then obtained a search warrant and took the defendant's computer, router, etc...
Now here is where I believe computer forensics, at least in court, is worthless. In court the defendant from the beginning denied ever hacking / using the credit card. There was a mountain of evidence against him from the police investigator's report. If I remember correctly they had a 95 page report from EnCase: everything from the webpage he visited when ordering the laptop, time, date, etc.... to the UPS tracking # to hacking tools, trojans, you name it.
Now most of you may be thinking this is a pretty straightforward guilty case, as I did, but here is what happened. The defendant stuck to his guns, saying he had no idea; he then argued that the computer (his computer, the one confiscated) was recently purchased from a 3rd party on Craigslist and he was not aware of what was on it. The defense attorney during discovery had asked the forensic expert for the results of a virus scan, and on the final day of trial the defendant's lawyer came up with a trojan horse defense after numerous trojans were found on his PC.
Now you may be thinking this is crazy, but here is what happened: the defense argued that with so many back door trojans etc. "beyond a reasonable doubt" could not be met; they believed a hacker was able to take control of his computer and frame the defendant.
While pretty much every juror including myself knew he did it, a reasonable doubt was there. The prosecution MUST prove "beyond a reasonable doubt", and after all was said and done we had no choice but to agree upon Not Guilty, which we did, and all charges were dropped.
Joined: Oct 16, 2011 Posts: 2 Location: Central Texas
Posted: Mon Oct 17, 2011 2:08 pm Post subject: Reply to pipster
Well, you have made a good point, but only about a very limited example, and at the same time, you have uncovered a can of worms.
"Reasonable Doubt" - Under the conditions you described I would say that the prosecution had proved the case beyond a reasonable doubt and I would have voted guilty. It is up to the jury to use their common sense as well as their brain. Still, you were there and I was not, so I am sure you made the best decision you could.
Did the prosecution say anything about a password on the computer? Using the same argument that establishes that the use of a password sets up a reasonable expectation of privacy, it also establishes the fact that if someone had to use a password to access the account under which the crime was committed, then they had to use the password to do so. That puts someone at the keyboard unless they can PROVE otherwise.
Most cases are not as limited as yours was. I am doing a case right now where a law enforcement officer is accused of using his computer to send pornography to a female employee. We have uncovered examples of him sending a valid business email to someone at 10:09 AM on 9-10-2010 and then sending pornography to the employee at 10:11 AM on 9-10-2010. Is a jury going to believe that he signed out of his computer and someone else signed in and sent an email with a pornographic image attached, all in a matter of 2 minutes, while the computer remained in the suspect's own office?
I wonder if the prosecutor in your case gave you any information like that?
There are many ways to lock someone into a computer at a specific date and time. In your case it could be that the police never asked the right questions during their interviews, or, the prosecution did not ask the right questions, or did not present the best evidence.
For example, a standard interview question the police are supposed to ask in a case like this is "Who did you give your password to?" Almost every time the suspect will say 'nobody' or perhaps name a family member or a spouse. Once they have the answer to that question it allows the DA to lock down who had access to the account used to order the merchandise. If the suspect still claims no knowledge then you say OK, we are going to prosecute your wife, or your son, or your brother, or father, or mother, or whoever he says he gave his password to. That is usually enough pressure to make him spill the beans.
One never knows how good, how experienced, or how well trained the police are in any one area as opposed to another, but it makes a difference. The same may be said for the DAs and ADAs. What happened in your case happened because of the myriad factors that went into your case and were unique to your case. That does not equate to every other computer forensics case everywhere. It is very risky for you to stand on one case history and one juror's experience in that one case and paint with such a broad brush as to claim that "Police Forensics are Worthless in Court." That is just not the case, and I can give you several examples of good, solid convictions. There are plenty of convictions out there, and if what you say were actually true, there would not be countless thousands of convictions where good, solid police forensics work is involved.
Thank you for presenting this interesting topic. Give us some more details if you like. I, for one, am always interested in hearing about these kinds of experiences.
P.S. The police made a big mistake when they did not let that laptop get into the suspect's hands and then watch what he did with it before they arrested him.
_________________
"The problem with the Internet today is that it is very difficult to tell which postings are truthful, and, which are not."
I agree with you 100% that the cops should have let the laptop be delivered; they could have watched who signs for it, etc... The defendant would be straight up busted. However, that just wasn't the case. Instead they raided the house. The defendant was never arrested, just handcuffed while they took his computer; once they finished he was un-cuffed and told that if they found anything on his computer they would be back. 9 months go by with nothing said, till a letter is mailed to the defendant telling him to be in court in 1 week.
You mentioned maybe the investigators asked the wrong questions. They asked no questions at all.
Again, the doubt was there. The amount of back door trojans found on his computer, whether he put them there or not, leaves that possibility of a hacker. Another factor was his wireless network was wide open: no password, and his computer had no firewall, no anti-virus, nothing.
What got me is the defense asked for 2 things and only 2 things:
1. As a matter of policy, what were the results of the virus scan performed on the defendant's computer? This question went unanswered; they said they needed more time, like over 9 months wasn't long enough. The feeling I got was the investigators didn't feel it was necessary??
2. The defense asked for the results of the router's security logs (the router was taken also). The prosecution's answer to that question was they couldn't check because they didn't have the power cord??? What... you're telling me they couldn't come up with a 12v power cord???
I have to say, the investigators had a mountain of evidence against the defendant of hacking websites, a hundred plus stolen emails and passwords, evidence of the laptop that was ordered, date, time, etc... even the tracking number he saved to Notepad and had on his desktop.
I had a hard time with the router cord issue; it was like they knew something. These investigators showed pictures of the defendant's computer and the process of imaging etc. You see this workstation with all this high tech computer stuff, yet they couldn't come up with a standard Linksys 12v power cord hahaha.
Again, at the end of the day the prosecution must prove "without doubt" the defendant ordered this laptop. Doubt was very clear: tons of backdoor trojans, no firewall, wide open network, etc.... Does that not leave doubt?? I think so.
"I am doing a case right now where a law enforcement officer is accused of using his computer to send pornography to a female employee. We have uncovered examples of him sending a valid business email to someone at 10:09 AM on 9-10-2010 and then sending pornography to the employee at 10:11 AM on 9-10-2010. Is a jury going to believe that he signed out of his computer and someone else signed in and sent an email with a pornographic image attached, all in a matter of 2 minutes, while the computer remained in the suspect's own office?"
YOU'RE KIDDING, RIGHT???
"We have uncovered examples of him sending a valid business email to someone..." Might be valid, his email address, but this does not prove he sent them. If I knew your email address & password and sent porn to one of your co-workers, should one automatically put the blame on you? Sorry, but that was a poor example.
"There are many ways to lock someone into a computer at a specific date and time." Again I will have to disagree; the only real way one could be placed behind a keyboard is if they were caught red handed IN PERSON...
Face it, computer forensics is weak. Cyberspace is a totally different world. There will never be your key eye witnesses, fingerprints, DNA, etc. which put a person without doubt behind bars.
In all fairness though, a forensic investigator's job in general is a joke.
You rely on software to do your job. A typical day for you would be: set up the computer you're investigating in your little workstation, connect the 2 computers so you can image / make your exact copy... pop in your EnCase CD, type in the search keywords of your choice and hit send.
EnCase does its thing; it usually takes quite a while to complete. Meanwhile you can sit back and do nothing. When it does finish, EnCase lays it all out for you; all you have to do is push print. My favorite one is how easy it is to alter anything you want to your liking, for instance when making your exact copy of the original, bit for bit, all the same, blah blah blah.
Your evidence is printed out on paper. Do people not understand how easy it is to change words, add numbers, etc. on a printout..?? Say what you will, but that factor alone doesn't fly with me.
I'll bet if 85% of computer forensic so-called experts were asked technical questions about EnCase etc. and how they work, they couldn't fully break it down.
Let's be real here, you can disagree with me all you want, but the TRUTH is forensic experts rely on software tools without much understanding of how they work. Of course, all of us trust and swear by tools we don't fully understand (do you really fathom how a quartz wristwatch tells time or a mouse moves the cursor?), but an expert should be able to explain how a tool performs its magic, not offer it up as a black box oracle. Forensic experts are trained to dodge attacks on their lack of fundamental skills by responding that "the tool is not on trial" or citing how frequently the testimony of other witnesses using the same tool has been accepted as evidence in other courts. "SO TRUE"
You can't tell how a particular computer was used or who used it.
Computer forensics specialists can perform miraculous tasks, but there are limits to what they can divine or resurrect. Some of these limits are oddly mundane. For example, it can be difficult to establish that a user altered the time on their computer, especially if the clock has been correctly reset before the examiner arrives. Computers are pretty "stupid" where time is concerned. A toddler (at least one who doesn't live in Alaska) would challenge the assertion that it's midnight if the sun's still up, but, no matter what the actual time may be, a computer accepts any setting you give it as gospel. There are ways to ferret out time manipulation, but they aren't foolproof.
One thing I know for sure: a computer can't identify its user.
At best, it can reveal that the user was someone with physical access to the machine or who perhaps knew a password, but it can't put a particular person at the keyboard. Usage analysis may provide other identity clues, but that, too, isn't foolproof.
Fact is, examiners rely upon software tools to get the job done.
Keyword searches are an integral part of computer forensic examinations and entail an examiner entering key words, phrases or word fragments into a program which then scours the drive data to find them. "Oh boy, real hard"
How can a forensic examiner be certain that someone hasn't slipped in incriminating data? A forensic examiner might respond that, when acquired, the data on the hard drive is "hashed" using sophisticated encryption algorithms and a message digest is calculated, functioning as a fingerprint of the drive. Once hashed, the chance that tampering would not be detected is one in 340 undecillion--and that's one in 340 followed by 36 zeroes! That's FAR more reliable than DNA evidence! IT'S AN IMPRESSIVE ASSERTION, and even true... to a point.
The reliability assertion is genuine. But the probative value of hashing depends upon the points in time during the acquisition and analysis process when hashing is done and, ultimately, upon the veracity of the examiner who claims to have hashed the drive. Two identical message digests of a drive tell you only that no tampering occurred between the time those two digests were computed, but tell you nothing about tampering at other times. If a drive is altered, then hashed, subsequent hashes can be a perfect match without revealing the earlier alteration. Likewise, an earlier hash can't tell you anything about subsequent handling; at least, not until the drive is hashed again and the digests compared.
I WOULD LOVE TO hear your explanation of hashing, and the mathematical process by which such a critical step is accomplished???
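The point made above about when a drive is hashed can be shown concretely. This is an added Python example, not code from any poster in the thread; the "drive image" is a constructed byte string and SHA-256 stands in for whatever digest an examiner's tool uses. A matching pair of digests proves only that the image did not change between those two points; an alteration made before the first digest is never flagged.

```python
import hashlib
from dataclasses import dataclass


def image_digest(image: bytes) -> str:
    """SHA-256 message digest of a drive image: the 'fingerprint' of the drive."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class HashRecord:
    step: str    # where in the process the digest was taken (acquisition, analysis, ...)
    digest: str


def verify_chain(records):
    """Compare each consecutive pair of digests.

    Returns (earlier_step, later_step, intact) tuples. intact=True only
    says nothing changed BETWEEN those two points in the chain of custody.
    """
    return [(a.step, b.step, a.digest == b.digest)
            for a, b in zip(records, records[1:])]


# Constructed sample image (not a real acquisition): a note plus some empty space.
ORIGINAL = b"notepad.txt: tracking 1Z-CONSTRUCTED-0000\n" + b"\x00" * 64
ALTERED = ORIGINAL.replace(b"0000", b"9999")   # a single changed field


def scenario_tampered_before_first_hash():
    """The image is altered before acquisition hashing; every later digest still matches."""
    records = [HashRecord("acquisition", image_digest(ALTERED)),
               HashRecord("analysis", image_digest(ALTERED)),
               HashRecord("courtroom", image_digest(ALTERED))]
    return verify_chain(records)


def scenario_tampered_after_first_hash():
    """The image is altered between acquisition and analysis; that interval fails."""
    records = [HashRecord("acquisition", image_digest(ORIGINAL)),
               HashRecord("analysis", image_digest(ALTERED)),
               HashRecord("courtroom", image_digest(ALTERED))]
    return verify_chain(records)


if __name__ == "__main__":
    print("altered before first hash:", scenario_tampered_before_first_hash())
    print("altered after first hash: ", scenario_tampered_after_first_hash())
```

The first scenario reports every interval as intact even though the evidence was changed, which is why the acquisition digest has to be recorded and witnessed at the time of seizure rather than later.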
Joined: Nov 01, 2005 Posts: 551 Location: Marion, Indiana, USA
Posted: Fri Oct 21, 2011 1:47 pm Post subject:
I could explain how several different hashing algorithms work but there would be no point. You have demonstrated your lack of knowledge in your posts. Attempting to give a technical explanation of the way a hashing algorithm works to you would be as effective as trying to explain nuclear physics to a cat. There is much more to working in computer forensics than using a few software tools. I can see why a defense attorney would select you for a jury though. If I was a defense attorney, I would want the guy that has no real clue also. Funny thing is, I really believe that you think you know what you are talking about.