Computer Forensics World :: View topic - Computer Evidence Search

Computer Evidence Search

ComputerLearner
Newbie

Joined: Jul 31, 2013
Posts: 29

Posted: Wed Jul 31, 2013 3:20 pm    Post subject: Computer Evidence Search

A Journalist is accused of storing pornographic pictures on his computer. His computer is seized. NO joint search of the computer is done with him or his lawyer to identify contents. NO image is done for the accused or his defense counsel. When a hash algorithm is done on the hard disk, the hash key is not shared with the accused or his defense counsel.

How can the Journalist determine that that is not planted evidence? Computer file dates / times alone are not reliable as those can be easily altered by changing computer system clock.

How can the police ensure the evidence holds against the accused?

cybercop
Newbie

Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

Posted: Wed Jul 31, 2013 9:40 pm

1. A Joint search is never done.
2. The defense can get an image of the drive through discovery process.
3. The hash will be matched when they get the image.

ComputerLearner
Newbie

Joined: Jul 31, 2013
Posts: 29

Posted: Wed Jul 31, 2013 11:30 pm    Post subject: Computer Evidence Search

Hi Cybercop,

1. What happens if the Defense are not given any copy at any stage in the trial? Should they just agree to the findings of the Prosecution Team?

2. If the Defense Team was not given the hash key at the time of seizure of evidence, how can they be sure that the evidence has remained intact up to the time of presenting the evidence in Court?

The point is... suppose the Police plant the porn. Then afterwards they generate a hash key. How can the accused be sure of the integrity of the data on the computer?

I would have thought that the best procedure would have been immediately after seizure, perhaps in the presence of the accused or his Defense Counsel, generate the hash key and then share it with the other stakeholders. This way, the defense will have nothing to worry about.

PreferredUser
Newbie

Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Thu Aug 01, 2013 12:21 am    Post subject: Re: Computer Evidence Search

ComputerLearner wrote:
> 1. What happens if the Defense are not given any copy at any stage in the trial? Should they just agree to the findings of the Prosecution Team?

If the digital evidence contains contraband there will be no copies released, however there will be an opportunity for a defense expert to review the evidence. If that opportunity is not provided then there are grounds for an appeal.

ComputerLearner wrote:
> 2. If the Defense Team was not given the hash key at the time of seizure of evidence, how can they be sure that the evidence has remained intact up to the time of presenting the evidence in Court?

The report from the prosecution examiner would typically include pre and post exam hashes. If the defense believes there is an issue with the evidence, that is grounds for an appeal.

ComputerLearner wrote:
> The point is... suppose the Police plant the porn. Then afterwards they generate a hash key. How can the accused be sure of the integrity of the data on the computer?
>
> I would have thought that the best procedure would have been immediately after seizure, perhaps in the presence of the accused or his Defense Counsel, generate the hash key and then share it with the other stakeholders. This way, the defense will have nothing to worry about.

Do you really believe the police have the time and inclination to plant evidence? Really?

Bad procedures are the grounds for appeal.

ComputerLearner
Newbie

Joined: Jul 31, 2013
Posts: 29

Posted: Thu Aug 01, 2013 1:05 am    Post subject: Computer Evidence Search

Many THANKS PreferredUser for your valuable contribution.

Whilst we have no good reason to suspect the police of planting evidence, if their IT Expert Witness states in court that EnCase has the capability to recover ALL deleted data irrespective of the circumstances (overwriting included), we begin to think that there is a deliberate position by the Prosecution Team to impress upon the magistrate that they indeed recovered porn on the computer.

cybercop
Newbie

Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

Posted: Thu Aug 01, 2013 6:38 am

And they very well may have recovered evidence. Again, as stated in the other thread, it is up to the defense to show that the witness was incorrect.

cybercop
Newbie

Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

Posted: Thu Aug 01, 2013 2:49 pm

Cyber_Da_Inv,
Please remove the link from your signature. Direct links are not allowed.

Admin5
Newbie

Joined: Aug 27, 2004
Posts: 61

Posted: Thu Aug 01, 2013 4:40 pm

Deleted your one-liner, Cyber_Da_Inv, in case you don't return for a while. As Cybercop says, no links are allowed (for very pragmatic reasons). Please remove from your sig. Thanks.

ComputerLearner
Newbie

Joined: Jul 31, 2013
Posts: 29

Posted: Fri Aug 02, 2013 7:40 pm    Post subject: Computer Evidence Search

Assuming a PORN PICTURE was planted on an accused's computer. After several weeks, the computer is handed over to the defense team to do their own investigations.

1. How can the accused's team prove that the picture was planted or not?
2. What is wrong with the Police at the time of seizing the computer....generating a hash key and sharing it with the defense team?

I feel the hash key not having been:

1. Generated in the presence of the accused or his defense lawyer
2. Given to the defense team at the time of seizing the accused's computer or immediately after (say 72 hours) creates a BLACK HOLE that can be manipulated by the Police.

I understand the only way of proving that a file or HDD has not been tampered with is to generate a second hash key and compare it against the first one that was presumably generated right on seizure or immediately afterwards.

MAC times alone will not be useful because those can be easily altered.

Our situation is such that the Police, apart from just arresting, are also doing the forensic investigations.

cybercop
Newbie

Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

Posted: Fri Aug 02, 2013 9:54 pm

If you think the police used improper procedures in your case, have your lawyer bring it up in court.

PreferredUser
Newbie

Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Sat Aug 03, 2013 12:45 am    Post subject: Re: Computer Evidence Search

ComputerLearner wrote:
> Assuming a PORN PICTURE was planted on an accused's computer. After several weeks, the computer is handed over to the defense team to do their own investigations.

I recognize it is often difficult for people to believe a friend or relative has "porn" on their computer. However, do you really in your heart believe that law enforcement has the time or inclination to have "planted" evidence on someone's computer?

ComputerLearner wrote:
> 1. How can the accused's team prove that the picture was planted or not?

They hire an expert.

ComputerLearner wrote:
> 2. What is wrong with the Police at the time of seizing the computer....generating a hash key and sharing it with the defense team?

Several years ago it might have been feasible to create a forensic image of a hard drive or other digital media, however with the exponential growth in the size of storage it may take days (weeks) to get all the media imaged and generate the hashes.

ComputerLearner wrote:
> I feel the hash key not having been:
>
> 1. Generated in the presence of the accused or his defense lawyer
> 2. Given to the defense team at the time of seizing the accused's computer or immediately after (say 72 hours) creates a BLACK HOLE that can be manipulated by the Police.

You would be mistaken. There are numerous safeguards in place to track evidence so there is not a "black hole".

ComputerLearner wrote:
> I understand the only way of proving that a file or HDD has not been tampered with is to generate a second hash key and compare it against the first one that was presumably generated right on seizure or immediately afterwards.

First, you cannot prove a negative. That said, having a hash is not the only way to prove the integrity of a file or HDD. It is important to hire a competent forensic examiner, and better yet to hire one that specializes in "porn" cases to examine the evidence in your case.

ComputerLearner wrote:
> MAC times alone will not be useful because those can be easily altered.

Again, you need a competent examiner to look at all the elements of the case.

ComputerLearner wrote:
> Our situation is such that the Police, apart from just arresting, are also doing the forensic investigations.

Which is a typical situation. I am not sure how you see that as a problem, that is the role of law enforcement.

As I wrote previously, it is difficult for friends and relatives to grasp that someone they know is downloading, sharing, or creating "porn", however being in denial is not helpful, believing that there is some conspiracy is not helpful, what is helpful is getting professional help from people that are familiar with the type of case in which you find yourself involved.

ComputerLearner
Newbie

Joined: Jul 31, 2013
Posts: 29

Posted: Sat Aug 03, 2013 8:29 pm    Post subject: Computer Evidence Search

Hi...

Cybercop and PreferredUser.... I am VERY VERY grateful for your comments and contributions. And shall forever remain so.

I agree with CyberCop that the Police didn't follow procedure. It is for this reason that even their IT Expert Witness deliberately lied in Court that EnCase can recover ALL deleted data without stating circumstances when data recovery is possible and when not. The whole idea is to sway the thinking of the Court into a particular direction.

I was privileged to read through EnCase Legal Journal 2001 and 2011... both confirm that once deleted data has been overwritten... when the entire file is contained in a single cluster and that cluster has been 100% overwritten... such data cannot be recovered. This is not even computer forensics.. it is general knowledge in IT.



ANALOGY: In common scenarios, when Police search premises... and they pick say a trunk loaded with unknown goods.

1. Is it proper for Police to just identify the trunk by COLOR and MAKE and take it away....without opening it to carry out an inventory of the contents in the presence of the Defense Team?

2. Is it proper for the Police several weeks later to produce in Court items they claim were found in the trunk when they did the search on their own?


This is similar to this PORN CASE. The Police have no way to prove that what they are attempting to produce in Court as evidence is actually what was in the computer at seizure. Their Digital Evidence Chain of Custody is very questionable.



PreferredUser:
By the way... we are talking of one computer here with an HDD of about 250GB. Can hashing a 250GB HDD take several hours / days / weeks?

I use Hash Generator tool for my tests... this takes just a few seconds to generate a hash key on a huge file.

cybercop
Newbie

Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

Posted: Sat Aug 03, 2013 10:26 pm

I NEVER said the police didn't follow procedure. I said if you don't think they followed procedure have your lawyer show that in court.

ComputerLearner
Newbie

Joined: Jul 31, 2013
Posts: 29

Posted: Sat Aug 03, 2013 10:55 pm    Post subject: Computer Evidence Search

Hi Cybercop,

Apologies for misunderstanding your comment.

PreferredUser
Newbie

Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Sat Aug 03, 2013 11:48 pm    Post subject: Re: Computer Evidence Search

ComputerLearner wrote:
> It is for this reason that even their IT Expert Witness deliberately lied in Court that EnCase can recover ALL deleted data without stating circumstances when data recovery is possible and when not. The whole idea is to sway the thinking of the Court into a particular direction.

Lied is pretty strong. I would say it is more likely the expert is misinformed.

ComputerLearner wrote:
> ANALOGY: In common scenarios, when Police search premises... and they pick say a trunk loaded with unknown goods.
>
> 1. Is it proper for Police to just identify the trunk by COLOR and MAKE and take it away....without opening it to carry out an inventory of the contents in the presence of the Defense Team?

First, the Police would not seize the trunk without probable cause. Second, it is not practical for police to wait on the defense team before seizing the trunk.

ComputerLearner wrote:
> 2. Is it proper for the Police several weeks later to produce in Court items they claim were found in the trunk when they did the search on their own?

Yes. Police and Courts are busy. It is very likely to take several weeks.

ComputerLearner wrote:
> This is similar to this PORN CASE. The Police have no way to prove that what they are attempting to produce in Court as evidence is actually what was in the computer at seizure. Their Digital Evidence Chain of Custody is very questionable.

All points your lawyer can bring up during trial.

ComputerLearner wrote:
> PreferredUser:
> By the way... we are talking of one computer here with an HDD of about 250GB. Can hashing a 250GB HDD take several hours / days / weeks?
>
> I use Hash Generator tool for my tests... this takes just a few seconds to generate a hash key on a huge file.

Hashing a drive, creating a forensic copy of the drive, hashing the results of the copy, and comparing the copy to the original of a 250 GB drive would take several hours. Creating a listing of files on the drive during the forensic copy could also add time to the process as could performing say a keyword search during the copy.

Additionally I am guessing this is not the only case the Police are working. That drive might sit in evidence for quite a while before the examiner ever begins to work on it.
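
The sequence listed in the last post above (hash the source, make the forensic copy, hash the copy, compare), sketched in Python as an added example that is not part of any poster's message. The function names, the constructed 3 MiB input standing in for a drive, and the 80 MB/s read rate used for the time estimate are all assumptions.

```python
import hashlib
import io
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so drive-sized inputs never sit in memory

def acquire(src, image_path, algo="sha256"):
    """Copy src to image_path, hashing the source bytes as they are read."""
    h = hashlib.new(algo)
    total = 0
    with open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
            total += len(block)
    return {"algorithm": algo, "bytes": total, "acquisition_hash": h.hexdigest()}

def hash_file(path, algo="sha256"):
    """Hash a file of any size in fixed-size chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def verify(image_path, record):
    """True only if the image still matches the hash recorded at acquisition."""
    return hash_file(image_path, record["algorithm"]) == record["acquisition_hash"]

def estimate_hours(size_bytes, bytes_per_second, passes):
    """Time for `passes` full reads of the media at an assumed sustained rate."""
    return size_bytes * passes / bytes_per_second / 3600

def demo():
    data = bytes(range(256)) * 12288  # constructed 3 MiB stand-in for a drive
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "evidence.img")
        record = acquire(io.BytesIO(data), image)
        intact = verify(image, record)
        with open(image, "r+b") as f:  # change one byte of the working copy
            f.seek(1000)
            f.write(b"\xff")
        altered = verify(image, record)
    return record, intact, altered

if __name__ == "__main__":
    record, intact, altered = demo()
    print(record, intact, altered)
    # Assumed 80 MB/s sustained read; three passes: hash source, copy, hash copy
    print(round(estimate_hours(250 * 10**9, 80 * 10**6, 3), 2), "hours")
```

A matching hash shows only that the image is unchanged since the moment the recorded hash was computed, so the time and custody record attached to that first hash matter as much as the digest itself.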
All times are GMT + 10 Hours
Page 1 of 4

 