Computer Forensics World :: View topic - Computer Evidence Search
Computer Evidence Search
Forum: Computer Forensics World Forum Index -> Legal Issues
ComputerLearner (Newbie; Joined: Jul 31, 2013; Posts: 29)
Posted: Sun Aug 04, 2013 1:47 am    Post subject: Computer Evidence Search

In this case, the Defense Counsel and the accused were present when the computer was being seized.

In the interest of justice and fair play, wouldn't it have been appropriate to create a digital image copy of the 250GB HDD, create a hash key at the crime scene and share the hash key with the defense counsel before taking the computer away?

Granted... the process would have taken a few hours. But had a hash key been given to the Defense at the crime scene, that would have left no room for any speculation of any kind from anyone.

If the IT Expert Witness is misinformed about recovering overwritten clusters, what guarantee has the Defense that this same Expert could even carry out a proper forensic investigation?

By the way... the same Expert also lied in Court that the Police never turned on the computer after seizure. And yet, this was done by the Manager to the Expert in the presence of the accused when they were testing the Journalist's login credentials on the Computer. I thought switching on a computer before the digital evidence is preserved is against standards and procedures of handling the digital evidence.

If given access...the Defense Team will be able to prove this through checking for Event ID 4624 on suspect computer.

The other information I left out is... the Police say the PORN was deleted about 60 DAYS prior to the date when the computer was seized. And the computer was in use all these past 60 days. But EnCase recovered everything intact.... so they say.
PreferredUser (Newbie; Joined: Jan 01, 2007; Posts: 1130; Location: USA)
Posted: Sun Aug 04, 2013 6:55 am    Post subject: Re: Computer Evidence Search

ComputerLearner wrote:
In this case, the Defense Counsel and the accused were present when the computer was being seized.

In the interest of justice and fair play, wouldn't it have been appropriate to create a digital image copy of the 250GB HDD, create a hash key at the crime scene and share the hash key with the defense counsel before taking the computer away?
You are beating a dead horse here. Imaging might happen on site, however if there is contraband on the computer it is just as likely to be seized and imaged later.

ComputerLearner wrote:
Granted... the process would have taken a few hours. But had a hash key been given to the Defense at the crime scene, that would have left no room for any speculation of any kind from anyone.
If your lawyer wants to try to prove the evidence was mishandled they certainly can try that as a defense. However I will reiterate that your conspiracy theory that police planted evidence or tampered with evidence is close to putting you in tinfoil hat territory. The level of coordination and the number of people that would have to be involved in doing that and then keeping it quiet (i.e. no leaks) is so far from the realm of probability.

ComputerLearner wrote:
If the IT Expert Witness is misinformed about recovering overwritten clusters, what guarantee has the Defense that this same Expert could even carry out a proper forensic investigation?
Why would the defense rely on the expert for the prosecution? The judicial system is an adversarial process, a competent defense includes challenging the expert.

ComputerLearner wrote:
By the way... the same Expert also lied in Court that the Police never turned on the computer after seizure. And yet, this was done by the Manager to the Expert in the presence of the accused when they were testing the Journalist's login credentials on the Computer.
If the expert lied then the defense would certainly bring that point up in court.

ComputerLearner wrote:
I thought switching on a computer before the digital evidence is preserved is against standards and procedures of handling the digital evidence.
Whose standards and procedures? There are many methods and circumstances where a subject computer would be booted.

ComputerLearner wrote:
If given access...the Defense Team will be able to prove this through checking for Event ID 4624 on suspect computer.
4624 is a logon event, not an indication of booting.

ComputerLearner wrote:
The other information I left out is... the Police say the PORN was deleted about 60 DAYS prior to the date when the computer was seized. And the computer was in use all these past 60 days. But EnCase recovered everything intact.... so they say.
Deleted is not overwritten. It is possible that items a year old (or more) could be recovered.
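An added example, not code from the thread or its posters, to show the distinction PreferredUser draws: 4608 is the "Windows is starting up" event, 4624 is a successful logon, and a 4624 on its own is not proof that someone booted and used the machine, because Windows generates service logons (type 5) by itself at every start. It filters constructed Security-log records, written in the XML shape Event Viewer's "Save Events As" export uses, for startups and interactive logons after a constructed seizure time.

```python
"""Startup (4608) and interactive logon (4624) events after a seizure time.
Added example; the XML records, user name and seizure time are constructed."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WINDOWS_STARTING_UP = 4608   # logged once per boot when auditing is on
SUCCESSFUL_LOGON = 4624      # logged for every logon, human or not
# Logon types that imply a person at the console: 2 interactive, 10 remote
# interactive, 11 cached interactive. Type 5 (service) is produced by Windows
# itself at startup, so it must not be read as a human logging in.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}


def _event(time, event_id, data=""):
    """Build one <Event> record in the Event Viewer XML export shape."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System>'
            f'<EventData>{data}</EventData></Event>')


# Constructed sample log: a boot and logon the day before seizure, then a
# boot, the automatic SYSTEM service logon and a console logon after seizure.
SAMPLE_XML = "<Events>" + "".join([
    _event("2013-07-10T08:01:12.000000000Z", 4608),
    _event("2013-07-10T08:02:40.000000000Z", 4624,
           '<Data Name="TargetUserName">journalist</Data><Data Name="LogonType">2</Data>'),
    _event("2013-07-11T10:15:00.000000000Z", 4608),
    _event("2013-07-11T10:15:03.000000000Z", 4624,
           '<Data Name="TargetUserName">SYSTEM</Data><Data Name="LogonType">5</Data>'),
    _event("2013-07-11T10:16:22.000000000Z", 4624,
           '<Data Name="TargetUserName">journalist</Data><Data Name="LogonType">2</Data>'),
]) + "</Events>"

SEIZURE_UTC = dt.datetime(2013, 7, 11, 9, 0, tzinfo=dt.timezone.utc)  # constructed


def _parse_time(s):
    """Parse TimeCreated's SystemTime (UTC, up to nine fractional digits)."""
    base, _, frac = s.rstrip("Z").partition(".")
    t = dt.datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    micro = int((frac + "000000")[:6]) if frac else 0
    return t.replace(microsecond=micro, tzinfo=dt.timezone.utc)


def parse_events(xml_text):
    """Flatten each <Event> into a dict with time, id, user and logon type."""
    out = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        out.append({
            "time": _parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
            "id": int(system.find("e:EventID", NS).text),
            "user": data.get("TargetUserName"),
            "logon_type": int(data["LogonType"]) if "LogonType" in data else None,
        })
    return out


def activity_after(xml_text, seizure_utc):
    """Return (iso time, event id, user, logon type) for every startup and
    every interactive logon recorded after seizure_utc, in log order.

    Timestamps come from the machine's own clock, and nothing is logged if
    auditing was off, so an empty result is not proof the machine stayed off.
    """
    hits = []
    for ev in parse_events(xml_text):
        if ev["time"] < seizure_utc:
            continue
        if ev["id"] == WINDOWS_STARTING_UP:
            hits.append((ev["time"].isoformat(), ev["id"], None, None))
        elif ev["id"] == SUCCESSFUL_LOGON and ev["logon_type"] in INTERACTIVE_LOGON_TYPES:
            hits.append((ev["time"].isoformat(), ev["id"], ev["user"], ev["logon_type"]))
    return hits


if __name__ == "__main__":
    for hit in activity_after(SAMPLE_XML, SEIZURE_UTC):
        print(hit)
```

On the constructed sample the SYSTEM type-5 logon right after the post-seizure boot is dropped, and only the 4608 startup and the type-2 console logon are reported.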
ComputerLearner (Newbie; Joined: Jul 31, 2013; Posts: 29)
Posted: Sun Aug 04, 2013 9:20 am    Post subject: Computer Evidence Search

The Defense have absolutely no problem with the seizure of the computer. The Defense understand and appreciate that forensic investigations can sometimes take quite a while. However, if the hash key was generated on site in the presence of the Defense...and then the key shared with the Defense, this would have put to rest the worries of the Defense.

In the absence of this having been done, the Defense have no copy they can trust to be original. Even if they are given access to the computer now, after several months, how can they confirm the integrity of the contents?

The Police deliberately chose to mislead the court about recoverability of deleted data... Their IT Expert Witness is a qualified forensic expert. He also has EnCase certifications. His pronouncement in Court was intended to mislead the Court. I am no forensic expert, but from my basic IT knowledge, I cannot....even in my sleep, categorically state that data recovery tools can 100% recover data.

Further, they also claimed to have followed all the best practices in handling the digital evidence. They claimed not to have switched on the computer. And yet this was actually done in the presence of the accused. The Defense will be able to prove that the police switched on and logged into the computer by checking Event ID 4608 and 4624. By claiming that they did not log into the computer, they were actually trying to take care of the situation that no action they took could have led to data spoliation.

If the Police acted professionally and sincerely:

1. Why would they deny logging into the computer when they actually did it... in the presence of the accused? What more, when the accused wasn't present, couldn't they have done even more than just logging in?

2. Why are they deliberately misleading the Court that EnCase recovers data 100%?

People who deal with digital evidence in this manner cannot be trusted.
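An added example, not code from the thread or its posters, of what the poster is asking for: a hash record made when the image is acquired, identifying the drive itself and not only the casing, against which anyone holding the record can later verify the image. The drive serials, witness list and image bytes are constructed placeholders.

```python
"""Acquisition hash record and later verification of a disk image.
Added example; serials, witnesses and the image content are constructed."""
import datetime
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # stream 1 MiB at a time so a 250GB image never sits in RAM


def hash_bytes(data, algo="sha256"):
    """Digest of an in-memory buffer (small samples and the self-test)."""
    return hashlib.new(algo, data).hexdigest()


def hash_image(path, algo="sha256"):
    """Stream an image file through the hash function."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def make_custody_record(path, device, witnesses, algo="sha256"):
    """The record that would be handed to both parties at seizure.

    'device' identifies the storage medium (HDD serial) as well as the casing;
    a casing serial alone says nothing about which drive was inside it.
    """
    return {
        "image": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "algorithm": algo,
        "digest": hash_image(path, algo),
        "device": device,
        "acquired_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "witnesses": witnesses,
    }


def verify_image(path, record):
    """Return (ok, reason). Any changed byte changes the digest."""
    if os.path.getsize(path) != record["size_bytes"]:
        return False, "size mismatch"
    if hash_image(path, record["algorithm"]) != record["digest"]:
        return False, "digest mismatch"
    return True, "digest matches acquisition record"


def demo():
    """Acquire a constructed image, verify it, flip one bit, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        img = os.path.join(workdir, "suspect_hdd.dd")
        with open(img, "wb") as f:  # constructed stand-in for a drive image
            f.write(b"\x00" * 4096 + b"example-image-" * 1000)
        record = make_custody_record(
            img,
            device={"casing_serial": "CASE-PLACEHOLDER", "hdd_serial": "HDD-PLACEHOLDER"},
            witnesses=["seizing officer", "defence counsel"],
        )
        ok_before, _ = verify_image(img, record)
        with open(img, "r+b") as f:  # alter a single bit inside the image
            f.seek(5000)
            original = f.read(1)
            f.seek(5000)
            f.write(bytes([original[0] ^ 0x01]))
        ok_after, reason = verify_image(img, record)
        return ok_before, ok_after, reason


if __name__ == "__main__":
    print(json.dumps(demo()))
```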
cybercop (Newbie; Joined: Nov 01, 2005; Posts: 551; Location: Marion, Indiana, USA)
Posted: Sun Aug 04, 2013 10:43 am

As to their turning it on and testing login credentials, they could simply have booted an image, not the evidence drive. I would bet money that you have misunderstood the expert's claims. I would have to see the court transcripts to verify.
As you have already been told repeatedly, your lawyer should hire a forensics examiner and then challenge the state's expert.
If the police mishandled the case in the ways you claim, your lawyer should have no trouble proving that in court and getting any evidence recovered through that thrown out.
ComputerLearner (Newbie; Joined: Jul 31, 2013; Posts: 29)
Posted: Sun Aug 04, 2013 5:05 pm    Post subject: Computer Evidence Search

As we seek expert opinions from this forum, it is not our intention to make you comment on false claims - that won't help us in any way. It is we who need help. Hence, what we present is as accurate as we know it.

The issue of starting and logging into the computer was done IN THE PRESENCE OF THE ACCUSED. So, there is no mistaking that one. That was done on the original computer. No wonder we are sure of establishing that through the Security Logs. They are free to do what they want on the image.... that is part of the investigation process. But the original MUST NOT be tampered with - accidentally or otherwise. This is a best practice requirement.

You may also wish to know that one of the reasons they advanced for wanting the contents of the computer to be admitted as evidence is that the accused was present when the computer was seized.

True, the accused was present - but this is not sufficient guarantee that the digital evidence will remain intact afterwards. The accused's presence at seizure doesn't act as a hash key.

By this claim, they are attempting to tie the accused to the contents of the computer.

You spoke about the evidence drive - you may also wish to know that the Police only identified the source of the evidence under investigation through Color, Make, Model and Serial Number of the computer casing. They never identified the actual HDD from which they extracted the data they were investigating.

If there can be such a glaring flaw in the Physical Evidence Chain of Custody, what more the Digital Evidence Chain of Custody?

The Journalist's lawyer will definitely be looking into the possibility of hiring an Expert Witness... though:

1. It doesn't look like the defense will even be given access to the original computer

2. Even if the Defense Expert Witness was given access to the computer AT THIS STAGE, the manner in which the computer was seized AND the lies and denials as stated in Court means there is no guarantee to the accused that the HDD is still the original one... and that the contents are as intact as from seizure.

Guys.... We very much appreciate your comments, your contributions and your valuable time. I am sure we will be able to put up something from this chat that will go a long way in helping our colleague.
cybercop (Newbie; Joined: Nov 01, 2005; Posts: 551; Location: Marion, Indiana, USA)
Posted: Mon Aug 05, 2013 5:37 am

You want to prove a conspiracy so bad that you have been ignoring anything that has been said that doesn't agree with you. As I said, IF the police mishandled the evidence, your lawyer should be able to show that in court. That will get the evidence thrown out. Nothing said in this forum could be used as evidence in your case because YOU are the only one saying they mishandled the evidence. I would love to see the transcripts from the trial so far and at the completion.
ComputerLearner (Newbie; Joined: Jul 31, 2013; Posts: 29)
Posted: Tue Aug 06, 2013 3:57 pm    Post subject: Computer Evidence Search

ASSUMING my presentation to this forum represents 100% of the transcript, would you say the seizure was PROPERLY HANDLED or NOT PROPERLY HANDLED?

If it was not properly handled, what should have been done differently?

Here is a FULL summary of what happened in the case we are seeking your professional opinion on:

1. Police arrest Suspect 1 (S1). Seize a computer belonging to S1. CLAIM they found one porn picture on the computer. From a number of email exchanges with Suspect 2 (S2), police BELIEVE the porn came from S2. S1 denies possession of porn picture. Also denies receiving porn from S2. There is no direct email from S2 to S1 containing the porn attachment.

2. Police arrest S2....This is the Journalist we are focusing on. Police take S2 to police offices for interrogations. After three hours, police and S2 return to S2's workplace to search his office. Police seize S2's computer...in his presence. NO search is done in presence of S2. NO digital copy is made for S2's Defense Counsel. Hash Key not generated in presence of S2. Hash Key generated by police...presumably immediately after seizure, not shared with S2 or his Defense Counsel. On the crime scene, before the digital evidence is secured... and in the presence of S2....police switch on S2's computer and log into it to test his login credentials.

3. Several weeks later, police claim in Court that EnCase recovers 100% of deleted data all the time. Police claim to have used EnCase to recover porn that was deleted about 60 days from the date S2's computer was seized. They claim this is the same picture they found on S1's computer.

4. S2 denies possession of the porn picture. S2's Defense Counsel contests the production of the digital evidence for the following reasons:

a. That they have no way of proving the integrity of what police are trying to present to court
b. Police digital evidence chain of custody does not show that the evidence could not have been tampered with from seizure.
c. Claim of IT Expert Witness that EnCase can recover ALL deleted data is deliberate misinformation from an expert
d. Failure to categorically identify the actual physical storage device (HDD) is one issue being challenged
e. Insistence by police that S2's presence when his computer was being seized links him to the contents





Having said this, can we say digital evidence on S2's computer was properly seized or not?

Can S2 just trust that the police can do a good job?
cybercop (Newbie; Joined: Nov 01, 2005; Posts: 551; Location: Marion, Indiana, USA)
Posted: Tue Aug 06, 2013 9:01 pm

I do not see any mishandling based on what you claim.
ComputerLearner (Newbie; Joined: Jul 31, 2013; Posts: 29)
Posted: Tue Aug 06, 2013 9:38 pm    Post subject: Computer Evidence Search

Well.... that being the case, then the accused is at the mercy of the prosecution.

The only thing the police need to do is to suspect someone of having committed a felony... then just seize their computer... just leave behind a seizure notice for the computer hardware and then take off to their lab.

Whilst the computer hardware will be clearly identified by Serial Number, Make, Model and Color... the contents of that computer cannot be identified by such physical identity characteristics. The contents can be altered whilst the physical identity characteristics of the computer still remain the same.

The physical evidence chain of custody is no doubt correct. It starts with a seizure notice of the hardware.... and the hardware was identified as such even in Court.

But the digital evidence chain of custody is highly questionable... NO DOUBT.
PreferredUser (Newbie; Joined: Jan 01, 2007; Posts: 1130; Location: USA)
Posted: Wed Aug 07, 2013 6:42 am    Post subject: Re: Computer Evidence Search

ComputerLearner wrote:
ASSUMING my presentation to this forum represents 100% of the transcript, would you say the seizure was PROPERLY HANDLED or NOT PROPERLY HANDLED?

If it was not properly handled, what should have been done differently?
What you have presented is at best incomplete. Additionally it is not presented in an unbiased fashion. As such there is NO WAY to determine how the evidence was handled.

ComputerLearner wrote:
Here is a FULL summary of what happened in the case we are seeking your professional opinion on:

1. Police arrest Suspect 1 (S1). Seize a computer belonging to S1. CLAIM they found one porn picture on the computer. From a number of email exchanges with Suspect 2 (S2), police BELIEVE the porn came from S2. S1 denies possession of porn picture. Also denies receiving porn from S2. There is no direct email from S2 to S1 containing the porn attachment.
Again this is just a tiny slice of the information needed to make any sort of reasonable response. All I see is probable cause for an exam. People claim things all the time.

ComputerLearner wrote:
2. Police arrest S2....This is the Journalist we are focusing on. Police take S2 to police offices for interrogations. After three hours, police and S2 return to S2's workplace to search his office. Police seize S2's computer...in his presence.
The story just keeps changing. Although you probably do not realize it you keep twisting the story every time you post.
ComputerLearner wrote:
NO search is done in presence of S2.
Immaterial
ComputerLearner wrote:
NO digital copy is made for S2's Defense Counsel.
Immaterial. If there is contraband (porn or more likely child porn although you seem reluctant to write that) the defense would not be given a copy (because that would be distribution), the defense expert would have to go to the police lab or similar location and examine the evidence there.
ComputerLearner wrote:
Hash Key not generated in presence of S2.
Immaterial. In most cases the evidence will be taken to the lab and imaged at which time hashes are generated.
ComputerLearner wrote:
Hash Key generated by police...presumably immediately after seizure, not shared with S2 or his Defense Counsel.
Presumably? Is there not a report generated by the hashing tool in the report? Is the hash information not in the report?
ComputerLearner wrote:
On the crime scene, before the digital evidence is secured... and in the presence of S2....police switch on S2's computer and log into it to test his login credentials.
And? There are many reasons to boot a computer, the examiner merely documents this in their report.

ComputerLearner wrote:
3. Several weeks later, police claim in Court that EnCase recovers 100% of deleted data all the time. Police claim to have used EnCase to recover porn that was deleted about 60 days from the date S2's computer was seized. They claim this is the same picture they found on S1's computer.
Pretty sure I covered the answer to this previously.

ComputerLearner wrote:
4. S2 denies possession of the porn picture. S2's Defense Counsel contests the production of the digital evidence for the following reasons:

a. That they have no way of proving the integrity of what police are trying to present to court
b. Police digital evidence chain of custody does not show that the evidence could not have been tampered with from seizure.
c. Claim of IT Expert Witness that EnCase can recover ALL deleted data is deliberate misinformation from an expert
d. Failure to categorically identify the actual physical storage device (HDD) is one issue being challenged
e. Insistence by police that S2's presence when his computer was being seized links him to the contents
All items that the defense can try to use.

ComputerLearner wrote:
Having said this, can we say digital evidence on S2's computer was properly seized or not?
That is what the jury will have to decide.

ComputerLearner wrote:
Can S2 just trust that the police can do a good job?
I would hope so. However it is NOT the job of the prosecution/police to find exculpatory evidence, it IS the job of the prosecution/police to present an unbiased report of the evidence. If they come across exculpatory evidence that gets presented along with any damning evidence. Then the jury weighs the facts to come up with a verdict.
PreferredUser (Newbie; Joined: Jan 01, 2007; Posts: 1130; Location: USA)
Posted: Wed Aug 07, 2013 6:54 am    Post subject: Re: Computer Evidence Search

ComputerLearner wrote:
Well.... that being the case, then the accused is at the mercy of the prosecution.
No the accused is at the mercy of the jury.

ComputerLearner wrote:
The only thing the police need to do is to suspect someone of having committed a felony... then just seize their computer... just leave behind a seizure notice for the computer hardware and then take off to their lab.
At best an over simplified and incomplete characterization of the process.

ComputerLearner wrote:
Whilst the computer hardware will be clearly identified by Serial Number, Make, Model and Color... the contents of that computer cannot be identified by such physical identity characteristics. The contents can be altered whilst the physical identity characteristics of the computer still remain the same.

The physical evidence chain of custody is no doubt correct. It starts with a seizure notice of the hardware.... and the hardware was identified as such even in Court.

But the digital evidence chain of custody is highly questionable... NO DOUBT.
At the time of the search the evidence is "bagged" and labeled. It would be unlikely that the computer would be disassembled on site to inventory all the parts. That is typically done at the lab.

You can be as flip, as unbelieving as you want, but from the limited amount you have posted there is no conspiracy on the part of the police. As much as you want your friend to be innocent I find it highly implausible that there is a conspiracy by the police to plant evidence.

That said there might be other avenues that prove the innocence of your friend, however what you are proposing (conspiracy) is the least likely avenue to prove their innocence.

As CyberCop and I have posted previously, you need an expert. What you glean from this forum just barely touches on all the nuances of a digital forensic exam.
ComputerLearner (Newbie; Joined: Jul 31, 2013; Posts: 29)
Posted: Fri Aug 09, 2013 4:05 pm    Post subject: Computer Evidence Search

The assumption that the police WILL NOT tamper with the evidence doesn't hold any water. I am not saying that they did, but the fact that the chain of custody has a 'GRAY AREA' that anyone who wants can misuse, renders the whole chain just an academic exercise. What we would expect is to have a completely airtight chain of custody.

On the Physical Evidence Chain of Custody part.... this is ALMOST ok:

- Police seize the computer. And issue a seizure notice. The seizure has physical identities of the computer. The only problem is the actual physical storage device (HDD) is not identified. The first gray area pops up.

Any IT person knows that HDDs are swappable. You can create an image, and dump it on a different HDD, then slot the HDD into the suspect's computer.

The National Institute of Justice US Department of Justice - April 2004 Chapter 3, Page 11 also talks of the HDDs being categorically identified.

But your logic is that the Police have no time to manipulate the evidence. My argument is - there MUST be no room for anything of this sort to be done. Whether they did it or not - that is not the issue.

The Digital Evidence Chain of Custody is even worse. At seizure time, nothing is identified. Nothing is secured. No hash key is shared. Further, an Expert misinforms the Court that EnCase can recover all deleted stuff.

No wonder Susan W. Brenner - http :// www . mttlr . org/voleight/Brenner.pdf on Page 79 and 106 argues that the accused MUST be left a copy. This is the only way the accused will be sure about the contents.

Otherwise... the accused is at the mercy of the Jury.

Thank you for your advice. We will advise the Defense Counsel to make sure that they get an IT Expert to help out.

AMEN.

Moderator Note: Direct Links are not allowed.

Duplicate post removed.
cybercop (Newbie; Joined: Nov 01, 2005; Posts: 551; Location: Marion, Indiana, USA)
Posted: Fri Aug 09, 2013 9:49 pm

I am done with this topic as you are bound and determined to say there was evidence that was mishandled. IF there was evidence that was mishandled, your Lawyer would have had that evidence thrown out. Since it wasn't, it most likely wasn't mishandled. In most cases I see where they start attacking the evidence chain without there actually being problems with the chain, it is simply because they are guilty and grasping at straws.
ComputerLearner (Newbie; Joined: Jul 31, 2013; Posts: 29)
Posted: Fri Aug 09, 2013 10:35 pm    Post subject: Computer Evidence Search

CyberCop & PreferredUser,

We are very grateful for all your comments and your time. It will no doubt prove valuable as we discuss the issue.

If you don't mind, kindly comment on the following before you wind down with this discussion.

If any of the file types stated below are partially overwritten - say 25%, can the recovered 75% be reconstructed into something meaningful?

1. A porn picture is deleted and 25% overwritten. 75% is recovered. Can the full picture be reconstructed to see the porn?

2. An MS SQL database is deleted and 25% overwritten. 75% is recovered. Can the recovered database be reconstructed so that any of the Tables and Records can be readable?

3. A program Executable is deleted and 25% overwritten. 75% is recovered. Can the recovered .EXE be reverse engineered to generate any meaningful source code?
PreferredUser (Newbie; Joined: Jan 01, 2007; Posts: 1130; Location: USA)
Posted: Sun Aug 11, 2013 12:44 pm    Post subject: Re: Computer Evidence Search

ComputerLearner wrote:
If any of the file types stated below are partially overwritten - say 25%, can the recovered 75% be reconstructed into something meaningful?

1. A porn picture is deleted and 25% overwritten. 75% is recovered. Can the full picture be reconstructed to see the porn?

2. An MS SQL database is deleted and 25% overwritten. 75% is recovered. Can the recovered database be reconstructed so that any of the Tables and Records can be readable?

3. A program Executable is deleted and 25% overwritten. 75% is recovered. Can the recovered .EXE be reverse engineered to generate any meaningful source code?
There are too many variables and your questions are too broad, at best the answer would be possibly.
Page 2 of 4 (all times are GMT + 10 hours)