Forensic Report (Created/Modified/Deleted Date of files)

(@elder_futhark)
Posts: 5
Active Member
Topic starter
 

Hello,

The case file of a copyright infringement case (multimedia files such as mp3, video, pics, etc.) was brought to me by a defense attorney that requested my assistance with the analysis of the forensic report. I'm not an expert, I'm just a PC enthusiast, and avid PC gamer, but I thought I'd give it a try. The forensic report lists two PCs. One running on Windows Vista 64-bit, and the second on Windows XP SP2 32-bit.

Here are a few things I found strange about the report, and I need help with
First of all, the forensic report only mentions the "DATE CREATED"* of the files, but not the "DATE MODIFIED"*
*Note "FILE CREATED / FILE MODIFIED" in EnCase.

Feel free to correct me on this, but as far as I know, the only way to make sure that a file has been downloaded from a specific machine is to compare the created date to the modified date and see whether they are identical i.e. either exactly the same or with minor deviation (perhaps a few seconds).

Once someone starts to move files from one machine to another, or even from one folder to another within the same machine, it becomes impossible to figure out whether the file was actually downloaded from the machine in question, or whether it was copied there from an external source (HDD or USB drive). In my opinion, the fact that the forensic report only mentions the created date of the files in question is very problematic and diminishes its credibility significantly. I would very much appreciate it if someone could actually verify this for me.
I would also like to know if there is a safe way for someone to actually determine whether a file was downloaded on a specific machine.

There is also an issue regarding some files that were found deleted, and were recovered.
The forensic analyst has failed to determine when the majority of the recovered files were deleted. There is no "DATE DELETED" for 88% of the recovered files. Instead, the analyst found that 12% of the files were deleted on DATE-X, so -he claims- it follows that the remaining 88% was also deleted on DATE-X or later. I would also like to know whether this is acceptable, and if not, to what extent does it weaken the overall credibility of the forensic report.

As a side note, I would like to point out that the USN journal ($UsnJrnl) is NOT mentioned in the forensic report at all.

That's all for now. Feel free to ask for more details that might help addressing my points.
Thank you in advance.

- EF

 
Posted : 15/05/2015 2:19 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

It's hard to say anything about your case without a lot more info (and the actual report).

As a general rule, I would take any report with more than a grain of salt, in the sense that there are obviously two parts in a forensic report

  1. Data output of the programs/tools used (objective)
  2. Opinions/Assumptions (often very subjective)

The issue here is that #1 depends largely on #2, in the sense that in many cases the forensic examiner "targets" the extraction of data according to the specific case (or presumed charge) and either omits or undervalues some of the data, or runs the tools/software according to a pre-determined scheme; if you prefer, instead of answering the question "What happened?" (which is IMHO the "right" question) the report answers the question "Ok, we know that this and that happened, what are the traces proving it?".

On the other hand you cannot really "verify" a report; all you can do (just like you are doing) is to doubt data that seems missing or that "sounds" not accurate, but nothing more. What would be needed is the actual untouched original data (the disk images), and to re-analyze them.

What everyone around here always recommends is to create a timeline placing each and every recorded event, log, trace coming from tens of sources (besides date/time a file has been created/modified: who was logged in, which external devices were connected at the time, is the date/time reliable or may it be an artefact of some kind, etc., etc.), i.e. the whole system activities should be reviewed and placed in a context.

It is possible that a given report provides the "right data" but leads to a "wrong conclusion", but I would find it more likely that it is the missing part of the data that can lead to a "wrong conclusion", and without all the data it is unlikely that you will be able to find "flaws" (if any) in the report.

jaclaz

 
Posted : 15/05/2015 2:54 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

Personally I think you should walk away from the case. By the nature of the questions you are asking you clearly have some knowledge, but you are also jumping to conclusions - e.g. created and last modified being the same would not make me "sure" of anything. How were the files downloaded, FTP/web link/RDP? Were they downloaded as an archive? Most importantly, what was the file system - if FAT then there won't be a USN Journal. etc.

But the main reason is: what happens if your team relies on your report and you're wrong, what are the possible consequences to you? Do you have professional indemnity insurance etc.

I did a case many years ago where a forensic company up North stated that the evidence relating to a particular fax (stored on a PC) indicated that it was probably authentic (not forged). Based on this their lawyers started litigation over about £10M. For unknown reasons half way through the case the forensic company asked me to pass a second opinion on the data and my conclusion was that the fax was almost certainly a forgery. After the meeting with the lawyers I was asked to leave the room……. Not heard of them since.

 
Posted : 15/05/2015 3:28 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

First, I agree with Paul…even with the information you have provided, there is still a great deal that is unknown

Here are a few things I found strange about the report, and I need help with
First of all, the forensic report only mentions the "DATE CREATED"* of the files, but not the "DATE MODIFIED"*
*Note "FILE CREATED / FILE MODIFIED" in EnCase.

Feel free to correct me on this, but as far as I know, the only way to make sure that a file has been downloaded from a specific machine is to compare the created date to the modified date and see whether they are identical i.e. either exactly the same or with minor deviation (perhaps a few seconds).

Well, as you're working with an attorney, let's take a look at "downloaded"…what does that mean?

To me, it means the use of HTTP or FTP protocols. Downloading via a browser leaves certain artifacts…as of WinXP SP2, files downloaded via IE/Outlook have a "ZoneID" ADS associated with the downloaded files.

Downloading via the ftp.exe client leaves different artifacts from the use of Windows Explorer to access FTP sites.

Now, if by "downloaded", you're referring to copy/move operations, I think you may be referring to the following
https://support.microsoft.com/en-us/kb/299648

Once someone starts to move files from one machine to another, or even from one folder to another within the same machine, it becomes impossible to figure out whether the file was actually downloaded from the machine in question, or whether it was copied there from an external source (HDD or USB drive). In my opinion, the fact that the forensic report only mentions the created date of the files in question is very problematic and diminishes its credibility significantly. I would very much appreciate it if someone could actually verify this for me.

I don't want to seem to be stuck on this, but there's a need for specificity of language here…from my perspective as a forensic analyst, there's a difference between "download", "copy", and "move". I say that because each of these requires a different set of actions from the user, and leaves different sets of artifacts.

I would also like to know if there is a safe way for someone to actually determine whether a file was downloaded on a specific machine.

I would suggest that the answer is "yes", but it depends on what you mean by "download".

If you were to provide me with an image of, say, a Windows XP SP2 system, and you asked me if a particular file had been "downloaded to" that system, I would follow a specific analysis process and look for specific artifacts. However, I could return the report to you, and you may very well say, "uh…I meant "copied to"..".

There is also an issue regarding some files that were found deleted, and were recovered.
The forensic analyst has failed to determine when the majority of the recovered files were deleted. There is no "DATE DELETED" for 88% of the recovered files. Instead, the analyst found that 12% of the files were deleted on DATE-X, so -he claims- it follows that the remaining 88% was also deleted on DATE-X or later. I would also like to know whether this is acceptable, and if not, to what extent does it weaken the overall credibility of the forensic report.

I'm not going to comment on this particular item because the file system is not mentioned. I'm not being obstinate…I simply don't want to write a "TL;DR" response and bore you. 😉

As a side note, I would like to point out that the USN journal ($UsnJrnl) is NOT mentioned in the forensic report at all.

Not correcting you, but the file you'd want is the alternate data stream $UsnJrnl$J, *if* the file system is NTFS. Again, as Paul stated, the file system was not specified in the post.

That's all for now. Feel free to ask for more details that might help addressing my points.

Well, to Paul's point, there's much that's simply not known at this point. Based on what you have provided, there does seem to be a dearth of detail in the report, but then, I'm not looking at the report…so…

Good luck.

 
Posted : 15/05/2015 5:11 pm
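As an added example (not code from this post or from any tool named in the thread), the "ZoneID" ADS mentioned above is the Zone.Identifier alternate data stream. The parser below handles the XP SP2/Vista form (just a ZoneId line) as well as the longer form later Windows versions write, and the reader treats a missing stream as inconclusive rather than as proof that nothing was downloaded; the sample stream bodies are constructed, and the read function only works against an NTFS volume under Windows.

```python
import re

# Zone ids written by the Attachment Execution Service (URLZONE_* values).
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
STREAM_NAME = "Zone.Identifier"


def parse_zone_identifier(text):
    """Parse the INI-style stream body into {'zone_id', 'zone_name', ...}.

    XP SP2 / Vista write only '[ZoneTransfer]' + 'ZoneId=N'; later Windows
    versions may add ReferrerUrl= / HostUrl= lines, which are kept verbatim
    under lower-cased keys. Returns None if there is no usable ZoneTransfer section.
    """
    section, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    if not fields.get("zoneid", "").isdigit():
        return None
    zone_id = int(fields.pop("zoneid"))
    result = {"zone_id": zone_id, "zone_name": ZONE_NAMES.get(zone_id, "Unknown")}
    result.update(fields)
    return result


def read_zone_identifier(path):
    """Read the ADS of a file on an NTFS volume (Windows only).

    Returns (status, parsed). 'absent' is NOT proof the file was never
    downloaded: ftp.exe and many other clients write no stream, a copy via
    FAT-formatted media (USB sticks) cannot carry an ADS, and the user may have
    clicked 'Unblock'. 'garbled' means a stream exists but is not ZoneTransfer.
    """
    try:
        with open(f"{path}:{STREAM_NAME}", "r", encoding="utf-8", errors="replace") as fh:
            body = fh.read()
    except OSError:                      # FileNotFoundError on Windows and elsewhere
        return ("absent", None)
    parsed = parse_zone_identifier(body)
    return ("present", parsed) if parsed else ("garbled", None)


# Constructed sample bodies (not taken from any real system).
XP_STYLE = "[ZoneTransfer]\r\nZoneId=3\r\n"
NEWER_STYLE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
               "ReferrerUrl=http://example.invalid/page\r\n"
               "HostUrl=http://example.invalid/song.mp3\r\n")
```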
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

As a side note, I would like to point out that the USN journal ($UsnJrnl) is NOT mentioned in the forensic report at all.

Not correcting you, but the file you'd want is the alternate data stream $UsnJrnl$J, *if* the file system is NTFS. Again, as Paul stated, the file system was not specified in the post.

Sure ) , but we might be kind enough to credit Elder_Futhark with this piece of knowledge so that being surprised at the missed analysis of $UsnJrnl$J would automatically imply that NTFS systems are the object of the report.
On a probability estimation, 99% of XP systems are installed/use NTFS and in the case of Vista 99.9999995% of them….

jaclaz

 
Posted : 15/05/2015 5:47 pm
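As an added illustration (not code from the thread or from any tool it mentions) of why the missing $UsnJrnl:$J analysis matters for the "no DATE DELETED" problem on the NTFS/Vista machine: the change journal records a FILE_DELETE|CLOSE entry, with its own timestamp, for each file deleted while the journal was active. The record layout below is USN_RECORD_V2 from the Windows SDK; the journal bytes are constructed in the block, not taken from any real image.

```python
import struct
from datetime import datetime, timedelta, timezone

# Subset of the USN_REASON_* flags (Windows SDK, winioctl.h).
USN_REASON_DATA_OVERWRITE = 0x00000001
USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_FILE_DELETE = 0x00000200
USN_REASON_RENAME_OLD_NAME = 0x00001000
USN_REASON_RENAME_NEW_NAME = 0x00002000
USN_REASON_CLOSE = 0x80000000
REASON_NAMES = {USN_REASON_DATA_OVERWRITE: "DATA_OVERWRITE", USN_REASON_FILE_CREATE: "FILE_CREATE",
                USN_REASON_FILE_DELETE: "FILE_DELETE", USN_REASON_RENAME_OLD_NAME: "RENAME_OLD_NAME",
                USN_REASON_RENAME_NEW_NAME: "RENAME_NEW_NAME", USN_REASON_CLOSE: "CLOSE"}

# Fixed 60-byte USN_RECORD_V2 header (the version NTFS writes on XP/Vista/7): RecordLength,
# MajorVersion, MinorVersion, FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp
# (FILETIME), Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
USN_V2 = struct.Struct("<IHHQQQQIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    td = dt - FILETIME_EPOCH               # integer maths: floats lose precision at this scale
    return ((td.days * 86400 + td.seconds) * 10**6 + td.microseconds) * 10

def build_record(usn, frn, parent_frn, when, reason, name):
    """Serialise one V2 record; RecordLength is padded to a multiple of 8 as on disk."""
    name_bytes = name.encode("utf-16-le")
    length = (USN_V2.size + len(name_bytes) + 7) & ~7
    header = USN_V2.pack(length, 2, 0, frn, parent_frn, usn, datetime_to_filetime(when),
                         reason, 0, 0, 0x20, len(name_bytes), USN_V2.size)
    return (header + name_bytes).ljust(length, b"\x00")

def parse_records(data):
    """Yield one dict per record; skips the zero-filled gaps a real $J contains."""
    pos = 0
    while pos + USN_V2.size <= len(data):
        f = USN_V2.unpack_from(data, pos)
        if f[0] == 0:                      # RecordLength 0: padding, step to next 8-byte slot
            pos += 8
            continue
        name = data[pos + f[12]:pos + f[12] + f[11]].decode("utf-16-le")
        yield {"usn": f[5], "frn": f[3], "parent_frn": f[4], "name": name,
               "timestamp": filetime_to_datetime(f[6]), "reason": f[7],
               "reason_names": [n for flag, n in REASON_NAMES.items() if f[7] & flag]}
        pos += f[0]

def deletion_events(data):
    """(name, ISO timestamp) for every committed delete: FILE_DELETE together with CLOSE."""
    want = USN_REASON_FILE_DELETE | USN_REASON_CLOSE
    return [(r["name"], r["timestamp"].isoformat())
            for r in parse_records(data) if r["reason"] & want == want]

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed sample journal (not from any real image): a create, a rename, then one delete.
SAMPLE_JOURNAL = b"".join([
    build_record(0x100, 0x0005000000000A1A, 0x0005000000000005, utc(2015, 3, 1, 10, 0, 0),
                 USN_REASON_FILE_CREATE | USN_REASON_CLOSE, "song.mp3"),
    b"\x00" * 16,                          # simulated zero gap between journal pages
    build_record(0x200, 0x0005000000000A1B, 0x0005000000000005, utc(2015, 3, 2, 9, 30, 0),
                 USN_REASON_RENAME_NEW_NAME | USN_REASON_CLOSE, "clip.avi"),
    build_record(0x300, 0x0005000000000A1A, 0x0005000000000005, utc(2015, 4, 10, 21, 15, 0),
                 USN_REASON_FILE_DELETE | USN_REASON_CLOSE, "song.mp3"),
])
```

A recovered file can be tied to its delete record by name or by the file reference number, as long as the MFT entry was not reused in between. Because $J is size-limited and old records are discarded, a missing delete record only means the journal no longer reaches back that far, not that the deletion did not happen, so it supports a "deleted on or after" statement only for files that actually appear in it.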
(@elder_futhark)
Posts: 5
Active Member
Topic starter
 

Hello everyone, and thank you all very much for your posts.
Suffice it to say, I was overjoyed to see your replies.

I'm not going to comment on this particular item because the file system is not mentioned.

Not correcting you, but the file you'd want is the alternate data stream $UsnJrnl$J, *if* the file system is NTFS.

The file system of the first machine is NTFS, OS is Vista 64-bit.
The file system of the second machine is NTFS, OS is WinXP 32-bit.

The case file does not include a full report of the methodology and tools used by the forensic analyst. The forensic report consists solely of the conclusions and commentary of the analyst. I personally found this strange, and I was wondering whether it is the usual M.O. a forensic analyst follows or not…
I suspect EnCase was used.

I don't want to seem to be stuck on this, but there's a need for specificity of language here…from my perspective as a forensic analyst, there's a difference between "download", "copy", and "move". I say that because each of these requires a different set of actions from the user, and leaves different sets of artifacts.

In ALL instances the analyst has used the terms (in Greek) "δημιουργήθηκαν/αποθηκεύθηκαν" the exact English translation of which is "created/stored". He also uses the term (FILE CREATED), which makes me think he used EnCase.
The exact way it is printed is
The files were created/stored (file created) … - then he proceeds to mention dates, what the files were etc…
These are the ONLY terms he uses throughout the report.

I would also like to mention that CCleaner was found installed, although we have no clue of its settings (number of overwrites, areas selected to be wiped, etc.).

Let me know if more info is needed.
It appears to me that this report has been written very poorly (this is Greece after all!), and I am convinced I can find enough info to damage its credibility.

Personally I think you should walk away from the case.

Thank you very much for your concern and advice. I am in no way officially involved in this - I haven't signed anything, I'm just helping out.
It will be up to the attorney to decide whether to accept anything I present him with - whether official or unofficial.

It's hard to say anything about your case without a lot more info (and the actual report).

The report is in Greek, and doesn't say anything in regards to the methodology and tools used. I'm interested to see whether the forensic analyst is being objective i.e. not jumping to conclusions.
For example, as I mentioned earlier, the analyst states that 12% of the files were deleted on (or after) a certain date (let's call it "Date-X"), he then claims that this is enough to conclude that the remaining 88% were also deleted on or after "Date-X" - he actually admits that he does NOT know (insufficient data) when 88% of the files were deleted.
This was on the machine running on Vista 64-bit, and the HDD was formatted as NTFS
Of course I'm not an expert, but I find this claim of his a bit shaky. Then again, this is why I'm here, trying to figure this out with your help.

 
Posted : 15/05/2015 6:20 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

The report is in Greek, and doesn't say anything in regards to the methodology and tools used. I'm interested to see whether the forensic analyst is being objective i.e. not jumping to conclusions.

The point, besides the language barrier is that what you are looking at seems a lot NOT like a "report", but rather the "findings only".

More or less it would be like attempting to review a literary sum up without having read the actual original book.

It is however IMHO "queer" that the exact procedure and list of tools used is not mentioned in the document you have in your hands; a technical report - no matter if related to digital forensics or for other scopes - normally contains, at least as a reference and detailed in a separate (attached) folder, all the actual evidence gathered and the key printout/output of the tools used.

Just as an example, I would put in the report the "key data" found summed up in a spreadsheet table but attach also the actual files or paper documents containing the "source" data used in the table.

For example, as I mentioned earlier, the analyst states that 12% of the files were deleted on (or after) a certain date (let's call it "Date-X"), he then claims that this is enough to conclude that the remaining 88% were also deleted on or after "Date-X" - he actually admits that he does NOT know (insufficient data) when the 88% of the files were deleted.
This was on the machine running on Vista 64-bit, and the HDD was formatted as NTFS
Of course I'm not an expert, but I find this claim of his a bit shaky. Then again, this is why I'm here, trying to figure this out with your help.

Yes, but you (we) are missing the actual data and (complicated by the language barrier) whatever we come out with may well be incorrect.

Just as an example this sentence makes NO sense

Since 12% of the files were deleted on the "Date-X", no actual date was retrieved for the deletion date of the remaining 88% hence also these 88% were deleted on or after "Date-X".

But an only sightly different sentence like

There is direct evidence that 12% of the files were deleted on "Date-X", and although no actual date was retrieved for the deletion date of the remaining 88% this very lack leads me to believe that also these 88% were probably deleted on the same date or after it.

followed by

As a matter of fact here is evidence of *insert here whatever other hint, coming from the Registry, logon dates, internet connection, etc. that proves that part of the files in the 88% existed the day before "Date-X".

starts to make some more sense.

If - by mistake - the latter sentence is missing from the report, it may mean that the report has been not re-read accurately or that the writer is not very good at reports, or if you prefer it is an omission, but not necessarily a false conclusion, it may well (as it did) raise an alert flag but unless the actual data is examined there is no way to know if it represents something "wrong" or only something badly or insufficiently justified.

The exact way a sentence is phrased is very important; to give you another common example, there are people that write "user XY logged on the "Date-X" at hhmm.ss" while what should have been written is "there is a record of a successful logon with the credentials of user XY on the "Date-X" at hhmm.ss".

jaclaz

 
Posted : 15/05/2015 8:32 pm
(@elder_futhark)
Posts: 5
Active Member
Topic starter
 

The point, besides the language barrier is that what you are looking at seems a lot NOT like a "report", but rather the "findings only".

First of all I want to thank you for having the patience, and for taking the time to reply to me. I know that most - if not all - of you are professionals and you most likely have better and more productive things to do. I really appreciate your help and input.
Now, to your point: this is exactly the case. The "report" is essentially just the findings. The file and the report make absolutely no mention of the methodology and tools used by the forensic analyst.

To cite another example:
The analyst mentions he found a torrent relevant to the case, without mentioning the name of the torrent, without specifying whether it is a *.torrent file saved in a folder to be loaded on a client later, or a torrent file already loaded on a torrent client, or whether - if in fact loaded on a torrent client - that torrent was active (seeding/downloading) or not.
He simply says "LOOK GUYS I FOUND AN ILLEGAL TORRENT! NOT GONNA SAY ANYTHING ELSE, TRUST ME IT'S ILLEGAL", and that's it.

Once more, I'm not an expert, but this seems very amateurish to me.

More or less it would be like attempting to review a literary sum up without having read the actual original book.

I believe you just hit the nail on the head, and this is why I'm so frustrated with this forensic guy.

 
Posted : 15/05/2015 11:32 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

First of all I want to thank you for having the patience, and for taking the time to reply to me. I know that most - if not all - of you are professionals and you most likely have better and more productive things to do. I really appreciate your help and input.

Only to let you know how maybe I have "the patience" because I am not a professional in this specific field
http://www.forensicfocus.com/c/aid=65/interviews/2013/jacopo-forum-member-jaclaz/

Now, to your point This is exactly the case. The "report" is essentially just the findings. The file and the report make absolutely no mention of the methodology and tools used by the forensic analyst.

Once more, I'm not an expert, but this seems very amateurish to me.

I believe you just hit the nail on the head, and this is why I'm so frustrated with this forensic guy.

Yep ) , but maybe (just maybe) the issue is not with the guy or with the document, it is just that you were given only a (small) part of the "whole".
This counts as a general rule, not specific to digital forensics: people asking for advice or (educated) opinions tend to omit (sometimes intentionally to "keep more control", sometimes unintentionally, just because they think it is not relevant) information or documents; as an example, this often happens when people ask for assistance on a public board for a computer related problem
http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/problem-report-standard-litany.html

It is possible that your lawyer friend has not given to you (or was not given) the more relevant parts of the report or *whatever* may come in the form of attachments to it; in any case, as said, all that you can do with the current partial info is to highlight the parts that seem not backed up by proper references and that seem more like apodictic/absolute statements than logical conclusions based on documented evidence.

jaclaz

 
Posted : 16/05/2015 12:13 am
(@elder_futhark)
Posts: 5
Active Member
Topic starter
 

Yep ) , but maybe (just maybe) the issue is not with the guy or with the document, it is just that you were given only a (small) part of the "whole".

It is possible that your lawyer friend has not given to you (or was not given) the more relevant parts of the report or *whatever* may come in the form of attachments to it…

I very much doubt that. There is perhaps at most a 1% chance this has happened, and I'm not hiding anything from you - that would be counter-productive on my part. In fact, I would be willing to translate the whole document and PM it to you (or you can PM me your email and I can email it to you), if you'd like me to - that is IF you're interested and willing to read it. In other words, before I invest the time to translate the document, I need to know that someone will read it.

Please understand that this is Greece, and we are pretty much on par with Papua New Guinea on these matters. The laws regarding internet/computer crime are atrocious (I suspect this is an attempt to 1-up the US), and the judges utterly ignorant when it comes to understanding technology. The Greek government and authorities are plagued by a fear of inferiority i.e. the fear of being compared to Europe and the US, and coming up short in meeting their standards. Apparently, in an attempt to catch up with them, the law in Greece has evolved faster than the people who are supposed to form and uphold it. It's a sad state of affairs.

As a side note, I found the LinkedIn profile of the forensic analyst in question. He has the following certifications CFCE, ACE, CEECS.

 
Posted : 16/05/2015 12:51 pm