Notifications
Clear all

Proving Intent

50 Posts
15 Users
0 Likes
4,121 Views
(@konez90)
Posts: 11
Active Member
Topic starter
 

Hey, I have been asked for my class to figure out what it takes to prove intent in a cyber case. Is there any ways that you can do this easily using evidence from digital evidence?

 
Posted : 19/06/2012 10:15 pm
flamerescue150
(@flamerescue150)
Posts: 23
Eminent Member
 

Not sure what type of case you're referring to. But in CP cases for example, tying a user to specific google searches is useful as well as URLs that were physically typed (as opposed to reached by means of clicking a link). Frequency of visit in internet history (visit count) also helps show the user intended to be on those sites. If documents/pictures were downloaded and then organized into a folder structure, that can show knowledge and/or intent to possess. If the images were obtained through p2p such as limewire, check for search terms/filters the user may have applied to find specific content. Also, if the user previewed the illicit file while it was downloading and did not cancel the download, that can show knowledge and intent.

 
Posted : 19/06/2012 10:32 pm
(@konez90)
Posts: 11
Active Member
Topic starter
 

All right that helps a lot. And the case doesn't really matter any type of case involving computer crime. Thanks!

 
Posted : 19/06/2012 10:55 pm
(@armresl)
Posts: 1011
Noble Member
 

I believe you're a bit off on intent.

What about searching for one thing and getting something else (where search terms have been cleared out)
What about downloading a file which was altered by the peer sharing the file.
What about most all files downloaded are automatically shared?

There is lots more, but intent is really much deeper than this and it's something that if you work the defense side you need to put yourself in their shoes as to what happened..

Not sure what type of case you're referring to. But in CP cases for example, tying a user to specific google searches is useful as well as URLs that were physically typed (as opposed to reached by means of clicking a link). Frequency of visit in internet history (visit count) also helps show the user intended to be on those sites. If documents/pictures were downloaded and then organized into a folder structure, that can show knowledge and/or intent to possess. If the images were obtained through p2p such as limewire, check for search terms/filters the user may have applied to find specific content. Also, if the user previewed the illicit file while it was downloading and did not cancel the download, that can show knowledge and intent.

 
Posted : 20/06/2012 12:24 pm
flamerescue150
(@flamerescue150)
Posts: 23
Eminent Member
 

If I show a user went to google.com, typed "lolita", visited links resulting from the google search, downloaded cp and organized it into folder structures…. I would say that classifies as intent. Visiting these sites multiple times on different occasions only goes to further show intent. (the tricky part is placing the defendant behind the keyboard).

 
Posted : 20/06/2012 5:10 pm
jhup
 jhup
(@jhup)
Posts: 1442
Noble Member
 

How are you going to tie that user to the keyboard, or just the user account?

If I show a user went to google.com, typed "lolita", visited links resulting from the google search, downloaded cp and organized it into folder structures…. I would say that classifies as intent. Visiting these sites multiple times on different occasions only goes to further show intent. (the tricky part is placing the defendant behind the keyboard).

 
Posted : 20/06/2012 10:12 pm
(@c-r-s)
Posts: 170
Estimable Member
 

Hey, I have been asked for my class to figure out what it takes to prove intent in a cyber case. Is there any ways that you can do this easily using evidence from digital evidence?

This sounds like a question to law students. If so, you can give some examples of digital evidence from which deliberations on intent can be deducted, that have already been mentioned. For CF students instead, in my eyes, it's not a good idea to tell anything about browser histories etc. that would prove intent.

First of all, digital artifacts are no evidence in terms of natural science, what is most often forgotten. The main difference is, that every state of digital evidence can be consistently copied, spoofed, or reproduced. Of course, also physical evidence, e.g. fingerprints on a knife, can be spoofed. But the hypothetical possibility to preclude any inconsistency or implausibility just by choosing a sufficiently advanced and comprehensive approach is specific to digital technology.
So there are already too many CF guys out there, who walk into court rooms and explain "what happened" on a specific date and time or, even worse, what has been presumably done by a certain individiual. In fact, they should - and they only can - explain what they found on a disk; and that what they found is identical or not to what they would have found, if an alleged technical scenario has been conducted by whomever. This first abstraction has to be made to bring digital evidence in line with conventional one.

Second, legal evidence is different from scientific evidence, because criminal prosecution is a social practice. Justified by their relation as fellow men and members of the same society and legislation, it is for the judge or jury to appraise scientific findings as legal evidence against a defendant. It is exclusively their constitutionally ascribed job to resolve the abstractions from digital evidence to logical conclusions, and from logical conclusions to guilt. As nobody can look inside another person's head, proving intent is completely a matter of the second aspect. So clearly no expert witness should set himself up as the one who can prove intent just from looking at some data, and put these words into the mouths of judicature.
Unfortunately, jurisdiction itself tends to prefer experts who give simple, comprehensive answers which already imply essential conclusions of the verdict. So the quality of CF expertises directly affects the quality of jurisdiction. Therefore, everybody in this business should carefully stay within the limits of his professional opinion and functional assignment.

 
Posted : 21/06/2012 12:19 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

So there are already too many CF guys out there, who walk into court rooms and explain "what happened" on a specific date and time or, even worse, what has been presumably done by a certain individiual. In fact, they should - and they only can - explain what they found on a disk; and that what they found is identical or not to what they would have found, if an alleged technical scenario has been conducted by whomever. This first abstraction has to be made to bring digital evidence in line with conventional one.

A rare example of clear, clean way of thinking.

I too feel that from time to time some good CF (or more generally "expert witness") guys tend to forget their status of "scientists" and act as a lawyer or a judge, in the sense that even if not specifically asked for, they tend to provide instead of an objective "wide" range of possible causes of an artifact, the "only" possible cause according to them (which is obviously matching perfectly the theory of the party - accuse or defense - that actually hired them).

Which does not mean that one has not the right to form his/her own opinion on the matter and express it - if asked for it - but the way how one of the possibilities is presented as "the one and only truth" in some cases is - to me - surprising 😯 .

jaclaz

 
Posted : 22/06/2012 2:30 pm
(@pbeardmore)
Posts: 289
Reputable Member
 

Agreed with the last post. A computer forensic expert cannot show intent. They can forensically extract data that may be interpreted as showing intent by the court. In terms of expert opinion, our job is to be experts on hardware and software. "How likely is it that this computer was accessed via a trojan?" is a fair question. But to go outside of this zone and deal with issues concerning the state of mind of the suspect at the time they were pressing the buttons on the keyboard (if indeed it was their fingers) is perhaps going too far.

 
Posted : 22/06/2012 2:43 pm
erowe
(@erowe)
Posts: 144
Estimable Member
 

I have no criminal experience, but my colleagues who do have told me that they try to show control. Did the user exercise control over a CP image for instance by actually clicking on a thumbnail, opening a file, labeling and storing it, etc. Prefetch files, TypedURLs, and the like can go a long way to show user control.

Then there is the question of what it is reasonable to believe given the evidence. The Canadian case R. v. Johannson (2008 SKQB 451) is an interesting example of showing intent based on what it is reasonable to believe.

—–

"In taking the stand in his own defence, the accused denied having any intent to make the child pornography on his computer available to others. The accused testified that the LimeWire program had been installed and made operational by his friends, Tim Landeryou and Jim Meier, and that he had never "put his mind to how the program worked". Notwithstanding that the LimeWire program had several indicators that it was a shared or sharing program, the accused testified that he had "never turned his mind to what that meant". The accused's position is therefore that, although he intended to possess and review child pornography, he had no intent to make it available to others and that he should, therefore, be found to be not guilty of the offences in question."

"In this case, I have concluded that I do not believe the accused when he testified that he had no knowledge that the LimeWire program which he had used for several years involved a sharing of files such that others could upload material from his computer in the same fashion that he had used to download files to his computer."

"Although the accused denied ever having made the connection between the use of a shared file program and actual sharing, I am satisfied that this is either wilful blindness on his part or perhaps wishful thinking. His ability to delude himself or rationalize his activities can be seen by reference to his testimony that, even after viewing homosexual child pornography on a regular basis he is still able to maintain his religious affiliation and his sexual orientation."

—–

You may want to scan through the "EnCase Legal Journal" and search for "intent" if you are interested in US cases. I think you can get the journal for free at the Guidance Software web site - you just have to register if I recall. I believe a couple of cases they cite talk at least a bit about intent.

 
Posted : 22/06/2012 4:35 pm
Page 1 / 5
Share: