±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35745
New Yesterday: 2 Visitors: 169

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Reporting question

Discussion of legislation relating to computer forensics.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2  Next 
  

jblakley
Senior Member
 

Reporting question

Post Posted: Feb 10, 15 20:42

All,

I was given a computer to analyze, but was told upfront that someone else had logged into the profile to 'look around'. When they didn't find anything, they brought it to me. Should I put that in the report? All of the timestamps are off in relation to when the true person last logged in versus the last person.

Thanks...  
 
  

jaclaz
Senior Member
 

Re: Reporting question

Post Posted: Feb 10, 15 21:00

- jblakley
Should I put that in the report?

Well, what would be the alternative, hiding/failing to mention such a vital piece of information you were made aware of? Question

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

jblakley
Senior Member
 

Re: Reporting question

Post Posted: Feb 10, 15 21:18

I wasn't sure. Personally, I haven't run into an issue in the past where someone actually told me someone else had logged in. With that information, I would assume full transparency, but I wanted to get other opinions...  
 
  

jaclaz
Senior Member
 

Re: Reporting question

Post Posted: Feb 10, 15 21:48

- jblakley
I wasn't sure. Personally, I haven't run into an issue in the past where someone actually told me someone else had logged in. With that information, I would assume full transparency, but I wanted to get other opinions...


I don't get it.

Possibilities are that the system (or filesystem or *whatever*) was (you choose) :
  1. noticeably modified by *something* or *someone* that is not the "true person" AND you know (because someone told you) that it has been accessed by *something* or *someone* that is not the "true person"
  2. noticeably modified by *something* or *someone* that is not the "true person" BUT you DO NOT know (because noone told you) that it has been accessed by *something* or *someone* that is not the "true person"
  3. seemingly (or as far as you can see) not modified BUT you know (because someone told you) that it has been accessed by *something* or *someone* that is not the "true person"
  4. seemingly (or as far as you can see) not modified AND you DO NOT know (because noone told you) that it has been accessed by *something* or *someone* that is not the "true person"

In case of issues (of *any* kind) you can possibly claim having made a mistake or omission in "good faith" in case #4, and possibly in case #2, BUT NOT in case #3, let alone #1.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

keydet89
Senior Member
 

Re: Reporting question

Post Posted: Feb 10, 15 23:58

- jblakley
Should I put that in the report?


Without a doubt. I would, but I would do so only as far as I could demonstrate through the data. I tend not to rely on what someone told me as "fact", in part because many times what one person refers to as "nothing" is actually quite a lot from a DF perspective.

What I might do is give the facts of the login (log entries, etc.) and then state that someone not the user in question had _reportedly_ logged in.  
 
  

jaclaz
Senior Member
 

Re: Reporting question

Post Posted: Feb 11, 15 18:11

- keydet89


Without a doubt. I would, but I would do so only as far as I could demonstrate through the data. I tend not to rely on what someone told me as "fact", in part because many times what one person refers to as "nothing" is actually quite a lot from a DF perspective.

What I might do is give the facts of the login (log entries, etc.) and then state that someone not the user in question had _reportedly_ logged in.


Welcome back Dr.House! Very Happy

house.wikia.com/wiki/Everybody_lies

Wink

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

athulin
Senior Member
 

Re: Reporting question

Post Posted: Feb 11, 15 21:33

- jblakley
All,

I was given a computer to analyze, but was told upfront that someone else had logged into the profile to 'look around'. When they didn't find anything, they brought it to me. Should I put that in the report?


It's better that you state what input you received for the assignment, than leave it to someone else to imagine. Murphy rules: anything will be misunderstood, sooner or later. Much better that you pre-empt any speculations that may arise.


I usually have to discover that someone 'just looked around a little' for myself ... but it goes into the report, no matter what the customer says..  
 

Page 1 of 2
Page 1, 2  Next