Please, help to resolve this.

Senior Member


Posted: Jul 01, 17 16:29

Hi all,
Thanks, everyone, for this wonderful forum. I’m working in a private forensic lab in an EU country. I’m deeply disturbed by the events, and I would like some colleagues here to share their experience and advice. It is time for me to make my decisions.
In the first days of May 2017, a high-ranking police officer from one Mediterranean country (in big financial trouble since the end of 2009, Rep. of Turkey on the right side of the map) called my boss. The officer needed help and advice on how to “sort” and “iron out” some “problems” of his two cyber crime officers. My boss asked me and one of my colleagues to form a team, to help, and to be in touch with this officer to solve the problems.
Their case is from the end of April 2014 - the high officer’s unit accused one man, a pediatrician, of possession of CP, and divulged information about the case to the press. But this is not the end, and not the main problem they have – it is just the beginning of the story. Their “case”:
At the end of April 2014, the two above-mentioned officers made a live acquisition of the pediatrician’s computer (one). There are no chain of custody papers (of any kind!!) and no hash on acquisition, and the officer who worked on the suspect’s computer, not using any blocker, attached a USB stick and worked directly on the original data, extensively opening files there. After that, they “collected” the suspect’s HDDs in one open supermarket nylon bag, and put the bag on the rear seat of their jeep. There was no sealing of the bag, nor electrostatic enclosures - just plain HDDs, in one open plain supermarket nylon bag.
The same day, the chief of the national cyber-crime police unit (now fired because of incompetence) divulged various “case details” to the press [we checked all of them - all of them proved to be shameless lies], and on the same evening the chief manifested himself in the flesh on all national TV channels, milking the event. We asked the high-ranking officer “Why?” - he answered, “In order to immediately nail the bastard [i.e. the defendant], and to ask the prosecutor for publication of his personal data in the press. With such press coverage, the whole judiciary is obliged to be on our side, unconditionally. And they do not dare to take the other side,” he said laughingly.
At the first trial in front of the judge, the two officers plainly confessed all the details of their, actually, illegal methods of acquisition! Nobody in the court even cared, or paid the slightest attention to what was going on! When we asked the high-ranking officer how it is possible for all this to pass in a civilized court, his answer was: “The judges here hate all these crimes, and they swallow whatsoever we present to them without a grumble”. And, laughing at the end, he told us that “…the judges here do not possess the needed grasp of forensic details, nor are they much interested in learning them”. This officer also told us that at the first trial the two officers lied extensively to the court, and this is a real problem, and became a big one for them - the defendant is a foreigner, and he contacted his embassy and the authorities of his native country, and pleaded with them to intervene on his behalf. In court, the defense team was very, very competent, and the defendant himself virtually nailed the two officers to the wall - in reality the defendant himself proved to be, this is not a joke, a computer geek with profound and extended, deep, deep knowledge.
We asked for more details, and some of these are:
- No chain of custody of any kind exists, no hash on acquisition. On the day of the acquisition, they worked on original data – they confessed this in court!
- There is not a single photograph of the confiscated HDD! In their “confiscation protocol”, one HDD’s serial number and model number are invalid! They forged the defendant’s signature there too.
- There is big confusion about the right number of the confiscated HDD – 2/3 of the judicial documents have one number, the other 1/3 another. We investigated - the two officers manipulated the disks and their numbers while they were traveling to the capital.
- Actually, they confessed in court that they manipulated the disks’ contents AFTER the confiscation took place, in order to “investigate” further.
- The official police forensic examination of these HDDs was made 4 months later – almost half of the HDDs were officially presented by the lab without any kind of digital hash whatsoever, the rest with one hash value of unknown origin - of the copy, or of the lab’s “original”?
- There is no comparison between the hash values of the acquisition and the hashes of the lab [where they exist], because hashes of the acquisition simply do not exist.
- Because of the complete lack of a proper hash, the defense is, objectively, unable to obtain a copy of these disks - there is no forensic digital warranty whatsoever that the contents there are the original ones. Or will be the original ones. Actually, and legally, this fact made all the evidence inadmissible in court, and the case will collapse. All of you understand that there is no way for all this to pass in any [civilized] court in the world!
- We investigated and obtained clear evidence of how, on the date of the acquisition, the officer in charge implanted some illegal files on the defendant’s computer. We are in possession of all these analytical data!
I’m totally disgusted. All this is shameful. My colleague resigned from the “case”, but I’m a senior here, and for me this is not at all an easy step. I spoke with my boss and briefed him about all these details. He insists that our help for their “case” continue. But I’m unable to do this anymore. Your opinion, guys? Actually, I must resign.
I’m happily married, have two small children, and this is the best job I ever had. But I have my principles.
When, on some occasions, I spoke with this foreign high-ranking officer, I was disgusted by his oriental manners, arrogance and incompetence - I clearly told him that neither the defendant’s home court nor a single European court will accept their “evidence”, and they will have a hard crash, with millions of euros in damages to be paid at more than one level. Actually, I told him plainly and clearly that they forged evidence, besides the other things they did improperly and illegally. His answer was: “Calm down, boy, our judicial system is on our side, whatever the bastard [i.e. the defendant] says. I was just worried about the EU Court of Human Rights and the defendant’s national ombudsman and the court in his country of origin”.
Is there the slightest chance of any court accepting all this “evidence”??
Your advice, guys?

Senior Member

Re: Please, help to resolve this.

Posted: Jul 01, 17 18:43

- calimelo
What is it that you have to do? Write an expert witness report?

No. Our advice is only about where their forensic “Achilles heel” is, and how it would be legally possible to cure it. But I did not expect that they would forge evidence there, or do an illegal acquisition…. It is just illegal – all their activities there on this case are totally illegal!

My boss insists that I myself continue to provide “help and assistance”. But I can’t do this anymore. Second - I talked with my former colleague [and friend] on the case, and we will probably seek legal advice on how to proceed, bypassing our boss, and to uncover all those dishonest people there, and thus… help the defendant in some way? Don't know. But all this means we both must resign.

Also, nobody knows how corrupt all these police, judicial and high-ranking officials there are - this is a factor too. I talked with colleagues outside of my work, whom I know personally - they told me that this country has a bad record of rampant judicial and police corruption. Actually, the chief of the national cyber-crime unit there was recently fired because he had collected too much bad press, with too many totally falsified cases of CP "possession", from which they either take illegal bribes [kickbacks] or take extra EU funds for "successful activity", I do not know precisely. Nor do I know whether this information is true... but the cyber-crime chief there really was fired, and then there were widespread rumors among EU officials that he really was a totally incompetent figure.

We looked carefully at all the data - there was not a single illegal Internet activity from the man [the defendant].
They even forged his IP - but, hold on to your seats - the defendant showed proof in court that on the same date, and two days before and three days later, his phone line was broken - the company repaired it - there is a bunch of SMS messages from the phone company proving this!! The court closed its ears to this! It is just unbelievable...

I don’t know really. It is just disgusting.
Why must we, with all our competence and years of hard work, oblige and help corrupt officials to destroy honest people? For me, it is evidently clear that the defendant just had a professional feud with someone there, and they hired someone to do all this. Have you ever lived in small towns? I have, for years, and I know what I'm talking about. The officer just transferred files from his USB key to the defendant's computer in order to put him in jail. Because he thinks he is stupid and naive, and that he does not know which forensic procedures are legal and which are not. It is as simple as that. When the poor man is exposed to the press - you think there will be even a single judge to vote for him in court?? That is exactly why they go to the press - they use it as their extrajudicial weapon.

For your info - in this Mediterranean country, after the end of the trial the judge and the jury go to the same room and decide in common [which is unheard of for a civilized country] - there, there is no room only for the jury!

We talked to people there - in the whole country there are, maybe, 3 or 4 really good private digital forensic specialists. All of them live in the two big cities. WHO will the defendant hire for his defense? Nobody. This is just what the circus there uses.

Your opinion about the admissibility in court of all this trash? And about the legality of their "acquisition" procedures, reading all this?

Senior Member

Re: Please, help to resolve this.

Posted: Jul 01, 17 19:36

My advice is simple: The case you and your boss face is not transparent and not solvable. Maybe the money you are getting for this case is important for your boss and you, to pay your salary.

But the case is hopeless. Step back, get away - you may think this is a good chance to show your skills and expertise in forensics, but the case is too political and will kill you in the end. Why work day and night and give all your personal care, only to recognize at the end that it was all for


Sometimes in life it's better to clearly say NO. Even if everybody hates you and puts even more pressure on you. But protecting yourself is the most important aspect. If you hang in, you become part of the game, your name is in danger, and afterwards it will be documented that you worked on this case. It will have a long-term negative impact on you.

Step back. Get out - too political.

Hopeless case. Stay strong!  

Senior Member

Re: Please, help to resolve this.

Posted: Jul 01, 17 20:24

Ask your boss if he will fire you if you resign from this case. Sounds like a no-brainer, but it's crucial for you to know.

It's about your family and you first.


Re: Please, help to resolve this.

Posted: Jul 02, 17 05:55

Send the same information you have posted here to the suspect's attorney. Or, to the media. Do it anonymously and be careful to delete information that might identify you. Or, find someone higher up and become a confidential informant.

The idea is to blow the whistle.

You need to get your own attorney before you do. Preferably an attorney who has experience with whistleblowing cases.

Be safe and be careful. Do the right thing and, InShallah, all will work and you will save an innocent man.

Last resort - Find a job in the USA. Plenty of criminals here too.  

Senior Member

Re: Please, help to resolve this.

Posted: Jul 02, 17 07:02

- MickArneke
It is just illegal – all their activities there on this case are totally illegal!

Assisting them in their dubious activities is illegal, too. Since the defendant apparently is an expat (from the EU? From your home country?), you, your boss, and your coworkers are heading for trouble.

Advice: Resign from this case. Resign from your current employment, if possible and if the one who accepted this assignment has major influence on the company. The development you described is totally foreseeable when doing business with Greek agencies. I never did, and never will, because we follow a strict whitelist, but they are also on many others' blacklists (if not relayed through and supervised by an EU body). Therefore, it doesn't make any sense how this is managed in your company, whether you/your boss accept their "requirements" or not.

PS: Do not blow the whistle. It is no secret that I despise the entire "concept" of whistleblowing and the (false) ethical theory behind it, but anyway: you are easy to track now.  

Senior Member

Re: Please, help to resolve this.

Posted: Jul 02, 17 11:18

C.R.S is absolutely right (excellent post!)

After consulting our internal legal:

Ask jamie (admin FF) to immediately delete your post. Check Google, archive.org and other web history sites about deleting all you posted.

Our legal says all you posted here has parts of evidence which can be fired against you.

So act like hell to immediately delete everything!

Change your FF avatar: MickArneke (probably Michael Arneke) immediately too.  

