Please, help to resolve this.


Senior Member

Re: Please, help to resolve this.

Post Posted: Jul 02, 17 20:41

- RolfGutmann

Hold on. Make a decision. Just do it.

Will talk to my boss tonight, outside of the office. After that, I will ask for some help from my private attorney on what to do further - there is no question about the legality of our actions whatsoever - just, the question is that some EU institutions MUST be informed immediately.

If someone here has the experience of which of them are the most productive to be informed, and totally independent of the "Mediterranean influence", I will be glad to hear it. Even in the form of a private message to me.
OLAF is not appropriate - this is not in their sphere of competence, our lawyer told us. And nobody here has the slightest experience of how to do this properly and effectively.

Thank you all. Will keep all of you informed.
Will be glad of more opinions.  

Senior Member

Re: Please, help to resolve this.

Post Posted: Jul 02, 17 20:49

I can understand your indignation, but you seem to have (and I am not in any way saying incorrectly) brought into the matter some sort of ethical or ideological weight that may be inappropriate for handling the case.

All in all a forensic scientist should be a scientist and report just his/her findings and report and explain the methods through which these findings were discovered, and the appropriateness of these methods.

For just one second, let's talk INSTEAD of this specific case, of another, hypothetical one, one in which the suspect is believed by you to be actually guilty and you personally know the investigators involved as good, honest, well-meaning people (mind you, it shouldn't make ANY difference in the way you examine the case).

No matter if a number of protocols were violated or commonly accepted methods were not used, the point may be whether this violation affected the case (just playing Devil's Advocate).

I will give you a few examples:
1) the disk where the image of the original is created must be wiped beforehand
This is a common (and correct and smart) procedure, but it is not "vital" for the integrity of the image; surely it will be more complex to explain why this is not strictly needed, but still, using a non-wiped disk does not change the evidence.

2) the disk can only be accessed through a write blocker for imaging it.
This is a common (and correct and smart) procedure, but it is not necessarily "vital" for the integrity of the image (as an example a read only OS or a software write blocker may be used) and even if the integrity of the image cannot be guaranteed, that doesn't mean that - say - changing a disk signature in the MBR (or changing a key in the Registry) creates out of nowhere tens or hundreds of compromising e-mails, images, logs, etc., some (usually minor) modifications to the file system may compromise finding some files, but it won't create them.

3) breaking the chain of custody invalidates the evidence
The constant, accurate, and continuous maintaining of a chain of custody represents a common (and correct and smart) procedure, but it is not necessarily "vital". You can leave a disk on the back seat of a car for two days in a non-sealed bag, but this doesn't automatically mean that someone actually opened the car, got the disk, planted on it *any* (either incriminating or exculpating) evidence and then placed the disk back in the back of the car; it simply means that the LEO responsible for the custody cannot exclude that this happened.
And if you think a bit about it, the whole chain of custody (perfectly and continuously maintained) is only as reliable as the officer in charge of it is reliable, for a given time frame in the chain the device is in the hands of someone (or of someone else), and there is a presumption that this someone (or someone else) is honest, capable and properly trained and would never (intentionally or by accident) contaminate or tamper with a piece of evidence.
But the point remains whether there is proof of contamination (or tampering) or there is not.

- In theory there is no difference between theory and practice, but in practice there is. - 

Senior Member

Re: Please, help to resolve this.

Post Posted: Jul 02, 17 22:01


* There is no such paper labeled "chain of custody" in the judicial papers there - of any kind, of any sort!! None exists, simply. We do not talk about an imperfect one - we talk about a missing one.

* No illegal Internet activity whatsoever. No IP or MAC address shows illegal activities whatsoever.
* No illegal chats, no illegal Skype, no illegal e-mails, no illegal history, bookmarks - nothing.
* No illegal torrents, nothing.
* They present one false known.met analysis, which consists only of the names of the files, without any other details from the rest [i.e. dates, last written, last shared, etc.]; they are unable to present a working eMule installation of any kind there, with all its data, paths and needed registry values. No wiping software is present, of any kind! They exhibit the [non-existent] eMule "installation" path on the 3rd partition, but the lab mentioned only one partition in existence there. No hidden partitions, no other tricks there. No P2P global identifier is present that shows illegal activities whatsoever.

* The officer made a 4-hour live acquisition without a blocker - he simply put his USB stick into the defendant's computer, without ANY blocker. He admitted this in court! When asked "What did your USB have inside?" he did not answer. He admitted that he opened crucial files, changing their date/time stamps. When asked "Why?" he answered "This is of no importance - the most important thing for us is to put the man immediately behind bars" - just like you read this. This automatically invalidated the whole procedure there!

* There is no such thing as an "open bag, full of digital evidence" - everything must be sealed, written labels must exist, photographs of the HDDs in place, etc. Otherwise it is not admissible here. They extracted the HDDs from the defendant's computer - they did not confiscate the whole computer itself. Nobody here has the right to sit in a car, with a notebook in hand, and on his right side an open bag full of confiscated HDDs. This happened in their case - they travelled 6 hours by car to the capital. Please, do not tell us that this is legal... :)

* There is no hash on acquisition whatsoever. The lab is 4 MONTHS after! Not tomorrow. There is no sealed bag, no chain of custody paper! Based on what hash will the lab take all this for examination?? From the lab, half of the disks are without any hash whatsoever! Including the most important HDD, on the analysis of which they put the man in jail! Make it clear - the basic evidence has neither a hash on acquisition nor a hash from the lab. Legally? Where? In Africa? Maybe...

* The defense asks for the hash on acquisition as a precondition to take a copy of all HDD images. No hash on acquisition - no copies for the defense team - case collapses - the defense has the legal right to take genuine copies!! Because by this, the defendant exercises his fundamental rights in court!

* They manipulated the number of confiscated HDDs - they delivered to the capital 1 HDD less than they officially confiscated, and made a paper with 1 HDD LESS at the delivery point. And this document they stuck on the open bag [to be delivered 4 months later to the lab]. The next day, they understood that something was missing from the bag, found the missing HDD by its number and ADDED the missing disk to the open bag. A SECOND paper was created, with a number equal to the number on the confiscation paper - simply, they did not change the first document attached to the bag, and 4 months later the bag was in the lab with the "wrong" paper [i.e. one disk less]. No chain of custody - the bag is open - everyone puts in there whatever he likes. Thus the prosecutors were TOTALLY confused about the right number - until the last paper, they wrote 1 LESS, because they read the first paper, with one less! After the defense team's appeal, the last judicial paper has the "right number" and, hold on to your seats - ALL the rest of the judicial documents are "declared" simply a "typo's product".

* In court they ADMITTED verbally and openly that they "examined" the HDDs further AFTER their confiscation [i.e. after the live acquisition ended] - which is totally illegal!

* From the defense team's deep analysis - one confiscated HDD has an invalid serial and model number - such a disk simply does not exist in reality - the info is from the manufacturer. The lab gave an examination "result" from this disk. Have you heard of this happening, and where? I'm curious to know :).

* The most important, forensically speaking - the HDD contains evidence inside that forged things exist - like log file dates 2 years BEFORE the HDD was produced, AND NOT a single piece of evidence of time/date manipulation. Not a single one - and you know that there are many ways to investigate this.

And so on... registry values are presented WITHOUT any Windows installation present or mentioned!!
Or software on 4 partitions [partitions, not virtual HDDs, nor TrueCrypt volumes, nor USB HDDs] is presented by its path - the lab did not mention any of these partitions as existing in reality - the lab mentioned only one in existence.

Last edited by MickArneke on Jul 03, 17 03:18; edited 4 times in total
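Two points from the posts above lend themselves to a concrete check: the earlier reply's argument that a broken procedure matters only if it can be shown to have changed the evidence, and this post's complaint that the images were never hashed at acquisition and travelled for four months without a custody record. The following Python is an added example written for this thread, not code from any poster or from Forensic Focus; the function names, the `CustodyEntry`/`EvidenceItem` structures, the sample image bytes and the dates are all constructed for illustration. It hashes an image in chunks at acquisition, verifies a later copy against that hash (a single changed byte, such as a rewritten timestamp, is enough to fail it), and walks a custody ledger to list exactly the gaps a defense expert would raise: a hand-over with no re-hash, and an undocumented delay before the lab.

```python
"""Acquisition-hash and chain-of-custody checks (added example, not from the thread)."""
import hashlib
import io
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import BinaryIO, List, Optional

CHUNK = 1 << 20  # hash 1 MiB at a time so a multi-TB image never has to fit in RAM


def hash_stream(stream: BinaryIO, algorithm: str = "sha256") -> str:
    """Hash an image read sequentially from any binary stream (file or BytesIO)."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


@dataclass
class CustodyEntry:            # hypothetical ledger record, constructed for this example
    when: datetime
    handler: str
    action: str                # "acquired", "handed over", "received", "verified"
    sha256: Optional[str]      # hash the handler recorded at this step; None if nobody hashed


@dataclass
class EvidenceItem:            # hypothetical evidence record, constructed for this example
    label: str
    acquisition_sha256: str
    ledger: List[CustodyEntry] = field(default_factory=list)


def acquire(label: str, stream: BinaryIO, handler: str, when: datetime) -> EvidenceItem:
    """Hash at acquisition and open the ledger with that hash as the reference value."""
    digest = hash_stream(stream)
    item = EvidenceItem(label, digest)
    item.ledger.append(CustodyEntry(when, handler, "acquired", digest))
    return item


def log_step(item: EvidenceItem, when: datetime, handler: str, action: str,
             stream: Optional[BinaryIO] = None) -> None:
    """Append a custody step; if the handler re-hashed the image, record the result."""
    digest = hash_stream(stream) if stream is not None else None
    item.ledger.append(CustodyEntry(when, handler, action, digest))


def image_matches(item: EvidenceItem, stream: BinaryIO) -> bool:
    """True only if the image presented now is bit-for-bit what was acquired."""
    return hash_stream(stream) == item.acquisition_sha256


def custody_problems(item: EvidenceItem, max_gap: timedelta) -> List[str]:
    """List everything in the ledger a defense expert could legitimately object to."""
    problems: List[str] = []
    first = item.ledger[0] if item.ledger else None
    if first is None or first.action != "acquired" or not first.sha256:
        problems.append("no acquisition hash recorded")
    for prev, cur in zip(item.ledger, item.ledger[1:]):
        gap = cur.when - prev.when
        if gap > max_gap:
            problems.append(f"{prev.handler} -> {cur.handler}: undocumented gap of {gap.days} days")
        if cur.sha256 is None:
            problems.append(f"{cur.action} by {cur.handler}: no hash, cannot show image unchanged")
        elif cur.sha256 != item.acquisition_sha256:
            problems.append(f"{cur.action} by {cur.handler}: hash differs from acquisition hash")
    return problems


# --- constructed demonstration data (not real evidence, not from the case) ---------
SAMPLE_IMAGE = b"constructed sample disk image, sector " * 256 + b"\x00" * 512
T0 = datetime(2017, 3, 1, 10, 0, tzinfo=timezone.utc)   # constructed acquisition time


def demo_clean_image() -> bool:
    item = acquire("HDD-1", io.BytesIO(SAMPLE_IMAGE), "acquiring officer", T0)
    return image_matches(item, io.BytesIO(SAMPLE_IMAGE))


def demo_touched_image() -> bool:
    """One changed byte (e.g. an opened file's timestamp) breaks the acquisition hash."""
    item = acquire("HDD-1", io.BytesIO(SAMPLE_IMAGE), "acquiring officer", T0)
    touched = bytearray(SAMPLE_IMAGE)
    touched[100] ^= 0x01
    return image_matches(item, io.BytesIO(bytes(touched)))


def demo_weak_ledger() -> List[str]:
    """An unhashed hand-over and a four-month delay before the lab, as described above."""
    item = acquire("HDD-1", io.BytesIO(SAMPLE_IMAGE), "acquiring officer", T0)
    log_step(item, T0 + timedelta(hours=6), "capital office", "received")   # nobody re-hashed
    log_step(item, T0 + timedelta(days=120), "lab", "received", io.BytesIO(SAMPLE_IMAGE))
    return custody_problems(item, max_gap=timedelta(days=7))


if __name__ == "__main__":
    print("clean image verifies:", demo_clean_image())
    print("touched image verifies:", demo_touched_image())
    for problem in demo_weak_ledger():
        print("problem:", problem)
```

The design point is the one the earlier reply makes: a hash taken at acquisition turns "the officer cannot exclude that the disk changed" into a yes/no question that either side can answer by re-hashing, which is why its absence, rather than the open bag itself, is what leaves the lab's copy unverifiable.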

Senior Member

Re: Please, help to resolve this.

Post Posted: Jul 02, 17 22:22

It's not your job to inform an EU institution about this. This is all above your head.

It's your boss's job to do this; he is responsible for you. You have to convince him to do something. If you act above your boss, you will lose, because everybody will ask:

who are you?

who is your boss?

Your only job is to properly report this to your boss. Then stop.

Senior Member

Re: Please, help to resolve this.

Post Posted: Jul 02, 17 23:08

- MickArneke
My identity is well preserved. We have in hand a written order from our boss to help them – we act on a written order. We coordinate all our actions with our legal department. All of our work conversations and answers to them are recorded – this is the practice here. I do not do, or tell them, or send them, any illegal advice.

Better get outside legal advice that takes into consideration your personal risk, or speak to your in-house staff in greater depth, off the record, regarding "what if" scenarios. Internal legal departments are not the ones to stop a project.
Up to now, you don't seem well informed. A written order doesn't help you; it is evidence against you. Giving no "illegal advice" doesn't help you. It is the very nature of abetment that your actions - taken by themselves with no specific knowledge - may be perfectly legal, but you actually know that they contribute to someone's illegal activity. In my words, you said that you'd help foreign police officers to make their forged evidence seem legit, or at least a little "cleaner", which leads to the prosecution of a potentially innocent person. Moral doubt doesn't help you either, if you do it anyway.
You stand on the thin ice of German case law, that an accessory, acting within his professional scope, must act in inner solidarity with the perpetrator to be liable to prosecution. A jurisdiction which is mainly constructed around legal advisors and can easily break underneath your feet, or is seen completely differently in the defendant's home country.

Last edited by C.R.S. on Jul 02, 17 23:32; edited 1 time in total

Senior Member

Re: Please, help to resolve this.

Post Posted: Jul 02, 17 23:28

- MickArneke
Legally? where? in Africa? may be... .

An (admittedly very) old N.Y. (United States of America) case, JFYI:

- In theory there is no difference between theory and practice, but in practice there is. - 

Senior Member

Re: Please, help to resolve this.

Post Posted: Jul 03, 17 00:01

Mick can you confirm exactly which:

(I) Legislation has been breached relevant to your country by reference to the Law title/Clause etc.?
(II) Regulation/s that have been breached by the officer's conduct?
(III) Law Enforcement Procedures that have been breached by the officer's conduct?
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 

Page 3 of 13