My cat did it – honest, Guv!

and he did it via remote access…

by Sam Raincock, IT and telecommunications expert witness

When evaluating computer forensics cases, the tricky part is often not just evaluating what is found but determining how it came to reside there.

“It was downloaded via a web browser because I identified it in Temporary Internet Files…”
“I reconstructed the webpage and the image was downloaded as part of the page presented as SR1…”
“There is also evidence in the Internet History to support the proposition that the image was downloaded as part of the webpage…”
“Access to this website occurred after use of the search term ‘Forensic Focus’…”

However, sometimes computer forensics isn’t just about establishing what happened and proving intent; it is also about proving whodunit and ensuring that the correct person is prosecuted for the crime they committed.



In the simplest of scenarios, it may be that an organisation has a policy (or not, as the case may be) of sharing user accounts, or that the computer is used in a location where multiple people have access to it. In these situations, the accused may allege that someone else is responsible, or there may simply be doubt about who the culprit is.

Beyond Reasonable Doubt?

If a case is not investigated fully, it could fall at the first hurdle no matter how strong the evidence of the crime is. Ultimately, in a Criminal Court in the UK, the Prosecution needs to prove the case against an accused beyond reasonable doubt. There are books written on the meaning of this phrase and suffice to say I am neither qualified nor knowledgeable enough to comment on its full meaning. However, in essence, it is built upon the fundamental principles that a person is innocent until proven guilty and that a Judge/Jury/Magistrate must be sure that the person is guilty (and if not, they should return a verdict of not guilty). Hence, this may present a problem for prosecuting computer cases where it can be clearly shown that other people were accessing the computer.

Tackling the question of who was using the computer at the time

The issue of who was using the computer may be simple if it is possible to use other case evidence, for example if some of the alleged computer activity occurs (assuming an accurate time has been established) at a time when it is known others were not able to access the computer: they were not in the building or were known to be elsewhere. However, sometimes the judgement will rely on the computer evidence alone. In these types of matters, it is often necessary to investigate the activity around the times of the alleged offences to determine whether there is evidence of another party using the computer.

“A user listened to music by a particular artist, they then created a document named “Joe Bloggs” containing what appears to be a CV, exhibited as SR1. Five minutes after this document was created, the computer contains evidence that offending material was downloaded after the search term “DVD cover files”. The user then visited the Amazon website and accessed an account with the username “joe.bloggs” and password “bloggsy73”. They then accessed a perl script and whilst editing of this file occurred there was access to the offending files…”

In my experience, when investigating these types of cases, it is often when a list of activity is placed before an accused party that they admit their involvement. It becomes hard to deny patterns of their own behaviour and, sometimes more importantly, that such behaviour would be easily identifiable as theirs by others. Similarly, such analysis may find evidence of another person’s involvement, which could end up turning a case around.

Analysis of user behaviour may also be crucial when the other users are deceased or where two people are accused of the same crime and it is necessary to determine what evidence is attributed to each defendant so that they can be appropriately charged.

New Evidence?

Although analysing user behaviour is often performed to strengthen the answer to the question of whodunit, it may also be useful in uncovering new evidence.

I examined a case where I started analysing the usage patterns of the computer to determine how the previous two weeks may have influenced the sequence of events which led to a crime. During this analysis, it became apparent that there was (suggestive) evidence that two people were using the computer since there appeared to be different usage patterns exhibited. Although I didn’t know it before I started, the events that were uncovered were crucial to determining the motives in the case and a guilty plea.

Remote Access and Viruses

As investigators, sometimes we are asked the seemingly impossible question “could remote access or a virus be responsible?”

To analyse the possibilities fully for both of these questions is technically difficult and in some respects impossible to perform with certainty. However, my advice when facing such a defence is to think of the problem laterally, as with any other whodunit investigation. How do viruses work? What evidence would disprove remote access as an explanation?

Let’s first look at viruses. How does a virus behave? The problem for an examiner is that we may not know exactly what a virus will do: it is a computer program and behaves the way its programmer coded it. However, evaluating the evidence as a whole may assist. Is it likely that a virus will search on Limewire (or insert evidence to suggest this has occurred), download files related to the search, log into Amazon and buy a book, edit a CV, write entries to the Temporary Internet Files (TIF) and Internet History (IH), access the offending files, and then access the same files again three days later? And will this virus produce a similar pattern of evidence on multiple occasions? This line of reasoning complements, rather than replaces, the technical checks: an anti-malware scan of the image and a review of persistence mechanisms (startup entries, services, scheduled tasks), with negative findings recorded alongside the behavioural argument.

Similarly with remote access… what types of remote access are permitted on the computer? Does the remote party drive the same console session that a local user would see (as with VNC-style screen sharing), or is a separate session created (as with Windows Remote Desktop, where the logon is recorded with a different logon type from a console logon)? What artefacts does the remote-access software itself leave (installation, configuration, connection logs, firewall rules), and are any present? What evidence would disprove remote access as a feasible explanation? Although this topic is perhaps an article in its own right, my advice is that beyond examining general usage behaviour, investigate the computer specifically for evidence that would tie a user to their machine, e.g. use of a CD-ROM, inserting a memory/USB stick (on Windows, recorded in the registry together with the device’s serial number where the device reports one) etc. This would preferably be activity around the time of the offences, to show that a person was physically present when they were taking place. However, in the absence of this type of usage, it may be that an overall behaviour analysis at known times when a user was present can be compared with general usage around the time of the offences to discover whether there are any correlating patterns.
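The two ideas above (matching a session’s activity against what is already known about each user, and looking for physical-presence artefacts close to the offending activity) can be expressed as a small timeline check. The following is an added example, not code from the author or from any tool; the timeline, the profile markers, the 30-minute session gap and the 15-minute presence window are all constructed assumptions for illustration, loosely modelled on the narrative earlier in the article.

```python
"""Added example: session attribution and physical-presence checks over a
constructed forensic timeline. Not the author's own method or tooling."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime      # established (not merely recorded) time of the artefact
    kind: str         # web, doc, music, login, file, usb, cdrom ...
    detail: str       # normalised description of the artefact


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample timeline; every entry is invented for illustration.
TIMELINE = [
    Event(_t("2010-03-01 09:02"), "music", "artist=The Smiths"),
    Event(_t("2010-03-01 09:10"), "doc", "created Joe Bloggs CV.doc"),
    Event(_t("2010-03-01 09:15"), "web", "search=DVD cover files"),
    Event(_t("2010-03-01 09:16"), "file", "offending_01.jpg downloaded"),
    Event(_t("2010-03-01 09:20"), "login", "amazon:joe.bloggs"),
    Event(_t("2010-03-01 09:25"), "usb", "USBSTOR serial=ABC123 first insert"),
    Event(_t("2010-03-01 09:30"), "file", "edit script.pl"),
    Event(_t("2010-03-02 20:00"), "login", "webmail:jane.doe"),
    Event(_t("2010-03-02 20:05"), "web", "search=knitting patterns"),
    Event(_t("2010-03-04 09:12"), "file", "offending_01.jpg accessed"),
    Event(_t("2010-03-04 09:14"), "music", "artist=The Smiths"),
]

# Hypothetical behaviour profiles: artefacts already tied to each person by
# other evidence (account ownership, document authorship, admitted habits).
PROFILES = {
    "joe": {"amazon:joe.bloggs", "created Joe Bloggs CV.doc",
            "artist=The Smiths", "edit script.pl"},
    "jane": {"webmail:jane.doe", "search=knitting patterns"},
}

# Artefact kinds that require someone physically at the machine.
PRESENCE_KINDS = {"usb", "cdrom"}


def sessions(events, gap=timedelta(minutes=30)):
    """Split a timeline into sessions separated by idle gaps longer than `gap`."""
    out, cur = [], []
    for e in sorted(events, key=lambda e: e.ts):
        if cur and e.ts - cur[-1].ts > gap:
            out.append(cur)
            cur = []
        cur.append(e)
    if cur:
        out.append(cur)
    return out


def attribute_session(session, profiles=PROFILES):
    """Count profile markers seen in a session.

    Returns (user, counts). `user` is None when no marker is present or when
    two profiles tie, so a session is never attributed on a coin flip.
    """
    counts = Counter()
    for e in session:
        for user, markers in profiles.items():
            if e.detail in markers:
                counts[user] += 1
    ranked = counts.most_common()
    if not ranked or (len(ranked) > 1 and ranked[0][1] == ranked[1][1]):
        return None, counts
    return ranked[0][0], counts


def presence_near(event, events, window=timedelta(minutes=15)):
    """Physical-presence artefacts within +/- `window` of `event`."""
    return [e for e in events
            if e.kind in PRESENCE_KINDS and abs(e.ts - event.ts) <= window]


def attribute_offences(events, marker="offending", profiles=PROFILES):
    """For each offending artefact: which profile the surrounding session
    matches, and what physical-presence evidence sits close to it."""
    results = []
    for s in sessions(events):
        user, counts = attribute_session(s, profiles)
        for e in s:
            if marker in e.detail:
                results.append({"ts": e.ts, "detail": e.detail, "user": user,
                                "markers": dict(counts),
                                "presence": presence_near(e, events)})
    return results


if __name__ == "__main__":
    for r in attribute_offences(TIMELINE):
        phys = ", ".join(p.detail for p in r["presence"]) or "none"
        print(f"{r['ts']} {r['detail']}: session matches {r['user']} "
              f"{r['markers']}; presence evidence: {phys}")
```

Run against the constructed timeline, the first offending artefact sits in a session carrying four of “joe”’s markers and has a USB insertion nine minutes later; the second, three days later, matches the same profile on a single marker and has no presence artefact within the window, which is exactly the kind of weaker link that should be reported as such rather than rounded up. The tie rule in `attribute_session` is deliberate: a session with one marker for each candidate user is left unattributed.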

Think Laterally

Sometimes investigating cases is not just about the technical solutions but more about the lateral thinking process you can apply to investigate what may seem technically impossible.


Sam Raincock Consultancy operates throughout the UK and Ireland providing IT and telecommunications expert witness services, training and IT security consultancy.

Sam specialises in the evaluation of digital evidence, from the analysis of telephones to determining the functionality of software systems (and almost anything in between). She also provides overview assessments of cases, considering different sources of evidence in the context of a whole incident to highlight inconsistencies, particularly those arising from digital devices. Sam can be contacted directly on +44 (0)1429 820131, sam@raincock.co.uk or http://www.raincock.co.uk.
