My cat did it – honest, Guv!

and he did it via remote access…

by Sam Raincock, IT and telecommunications expert witness

When evaluating computer forensics cases the tricky part is often not just evaluating what is found but determining how it came to reside there.

“It was downloaded via a web browser because I identified it in Temporary Internet Files…”
“I reconstructed the webpage and the image was downloaded as part of the page presented as SR1…”
“There is also evidence in the Internet History to support the proposition that the image was downloaded as part of the webpage…”
“Access to this website occurred after use of the search term ‘Forensic Focus’…”

However, sometimes computer forensics isn’t just about what happened and proving intent, it’s also about proving whodunit and ensuring the correct person is prosecuted for the crime they committed.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

In the simplest of scenarios, it may be that an organisation has a policy (or not, as the case may be) of sharing user accounts or that the computer is used in a location where multiple people have access to it. In these situations, it may be that the perpetrator alleges that someone else is responsible or that there is doubt about who is the culprit.

Beyond Reasonable Doubt?

If a case is not investigated fully, it could fall at the first hurdle no matter how strong the evidence is of the crime. Ultimately, in a Criminal Court in the UK, the Prosecution needs to prove that the case against an accused is deemed to be beyond reasonable doubt. There are books written on the meaning of this phrase and suffice to say I am neither qualified nor knowledgeable enough to comment on its full meaning. However, in essence, it is built upon the fundamental principles that a person is innocent until proven guilty and that a Judge/Jury/Magistrate must be sure that the person is guilty (and if not, they should return a verdict of not guilty). Hence, this may present a problem for prosecuting computer cases where it can be clearly shown other people were accessing the computer.

Tackling the question of who was using the computer at the time

The issue of who was using the computer may be simple if it is possible to use other case evidence, for example if some of the alleged computer activity occurs (assuming an accurate time has been established) at a time when it is known others were not able to access the computer – they were not in the building or were known to be elsewhere. However, sometimes it is only the computer evidence upon which the judgement will be relied upon. In these types of matters, it is often necessary to investigate the activity around the times of the alleged offenses to determine if there is evidence of another party using the computer.

“A user listened to music by a particular artist, they then created a document named “Joe Bloggs” containing what appears to be a CV, exhibited as SR1. Five minutes after this document was created, the computer contains evidence that offending material was downloaded after the search term “DVD cover files”. The user then visited the Amazon website and accessed an account with the username “joe.bloggs” and password “bloggsy73”. They then accessed a perl script and whilst editing of this file occurred there was access to the offending files…”

In my experience, when investigating these types of cases, it is often when a list of activity is placed before an accused party that they admit their involvement. It becomes hard to deny patterns of their own behaviour and sometimes more importantly that such behaviour would be easily identifiable as them to others. Similarly, such analysis may find evidence of another person’s involvement which could end up turning a case around.

Analysis of user behaviour may also be crucial when the other users are deceased or where two people are accused of the same crime and it is necessary to determine what evidence is attributed to each defendant so that they can be appropriately charged.

New Evidence?

Although analysing user behaviour is often performed to provide strength to the question of whodunit, it may also be useful in determining new evidence.

I examined a case where I started analysing the usage patterns of the computer to determine how the previous two weeks may have influenced the sequence of events which led to a crime. During this analysis, it became apparent that there was (suggestive) evidence that two people were using the computer since there appeared to be different usage patterns exhibited. Although I didn’t know it before I started, the events that were uncovered were crucial to determining the motives in the case and a guilty plea.

Remote Access and Viruses

As investigators, sometimes we are asked the seemingly impossible question “could remote access or a virus be responsible?”

To analyse the possibilities fully for both of these questions is technically difficult and in some respects impossible to perform with certainty. However, my advice when facing such a defence is to think of the problem laterally and similar to any other whodunit investigation. How do viruses work? What evidence would disprove remote access as an explanation?

Let’s first look at viruses. How does a virus behave? The problem for an examiner is that we may not know exactly what a virus will do– they are a computer program, hence, they behave the way a programmer coded it. However, evaluating the evidence as a whole may assist. Is it likely that a virus will search on Limewire (or insert evidence to suggest this has occurred), download files related to the search, log into Amazon and buy a book, edit a CV, edit the TIF and IH and access the offending files? and then access the files three days later? And will this virus provide a similar pattern of evidence on multiple occasions?

Similarly with remote access…what types of remote access are permitted on the computer? Will this mean all users see the same session or will multiple sessions be created? What evidence would disprove remote access as a feasible explanation? Although this topic is perhaps an article in its own right, my advice is that beyond examining general usage behaviour, investigate the computer specifically for evidence that would tie a user to their machine, e.g. use of a CD-ROM, inserting a memory/USB stick etc. This would preferably be activity around the time of the offenses to show that a person was physically present when they were taking place. However, in the absence of this type of usage, it may be that an overall behaviour analysis at known times when a user was present may be compared to general usage around the time of the offenses to discover if there are any correlating patterns.

Think Laterally

Sometimes investigating cases is not just about the technical solutions but more about the lateral thinking process you can apply to investigate what may seem technically impossible.

Click here to discuss this article.

Read Sam’s previous columns

Sam Raincock Consultancy operates throughout the UK and Ireland providing IT and telecommunications expert witness services, training and IT security consultancy.

Sam specialises in the evaluation of digital evidence from the analysis of telephones to determining the functionality of software systems (and almost anything in-between). She also provides overview assessments of cases, considering different sources of evidence in the context of a whole incident to highlight inconsistencies particularly due to digital devices. Sam can be contact direct on +44 (0)1429 820131, sam@raincock.co.uk or http://www.raincock.co.uk.

Leave a Comment

Latest Videos

Digital Forensics News Round Up, March 27 2024 #dfir #digitalforensics

Forensic Focus 27th March 2024 6:06 pm

Digital Forensics News Round-Up, March 21 2024 #digitalforensics #dfir

Forensic Focus 21st March 2024 6:15 pm

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles