
Copied from USB?

(@dleer)
Active Member
Joined: 17 years ago
Posts: 5
Topic starter  

Hi all!

I have a case where a student, using a teacher’s logged in computer in the classroom, is accusing this teacher of having 2 pictures of her in his profile’s “My Pictures” folder. I am trying to determine who of the student or teacher put the pictures in the folder. XP Pro / SP3

These pictures’ contents are not inappropriate. The student says that he got them off of her Facebook page but one of the two pictures (picture1.jpg) contains its EXIF info so we know that it didn’t come from there.

For picture1.jpg, the “Modified” time (4/29/2010 at 11:02:22 PM) is a few hours after the time the EXIF info says the picture was taken (4/29/2010 at 6:10 PM). This would be the time that the picture was downloaded from the camera to a computer.
The “Created” time (11/1/2010 at 10:10:21 AM and 10:10:55 AM) would correspond to the times these files were created in the “My Pictures” folder.

On 11/1/2010 at 8:25:13 AM, a USB memory stick was connected to the teacher computer.

Given that both were using the same logged in session, I know that there won’t be any actions that can be tied to one or the other but finding out who was using the computer at certain times could help. Knowing who owns the USB memory stick could help too…

1) Thu Dec 31 2009 14:38:00 - m... - C:/Documents and Settings/teacher/My Documents/My Pictures/Student2.jpg
2) Thu Dec 31 2009 14:38:00 - macb - [EXIF] LNK/ModifyDate metadata from [/mnt/windows_mount/Documents and Settings/teacher/Recent/Student2.lnk]
3) Thu Dec 31 2009 14:38:00 - .a.. - [LNK] C:/Documents and Settings/teacher/My Documents/My Pictures/Student2.jpg <-/mnt/windows_mount/Documents and Settings/teacher/Recent/Student2.lnk
4) Thu Apr 29 2010 18:10:56 - macb - [EXIF] EXIF/CreateDate metadata from [/mnt/windows_mount/Documents and Settings/teacher/My Documents/My Pictures/student1.jpg]
5) Thu Apr 29 2010 18:10:56 - macb - [EXIF] EXIF/DateTimeOriginal metadata from [/mnt/windows_mount/Documents and Settings/teacher/My Documents/My Pictures/student1.jpg]
6) Thu Apr 29 2010 23:02:22 - m... - C:/Documents and Settings/teacher/My Documents/My Pictures/student1.jpg
7) Thu Apr 29 2010 23:02:22 - macb - [EXIF] LNK/ModifyDate metadata from [/mnt/windows_mount/Documents and Settings/teacher/Recent/student1.lnk]
8) Thu Apr 29 2010 23:02:22 - .a.. - [LNK] C:/Documents and Settings/teacher/My Documents/My Pictures/student1.jpg <-/mnt/windows_mount/Documents and Settings/teacher/Recent/student1.lnk
9) Mon Nov 01 2010 08:25:13 - macb - [SetupAPI] DriverContext Reported hardware ID(s) from device parent bus. Context Reported compatible identifiers from device parent bus. Context Driver install entered (through services.exe). Information Compatible INF file found. Information Install section. Context Processing a DIF_SELECTBESTCOMPATDRV request. Information [c:/windows/inf/disk.inf]. Information . Information . Information . Context Processing a DIF_SELECTBESTCOMPATDRV request. Information Copy-only installation [USBSTOR/DISK&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_8.02/334952057EE1BA95&0]. Context Processing a DIF_SELECTBESTCOMPATDRV request. Information . Context Processing a DIF_SELECTBESTCOMPATDRV request. Context Installation in progress [c:/windows/inf/disk.inf]. Information . Context Processing a DIF_SELECTBESTCOMPATDRV request. Information [USBSTOR/DISK&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_8.02/334952057EE1BA95&0]. Information Device successfully setup [USBSTOR/DISK&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_8.02/334952057EE1BA95&0].
10) Mon Nov 01 2010 08:25:18 - macb - [SetupAPI] DriverContext Reported hardware ID(s) from device parent bus. Context Reported compatible identifiers from device parent bus. Context Driver install entered (through services.exe). Information Compatible INF file found. Information Install section. Context Processing a DIF_SELECTBESTCOMPATDRV request. Information [c:/windows/inf/volume.inf]. Information . Information . Information . Context Processing a DIF_SELECTBESTCOMPATDRV request. Information Copy-only installation [STORAGE/REMOVABLEMEDIA/7&3557892&0&RM]. Context Processing a DIF_SELECTBESTCOMPATDRV request. Information . Context Processing a DIF_SELECTBESTCOMPATDRV request. Context Installation in progress [c:/windows/inf/volume.inf]. Information . Context Processing a DIF_SELECTBESTCOMPATDRV request. Information [STORAGE/REMOVABLEMEDIA/7&3557892&0&RM]. Information Device successfully setup [STORAGE/REMOVABLEMEDIA/7&3557892&0&RM].
11) Mon Nov 01 2010 08:25:30 - m..b - C:/WINDOWS/Prefetch/WIAACMGR.EXE-212ED878.pf
12) Mon Nov 01 2010 08:25:35 - ...b - C:/Documents and Settings/teacher/Recent/File1.lnk
13) Mon Nov 01 2010 08:25:35 - ...b - C:/Documents and Settings/teacher/Recent/Removable Disk (E).lnk
14) Mon Nov 01 2010 08:25:59 - ...b - C:/Documents and Settings/teacher/Recent/File2.lnk
15) Mon Nov 01 2010 08:26:02 - ...b - C:/Documents and Settings/teacher/Application Data/Microsoft/Office/Recent/Removable Disk (E).LNK
16) Mon Nov 01 2010 08:26:03 - macb - [IE History] URLVisited teacher@file:///E:/File2.ppt cache stored in /URL -
17) Mon Nov 01 2010 08:26:03 - ma.. - C:/Documents and Settings/teacher/Recent/File2.lnk
18) Mon Nov 01 2010 08:27:20 - ...b - C:/Documents and Settings/teacher/Recent/student1.lnk
19) Mon Nov 01 2010 08:28:05 - ...b - C:/Documents and Settings/teacher/Recent/student2.lnk
20) Mon Nov 01 2010 10:10:21 - ...b - C:/Documents and Settings/teacher/My Documents/My Pictures/student1.jpg
21) Mon Nov 01 2010 10:10:26 - macb - [IE History] URLVisited teacher@file:///E:/student1.jpg cache stored in /URL -
22) Mon Nov 01 2010 10:10:40 - macb - [IE History] URLVisited teacher@file:///E:/File1.jpeg cache stored in /URL -
23) Mon Nov 01 2010 10:10:40 - ma.. - C:/Documents and Settings/teacher/File1.lnk
24) Mon Nov 01 2010 10:10:55 - ...b - C:/Documents and Settings/teacher/My Documents/My Pictures/student2.jpg
25) Mon Nov 01 2010 10:10:55 - ...b - C:/Documents and Settings/teacher/My Documents/My Pictures/Student2.jpg
26) Mon Nov 01 2010 10:10:55 - macb - [EXIF] LNK/CreateDate metadata from [/mnt/windows_mount/Documents and Settings/teacher/Recent/Student2.lnk]
27) Mon Nov 01 2010 10:10:55 - ..cb - [LNK] C:/Documents and Settings/teacher/My Documents/My Pictures/Student2.jpg <-/mnt/windows_mount/Documents and Settings/teacher/Recent/Student2.lnk
28) Mon Nov 01 2010 10:14:37 - macb - [IE History] URLVisited teacher@file:///C:/Documents and Settings/teacher/My Documents/student1.jpg cache stored in /URL -
29) Mon Nov 01 2010 12:03:49 - macb - [IE History] URLVisited teacher@file:///E:/Student2.jpg cache stored in /URL -
30) Mon Nov 01 2010 12:06:55 - macb - [IE History] URLVisited teacher@file:///C:/Documents and Settings/teacher/My Documents/Student2.jpg cache stored in /URL -
31) Mon Nov 01 2010 12:08:08 - macb - [IE History] URLVisited teacher@file:///C:/Documents and Settings/teacher/My Documents/My Pictures/Student2.jpg cache stored in /URL -
32) Mon Nov 01 2010 12:08:08 - macb - [EXIF] LNK/AccessDate metadata from [/mnt/windows_mount/Documents and Settings/teacher/Recent/Student2.lnk]
33) Mon Nov 01 2010 12:08:08 - m... - [LNK] C:/Documents and Settings/teacher/My Documents/My Pictures/Student2.jpg <-/mnt/windows_mount/Documents and Settings/teacher/Recent/Student2.lnk
34) Mon Nov 01 2010 12:08:08 - ma.. - C:/Documents and Settings/teacher/Recent/Student2.lnk
35) Thu Nov 04 2010 14:54:04 - macb - [IE History] URLVisited teacher@file:///C:/Documents and Settings/teacher/My Documents/My Pictures/student1.jpg cache stored in /URL -
36) Thu Nov 04 2010 14:54:04 - macb - [IE History] URLVisited teacher@file:///C:/Documents and Settings/teacher/My Documents/My Pictures/student1.jpg cache stored in /URL -
37) Thu Nov 04 2010 14:54:04 - .a.. - C:/Documents and Settings/teacher/My Documents/My Pictures/student1.jpg
38) Thu Nov 04 2010 14:54:04 - ma.b - C:/Documents and Settings/teacher/Recent/My Pictures.lnk
39) Thu Nov 04 2010 14:54:04 - ma.. - C:/Documents and Settings/teacher/Recent/student1.lnk

My questions would be:
- Would it be correct to say that the USB memory stick was inserted (line 9), a Windows Explorer window opened up displaying the files in thumbnail view?
- With this information, is there a way to tell that the 2 picture files were copied from the USB memory stick to the “My Pictures” folder? Lines 20 and 24 would tend to suggest that…

Thanks for your thoughts!
Dave


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Any chance to check the Serial of the USB stick?

Out of curiosity what is the charge?

I mean, IF someone uploads photos on a public place like Facebook, I presume that anyone is entitled to save them on his/her own computer.

As well I presume that anyone can see any other people's things on Facebook and visit any other people's profile.

Am I missing something?

jaclaz


   
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

I have a case where a student, using a teacher’s logged in computer in the classroom, is accusing this teacher of having 2 pictures of her in his profile’s “My Pictures” folder.

Umm. What was she doing using his login and, assuming that she had his permission, why was she looking in his "My Pictures" folder? If I tell you that you can sit at my desk that doesn't mean to imply that you can rifle through my file drawers.

I am trying to determine who of the student or teacher put the pictures in the folder. XP Pro / SP3

These pictures’ contents are not inappropriate. The student says that he got them off of her Facebook page

Huh? Based upon what follows, that makes little sense unless she is trying to set him up.

but one of the two pictures (picture1.jpg) contains its EXIF info so we know that it didn’t come from there.

The question is, is there a Facebook picture which appears to be identical to the picture found on the computer?

For picture1.jpg, the “Modified” time (4/29/2010 at 11:02:22 PM) is a few hours after the time the EXIF info says the picture was taken (4/29/2010 at 6:10 PM). This would be the time that the picture was downloaded from the camera to a computer.

How reliable are the dates? How have you established that they are reliable, especially the camera date?

Where were the pictures taken and by whom? Where was the teacher in relation to the picture taking or the camera?

So far your questions are more related to good detective work than forensics. Without the detective work, the forensics is circumstantial, at best and unreliable at worst.

The “Created” time (11/1/2010 at 10:10:21 AM and 10:10:55 AM) would correspond to the times these files were created in the “My Pictures” folder.

On 11/1/2010 at 8:25:13 AM, a USB memory stick was connected to the teacher computer.

Ok, who connected the USB device and to whom did it belong? Is no one admitting to having done it? Is there any evidence that the USB device had been connected to the teacher's computer, previously?

The student must have recognized the pictures if she thought that they were from Facebook, so who had possession all of these months between April and November? Who could have made copies?

1) Thu Dec 31 2009 14:38:00 - m... - C:/Documents and Settings/teacher/My Documents/My Pictures/Student2.jpg
2) Thu Dec 31 2009 14:38:00 - macb - [EXIF] LNK/ModifyDate metadata from [/mnt/windows_mount/Documents and Settings/teacher/Recent/Student2.lnk]
3) Thu Dec 31 2009 14:38:00 - .a.. - [LNK] C:/Documents and Settings/teacher/My Documents/My Pictures/Student2.jpg <-/mnt/windows_mount/Documents and Settings/teacher/Recent/Student2.lnk

Are the above dates, correct? They seem to predate when the photos in question were taken. And what is with the /mnt/windows_mount? Are you generating these data with a timeline tool such as what is found with the SIFT Workstation?

Jaclaz has, correctly IMHO, asked what is the issue here? Is the student alleging improper conduct on the part of the teacher or is there something else?

It seems to me that attempting to answer the question with digital forensics is putting the cart before the horse. What is needed, first, is good detective work. The forensics should be used to either support or rebut the witnesses' description of events, not to substitute for good interviewing skills.

Which gives me a chance to soapbox, here. Frequently, I am sent images or given a task in which I am asked to "Look at the computer and tell me what happened, here?" In almost every case my response is "What did the subject say happened?"

I don't say this to be flip. Digital forensics is a part of good detective work, not a substitute for it. Computers can be manipulated to tell any story that you want but you have to be pretty good to manipulate them in such a way that it can't be detected. Nonetheless, the story begins with the witnesses not the devices.

What is the student interested in having happen by making this claim? Why? Is she the only student to be given access to the teacher's computer or are there others?

What is the school policy with respect to personal folders on school computers? Is there a roaming desktop or is the only copy what is kept on the C drive?

There are a lot of other questions that I would want to see answered before I attempted to make sense of the digital data.


   
(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
 

Ok, I did not spend a ton of time looking over your output, but here is what I am seeing thus far

1. You can say that at Mon Nov 01 2010 08:25:13 a U3 CRUZER MICRO with the serial number 334952057EE1BA95 was plugged in for the first time.

2. Technically, as far as my limited understanding, you can not conclusively prove that a file was copied from and to somewhere; in that there is no log of copies, only of creation. I guess if I were in your shoes, I would do some Link file analysis, and look if any of the pictures point to the USB drive near when the suspected copying took place. I would also do some Registry analysis to try and determine when the USB stick was taken out. Carvey lists a specific registry key, but the one time I tried this it did not make logical sense. Thumbs.DB and Internet Explorer cache would be good places to turn over as well. Until most of those things were examined, I personally would not feel comfortable saying the pictures were copied from the thumbdrive. I do not believe that a simple timeline is going to give you the answers you are seeking.

That said, the above depends on what exactly you are trying to prove or disprove.
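
Added example (not part of any poster's reply, and not code from the thread): a small Python check that pairs each file born on the system drive with same-named `file:///` references to another drive letter within a time window, and notes whether a USBSTOR setup event came first. The sample lines are constructed, modelled on lines 9, 20, 21, 24 and 29 of the timeline above with a placeholder device ID; the function names, the 5-minute window and the assumption that `C` is the system drive are illustrative. A match shows temporal proximity only, since the file system records creation and not copying.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on lines 9, 20, 21, 24 and 29 of the thread's
# timeline, with timestamps written as HH:MM:SS. The device ID is a placeholder.
SAMPLE = """\
Mon Nov 01 2010 08:25:13 - macb - [SetupAPI] Device successfully setup [USBSTOR/DISK&VEN_EXAMPLE&PROD_EXAMPLE/SERIAL_PLACEHOLDER&0]
Mon Nov 01 2010 10:10:21 - ...b - C:/Documents and Settings/teacher/My Documents/My Pictures/student1.jpg
Mon Nov 01 2010 10:10:26 - macb - [IE History] URL visited teacher@file:///E:/student1.jpg cache stored in /URL -
Mon Nov 01 2010 10:10:55 - ...b - C:/Documents and Settings/teacher/My Documents/My Pictures/Student2.jpg
Mon Nov 01 2010 12:03:49 - macb - [IE History] URL visited teacher@file:///E:/Student2.jpg cache stored in /URL -
"""

LINE_RE = re.compile(
    r"^(\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) - ([macb.]{4}) - (.+)$")
# Drive letter plus path up to the first file extension followed by a space/EOL.
FILE_URL_RE = re.compile(r"file:///([A-Za-z]):/(.+?\.\w+)(?=\s|$)")


def parse(text):
    """Return (timestamp, macb_flags, description) for each well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %Y %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events


def basename(path):
    """Lower-cased final path component (NTFS names are case-insensitive)."""
    return path.rstrip("/").rsplit("/", 1)[-1].lower()


def correlate(events, system_drive="C", window=timedelta(minutes=5)):
    """Pair each local file birth with same-named references to another drive."""
    births, refs, usb_setups = [], [], []
    for ts, flags, desc in events:
        url = FILE_URL_RE.search(desc)
        if desc.startswith("[SetupAPI]") and "USBSTOR" in desc:
            usb_setups.append(ts)
        elif url and url.group(1).upper() != system_drive:
            refs.append((ts, url.group(1).upper(), basename(url.group(2))))
        elif "b" in flags and desc.upper().startswith(system_drive + ":/"):
            births.append((ts, desc))  # plain file system entry with a birth time
    results = []
    for born, path in births:
        near = [(r_ts, drv) for r_ts, drv, name in refs
                if name == basename(path) and abs(r_ts - born) <= window]
        results.append({
            "path": path,
            "born": born,
            "usb_setup_before": any(s <= born for s in usb_setups),
            "nearby_refs": near,
        })
    return results


if __name__ == "__main__":
    for r in correlate(parse(SAMPLE)):
        print(r["born"], r["path"], r["usb_setup_before"], r["nearby_refs"])
```

On the sample, only the first picture has a removable-drive reference inside the window; the second picture's reference falls almost two hours after its creation time and needs a wider window to pair.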


   
hcso1510
(@hcso1510)
Reputable Member
Joined: 15 years ago
Posts: 303
 

OK, so a female student that was using a male teacher's computer is trying to say that she found two pics of her on his Facebook profile. Off the top of my head I wonder if Facebook can tell when the photos were posted?

As others have asked "What crime has been committed?" As a former SRO I have been put in situations where the Administration wanted me to investigate policy issues rather than criminal ones. Is that possibly what is going on here? The tail ain't supposed to wag the dog, but it happens.

Using the term "totality of the circumstances" I wonder what their relationship was prior to the discovery of these images? What kind of grades did she have? Any evidence of texting between the two? I wonder why the hell he was logged into Facebook, but if he chose the "keep me logged in" option she could have just clicked on it and been in like Flynn.
I guess I would want to know if the Teacher was present at whatever event to have taken the photos, but I guess someone else could have given him the photos?

Hopefully you will return to give us an update


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

It seems to me that attempting to answer the question with digital forensics is putting the cart before the horse. What is needed, first, is good detective work. The forensics should be used to either support or rebut the witnesses' description of events, not to substitute for good interviewing skills.

JFYI (and in case of need of a practical example wink )
http://www.marriedtothesea.com/
http://www.marriedtothesea.com/110410/put-the-cart.gif

jaclaz


   
(@techie714)
Eminent Member
Joined: 15 years ago
Posts: 37
 

Just throwing this out there, I've used this software before & it works pretty well. USBDeview

http://www.nirsoft.net/utils/usb_devices_view.html


   
pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

Hi all!

I have a case where a student, using a teacher’s logged in computer in the classroom, is accusing this teacher of having 2 pictures of her in his profile’s “My Pictures” folder. I am trying to determine who of the student or teacher put the pictures in the folder. XP Pro / SP3

What account owns the file?

And when you find that out, can you prove who the 'person' was at the keyboard?

These pictures’ contents are not inappropriate. The student says that he got them off of her Facebook page but one of the two pictures (picture1.jpg) contains its EXIF info so we know that it didn’t come from there.

When you upload a JPG to Facebook from your camera's SD card - does Facebook strip the EXIF information?

My questions would be
- Would it be correct to say that the USB memory stick was inserted (line 9), a Windows Explorer window opened up displaying the files in thumbnail view?
- With this information, is there a way to tell that the 2 picture files were copied from the USB memory stick to the “My Pictures” folder? Lines 20 and 24 would tend to suggest that…

Do you have both the thumbdrive and the hard drive?

You have a good working theory at this point - try to prove it wrong or find some inconsistencies.


   
(@dleer)
Active Member
Joined: 17 years ago
Posts: 5
Topic starter  

Sorry for taking so long to respond… Been pretty busy!

@jaclaz
- There isn’t any charge yet. The teacher had 2 accusations brought against him and this is one of them.
- The USB stick is not available so no chance on checking it out.
- Whatever is out on the web and publicly available is usually up for grabs to download. So if the teacher did download those pictures, it wouldn’t be too much of a problem. The problem arises when the teacher bypasses the school’s content filter because access to social networks from school networks is blocked.
- Facebook users can make their profile private, allowing only their “friends” access to their pictures and other content. The user has to accept a friend so in this case, the student would have had to “befriend” the teacher. In many schools and districts, it is against policy for teachers and students to mingle for reasons that are not academic.

@seanmcl
- Usually, there aren’t as many computers as students in a classroom, so it is permissible for a student to use the teacher’s computer, while it’s logged into with his/her credentials, for research purposes. Policy stipulates that the teacher has to be present in the classroom.
- Since the student’s Facebook profile is private, I cannot see what pictures she has posted.
- Given that the EXIF data exists for the picture in question, it shows that it was taken with a camera phone. Therefore, the date and time should be correct since the phone synchronizes date and time with the cell phone provider.
- The student took the picture of her reflection in a mirror.
- Who knows where the teacher was? All I can say is that he wasn’t in the picture…
- It is not known to whom the USB stick belongs to. I don’t have access to the classroom and cannot interrogate the teacher or student.
- You can see that the first line of the timeline is for a picture named “student2.jpg”. The “student1.jpg” picture was taken 4 months later.
- I’m sure that if I was allowed to question the teacher and student, both would deny having ever put those pictures in that folder. It would be the word of one against that of another.

@hcso1510
- If you click on a picture posted in someone’s Facebook profile, the date that it was added is shown. In my case, I cannot access the student’s pictures.
- The “crime”, more like a possible policy infringement, would be teacher-student involvement. Depending on policy, this could result in the teacher’s dismissal.
- There aren’t any history entries relative to Facebook or any proxy servers or sites.
- At the time the student says that she discovered the pictures in the teacher’s “my Pictures” folder, the teacher was absent from the classroom, a blatant breach of policy.

@Techie714
- Thanks for the link. I’ve used that tool before as well as USBDeviceForensics (http://www.woany.co.uk/usbdeviceforensics/).

@pbobby
- The owner of the files is the teacher’s domain account, settings that were inherited when the files were copied to the destination folder.
- The teacher was certainly not at the keyboard since he had left the classroom, leaving the computer logged on with his credentials.
- Facebook will strip all EXIF data from an uploaded picture and resize it to their maximum allowable size. I forgot now what that size is but it’s certainly smaller than the file size shown by its EXIF data.
- The only available media was the hard drive.

From what I have gathered, I cannot say who of the teacher or student put those pictures in the teacher’s “My Pictures” folder. I also don’t know who the USB memory stick belongs to or who was at the keyboard. There’s simply not enough data to come to a definite conclusion. Based on my report and their own internal information and conclusions, the school has now closed the case.

Thanks to everyone for their assistance and insight!


   
hcso1510
(@hcso1510)
Reputable Member
Joined: 15 years ago
Posts: 303
 

Thanks for the update. I don’t know if you plan on addressing more questions, but I have some.

If nothing more this is sort of like forensicakb’s investigation thread?

You mentioned Facebook strips exif data and resizes uploaded images. Do they maintain the exif data and can they provide that info upon being served with judicial process?

When was the student’s photo placed in the teacher’s “my photos?” Now if you have the date, could Facebook provide you with a specific time it was uploaded?

Since you don’t have access to the classroom can I assume that you are not in law enforcement? This seems to be one of many cases where forensics and investigations go hand in hand.

Do you know if there was any previous communication between the student and the teacher? SMS, CDR’s? Was the teacher planning on giving her a failing grade?

I wonder if the teacher volunteered or was asked to take a polygraph?
If Facebook strips exif data then how would one of the pics contain exif data if you got the pics from Facebook? (picture1.jpg)

On 11/1 at 8:25:13 am was class in session and was that student that made the discovery on the teacher’s computer? Was there a student using the computer earlier in the day? Did he make a habit of allowing the same students to use his computer on a daily basis?

The 10:10:21 and 55 times. Is there a time differential here? Does this have to do with GMT or maybe the location of a server?

What did the school ultimately do?

I know you may not be able to answer these questions but it’s fun to exercise my noggin from time to time.


   