Forensic Report (Created/Modified/Deleted Date of files)

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

In fact, I would be willing to translate the whole document and PM it to you (or you can PM me your email and I can email it to you), if you'd like me to - that is IF you're interested and willing to read it. In other words, before I invest the time to translate the document, I need to know that someone will read it.

Well, it would be a lot of work for you and probably it would lead to nowhere for the reasons I exposed earlier, maybe I could find some other "red flag alerts", but still all they could represent could be some raised eyebrows.

What you (actually your lawyer friend) really need is the actual disk images and have them examined "fresh" by an independent expert that from the actual data may confirm or debunk the conclusions of that report.

In your situation, with only what seems like "the findings" all you can do is decide whether they seem OK to you or they seem not OK.

I mean, IF when you read the report you had found everything clear, consequential and logical, it would have been possible to avoid this new examination of the data, but the moment you have even only one little doubt this becomes necessary and unavoidable.

Your role is more or less that of a "quality control" on a production line, you examine the product and if *anything* in it doesn't satisfy you, you mark it as defective and send it back to production, you may well report what issues you found, but still the problem is to be solved by the production engineers that will need to fix/repair the product or produce one more without defects.

Please understand that this is Greece, and we are pretty much on par with Papua New Guinea on these matters.

I don't think there is that much distance from Greece to Italy, and I believe the very basics of a trial or litigation are the same in most of the western world, the standard procedure is that an "expert witness" report is verified and if needed countered by the other side's expert witness report, whenever the first one is thought to be either lacking or plainly wrong, and both parties have access to verified disk images.

As a side note, I found the LinkedIn profile of the forensic analyst in question. He has the following certifications CFCE, ACE, CEECS.

Yep, but those are more or less "badges", they say that the guy studied and passed an exam/certification, which is good of course but they obviously don't say anything about the quality of his work or specifically on the quality of this particular report, and everyone can of course make mistakes or do for a number of reasons some sloppy work.

Another expert analyzing the same RAW data may logically get to completely different conclusions, or may confirm the overall results of the previous report correcting procedure errors or possible omissions, there is no way to say in advance.

jaclaz


   
ReplyQuote
(@elder_futhark)
Active Member
Joined: 10 years ago
Posts: 5
Topic starter

*snip*

Hello jaclaz,

What can you infer from the following sample dates?

Sample

First of all, can you understand whether the files were originally downloaded from the machine they were recovered from by looking at this sample? Could these two sample files have been copied from an external HDD to the machine they were recovered from (why/why not)? I can post more samples if it would help. Could one arrive at any specific/definite conclusions by looking at these samples/dates?
The "Last Written" date on the first file is 5 years earlier than the other dates, and on the second file it is 6 years earlier. What does that mean?
Finally, could these files have been hidden [file properties->attributes->hidden]?
Generally speaking, how does EnCase "treat" or "see" hidden files that were created, or copied, or moved on a HDD, and ultimately deleted?

Thank you.


   
ReplyQuote
PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

You can't infer anything - the data is provided completely out of context and (without appearing to be rude) is why I say you should walk away from this. If you ask questions like this then in my opinion you are not nearly qualified enough to do the job as you have a huge hole in your understanding of the relevance and weight to be applied to discrete data.

I'm sure you have more information - such as the path. But the fact that you supplied just that small screenshot without supporting data and asked the question you did really casts doubts on your ability.

As I said I am not trying to offend but just giving my opinion. What I suppose I am doing is commenting on your methodology without access to all the data (which is what you are doing). Arguably having been to court on numerous occasions and having written hundreds of reports and looked at hundreds of other experts' reports I know what I am doing though )


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I have to agree with Paul…


   
ReplyQuote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

What can you infer from the following sample dates?

I can infer nothing, but we can play this game the other way round.
Get from here:
http://www.filedropper.com/testmft

a file containing a smallish NTFS image with just three (empty) files, of which one is deleted, and a .csv extraction of the $MFT data created with the nice tool by Joakim Schicht, Mft2Csv:
http://www.forensicfocus.com/Forums/viewtopic/t=8010/
https://github.com/jschicht/Mft2Csv

Compare the information in the .csv with the data you provided, and tell me if they seem to you more complete (or more detailed) than the ones you provided.

jaclaz


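As an added illustration of jaclaz's point that an $MFT extraction carries more than the four dates in a screenshot (this is not code from the thread or from Mft2Csv; the FILE record bytes are constructed here, and the "$SI created earlier than $FN created" check is the reviewer's own rule of thumb, not something the thread states): Python that builds a minimal MFT record, parses both the $STANDARD_INFORMATION and $FILE_NAME timestamp sets, and flags the inconsistency.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
LABELS = ("created", "modified", "mft_modified", "accessed")

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def _attr(atype, body):
    """Resident attribute: 24-byte header, content at offset 24, total length padded to 8."""
    body += b"\x00" * (-len(body) % 8)
    return struct.pack("<IIBBHHHIHBB", atype, 24 + len(body), 0, 0, 24, 0, 0, len(body), 24, 0, 0) + body

def build_record(si, fn, name):
    """Constructed minimal FILE record (test data, not from any real disk): 56-byte header whose
    first-attribute offset is 56, then resident $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30)."""
    hdr = (b"FILE" + struct.pack("<HHQHHHHII", 48, 3, 0, 1, 1, 56, 1, 0, 1024)).ljust(56, b"\x00")
    si_body = struct.pack("<4Q", *map(dt_to_filetime, si)) + b"\x00" * 16      # 4 times, then flags
    fn_body = (struct.pack("<Q4Q", 5, *map(dt_to_filetime, fn))               # parent ref, 4 times
               + struct.pack("<QQII", 0, 0, 0, 0) + bytes([len(name), 1]) + name.encode("utf-16-le"))
    rec = hdr + _attr(0x10, si_body) + _attr(0x30, fn_body) + b"\xff\xff\xff\xff"
    return rec.ljust(1024, b"\x00")

def mft_timestamps(record):
    """Walk the resident attributes; return both timestamp sets (as an Mft2Csv row would) plus the $FN name."""
    assert record[:4] == b"FILE", "not an MFT FILE record"
    off, out = struct.unpack_from("<H", record, 20)[0], {}
    while off + 24 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF or alen == 0:        # end-of-attributes marker
            break
        nonres = record[off + 8]
        clen, coff = struct.unpack_from("<IH", record, off + 16)
        body = record[off + coff:off + coff + clen]
        if nonres == 0 and atype == 0x10:
            out["SI"] = dict(zip(LABELS, map(filetime_to_dt, struct.unpack_from("<4Q", body))))
        elif nonres == 0 and atype == 0x30:
            out["FN"] = dict(zip(LABELS, map(filetime_to_dt, struct.unpack_from("<4Q", body, 8))))
            out["name"] = body[66:66 + 2 * body[64]].decode("utf-16-le")
        off += alen
    return out

def si_predates_fn(ts):
    """$SI created before $FN created: a classic sign of a back-dated $SI, since $FN is not set through the file-properties API."""
    return ts["SI"]["created"] < ts["FN"]["created"]
```

A report that lists only the $STANDARD_INFORMATION dates hides exactly the comparison this makes; a full $MFT parse (or the Mft2Csv output jaclaz links) exposes it.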