Forged Digital Forensics Report  

ArsenalConsulting
(@arsenalconsulting)
Junior Member

Hello All,

We are starting to publish details about a forged digital forensics report we received during the Odatv trial in Turkey. The report is particularly interesting to us because the report was on our letterhead, with my signature, but we had nothing to do with it or the “case” it related to. It may also be quite interesting to the DFIR community because we aren’t just talking about a report but also multiple emails, scanned documents, other exhibits, and a website.

Is this (a forged digital forensics report, never mind the rest of it) a first in our industry? We haven’t been able to find similar cases.

You can find the report here

https://ArsenalExperts.com/Case-Studies/Odatv/#forged-report

Some things in the queue for this part of the case study

1.) English translation of the entire email chain and attachments (Ek-1.jpg and EK-3.jpg)
2.) Possibly adding information about a criminal complaint related to the forged report
3.) Addressing UX per jaclaz (anyone want to loan us an awesome UX developer?)

As always I’m open to suggestions on what to add next.

Mark Spencer, President
Arsenal Consulting, Inc.
ArsenalExperts.com
@ArsenalArmed

Posted : 11/07/2017 7:52 pm
jaclaz
(@jaclaz)
Community Legend

3.) Addressing UX per jaclaz (anyone want to loan us an awesome UX developer?)

For those unable to understand the ad-personam reference, here it is
https://www.forensicfocus.com/Forums/viewtopic/t=14665/

However, JFYI, you should also check filenames, this one includes a non-ASCII character which may cause some issues on some systems/filesystems, I cannot even copy the filename and paste it on the board
Questions-and-Answers-for-Turkish-Experts-re-Barış-Pehlivans-Odatv-Computer.pdf

The little square is the Turkish ş (S-Cedilla)
https://en.wikipedia.org/wiki/Ş

…and speaking of Turkey and forged documents
http://rodrik.typepad.com/dani_rodriks_weblog/2012/10/did-microsoft-steal-its-fonts-from-the-turkish-army.html

jaclaz

Posted : 11/07/2017 10:20 pm
ArsenalConsulting
(@arsenalconsulting)
Junior Member

However, JFYI, you should also check filenames , this one includes a non-ASCII character which may cause some issues on some systems/filesystems, I cannot even copy the filename and paste it on the board

I think our web guy has now taken care of all the special characters… thanks for alerting me to the issue. If you have any thoughts on what kind of content you would like to see next please let me know. I'm overdue when it comes to adding information about reversing the RATs so hopefully that will be up soon.

…and speaking of Turkey and forged documents
http://rodrik.typepad.com/dani_rodriks_weblog/2012/10/did-microsoft-steal-its-fonts-from-the-turkish-army.html

I'm not sure if you are aware, but this (Sledgehammer a/k/a Balyoz in Turkish) is our case as well. The case study for this one, if we ever get to it, will be a monster. The story may be better told in a book format. The CDs containing MS Office documents from 2002/2003 (according to file system and Office date/times, consistent with the version of software used to burn the CDs and last versions of Office to save the documents) but with embedded references to ClearType fonts and compressed XML… that was just the beginning.

Mark

Posted : 19/07/2017 2:31 am
finbarr
(@finbarr)
Junior Member

I had a tribunal case about five years ago, where the client took my report and edited it to indicate a more favourable outcome.

I was unaware that this had happened until I was being cross-examined. After a bit of back and forth about the wording of the report they had versus the original I had with me we got to the bottom of what occurred.

I emailed a pdf copy of my report to the client - they altered it and then instructed counsel and provided the altered report which was then served. As a result - I now only accept instructions from counsel and digitally sign reports to help identify any post creation tampering.

Judge immediately found against my client (the correct choice even without the tampering) and further charged him with Perverting the Course of Justice - "Goodnight Louise". :D

Posted : 31/07/2017 7:33 pm
athulin
(@athulin)
Community Legend

If you have any thoughts on what kind of content you would like to see next please let me know.

Are you taking any particular countermeasures? Digital signage would help partially, it seems, but any reader would need to know that absence of a signature should be a red flag.

And I'm having some nightmarish visions of being asked to authenticate a printed copy of a 50-page report. "Sure, if you would wait for a moment or two while I compare it with the original … "

… with embedded references to ClearType fonts …

OpenType fonts?

Posted : 31/07/2017 8:25 pm
jaclaz
(@jaclaz)
Community Legend

… with embedded references to ClearType fonts …

OpenType fonts?

No, ClearType (more exactly "belonging to the Microsoft ClearType Font Collection")
https://www.microsoft.com/typography/ClearTypeFonts.mspx

Namely, Calibri and Cambria
http://rodrik.typepad.com/dani_rodriks_weblog/2012/10/did-microsoft-steal-its-fonts-from-the-turkish-army.html

Not to be confused with ClearType (the font display technology)
https://www.microsoft.com/en-us/Typography/ClearTypeInfo.aspx

And not to be confused with ClearType (the other display technology)
https://www.microsoft.com/appliedsciences/content/projects/ClearTypeDisplay.aspx

(hope this Clears the matter ;) )

jaclaz

Posted : 31/07/2017 9:40 pm
ArsenalConsulting
(@arsenalconsulting)
Junior Member

No, ClearType (more exactly "belonging to the Microsoft ClearType Font Collection")
https://www.microsoft.com/typography/ClearTypeFonts.mspx

Namely, Calibri and Cambria
http://rodrik.typepad.com/dani_rodriks_weblog/2012/10/did-microsoft-steal-its-fonts-from-the-turkish-army.html

Currently traveling and will respond to this thread in more detail later, but you may find these two slides (particularly the second slide) interesting… I may do a couple more slides like this to demonstrate the compressed XML issue as well

https://twitter.com/ArsenalArmed/status/885130463110713345

Mark

Posted : 01/08/2017 12:42 am
ArsenalConsulting
(@arsenalconsulting)
Junior Member

Currently traveling and will respond to this thread in more detail later, but you may find these two slides (particularly the second slide) interesting… I may do a couple more slides like this to demonstrate the compressed XML issue as well

https://twitter.com/ArsenalArmed/status/885130463110713345

If anyone would like to see the compressed XML issue refined down to two slides, here it is

https://twitter.com/ArsenalArmed/status/892728512561500160

Mark

Posted : 02/08/2017 6:49 pm
ArsenalConsulting
(@arsenalconsulting)
Junior Member

I had a tribunal case about five years ago, where the client took my report and edited it to indicate a more favourable outcome.

I was unaware that this had happened until I was being cross-examined. After a bit of back and forth about the wording of the report they had versus the original I had with me we got to the bottom of what occurred.

That's amazing… especially if the client knew there was a possibility of the "updated" report ending up in public proceedings and under your scrutiny.

Did the analysis stop at comparison of the two versions, or was a forensic image obtained from the computer used to update the report? I'm interested in any other details you can share. Your experience provides all the incentive necessary to digitally sign PDFs. Well, with the requisite education for clients about the digital signatures as well. 😉

Mark

Posted : 02/08/2017 7:15 pm
jaclaz
(@jaclaz)
Community Legend

Your experience provides all the incentive necessary to digitally sign PDFs. Well, with the requisite education for clients about the digital signatures as well. 😉

As a side note, and JFYI, this is a niche where just a few days ago a new program/service has been announced
https://www.forensicfocus.com/Forums/viewtopic/t=15491/
https://trewmte.blogspot.it/2017/07/whats-happening-with-contemporaneous.html

which adds to the digital signature also a "certified timestamp".

jaclaz

Posted : 02/08/2017 10:20 pm
Merriora
(@merriora)
Junior Member

I believe that being able to validate electronic notes and documents will be essential as we move towards presenting electronic files in court. In my opinion, once it is printed, it is hard, if not impossible, to see alterations to the documents unless you are specifically looking for issues like this.

I am always surprised to see a report that I created with hundreds or even thousands of pages of ‘internet history’ and ‘messages’ being presented as a printed document in court and then being questioned on that document.

To quote jaclaz

In theory there is no difference between theory and practice, but in practice there is.

In theory, my reports should not be hundreds of pages and I should have a clear understanding of what information I will be questioned on in court as the expert, but in practice time constraints often lead to rushed court cases with unforeseen questions coming from both crown and defense due to lack of communication prior to trial.

Since my report is presented to me months or potentially years after it was created, I must assume that the printed document in court presented to me is un-altered.

A change may be obvious if a conclusion has been altered, but much harder to detect if words may have been added or removed to a message (accidentally or on purpose) and I am simply questioned on a few records that defense will later use to show his client’s innocence.

The ability to validate electronic files as being un-altered is the main purpose of my application which allows you to digitally sign notes, notebooks and associated electronic files. The digital signature also includes a certified timestamp from an independent timestamping authority to further validate the file. This way you can ensure that the document has not changed.

For technical people, it is easy enough to check the validity of a Digital Signature in Adobe, but as athulin points out

…[the] reader would need to know that absence of a signature should be a red flag

Therefore, I believe the presence of a digital signature needs to be clearly displayed on your potential document. I think it also needs to be clear on your site that no documents will be released without this signature being present and the lack of a signature is a sign that the document is not valid and authentic.

The client must understand what signatures are valid and if they are passing the report on to another person as in the case of Finbarr, what stops that client from editing the document and re-signing with their own Digital Signature?

Would Crown have recognized that the valid signature is not the signature of the expert consultant?

It appears that Finbarr has found a good solution in only dealing with Crown but could there be a better way?

I put this question out to the community as a sincere question as we currently don't do this within our application, but this could be added if it would add value and potentially solve this issue.

We currently allow Drag/Drop Validation (or by HASH). What if this also showed the Consultant's Information to show that it's timestamped by that particular consultant?

So not only is the file validated, but it also shows to be created by ACME Consulting?

Could this be a possible solution to this issue?

Example Image of Validation idea at https://www.forensicnotes.com/acme-validation

Posted : 07/08/2017 1:39 am
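The signer-identity check Merriora asks about (a report the client edited and re-signed carries a perfectly valid signature, just not the consultant's), as an added Go example that is not part of this thread or of the ForensicNotes application; the Ed25519 keys, the hash||time timestamp token and the report text are constructed stand-ins for a real signing certificate and TSA response.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)
// SignedReport is a constructed stand-in for a signed PDF: the report bytes, the
// signer's public key, a signature over the report hash, and a TSA timestamp token.
type SignedReport struct {
	Report  []byte
	Signer  ed25519.PublicKey
	Sig     []byte
	Stamped int64  // Unix time asserted by the (hypothetical) timestamping authority
	TSASig  []byte // TSA signature over sha256(report) || Stamped
}
func reportHash(report []byte) []byte { h := sha256.Sum256(report); return h[:] }
func stampMsg(h []byte, ts int64) []byte { // what the TSA signs: hash bound to a time
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, uint64(ts))
	return append(append([]byte{}, h...), buf...)
}
// Sign: the consultant signs the hash; the TSA signs hash||ts so the stamp covers exactly this content.
func Sign(report []byte, consultant, tsa ed25519.PrivateKey, ts int64) SignedReport {
	h := reportHash(report)
	return SignedReport{report, consultant.Public().(ed25519.PublicKey),
		ed25519.Sign(consultant, h), ts, ed25519.Sign(tsa, stampMsg(h, ts))}
}
// Verify keeps three questions apart: valid signature at all? stamp covers this content? expected signer?
func Verify(sr SignedReport, expected, tsaPub ed25519.PublicKey) (validSig, validStamp, expectedSigner bool) {
	h := reportHash(sr.Report)
	validSig = ed25519.Verify(sr.Signer, h, sr.Sig)
	validStamp = ed25519.Verify(tsaPub, stampMsg(h, sr.Stamped), sr.TSASig)
	expectedSigner = validSig && sr.Signer.Equal(expected)
	return
}
func main() {
	expertPub, expertPriv, _ := ed25519.GenerateKey(rand.Reader)
	tsaPub, tsaPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, clientPriv, _ := ed25519.GenerateKey(rand.Reader)
	original := Sign([]byte("Conclusion: no sign of tampering."), expertPriv, tsaPriv, 1500000000)
	// Finbarr's scenario: the client edits the report and re-signs it with their own key.
	altered := Sign([]byte("Conclusion: clear sign of tampering."), clientPriv, tsaPriv, 1500086400)
	fmt.Println(Verify(original, expertPub, tsaPub)) // true true true
	fmt.Println(Verify(altered, expertPub, tsaPub))  // true true false: valid signature, wrong signer
}
```

A validator that only reports "signature valid" passes the re-signed copy; the display of the signer's identity that Merriora proposes is what separates the two cases.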
jaclaz
(@jaclaz)
Community Legend

Could this be a possible solution to this issue?

Example Image of Validation idea at https://www.forensicnotes.com/acme-validation

I am not sure I understand how it could work (actually I am pretty sure I don't understand it).
You are on the witness stand and given a (to simplify) 100 page printed document.

How can you determine if - say - on one page a file access date has been changed?

jaclaz

Posted : 07/08/2017 2:43 am
Merriora
(@merriora)
Junior Member

You are on the witness stand and given a (to simplify) 100 page printed document.

How can you determine if - say - on one page a file access date has been changed?

Sorry, I'm not referring to this being an idea to solve the issue with printed documents, but rather electronic documents.

(another question for another thread… How many courts actually allow electronic documents currently and how many are moving towards this in the future?)

In my opinion, once it is printed, it is hard, if not impossible, to see alterations to the documents unless you are specifically looking for issues like this.

For printed documents, the only way I see this working is to OCR each page and then do a comparison to an original Digitally Signed electronic version. I have limited knowledge of OCR technology, but I would assume that it would be nearly impossible to design a system that is 100% accurate (ie Give you a Valid or Invalid status on printed documents). The best would be to highlight potential issues/changes especially when dealing with images within reports. At least if the potential changes are highlighted by doing a comparison (OCR printed documents Vs. Electronic version), then you can quickly check those areas of the printed reports to see if changes exist or if it was simply an issue with the OCR for that section of the report.

But still, the key would be to have an original Digitally Signed and Timestamped version to compare against.

Posted : 07/08/2017 2:58 am
jaclaz
(@jaclaz)
Community Legend

For printed documents, the only way I see this working is to OCR each page and then do a comparison to an original Digitally Signed electronic version.

So, when you are on the stand, the prosecutor (or the defense attorney) gives you a 100 page document asking you if you recognize it as yours and you say "OK, let me scan these 100 pages on my portable 100 kg high speed feed automatic scanner, and let's OCR it, it will take only a few minutes. Where is a mains plug? Do you have an extension cord?".

I have limited knowledge of OCR technology, but I would assume that it would be nearly impossible to design a system that is 100% accurate

Right assumption. :)

Now, back to the real world, what do you propose for electronic documents on the stand?
1) you bring your own tablet/laptop with you on the stand with your copy of the report
2) you bring your own tablet/laptop with you on the stand and the attorney gives you a USB stick on which the file is, you load it into the device, verify the digital signature and proceed in reading aloud the relevant part
3) you are given a Court issued device, let's say an el-cheapo e-book reader with your report pre-loaded and proceed to verification before reading
4) ….?

jaclaz

Posted : 07/08/2017 2:49 pm
Merriora
(@merriora)
Junior Member

(duplicate post - won't delete)

Posted : 07/08/2017 8:50 pm