Forged Digital Forensics Report

ArsenalConsulting
(@arsenalconsulting)
Posts: 49
Eminent Member
Topic starter
 

Hello All,

We are starting to publish details about a forged digital forensics report we received during the Odatv trial in Turkey. The report is particularly interesting to us because the report was on our letterhead, with my signature, but we had nothing to do with it or the “case” it related to. It may also be quite interesting to the DFIR community because we aren’t just talking about a report but also multiple emails, scanned documents, other exhibits, and a website.

Is this (a forged digital forensics report, never mind the rest of it) a first in our industry? We haven’t been able to find similar cases.

You can find the report here

https://ArsenalExperts.com/Case-Studies/Odatv/#forged-report

Some things in the queue for this part of the case study

1.) English translation of the entire email chain and attachments (Ek-1.jpg and EK-3.jpg)
2.) Possibly adding information about a criminal complaint related to the forged report
3.) Addressing UX per jaclaz (anyone want to loan us an awesome UX developer?)

As always I’m open to suggestions on what to add next.

Mark Spencer, President
Arsenal Consulting, Inc.
ArsenalExperts.com
@ArsenalArmed

 
Posted : 11/07/2017 7:52 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

3.) Addressing UX per jaclaz (anyone want to loan us an awesome UX developer?)

For those unable to understand the ad-personam reference, here it is
https://www.forensicfocus.com/Forums/viewtopic/t=14665/

However, JFYI, you should also check filenames, this one includes a non-ASCII character which may cause some issues on some systems/filesystems, I cannot even copy the filename and paste it on the board 🙄
Questions-and-Answers-for-Turkish-Experts-re-Barış-Pehlivans-Odatv-Computer.pdf

The little square is the Turkish ş (S-Cedilla)
https://en.wikipedia.org/wiki/Ş

…and speaking of Turkey and forged documents
http://rodrik.typepad.com/dani_rodriks_weblog/2012/10/did-microsoft-steal-its-fonts-from-the-turkish-army.html

jaclaz

 
Posted : 11/07/2017 10:20 pm
ArsenalConsulting
(@arsenalconsulting)
Posts: 49
Eminent Member
Topic starter
 

However, JFYI, you should also check filenames , this one includes a non-ASCII character which may cause some issues on some systems/filesystems, I cannot even copy the filename and paste it on the board

I think our web guy has now taken care of all the special characters… thanks for alerting me to the issue. If you have any thoughts on what kind of content you would like to see next please let me know. I'm overdue when it comes to adding information about reversing the RATs so hopefully that will be up soon.

…and speaking of Turkey and forged documents
http://rodrik.typepad.com/dani_rodriks_weblog/2012/10/did-microsoft-steal-its-fonts-from-the-turkish-army.html

I'm not sure if you are aware, but this (Sledgehammer a/k/a Balyoz in Turkish) is our case as well. The case study for this one, if we ever get to it, will be a monster. The story may be better told in a book format. The CDs containing MS Office documents from 2002/2003 (according to file system and Office date/times, consistent with the version of software used to burn the CDs and last versions of Office to save the documents) but with embedded references to ClearType fonts and compressed XML… that was just the beginning.

Mark

 
Posted : 19/07/2017 2:31 am
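The anachronism Mark describes (Office files whose file-system and Office timestamps say 2002/2003, yet which reference fonts from the ClearType Font Collection) is one that can be checked mechanically. The following Go program is an added example written for this page, not Arsenal's tooling and not anything posted in the thread: it scans raw document bytes for font names in both the ASCII form used by RTF/OOXML and the UTF-16LE form used by the binary .doc font table, and flags any font whose assumed public-availability date is later than the document's claimed last-saved time. The availability dates in `fontIntroduced` and the sample document in `constructedDoc` are assumptions of the example; an examiner would substitute dates they can substantiate.

```go
package main

import (
	"bytes"
	"fmt"
	"sort"
	"time"
	"unicode/utf16"
)

// fontIntroduced maps a font family to the earliest date it could legitimately
// appear in a document. ASSUMPTION of this example: Calibri and Cambria are taken
// to have become publicly available with Office 2007 / Windows Vista on 2007-01-30.
var fontIntroduced = map[string]time.Time{
	"Calibri": time.Date(2007, 1, 30, 0, 0, 0, 0, time.UTC),
	"Cambria": time.Date(2007, 1, 30, 0, 0, 0, 0, time.UTC),
}

// encodings returns the byte forms a font name takes inside Office files:
// plain ASCII (RTF, OOXML XML) and UTF-16LE (binary .doc font table).
func encodings(name string) [][]byte {
	u := utf16.Encode([]rune(name))
	le := make([]byte, 0, 2*len(u))
	for _, c := range u {
		le = append(le, byte(c), byte(c>>8))
	}
	return [][]byte{[]byte(name), le}
}

// Anachronism records a font reference that predates the font's availability.
type Anachronism struct {
	Font      string
	Claimed   time.Time // what the file system / Office metadata claims
	Available time.Time // earliest date the font could have been referenced
}

// FindAnachronisticFonts scans raw document bytes for known font names and
// compares the claimed last-saved time with each font's introduction date.
// Results are sorted by font name so the output is deterministic.
func FindAnachronisticFonts(doc []byte, claimed time.Time) []Anachronism {
	var out []Anachronism
	for font, avail := range fontIntroduced {
		if !claimed.Before(avail) {
			continue // the font existed when the document was supposedly saved
		}
		for _, enc := range encodings(font) {
			if bytes.Contains(doc, enc) {
				out = append(out, Anachronism{font, claimed, avail})
				break
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Font < out[j].Font })
	return out
}

// constructedDoc is a CONSTRUCTED stand-in for a binary .doc: an OLE magic
// prefix followed by a UTF-16LE font table naming a 2003-era font and Calibri.
func constructedDoc() []byte {
	var b bytes.Buffer
	b.WriteString("\xd0\xcf\x11\xe0")
	b.Write(encodings("Times New Roman")[1])
	b.Write(encodings("Calibri")[1])
	return b.Bytes()
}

func main() {
	claimed := time.Date(2003, 6, 15, 0, 0, 0, 0, time.UTC) // constructed last-saved date
	for _, a := range FindAnachronisticFonts(constructedDoc(), claimed) {
		fmt.Printf("%s referenced in a file claimed saved %s but first available %s\n",
			a.Font, a.Claimed.Format("2006-01-02"), a.Available.Format("2006-01-02"))
	}
}
```

A hit from this check is a lead, not a conclusion: the examiner still has to establish where in the file the string sits (font table versus, say, an embedded object added later) and what the true availability date of the font was.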
finbarr
(@finbarr)
Posts: 26
Eminent Member
 

I had a tribunal case about five years ago, where the client took my report and edited it to indicate a more favourable outcome.

I was unaware that this had happened until I was being cross-examined. After a bit of back and forth about the wording of the report they had versus the original I had with me we got to the bottom of what occurred.

I emailed a pdf copy of my report to the client - they altered it and then instructed counsel and provided the altered report which was then served. As a result - I now only accept instructions from counsel and digitally sign reports to help identify any post creation tampering.

Judge immediately found against my client (the correct choice even without the tampering) and further charged him with Perverting the Course of Justice - "Goodnight Louise". :D

 
Posted : 31/07/2017 7:33 pm
athulin
(@athulin)
Posts: 1146
Noble Member
 

If you have any thoughts on what kind of content you would like to see next please let me know.

Are you taking any particular countermeasures? Digital signage would help partially, it seems, but any reader would need to know that absence of a signature should be a red flag.

And I'm having some nightmarish visions of being asked to authenticate a printed copy of a 50-page report. "Sure, if you would wait for a moment or two while I compare it with the original … "

… with embedded references to ClearType fonts …

OpenType fonts?

 
Posted : 31/07/2017 8:25 pm
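finbarr's countermeasure (digitally sign every report so post-creation edits are detectable) and athulin's caveat (a reader must treat a missing signature as a red flag, not as "nothing to check") fit together in one verification routine. The Go program below is an added example written for this page, not code from either poster: it signs the report bytes with a detached Ed25519 signature and verifies them with a three-way verdict, so that "unsigned" is reported distinctly from "tampered" and "valid". The detached-signature layout, the key generation and the report text are assumptions of the example; a real PDF signature is embedded in the file, but the verification policy is the same.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Verdict is what the reader of a report learns from the verification step.
type Verdict string

const (
	VerdictValid    Verdict = "valid"    // signature present and matches the bytes
	VerdictTampered Verdict = "tampered" // signature present but does not match
	VerdictUnsigned Verdict = "unsigned" // no signature at all: a red flag, never a pass
)

// SignedReport pairs the report bytes with a detached signature over them.
// ASSUMPTION: a detached signature keeps the example self-contained; a PDF
// signature lives inside the PDF, but the verdicts below apply unchanged.
type SignedReport struct {
	Report    []byte
	Signature []byte // nil or empty means no signature was supplied
}

// SignReport produces a detached Ed25519 signature over the report bytes.
func SignReport(priv ed25519.PrivateKey, report []byte) SignedReport {
	return SignedReport{Report: report, Signature: ed25519.Sign(priv, report)}
}

// VerifyReport deliberately does not return a bare bool: an unsigned report is
// named as such so a reader cannot mistake "no signature" for "nothing wrong".
func VerifyReport(pub ed25519.PublicKey, sr SignedReport) Verdict {
	if len(sr.Signature) == 0 {
		return VerdictUnsigned
	}
	if ed25519.Verify(pub, sr.Report, sr.Signature) {
		return VerdictValid
	}
	return VerdictTampered
}

// Demo walks through the scenario in the thread: the expert signs a report,
// the recipient edits its conclusion, and finally strips the signature.
// Returns the verdicts for (original, edited, stripped).
func Demo() ([3]Verdict, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return [3]Verdict{}, err
	}
	// CONSTRUCTED report text standing in for the PDF bytes.
	original := []byte("Conclusion: the evidence does NOT support the allegation.")
	signed := SignReport(priv, original)

	// The recipient edits the conclusion but keeps the signature it received.
	edited := SignedReport{
		Report:    []byte("Conclusion: the evidence supports the allegation."),
		Signature: signed.Signature,
	}
	// The recipient strips the signature entirely and serves the bare file.
	stripped := SignedReport{Report: edited.Report}

	return [3]Verdict{
		VerifyReport(pub, signed),
		VerifyReport(pub, edited),
		VerifyReport(pub, stripped),
	}, nil
}

func main() {
	v, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("original:", v[0], "edited:", v[1], "stripped:", v[2])
}
```

The third verdict is the point athulin raises: the check only helps if the reader knows a signature is expected, so the "unsigned" outcome has to be communicated to clients and counsel as a failure, not as an absence of evidence.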
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

… with embedded references to ClearType fonts …

OpenType fonts?

No, ClearType (more exactly "belonging to the Microsoft ClearType Font Collection")
https://www.microsoft.com/typography/ClearTypeFonts.mspx

Namely, Calibri and Cambria
http://rodrik.typepad.com/dani_rodriks_weblog/2012/10/did-microsoft-steal-its-fonts-from-the-turkish-army.html

Not to be confused with ClearType (the font display technology)
https://www.microsoft.com/en-us/Typography/ClearTypeInfo.aspx

And not to be confused with ClearType (the other display technology)
https://www.microsoft.com/appliedsciences/content/projects/ClearTypeDisplay.aspx

(hope this Clears the matter 😉)

jaclaz

 
Posted : 31/07/2017 9:40 pm
ArsenalConsulting
(@arsenalconsulting)
Posts: 49
Eminent Member
Topic starter
 

No, ClearType (more exactly "belonging to the Microsoft ClearType Font Collection")
https://www.microsoft.com/typography/ClearTypeFonts.mspx

Namely, Calibri and Cambria
http://rodrik.typepad.com/dani_rodriks_weblog/2012/10/did-microsoft-steal-its-fonts-from-the-turkish-army.html

Currently traveling and will respond to this thread in more detail later, but you may find these two slides (particularly the second slide) interesting… I may do a couple more slides like this to demonstrate the compressed XML issue as well

https://twitter.com/ArsenalArmed/status/885130463110713345

Mark

 
Posted : 01/08/2017 12:42 am
ArsenalConsulting
(@arsenalconsulting)
Posts: 49
Eminent Member
Topic starter
 

Currently traveling and will respond to this thread in more detail later, but you may find these two slides (particularly the second slide) interesting… I may do a couple more slides like this to demonstrate the compressed XML issue as well

https://twitter.com/ArsenalArmed/status/885130463110713345

If anyone would like to see the compressed XML issue refined down to two slides, here it is

https://twitter.com/ArsenalArmed/status/892728512561500160

Mark

 
Posted : 02/08/2017 6:49 pm
ArsenalConsulting
(@arsenalconsulting)
Posts: 49
Eminent Member
Topic starter
 

I had a tribunal case about five years ago, where the client took my report and edited it to indicate a more favourable outcome.

I was unaware that this had happened until I was being cross-examined. After a bit of back and forth about the wording of the report they had versus the original I had with me we got to the bottom of what occurred.

That's amazing… especially if the client knew there was a possibility of the "updated" report ending up in public proceedings and under your scrutiny.

Did the analysis stop at comparison of the two versions, or was a forensic image obtained from the computer used to update the report? I'm interested in any other details you can share. Your experience provides all the incentive necessary to digitally sign PDFs. Well, with the requisite education for clients about the digital signatures as well. 😉

Mark

 
Posted : 02/08/2017 7:15 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Your experience provides all the incentive necessary to digitally sign PDFs. Well, with the requisite education for clients about the digital signatures as well. 😉

As a side note, and JFYI, this is a niche where just a few days ago a new program/service has been announced
https://www.forensicfocus.com/Forums/viewtopic/t=15491/
https://trewmte.blogspot.it/2017/07/whats-happening-with-contemporaneous.html

which adds to the digital signature also a "certified timestamp".

jaclaz

 
Posted : 02/08/2017 10:20 pm