Forged Digital Forensics Report

17 Posts
5 Users
0 Likes
1,489 Views
Merriora
(@merriora)
Posts: 44
Eminent Member
 

I believe that being able to validate electronic notes and documents will be essential as we move towards presenting electronic files in court. In my opinion, once it is printed, it is hard, if not impossible, to see alterations to the documents unless you are specifically looking for issues like this.

I am always surprised to see a report that I created with hundreds or even thousands of pages of ‘internet history’ and ‘messages’ being presented as a printed document in court and then being questioned on that document.

To quote jaclaz

In theory there is no difference between theory and practice, but in practice there is.

In theory, my reports should not be hundreds of pages and I should have a clear understanding of what information I will be questioned on in court as the expert, but in practice time constraints often lead to rushed court cases with unforeseen questions coming from both crown and defense due to lack of communication prior to trial.

Since my report is presented to me months or potentially years after it was created, I must assume that the printed document in court presented to me is un-altered.

A change may be obvious if a conclusion has been altered, but much harder to detect if words may have been added or removed to a message (accidentally or on purpose) and I am simply questioned on a few records that defense will later use to show his client’s innocence.

The ability to validate electronic files as being un-altered is the main purpose of my application which allows you to digitally sign notes, notebooks and associated electronic files. The digital signature also includes a certified timestamp from an independent timestamping authority to further validate the file. This way you can ensure that the document has not changed.

For technical people, it is easy enough to check the validity of a Digital Signature in Adobe, but as athulin points out

…[the] reader would need to know that absence of a signature should be a red flag

Therefore, I believe the presence of a digital signature needs to be clearly displayed on your potential document. I think it also needs to be clear on your site that no documents will be released without this signature being present and the lack of a signature is a sign that the document is not valid and authentic.

The client must understand what signatures are valid and if they are passing the report on to another person as in the case of Finbarr, what stops that client from editing the document and re-signing with their own Digital Signature?

Would Crown have recognized that the valid signature is not the signature of the expert consultant?

It appears that Finbar has found a good solution in only dealing with Crown but could there be a better way?

I put this question out to the community as a sincere question as we currently don’t do this within our application, but this could be added if it would add value and potentially solve this issue.

We currently allow Drag/Drop Validation (or by HASH). What if this also showed the Consultant's Information to show that it's timestamped by that particular consultant?

So not only is the file validated, but it also shows to be created by ACME Consulting?

Could this be a possible solution to this issue?

Example Image of Validation idea at https://www.forensicnotes.com/acme-validation

 
Posted : 07/08/2017 1:39 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Could this be a possible solution to this issue?

Example Image of Validation idea at https://www.forensicnotes.com/acme-validation

I am not sure I understand how it could work (actually I am pretty sure I don't understand it).
You are on the witness stand and given a (to simplify) 100 page printed document.

How can you determine if - say - on one page a file access date has been changed?

jaclaz

 
Posted : 07/08/2017 2:43 am
Merriora
(@merriora)
Posts: 44
Eminent Member
 

You are on the witness stand and given a (to simplify) 100 page printed document.

How can you determine if - say - on one page a file access date has been changed?

Sorry, I'm not referring to this being an idea to solve the issue with printed documents, but rather electronic documents.

(another question for another thread… How many courts actually allow electronic documents currently and how many are moving towards this in the future?)

In my opinion, once it is printed, it is hard, if not impossible, to see alterations to the documents unless you are specifically looking for issues like this.

For printed documents, the only way I see this working is to OCR each page and then do a comparison to an original Digitally Signed electronic version. I have limited knowledge of OCR technology, but I would assume that it would be nearly impossible to design a system that is 100% accurate (ie Give you a Valid or Invalid status on printed documents). The best would be to highlight potential issues/changes especially when dealing with images within reports. At least if the potential changes are highlighted by doing a comparison (OCR printed documents Vs. Electronic version), then you can quickly check those areas of the printed reports to see if changes exist or if it was simply an issue with the OCR for that section of the report.

But still, the key would be to have an original Digitally Signed and Timestamped version to compare against.

 
Posted : 07/08/2017 2:58 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

For printed documents, the only way I see this working is to OCR each page and then do a comparison to an original Digitally Signed electronic version.

So, when you are on the stand, the prosecutor (or the defense attorney) gives you a 100 page document asking you if you recognize it as yours and you say "OK, let me scan these 100 pages on my portable 100 Kg high speed feed automatic scanner, and let's OCR it, it will take only a few minutes. Where is a mains plug? Do you have an extension cord?".

I have limited knowledge of OCR technology, but I would assume that it would be nearly impossible to design a system that is 100% accurate

Right assumption. :)

Now, back to the real world, what do you propose for electronic documents on the stand?
1) you bring your own tablet/laptop with you on the stand with your copy of the report
2) you bring your own tablet/laptop with you on the stand and the attorney gives you a USB stick on which the file is, you load it into the device, verify the digital signature and proceed in reading aloud the relevant part
3) you are given a Court issued device, let's say an el-cheapo e-book reader with your report pre-loaded and proceed to verification before reading
4) ….?

jaclaz

 
Posted : 07/08/2017 2:49 pm
Merriora
(@merriora)
Posts: 44
Eminent Member
 

(duplicate post - won't delete)

 
Posted : 07/08/2017 8:50 pm
Merriora
(@merriora)
Posts: 44
Eminent Member
 

OK, let me scan these 100 pages on my portable 100 Kg high speed feed automatic scanner, and

You make it sound like that would not be a viable option? ;)

As stated in my first post, once the report is printed, validation does become extremely difficult. I think any solution may be cumbersome to implement and originally sound like more trouble than it's worth, but in the case of printed documents, what is the alternative?

1. Assume the document is authentic and unmodified
OR
2. Manually check every page, line by line and compare

This discussion was started because it appears we can no longer assume that Digital Forensic reports will not be modified. That clients sometimes have reasons for wanting a different outcome in the report and that sometimes a report may be changed or modified along the way to court either on purpose or by mistake. These changes may be naively completed with the idea they are ‘fixing’ the report to be more readable or correct an issue they believe they discovered (date/time conversion).

Whatever the reason for the alteration, manually checking your own work is still not a guarantee of spotting the change, as you are still likely going to see what your brain expects to see (https://www.wired.com/2014/08/wuwt-typos).

So the only solution I see to this problem would be using OCR, but I would be very interested in hearing better ideas or solutions as I think my idea is far from perfect in dealing with printed documents in a timely manner.
If verification was required in the actual courtroom, I would see this being done prior to court or request a break to validate the document. But please note, I don’t think that either option is a great solution, but rather a necessary step when required.

One potential solution involves changing the way the courts operate if they plan to continue to use printed reports during court proceedings. Before a report is ever printed, it is in an electronic form so the validation should occur at this phase with any reports being presented to have a “stamp of authenticity” affixed. Of course, this would still require that original report to be digitally signed and timestamped so that proper validation could occur.

Although I offer this as a potential solution, I recognize that this would be very difficult to implement in the courts unless a court ruling in the future requires this type of change.

Now, back to the real world, what do you propose for electronic documents on the stand?

How electronic evidence is presented in court is a bigger discussion as so many variables come into play, including the amount of investment the courts are willing to make on proper hardware which will vary based on city and region.

I think BYOD to court could result in better quality hardware, but also generate its own issues especially if that equipment fails. In my opinion, the equipment needs to be provided by the courts as any issues with BYOD would be used by the other side as a reason to convict or drop a charge. Court delays are now a major reason to stay a charge in some regions.

I think individual tablets issued by the court would also cause issues as they are difficult to use to find key information in large documents due to the small screen size. (assuming smaller cheaper tablets and not MS Surface Pro's)

When dealing with electronic documents in court, I would hope to see dual screens in the testimony box with the ability to search and find information in your documents on your screen and then slide it over to the screen seen by the judge, lawyers and potential jury (if required).

Validation in this setting would be simple as the report in the court could clearly display the generated HASH value and Digital Timestamp. As the ‘expert’ testifying, you could simply confirm that the HASH matches the value you recorded at the time of generating the report.

In situations where this information is not presented (HASH, Timestamp), then the system should allow copying of the files to an external system that allows validation via the internet and/or Adobe Reader.

At the very least, the 'expert' should be presented with the digital copy that will be used in court prior to testifying so that he/she can validate the document. Then in court, Crown or Defense could ask "You had a chance to validate the electronic version of your report and examination notes prior and are confident that it was authentic and original?" - Expert "Yes, I did validate the electronic version as being authentic and assume that the report and notes I am viewing today in court are the same as what was provided to me prior".

The above reply has focused on validating documents in court. The reality is that few criminal or civil cases result in actual court proceedings. The ACME consulting idea is more geared towards validation of documents prior to court proceedings when the ‘expert’ is not involved.

In particular, the phase where a report is sent to a client (or his lawyer) and the information is shared among those involved in the case to see if it can be settled without going to court. In my opinion, it is this phase where a document has a higher chance of being modified or changed. Being able to validate a document as being authentic during this phase would be essential on both sides before they settle out of court. Being able to drag/drop an electronic document and quickly validate that it is authentic and issued by ACME consulting would provide this assurance.

 
Posted : 07/08/2017 8:52 pm
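The drag/drop (or by-HASH) validation idea from the posts above, as an added example that is not code from any poster or from the application being discussed. It models the validation service as an in-memory registry (an assumption); `Record`, `validate`, the issuer names and the sample report text are all hypothetical and constructed. The third case is the re-signing concern: the edited file validates, but not as the expert's document.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    issuer: str     # party that registered and timestamped the file
    timestamp: str  # time asserted by the timestamping service

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def validate(data: bytes, registry: dict, expected_issuer: str) -> str:
    """Return VALID, WRONG_ISSUER or UNKNOWN for the dropped file's bytes."""
    record = registry.get(sha256_hex(data))
    if record is None:
        return "UNKNOWN"        # altered after registration, or never registered
    if record.issuer != expected_issuer:
        return "WRONG_ISSUER"   # validates, but not as the expert's document
    return "VALID"

# Constructed sample data (not from any real case).
ORIGINAL = b"Message 412: I was not at the house on Friday."
ALTERED = b"Message 412: I was at the house on Friday."

REGISTRY = {
    sha256_hex(ORIGINAL): Record("ACME Consulting", "2017-08-01T10:15:00Z"),
}
# The client edits the report and registers the edited copy under its own name.
RESIGNED_REGISTRY = dict(REGISTRY)
RESIGNED_REGISTRY[sha256_hex(ALTERED)] = Record("Client Co", "2017-08-05T09:00:00Z")

def demo():
    return [
        validate(ORIGINAL, REGISTRY, "ACME Consulting"),
        validate(ALTERED, REGISTRY, "ACME Consulting"),
        validate(ALTERED, RESIGNED_REGISTRY, "ACME Consulting"),
    ]

if __name__ == "__main__":
    print(demo())
```

A validator that reports only "signature valid" would pass the third case; showing and checking the issuer is what separates it from the first.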
athulin
(@athulin)
Posts: 1146
Noble Member
 

For printed documents, the only way I see this working is to OCR each page and then do a comparison to an original Digitally Signed electronic version. I have limited knowledge of OCR technology, but I would assume that it would be nearly impossible to design a system that is 100% accurate (ie Give you a Valid or Invalid status on printed documents).

OCR has problems: curly quotes tend to become straight quotes, em dashes may become en dashes (or vice versa), and in bad cases something like 'rn' may be translated as 'm', or 'li' may become 'h'. Spacing (which is equally important) is rarely well handled: depending on the software, you may find one space become two, and minimal empty space inserted at the end of words. Good OCR tends to require fairly extensive training.

It seems that 'these documents are the same' (where both documents are scanned) should mean something like 'every page contains exactly the same black marks in exactly the same places.' Any discrepancy needs to be investigated.

However, for that OCR would be overkill: scan the images 'soft' (greyscale), do any necessary transformation to place a page from document A on top of the corresponding page from document B, and subtract. Ideally, this should produce a blank page. In practice, the result from two identical pages leaves 'flyspecks'. Where there is a difference in contents, … 'birdspecks' is perhaps a more appropriate description. Those need to be investigated.

However … that ties 'sameness' to graphical form. And that may not be the right thing. To allow more flexibility, some kind of segmentation of the scanned page, similar to that many OCR programs do, may be desirable.

If a printed document should be compared to an electronic document, … well, it's a bit of a detour to print the electronic document in order to scan it,

 
Posted : 08/08/2017 7:57 pm
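The subtract-and-inspect comparison described in the post above, as an added example that is not the poster's code. It assumes the two greyscale pages are already aligned (the transformation step is not shown); the threshold, the minimum area and the tiny sample pages are constructed for illustration.

```python
from collections import deque

def diff_mask(page_a, page_b, threshold=64):
    """Subtract two aligned greyscale pages (0 = black, 255 = white)."""
    return [[abs(a - b) > threshold for a, b in zip(ra, rb)]
            for ra, rb in zip(page_a, page_b)]

def components(mask):
    """Group differing pixels into 8-connected regions of (row, col)."""
    h, w = len(mask), len(mask[0])
    seen = [[False] * w for _ in range(h)]
    regions = []
    for r in range(h):
        for c in range(w):
            if not mask[r][c] or seen[r][c]:
                continue
            seen[r][c] = True
            queue, region = deque([(r, c)]), []
            while queue:
                y, x = queue.popleft()
                region.append((y, x))
                for ny in (y - 1, y, y + 1):
                    for nx in (x - 1, x, x + 1):
                        if (0 <= ny < h and 0 <= nx < w
                                and mask[ny][nx] and not seen[ny][nx]):
                            seen[ny][nx] = True
                            queue.append((ny, nx))
            regions.append(region)
    return regions

def review_regions(page_a, page_b, min_area=4):
    """Boxes (top, left, bottom, right) of differences worth investigating."""
    boxes = []
    for region in components(diff_mask(page_a, page_b)):
        if len(region) < min_area:
            continue  # 'flyspeck': isolated scanner noise
        ys = [y for y, _ in region]
        xs = [x for _, x in region]
        boxes.append((min(ys), min(xs), max(ys), max(xs)))
    return boxes

def make_page(marks, h=12, w=24):
    page = [[255] * w for _ in range(h)]
    for y, x in marks:
        page[y][x] = 0
    return page

# Constructed sample: two "lines of text" as rows of black pixels.
TEXT = [(2, x) for x in range(3, 20)] + [(6, x) for x in range(3, 15)]
ORIGINAL = make_page(TEXT)
# Rescan with one noise pixel and a 2x3 block of added marks after line two.
ADDED = [(y, x) for y in (6, 7) for x in (16, 17, 18)]
RESCAN = make_page(TEXT + [(10, 21)] + ADDED)
```

Each returned box is an area of the printed page to check by eye against the signed electronic version.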