It’s not always what you find...

Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

It’s not always what you find...

by Sam Raincock

In digital forensics we are often asked to determine the presence of evidence. However, what happens when we do not find anything? How do we prove something wasn’t there?

Proving something is present is generally a trivial problem – you find it, it’s there. Of course the complex part is explaining how it came to reside on a digital device and the circumstances surrounding it... that’s what the field of digital forensics is all about. However, proving something isn’t there and/or was never there are also questions we are asked to comment on...


Please use this thread for discussion of Sam's latest column.


bshavers
(@bshavers)
Estimable Member
Joined: 20 years ago
Posts: 211
 

Along the same lines of not finding what is suspected to exist (such as specific internet usage or a word processing document), would be not finding seemingly non-evidence data that should exist.

As an example, "not finding" a specific registry key that exists by default in an OS build would be suspicious, in that it would be abnormal for it to be missing. This type of not finding data can be evidence in and of itself. Not finding any data in unallocated space would be another example, as there is usually at least something in unallocated space unless the space was wiped.

It's difficult, if not impossible, to prove a negative that evidence/data existed at one time without corroborating information. But, for data that should exist based on default settings or installation, that lack of data may be evidence.

Not finding the files in question only proves they do not currently exist on the media, not that they never existed on that particular media. Not finding certain files that are created with every install of Windows is a different story.


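The "empty unallocated space" point above is one an examiner can actually measure rather than eyeball. The following is an added example (not code from the post or from any tool it mentions) that walks a region of unallocated space block by block and reports whether it is uniformly pattern-filled, uniformly high-entropy (as left by a random-overwrite wiper), or contains residual data. The "image" is a constructed bytes object, the block size and the entropy thresholds are illustrative assumptions, and a real examination would run this over the unallocated clusters reported by the filesystem parser.

```python
"""Characterise a region of unallocated space so that 'nothing found there'
can be stated precisely: zero-filled, random-filled, or residual data present.
All sample data is constructed inline; nothing here reads a real disk image."""
import math
import random
from collections import Counter

BLOCK = 4096            # assumed analysis block size (illustrative, not a standard)
RANDOM_THRESHOLD = 7.5  # bits/byte above which a block is treated as random-filled (assumption)
WIPED_RANDOM_RATIO = 0.98  # share of random blocks needed to call the region random-wiped (assumption)


def block_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant block, at most 8.0."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def classify_block(block: bytes) -> str:
    """'constant' = one repeated byte (zero-fill, 0xFF-fill, pattern wipers),
    'random' = near-maximal entropy, otherwise 'data' (text, structures, slack)."""
    if len(set(block)) == 1:
        return "constant"
    if block_entropy(block) >= RANDOM_THRESHOLD:
        return "random"
    return "data"


def assess_unallocated(region: bytes, block_size: int = BLOCK) -> dict:
    """Count blocks per class and return a verdict for the whole region:
    'wiped-pattern', 'wiped-random', 'residual-data' or 'empty' (zero-length)."""
    counts = Counter()
    for off in range(0, len(region), block_size):
        counts[classify_block(region[off:off + block_size])] += 1
    total = sum(counts.values())
    if total == 0:
        verdict = "empty"
    elif counts["constant"] == total:
        verdict = "wiped-pattern"
    elif counts["random"] / total >= WIPED_RANDOM_RATIO:
        verdict = "wiped-random"
    else:
        verdict = "residual-data"
    return {
        "blocks": total,
        "constant": counts["constant"],
        "random": counts["random"],
        "data": counts["data"],
        "verdict": verdict,
    }


# Constructed sample regions (seeded so the results are reproducible).
_rng = random.Random(7)
TEXT_BLOCK = (b"Dear Sirs, please find attached the invoice for March.\n" * 80)[:BLOCK]
ZEROED_REGION = bytes(BLOCK * 64)                      # what a zero-fill wiper leaves
RANDOM_REGION = _rng.randbytes(BLOCK * 64)             # what a random-overwrite wiper leaves
NORMAL_REGION = (                                      # typical unallocated space: mostly empty, some remnants
    bytes(BLOCK * 20) + TEXT_BLOCK * 3 + _rng.randbytes(BLOCK * 2) + bytes(BLOCK * 5)
)

if __name__ == "__main__":
    for name, region in (("zeroed", ZEROED_REGION), ("random", RANDOM_REGION), ("normal", NORMAL_REGION)):
        print(name, assess_unallocated(region))
```

The verdict is only as good as the thresholds, so a report should state them: "no data was found in unallocated space" becomes "all 64 blocks of the examined unallocated region were zero-filled", which is a claim the reader can test.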
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

As one of our fellow (fictional) investigators states, "when you have eliminated the impossible, whatever remains, however improbable, must be the truth".

I had a period where complex search and sorting methodologies were my entertainment.

Searches which eliminate the impossible are always faster and more efficient.

As Ms. Raincock states "very few things are impossible".

On the other hand, many things are improbable, therefore our job is to be convincing with our selection of improbable threshold.


 samr
(@samr)
Estimable Member
Joined: 20 years ago
Posts: 119
 

Jhup, I think the key is knowledge about the improbable to allow you to comment about it and give a justifiable likelihood/opinion. It is the knowledge and understanding of the processes you've applied to data (or the problem you are trying to solve) which allows you to assess if, in your opinion, there is anything there/it is possible.

My article was more about getting people to think about what they write and how it may be perceived.

Looking at the live sound files on a mobile telephone, finding none and then concluding there was "no evidence of sound files on the device" would be the incorrect conclusion because the processes applied to the data were not sufficient to state that.

Similarly, it is knowledge of the complexity of problems which allows us to determine those that are 'nearly' impossible to solve and those that just need some time. For example, compare the ability to determine a TrueCrypt password (strong and not reused etc.) with whether we could determine the meaning of evidence in Shadow Copies. With the Shadow Copies example, I think it is obvious the problem would be solved – the OS does it so it is possible, the files must have structure.

Bshavers, an interesting take on this and another good thing for people to consider when they are examining – I think you’ve come up with an article topic in its own right.

Kind regards

Sam Raincock


(@dficsi)
Reputable Member
Joined: 19 years ago
Posts: 283
 

Sam,

Great article. I agree with you but I've run into problems with this. For example a client may read "I found no evidence of…" and ask what that means. If you then say "there's a possibility that…" then they may demand that you determine if it did happen. As you know this would be akin to searching for a needle in a haystack without knowing if the needle even exists. Some clients will demand that you give them a straight answer of yes/no. How do we deal with that?

It seems as if we're caught between a rock and a hard place when it comes to issues such as this.

Also, I'd love to talk to you about VSCs some time. It is very possible to find information about something found in a VSC.


 samr
(@samr)
Estimable Member
Joined: 20 years ago
Posts: 119
 

DFICSI

I think the key is simplicity. In my experience, if you explain a technical area clearly enough to a legal professional they can then appreciate why there isn't a yes or no response. I usually like to use examples as I think people are much more likely to gain knowledge from them that they can then relate to the point you are trying to make.

Like all people, if a legal professional does not understand the reason for the complexity of something they may try to perceive the problem you are trying to solve as being simpler than it is. It is my view that it is the job of the writer to produce their report in such a manner as to enable them to understand the issues. This should not only assist them in understanding what the examiner is stating in their evidence but will hopefully also allow them to better cross-examine.

For example, let's take heuristic searches

You could say 'I have performed searches for "Forensics", "focus", "hello" and "world" using X. These searches did not find any occurrences of these words on the computer. My search for “killing” found 43 occurrences.....”

Comment – As discussed in the Background Section of my statement, searching is not a precise process, it may not find every occurrence of a word. Similarly, it is important to note that when a search returns a number of occurrences…………..

I have examined the 43 occurrences identified above and found 3 which relate to MSN Messenger chat logs. These conversations are exhibited in SRC-SR1. These MSN Messenger conversations were between……..

You can then explain what you mean by searches in your background section giving appropriate simple to relate to examples

For example, if you search for “Dear Sirs”, this may not find occurrences of “DearSirs” or “Dear Sir”. Similarly, as discussed previously, due to the way the searches work they may not find occurrences such as “Dear Sirssss”…………….

My advice when it comes to explaining technically complex areas is to provide your writing to a complete layperson with no real forensics or IT knowledge to see if what you write is understood by all. If a lawyer understands why, in my experience very few would then come back and ask for a yes or no answer. If they don’t understand then you need to reword your report so that it is simple enough for them to appreciate the significance.

With respect to VSC files, I know it is now possible to obtain information from VSC files, but before it was determined how to do it, I did review statements that said it wasn't possible (it was only not possible in the then current knowledge/time constraints to allow the examiner to obtain a solution). It is dealing with this type of statement that my article was about, as well as the thinking processes behind questioning what it means to say something is not possible.

Kind regards

Sam Raincock


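The "Dear Sirs" illustration in the post above is easy to make concrete. The following is an added example (not code from the post or from any forensic tool) that runs two searches over a constructed buffer: an exact byte-string search of the kind a simple keyword tool performs, and a tolerant search that also tries UTF-16 encodings (the form in which Windows stores many strings) and ignores case and whitespace between the words. The buffer, the term and the list of encodings are assumptions for illustration; the point is that "no occurrences found" is a statement about the method, not about the disk.

```python
"""Compare an exact keyword search with an encoding- and whitespace-tolerant one,
to show why a search report must describe the method used. Sample buffer is
constructed inline and stands in for a slice of a disk image."""
import re
from collections import Counter

# Assumed encodings to try; ASCII covers plain text, UTF-16 covers Windows strings.
ENCODINGS = ("ascii", "utf-16-le", "utf-16-be")


def naive_search(data: bytes, term: str) -> list[int]:
    """Exact, case-sensitive byte-string search. Returns every match offset."""
    needle = term.encode("ascii")
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def _pattern(term: str, enc: str) -> re.Pattern:
    """Regex for the term in one encoding: its words joined by any run (including
    none) of encoded whitespace, matched case-insensitively on ASCII letters."""
    ws = b"(?:" + b"|".join(re.escape(c.encode(enc)) for c in " \t\r\n") + b")*"
    words = [re.escape(w.encode(enc)) for w in term.split()]
    return re.compile(ws.join(words), re.IGNORECASE)


def tolerant_search(data: bytes, term: str) -> list[dict]:
    """Search each encoding in turn; each hit records offset, encoding and bytes."""
    hits = []
    for enc in ENCODINGS:
        for m in _pattern(term, enc).finditer(data):
            hits.append({"offset": m.start(), "encoding": enc, "match": m.group(0)})
    return sorted(hits, key=lambda h: h["offset"])


def compare(data: bytes, term: str) -> dict:
    """Summary suitable for a report: exact count, tolerant count, and per-encoding split."""
    tolerant = tolerant_search(data, term)
    return {
        "term": term,
        "exact": len(naive_search(data, term)),
        "tolerant": len(tolerant),
        "by_encoding": dict(Counter(h["encoding"] for h in tolerant)),
    }


# Constructed sample "image": the same greeting in several forms a real disk might hold.
SAMPLE = b"".join([
    b"\x00" * 16,
    b"Dear Sirs, please find the attached report.\n",   # plain ASCII, found by both searches
    b"old slack\x00\x00",
    b"DearSirs we acknowledge receipt",                  # missing space: exact search misses it
    b"\x00" * 8,
    b"Dear Sir, thank you",                              # singular: neither search should match
    "Dear Sirs".encode("utf-16-le"),                     # UTF-16LE, as in many Windows artefacts
    b"\x00" * 8,
    b"dear\tsirs",                                       # different case and whitespace
    b"Dear Sirssss",                                     # longer word containing the term
])

if __name__ == "__main__":
    print(compare(SAMPLE, "Dear Sirs"))
```

Written into a report, the difference between the two counts is exactly the caveat the post asks for: the exact search returns 2 occurrences, the tolerant search returns 5 across two encodings, and neither would have found a variant stored in a compressed container or split across non-adjacent clusters.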
 samr
(@samr)
Estimable Member
Joined: 20 years ago
Posts: 119
 

Hehe, I am showing my age! - MSN Messenger - that would be the 'old' Windows Live Messenger.

Sam Raincock


(@dficsi)
Reputable Member
Joined: 19 years ago
Posts: 283
 

Thanks Sam.


(@Anonymous)
Guest
 

This article resonates with me in one particular sense. When I *don't* find what I or the client thinks is on the hard drive or mobile device, I'm always asking myself "Did I look hard enough? Did I look in the right places? Did I miss something?"

Self-doubt is a very pesky adversary!

And when I write the report, I say something to the effect that 'During my examination, I did not find evidence of ____.'

I never say that it wasn't there, just that I didn't find it.


(@rich2005)
Honorable Member
Joined: 19 years ago
Posts: 541
 

Or you could have the fun like I do on a couple of jobs where you're asked to:
1) Find "everything the opposing side may have recovered in relation to xxx", not knowing the tools, processes, or keywords they may have used.
2) Refute the "magic virus that did everything nefarious and deleted itself" defence.

