Mac forensics question. PLEASE HELP

9 Posts
5 Users
0 Reactions
742 Views
(@watson)
New Member
Joined: 16 years ago
Posts: 3
Topic starter  

I am involved in a legal dispute re the validity of a document and need advice. I've tried researching this and keep hitting dead ends. The other side has presented a document which I know to be fraudulently backdated. They have only agreed to have the "created on" date and the serialization on a NEW hard drive (that the doc and others were moved to recently) considered in proving the validity of the document. All computers involved are Apple.

I have a question re the validity of the two factors they are planning on using to determine the legitimacy of the document in question. When I asked numerous Mac people specifically if a document created on a backdated old Mac was transferred (and therefore re-serialized) with other documents to a new hard drive, if ANY red flags would arise to cast ANY doubt over the file's "creation date" and serialization, they said "ABSOLUTELY NOT". If these are the factors they are using, the only legit verdict will be "inconclusive", although based on the language in the legal document, that will somehow mean "legit" in regards to the document in question, and the findings.

If you tell me that "inconclusive" is not the only possible outcome here, and that you can establish the validity of this document based on these two factors, then I'd like to know how or why that is so. Obviously the "created on" date is a ridiculous determining factor, as it is incredibly easy to backdate a computer and create a new document, then save it where it is impossible to determine the legitimacy. The serialization seems equally inconclusive once files are transferred en masse to a new computer. Please tell me how re-serialized files will be of any help as well.

I know that looking at OS or software versions won't matter if someone has an older Mac to create the doc, but are there any other factors/data you can look at in this case that will prove beyond a reasonable doubt that this document, and its "created on" date, is legit?

If you are a Mac forensic expert and would be willing to go on record re this, I would like to talk with you re consulting on this matter.

Thank you, and I appreciate any responses.


   
Quote
(@benclelland)
Eminent Member
Joined: 19 years ago
Posts: 21
 

Instead of relying on the HFS created date, have you looked at the metadata within the document itself? This could be something that you could both agree on, then, as you will probably understand it better.


   
ReplyQuote
(@watson)
New Member
Joined: 16 years ago
Posts: 3
Topic starter  

They will not agree to any tests beyond the two I stated. I need to show that these two tests, by their nature, are "inconclusive". See below. THANKS!!!!!

Exhibit A to XXXXX Agreement

XXXXXX has been asked to image and then examine the imaged copy of the hard drive of a computer that contains a certain file (the “File”) that will be identified by the Clients. XXXXXXX will examine the hard drive to determine whether (a) the creation date of the File is in fact 2001; and (b) the serial number of the File is consistent with the File being transferred to the computer at or about the time that it was purchased (i.e., at or around the same time as files from the prior computer were transferred onto the new computer). THIS DETERMINATION WILL BE BASED ON THE INFO AVAILABLE FROM THE HARD DRIVE FROM THE CLIENT'S COMPUTER.

XXXXXXX has informed Clients that their examination will reveal that either (1) the “created by” date is a date in 2001, there is nothing to indicate that the “created by” date of File was tampered with and the serial number of the File is consistent with the File being transferred to the computer at or about the time that it was purchased; (2) the “created by” date of the File was tampered with and it appears that the File was created within the past year; or (3) the serial number of the file containing the Treatment raises material questions because it indicates that the file was created or copied to Mr. XXXXXXX’s computer recently (i.e., in the past YEAR).


   
ReplyQuote
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

What version of the OS are you talking about? With a 2001 create date it could have been OS 8, OS 9 or OS X. Also, what application created the document?


   
ReplyQuote
Beetle
(@beetle)
Reputable Member
Joined: 17 years ago
Posts: 318
 

They will not agree to any tests beyond the two I stated. I need to show that these two tests, by their nature, are "inconclusive". See below. THANKS!!!!!

Exhibit A to XXXXX Agreement

XXXXXX has been asked to image and then examine the imaged copy of the hard drive of a computer that contains a certain file (the “File”) >>SNIP<<

(1) the “created by” date is a date in 2001, there is nothing to indicate that the “created by” date of File was tampered with and the serial number of the File is consistent with the File being transferred to the computer at or about the time that it was purchased; (2) the “created by” date of the File was tampered with and it appears that the File was created within the past year; or (3) the serial number of the file containing the Treatment raises material questions because it indicates that the file was created or copied to Mr. XXXXXXX’s computer recently (i.e., in the past YEAR).

I assume that the 'serial number' that they are referring to is the HFS+ CNID. If so, it is specific to the volume that the document is located on. These CNIDs are assigned sequentially as files are originally created on the drive. The CNID allocation is tracked in a structure on the HFS+ volume itself (volume header) and is not stored with the file but referred to in the catalogue node structures. The CNID of file X on drive A will be different than the same file on drive B unless you are looking at the bit stream image of A. A technique that I use when dates are questioned is to examine the CNID of all the files on the drive and then "bracket" the suspect file(s) by referring to the CNIDs of files on either side of the CNID of the suspect file and then examine _those_ files to see if the bracketing dates are consistent with the suspect file date. It also helps if you have access to information that is independent of the bracket files (such as references to those files from independent sources) to confirm those dates are demonstrably accurate.


   
ReplyQuote
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

XXXXXX has been asked to image and then examine the imaged copy of the hard drive of a computer that contains a certain file (the “File”) that will be identified by the Clients. XXXXXXX will examine the hard drive to determine whether

(a) the creation date of the File is in fact 2001;

Given the limits of your examination (and based upon assumptions that I am making about the original OS and destination OS), and assuming that you cannot look at file metadata, and assuming that (as noted by another poster), the destination isn't a bit for bit copy, you can't say this. Neither can they.

It is possible that you could find other evidence of backdating if, for example, you had other files seemingly created during the same time frame which could not have been created at that time. But if their goal was to create the impression that file was created in 2001, assuming the limits of your description, then by copying the file to another system, they have made it virtually impossible to validate the date.

Is there any chance that this move to a new computer could be constrained as spoliation? Is this Federal or local jurisdiction and when did the events in question take place?

(b) the serial number of the File is consistent with the File being transferred to the computer at or about the time that it was purchased.

Given the above, what does that matter? If purchasing the second computer was done in anticipation of faking the create date, i.e., if you can suggest that at the time the second computer was purchased, the party had a reasonable expectation that the date of file creation of the file in question would be relevant to a pending or anticipated legal action, what does it matter if the copy date is accurate?

I don't know the facts but it seems to me that the second question says nothing about the veracity of the allegation set forth in the first question, which cannot be addressed to a reasonable degree of computer forensic certainty.

Again, that is given only what you have posted.


   
ReplyQuote
(@csericks)
Trusted Member
Joined: 18 years ago
Posts: 99
 

When I asked numerous Mac people specifically if a document created on a backdated old Mac was transferred (and therefore re-serialized) with other documents to a new hard drive, if ANY red flags would arise to cast ANY doubt over the file's "creation date" and serialization, they said "ABSOLUTELY NOT". If these are the factors they are using, the only legit verdict will be "inconclusive", although based on the language in the legal document, that will somehow mean "legit" in regards to the document in question, and the findings.

Beetle had a great thought if the suspect file had been copied consecutively in the midst of other stipulated non-suspect files to a newly-formatted system. Then, Catalog Node IDs (serial numbers) should be assigned consecutively in contiguous drive space.

For example
Non-suspect File (write #n) CNID = 1038
Non-suspect File (write #n+1) CNID = 1039
Suspect File (write #n+2) CNID = 1040
Non-suspect File (write #n+3) = 1041

Were the CNID assignments not consecutive and the destination pristine, and given your constraints, it would be an error to reach anything but an "inconclusive" verdict.


   
ReplyQuote
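As an added illustration of the CNID "bracketing" Beetle describes and of csericks's consecutive-CNID example (this is example code written for this page, not code posted by anyone in the thread), the Python script below runs both checks over a constructed set of HFS+ catalog records. The record fields, file names, CNIDs and timestamps are all invented; on a real examination they would be read from the catalog file of the forensic image. The `volume_is_original` flag is an assumption the examiner must establish independently: on the original volume a CNID is allocated when the file is first created, so the created dates of neighbouring CNIDs should bracket the suspect's created date, whereas on a volume the files were copied to, CNID order only reflects copy order and the bracketing verdict is "inconclusive" by construction.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class CatalogRecord:
    """One HFS+ catalog entry: the volume-specific CNID, the name and the created timestamp."""
    cnid: int
    name: str
    created: datetime


def cnid_neighbours(records: List[CatalogRecord], suspect_cnid: int,
                    window: int = 2) -> Tuple[List[CatalogRecord], List[CatalogRecord]]:
    """Return the `window` records allocated just before and just after the suspect CNID."""
    ordered = sorted(records, key=lambda r: r.cnid)
    index = next((i for i, r in enumerate(ordered) if r.cnid == suspect_cnid), None)
    if index is None:
        raise KeyError(f"CNID {suspect_cnid} not found in catalog")
    before = ordered[max(0, index - window):index]
    after = ordered[index + 1:index + 1 + window]
    return before, after


def bracket_verdict(records: List[CatalogRecord], suspect_cnid: int, volume_is_original: bool,
                    window: int = 2, slack: timedelta = timedelta(days=30)) -> str:
    """Beetle's bracketing test.

    On the original volume, CNIDs are handed out in creation order, so a file whose
    created date is earlier than the files created *before* it (lower CNIDs), or later
    than the files created *after* it (higher CNIDs), is inconsistent.  `slack` absorbs
    clock drift and files whose created date was legitimately preserved from elsewhere.
    On a copied volume CNID order is copy order, so the test cannot say anything.
    """
    if not volume_is_original:
        return "inconclusive"
    before, after = cnid_neighbours(records, suspect_cnid, window)
    if not before or not after:
        return "inconclusive"          # no bracket on one side: nothing to compare against
    suspect = next(r for r in records if r.cnid == suspect_cnid)
    earliest_ok = max(r.created for r in before) - slack
    latest_ok = min(r.created for r in after) + slack
    if earliest_ok <= suspect.created <= latest_ok:
        return "consistent"
    return "inconsistent"


def copied_as_one_batch(records: Iterable[CatalogRecord], names: Set[str]) -> bool:
    """csericks's check: were these files written to the volume in one contiguous run of CNIDs?

    This is what the agreement's test (b) can establish, and note what it does not
    establish: a contiguous batch says the files arrived together, not when they were created.
    """
    cnids = sorted(r.cnid for r in records if r.name in names)
    if not cnids or len(cnids) != len(names):
        return False
    return cnids == list(range(cnids[0], cnids[0] + len(cnids)))


# Constructed catalog: a 2001-dated "treatment.doc" sitting between files created in 2008.
ORIGINAL_VOLUME = [
    CatalogRecord(1038, "invoice_march.doc", datetime(2008, 3, 1, 9, 0)),
    CatalogRecord(1039, "notes.txt", datetime(2008, 3, 2, 14, 30)),
    CatalogRecord(1040, "treatment.doc", datetime(2001, 6, 15, 10, 0)),   # suspect file
    CatalogRecord(1041, "photo.jpg", datetime(2008, 3, 3, 8, 15)),
    CatalogRecord(1042, "budget.xls", datetime(2008, 3, 4, 11, 0)),
]

# Same catalog with a suspect created date that agrees with its CNID neighbours.
CONSISTENT_VOLUME = [
    r if r.cnid != 1040 else CatalogRecord(1040, r.name, datetime(2008, 3, 2, 18, 0))
    for r in ORIGINAL_VOLUME
]

if __name__ == "__main__":
    for label, vol, original in (("original volume", ORIGINAL_VOLUME, True),
                                 ("consistent original", CONSISTENT_VOLUME, True),
                                 ("copied volume", ORIGINAL_VOLUME, False)):
        print(f"{label:20s} bracket verdict for CNID 1040: "
              f"{bracket_verdict(vol, 1040, volume_is_original=original)}")
    batch = {"invoice_march.doc", "notes.txt", "treatment.doc", "photo.jpg"}
    print("files written as one batch:", copied_as_one_batch(ORIGINAL_VOLUME, batch))
```

The two functions answer different questions, which is the point the thread keeps returning to: `copied_as_one_batch` is the only thing the stipulated test (b) can show, and it returns `True` for the backdated file just as readily as for a genuine one, while `bracket_verdict` only becomes informative when the catalog examined is the one on which the file was originally created.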
(@watson)
New Member
Joined: 16 years ago
Posts: 3
Topic starter  

THANKS so much for the replies.

The details of the case are

A complainant with 7 prior felony fraud convictions has presented a document that he is trying to show was written in 2001 as a claim against another literary property, written and copyrighted in 2003. It is hopeful that this will be handled via negotiation between the lawyers on both sides without going to court. There's not a lot of money at stake, but rather the life's work of one artist who has been targeted by a career criminal.

I'm sure he's aware of serialization issues, and has "created" other documents that were also transferred to this new computer. The original computer is not available.

My goal is to show that, via the two factors above, there is no "conclusive" way to show that the date of the doc is valid.

As it stands today, the other side is trying to say that "if there's no evidence of tampering" it must be a legit doc.

Thank you for all your help.


   
ReplyQuote
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

There are a number of methods by which files could be copied which would render serialization unreliable. For example, if he created a carefully selected series of archives and then restored from archive.

The bottom line, from your perspective, is that you cannot establish, definitely, that the documents were created in the time frame specified without either using document metadata or independent verification.

The fact that you can't disprove the create date does not make it reliable.


   
ReplyQuote
Share: