by Sam Raincock
and he did it via remote access…
When evaluating computer forensics cases the tricky part is often not just evaluating what is found but determining how it came to reside there.
"It was downloaded via a web browser because I identified it in Temporary Internet Files…"
"I reconstructed the webpage and the image was downloaded as part of the page presented as SR1…"
"There is also evidence in the Internet History to support the proposition that the image was downloaded as part of the webpage…"
"Access to this website occurred after use of the search term 'Forensic Focus'…"
However, sometimes computer forensics isn’t just about what happened and proving intent, it’s also about proving whodunit and ensuring the correct person is prosecuted for the crime they committed…
Please use this thread for discussion of Sam's latest column.
I examined a case where I started analysing the usage patterns of the computer to determine how the previous two weeks may have influenced the sequence of events which led to a crime. During this analysis, it became apparent that there was (suggestive) evidence that two people were using the computer since there appeared to be different usage patterns exhibited. Although I didn’t know it before I started, the events that were uncovered were crucial to determining the motives in the case and a guilty plea.
This works during analysis very well - after spending enough time on the case you 'learn' the habits of the computer users. The intuition-method becomes a much tougher sell in the courtroom.
Ultimately, in a Criminal Court in the UK, the Prosecution needs to prove that the case against an accused is deemed to be beyond reasonable doubt… it is built upon the fundamental principles that… a Judge/Jury/Magistrate must be sure that the person is guilty (and if not, they should return a verdict of not guilty).
I understand the sentiments, but don't be too quick to refer to criminal Courts in the UK generically. Remember that Scotland has (and always has had) its own civil and criminal legal systems (and banknotes, and education system, …!) and that in criminal proceedings in Scotland the verdict can be "Not proven" as a third option.
Good Point GraceCourt, something that slipped my mind when writing the article. It would have been better phrased as England, Wales and Northern Ireland.
Thank you for pointing out the error. Appreciated.
Kind regards
Sam Raincock
Interesting thoughts.
Behavior pattern as evidence. Is user behavior sufficiently unique?
What is the statistical probability of a match?
What is the statistical probability of a false positive?
What is the statistical probability of recreating such "unique" identification?
What is the statistical probability that such a fake but identical pattern can be used for malfeasance?
Decades ago, when BBSes roamed the telcos, I wrote a program that did just what I question here.
The program collected data (monolingual text corpus) of unique source. Then, from a seed, the program was able to create a new piece of data, indistinguishable under general inspection from the original source materials.
The cat may not have done it, but the possibility to recreate someone's usage pattern in the digital universe is much simpler than imitating a hand signature, fingerprint, or DNA in my opinion.
jhup
The potential is there for anything to be faked – I (and a team of monkeys) could theoretically write a program which emulated anything on a computer – it was Limewire that downloaded X and someone accessed Y webpage using IE, however, such propositions are generally accepted types of evidence. A simpler example may be the general acceptance of evidence extracted from mobile telephones e.g. for the content of SMS messages. Something that may be technically easier to spoof than computer activity.
Similarly to DNA evidence and fingerprint evidence you cannot stop someone attempting to fake something if they have the appropriate knowledge and skills (e.g. in the simplest form something like planting DNA). However, similarly to this, when applied to a computer, from a digital spoofing perspective, you need a programmer able to emulate/model that person’s computer usage e.g. general computer behaviour, passwords, interests, spelling mistakes… etc. and to contaminate the computer in such a way that would leave no evidence of the spoofed usage. Personally, I would say this would be technically challenging.
Ultimately, such behavioural analysis (and general analysis about what happened on a computer) is supporting evidence and potentially opinion based. There is nothing to say someone didn’t gain physical access to the computer and attempted to emulate being someone else etc. However, it all comes down to the evidence available as a whole. Aside from this, the purpose of the article is that in my experience, such analysis can often be very useful in providing enough evidence for a person who did commit the crime to plead or to provide other evidence that may support the use of the device by another person which would require further investigation.
jhup, you certainly make some good points though and always worthwhile considering in overall evaluations.
Kind regards
Sam Raincock