
Please, help to resolve this.  

MickArneke
(@mickarneke)
Member

Hi all,
Thanks everyone for this wonderful forum. I’m working in a private forensic lab in an EU country. I’m deeply disturbed by the events, and I would like some colleagues here to share their experience and advice. It is time for me to make my decisions.
In the first days of May 2017, a high-ranking police officer from one Mediterranean country (in big financial trouble since the end of 2009, Rep. of Turkey on the right side of the map) called my boss. The officer needed help and advice on how to “sort” and “iron out” some “problems” of his two cyber crime officers. My boss asked me and one of my colleagues to form a team, to help, and to be in touch with this officer to solve the problems.
Their case is from the end of April 2014 - the high officer’s unit accused one man, a pediatrician, of possession of CP, and divulged information about the case to the press. But this is not the end, and not the main problem they have – it is just the beginning of the story.
Their “case”:
At the end of April 2014, the two above-mentioned officers made a live acquisition of the pediatrician’s computer (one). There are no chain of custody papers (of any kind!!), and no hash on acquisition, and the officer who worked on the suspect’s computer, not using any blocker, attached a USB stick and worked directly on the original data, extensively opening files there. After that, they “collected” the suspect’s HDDs in an open supermarket nylon bag, and put the bag on the rear seat of their jeep. There was no sealing of the bag, nor electrostatic enclosures - just plain HDDs, in one open plain supermarket nylon bag.
The same day, the chief of the national cyber-crime police unit (now fired because of incompetence) divulged to the press various “case details” [we checked all of them - all of them proved to be shameless lies] and on the same evening, the chief appeared in the flesh on all national TV channels, milking the event. We asked the high-ranking officer “Why?” - he answered “In order to nail the b*****d [i.e. the defendant] immediately, and to ask the prosecutor for publication of his personal data in the press. With such press coverage, the whole judiciary is obliged to be on our side, unconditionally. And they do not dare to take the other side”, he said laughingly.
At the first trial in front of the judge, the two officers plainly confessed all the details of their, actually, illegal methods of acquisition! Nobody in the court even cared, or paid the slightest attention to what was going on! When we asked the high-ranking officer how all this could possibly pass in a civilized court, his answer was - “The judges here hate all these crimes, and they swallow whatsoever we present to them without a grumble”. And laughing at the end, he told us that “…the judges here do not possess the needed grasp of forensic details, nor are they much interested in learning them”. This officer also told us that at the first trial the two officers lied extensively to the court, and this is real, and became a big problem for them - the defendant is a foreigner, and he contacted his embassy and the authorities of his native country, and pleaded with them to intervene on his behalf. In court, the defense team was very, very competent, and the defendant himself nailed the two officers virtually to the wall - in reality the defendant himself proved to be, this is not a joke, a computer geek with profound, extended, deep, deep knowledge.
We asked for more details, and some of these are:
- No chain of custody of any kind exists, no hash on acquisition. On the day of the acquisition, they worked on original data – they confessed this in court!
- There is not a single photograph of the confiscated HDD! In their “confiscation protocol”, one HDD's serial number and model number are invalid! They forged the defendant's signature there too.
- There is big confusion about the right number of the confiscated HDDs – 2/3 of the judicial documents have one number, the other 1/3 another. We investigated - the two officers manipulated the disks and their numbers when they were traveling to the capital.
- Actually, they confessed in court that they manipulated the disks' contents AFTER the confiscation took place, in order to “investigate” further.
- The official police forensic examination of these HDDs was made 4 months later – almost half of the HDDs were officially presented by the lab without any kind of digital hash whatsoever, the rest with one hash value of unknown origin - of the copy, or of the “original” in the lab?
- There is no comparison between the hash values of the acquisition and the hashes of the lab [where they exist], because hashes of the acquisition simply do not exist.
- Because of the complete lack of proper hashes, the defense is, objectively, unable to obtain a copy of these disks - there is no forensic digital warranty whatsoever that the contents there are the original ones. Or will be the original ones. Actually, and legally, this fact makes all the evidence inadmissible in court, and the case will collapse. All of you understand that there is no way for all this to pass in any [civilized] court in the world!
- We investigated and obtained clear evidence of how, on the date of the acquisition, the officer in charge implanted some illegal files on the defendant's computer. We are in possession of all these analytical data!
I’m totally disgusted. All this is shameful. My colleague resigned from the “case”, but I’m a senior here, and for me this is not at all an easy step. I spoke with my boss, and I briefed him about all these details. He insists that our help for their “case” continue. But I’m unable to do this anymore. Your opinion, guys? Actually, I must resign.
I’m happily married, have two small children, and this is the best job I ever had. But I have my principles.
When, on some occasions, I spoke with this foreign high-ranking officer, I was disgusted by his oriental manners, arrogance and incompetence - I clearly told him that neither the defendant’s home court nor a single European court will accept their “evidence”, and they will have a hard crash, with millions of euros in damages to be paid at more than one level. Actually, I told him plainly and clearly that they forged evidence, apart from the other things they did improperly and illegally. His answer was - “Calm down boy, our judicial system is on our side, whatsoever the b*****d [i.e. the defendant] says. I was just worried about the EU Court of human rights and the defendant’s national ombudsman and Court in his country of origin”.
Is there the slightest chance that any court will accept all this “evidence”??
Your advice, guys?

Posted : 01/07/2017 5:29 pm
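
The hash-on-acquisition and lab comparison whose absence the post above describes, as an added example that is not part of the original thread: a custody record taken at seizure and a lab-side check against it. The file name, serial numbers and examiner name are constructed placeholders.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read in 1 MiB chunks so a large disk image never sits in memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(path, serial, examiner):
    """Custody record written at seizure time: serial number plus acquisition hash."""
    return {"serial": serial, "examiner": examiner, "acq_sha256": sha256_file(path)}


def verify(path, record, serial_seen):
    """Lab-side check of an image against its custody record.

    Returns one of:
      'unverifiable'    - no acquisition hash exists, so nothing can be compared
      'serial-mismatch' - the device on the bench is not the one in the record
      'modified'        - content changed after acquisition
      'intact'          - content matches what was seized
    """
    if not record or not record.get("acq_sha256"):
        return "unverifiable"
    if record["serial"] != serial_seen:
        return "serial-mismatch"
    if sha256_file(path) != record["acq_sha256"]:
        return "modified"
    return "intact"


def demo():
    """Run the four outcomes on a constructed 4 KiB stand-in for a disk image."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        with open(img, "wb") as f:
            f.write(b"\x00" * 4096)  # constructed sample data
        rec = acquire(img, "SN-EXAMPLE-001", "examiner-a")  # constructed values
        results["after_seizure"] = verify(img, rec, "SN-EXAMPLE-001")
        results["wrong_serial"] = verify(img, rec, "SN-EXAMPLE-002")
        # A record that carries a serial number but no acquisition hash
        results["no_acq_hash"] = verify(img, {"serial": "SN-EXAMPLE-001"}, "SN-EXAMPLE-001")
        # One byte written after seizure, as happens when media is handled
        # without a write blocker
        with open(img, "r+b") as f:
            f.seek(100)
            f.write(b"\x01")
        results["after_write"] = verify(img, rec, "SN-EXAMPLE-001")
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(step, "->", outcome)
```

A lab hash computed months later, with no acquisition hash to compare against, lands in the `unverifiable` branch: it shows only that the image has not changed since the lab hashed it, not that it matches what was seized.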
MickArneke
(@mickarneke)
Member

What is it that you have to do? Write an expert witness report?

No. Our advice is only about where their forensic “Achilles heel” is, and how these will be legally possible to be cured. But I do not expect that they there will forge evidences, or do illegal acquisition…. It is just illegal – all their activities there on this case are totally illegal!

My boss insists that I myself continue to provide “help and assistance”. But I can’t do this anymore. Second - I talked with my former colleague [and friend] on the case, and we will probably seek legal advice on how to proceed, bypassing our boss, and to uncover all those dishonest people there, and thus… help the defendant in some way? Don't know. But all this means - we both must resign.

Also, nobody knows how corrupt all these police, judicial and high-ranking officials there are - this is a factor too. I talked with colleagues outside of my work, whom I know personally - they told me that this country has a bad record of rampant judicial and police corruption. Actually, the chief of the national cyber-crime unit there was recently fired because he had collected too much bad press, with too many totally falsified cases of CP "possession", from which they either take illegal bribes [kickbacks], or take extra EU funds for "successful activity", I do not know precisely. Nor do I know whether this information is true… but the cyber-crime chief there really was fired, and then there were widespread rumors among EU officials that he really was a totally incompetent figure.

We looked carefully at all data- there was not a single illegal Internet activity from the man [the defendant].
They even forged his IP - but, hold on to your seats - the defendant showed proof in court that on the same date, and two days before and three days later, his phone line was broken - the company repaired it - there is a bunch of SMS from the phone company proving this!! The court closed its ears to this! It is just unbelievable….

I don’t know really. It is just disgusting.
Why must we, with all our competence and years of hard work, oblige and help corrupt officials to destroy honest people? For me, it is evidently clear that the defendant just has a professional feud with someone there, and they hired someone to do all this. Have you ever lived in small towns? I have, for years, and I know what I'm talking about. The officer just transferred files from his USB key to the defendant's computer in order to put him in jail. Because he thinks he is stupid and naive, and that he does not know which forensic procedures are legal and which are not. It is as simple as this. When the poor man is exposed in the press - you think there will be even a single judge to vote for him in court?? That is exactly why they go to the press - they use it as their extrajudicial weapon.

For your info - in this Mediterranean country, the judge and the jury, after the end of the trial, go to the same room and decide in common [which is unheard of for a civilized country] - there, there is no room only for the jury!

We talked to people there - in the whole country there are, maybe, 3 or 4 really good private digital forensic specialists. All of them live in the two big cities. WHO will the defendant hire for his defense? Nobody. This is just what the circus there uses.

Your opinion about the admissibility in court of all this trash? And about the legality of their "acquisition" procedures, reading all this?

Posted : 01/07/2017 7:43 pm
RolfGutmann
(@rolfgutmann)
Community Legend

My advice is simple: The case you and your boss face is intransparent and not solvable. Maybe the money from this case is important for your boss and you to pay your salary.

But the case is hopeless. Step back, get away - you may think this is a good chance to show your skills and expertise in forensics but the case is too political and will kill you at the end. Why work day and night and give all your personal care, to recognize at the end that it was all for nothing?

Sometimes in life it's better to clearly say NO. Even if everybody hates you and puts even more pressure on you. But protecting yourself is the most important aspect. If you hang in you become part of the game, your name is in danger and afterwards it will be documented that you worked on this case. It's a long-term negative impact for you.

Step back. Get out - too political.

Hopeless case. Stay strong!

Posted : 01/07/2017 8:36 pm
TinyBrain
(@tinybrain)
Active Member

Ask your boss if he will fire you if you resign from this case. Sounds like a no-brainer but it's crucial for you to know.

It's about your family and you first.

Posted : 01/07/2017 9:24 pm
Pachuco
(@pachuco)
New Member

Send the same information you have posted here to the suspect's attorney. Or, to the media. Do it anonymously and be careful to delete information that might identify you. Or, find someone higher up and become a confidential informant.

The idea is to blow the whistle.

You need to get your own attorney before you do. Preferably an attorney who has experience with whistleblowing cases.

Be safe and be careful. Do the right thing and, InShallah, all will work and you will save an innocent man.

Last resort - Find a job in the USA. Plenty of criminals here too.

Posted : 02/07/2017 6:55 am
C.R.S.
(@c-r-s)
Active Member

It is just illegal – all their activities there on this case are totally illegal!

Assisting them in their dubious activities is illegal, too. Since the defendant apparently is an expat (from the EU? From your home country?), you, your boss, and your coworkers are heading for trouble.

Advice: Resign from this case. Resign from your current employment, if possible and if the one who accepted this assignment has major influence on the company. The development you described is totally foreseeable when doing business with Greek agencies. I never did, and never will, because we follow a strict whitelist, but they are also on many others' blacklists (if not relayed through and supervised by an EU body). Therefore, it doesn't make any sense how this is managed in your company, whether you/your boss accept their "requirements" or not.

PS: Do not blow the whistle. It is no secret that I despise the entire "concept" of whistleblowing and the (false) ethical theory behind it, but anyway you are easy to track now.

Posted : 02/07/2017 8:02 am
RolfGutmann
(@rolfgutmann)
Community Legend

C.R.S is absolutely right (excellent post!)

After consulting our internal legal:

Ask jamie (admin FF) to immediately delete your post. Check Google, archive.org and other web history sites about deleting all you posted.

Our legal says all you posted here has parts of evidence which can be fired against you.

So act like hell to immediately delete everything!

Change your FF avatar MickArneke (probably Michael Arneke) immediately too.

Posted : 02/07/2017 12:18 pm
jaclaz
(@jaclaz)
Community Legend

No. Our advice is only about where their forensic “Achilles heels” are, and how these will be legally possible to be cured.

As a side note only.

Bad comparison.

The whole point of Achilles was that he was invulnerable everywhere BUT in one single spot, his left heel.

What you describe is about someone who is absolutely vulnerable and undefendable everywhere except - maybe - in one or at the most a handful of teeny-tiny spots.

jaclaz

Posted : 02/07/2017 3:39 pm
MickArneke
(@mickarneke)
Member

C.R.S is absolutely right (excellent post!)

After consulting our internal legal:

Ask jamie (admin FF) to immediately delete your post. Check Google, archive.org and other web history sites about deleting all you posted.

Our legal says all you posted here has parts of evidence which can be fired against you.

So act like hell to immediately delete everything!

Change your FF avatar MickArneke (probably Michael Arneke) immediately too.

Let me be more clear…

My identity is well preserved. We have in our hands a written order from our boss to help them – we act on a written order. We coordinate all our actions with our legal department. All of our work conversations and answers to them are recorded – this is the practice here. I do not do, or tell them, or send them, any illegal advice. The high superior officer's judgements about their legal system and their legal practices concern only him - we do not express any approval or disapproval of, or comment on, his "statements".
Because of my not so adequate English phrasing, you probably misinterpreted what I wrote.

Our help to them was:

To provide them with forensic advice on what they do properly and what they do not [they have a very, very low level of forensic culture and understanding]. All our advice, before being sent to them, will be approved by our legal team – contents, written phrasing etc. All is legal. We do not give them any illegal advice, or advise them to do illegal things - after I read all I read [their documents], I decided not to continue. This was before I gave them any in-depth forensic analysis of anything.

To clarify for them forensic details which they do not understand.

To tell them which things may help their case, or are strong points in their case, based on what forensic evidence they may present - artifacts, registry analysis and so on.

I simply explained in my post that, based on the documents I saw [we do not have in our possession any digital image copy] and before I even started helping them, I was deeply distressed and unable to continue further with my help, because I saw that their case is not legal. I simply explained to them that it seems to me, both from a forensic point of view and from our legal system's point of view, that their case is not admissible in court. The high-ranking officer told me “It is admissible”. I asked him “How, without proper hashing and legal live acquisition procedures?” He answered laughing “None of the judges here care about hashing. They do not even know what hashing is all about.”

I did not give them any advice on forensic matters, because after I saw all I saw, I decided not to continue. And I was deeply disturbed by what I saw [papers, info] and what I heard in phone conversations. And this I share with all of you.
From my part - there was no forensic advice on any subject - I explained to them plainly and clearly that they do not have a case, and why forensically they do not have a case, according to my forensic knowledge. The high-ranking officer told me that they have. I politely ended the call and went to my boss to brief him.

All the info they gave us, and I give you, is from open and legal documents from their country of origin – because the first trial has passed, all this info is widely accessible, because all this information was heard in OPEN court, OPENLY.

Posted : 02/07/2017 5:17 pm
MDCR
(@mdcr)
Active Member

You think you are immune from reprisals? You think that it isn't easy to tie one identity on the net with another?

Some people spend 40 hours a week doing that and they have more experience and are more clever than you in this field.

Posted : 02/07/2017 5:44 pm
jaclaz
(@jaclaz)
Community Legend

After consulting our internal legal

Hey Rolf, JFYI, having a lawyer
1) being available on a Saturday afternoon or Sunday morning
2) actually giving an answer within a few hours

makes yet another event that may only happen in Switzerland.

@MickArneke
What I would do (since I am not a professional digital forensic investigator it is OK to ignore my suggestion) is the following:
1) Make a spreadsheet
2) in first column (A) list the activities that should have been done (according to you or best practice)
3) in second column (B) describe HOW these activities should have been performed (still according to you or best practice)
4) in third column (C) describe how these activities have ACTUALLY been performed (leave blank if activity was not performed) according to the info you have
5) in fourth column (D) assign a percentage vote (0% where columns C and B are totally different, 100% where columns C and B are substantially identical).
6) sum those percentages and rate the result against the maximum (i.e. 100% for each row)

As an example, if you have 20 rows and thus the max points are 20, the sum of column D will be (maybe) something like 3 or 4.

Would anyone (in his/her right mind) go ahead with *anything* (be it an exam, a test, a checklist, whatever) with a result of anything less than 18/20 (or possibly 15/20 to be very, very lenient)?

jaclaz

Posted : 02/07/2017 5:57 pm
MickArneke
(@mickarneke)
Member

No. Our advice is only about where their forensic “Achilles heel” are, and how these will be legally possible to be cured.

As a side note only.

Bad comparison.

The whole point of Achilles was that he was invulnerable everywhere BUT in one single spot, his left heel.

What you describe is about someone who is absolutely vulnerable and undefendable everywhere except - maybe - in one or at the most a handful of teeny-tiny spots.

jaclaz

Will explain:

The official police forensic laboratory results were, for us, a total mess, nonsense. The more we read all this nonsense, the more we understood that all of the “evidence of guilt” they present is actually a product of forged evidence. The defense team showed all this nonsense clearly in court - they are brilliant. The high officer [he made a private offer to us, as I understand from my boss] asked us to cure this with suggestions FROM a forensic point of view - i.e. interpretations contrary to those of the defense team. This was their “Achilles heel”, BUT no forensic expert exists who will be able to do something about this, because the data there are clearly forged, and manifest themselves as forged data. These people there simply DO not understand this, because of their arrogance, rampant incompetence, and lack of any forensic knowledge whatsoever. They also do not understand that these things make their country and judicial system a pure circus. They do not even understand that, without a proper hash, the lab must decline to examine those data, simply because of the lack of proof of the genuineness of the forensic material the lab takes. Thus, their official lab [Their OFFICIAL and NATIONAL FORENSIC Lab, not some small obscure lab!!!] commits a crime by presenting its forensic conclusions to the court, clearly knowing beforehand that they worked on non-genuine data! This is simply unbelievable!!

Moreover, inside the vast majority of the official prosecutor's judicial documents, the prosecutors at various stages of the judicial procedure INVENTED and fabricated [non-existent] "evidence" by frivolous assumptions, totally false phrasing and misguided "conclusions", or based simply on NON-existent digital data. Or - clear lies in various paragraphs of their documents.

We asked the high-ranking officer:

"What is this all about? It is false and fabricated!"

He answered us:

"Don't worry - all this will pass as "right of the prosecutors to have their own opinion"."

We asked him:

"For God's sake, what kind of "opinions", when all these are fabricated, and are NOT based on any digital proof?"

He closed his remarks:

"You are naive there - we here know better how to catch the criminals!"

But before reading all these documents, I did not know all this, and I just thought that they had gaps, or wrong artifact interpretations, or, from the forensic point of view, wrong defense arguments, which may be cured.

Please note - their “live acquisition” lasted about 4 hours on the spot, for ONE computer with 2 HDDs, one of them empty of any evidence whatsoever – 4 hours with a USB stick on the defendant’s computer without a blocker – THEY admitted this in court!!! The court does not react because, probably, they do not even know what the difference is between a computer mouse and a live mouse.

What did he do for 4 hours there then? Write the continuation of “War and Peace”, instead of Leo Tolstoy?

The phrase "they lie to the court" - yes, they do, because, for example, we clearly read the statement of one of the two officers. He wrote, and told the court the same - "… the defendant obstructs our work, because he does not give us the password for his encrypted files" - but, hold on to your chairs - THEIR official forensic expertise concluded that no installed encryption software was found on the defendant's computer, nor did encrypted files exist there. And this is only one spot.
The other officer stated clearly that he "found" on the defendant's computer software named… but… this officer never touched the defendant's computer, because from the beginning to the end, only the other officer worked on the machine!

They ask us to "heal" all this! I answered - "It is impossible, because you do illegal things". That's all. We do not advise them anything illegal!

Posted : 02/07/2017 6:43 pm
MickArneke
(@mickarneke)
Member

You think you are immune from reprisals? You think that it isn't easy to tie one identity on the net with another?

Some people spend 40 hours a week doing that and they have more experience and are more clever than you in this field.

You have a point. But we are human too. We are not "weapons" in someone's hands. And not obliged to serve all these dubious characters and judicial incoherence there. Just my two cents.

But in my country, and according to our laws, I am not doing anything illegal.
Please note - all the info I give you is open info, not secret info. This information is not "divulged" illegally, it was already heard in OPEN court, with the public present there, and in open session.

Ask me - why do I do this? I wrote the first reason - because I must resign, and I want to share with colleagues, and just get a second opinion.

Second - all this time, I myself and my colleague [and friend] openly admired the doc there [the defendant]. Not secretly - openly, after we read all their lies, nonsense documents and judicial hypocrisy without end. He must be a courageous man, I do not know him.

Are you able to imagine, in YOUR country, someone accusing you [and putting you in jail - they put the man in jail] of something digital, while unable even to show in court that the data on which they accused YOU are digitally genuine??

When you speak to the judge and tell him:
"First, I want proof that the whole data is genuine, before accusing me of anything illegal - it is my basic right"

he answers you:

"I do not even understand what you are talking about".

How will you react? Throw the book in the judge's face?? The judicial system there DOES NOT implement the law - they INTERPRET the law, according to the taste of each judge there.

Posted : 02/07/2017 6:50 pm
RolfGutmann
(@rolfgutmann)
Community Legend

Stop.

Hold on. Make a decision. Just do it.

Posted : 02/07/2017 9:12 pm
MickArneke
(@mickarneke)
Member

Stop.

Hold on. Make a decision. Just do it.

Will talk to my boss tonight, outside of the office. After that, I will ask my private attorney for some help on what to do further - there is no question about the legality of our actions whatsoever - the question is just that some EU institutions MUST be informed immediately.

If someone here has experience of which of them are the most productive to inform, and totally independent of the "Mediterranean influence", I will be glad to hear. Even in the form of a private message to me.
OLAF is not appropriate - this is not in their sphere of competence, our lawyer told us. And nobody here has the slightest experience of how to do this properly and effectively.

Thank you all. Will keep all of you informed.
Will be glad of more opinions.

Posted : 02/07/2017 9:41 pm