After consulting our internal legal
Hey Rolf, JFYI, having a lawyer
1) available on a Saturday afternoon or Sunday morning
2) actually giving an answer within a few hours
makes yet another event that may only happen in Switzerland.
@MickArneke
What I would do (since I am not a professional digital forensic investigator, it is OK to ignore my suggestion) is the following:
1) Make a spreadsheet.
2) In the first column (A), list the activities that should have been done (according to you or to best practice).
3) In the second column (B), describe HOW these activities should have been performed (still according to you or to best practice).
4) In the third column (C), describe how these activities have ACTUALLY been performed (leave blank if the activity was not performed), according to the info you have.
5) In the fourth column (D), assign a percentage score (0% where columns C and B are totally different, 100% where columns C and B are substantially identical).
6) Sum those percentages and rate the result against the maximum (i.e. 100% for each row).
As an example, if you have 20 rows and thus the max score is 20, the sum of column D will (maybe) be something like 3 or 4.
Would anyone (in his/her right mind) go ahead with *anything* (be it an exam, a test, a checklist, whatever) with a result of anything less than 18/20 (or possibly 15/20, to be very, very lenient)?
jaclaz
No. Our advice is only about where their forensic “Achilles heel” is, and how it could legally be cured.
As a side note only.
Bad comparison.
The whole point of Achilles was that he was invulnerable everywhere BUT in one single spot, his left heel.
What you describe is someone who is absolutely vulnerable and indefensible everywhere except, maybe, in one or at most a handful of teeny-tiny spots.
jaclaz
Will explain.
The official police forensic laboratory results were, for us, a total mess, nonsense. The more we read all this nonsense, the more we understood that all of the “evidence of guilt” they present is actually a product of forged evidence. The defense team showed all this nonsense clearly in court; they are brilliant. The high officer [he made a private offer to us, as I understand from my boss] asked us to cure this with suggestions FROM a forensic point of view, i.e. interpretations contrary to those of the defense team. This was their “Achilles heel”, BUT no forensic expert exists who would be able to do something about this, because the data there are clearly forged and manifest themselves as forged data. These people simply DO NOT understand this, because of their arrogance, rampant incompetence and lack of any forensic knowledge whatsoever. They also do not understand that these things make their country and judicial system a pure circus. They do not even understand that, without a proper hash, the lab must decline to examine those data, simply because of the lack of proof of the genuineness of the forensic material the lab takes. Thus, their official lab [their OFFICIAL and NATIONAL FORENSIC lab, not some small obscure lab!!!] commits a crime, presenting to the court its forensic conclusions while clearly knowing beforehand that it works on non-genuine data! This is simply unbelievable!!
More, inside the vast majority of the official prosecutor's judicial documents, the prosecutors, at various stages of the judicial procedure, INVENTED and fabricated [non-existent] "evidence" by frivolous assumptions, totally false phrasing and misguided "conclusions", or based simply on NON-existent digital data. Or clearly lied in various paragraphs of their documents.
We asked the high-ranking officer:
"What is this all about? It is false and fabricated!"
He answered us:
"Don't worry, all this will pass as the 'right of the prosecutors to have their own opinion'."
We asked him:
"For God's sake, what kind of 'opinions', when all these are fabricated and are NOT based on any digital proof?"
He closed his remarks:
"You are naive there; we here know better how to catch the criminals!"
But before reading all these documents, I did not know all this, and just thought that they had gaps, or wrong artifact interpretations, or, from the forensic point of view, wrong defense arguments, which might be cured.
Please note: their “live acquisition” lasted about 4 hours on the spot, for ONE computer with 2 HDDs, one of them empty of any evidence whatsoever: 4 hours with a USB stick on the defendant's computer without a blocker. THEY admitted this in court!!! The court did not react because, probably, they do not even know the difference between a computer mouse and a live mouse.
What did he do there for 4 hours then? Write the sequel to “War and Peace”, instead of Leo Tolstoy?
The phrase "they lie to the court": yes, they do, because, for example, we clearly read one of the two officers' statements. He wrote, and told the court the same: "… the defendant obstructed our work, because he does not give us the password to his encrypted files". But, hold on to your chairs: THEIR official forensic expertise concluded that no encryption software was found installed on the defendant's computer, nor did any encrypted files exist there. And this is only one spot.
The other officer stated clearly that he "found" on the defendant's computer software named… but this officer never touched the defendant's computer, because from the beginning to the end only the other officer worked on the machine!
They asked us to "heal" all this! I answered: "It is impossible, because you do illegal things". That's all. We do not advise them anything illegal!
You think you are immune from reprisals? You think that it isn't easy to tie one identity on the net to another?
Some people spend 40 hours a week doing that, and they have more experience and are cleverer than you in this field.
You have a point. But we are human too. We are not "weapons" in someone's hands, and not obliged to serve all these dubious characters and the judicial incoherence there. Just my two cents.
But in my country, and according to our laws, I am not doing anything illegal.
Please note: all the info I give you is open info, not secret info. This information is not "divulged" illegally; it was already heard in OPEN court, with the public present, in open session.
Ask me why I do this? I wrote the one reason: because I must resign, and I want to share with colleagues and just get a second opinion.
Second: all this time, I myself and my colleague [and friend] openly admired the doc there [the defendant]. Not secretly, openly, after we read all their lies, nonsense documents and judicial hypocrisy without end. He must be a courageous man; I do not know him.
Can you imagine, in YOUR country, someone accusing you [and putting you in jail; they put the man in jail] of something digital, unable even to present in court that the data on which they accused YOU are digitally genuine??
When you speak to the judge and tell him
"First, I want proof that the whole data is genuine, before accusing me of anything illegal; it is my basic right"
he answers you
"I do not even understand what you are talking about".
How will you react? Throw the book in the judge's face?? The judicial system there DOES NOT implement the law; they INTERPRET the law, according to the taste of every judge there.
Stop.
Hold on. Make a decision. Just do it.
Will talk to my boss tonight, outside of the office. After that, I will ask for some help from my private attorney on what to do further; there is no question about the legality of our actions whatsoever. The question is just that some EU institutions MUST be informed immediately.
If someone here has experience of which of them are the most productive to inform, and totally independent of the "Mediterranean influence", I will be glad to hear it. Even in the form of a private message to me.
OLAF is not appropriate; this is not in their sphere of competence, our lawyer told us. And nobody here has the slightest experience of how to do this properly and effectively.
Thank you all. Will keep all of you informed.
Will be glad of more opinions.
@MickArneke
I can understand your indignation, but you seem to have brought into the matter (and I am not in any way saying incorrectly) some sort of ethical or ideological weight that may be inappropriate for handling the case.
All in all, a forensic scientist should be a scientist and report just his/her findings, and report and explain the methods through which these findings were discovered, and the appropriateness of these methods.
For just one second, let's talk INSTEAD of this specific case about another, hypothetical one, in which the suspect is believed by you to be actually guilty and you personally know the investigators involved as good, honest, well-meaning people (mind you, it shouldn't make ANY difference in the way you examine the case).
No matter if a number of protocols were violated or commonly accepted methods were not used, the point may be whether this violation affected the case (just playing Devil's Advocate).
I will give you a few examples:
1) the disk where the image of the original is created must be wiped beforehand
This is a common (and correct and smart) procedure, but it is not "vital" for the integrity of the image; surely it will be more complex to explain why this is not strictly needed
https://www.forensicfocus.com/Forums/viewtopic/t=6613/postdays=0/postorder=asc/start=13/
but still, using a non-wiped disk does not change the evidence.
2) the disk can only be accessed through a write blocker for imaging it
This is a common (and correct and smart) procedure, but it is not necessarily "vital" for the integrity of the image (as an example, a read-only OS or a software write blocker may be used), and even if the integrity of the image cannot be guaranteed, that doesn't mean that, say, changing a disk signature in the MBR (or changing a key in the Registry) creates out of nowhere tens or hundreds of compromising e-mails, images, logs, etc. Some (usually minor) modifications to the file system may compromise finding some files, but they won't create them.
3) breaking the chain of custody invalidates the evidence
The constant, accurate and continuous maintaining of a chain of custody is a common (and correct and smart) procedure, but it is not necessarily "vital". You can leave a disk on the back seat of a car for two days in a non-sealed bag, but this doesn't automatically mean that someone actually opened the car, got the disk, planted on it *any* (either incriminating or exculpating) evidence and then placed the disk back in the back of the car; it simply means that the LEO responsible for the custody cannot exclude that this happened.
And if you think a bit about it, the whole chain of custody (perfectly and continuously maintained) is only as reliable as the officer in charge of it: for a given time frame in the chain the device is in the hands of someone (or of someone else), and there is a presumption that this someone (or someone else) is honest, capable and properly trained and would never (intentionally or by accident) contaminate or tamper with a piece of evidence.
But the point remains whether there is proof of contamination (or tampering) or there is not.
jaclaz
* There is no such paper labeled "chain of custody" in the judicial papers there, of any kind, of any sort!! None exists, simply. We are not talking about an imperfect one; we are talking about a missing one.
* No illegal Internet activity whatsoever. Not an IP + MAC address shows illegal activities whatsoever.
* No illegal chats, no illegal Skype, no illegal e-mails, no illegal history, bookmarks: nothing.
* No illegal torrents, nothing.
* They present one false known.met analysis, which consists only of the names of the files, without any other details from the rest [i.e. dates, last written, last shared, etc.]. They are unable to present a working eMule installation of any kind there, with all its data, paths and needed registry values. No wiping software present, of any kind! They exhibit the [non-existent] eMule "installation" path on the 3rd partition, but the lab mentioned only one partition in existence there. No hidden partitions, no other tricks there. No p2p global identifier present that shows illegal activities whatsoever.
* The officer made a 4-hour live acquisition without a blocker: he simply put his USB stick on the defendant's computer, without ANY blocker. He admitted this in court! When asked "What did your USB have inside?" he did not answer. He admitted that he opened crucial files, changing their date/time stamps. When asked "Why?" he answered "This is of no importance; the most important thing for us is to put the man behind bars immediately", just like you read it. This automatically invalidated the whole procedure there!
* There is no such thing as an "open bag, full of digital evidence": everything must be sealed, written labels must exist, HDD photography from the place, etc. Otherwise it is not admissible here. They extracted the HDDs from the defendant's computer; they did not confiscate the whole computer itself. Nobody here has the right to sit in a car, with a notebook in hand, and on his right side an open bag full of confiscated HDDs. This happened in their case: they travelled 6 hours by car to the capital. Please, do not tell us that this is legal…)
* There is no hash on acquisition whatsoever. The lab is 4 MONTHS after, not tomorrow. There is no sealed bag, no chain of custody paper! Based on what hash will the lab take all this for examination?? From the lab, half of the disks are without any hash whatsoever, including the most important HDD, on the analysis of which they put the man in jail! Make it clear: the basic evidence has neither a hash on acquisition nor a hash from the lab. Legally? Where? In Africa? Maybe…
* The defense asked for the hash on acquisition as a precondition to take a copy of all HDD images. No hash on acquisition, no copies for the defense team, case collapses; the defense has the legal right to take genuine copies!! because by this the defendant exercises his fundamental rights in court!
* They manipulated the number of confiscated HDDs: they delivered to the capital 1 HDD less than they officially confiscated, and made a paper with 1 HDD LESS at the point of delivery. This document they stuck on the open bag [to be delivered 4 months later to the lab]. The next day, they understood that something was missing from the bag, found the missing HDD by its number and ADDED the missing disk to the open bag. A SECOND paper was created, with a number equal to the number on the confiscation paper; they simply did not change the first document attached to the bag, and 4 months later the bag was in the lab with the "wrong" paper [i.e. one disk less]. No chain of custody, the bag is open, everyone can put there whatever he likes. Thus the prosecutors were TOTALLY confused about the right number: until the last paper, they wrote 1 LESS, because they read the first paper, with one less! After the defense team's appeal, the last judicial paper has the "right number" and, hold on to your seats, ALL the rest of the judicial documents are "declared" simply a "typo's product".
* In court they ADMITTED verbally and openly that they "examined" the HDDs further AFTER their confiscation [i.e. after the live acquisition ended], which is totally illegal!
* From the defense team's deep analysis: one confiscated HDD has an invalid serial and model number; such a disk simply does not exist in reality; the info is from the manufacturer. The lab gave examination "results" from this disk. Have you heard of this happening, and where? I'm curious to know.)
* The most important, forensically speaking: the HDD contains inside it evidence that forged things exist inside, like dates of log files 2 years BEFORE the HDD was produced, AND NO single sign of time/date manipulation. Not a single one, and you know that there are many ways to investigate this.
And so on… registry values are presented WITHOUT any Windows installation mentioned to be present!!
Or software on 4 partitions [partitions, not virtual HDDs, nor TrueCrypt volumes, nor USB HDDs] is presented by its path; the lab did not mention any of these partitions to exist in reality; the lab mentioned only one in existence.
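A worked illustration of the intake check the posts above keep coming back to: the hash recorded at acquisition is the only thing a lab can verify a received image against, and an open custody hand-over leaves nothing to rely on either. This is an added example, not code from any poster or from a real laboratory; the record layout, exhibit IDs, holder names and image bytes are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hash of the full image; this value is the reference for every later check."""
    return hashlib.sha256(data).hexdigest()


def record_acquisition(image: bytes, exhibit_id: str, officer: str, when: datetime) -> dict:
    """Acquisition record written at the scene: hash plus the first custody entry.
    Field names are constructed for this example, not a standard form."""
    return {
        "exhibit_id": exhibit_id,
        "sha256_at_acquisition": sha256_hex(image),
        "custody": [{"holder": officer, "from": when.isoformat(), "to": None}],
    }


def transfer_custody(record: dict, new_holder: str, when: datetime) -> dict:
    """Close the current custody entry and open one for the next holder."""
    record["custody"][-1]["to"] = when.isoformat()
    record["custody"].append({"holder": new_holder, "from": when.isoformat(), "to": None})
    return record


def lab_intake(record: dict, image_as_received: bytes) -> tuple:
    """Lab-side intake decision, returned as (decision, reason).
    Declines when no acquisition hash exists (nothing to verify against), when an
    earlier custody entry was never handed over, or when the received image
    hashes differently from the acquisition hash."""
    expected = record.get("sha256_at_acquisition")
    if not expected:
        return ("decline", "no acquisition hash on record")
    # every entry except the last (the lab's own) must carry a hand-over time
    if any(entry["to"] is None for entry in record["custody"][:-1]):
        return ("decline", "custody chain has an unclosed hand-over")
    if sha256_hex(image_as_received) != expected:
        return ("decline", "image hash differs from acquisition hash")
    return ("accept", "image matches acquisition hash")


def tampered_copy(image: bytes) -> bytes:
    """Flip one byte: stands in for any post-acquisition change, such as an
    opened file whose timestamps were rewritten."""
    changed = bytearray(image)
    changed[0] ^= 0x01
    return bytes(changed)


# constructed sample image and custody timeline (not real case data)
IMAGE = bytes(range(256)) * 64
T0 = datetime(2020, 1, 1, 10, 0, tzinfo=timezone.utc)
RECORD = record_acquisition(IMAGE, "EXHIBIT-01", "officer-A", T0)
transfer_custody(RECORD, "evidence-lab", datetime(2020, 1, 1, 16, 0, tzinfo=timezone.utc))
```

Calling `lab_intake(RECORD, IMAGE)` accepts the untouched image, while `lab_intake(RECORD, tampered_copy(IMAGE))` and a record with no `sha256_at_acquisition` key are both declined.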
It's not your job to inform an EU institution about this. This is all above your head.
It's your boss's job to do this; he is responsible for you. You have to convince him to do something. If you act above your boss, you will lose, because everybody will ask:
who are you?
who is your boss?
Your only job is to properly report this to your boss. Then stop.
My identity is well preserved. We have in our hands a written order from our boss to help them; we act on a written order. We coordinate all our actions with our legal department. All of our work conversations and answers to them are recorded; this is the practice here. I do not do, tell them, or send them any illegal advice.
Better get outside legal advice that takes into consideration your personal risk, or speak to your in-house staff in greater depth, off the record, regarding "what if" scenarios. Internal legal departments are not the ones to stop a project.
Up to now, you don't seem well informed. A written order doesn't help you; it is evidence against you. Giving no "illegal advice" doesn't help you. It is the very nature of abetment that your actions, taken by themselves with no specific knowledge, may be perfectly legal, but you actually know that they contribute to someone's illegal activity. In my words, you said that you'd help foreign police officers to make their forged evidence seem legit, or at least a little "cleaner", which leads to the prosecution of a potentially innocent person. Moral doubt doesn't help you either, if you do it anyway.
You stand on the thin ice of German case law, that an accessory acting within his professional scope must act in inner solidarity with the perpetrator to be liable to prosecution. A jurisdiction which is mainly constructed around legal advisors and can easily break underneath your feet, or is seen completely differently in the defendant's home country.
Legally? Where? In Africa? Maybe…
An (admittedly very) old N.Y. (United States of America) case, JFYI
https://
jaclaz