Please, help to resolve this.  

Page 2 / 6
jaclaz
(@jaclaz)
Community Legend

@MickArneke
I can understand your indignation, but you seem to have brought into the matter (and I am not in any way saying incorrectly) some sort of ethical or ideological weight that may be inappropriate for handling the case.

All in all, a forensic scientist should be a scientist and report just his/her findings, and report and explain the methods through which these findings were discovered, and the appropriateness of these methods.

For just one second, let's talk INSTEAD of this specific case of another, hypothetical one, in which the suspect is believed by you to be actually guilty and you personally know the investigators involved as good, honest, well-meaning people. (Mind you, it shouldn't make ANY difference in the way you examine the case.)

No matter if a number of protocols were violated or commonly accepted methods were not used, the point may be whether this violation affected the case (just playing Devil's Advocate).

I will give you a few examples:
1) the disk where the image of the original is created must be wiped beforehand
This is a common (and correct and smart) procedure, but it is not "vital" for the integrity of the image; surely it will be more complex to explain why this is not strictly needed
https://www.forensicfocus.com/Forums/viewtopic/t=6613/postdays=0/postorder=asc/start=13/
but still, using a non-wiped disk does not change the evidence.

2) the disk can only be accessed through a write blocker for imaging it.
This is a common (and correct and smart) procedure, but it is not necessarily "vital" for the integrity of the image (as an example a read-only OS or a software write blocker may be used), and even if the integrity of the image cannot be guaranteed, that doesn't mean that - say - changing a disk signature in the MBR (or changing a key in the Registry) creates out of nowhere tens or hundreds of compromising e-mails, images, logs, etc.; some (usually minor) modifications to the file system may compromise finding some files, but they won't create them.

3) breaking the chain of custody invalidates the evidence
The constant, accurate, and continuous maintaining of a chain of custody represents a common (and correct and smart) procedure, but it is not necessarily "vital". You can leave a disk on the back seat of a car for two days in a non-sealed bag, but this doesn't automatically mean that someone actually opened the car, got the disk, planted on it *any* (either incriminating or exculpating) evidence and then placed the disk back in the back of the car; it simply means that the LEO responsible for the custody cannot exclude that this happened.
And if you think a bit about it, the whole chain of custody (perfectly and continuously maintained) is only as reliable as the officer in charge of it is; for a given time frame in the chain the device is in the hands of someone (or of someone else), and there is a presumption that this someone (or someone else) is honest, capable and properly trained and would never (intentionally or by accident) contaminate or tamper with a piece of evidence.
But the point remains whether there is proof of contamination (or tampering) or there is not.

jaclaz

Posted : 02/07/2017 9:49 pm
MickArneke
(@mickarneke)
Member

@jaclaz

* There is no such paper labeled "chain of custody" in the judicial papers there, of any kind, of any sort!! None exists, simply. We do not talk about an imperfect one; we talk about a missing one.

* No illegal Internet activity whatsoever. Not an IP + MAC address shows illegal activities whatsoever.
* No illegal chats, no illegal Skype, no illegal e-mails, no illegal history, bookmarks, nothing.
* No illegal torrents, nothing.
* They present one false known.met analysis, which consists only of the names of the files, without any other details from the rest [i.e. dates, last written, last shared, etc.]; they are unable to present a working eMule installation of any kind there, with all its data, paths and needed registry values. No wiping software in presence, of any kind! They exhibit the [non-existent] eMule "installation" path on the 3rd partition, but the lab mentioned only one partition in existence there. No hidden partitions, no other tricks there. No p2p global identifier present that shows illegal activities whatsoever.

* The officer for 4 hours made a live acquisition without a blocker; he simply put his USB stick in the defendant's computer, without ANY blocker. He admitted this in court! When asked "What did your USB have inside?" he did not answer. He admitted that he opened crucial files, changing their date/time stamps. When asked "Why?" he answered "This is of no importance; the most important thing for us is to put the man immediately behind bars", just like you read this. This automatically invalidated the whole procedure there!

* There is no such thing as an "open bag, full of digital evidence"; all must be sealed, written labels must exist, HDD photography from the place, etc. Otherwise, not admissible here. They extracted the HDD from the defendant's computer; they did not confiscate the whole computer itself. Nobody has the right here to sit in a car, with a notebook in hand, and on his right side an open bag full of confiscated HDDs. This happened in their case: they travelled 6 hours by car to the capital. Please, do not tell us that this is legal… )

* There is no hash on acquisition whatsoever. The lab is 4 MONTHS after! not tomorrow. There is no sealed bag, no chain of custody paper! Based on what hash will the lab take all this for examination?? From the lab, half the disks are without any hash whatsoever! including the most important HDD, on the analysis of which they put the man in jail! Make it clear: the basic evidence has neither a hash on acquisition nor a hash from the lab. Legally? where? in Africa? maybe… .

* The defense asks for the hash on acquisition as a precondition to take a copy of all HDD images. No hash on acquisition, no copies for the defense team, case collapses; the defense has the legal right to take genuine copies!! because by this the defendant exercises his fundamental rights in court!

* They manipulated the number of confiscated HDDs: they delivered to the capital 1 HDD less than they officially confiscated, and made a paper with 1 HDD LESS on the delivery port. And this document they stuck on the open bag [to be delivered 4 months after, to the lab]. The next day, they understood that something was missing from the bag, found the missing HDD by its number and ADDED the missing disk to the open bag. A SECOND paper was created, with a number equal to the number on the confiscation paper; simply, they did not change the first document collated on the bag, and 4 months later the bag is in the lab with the "wrong" paper [i.e. one disk less]. No chain of custody, the bag is open, everyone puts there whatever he likes. Thus, the prosecutors were TOTALLY confused about the right number; until the last paper, they wrote 1 LESS, because they read the first paper, with one less! After the defendant's team appealed, the last judicial paper is with the "right number" and, hold on to your seats, ALL the rest of the judicial documents are "declared" simply a "typo's product".

* In court they ADMITTED verbally and openly that they "examined" the HDD further AFTER its confiscation [i.e. after the live acquisition ended], which is totally illegal!

* From the defense team's deep analysis: one confiscated HDD has an invalid serial and model number; such a disk simply does not exist in reality; the info is from the manufacturer. The lab gave an examination "result" from this disk. Have you heard of this happening, and where? I'm curious to know ).

* The most important, forensically speaking: the HDD contains inside evidence that forged things exist inside, like log file dates 2 years BEFORE the HDD was produced, AND NOT a single piece of evidence of time/date manipulation. Not a single one, and you know that there are many ways to investigate this.

And so on… registry values are presented WITHOUT any Windows installation mentioned in presence!!
Or software on 4 partitions [partitions, not virtual HDDs, nor TrueCrypt volumes, nor USB HDDs] is presented by its path; the lab does not mention any of these partitions to exist in reality; the lab mentioned only one in existence.

Posted : 02/07/2017 11:01 pm
RolfGutmann
(@rolfgutmann)
Community Legend

It's not your job to inform an EU institution about this. This is all above your head.

It's your boss's job to do this; he is responsible for you. You have to convince him to do
something. If you act above your boss, you will lose, because everybody will ask

who are you?

who is your boss?

Your only job is to properly report this to your boss. Then stop.

Posted : 02/07/2017 11:22 pm
C.R.S.
(@c-r-s)
Active Member

My identity is well preserved. We have in our hands a written order from our boss to help them; we act on a written order. We coordinate all our actions with our legal department. All of our work conversations and answers to them are recorded; this is the practice here. I do not do, or tell them, or send them, any illegal advice.

Better get outside legal advice that takes into consideration your personal risk, or speak to your in-house staff in greater depth, off the record, regarding "what if" scenarios. Internal legal departments are not the ones to stop a project.
Up to now, you don't seem well informed. A written order doesn't help you; it is evidence against you. Giving no "illegal advice" doesn't help you. It is the very nature of abetment that your actions, taken by themselves with no specific knowledge, may be perfectly legal, but you actually know that they contribute to someone's illegal activity. In my words, you said that you'd help foreign police officers to make their forged evidence seem legit, or at least a little "cleaner", which leads to the prosecution of a potentially innocent person. Moral doubt doesn't help you either, if you do it anyway.
You stand on the thin ice of German case law, that an accessory acting within his professional scope must act in inner solidarity with the perpetrator to be liable to prosecution. A jurisdiction which is mainly constructed around legal advisors and can easily break underneath your feet, or is seen completely differently in the defendant's home country.

Posted : 03/07/2017 12:08 am
jaclaz
(@jaclaz)
Community Legend

Legally? where? in Africa? maybe… .

An (admittedly very) old N.Y. (United States of America) case, JFYI
https://www.cnet.com/news/electronic-evidence-anchors-porn-case/

jaclaz

Posted : 03/07/2017 12:28 am
trewmte
(@trewmte)
Community Legend

Mick can you confirm exactly which

(I) Legislation has been breached relevant to your country by reference to the Law title/Clause etc.?
(II) Regulation/s that have been breached by the officer's conduct?
(III) Law Enforcement Procedures that have been breached by the officer's conduct?

Posted : 03/07/2017 1:01 am
MickArneke
(@mickarneke)
Member

Legally? where? in Africa? maybe… .

An (admittedly very) old N.Y. (United States of America) case, JFYI
https://www.cnet.com/news/electronic-evidence-anchors-porn-case/

jaclaz

You want proofs of tampering; they exist, but they are indirect analysis, i.e. Windows registry values with no Windows in existence mentioned, nor its version, etc. and many others… .

But you are unable to go further in your forensic examination, because of lack of hash values, and inability to obtain copies of the images.

You accept that the lack of a hash on acquisition + lack of complete [and methodologically correct] hashes from the lab is permissible in court today?

Your proposition for further forensic examination of the tampering, without the digital copies in presence?

Posted : 03/07/2017 1:05 am
jaclaz
(@jaclaz)
Community Legend

You accept that the lack of a hash on acquisition + lack of complete [and methodologically correct] hashes from the lab is permissible in court today?

I don't "accept" anything (nor am I in a position to "accept" even if I wanted to); you just showed us an example where this actually happened, and I showed you a not-so-different case that also actually happened.
Maybe a similar case never happened in your country (or in mine), but seemingly they can happen, and not only, as you hinted, in a third world country.

The methods and procedures (that in some countries may well be strictly dictated by Law) that you use daily may not be the "only" way all over the world or they may be in other countries mere recommendations, "best practices" or academic (or industry) de facto standards, while still not being mandatory.

I am trying to help you free yourself of your current (as said understandable) indignation to (hopefully) see the case with some detachment.

You seem to be focused on the malpractices in the handling of the evidence, which in some cases may be only formal or anyway tolerated by the local Law (or, possibly lower, standards); what I was proposing to you was to try treating the case assuming, temporarily, that such malpractices didn't actually invalidate the evidence or didn't substantially alter it, and look instead for what actually can be found on the devices, and whether what is found has been "planted".

It is extremely difficult AFAICT to "plant" evidence without leaving some traces.

Your proposition for further forensic examination of the tampering, without the digital copies in presence?

Ah well, if there is nothing to examine it will be hard to examine (further) anything, but if such images existed and were available, a scientific way to examine them would be to find any evidence that can be gathered from them, including (but not limited to) evidence of tampering with their contents.

jaclaz

Posted : 03/07/2017 1:37 am
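The thread keeps returning to two points: jaclaz's remark that a small write (such as a rewritten MBR disk signature) does not create evidence, and MickArneke's point that without a hash taken at acquisition nobody can show whether a later copy is the same data. The added example below (written for this page, not code from the thread or from any poster) records a whole-image SHA-256 plus per-sector SHA-256 values at acquisition, then verifies a later copy against that record and reports which sector offsets differ. The sample "image", the 512-byte sector size and the 0x1B8 signature change are constructed assumptions; real images are gigabytes but the logic is identical.

```python
import hashlib
import json

SECTOR = 512  # assumed sector size for a raw (dd-style) image


def hash_image(image: bytes, chunk: int = SECTOR) -> dict:
    """Whole-image SHA-256 plus one SHA-256 per chunk (piecewise hashing).

    The whole-image digest is what an acquisition record normally carries;
    the per-chunk list is what lets a later verifier say WHERE a copy
    diverged instead of only THAT it diverged.
    """
    pieces = [hashlib.sha256(image[off:off + chunk]).hexdigest()
              for off in range(0, len(image), chunk)]
    return {"sha256": hashlib.sha256(image).hexdigest(),
            "chunk_size": chunk, "size": len(image), "pieces": pieces}


def verify_against_record(record: dict, image: bytes) -> dict:
    """Re-hash a copy and compare it with the acquisition-time record.

    A mismatch proves the copy is not bit-identical to what was recorded;
    it does not by itself say who changed it, when, or why. Sector offsets
    that differ are listed so the examiner can look at exactly those bytes.
    """
    now = hash_image(image, record["chunk_size"])
    changed = [i * record["chunk_size"]
               for i, (a, b) in enumerate(zip(record["pieces"], now["pieces"]))
               if a != b]
    return {"size_matches": now["size"] == record["size"],
            "sha256_matches": now["sha256"] == record["sha256"],
            "changed_offsets": changed}


def build_sample_image() -> bytes:
    """Constructed 8-sector stand-in for a disk image (not real evidence)."""
    img = bytearray(8 * SECTOR)
    img[0x1B8:0x1BC] = b"\x11\x22\x33\x44"   # NT disk signature field in the MBR
    img[510:512] = b"\x55\xAA"               # MBR boot signature
    img[SECTOR:SECTOR + 16] = b"FAKE-FS-DATA-000"  # placeholder file system bytes
    return bytes(img)


def modified_copy(image: bytes) -> bytes:
    """Copy with only the MBR disk signature rewritten (assumed scenario:
    a mounting OS touched sector 0; every other sector is untouched)."""
    img = bytearray(image)
    img[0x1B8:0x1BC] = b"\xAA\xBB\xCC\xDD"
    return bytes(img)


if __name__ == "__main__":
    original = build_sample_image()
    record = hash_image(original)  # what should be written down at acquisition
    print(json.dumps(verify_against_record(record, original)))
    print(json.dumps(verify_against_record(record, modified_copy(original))))
    print(json.dumps(verify_against_record(record, original[:7 * SECTOR])))
```

The second run reports a whole-image mismatch localized to offset 0 only, which is the distinction jaclaz draws; the third shows a truncated copy failing on size with no matching-chunk mismatches, a case a whole-image hash alone would report identically to full tampering.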
MickArneke
(@mickarneke)
Member

Mick can you confirm exactly which

(I) Legislation has been breached relevant to your country by reference to the Law title/Clause etc.?
(II) Regulation/s that have been breached by the officer's conduct?
(III) Law Enforcement Procedures that have been breached by the officer's conduct?

I will not do this. You know why I'm unable to do this. )
Just ask yourself where, in one civilized court, a judge will accept a forensic EnCase evidence file without matching hashes. If this acceptance without hashes is valid for the UK, ask yourself then

* How is the genuineness of the evidence supported with missing hashes? How otherwise must this genuineness be proved, by declaration of good faith?
* What image copies will the defense be able to obtain, without proof that the data is digitally the same data from the day of its acquisition? Remember, the right of obtaining copies is a basic right of the defense, and not satisfying this is a breach of the European Convention on Human Rights, Article 6.
* The defense is not obliged to prove; the prosecution is obliged to prove its accusations; what kind of proof may exist without clear forensic evidence of the genuineness of the digital data? Without valid digital data, what case exists at all?

Actually, I do not think that today a competent forensic specialist exists who ignores the correct hash procedure in his work.

p.s. How many forensic specialists, testifying in court, do you know to

* accept before a judge, openly and vocally, that they worked on the defendant's computer, without a blocker, with a USB storage device attached, and consistently opening files on the target computer, for 4 hours
* accept before a judge, openly and vocally, that they were working on the defendant's computer, opening and changing file attributes, with also vocal and open declarations that the file date/time stamps they changed are an "irrelevant thing", of no matter whatsoever.
* accept that the hash on acquisition is not an important thing; more important is to put the defendant immediately in jail.

and NOT be eaten to their bones immediately by the defense lawyers? You need penal code articles for why they will be eaten?

We know all these details; we asked people there. Do not think that if you live in a [somewhat] modern country, the rest do too. They do not.

Posted : 03/07/2017 5:51 pm
RolfGutmann
(@rolfgutmann)
Community Legend

Just make a decision. The facts in raw are clear.

Posted : 03/07/2017 9:32 pm
RolfGutmann
(@rolfgutmann)
Community Legend

Do you need further help?

Posted : 04/07/2017 8:54 pm
MickArneke
(@mickarneke)
Member

Do you need further help?

I am just re-reading patiently all the opinions here, waiting for more. And thinking.
Actually, the situation today for me [and us, as a lab] became absolutely clear. We are in the process of making important decisions. The frame takes shape today.
No bad feelings towards me at all. My job is secure.

From a third person we hear that the national ombudsman's human rights team will sue in court [in the defendant's country] the two officers and their lab immediately. I do not know for sure if it is true or not.

Thank you for your interest.

Posted : 04/07/2017 9:17 pm
MickArneke
(@mickarneke)
Member

I reread some things here, and wish to comment on some points

jaclaz wrote, p.3, here

“…2) the disk can only be accessed through a write blocker for imaging it.
This is a common (and correct and smart) procedure, but it is not necessarily "vital" for the integrity of the image (as an example a read-only OS or a software write blocker may be used), and even if the integrity of the image cannot be guaranteed, that doesn't mean that - say - changing a disk signature in the MBR (or changing a key in the Registry) creates out of nowhere tens or hundreds of compromising e-mails, images, logs, etc.; some (usually minor) modifications to the file system may compromise finding some files, but they won't create them.”

IT IS totally untrue! Details:

- Here, we speak about putting someone's USB key in the defendant's computer, without a blocker. We do not talk about making an image without using a blocker [which also is not OK at all]! And working with this USB key in, for 4 hours! Even by the standards of 2014, USB capacities are huge. Based on the case frame here, there is no need to transfer e-mails or to make extensive modifications or sophisticated tampering; it is enough to transfer 20 files, put 1000-2000 in the unallocated space + put logs, or whole directories from 3 or 4 software packages, to put one man in jail for knowing “possession”. More, implanting one p2p search terms file and adding one “known.met” and “shareddir.dat” file from someone else's computer, and the “intention of possession” clause is already ready for court presentation.

“And if you think a bit about it, the whole chain of custody (perfectly and continuously maintained) is only as reliable as the officer in charge of it is; for a given time frame in the chain the device is in the hands of someone (or of someone else), and there is a presumption that this someone (or someone else) is honest, capable and properly trained and would never (intentionally or by accident) contaminate or tamper with a piece of evidence.
But the point remains whether there is proof of contamination (or tampering) or there is not.”

NOT TRUE at all!

First, in this case, there is mass evidence of tampering, existing in each and every one of the confiscated defendant's HDDs. Second, as I wrote, the protocol of confiscation has 3 invalid HDDs, for various reasons; i.e. one of them has an invalid serial and model number, i.e. it does not exist in reality, and there is a forensic exam result from this HDD!! At least in my country, there is no evidence HDD “forgotten” in someone's car, especially not sealed, and especially on the back seat of the car, with one of the officers' notebooks to the right of them, and travelling with this open and unsealed bag [and the HDD evidence in it] for 4-5 hours. More, I personally do not know from my practice an officer to admit in court that he, AFTER the acquisition ended, made more “investigations” of the confiscated HDD [they must be, presumably, already sealed].
The confiscated HDD here, in my country, is a sealed forensic package; nobody forgets this in his car, even for a minute; they do not travel to the sea for sunbathing with their forensic material waiting in the car.

Posted : 11/07/2017 9:25 pm
jaclaz
(@jaclaz)
Community Legend

I reread some things here, …

No you haven't (or you did not fully understand the meaning of my notes); I was NOT at all commenting on your specific case.

In your country, like in every other country, you rely mainly on the integrity of the forensic investigators and examiners; the "sealed" bag that you are so proud of is periodically unsealed and resealed by the investigator or by the examiner, all handling is done by either the investigator or the examiner, the imaging is done by the examiner, etc., and the procedures are generally very UNLIKE those used for - say - launching a nuclear missile or the "two-man rule"
https://en.wikipedia.org/wiki/Two-man_rule

and rest assured that in your country, like in every other country, a determined "crook" (examiner or investigator) can alter evidence in every way you can imagine (and also a few that you cannot even imagine), the difference being that in these (hopefully rare) cases it is done "professionally", leaving no traces, and surely without telling about it in Court.

jaclaz

Posted : 11/07/2017 9:59 pm
MickArneke
(@mickarneke)
Member

I'm not able to believe this: they went to another lab, same story. But the second lab cut them short in a heartbeat.
Most important: the second lab will sue all of them by name, and will make a statement to various European agencies.

More details come through the second lab; we talk to them. They are contacted now by a businessman (no official person now) who wants to help two of his police relatives… but the same story. By the way, the money they proposed to the second lab was much, much more.

And more technical details surface: actually, a third person, not a member of the acquisition team, took the HDDs with him, and for some hours there is a gap where these disks went… .

And more, more forensic details too.

@jaclaz, please no more generalities ) and mentoring tone. )

Posted : 27/07/2017 7:55 am