Suspicious set up - any further lines?

25 Posts
15 Users
0 Likes
2,388 Views
(@c-r-s)
Posts: 170
Estimable Member
 

Nevertheless, I think it's worth conveying to 'non-tech' people that it's not simply a case that this is something with no evidence, rather it's set up in such a deliberate way so as to avoid there being any evidence. Would this be a worthwhile report and able to infer significant suspicions?

It depends on your role within the investigation, whether it is yours to make criminalistic, not forensic statements. This is certainly true for LE staff who cover the entire investigation. However, I sometimes read supposedly technical reports from CF-only people, which contain all sorts of legal, criminalistic, criminological, social and statistical assumptions to drive the investigation into a certain direction. It's a pain in the…. Well, it doesn't raise confidence in the reporting, to put it this way.
From a forensic point of view, this is absence of evidence and should be reported as such by forensic staff.

Could a finding such as this be able to justify making a further, perhaps deeper, search of the suspect address in the hopes of finding external storage media?

The question suggests you're CF-only? When you report your findings and non-findings, you'll see.

Or generally are searches a one shot thing unless they come to attention for a further offence

No, they aren't strictly one shot. But forensic reports are a matter-of-fact thing, not a better-get-someone-searched-'cause-you-never-know thing. Jesus, think of the common citizen reading here, and your user location isn't Any-stan.

 
Posted : 13/08/2016 12:46 am
joakims
(@joakims)
Posts: 224
Estimable Member
 

Maybe file slack, $MFT records slack, or even $LogFile and/or $UsnJrnl analysis would help.

 
Posted : 13/08/2016 3:01 am
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

Concerning your task, try researching the whole infrastructure and get as much information as possible from the ISP as well, don't focus on a single workstation's data, because from what you write, the data you try to figure isn't there )

User habits for anonymity and the non-existent data on a computer don't make anybody a criminal or suspicious!

 
Posted : 14/08/2016 7:57 pm
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

Technical part

Maybe file slack, $MFT records slack, or even $LogFile and/or $UsnJrnl analysis would help.

I second this - if items have been downloaded and then deleted they might show up in one of these areas.

Did you check the registry? If he has a hidden network storage and he's mapped a drive to it then it should show up in some manner.

Is Tor installed, out of interest? Or the Tor Firefox extension?

————–
Now for the Moral part

There simply is no other explanation in my view for disabling the paging file and overwriting any new data and not keeping any files stored than because of trying to avoid leaving evidence behind.

Again, be very careful with what you're saying, and your initial assumptions. From your comments I think you're LE, and potentially new to the field. Not everyone who comes through your door is going to be guilty. You need to cultivate a view of impartiality to each investigation - it is your job to report the facts, not to make things up based on your gut instinct.

Consider the following statement

.. trying to avoid leaving evidence behind.

You don't know this. You can't know this. Evidence of what? You have no evidence. But to an observer it appears as if you are stating that there absolutely was evidence, but it is no longer there.
Now to rephrase

.. trying to avoid leaving any trace of the browsing history.

This is factually correct. He has taken steps to avoid saving his browser history. This does not mean he has destroyed evidence.

Furthermore, saying "there is no other explanation" is a very strong statement, legally. Here are six possible explanations I came up with in 4 minutes

- If my PC has 64GB RAM, I don't feel like I necessarily need a 64GB pagefile.sys file sitting around on my HDD. Could this be a consideration if the source HDD is relatively small?
- If it's an SSD he might have removed the pagefile if he's especially concerned about wear-levelling.
- Maybe he believes removing the pagefile speeds up his PC.
- The guy is really protective about the sort of porn he watches.
- The guy secretly likes model railways and doesn't want his wife to know, because her previous husband left her for a train conductor!
- He is one of those guys who thinks the "system" is inherently evil and does what he can to thwart the authorities, when all he's actually been looking at are conspiracy forums.

All could be true. Some could be disproven given the specifications of the computer in question, but the last four ..?

Just be careful. Consider the facts. Be cautious with phrases like "there is no other explanation" and the term "evidence".

Now, please check the registry and $MFT, $LogFile, $UsnJrnl :)

 
Posted : 15/08/2016 12:42 pm
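joakims and Chris_Ed both point at $UsnJrnl as a place where downloaded-then-deleted files can still leave a trace. As an added illustration (not code from anyone in this thread), here is a minimal Python parser for USN_RECORD_V2 entries in a raw $UsnJrnl:$J extract that picks out entries carrying USN_REASON_FILE_DELETE; the journal bytes, file names and file reference numbers are constructed inline for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed 60-byte USN_RECORD_V2 header; the UTF-16LE file name follows it.
_HDR = struct.Struct("<IHHQQQQIIIIHH")
USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_FILE_DELETE = 0x00000200
USN_REASON_CLOSE = 0x80000000
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime."""
    return _EPOCH + timedelta(microseconds=ft // 10)

def parse_usn_records(blob):
    """Return the V2 records in a raw $UsnJrnl:$J extract. Zero-filled gaps (the
    sparse part of $J) are skipped; parsing stops at a truncated or non-V2 record."""
    records, off = [], 0
    while off + _HDR.size <= len(blob):
        if blob[off:off + 8] == b"\x00" * 8:
            off += 8          # padding / sparse region: no record starts here
            continue
        (rlen, major, _minor, frn, parent, usn, ts, reason,
         _src, _sid, attrs, name_len, name_off) = _HDR.unpack_from(blob, off)
        if major != 2 or rlen < _HDR.size or off + rlen > len(blob):
            break
        name = blob[off + name_off:off + name_off + name_len].decode("utf-16-le")
        records.append({"usn": usn, "name": name, "frn": frn, "parent": parent,
                        "time": filetime_to_dt(ts), "reason": reason, "attrs": attrs})
        off += rlen           # RecordLength includes the 8-byte alignment padding
    return records

def deleted_files(records):
    """Names whose journal entry carries USN_REASON_FILE_DELETE."""
    return [r["name"] for r in records if r["reason"] & USN_REASON_FILE_DELETE]

def _build_record(name, usn, ts, reason):
    """Constructed test data: pack one V2 record the way NTFS lays it out."""
    name_b = name.encode("utf-16-le")
    rlen = (_HDR.size + len(name_b) + 7) & ~7
    hdr = _HDR.pack(rlen, 2, 0, 0x1000000000001A3, 0x5000000000005, usn, ts,
                    reason, 0, 0, 0x20, len(name_b), _HDR.size)
    return (hdr + name_b).ljust(rlen, b"\x00")

# Constructed journal: a download is created and later deleted; another file survives.
_T0 = ((datetime(2016, 8, 12, 22, 15, tzinfo=timezone.utc) - _EPOCH) // timedelta(microseconds=1)) * 10
SAMPLE_JOURNAL = (_build_record("archive.7z", 0x1000, _T0, USN_REASON_FILE_CREATE | USN_REASON_CLOSE)
    + b"\x00" * 16
    + _build_record("archive.7z", 0x1050, _T0 + 600 * 10**7, USN_REASON_FILE_DELETE | USN_REASON_CLOSE)
    + _build_record("notes.txt", 0x10A0, _T0 + 900 * 10**7, USN_REASON_FILE_CREATE | USN_REASON_CLOSE))
```

On a real image the $J stream is extracted from $Extend\$UsnJrnl with a forensic tool first; only records that have not yet been overwritten by journal wrap-around are available, which is itself a caveat worth stating in the report.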
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

There simply is no other explanation in my view for disabling the paging file and overwriting any new data and not keeping any files stored than because of trying to avoid leaving evidence behind.

Disabling paging: Performance, paging is slow in comparison to hardware memory. Not uncommon on older boxes.

Overwriting data: Making sure that a, say, library computer is clean and won't let anyone steal data from other people.

So… how is that "no other explanation" theory of yours holding up?

 
Posted : 17/08/2016 8:36 am
(@subujoseph)
Posts: 51
Trusted Member
 

Interesting Topic.

In regard to reporting I follow this rule - State the Facts and Don't Give an Opinion. That being said, when it comes to writing a Technical Report for non-technical people such as Lawyers and the Jury, I will include the meaning of the Facts. For example, Fact - an image was found in the internet cache. Meaning - it was created by internet browsing.

So in this case I will write a report on the following lines -
"There is no evidence of blah blah blah… However, the current setup of the computer will not store any internet activity and CCleaner was set up to wipe the free space with xx no of overwrites"

You can then explain the current set up of the computer.

Have you found any evidence of CCleaner being used? If you have, then you can include that as well.

But as other members have aptly pointed out, to reach a conclusion along the following lines

There simply is no other explanation in my view for disabling the paging file and overwriting any new data and not keeping any files stored than because of trying to avoid leaving evidence behind.

is not advisable.

If there is no evidence, then simply there is no evidence. A simple analogy would be - if you are stating that there is a Cup and Saucer revolving around the Earth, then you will have to prove it.
You cannot just say that we currently don't have any powerful telescopes to see it and in the future when such a telescope is invented then you will find the evidence of the Cup and Saucer.

 
Posted : 17/08/2016 3:57 pm
(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

I fully appreciate what everyone is saying about drawing my own conclusions being a dangerous line. But I'm really concerned there could be something more that can be done that we are letting get away.

Let me reiterate - there are no files or folders or documents of any description stored on the computer. But the case strongly suggests the individual would have TBs of data. That means there are two possibilities (3 if you consider there could be another computer that wasn't found, but that seems unlikely given the efforts taken to set this up)

1. Cloud storage - if this was the case I'd expect to see some evidence of this. Even if the access details were not known, then the setup for iCloud or OneDrive, Dropbox or whatever would be installed probably with some type of sync folder. But nothing of any description of this. Yes I know there could be some web based cloud storage but it doesn't seem practical to download from the web and then overwrite the entire free space after every single shut down.

2. External storage - seems the most likely in this case. Considering enough data to carry every book ever written can be stored on something the size of a postage stamp these days this could be very easy to conceal very well. I don't know about others but my limited experience has found that when people go searching for evidence once they find a computer the rest of their search is rather cursory.

So I feel I would be irresponsible not to highlight the fact that there is almost certainly a missing piece/s of evidence that could be vital that is likely still out there.

Could this justify a second deeper search or is this just one that was too smart?

 
Posted : 17/08/2016 4:30 pm
(@subujoseph)
Posts: 51
Trusted Member
 

Before you go any further, I would consider what events led to your investigation.

i.e. How did you get hold of the suspect's device? What piece of intelligence led to the suspect's device being seized? I think such information will be helpful for your investigation.

There is no harm in informing your OIC verbally or via email (I believe you are in LE) of the situation and they can then conduct further searches.

 
Posted : 17/08/2016 4:41 pm
(@c-r-s)
Posts: 170
Estimable Member
 

So I feel I would be irresponsible not to highlight the fact that there is almost certainly a missing piece/s of evidence that could be vital that is likely still out there.

This conclusion is obviously invalid from a forensic point of view. There is no CF method to deduce it from your digital evidence. In my opinion it's even invalid from the criminalistic perspective. When you find potential preparations for a crime and - after a reasonably thorough investigation - nothing else, it's most likely that the suspect simply didn't carry on.

Again, this is not a forensic question. Therefore, you must know, whether you give the answer. It's irresponsible, as a technician, to suggest that you're able to draw conclusions from your technical expertise which, in fact, you can't. Someone without technical knowledge might actually believe in the near-certainty of these two arbitrary possibilities which you pointed out.

This is really dangerous in my eyes. Sadly, it even seems to be the default mode of how CF examination and expert statements work in a legal system. I have a legal background as well and sometimes I talk to legal staff, who don't know my technical business. They excitedly tell me stories of what these brilliant techies can find out nowadays, just given a computer's hard drive: who's done it, when, why, whatever, unbelievable! They have no idea what CF is about and how limited its capabilities are.
Apparently nobody tells them, maybe because the examiner with the most and most extensive answers, far reaching into foreign lands, is the most competent in their eyes and gets the next mandate. However, I work for intel, not LE, and there it is important, since all the digital stuff is easily, unobtrusively and regularly manipulated by opponents and third parties.

As CF practitioners we receive evidence in the form of storage content, which is basically a big number. We explain what the number probably means, with several caveats. The interpretation of this number forms an isolated logical reference system. Anything outside this logical box, be it another number from a different storage or events in the outside world, can only be linked to this number by an additional probabilistic assessment for which CF doesn't give any answers at all.

 
Posted : 17/08/2016 6:36 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

As CF practitioners we receive evidence in the form of storage content, which is basically a big number. We explain what the number probably means, with several caveats. The interpretation of this number forms an isolated logical reference system. Anything outside this logical box, be it another number from a different storage or events in the outside world, can only be linked to this number by an additional probabilistic assessment for which CF doesn't give any answers at all.

I like the idea of the big number. :)

In the specific case wotsits has a BIG 0.000000000000000000000…

The point here seems more to revolve around what are the duties (and sphere of influence) of a digital forensic examination.

Should the examiner plainly state that the number is 0, that nothing can be inferred from it and leave it alone?

Or suggest that usually such big numbers are different from 0 and thus express the opinion that the situation is "uncommon"?

Mind you that "uncommon" or "unusual" is very different from "suspicious", let alone "significantly suspicious" or "almost certainly a missing piece/s of evidence that could be vital that is likely still out there".

Maybe it is just me (excessively picky), but words have a meaning and in such things as statements that might be used in a legal context (possibly a criminal one) they do have a weight.

jaclaz

 
Posted : 17/08/2016 7:42 pm