Suspicious set up - any further lines?  

Page 2 / 2
subujoseph
(@subujoseph)
Member

Interesting Topic.

In regard to reporting I follow this rule - State the Facts and Don't Give an Opinion. That being said, when it comes to writing a Technical Report for non-technical people such as Lawyers and the Jury, I will include the meaning of the Facts. For example, Fact - an image was found in the internet cache. Meaning - it means it was created by internet browsing.

So in this case I will write a report on the following lines -
"There is no evidence of blah blah blah… However, the current setup of the computer will not store any internet activity and CCleaner was set up to wipe the free space with xx no of overwrites"

You can then explain the current set up of the computer.

Have you found any evidence of CCleaner being used? If you have found, then you can include that as well.

But as other members have aptly pointed out, to reach a conclusion along the following lines

There simply is no other explanation in my view for disabling the paging file and overwriting any new data and not keeping any files stored than because of trying to avoid leaving evidence behind.

is not advisable.

If there is no evidence, then simply there is no evidence. A simple analogy would be - if you are stating that there is a Cup and Saucer revolving around the Earth, then you will have to prove it.
You cannot just say that we currently don't have any powerful telescopes to see it and that in the future, when such a telescope is invented, you will find the evidence of the Cup and Saucer.

Posted : 17/08/2016 4:57 pm
wotsits
(@wotsits)
Active Member

I fully appreciate what everyone is saying about drawing my own conclusions being a dangerous line. But I'm really concerned there could be something more that can be done that we are letting get away.

Let me reiterate - there are no files or folders or documents of any description stored on the computer. But the case strongly suggests the individual would have TBs of data. That means there are two possibilities (3 if you consider there could be another computer that wasn't found, but that seems unlikely given the efforts taken to set this up)

1. Cloud storage - if this was the case I'd expect to see some evidence of this. Even if the access details were not known, then the setup for iCloud or OneDrive, Dropbox or whatever would be installed, probably with some type of sync folder. But nothing of any description of this. Yes, I know there could be some web-based cloud storage, but it doesn't seem practical to download from the web and then overwrite the entire free space after every single shutdown.

2. External storage - seems the most likely in this case. Considering enough data to carry every book ever written can be stored on something the size of a postage stamp these days, this could be very easy to conceal very well. I don't know about others, but my somewhat limited experience has found that when people go searching for evidence, once they find a computer the rest of their search is rather cursory.

So I feel I would be irresponsible not to highlight the fact that there is almost certainly a missing piece/s of evidence that could be vital that is likely still out there.

Could this justify a second deeper search or is this just one that was too smart?

Posted : 17/08/2016 5:30 pm
P_R_H
(@p_r_h)
Junior Member

Your job is to provide factual information not your assumptions and concerns.

You seem to be convinced that this person is guilty of a crime despite having no evidence to prove it.

Perhaps, skip the investigation and you can decide what the suspect did, the police can just go with that.

Posted : 17/08/2016 5:41 pm
subujoseph
(@subujoseph)
Member

Before you go any further, I would consider what events led to your investigation.

i.e. How did you get hold of the suspect's device? What piece of intelligence led to the suspect's device being seized? I think such information will be helpful for your investigation.

There is no harm in informing your OIC verbally or via email (I believe you are in LE) of the situation and they can then conduct further searches.

Posted : 17/08/2016 5:41 pm
C.R.S.
(@c-r-s)
Active Member

So I feel I would be irresponsible not to highlight the fact that there is almost certainly a missing piece/s of evidence that could be vital that is likely still out there.

This conclusion is obviously invalid from a forensic point of view. There is no CF method to deduce it from your digital evidence. In my opinion it's even invalid from the criminalistic perspective. When you find potential preparations for a crime and - after a reasonably thorough investigation - nothing else, it's most likely that the suspect simply didn't carry on.

Again, this is not a forensic question. Therefore, you must know whether you give the answer. It's irresponsible, as a technician, to suggest that you're able to draw conclusions from your technical expertise which, in fact, you can't. Someone without technical knowledge might actually believe in the near-certainty of these two arbitrary possibilities which you pointed out.

This is really dangerous in my eyes. Sadly, it even seems to be the default mode of how CF examination and expert statements work in a legal system. I have a legal background as well and sometimes I talk to legal staff who don't know my technical business. They excitedly tell me stories of what these brilliant techies can find out nowadays, just given a computer's hard drive: who's done it, when, why, whatever, unbelievable! They have no idea what CF is about and how limited its capabilities are.
Apparently nobody tells them, maybe because the examiner with the most and most extensive answers, far-reaching into foreign lands, is the most competent in their eyes and gets the next mandate. However, I work for intel, not LE, and there it is important, since all the digital stuff is easily, unobtrusively and regularly manipulated by opponents and third parties.

As CF practitioners we receive evidence in the form of storage content, which is basically a big number. We explain what the number probably means, with several caveats. The interpretation of this number forms an isolated logical reference system. Anything outside this logical box, be it another number from a different storage or events in the outside world, can only be linked to this number by an additional probabilistic assessment for which CF doesn't give any answers at all.

Posted : 17/08/2016 7:36 pm
jaclaz
(@jaclaz)
Community Legend

As CF practitioners we receive evidence in the form of storage content, which is basically a big number. We explain what the number probably means, with several caveats. The interpretation of this number forms an isolated logical reference system. Anything outside this logical box, be it another number from a different storage or events in the outside world, can only be linked to this number by an additional probabilistic assessment for which CF doesn't give any answers at all.

I like the idea of the big number. :)

In the specific case wotsits has a BIG 0.000000000000000000000…

The point here seems more to revolve around what are the duties (and sphere of influence) of a digital forensic examination.

Should the examiner plainly state that the number is 0, that nothing can be inferred from it and leave it alone?

Or suggest that usually such big numbers are different from 0 and thus express the opinion that the situation is "uncommon"?

Mind you that "uncommon" or "unusual" is very different from "suspicious", let alone "significantly suspicious" or "almost certainly a missing piece/s of evidence that could be vital that is likely still out there".

Maybe it is just me (excessively picky), but words have a meaning and in such things as statements that might be used in a legal context (possibly a criminal one) they do have a weight.

jaclaz

Posted : 17/08/2016 8:42 pm
badgerau
(@badgerau)
Member

Well articulated "Chris_Ed"

Not having all the specifics of the scene, have you considered that the suspect computer you're examining was used purely as a pass-through modem, in that some other device was connecting through it to the internet?

Posted : 24/08/2016 6:53 am
Bunnysniper
(@bunnysniper)
Active Member

Some ideas and hints on this:

- joakims already mentioned the NTFS evidence sources - no evidence there?
- I would check all autorun locations, perhaps some kind of cleaning script?
- is there a hibernation file?
- there are so-called hidden TrueCrypt volumes. Did you search for them?
BriMor Labs has a nice blog post about it:
http://www.brimorlabsblog.com/2014/01/identifying-truecrypt-volumes-for-fun.html
- when the MAC was changed, you can perhaps find evidence on the DHCP server? My Wifi SOHO router is acting as DHCP at home and has a full history of IP + MAC addresses
- did you check the Windows Event Logs?
- I would check the Performance Logs, too

And last but not least, any existing Windows memory dump file or Error Reporting archive? Even if you do not find a full memory dump, you might find the name and path of a crashed application.

Good hunting!
Robin

Posted : 29/08/2016 5:40 pm
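The TrueCrypt point above deserves a concrete check. The following is an added example of mine, not code from the thread or from the BriMor Labs post it links to: it applies the usual heuristic for spotting an unmarked encrypted container (no recognisable file signature, near-random content, size a multiple of 512 bytes) to constructed sample data, and exposes a directory scanner for real use. The signature list and the thresholds (7.9 bits/byte, 64 KiB minimum) are my assumptions. Two caveats the thread's theme makes important: compressed or already-encrypted data of any kind trips the same heuristic, so a hit is a lead to examine, not a finding; and a hidden volume lives inside the outer container, so at best this finds the outer file, and nothing on disk can show whether a hidden volume exists inside it.

```python
"""Heuristic scan for files that could be unmarked encrypted containers.

Added example, not code from the thread or from the BriMor Labs post.
A container has no file signature, its body is indistinguishable from
random data, and its size is a multiple of 512 bytes. None of these alone
is proof: compressed data is also high-entropy, and a hidden volume sits
inside the outer one, so this can only point at the outer file.
"""
import math
import os
import random
from collections import Counter

# Signatures checked before calling content "unidentified". Assumption:
# this short list suffices for the demo; extend it for real use.
KNOWN_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"\xff\xd8\xff": "JPEG",
    b"PK\x03\x04": "ZIP/OOXML",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "RAR",
    b"%PDF": "PDF",
    b"\x7fELF": "ELF",
    b"MZ": "PE",
}

# Assumed thresholds: 7.9 bits/byte is close to the 8.0 of uniform random
# data; 64 KiB skips small files where the entropy estimate is noisy.
ENTROPY_THRESHOLD = 7.9
MIN_SIZE = 64 * 1024


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify_magic(data: bytes):
    """Name of a recognised signature at offset 0, else None."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def assess(name: str, data: bytes, size: int = None) -> dict:
    """Score one file; 'candidate' is True only when all three checks pass.

    `size` is the real file size when `data` is only a sampled prefix.
    """
    size = len(data) if size is None else size
    entropy = shannon_entropy(data)
    magic = identify_magic(data)
    size_ok = size >= MIN_SIZE and size % 512 == 0
    return {
        "name": name,
        "size": size,
        "size_ok": size_ok,
        "entropy": round(entropy, 4),
        "magic": magic,
        "candidate": size_ok and magic is None and entropy >= ENTROPY_THRESHOLD,
    }


def scan_directory(root: str, sample_bytes: int = 1 << 20):
    """Yield assess() results for every readable file under root.

    Only the first `sample_bytes` of each file are read for the entropy
    estimate; the size test uses the real size from stat().
    """
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                size = os.path.getsize(path)
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)
            except OSError:
                continue
            yield assess(path, head, size)


def build_samples() -> dict:
    """Constructed test data, not real evidence: seeded pseudo-random bytes."""
    rng = random.Random(1234)
    rand = bytes(rng.getrandbits(8) for _ in range(128 * 1024))
    return {
        "vol.dat": rand,                                   # no signature, 128 KiB
        "photo.jpg": b"\xff\xd8\xff\xe0" + rand[:65532],   # high entropy but signed
        "notes.txt": b"The quick brown fox jumps over the lazy dog. " * 3000,
        "odd.bin": rand[:100000],                          # not a 512-byte multiple
    }


def demo() -> dict:
    """Run the heuristic over the constructed samples, keyed by name."""
    return {name: assess(name, data) for name, data in build_samples().items()}


if __name__ == "__main__":
    for result in demo().values():
        print(result)
```

Run `scan_directory` against a mounted image rather than the live system, and treat the candidate list as what it is: files worth opening in a hex editor and checking against the user's installed software and shell artefacts, not evidence of a container on their own.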
Jmundy
(@jmundy)
New Member
Posted by: @jaclaz

Significant suspicions of what, exactly?

Significant suspicions of acting in such a way to raise the possibility to infer significant suspicions, of course. wink

Next step being of course wider use of precogs 😯 .

And now, only seemingly OT, some previous questionable use of "significant"
http://www.edwardtufte.com/bboard/q-and-a-fetch-msg?msg_id=0001yB

The vigorous, vaguely quantitative, words “significant” and “significantly” are used 5 times on this slide, with meaning ranging from “detectable in a perhaps irrelevant calibration case study” to “an amount of damage so that everyone dies” to “a difference of 640-fold.” None of the 5 “significants” refer to “statistical significance;” such wordplay may suggest that a formal statistical analysis has been done.

@wotsits
Wait until you find a smart guy with no hard disk and booting from a CD/DVD to a ramdisk …
… now that would be really suspicious…

jaclaz

What would the approach be in the scenario @jaclaz mentions? would it even be possible to prove such a set up had even happened?

Posted : 29/05/2020 9:42 pm
jaclaz
(@jaclaz)
Community Legend

https://en.wikipedia.org/wiki/Evidence_of_absence

jaclaz

Posted : 30/05/2020 9:39 am
athulin
(@athulin)
Community Legend

Not sure if it's entirely relevant any more, as the thread is so old, but ... in this case I would be interested in:

How does the system boot? Is this 'empty' Windows environment at the top of the boot list, or is it just what gets booted if none of five other boot alternatives works?

Is PXE booting on the boot-order list? Does the system allow PXE booting from a user-selected boot key, or only from the boot-order list? (that is, can the user select PXE with some F8-like boot option key?)

Does BIOS/UEFI/etc. allow for MAC address reconfiguration? Or is something more heavyweight required for that?

 

If the laptop was used by a technician as a tool in an environment where PXE booting (or similar technical solution) was used, I'd expect something like this kind of set-up. Boot priority list would be at least a) PXE boot, b) local Windows or other environment where MAC address could be changed easily for testing and troubleshooting of PXE boot code delivery.

And in such environment, DHCP and PXE server logs would probably be the first things to check, followed by a check of what the booted environment actually is. (It might still exist on a SAN somewhere.)

 

Posted : 30/05/2020 10:44 am
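Both Bunnysniper's DHCP-history point and athulin's suggestion to pull DHCP and PXE server logs come down to the same pivot: stop staring at the seized disk and ask the network what this machine looked like from the outside. The following is an added example of mine, not code from the thread, serving both posts. It parses constructed log lines written in a dnsmasq-like style (an assumption: real dnsmasq output differs in detail, the "vendor class" line only appears with `log-dhcp` enabled, and ISC dhcpd, Windows DHCP or a SOHO router will need their own regexes) and answers three questions: which MAC addresses a host name or IP was acknowledged with, which of those carry the IEEE locally administered bit that software-set or randomised MACs usually have, and which clients announced themselves as PXE boot clients. The attribution of a vendor-class line to the MAC of the preceding DHCP message is also an assumption about log ordering.

```python
"""Pivot from a seized host to DHCP/PXE server logs.

Added example, not code from the thread. Log lines are constructed in a
dnsmasq-like style (assumption); adapt the regexes to the real server.
"""
import json
import re
from collections import defaultdict

LOG_LINES = [  # constructed sample, not a real capture
    "Aug 14 09:12:01 gw dnsmasq-dhcp[812]: DHCPDISCOVER(eth0) 3c:97:0e:11:22:33",
    "Aug 14 09:12:01 gw dnsmasq-dhcp[812]: vendor class: PXEClient:Arch:00000:UNDI:002001",
    "Aug 14 09:12:02 gw dnsmasq-dhcp[812]: DHCPOFFER(eth0) 192.168.1.50 3c:97:0e:11:22:33",
    "Aug 14 09:12:02 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 192.168.1.50 3c:97:0e:11:22:33",
    "Aug 14 09:15:40 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 192.168.1.50 02:00:5e:aa:bb:cc LAPTOP-01",
    "Aug 14 11:02:13 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 192.168.1.50 3c:97:0e:11:22:33 LAPTOP-01",
    "Aug 14 11:20:00 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 192.168.1.77 b8:27:eb:44:55:66 printer",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ dnsmasq-dhcp\[\d+\]: (?P<msg>.*)$")
# DISCOVER lines carry no IP, ACK lines may carry a host name: both optional.
DHCP_RE = re.compile(
    r"^(?P<kind>DHCP(?:DISCOVER|OFFER|REQUEST|ACK|NAK))\(\w+\) "
    r"(?:(?P<ip>\d+(?:\.\d+){3}) )?(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (?P<host>\S+))?$")
VENDOR_RE = re.compile(r"^vendor class: (?P<vc>.+)$")


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet is the IEEE 'locally administered' flag."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_dhcp_log(lines):
    """Turn raw lines into event dicts. Vendor-class lines carry no MAC, so
    they are attributed to the MAC of the preceding DHCP message (assumption)."""
    events, last_mac = [], None
    for line in lines:
        m = SYSLOG_RE.match(line.strip())
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        d = DHCP_RE.match(msg)
        if d:
            last_mac = d.group("mac")
            events.append({"ts": ts, "kind": d.group("kind"), "ip": d.group("ip"),
                           "mac": last_mac, "host": d.group("host"), "vendor": None})
            continue
        v = VENDOR_RE.match(msg)
        if v and last_mac:
            events.append({"ts": ts, "kind": "VENDOR", "ip": None, "mac": last_mac,
                           "host": None, "vendor": v.group("vc")})
    return events


def analyze(lines) -> dict:
    """Summarise the leads worth following up on the DHCP/PXE side."""
    host_to_macs, ip_to_macs = defaultdict(set), defaultdict(set)
    pxe_macs, la_macs = set(), set()
    for ev in parse_dhcp_log(lines):
        if ev["kind"] == "DHCPACK":
            if ev["host"]:
                host_to_macs[ev["host"]].add(ev["mac"])
            if ev["ip"]:
                ip_to_macs[ev["ip"]].add(ev["mac"])
        elif ev["kind"] == "VENDOR" and ev["vendor"].startswith("PXEClient"):
            pxe_macs.add(ev["mac"])
        if is_locally_administered(ev["mac"]):
            la_macs.add(ev["mac"])
    return {
        "hosts_with_multiple_macs": {h: sorted(m) for h, m in host_to_macs.items() if len(m) > 1},
        "ips_with_multiple_macs": {ip: sorted(m) for ip, m in ip_to_macs.items() if len(m) > 1},
        "pxe_client_macs": sorted(pxe_macs),
        "locally_administered_macs": sorted(la_macs),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(LOG_LINES), indent=2))
```

Read the output with the thread's warning in mind. A locally administered MAC is set by virtual machines, USB adapters and, on current operating systems, by per-network MAC randomisation, so it is a reason to go and look at the router, the DHCP server and any PXE/TFTP server for the period in question, not a finding about intent; the same goes for a host name that moves between MACs. What the logs can give you is a timeline of when the machine identified itself how, which is exactly the kind of outside-the-box data the earlier posts say the disk alone cannot supply.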