Would they really have gone to these lengths to attempt to alter the EnCase image files?
If I were to do this, I'd write the EnCase image out to an identical HDD, set the BIOS date and time to the time the evidence should be planted and boot the drive up in an identical system.
I'd then plant the evidence and then, by setting my system date and time back on my forensic workstation, I'd re-image the evidence…
Maybe there would be better ways to do this, I am not sure. Either way, if the original device has been handled correctly, imaging it again would prove evidence planting had taken place?
This thread brings back memories of a line from the Karate Kid
Mr. Miyagi: "If do right, no can defense."
Honestly, if you are looking for the answer to such a complex problem here on the forum, then there is a pretty big problem.
Why does this statement have to be true?
"Of course, a really good tampering job would take hours because of having to clean up so many digital footprints made on the way in"
Anyone with above average CF knowledge could accomplish this in a relatively short time frame.
9/10 in cases like this the other side controls the original hard drive, the original PC (so you can't check the BIOS), and the drive images. How is it that it takes hours to do something like this when you control all 3?
Doesn't take long to wipe an MRU and repopulate it with 10 new items or 25 if you modded the reg file.
What does the report from the other side look like?
When was the time of the first image?
Was a log of the imaging made electronically?
Lots of questions to answer with little information.
Why does this statement have to be true?
"Of course, a really good tampering job would take hours because of having to clean up so many digital footprints made on the way in"
Anyone with above average CF knowledge could accomplish this in a relatively short time frame.
I sincerely doubt this, meaning, that I doubt that someone could accomplish this with the certainty that it would be undetectable. True, it could be impractical to detect it (since, in many cases, either side does not have unlimited resources), but to falsify the creation of files at a given point in time without creating inconsistencies between the MFT, pagefile, LOGFILE, Restore Points, registry, A/V scans, if there were some, would not be trivial.
In fact, I doubt it so much that I'd be willing to supply an image to anyone who wishes and challenge them to alter it, in the way described by the OP, namely, adding images, changing dates, etc., without detection, i.e., without my being able to establish to a reasonable degree of forensic scientific certainty, that the image had been altered.
Lots of questions to answer with little information.
On this we are agreed!
When one side controls all 3, things become much easier.
Restore point? AV scan? Images are being added, not software, nor changes to the system.
While some AV software is set to scan anything new added to the system, this is certainly not the norm.
To add to the statement
"I sincerely doubt this, meaning, that I doubt that someone could accomplish this with the certainty that it would be undetectable"
Undetectable to who? The entire forensic community? You? Patrick? The OP? Undetectable is going to be relative to the person who is looking and the knowledge they have.
Another way to look at the problem is to put yourself in the prosecution's shoes. How do you prove that the data you have now is identical to the state it was in when first received?
If you immediately imaged and hashed, then there is a good case for no tampering. If the chain of custody is 'vague', then anything can be accused, and difficult to deny.
I work for the Defense.
The defendant claims the EnCase evidence file that the Prosecution provided has been tampered with. He believes that they have inserted images, adjusted the timestamps, and then copied that tampered drive to a second drive to make the EnCase "Evidence" files from.
How can I answer this the best definitive way?
Thank you!
Look at the preponderance of the data. What does it show? Does it show numbers of illicit images or contraband files accessed via the web or P2P, and accessed by a user?
While there is a public API for altering timestamps, look to other sources of data within the system. Does the Event Log (assuming Windows here) show any indication of system times being altered? How about Registry analysis? Are there indications that a user account can be tied to the activity that landed the defendant in court?
Go back to the evidence itself. Was the original hard drive documented and secured? How about the image? Can you take the acquisition documentation, re-image the original hard drive using the same process as described in the acquisition documentation and obtain an identical image? Basically, is the acquisition process repeatable?
Essentially what the defendant is asking is that someone prove a negative… prove that you did NOT access and alter the evidence.
Hello to everybody.
Just a simple question/idea.
A newbie in that forum who joined in 01/10 had this question. Nobody has proved it. And a lot of people try to solve this "problem". And if this one is the "bad guy", you gave hints for his/her defence?
Plenty of valid suggestions already made which will not help the defendant any unless his accusations are true. If they are, I wish him luck. Assuming they are not… well, I also wish him luck taking responsible and decent LE examiners on with an unproved argument, and hope that the Judge rewards him well for it.
Hello to everybody.
Just a simple question/idea.
A newbie in that forum who joined in 01/10 had this question. Nobody has proved it. And a lot of people try to solve this "problem". And if this one is the "bad guy", you gave hints for his/her defence?
And if you come onto a forum looking for how to do this, then the poster is extremely stupid and obviously doesn't understand the entire forensic procedure.
At any point in time the evidence can be challenged, and if the correct procedure was in place then all steps can be verified, validated and repeated. Any discrepancies could easily be identified by a competent investigator.
When one side controls all 3, things become much easier.
Restore point? AV scan? Images are being added, not software, nor changes to the system.
Added by what? A live system, perhaps. If you mount the volume so that you can write to it, you have made changes to it even if you do nothing else. As you add files and change dates (read the OP), you are going to make further changes. Now, assuming these changes are of sufficient nature to constitute evidence for prosecution, the likelihood that you would be able to do this in such a way as to avoid detection (and in the time frame between device seizure and imaging) is, IMHO, slim to nil.
While some AV software is set to scan anything new added to the system, this is certainly not the norm.
I'm not going to debate that. My off-the-shelf AV scanner detects new viruses in the temporary files created while FTK is processing case files, and it has been doing it for years. Nonetheless, my point is that there are other processes which write to the file system, and knowledge of how these work might be used to detect the tampering.
Undetectable to who? The entire forensic community? You? Patrick? The OP? Undetectable is going to be relative to the person who is looking and the knowledge they have.
Beside the point, really. We are talking about the assertion that a prosecution or plaintiff would risk evidence tampering charges. They don't know who the opposing expert would be or how sophisticated.
All the opposing expert has to do is to find enough data to establish a reasonable doubt as to the defendant's guilt on the basis that the evidence has been tampered with (and within the time frame between seizure of the drive and imaging of that drive which, in most LE cases in which I have worked, is not very long).
For many reasons, I do not think that this can be done in a practical manner and I would not base my defense on such a theory unless the tampering was evident.
As Harlan pointed out, you can't take the position that the proof that the tamperer was good was that you couldn't detect it. That would be like arguing that the evidence that somebody wiped a file was that no trace of it could be found on his computer.
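Two of the checks raised in this thread (the "public API for altering timestamps" only touches $STANDARD_INFORMATION, and any file activity that falls between seizure and imaging is suspect) can be run mechanically over an MFT listing. The code below is an added example, not from any poster or tool in the thread; the MFT records, seizure and imaging times are constructed, and the checks are indicators for an examiner to review, not proof of tampering on their own.

```python
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # NTFS FILETIME is 100 ns ticks since 1601-01-01 UTC


def to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to an NTFS FILETIME tick count."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


@dataclass
class MftRecord:
    path: str
    si_created: int  # $STANDARD_INFORMATION creation time (settable via SetFileTime)
    fn_created: int  # $FILE_NAME creation time (not reachable through that API)


def timestomp_indicators(rec: MftRecord) -> list[str]:
    """Heuristics for a $SI timestamp that was set by hand rather than by the file system."""
    reasons = []
    # $FN is written when the entry is created; a $SI creation time older than it
    # means $SI was moved backwards (copies/extractions can do this too, so review).
    if rec.si_created < rec.fn_created:
        reasons.append("$SI created earlier than $FN created")
    # Timestamps supplied at second granularity leave the 100 ns field all zeros.
    if rec.si_created % TICKS_PER_SECOND == 0:
        reasons.append("$SI created has zero sub-second ticks")
    return reasons


def created_in_custody_window(rec: MftRecord, seized: datetime, imaged: datetime) -> bool:
    """True if the harder-to-forge $FN creation time lands between seizure and imaging."""
    return to_filetime(seized) <= rec.fn_created <= to_filetime(imaged)


def review(records, seized, imaged) -> dict[str, list[str]]:
    """Map each path to the list of indicators found; paths with none are omitted."""
    findings = {}
    for rec in records:
        reasons = timestomp_indicators(rec)
        if created_in_custody_window(rec, seized, imaged):
            reasons.append("$FN created while drive was in custody")
        if reasons:
            findings[rec.path] = reasons
    return findings


# Constructed sample data: one normal file, one with a back-dated $SI time.
SEIZED = datetime(2010, 1, 12, 9, 0, tzinfo=timezone.utc)
IMAGED = datetime(2010, 1, 14, 15, 30, tzinfo=timezone.utc)
_ok = to_filetime(datetime(2009, 8, 3, 14, 22, 7, 123456, tzinfo=timezone.utc))
LEGIT = MftRecord("Users/x/Pictures/holiday.jpg", _ok, _ok)
TAMPERED = MftRecord("Users/x/Pictures/img_0412.jpg",
                     to_filetime(datetime(2009, 5, 1, tzinfo=timezone.utc)),
                     to_filetime(datetime(2010, 1, 13, 2, 17, 41, 884120, tzinfo=timezone.utc)))
```

Running `review([LEGIT, TAMPERED], SEIZED, IMAGED)` reports only the second file, with all three indicators; a real examination would add the $LogFile, registry and event-log cross-checks the posters above mention.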