TuckerHST no this is not the only evidence of contraband images. Let me give you a little bit of history on what I'm working on without going into too many details. We conducted a compliance check on our sex offenders. This one was found to have what appeared to be child pornography. He was charged and arrested. I have him recorded talking to other persons admitting what he was doing and numerous times saying he was guilty of looking at these sites.
I'm new to the forensic world so to speak. Here is what I have found: the only evidence I gave to the DA was the pagefile.sys carved images, since I thought it would be easier for the Jury or DA to understand that since the data was in the pagefile.sys someone was actively viewing Lolita type sites. The phone conversations I hope will put the suspect in front of the computer since he admitted surfing those sites.
I found images in the unallocated space as well. I am under the impression since it's in the unallocated space there is no metadata that would contain the date / time viewed etc… I was able to use IEF (Internet Evidence Finder) and it revealed that IE private browsing was used to surf tons of pornographic websites. The only thing about this that struck me as odd is in the unallocated pictures the only ones I saw were from Firefox cache not Internet Explorer unless I just overlooked them. IEF parsed queries shows searches for all kinds of things sexually related. It also found two .flv files of online adult camera footage not of children.
I got to say however some of the searches did give dates which still confuses me. The dates according to IEF were in 2009 and the location was the pagefile.sys that according to Encase was created in 2012 so I'm a little confused about that. Hence why I'm trying to find as much information as possible on the pagefile.sys. My hope is that if the person doesn't take a plea deal that if this goes to trial his multiple admissions of guilt, him already being a sex offender with child molestation charges, and the pictures from the pagefile.sys are worth a million words I think.
I will be more than happy to try and keep you all posted as this case moves forward. With that being said, like most other departments, due to budget constraints I can't go to any type of forensic classes so I'm learning on my own. This website has been a tremendous help to me. Well I hope that kind of sums up everything for you. If you've got suggestions or advice send it my way, I need all the help I can get.
Thanks,
Pete
Pete, given that this is a compliance issue of a previously convicted sex offender, the phone conversations will probably be enough to get a plea deal. If it was a new case, I would be concerned that data carved from pagefile.sys might not be sufficient, lacking temporal data.
If there is evidence of software like CCleaner being installed, you might also want to assert that the computer was likely wiped (otherwise, why no deleted contraband files, or other relevant evidence in unallocated space?). Also, you might want to check this thread http://www.forensicfocus.com/Forums/viewtopic/t=10560/ which may strengthen your argument that contraband was downloaded and viewed, even though the original files are no longer available in the file system.
Actually, reviewing MRU lists and LNK files would come before the $LogFile and $UsnJrnl, but you've probably already done that.
Thanks for sharing this case with us.
If there is evidence of software like CCleaner being installed, you might also want to assert that the computer was likely wiped (otherwise, why no deleted contraband files, or other relevant evidence in unallocated space?).
Or, more simply, correctly maintained:
http://www.forensicfocus.com/Forums/viewtopic/t=5410/
Please also remember - generally speaking - that you have to place the suspect before the keyboard and screen, see
http://www.forensicfocus.com/Forums/viewtopic/t=9275
http://www.forensicfocus.com/Forums/viewtopic/p=6559899/#6559899
jaclaz
Update. Trial is coming up and I'm doing more work on this case again. The individual was indicted on 20 counts of Sexual Exploitation of children. So my issue. Just went through my first actual forensics class a few weeks back. Got with the DA reprocessed to see if I could get more supporting evidence for the charges.
So what are my concerns. First, I have never actually had to testify on the stand, since most stuff is just probation violations they settle. So yes I am a little nervous, I don't want to mess this up. I could use all the help I can get to prepare me for court. So here are the tools I have available to use: Encase 6 and 7, FTK 4 and 5 and I also have a trial of IEF 6. IEF 6 found tons of pornographic websites with titles Lolita's, Illegal Child Porn etc… I have numerous volume shadow copies with the pagefile.sys and registry keys etc…. I exported a few of the pagefile.sys and ran IEF 6 on them and lo and behold porn everywhere. Yet no cookies, index.dat, .lnk files etc…
So based on the pagefile.sys can I show "Constructive Possession?" Which in my case is defined: "Constructive possession of contraband exists where a person, though not in actual possession, knowingly has both the power and the intention at a given time to exercise dominion or control over a thing." Also, "Both Knowledge and possession may be proved, like any other fact, by circumstantial evidence."
The computer evidence isn't the only thing we have to prosecute on, we have audio too with a wealth of information as well. As if that all isn't confusing enough I will be sitting down with the ADA in a couple weeks to prep for trial. What kind of questions should I have her ask that support our case? I have about a week to get a supplemental report to her. Any advice or suggestions would be greatly appreciated. Please bear with me, I am very new to forensics and have a real generic grasp on everything. Something that may be obvious to a seasoned examiner may not be obvious to me. I did try to find information in IntelliForms but once I cracked the user's password in PRTK and then pasted the ntuser.dat file in, it said no passwords found. There are no TypedURLs or search strings either.
I'm going to let those who are more experienced with criminal matters give advice on testifying, but I do see a few questions you should know the answer to before heading to trial.
1) Does all your evidence come from pagefile.sys files? If that's all you have, then this might be ripe for a malware defense. It sounds like you don't have anything that places the suspect behind the keyboard while these artifacts were placed on the computer. Not that this person didn't do it, but that's one way the defense attorney could explain away the images in pagefile.sys. Be prepared for this. Look for malware that could have done this so you can say you looked and found none. This probably requires more than a virus scan of the image. If it's possible malware could still be there, load the image up in a VM and see what happens with wireshark.
2) Maybe don't mention the trial version of IEF anywhere. A defense attorney might jump on that and make a big deal of it. IEF does a good job of pointing out where, exactly, the data was found in the file you fed it. Take that information and go back to EnCase or FTK and verify what IEF is telling you. Put that in the report, not the IEF information. Don't lie about it, just don't volunteer information that could be used to impeach your credibility.
3) The constructive possession question is best answered by an attorney. The defense could argue malware did it. See #1.
4) Has the defense hired a digital forensics expert? If so, what is he expected to say at trial? You can prepare the DA for cross examination by providing him questions for the defense expert.
5) Did you check for artifacts from other browsers? The artifacts you mentioned are all from IE. What about a portable browser on a thumb drive or TrueCrypt volume? You'll have a lot stronger case from the digital evidence if you can find something like browser history that places a person behind the keyboard.
6) Did you feed IEF the entire image file, or just the pagefile.sys? IEF is pretty good at extracting results from unallocated space. If IEF found nothing else, I'd spend some time figuring out exactly how these pictures made it into the pagefile. You're going to have to explain why there are no browser artifacts to accompany the pictures in the pagefile.
I would add that the "malware" defense can be limited by the amount of material AND by its variety.
I mean, say that a "common" malware exists that automatically downloads a number of p0rn (and in this case illegal, like CP) images.
The intention of the author of such a malware is clearly to lure the "unsuspecting user" into joining a site or a given number of sites.
In order to do this, besides downloading the images it is in the interest of the malware author to show them to the one in front of the screen, and provide him a way to register/join and - presumably - pay for the contents.
Now it is clear that the images that you can access once registered/logged in (and having paid for access) should normally be more than the ones automatically downloaded, or in higher resolution than the ones in "preview pages".
Additionally, such a "common" malware would most likely be detected and neutralized by a "common" antivirus, so determining if on the machine there has been running an Antivirus (and an updated one) could be part of the reasons to exclude the existence of such malware on the machine.
As well, if the various volume shadow copies cover an extended period of time and each one has inside "different" images, it is unlikely that such a "malware" was there (and changed the sites/images); it would mean that several different malwares have "taken possession" of the PC over the time.
If the above excludes the presence of a "common" malware there is always the resource of "planted malware", i.e. the defense may say that someone - with the specific intention of damaging the suspect - has crafted a "special" malware (that downloads CP without making the user aware of it) and that is so advanced that it is undetectable by the Antivirus (and your later scans) and that has been "planted" on the PC artfully.
Here we are in the realm of fantasy IMHO, but the extension over time of the shadow volume evidence (timeline) may be a good point to raise.
I mean if I wanted to discredit you and (besides being such a genius as would be needed to code this undetectable malware) be so evil as to plant the malware, would I also have the patience to plant that in - say - 2011 and wait two whole years before triggering *something* that may alert LE of this?
jaclaz
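As an added example, not from this thread or from any of the tools mentioned in it, here is a small Python script that carves JPEG segments out of pagefile.sys exports taken from several volume shadow copies, hashes each carved image, and reports which snapshots and byte offsets each distinct image appears in. It serves two points raised above: independently cross-checking the offsets a tool reports before they go into a report, and measuring how much the material varies from snapshot to snapshot over time. The snapshot labels and the byte blobs are constructed stand-ins, and the carving is deliberately simplified (header to footer only).

```python
import hashlib
from collections import defaultdict

# JPEG Start Of Image and End Of Image markers used for header/footer carving.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"

def carve_jpegs(blob):
    """Return (offset, bytes) for each SOI..EOI run in blob. Simplified carving
    meant for cross-checking a tool's reported offsets, not a full carver."""
    found = []
    pos = 0
    while True:
        start = blob.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = blob.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break  # header without a footer: nothing complete to carve
        end += len(JPEG_EOI)
        found.append((start, blob[start:end]))
        pos = end
    return found

def hash_carved(snapshots):
    """snapshots: {label: pagefile_bytes}. Returns {sha1: {label: [offsets]}},
    so each distinct image maps back to the snapshot and offset it came from."""
    index = defaultdict(lambda: defaultdict(list))
    for label, blob in snapshots.items():
        for offset, data in carve_jpegs(blob):
            index[hashlib.sha1(data).hexdigest()][label].append(offset)
    return index

def persistence_summary(index):
    """Number of snapshots each distinct carved image appears in."""
    return {digest: len(snaps) for digest, snaps in index.items()}

# Constructed sample data: tiny fake JPEG-like segments padded with filler,
# standing in for pagefile.sys exports taken from three volume shadow copies.
def fake_jpeg(tag):
    return JPEG_SOI + b"\xe0" + tag + JPEG_EOI

FILLER = b"\x00" * 16
SAMPLE_SNAPSHOTS = {
    "vsc_2011-06": FILLER + fake_jpeg(b"A") + FILLER + fake_jpeg(b"B"),
    "vsc_2012-03": FILLER + fake_jpeg(b"B") + FILLER + fake_jpeg(b"C") + FILLER,
    "vsc_2013-01": fake_jpeg(b"D") + FILLER,
}
```

Distinct images that appear only in widely spaced snapshots are what the "different images over time" argument above rests on, and the per-snapshot offsets are what you take back to EnCase or FTK to confirm each hit by hand.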
How about the "common" malware of storage zombie? Seen it with Tor running in background…
Let us never underestimate the reason why one is willing to do evil.
How about the "common" malware of storage zombie? Seen it with Tor running in background…
Let us never underestimate the reason why one is willing to do evil.
Well, then it was not "undetectable" ;)
jaclaz