
Yahoo! Groups

anti-curse
(@anti-curse)
Eminent Member
Joined: 20 years ago
Posts: 25
Topic starter  

I have a case in which we know a suspect has uploaded images to a Yahoo! Group (as reported by Yahoo!). Yahoo! is the actual complainant here.

I cannot for the life of me find any evidence to support this at this point. The date and time stamps Yahoo! reports do not match the suspect's machine. I have checked and double-checked the suspect's BIOS and event logs to ensure there have been no changes. I have pored through the ntuser, application data and keyword searches…nothing.

I have run NetAnalysis….nothing. I have run NetAnalysis using the Deleted History Extractor….nothing.

Thoughts? What or where else might I look?


   
(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
 

I suppose I'd start by saying - have you got the suspect's correct machine? Did he have a laptop under his bed that you didn't get hold of (for example)?


   
u2bigman
(@u2bigman)
Eminent Member
Joined: 17 years ago
Posts: 41
 

How do you "know" anything? A confession? Then why do you need forensics? There is NO doubt that this guy is the perv?

I am thinking no one is certain. At least not certain enough to gamble with their own freedom/money. Maybe somebody else's but not theirs. Which is usually how it is.

Has no thought been given to, for instance, a compromised account? How about an anonymous proxy? Or a compromised (there is that word again. Pops up distressingly often in digital forensics…) wireless network? Or a perv clueful enough to hide his tracks?

Repeat: If DF tools indicate (never prove) guilt then perchance they indicate innocence as well?


   
(@dietro)
Trusted Member
Joined: 20 years ago
Posts: 51
 

In addition to Jonathan's and u2bigman's points, I have two words for you:

Boot

and

Disk


   
anti-curse
(@anti-curse)
Eminent Member
Joined: 20 years ago
Posts: 25
Topic starter  

I suppose I'd start by saying - have you got the suspect's correct machine? Did he have a laptop under his bed that you didn't get hold of (for example)?

Good questions to which I have no answers. This case was delivered to our lab by the investigators, and they indicate that all related evidence was seized.

I am a bit suspicious that this suspect was using a portable browser on a USB. I can see an external device being used routinely, and a lnk file, referencing the USB device, that used Mozilla. Of course, I have no USB to analyze….


   
anti-curse
(@anti-curse)
Eminent Member
Joined: 20 years ago
Posts: 25
Topic starter  

How do you "know" anything? A confession? Then why do you need forensics? There is NO doubt that this guy is the perv?

I am thinking no one is certain. At least not certain enough to gamble with their own freedom/money. Maybe somebody else's but not theirs. Which is usually how it is.

Has no thought been given to, for instance, a compromised account? How about an anonymous proxy? Or a compromised (there is that word again. Pops up distressingly often in digital forensics…) wireless network? Or a perv clueful enough to hide his tracks?

Repeat: If DF tools indicate (never prove) guilt then perchance they indicate innocence as well?

Touche…

My careless use of the word "know" seems to have interrupted my request for new perspectives.

To provide a bit more…Yahoo! provides info about "suspect@yahoo.com", specifically IP address and uploaded files. ISP is subpoenaed and they provide physical address and MAC address, both confirmed to be the suspect's.

Suspect acknowledges the account's existence and his usage of same. He claims "I don't know if there is anything illegal. You guys tell me." Tells the investigators I upload and download porn "a lot".

Well, yes indeed, his archive of led images is strong…over 150k, and 1500+ multimedia.

I see typed urls leading to CP sites, I see Google and Yahoo! searches for CP related terms.

Based on this I am not quite ready to completely abandon focusing the investigation on him.


   