[<prev] [next>] [day] [month] [year] [list]
Message-ID: <42FA67F0.3060507@science.org>
Date: Wed Aug 10 21:46:56 2005
From: jasonc at science.org (Jason Coombs)
Subject: Re: Operation Site-Key computer forensic searches
ruled illegal
Tharp, Robert wrote:
> ok. i understand now. that's very interesting. in the marine's case, did you
> actually prove that had happened? or did you just raise enough doubt that
> the prosecutors dropped the case.
The defendant's credit card number was definitely intercepted by a third
party by way of the keylogger. There was no doubt about that. The child
pornography found on the hard drive was entirely within the unallocated
clusters, meaning that at some point in the past there had most likely
been a few digital photos on the computer in the active filesystem, but
that those files were no longer found alongside the other files and
folders within the active filesystem.
One possible explanation for these circumstances is that the photos were
saved to the computer's hard drive by Internet Explorer as Temporary
Internet Files. We don't know for sure, and can't know for sure, that
this was the case because once a file is deleted and its entries in the
FAT or MFT (portion of hard drive in which Windows stores the list of
files and folders that are on the drive) are overwritten with other data
it is impossible to know what folder the file had previously been stored
within. So, we have to look at other factors -- we usually don't even
have a filename of the deleted file in this case, we only have the
digital photograph data; and a forensic technique called a "carve" has
to be performed to scrape the digital photograph data out of the
unallocated clusters starting from the beginning of the photograph data.
If you carve child pornography out of unallocated clusters on a hard
drive that belonged to a suspect whose credit card number appeared in
the site-key database, you don't have to be a rocket scientist to
conclude that, reasonably, the two circumstances are probably connected.
The flaw in this whole thought process is in attributing those two
connected events to a person just because the person is the owner of
both, given that there was a Trojan infection AND a keylogger installed
it was proved conclusively that somebody else had control of the
suspect's computer, and therefore had control of the suspect's identity.
However, this is not the way that forensic examiners write their
forensic examination reports. So-called "computer forensic examiners"
including those who work for the DOD Computer Forensics Lab (DCFL) who
did work in the Pearl Harbor case simply report what they find. They
don't offer interpretations. They don't even point out what should seem
obvious: that a Trojan and a keylogger are present BECAUSE somebody else
was in control of the computer via the Internet. Not as a result of some
virus or worm that automatically infected the defendant's computer
without a human intruder guiding them to do so.
This is a subtle but critical distinction ... My job has always been to
offer expert opinion testimony. This is what I do in the cases that I am
hired to work on. Despite being expert in law, judges and attorneys
often do not understand the difference between a computer forensic
examination report authored by a computer forensics lab and opinion
testimony; my Pearl Harbor testimony revolved around the need for a
civilian expert who could review the forensic examination and offer
critique and opinion as to the meaning and reliability of the
circumstantial evidence in linking the defendant to the crime.
In all other fields of forensics the forensic technician or criminalist
offers an opinion along with their report of findings. In every case
that I've worked on and every case that I've read transcripts and
researched where "computer forensics" serves as a source of evidence
against the accused, the information found on the suspect's hard drive
is represented to be proof of the actions of the owner of the hard
drive. When asked questions like "couldn't somebody else have been
sitting at the keyboard?" the forensic examiner will answer "yes" --
you'd be surprised how often this question doesn't get asked by the
defense attorney -- but then say something like "but I found the data
associated with the defendant's user account". The forensic examiner is
the master of twisting the evidence to fit the accusation because there
is always a way to look at the data that makes the data tell the story
you want it to tell. Because the forensic examiners don't offer opinion
testimony, indeed they are not qualified to offer opinions in most cases
because they simply do not understand the computer programming that
caused the electronic evidence to exist.
The only forensic examiner who I have encountered who was a former
software developer was actually not skilled as a programmer of Windows
operating system or data communications software like the software he
typically testifies about -- rather, he was a database programmer who
used dBase to create databases and the programming instructions that
would put data in and get data out of the databases. Perhaps you've done
this yourself using Microsoft Office. It is not a difficult skill to
learn, and its practitioners do not need to understand how computer
software really works, they only need to understand the commands that
they have to use to cause their database to do what they want it to do.
In software engineering people with this capability are never selected
to write operating systems or software like Internet Explorer because
they simply do not understand software development -- they understand
database development. We call them "database programmers" but that's
just to be nice (and make resumes look good) -- they are not "computer
programmers" because without the database program that they know how to
operate these "programmers" would not be capable of writing "software".
This is all lost on the court in the same way that the distinction
between "computer forensics" and "software expert" is lost on the court,
resulting in a belief that a "computer forensics expert" is by
definition an expert in computers and software programming, but the
truth is usually that the computer forensics expert was trained to
operate some computer forensics software program like EnCase -- without
that program the so-called "expert" would not be capable of performing
an investigation into what happened to a computer in the past, what
software executed on it, what people appear to have used it, etc.
All of these issues sort of converge in a sick and twisted way when
computer evidence is planted by a third party (or when a third party
takes control of somebody else's computer and uses it to commit a crime,
which is, in effect, planting electronic evidence) because the people
who do the work investigating the computer evidence (on behalf of law
enforcement OR on behalf of the defense) simply do not have the
information security expertise necessary to explain first and foremost
that hard drives do not contain "computer evidence" but instead that
hard drives contain "data" -- and that data was stored on the hard
drives by the execution of "software" and that it is impossible to know
exactly what software executed in the past on a microprocessor.
The practice of using "computer forensics" to gather, present, and
explain "computer evidence" in court is in dire need of remediation.
Without competency in the information security field, no "computer
forensics expert" should be allowed anywhere near a courtroom.
There should also be minimum mandatory information security training
given to judges, attorneys, and members of a jury, before any one of
such persons is allowed to view "computer evidence" -- if the computer
forensic examiners aren't going to offer opinion testimony that calls
into question the legitimacy of their own investigative techniques then
the court must force this safeguard into the process.
Except where law enforcement has implemented strict forensic controls
during an investigation, and conducted ancillary surreptitious
monitoring of a suspect using video surveillance, keyloggers, screen
capture, runtime forensic logging of machine code executed by a CPU, and
other techniques that conclusively establish the physical presence of a
suspect, and the conclusive absence of hidden outside control or
influence over a computer that is the source of computer evidence, no
computer evidence should be allowed in court.
What's happening today is akin to giving intruders from the other side
of the world the ability to fill our filing cabinets, our wallets, our
bedrooms, our closets, and our vehicles with incriminating evidence
automatically through the Internet. Nobody ever explains this to the
judge, and law enforcement forensic examiners seem not to understand it.
Something must be done to fix this, and every person convicted of a
crime in the past where computer evidence was used without ensuring that
its pitfalls are well-understood should be given an immediate retrial.
Sincerely,
Jason Coombs
jasonc@...ence.org
Powered by blists - more mailing lists