Forged Digital Forensics Report


ArsenalConsulting
Member
 

Forged Digital Forensics Report

Posted: Jul 11, 17 18:52

Hello All,

We are starting to publish details about a forged digital forensics report we received during the Odatv trial in Turkey. The report is particularly interesting to us because the report was on our letterhead, with my signature, but we had nothing to do with it or the “case” it related to. It may also be quite interesting to the DFIR community because we aren’t just talking about a report but also multiple emails, scanned documents, other exhibits, and a website.

Is this (a forged digital forensics report, never mind the rest of it) a first in our industry? We haven’t been able to find similar cases.

You can find the report here:

https://ArsenalExperts.com/Case-Studies/Odatv/#forged-report

Some things in the queue for this part of the case study:

1.) English translation of the entire email chain and attachments (Ek-1.jpg and EK-3.jpg)
2.) Possibly adding information about a criminal complaint related to the forged report
3.) Addressing UX per jaclaz (anyone want to loan us an awesome UX developer?)

As always I’m open to suggestions on what to add next.

Mark Spencer, President
Arsenal Consulting, Inc.
ArsenalExperts.com
@ArsenalArmed  
 
  

jaclaz
Senior Member
 

Re: Forged Digital Forensics Report

Posted: Jul 11, 17 21:20

- ArsenalConsulting

3.) Addressing UX per jaclaz (anyone want to loan us an awesome UX developer?)


For those unable to understand the ad personam reference, here it is:
www.forensicfocus.com/...c/t=14665/

However, JFYI, you should also check filenames; this one includes a non-ASCII character which may cause some issues on some systems/filesystems. I cannot even copy the filename and paste it on the board:
Questions-and-Answers-for-Turkish-Experts-re-Barış-Pehlivans-Odatv-Computer.pdf

The little square is the Turkish ş (S-Cedilla):
en.wikipedia.org/wiki/Ş

...and speaking of Turkey and forged documents:
rodrik.typepad.com/dan...-army.html


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

ArsenalConsulting
Member
 

Re: Forged Digital Forensics Report

Posted: Jul 19, 17 01:31

- jaclaz

However, JFYI, you should also check filenames; this one includes a non-ASCII character which may cause some issues on some systems/filesystems. I cannot even copy the filename and paste it on the board

I think our web guy has now taken care of all the special characters... thanks for alerting me to the issue. If you have any thoughts on what kind of content you would like to see next please let me know. I'm overdue when it comes to adding information about reversing the RATs so hopefully that will be up soon.

- jaclaz

...and speaking of Turkey and forged documents:
rodrik.typepad.com/dan...-army.html

I'm not sure if you are aware, but this (Sledgehammer a/k/a Balyoz in Turkish) is our case as well. The case study for this one, if we ever get to it, will be a monster. The story may be better told in a book format. The CDs containing MS Office documents from 2002/2003 (according to file system and Office date/times, consistent with the version of software used to burn the CDs and last versions of Office to save the documents) but with embedded references to ClearType fonts and compressed XML... that was just the beginning.

Mark  
 
  

finbarr
Member
 

Re: Forged Digital Forensics Report

Posted: Jul 31, 17 18:33

I had a tribunal case about five years ago, where the client took my report and edited it to indicate a more favourable outcome.

I was unaware that this had happened until I was being cross-examined. After a bit of back and forth about the wording of the report they had versus the original I had with me we got to the bottom of what occurred.

I emailed a pdf copy of my report to the client - they altered it and then instructed counsel and provided the altered report which was then served. As a result - I now only accept instructions from counsel and digitally sign reports to help identify any post creation tampering.

Judge immediately found against my client (the correct choice even without the tampering) and further charged him with Perverting the Course of Justice - "Goodnight Louise".
_________________
Your system must be restarted for these changes to take effect. 
 
  

athulin
Senior Member
 

Re: Forged Digital Forensics Report

Posted: Jul 31, 17 19:25

- ArsenalConsulting
If you have any thoughts on what kind of content you would like to see next please let me know.


Are you taking any particular countermeasures? Digital signatures would help partially, it seems, but any reader would need to know that absence of a signature should be a red flag.

And I'm having some nightmarish visions of being asked to authenticate a printed copy of a 50-page report. "Sure, if you would wait for a moment or two while I compare it with the original ... "

... with embedded references to ClearType fonts ...


OpenType fonts?  
 
  
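The countermeasure finbarr describes (digitally signing reports so post-creation edits can be detected) and athulin's caveat (a reader must treat a missing signature as a red flag, not as "nothing to check") can both be shown in one small verifier. The following is an added example written for this thread, not code from any poster or from Arsenal; the Ed25519 key, the manifest fields, the sample report text and the "EXAMPLE-001" case reference are all constructed for illustration. The examiner signs a manifest (case, examiner, issue date, SHA-256 of the report bytes) rather than the PDF itself, so the signature also covers the letterhead facts a forger would want to change; the verifier returns three distinct states so that an unsigned copy can never be mistaken for a verified one.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest is what the examiner signs: the SHA-256 of the report bytes plus the
// metadata a reader would otherwise take on trust from the letterhead.
// (Field set is an assumption for this example.)
type Manifest struct {
	Case      string `json:"case"`
	Examiner  string `json:"examiner"`
	Issued    string `json:"issued"`
	ReportSHA string `json:"report_sha256"`
}

// Status is the verifier's outcome. Absence of a signature is its own state,
// not a pass, so "nothing to check" cannot be read as "checked".
type Status int

const (
	Verified Status = iota
	Tampered        // report or manifest differs from what was signed
	Unsigned        // no signature accompanies the report: red flag
)

var statusNames = [...]string{"VERIFIED", "TAMPERED", "UNSIGNED"}

func (s Status) String() string { return statusNames[s] }

// SignedReport is what gets served: the report, the manifest the signature
// covers (canonical JSON), and a detached Ed25519 signature over that manifest.
type SignedReport struct {
	Report    []byte
	Manifest  []byte
	Signature []byte
}

// NewExaminerKey generates the examiner's signing key pair. The public half is
// what counsel and the court would hold to verify independently.
func NewExaminerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignReport records the report hash in the manifest and signs the manifest.
func SignReport(priv ed25519.PrivateKey, report []byte, m Manifest) (SignedReport, error) {
	sum := sha256.Sum256(report)
	m.ReportSHA = hex.EncodeToString(sum[:])
	mj, err := json.Marshal(m) // struct field order is fixed, so this is canonical
	if err != nil {
		return SignedReport{}, err
	}
	return SignedReport{Report: report, Manifest: mj, Signature: ed25519.Sign(priv, mj)}, nil
}

// VerifyReport checks, in order: a signature is present, it is valid for the
// manifest under the examiner's public key, and the report bytes still hash to
// what the manifest records. Editing the report text, the case metadata or the
// examiner's name all land in Tampered; stripping the signature lands in Unsigned.
func VerifyReport(pub ed25519.PublicKey, sr SignedReport) Status {
	if len(sr.Signature) == 0 || len(sr.Manifest) == 0 {
		return Unsigned
	}
	if !ed25519.Verify(pub, sr.Manifest, sr.Signature) {
		return Tampered
	}
	var m Manifest
	if err := json.Unmarshal(sr.Manifest, &m); err != nil {
		return Tampered
	}
	sum := sha256.Sum256(sr.Report)
	if hex.EncodeToString(sum[:]) != m.ReportSHA {
		return Tampered
	}
	return Verified
}

func main() {
	pub, priv, err := NewExaminerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample report and metadata; not a real case document.
	report := []byte("Conclusion: the artefacts examined do not support the claim.")
	signed, err := SignReport(priv, report, Manifest{Case: "EXAMPLE-001", Examiner: "Examiner", Issued: "2017-07-11"})
	if err != nil {
		panic(err)
	}
	fmt.Println("as served:       ", VerifyReport(pub, signed))

	edited := signed // the client rewrites the conclusion in their favour
	edited.Report = []byte("Conclusion: the artefacts examined support the claim.")
	fmt.Println("edited report:   ", VerifyReport(pub, edited))

	forged := signed // a forger puts another examiner's name on the manifest
	forged.Manifest = bytes.Replace(signed.Manifest, []byte(`"examiner":"Examiner"`), []byte(`"examiner":"Someone Else"`), 1)
	fmt.Println("forged manifest: ", VerifyReport(pub, forged))

	stripped := signed // the signature is simply dropped
	stripped.Signature = nil
	fmt.Println("unsigned copy:   ", VerifyReport(pub, stripped))
}
```

Two practical notes. The verifier only ever answers for the electronic bytes it is handed; athulin's 50-page printout can only be authenticated by re-deriving those bytes from a retained original, which is why the signed manifest (not just the PDF) should be archived. And the Unsigned state is only useful if the receiving side knows the examiner always signs; publishing that policy, and the public key, alongside the report is part of the countermeasure.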

jaclaz
Senior Member
 

Re: Forged Digital Forensics Report

Posted: Jul 31, 17 20:40

- athulin

... with embedded references to ClearType fonts ...


OpenType fonts?


No, ClearType (more exactly "belonging to the Microsoft ClearType Font Collection"):
www.microsoft.com/typo...Fonts.mspx

Namely, Calibri and Cambria:
rodrik.typepad.com/dan...-army.html

Not to be confused with ClearType (the font display technology):
www.microsoft.com/en-u...eInfo.aspx

And not to be confused with ClearType (the other display technology)
www.microsoft.com/appl...splay.aspx

(hope this Clears the matter)

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  
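The anachronism Mark describes on the Sledgehammer CDs (Office documents whose file-system and Office timestamps say 2002/2003, yet which reference Calibri and Cambria, the ClearType Font Collection faces jaclaz points to) is the kind of thing worth checking mechanically across a whole exhibit set. The following is an added example written for this thread, not code from Arsenal or any poster; the sample blob is constructed, the 2006 availability bound is a deliberately conservative assumption (the fonts shipped with Office 2007 and Windows Vista, with pre-release builds in 2006), and the scan is a raw-byte heuristic rather than a parser of the Word binary format. It looks for each post-dated font name both as UTF-16LE (the form used in the Word 97-2003 font table) and as plain ASCII (RTF font tables, PDF font descriptors), and reports every hit whose font did not exist in the year the document claims.

```go
package main

import (
	"bytes"
	"fmt"
	"sort"
	"unicode/utf16"
)

// fontFirstYear is the earliest year each font family could appear in a genuine
// document. Calibri and Cambria belong to the Microsoft ClearType Font Collection
// and shipped with Office 2007 / Windows Vista; 2006 is a conservative bound that
// also covers the pre-release builds (assumption made for this example).
var fontFirstYear = map[string]int{
	"Calibri": 2006,
	"Cambria": 2006,
}

// Finding is one anachronistic font reference: where it sits in the blob, how
// it was encoded, and how its availability compares with the claimed year.
type Finding struct {
	Font      string
	Offset    int
	Encoding  string
	FirstYear int
	Claimed   int
}

// encodings returns the byte forms a font name takes inside Office artefacts:
// UTF-16LE (Word 97-2003 font table) and plain ASCII (RTF, PDF).
func encodings(name string) map[string][]byte {
	u := utf16.Encode([]rune(name))
	le := make([]byte, 0, 2*len(u))
	for _, c := range u {
		le = append(le, byte(c), byte(c>>8))
	}
	return map[string][]byte{"utf16le": le, "ascii": []byte(name)}
}

// ScanFonts searches the raw bytes of a document for fonts that did not exist
// in the year its file-system and Office metadata claim it was saved. A hit
// only proves the name is present; names in other encodings are not seen.
func ScanFonts(blob []byte, claimedYear int) []Finding {
	names := make([]string, 0, len(fontFirstYear))
	for n := range fontFirstYear {
		names = append(names, n)
	}
	sort.Strings(names) // map order is random; keep output deterministic
	var out []Finding
	for _, name := range names {
		first := fontFirstYear[name]
		if claimedYear >= first {
			continue // the font existed by then; nothing anachronistic
		}
		encs := encodings(name)
		for _, encName := range []string{"utf16le", "ascii"} {
			pat := encs[encName]
			for off := 0; ; {
				i := bytes.Index(blob[off:], pat)
				if i < 0 {
					break
				}
				out = append(out, Finding{Font: name, Offset: off + i, Encoding: encName, FirstYear: first, Claimed: claimedYear})
				off += i + len(pat)
			}
		}
	}
	return out
}

// SampleBlob is a constructed stand-in for a fragment of a Word 97-2003 file:
// filler, a legitimate UTF-16LE "Times New Roman", a UTF-16LE "Calibri", and an
// RTF-style ASCII "Cambria". It is not taken from any real exhibit.
func SampleBlob() []byte {
	var b bytes.Buffer
	b.Write(bytes.Repeat([]byte{0x00}, 16))
	b.Write(encodings("Times New Roman")["utf16le"])
	b.Write([]byte{0x00, 0x00})
	b.Write(encodings("Calibri")["utf16le"])
	b.Write([]byte{0x00, 0x00})
	b.WriteString(`{\f1\fnil\fcharset0 Cambria;}`)
	return b.Bytes()
}

func main() {
	// The documents in the thread claimed 2002/2003 save dates; 2003 is used here.
	for _, f := range ScanFonts(SampleBlob(), 2003) {
		fmt.Printf("offset 0x%04x %-7s %-8s first available %d, document claims %d\n",
			f.Offset, f.Encoding, f.Font, f.FirstYear, f.Claimed)
	}
}
```

Run against real material, the claimed year would come from the file-system and Office metadata Mark mentions, and the table would be extended to every font family with a known release date. The scan is deliberately dumb about structure so that it also catches names embedded in places a format-aware parser would not look (slack space, embedded objects); a second pass with a proper parser is what turns a hit into a conclusion.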

ArsenalConsulting
Member
 

Re: Forged Digital Forensics Report

Posted: Jul 31, 17 23:42

- jaclaz


No, ClearType (more exactly "belonging to the Microsoft ClearType Font Collection"):
www.microsoft.com/typo...Fonts.mspx

Namely, Calibri and Cambria:
rodrik.typepad.com/dan...-army.html



Currently traveling and will respond to this thread in more detail later, but you may find these two slides (particularly the second slide) interesting... I may do a couple more slides like this to demonstrate the compressed XML issue as well:

twitter.com/ArsenalArm...3110713345

Mark  
 
