Forged Digital Forensics Report

Re: Forged Digital Forensics Report

Post Posted: Aug 07, 17 19:50

Re: Forged Digital Forensics Report

Post Posted: Aug 07, 17 19:52

OK, let me scan these 100 pages on my portable 100 Kg high speed feed automatic scanner, and

You make it sound like that would not be a viable option?

As stated in my first post, once the report is printed, validation does become extremely difficult. I think any solution may be cumbersome to implement and originally sound like more trouble than it's worth, but in the case of printed documents, what is the alternative?

1. Assume the document is authentic and unmodified
2. Manually check every page, line by line and compare

This discussion was started because it appears we can no longer assume that Digital Forensic reports will not be modified: clients sometimes have reasons for wanting a different outcome in the report, and sometimes a report may be changed or modified along the way to court, either on purpose or by mistake. These changes may be naively completed with the idea they are 'fixing' the report to be more readable, or correcting an issue they believe they discovered (date/time conversion).

Whatever the reason for the alteration, manually checking your own work is still not a guarantee of spotting the change, as you are still likely going to see what your brain expects to see. (https://www.wired.com/2014/08/wuwt-typos)

So the only solution I see to this problem would be using OCR, but I would be very interested in hearing better ideas or solutions as I think my idea is far from perfect in dealing with printed documents in a timely manner.
If verification were required in the actual courtroom, I would see this being done prior to court, or request a break to validate the document. But please note, I don't think that either option is a great solution, but rather a necessary step when required.

One potential solution involves changing the way the courts operate if they plan to continue to use printed reports during court proceedings. Before a report is ever printed, it is in an electronic form, so the validation should occur at this phase, with any reports being presented having a "stamp of authenticity" affixed. Of course, this would still require that the original report be digitally signed and timestamped so that proper validation could occur.

Although I offer this as a potential solution, I recognize that this would be very difficult to implement in the courts unless a court ruling in the future requires this type of change.

Now, back to the real world, what do you propose for electronic documents on the stand?

How electronic evidence is presented in court is a bigger discussion as so many variables come into play, including the amount of investment the courts are willing to make on proper hardware which will vary based on city and region.

I think BYOD to court could result in better quality hardware, but also generate its own issues especially if that equipment fails. In my opinion, the equipment needs to be provided by the courts as any issues with BYOD would be used by the other side as a reason to convict or drop a charge. Court delays are now a major reason to stay a charge in some regions.

I think individual tablets issued by the court would also cause issues, as they are difficult to use to find key information in large documents due to the small screen size (assuming smaller, cheaper tablets and not MS Surface Pros).

When dealing with electronic documents in court, I would hope to see dual screens in the testimony box with the ability to search and find information in your documents on your screen and then slide it over to the screen seen by the judge, lawyers and potential jury (if required).

Validation in this setting would be simple as the report in the court could clearly display the generated HASH value and Digital Timestamp. As the ‘expert’ testifying, you could simply confirm that the HASH matches the value you recorded at the time of generating the report.

In situations where this information is not presented (HASH, Timestamp), then the system should allow copying of the files to an external system that allows validation via the internet and/or Adobe Reader.

At the very least, the 'expert' should be presented with the digital copy that will be used in court prior to testifying so that he/she can validate the document. Then in court, Crown or Defense could ask "You had a chance to validate the electronic version of your report and examination notes prior and are confident that it was authentic and original?" - Expert: "Yes, I did validate the electronic version as being authentic and assume that the report and notes I am viewing today in court are the same as what was provided to me prior".

The above reply has focused on validating documents in court. The reality is that few criminal or civil cases result in actual court proceedings. The ACME consulting idea is more geared towards validation of documents prior to court proceedings when the ‘expert’ is not involved.

In particular, the phase where a report is sent to a client (or his lawyer) and the information is shared among those involved in the case to see if it can be settled without going to court. In my opinion, it is this phase where a document has a higher chance of being modified or changed. Being able to validate a document as being authentic during this phase would be essential on both sides before they settle out of court. Being able to drag/drop an electronic document and quickly validate that it is authentic and issued by ACME consulting would provide this assurance.  

Re: Forged Digital Forensics Report

Post Posted: Aug 08, 17 18:57

- Merriora
For printed documents, the only way I see this working is to OCR each page and then do a comparison to an original Digitally Signed electronic version. I have limited knowledge of OCR technology, but I would assume that it would be nearly impossible to design a system that is 100% accurate (i.e., give you a Valid or Invalid status on printed documents).

OCR has problems: curly quotes tend to become straight quotes, em dashes may become en dashes (or vice versa), and in bad cases something like 'rn' may be translated as 'm', or 'li' may become 'h'. Spacing (which is equally important) is rarely well handled: depending on the software, you may find one space become two, and minimal empty space inserted at the end of words. Good OCR tends to require fairly extensive training.

It seems that 'these documents are the same' (where both documents are scanned) should mean something like 'every page contains exactly the same black marks in exactly the same places.' Any discrepancy needs to be investigated.

However, for that OCR would be overkill: scan the images 'soft' (greyscale), do any necessary transformation to place a page from document A on top of the corresponding page from document B, and subtract. Ideally, this should produce a blank page. In practice, the result from two identical pages leaves 'flyspecks'. Where there is a difference in contents, ... 'birdspecks' is perhaps a more appropriate description. Those need to be investigated.

However ... that ties 'sameness' to graphical form. And that may not be the right thing. To allow more flexibility, some kind of segmentation of the scanned page, similar to what many OCR programs do, may be desirable.

If a printed document should be compared to an electronic document, ... well, it's a bit of a detour to print the electronic document in order to scan it,  
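The overlay-and-subtract comparison described in the post above, as an added example that is not part of the thread: it re-aligns the second scan by a small translation search, subtracts, and then keeps only difference blobs big enough to be more than a scanner flyspeck. The page arrays, the threshold and the `min_pixels` cut-off are assumptions for illustration.

```python
# Added example (not from the thread): overlay two scanned pages, subtract them,
# and separate isolated "flyspecks" from blobs large enough to be a real change.
# Pages are 2-D lists of grey levels (0 = black, 255 = white); samples are constructed.
from collections import deque

def diff_mask(page_a, page_b, threshold=40):
    """1 where the pages differ by more than `threshold` grey levels."""
    return [[int(abs(a - b) > threshold) for a, b in zip(ra, rb)]
            for ra, rb in zip(page_a, page_b)]

def shift(page, dy, dx, fill=255):
    """Translate a page by (dy, dx), padding the exposed edge with white."""
    h, w = len(page), len(page[0])
    return [[page[y - dy][x - dx] if 0 <= y - dy < h and 0 <= x - dx < w else fill
             for x in range(w)] for y in range(h)]

def align(page_a, page_b, window=2):
    """Brute-force translation search: the shift of page_b that best overlays page_a."""
    candidates = (shift(page_b, dy, dx) for dy in range(-window, window + 1)
                  for dx in range(-window, window + 1))
    return min(candidates, key=lambda c: sum(map(sum, diff_mask(page_a, c))))

def blobs(mask):
    """Flood-fill touching differing pixels (8-connectivity); one sorted pixel list per blob."""
    todo = {(y, x) for y, row in enumerate(mask) for x, v in enumerate(row) if v}
    found = []
    while todo:
        queue, pts = deque([todo.pop()]), []
        while queue:
            y, x = queue.popleft()
            pts.append((y, x))
            for n in [(y + a, x + b) for a in (-1, 0, 1) for b in (-1, 0, 1)]:
                if n in todo:
                    todo.remove(n)
                    queue.append(n)
        found.append(sorted(pts))
    return found

def suspicious_regions(page_a, page_b, min_pixels=4):
    """Blobs below min_pixels are flyspecks; return the rest as (pixel count, bounding box)."""
    mask = diff_mask(page_a, align(page_a, page_b))
    return [(len(b), (b[0][0], min(x for _, x in b), b[-1][0], max(x for _, x in b)))
            for b in blobs(mask) if len(b) >= min_pixels]

def make_page(marks, width=12, height=8):
    """Constructed sample page: white background with black pixels at `marks`."""
    return [[0 if (y, x) in marks else 255 for x in range(width)] for y in range(height)]
STROKE = {(2, x) for x in range(3, 8)}                                  # original content
ORIGINAL = make_page(STROKE)
ALTERED = make_page(STROKE | {(6, 1)} | {(5, x) for x in range(6, 11)})  # speck + added mark
```

Running `suspicious_regions(ORIGINAL, ALTERED)` reports only the added five-pixel mark with its bounding box; the single-pixel speck is dropped, and a copy that was scanned one pixel off is first pulled back into register by `align`.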

