Forged Digital Forensics Report

  

ArsenalConsulting
Member
 

Re: Forged Digital Forensics Report

Posted: Aug 02, 17 17:49

- ArsenalConsulting

Currently traveling and will respond to this thread in more detail later, but you may find these two slides (particularly the second slide) interesting... I may do a couple more slides like this to demonstrate the compressed XML issue as well:

twitter.com/ArsenalArm...3110713345


If anyone would like to see the compressed XML issue refined down to two slides, here it is:

twitter.com/ArsenalArm...2561500160

Mark  
 
  

ArsenalConsulting
Member
 

Re: Forged Digital Forensics Report

Posted: Aug 02, 17 18:15

- finbarr
I had a tribunal case about five years ago, where the client took my report and edited it to indicate a more favourable outcome.

I was unaware that this had happened until I was being cross-examined. After a bit of back and forth about the wording of the report they had versus the original I had with me we got to the bottom of what occurred.


That's amazing... especially if the client knew there was a possibility of the "updated" report ending up in public proceedings and under your scrutiny.

Did the analysis stop at comparison of the two versions, or was a forensic image obtained from the computer used to update the report? I'm interested in any other details you can share. Your experience provides all the incentive necessary to digitally sign PDFs. Well, with the requisite education for clients about the digital signatures as well. Wink

Mark  
 
  

jaclaz
Senior Member
 

Re: Forged Digital Forensics Report

Posted: Aug 02, 17 21:20

- ArsenalConsulting
Your experience provides all the incentive necessary to digitally sign PDFs. Well, with the requisite education for clients about the digital signatures as well. Wink

As a side note, and JFYI, this is a niche where just a few days ago a new program/service has been announced:
www.forensicfocus.com/...c/t=15491/
trewmte.blogspot.it/20...neous.html

which adds to the digital signature also a "certified timestamp".

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

Merriora
Member
 

Re: Forged Digital Forensics Report

Posted: Aug 07, 17 00:39

I believe that being able to validate electronic notes and documents will be essential as we move towards presenting electronic files in court. In my opinion, once it is printed, it is hard, if not impossible, to see alterations to the documents unless you are specifically looking for issues like this.

I am always surprised to see a report that I created with hundreds or even thousands of pages of ‘internet history’ and ‘messages’ being presented as a printed document in court and then being questioned on that document.

To quote jaclaz
In theory there is no difference between theory and practice, but in practice there is.


In theory, my reports should not be hundreds of pages and I should have a clear understanding of what information I will be questioned on in court as the expert, but in practice time constraints often lead to rushed court cases with unforeseen questions coming from both crown and defense due to lack of communication prior to trial.

Since my report is presented to me months or potentially years after it was created, I must assume that the printed document in court presented to me is un-altered.

A change may be obvious if a conclusion has been altered, but much harder to detect if words may have been added or removed to a message (accidentally or on purpose) and I am simply questioned on a few records that defense will later use to show his client’s innocence.

The ability to validate electronic files as being un-altered is the main purpose of my application which allows you to digitally sign notes, notebooks and associated electronic files. The digital signature also includes a certified timestamp from an independent timestamping authority to further validate the file. This way you can ensure that the document has not changed.

For technical people, it is easy enough to check the validity of a Digital Signature in Adobe, but as athulin points out
…[the] reader would need to know that absence of a signature should be a red flag


Therefore, I believe the presence of a digital signature needs to be clearly displayed on your potential document. I think it also needs to be clear on your site that no documents will be released without this signature being present and the lack of a signature is a sign that the document is not valid and authentic.

The client must understand what signatures are valid and if they are passing the report on to another person as in the case of Finbarr, what stops that client from editing the document and re-signing with their own Digital Signature?

Would Crown have recognized that the valid signature is not the signature of the expert consultant?

It appears that Finbarr has found a good solution in only dealing with Crown but could there be a better way?

I put this question out to the community as a sincere question as we currently don’t do this within our application, but this could be added if it would add value and potentially solve this issue.

We currently allow Drag/Drop Validation (or by HASH). What if this also showed the Consultant’s Information to show that it’s timestamped by that particular consultant?

So not only is the file validated, but it also shows to be created by ACME Consulting?

Could this be a possible solution to this issue?

Example Image of Validation idea at: www.forensicnotes.com/...validation  
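The re-signing question raised in the post above, as an added example (not code from the application discussed or from any poster): a validator that checks the file hash and the signature, and separately checks that the signer is the expected consultant. HMAC stands in for a public-key signature so the block runs on the Python standard library; `KEYS`, `sign`, `validate`, the signer names and the report text are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC is a stand-in for a certificate-based signature;
# a real deployment would verify a public-key signature and pin the certificate.
KEYS = {"ACME Consulting": b"acme-demo-key", "Client Ltd": b"client-demo-key"}


def _payload(record):
    """Canonical bytes of the signed fields (hash, signer, timestamp)."""
    body = {k: record[k] for k in ("sha256", "signer", "timestamp")}
    return json.dumps(body, sort_keys=True).encode()


def sign(data, signer, timestamp):
    """Create a validation record binding file hash, signer and timestamp."""
    record = {"sha256": hashlib.sha256(data).hexdigest(),
              "signer": signer, "timestamp": timestamp}
    record["tag"] = hmac.new(KEYS[signer], _payload(record),
                             hashlib.sha256).hexdigest()
    return record


def validate(data, record, expected_signer=None):
    """Return 'VALID' or the reason the file must not be relied on."""
    if record is None:
        return "UNSIGNED"  # a missing signature is itself a red flag
    key = KEYS.get(record["signer"])
    if key is None:
        return "BAD_SIGNATURE"
    good = hmac.new(key, _payload(record), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good, record["tag"]):
        return "BAD_SIGNATURE"
    if hashlib.sha256(data).hexdigest() != record["sha256"]:
        return "ALTERED"
    # The step a "signature is valid" banner alone does not cover:
    if expected_signer is not None and record["signer"] != expected_signer:
        return "WRONG_SIGNER:" + record["signer"]
    return "VALID"


# Constructed sample: the expert's report, and a copy edited and re-signed.
original = b"Conclusion: the file was accessed on 2017-03-01."
edited = b"Conclusion: the file was accessed on 2017-03-09."
expert_record = sign(original, "ACME Consulting", "2017-08-01T10:00:00Z")
client_record = sign(edited, "Client Ltd", "2017-08-05T09:00:00Z")
```

Calling `validate(edited, client_record)` without an expected signer accepts the re-signed copy, which is why the validation result needs to show who signed.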
 
  

jaclaz
Senior Member
 

Re: Forged Digital Forensics Report

Posted: Aug 07, 17 01:43

- Merriora

Could this be a possible solution to this issue?

Example Image of Validation idea at: www.forensicnotes.com/...validation


I am not sure I understand how it could work (actually I am pretty sure I don't understand it).
You are on the witness stand and given a (to simplify) 100 page printed document.

How can you determine if - say - on one page a file access date has been changed? Confused

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

Merriora
Member
 

Re: Forged Digital Forensics Report

Posted: Aug 07, 17 01:58

You are on the witness stand and given a (to simplify) 100 page printed document.

How can you determine if - say - on one page a file access date has been changed? Confused


Sorry, I'm not referring to this being an idea to solve the issue with printed documents, but rather electronic documents.

(another question for another thread... How many courts actually allow electronic documents currently and how many are moving towards this in the future?)

In my opinion, once it is printed, it is hard, if not impossible, to see alterations to the documents unless you are specifically looking for issues like this.


For printed documents, the only way I see this working is to OCR each page and then do a comparison to an original Digitally Signed electronic version. I have limited knowledge of OCR technology, but I would assume that it would be nearly impossible to design a system that is 100% accurate (i.e., give you a Valid or Invalid status on printed documents). The best would be to highlight potential issues/changes especially when dealing with images within reports. At least if the potential changes are highlighted by doing a comparison (OCR printed documents Vs. Electronic version), then you can quickly check those areas of the printed reports to see if changes exist or if it was simply an issue with the OCR for that section of the report.

But still, the key would be to have an original Digitally Signed and Timestamped version to compare against.  
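The comparison described in the post above, as an added example (not code from any poster or product): the text of the signed original is diffed page by page against OCR output of the printed copy, and every differing region is flagged for manual review. The function names and both sample documents are constructed for illustration; the OCR step itself is assumed to have already produced text.

```python
import difflib
import re


def normalise(text):
    """Collapse whitespace and case so layout changes are not flagged."""
    return re.sub(r"\s+", " ", text).strip().lower().split(" ")


def flag_differences(signed_pages, ocr_pages):
    """Return (page_no, signed_words, ocr_words) for each differing region."""
    flags = []
    for page_no, (signed, ocr) in enumerate(zip(signed_pages, ocr_pages), 1):
        a, b = normalise(signed), normalise(ocr)
        matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
        for op, i1, i2, j1, j2 in matcher.get_opcodes():
            if op != "equal":
                flags.append((page_no, " ".join(a[i1:i2]), " ".join(b[j1:j2])))
    if len(signed_pages) != len(ocr_pages):
        # A missing or extra page is reported as page 0.
        flags.append((0, f"{len(signed_pages)} pages", f"{len(ocr_pages)} pages"))
    return flags


# Constructed sample. SIGNED is text taken from the digitally signed original;
# OCR is the scan of the printed copy. Page 1 contains an OCR misread
# ("Consu1ting"), page 2 contains a changed access date.
SIGNED = ["Report prepared by ACME Consulting.\nExhibit 1: laptop hard disk.",
          "File secret.docx last accessed 2017-03-01 14:02:11."]
OCR = ["Report prepared by ACME Consu1ting.\nExhibit 1:  laptop hard disk.",
       "File secret.docx last accessed 2017-03-07 14:02:11."]

FLAGS = flag_differences(SIGNED, OCR)
```

Both entries in `FLAGS` look the same to the tool; only a person checking the flagged spots can tell the OCR misread from the altered date, so the output is a list of places to inspect rather than a Valid/Invalid verdict.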
 
  

jaclaz
Senior Member
 

Re: Forged Digital Forensics Report

Posted: Aug 07, 17 13:49

- Merriora

For printed documents, the only way I see this working is to OCR each page and then do a comparison to an original Digitally Signed electronic version.

So, when you are on the stand, the prosecutor (or the defense attorney) gives you a 100 page document asking you if you recognize it as yours and you say "OK, let me scan these 100 pages on my portable 100 Kg high speed feed automatic scanner, and let's OCR it, it will take only a few minutes. Where is a mains plug? Do you have an extension cord?".

- Merriora

I have limited knowledge of OCR technology, but I would assume that it would be nearly impossible to design a system that is 100% accurate

Right assumption. Smile

Now, back to the real world, what do you propose for electronic documents on the stand?
1) you bring your own tablet/laptop with you on the stand with your copy of the report
2) you bring your own tablet/laptop with you on the stand and the attorney gives you a USB stick on which the file is, you load it into the device, verify the digital signature and proceed in reading aloud the relevant part
3) you are given a Court issued device, let's say an el-cheapo e-book reader with your report pre-loaded and proceed to verification before reading
4) ....?

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
