
log file evidence

10 Posts
4 Users
0 Likes
635 Views
(@chrisfearns)
Posts: 11
Active Member
Topic starter
 

Am I correct in my assumption that there is considerable scope for covert tampering with the text content of a saved MSN Messenger conversation that took place between two people, in a situation where one, but not the other, of the two participants specifically saved the conversation locally to their hard drive?

 
Posted : 25/02/2006 1:01 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Chris,

I think that you're really over-thinking this whole thing. "…considerable scope for covert tampering"?

It sounds to me as if what you're really asking is that if someone saves an arbitrary text or HTML file, then modifies it at some point and saves it using the same filename, then can the original document be forensically recovered?

Barring any extraordinary conditions, I wouldn't think that you'd be able to recover the original file.

Harlan

 
Posted : 25/02/2006 1:39 am
(@chrisfearns)
Posts: 11
Active Member
Topic starter
 

thanks

 
Posted : 25/02/2006 4:54 am
(@gmarshall139)
Posts: 378
Reputable Member
 

If I understand you correctly you are supposing that one could open a file, alter it, save it in the same location, and wind up with a file whose created, accessed, and modified dates are all the same. Thus, the file appears to have never been changed.

All entirely possible under a variety of scenarios.

What I would look for if I suspected this:

1. The MSN chat log will have embedded dates and times. How do they compare with the file created time? (They should correspond closely with the time of the last chat entry.)

2. Check the MFT for another entry for a file with the same name. One way to accomplish what you describe would be to copy the file to another medium, delete the original file, alter the copy and then put it back in the same path. Merely altering and then clicking "save as" (with the same file name & path) would only update the modified and accessed dates. In this case a new MFT record would be created for the new file. The old one should still exist unless it is overwritten. It would also contain the time and date attributes of the original file.

3. Under the scenario described in #2 you would also expect to find the original file in unallocated space.

4. Again, under the scenario described in #2, and if the original was deleted through the recycle bin, you may find an INFO2 record which would show the date and time the original file was deleted.

This is only one scenario under which it could have been accomplished. There are other possibilities. I haven't looked at MSN in a while, but isn't a new chat log created with each session? If so, this simplifies your case a little since you wouldn't expect the file to be modified with each chat.

 
Posted : 25/02/2006 8:02 am
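Point 1 above (embedded chat timestamps should agree with the file's created time) can be turned into a mechanical check. The following is an added example, not code from the thread or from any of its posters: it assumes a simple bracketed-timestamp log format (constructed here, not the real MSN Messenger file layout) and takes the created/modified/accessed times as values the examiner has already pulled from the file system or from the relevant MFT record. Besides the created-vs-last-entry comparison it also flags the contradictions a clock change or a later edit tends to leave behind (modified or accessed earlier than created, modified long after the last message, embedded timestamps out of order).

```python
"""Consistency checks between a chat log's embedded timestamps and the
file-system times of the file holding it. Added example: the log format,
the check names and the sample values are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample log: one bracketed timestamp per message header line.
SAMPLE_LOG = """\
[25/02/2006 00:41:10] alice says:
hi, are you there?
[25/02/2006 00:41:32] bob says:
yes, what's up
[25/02/2006 00:55:07] alice says:
ok, talk tomorrow
"""

# Constructed sample with a message inserted out of chronological order.
TAMPERED_LOG = SAMPLE_LOG + "[25/02/2006 00:50:00] bob says:\nI never said that\n"

TS_FORMAT = "%d/%m/%Y %H:%M:%S"
TS_RE = re.compile(r"^\[(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\]")


@dataclass
class FileTimes:
    """Created / modified / accessed times as reported by the file system."""
    created: datetime
    modified: datetime
    accessed: datetime


def file_times(created, modified, accessed):
    """Build FileTimes from strings in the same dd/mm/yyyy format as the log."""
    return FileTimes(*(datetime.strptime(s, TS_FORMAT) for s in (created, modified, accessed)))


# Constructed file-system times for three situations.
CONSISTENT_TIMES = file_times("25/02/2006 00:55:30", "25/02/2006 00:55:30", "25/02/2006 00:56:00")
CLOCK_WOUND_BACK = file_times("25/02/2006 00:55:30", "24/02/2006 23:00:00", "24/02/2006 23:00:00")
EDITED_LATER = file_times("25/02/2006 00:55:30", "27/02/2006 10:00:00", "27/02/2006 10:00:00")


def chat_timestamps(log_text):
    """Return the embedded message timestamps in the order they appear."""
    stamps = []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if m:
            stamps.append(datetime.strptime(m.group(1), TS_FORMAT))
    return stamps


def check_log_times(log_text, times, tolerance=timedelta(minutes=5)):
    """Return a list of anomaly descriptions; empty when everything agrees."""
    findings = []
    stamps = chat_timestamps(log_text)
    if not stamps:
        return ["no embedded timestamps found"]
    last = max(stamps)

    # 1. Messages should be chronological; an inserted line often is not.
    if stamps != sorted(stamps):
        findings.append("embedded timestamps out of order")

    # 2. File-system times must not contradict each other.
    if times.modified < times.created:
        findings.append("modified precedes created")
    if times.accessed < times.created:
        findings.append("accessed precedes created")

    # 3. The created time should sit close to the last chat entry.
    if abs(times.created - last) > tolerance:
        findings.append("created time far from last chat entry")

    # 4. A modified time well after the last entry points to a later edit.
    if times.modified - last > tolerance:
        findings.append("modified well after last chat entry")

    return findings


if __name__ == "__main__":
    for label, times in (("consistent", CONSISTENT_TIMES),
                         ("clock wound back", CLOCK_WOUND_BACK),
                         ("edited later", EDITED_LATER)):
        print(label, check_log_times(SAMPLE_LOG, times))
    print("tampered log", check_log_times(TAMPERED_LOG, CONSISTENT_TIMES))
```

The tolerance is deliberately a parameter: how far the created time may legitimately drift from the last message depends on how the client writes the file, so it should be set from a known-good log on the same machine rather than guessed. None of these findings proves tampering on its own; they tell the examiner where to look next (the MFT and unallocated space, as in points 2 and 3 above).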
(@chrisfearns)
Posts: 11
Active Member
Topic starter
 

If you are editing some hours or even days after the original conversation, the simple act of temporarily changing the computer's time and date settings means that you can edit, and therefore purport, a file to have been last accessed and modified whenever you want it to appear, even to a date before the file was created if you wanted.

 
Posted : 25/02/2006 3:26 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

> any thoughts…..?

Sure. You can easily change the MAC times using open source tools, after you edit the file. The MS API for this is wide open and available, and you only need to have permissions to create and write to the file in order to do this. I've presented on this for the past several years. I have even used a demonstration with code written in Perl to do this.

Harlan

 
Posted : 25/02/2006 5:25 pm
(@chrisfearns)
Posts: 11
Active Member
Topic starter
 

thanks

 
Posted : 25/02/2006 6:25 pm
(@gmarshall139)
Posts: 378
Reputable Member
 

I don't think your points b, c, and d are valid at all.

You summed it up in b when you said "even though it hasn't been proven". I think the point of this thread is that it is very clearly possible to accomplish something as simple as altering a chat log. Does that mean it happened?

As for c, just asking a complainant to print something that supports their statements wouldn't taint the evidence in the least, after all they've been using the computer for some time. How is printing one more thing going to taint the evidence?

And to your point d, I have used evidence that was placed on a computer years before the computer was turned over for analysis. It's not very often that computers are seized at the moment the crime is committed. The courts understand this.

What it comes down to is whether the judge or jury finds the complainant credible. If not, then you won't have so much trouble selling them on your point b.

 
Posted : 25/02/2006 7:07 pm
(@chrisfearns)
Posts: 11
Active Member
Topic starter
 

thanks

 
Posted : 25/02/2006 9:29 pm
Andy
(@andy)
Posts: 357
Reputable Member
 

Section 69 is obsolete, it was repealed by Section 60 of the Youth Justice and Criminal Evidence Act 1999. Since 14 April 2000 (in the UK), the admissibility in evidence of computer records has been governed by common law.

My point was that if the police who attended the house printed it off personally then I was under the impression that this taints the evidence.

ACPO guidelines for digital evidence, principles 1 to 4, will answer this one, especially in respect of your points at c & d, which I agree are not valid. The length of time passed doesn't matter, and the officers may well have been perfectly justified in their actions in printing documents direct from this person's computer.

Can I ask - are you the suspect/accused or a legal representative or defence computer expert/examiner?

Andy

 
Posted : 26/02/2006 12:21 am