Forensic Blogs

An aggregator for digital forensics blogs

by

The Single Piece of Evidence (SPoE) Myth

The Single Piece of Evidence (SPoE) Myth

Often a crime-drama television show will have a “single piece of evidence”, which explains the entire crime, and is used to get a guilty conviction. In real life very rarely does this situation arise. Instead typical investigations will uncover many pieces of evidence that are used during trial. Some of the evidence found during an investigation will be more persuasive to a jury, some will be less persuasive. However, it’s uncommon (and perhaps foolish) for a prosecutor to proceed to court with a single piece of evidence. What is somewhat more common, is for a prosecutor to proceed to court with multiple pieces of evidence, with perhaps one or two that are likely to be very persuasive.

One topic where the SPoE myth is often used is anti-forensics. Simply, anti-forensics is anything that a suspect does to hinder a forensic examination. Many of the sources of information that are used during an investigation (e.g. file system time stamps) can be easily modified. When a new anti-forensic technique has been discovered, there is sometimes a tendency to see the technique as a “silver bullet” which can halt an entire investigation.

The truth is, a single action (e.g. logging in, compiling a program, reading email, etc.) can impact many different aspects of the operating system, especially on a Windows system. Compromising the integrity of a “single piece of evidence” (e.g. the last accessed file system time stamp) is rarely fatal. This is because there are typically a number of places to look to find evidence to support (or deny) some theory.  Removing one piece of evidence may make an argument weaker (or stronger), but rarely does it invalidate the entire argument.

Post to Twitter Post to Delicious Post to Digg Post to Facebook Post to Reddit Post to StumbleUpon

by

Sometimes the answers are enough, sometimes they’re not

When you watch someone who is new to investigations work a case, one thing that often needs to be explained is the idea that the “smoking gun”, by itself, often isn’t enough. What do I mean by this? Well, Not only am I interested in what you found (which is important in it’s own right) but also by how you found it.

Take for example, a case where relevant evidence is found in unallocated space. Perhaps the suspect deleted a file that contained relevant evidence. Assume that file system metadata information, that kept track of which clusters (or blocks for EXT2/3) were assigned to the file, and in which order, was over written. This means that you’ll have to use a data searching technique (e.g. signature finding, guess and check, etc.) to locate the relevant information. There are a number of different techniques that could be used to arrive at your conclusions. The path you took, may very well come under scrutiny, to verify the soundness of your logic. In this scenario, not only is the “smoking gun” evidence important, but how you found the evidence (and knew how to “properly” interpret it) is also important.

There are times however, when simply “finding the answer” is good enough. One example that came up today was about passwords for encrypted files. Assume you’re conducting an examination of a system, and come across an encrypted file. For whatever reason, the suspect is unavailable. Now assume that you have an image of physical memory, (i.e. RAM) and are able to use a tool such as the Volatility Framework or Memparser to analyze the image. During your analysis you find what you believe to be the password to the encrypted file. You can test your hypothesis by simply attempting to decrypt the file. If you are correct, the file will decrypt properly. In this case, the fact that the password worked, would likely be good enough. You would still need to properly document your actions, however they would likely be less important than the outcome.

Post to Twitter Post to Delicious Post to Digg Post to Facebook Post to Reddit Post to StumbleUpon

by

The admissibility vs. weight of digital evidence

There is always a lot of conversation about when digital evidence is and is not admissible. Questions like “are proxy logs admissible?” and “what tools generate admissible evidence?” are focused on the concept of evidence admissibility. Some of the responses to these questions are correct, and some not really correct. I think the underlying issues (at least from what I’ve observed) with the incorrect answers stems from a confusion of two similar yet distinct legal concepts: evidence admissibility and the weight of evidence.

Caveats and Disclaimers

Before we begin this discussion, I want you to be aware of the following items:

I am not a lawyer This is not legal advice Always consult with your legal counsel for legal advice The legal concepts discussed in this blog post are specific to the United States. Other jurisdictions are likely to have similar concepts. Every court case (civil, criminal and otherwise) is decided on a case-by-case basis. This means what is true for one case may not be true for another.

Essentially, evidence admissibility refers to the requirements for evidence to be entered into a court case. The weight of evidence however refers to how likely the evidence is to persuade a person (e.g. judge or jury) towards (or against) a given theory.

In the legal system, before evidence can be presented for persuasive use, it must be admitted by the court. If one side or the other raises an objection to the evidence being admitted, a judge will typically listen to arguments from both sides, and come to a decision about whether or not to admit the evidence. The judge will likely consider things like admissibility requirements (listed below), prejudicial effects, etc.

When it comes to court (and I’m going to focus on criminal court) the rules for what is and what is not admissible vary. There are however three common elements:

Authenticity Relevancy Reliability

Briefly, authenticity refers to whether or not the evidence is authentic, or “is what it is purported to be.” For example, is the hard drive being entered into evidence as the “suspect drive” actually the drive that was seized from the suspect system? Relevancy refers to whether or not the evidence relates to some issue at hand. Finally, reliability refers to whether or not the evidence meets some “minimum standard of trustworthiness”. Reliability is where concepts such as Daubert/Frye, repeatable and consistent methodology, etc. are used. The oft quoted “beyond a reasonable doubt” is used as a bar for determining guilt or innocence, not evidence admissibility.

These requirements apply equally well to all types of evidence, including digital evidence. In fact, there are no extra “hoops” that digital evidence has to cross through for admissibility purposes. You’ll also notice things like chain of custody, MD5 hashes, etc. aren’t on the list. For a simple reason, they aren’t strict legal requirements for evidence admissibility purposes. Devices such as a chain of custody, MD5 hashes, etc. are common examples of how to help meet various admissibility requirements, or how to help strengthen the weight of the evidence, but in and of themselves are not strictly required by legal statute.

There are “myths” surrounding evidence admissibility that are common to digital forensics. I’ll focus on the two most common (that I’ve seen):

Digital evidence is easy to modify and can’t be used in court Only certain types of tools generate admissible evidence

The first myth focuses around the idea that digital evidence is often easy to modify (either accidentally or intentionally.) This really focuses on the reliability requirement of evidence admissibility. The short answer is that digital evidence is admissible. In fact, unless there is specific support to a claim of alteration (e.g. discrepancies in a log file) the opposing side can not even raise this possibility (at least for admissibility purposes.) Even if there are discrepancies, the evidence is likely to still be admitted, with the discrepancies going towards the weight of the evidence rather than admissibility. The exception to this might be if the discrepancies/alterations were so egregious as to undermine a “minimum standard of trustworthiness.”

The second myth is commonly found in the form of the question “What tools are accepted by the courts?” I think a fair number of people really mean “What tools generate results that are admissible in court?” Realize that in this case, “results” would be considered evidence. This scenario is somewhat analogous to a criminalist photographing a physical crime scene and asking the question “What cameras are accepted by the courts?” As long as the camera records an accurate representation of the subject of the photograph, the results should be admissible. This would be some “minimum standard of trustworthiness”. To contrast this to weight, realize that different cameras record photographs differently. A 3 megapixel camera will have different results than a 1 megapixel camera. An attorney could argue about issues surrounding resolution, different algorithms, etc. but this would all go to the weight (persuasive factor) of the evidence, not the admissibility.

Hopefully this clarifies some of the confusion surrounding evidence admissibility. I’d love to hear other people’s comments and thoughts about this, including any additional questions.

Post to Twitter Post to Delicious Post to Digg Post to Facebook Post to Reddit Post to StumbleUpon