It’s the little things

Posted on June 8, 2011. Filed under: forensic

A while back I was asked to help out with a fraud case. The investigators had done a pretty decent job of extracting relevant information, but a critical aspect of the case hinged on the dates when a couple of letters were written. We had some issues around the way a disc image had been captured, which meant that everything except the “last modified” date was considered unreliable.

These letters had been written in Word, and the timestamps in the filesystem were about 2 years AFTER the dates in the text of the documents. The metadata in the documents agreed with the filesystem.

The defence experts, quite rightly, put forward the suggestion that the computer used to create the documents could have had an inaccurate clock, possibly even set to a future date. Unlikely, in my opinion, but possible, and probably enough to create “reasonable doubt” if the evidence came to court.

However, as we explored the issue further and got deeper and deeper into the niceties of Windows XP clock synchronisation using NTP when connected to the Internet, something in my subconscious prodded me.

Just out of curiosity, I ran the GNU “strings” program against one of the documents and out popped a couple of JPEG JFIF headers. So I carved out the two JPEGs and checked the EXIF data. Both contained dates which matched the filesystem (hardly surprising, and not much help countering the “clock was wrong” argument), but they also contained a signature from the program used to produce them. It was a version of Photoshop which wasn’t produced until at least 18 months after the dates in the letter text.
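As an added example (not code from the post), here is the same carve-and-check pass in Python: find embedded JPEGs by their SOI/EOI markers, then read the Software (0x0131) and DateTime (0x0132) tags out of the EXIF IFD0. The document bytes, the editor name and the timestamp are constructed stand-ins, not values from the case.

```python
import struct

# EXIF/TIFF tag ids for the two fields the post relied on: producing software and DateTime
TAG_SOFTWARE, TAG_DATETIME = 0x0131, 0x0132

def carve_jpegs(blob):
    """Return every slice of blob that starts at a JPEG SOI marker and ends at the next EOI."""
    out, pos = [], 0
    while (start := blob.find(b"\xff\xd8\xff", pos)) != -1:
        end = blob.find(b"\xff\xd9", start + 3)
        if end == -1:
            break
        out.append(blob[start:end + 2])
        pos = end + 2
    return out

def parse_exif(jpeg):
    """Walk the JPEG segments to APP1/Exif and read Software and DateTime out of IFD0."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, length = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            tiff = seg[6:]
            endian = "<" if tiff[:2] == b"II" else ">"      # byte order from the TIFF header
            ifd = struct.unpack(endian + "I", tiff[4:8])[0]  # offset of IFD0
            count, found = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0], {}
            for i in range(count):
                entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
                tag, typ, n, off = struct.unpack(endian + "HHII", entry)
                if tag in (TAG_SOFTWARE, TAG_DATETIME) and typ == 2:  # type 2 = ASCII
                    raw = tiff[off:off + n] if n > 4 else entry[8:8 + n]  # short values live inline
                    found["Software" if tag == TAG_SOFTWARE else "DateTime"] = raw.rstrip(b"\x00").decode("ascii")
            return found
        pos += 2 + length
    return {}

def build_sample_doc(software, datetime):
    """Constructed stand-in for the Word file: filler bytes around one JPEG whose IFD0 holds both tags.
    Values must be longer than 4 bytes because this builder always stores them out of line."""
    sw, dt = software.encode() + b"\x00", datetime.encode() + b"\x00"
    data_off = 8 + 2 + 2 * 12 + 4  # TIFF header, entry count, two entries, next-IFD pointer
    entries = struct.pack("<HHII", TAG_SOFTWARE, 2, len(sw), data_off)
    entries += struct.pack("<HHII", TAG_DATETIME, 2, len(dt), data_off + len(sw))
    tiff = b"II*\x00" + struct.pack("<IH", 8, 2) + entries + b"\x00\x00\x00\x00" + sw + dt
    app1 = b"Exif\x00\x00" + tiff
    jpeg = b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
    return b"Dear Sir, ... (constructed letter body) ..." + jpeg + b"... trailing OLE structures ..."
```

The Software string is the piece that cannot be faked by a wrong clock: compare it against the product's release history, as the post does.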

Either the suspect had been indulging in time travel, or the letters as printed must have been created some time after the date he claimed.

Sometimes, we forget that there’s more to timeline analysis than just the clock data. Knowing when a piece of software or a file first appeared can be very helpful too.

http://www.n-gate.net/


2 Responses to “It’s the little things”


It is (or should be?) a “must be” practice that, in the case of time considerations, one has to try to find at minimum two different and (if possible) independent sources of timing information. Once you have only the system time from the analysed computer, the time consideration is grounded “on the water”. (Good input to “best practices” ;))

I would tend to agree, Marian. Unfortunately, in this case I was called in about 4 years after the initial seizure was mishandled so I had to devise ways of corroborating times. Luckily, the granularity required was fairly large (i.e. we could talk in terms of months rather than seconds).

    About

    This is the weblog of Angus M. Marshall, forensic scientist, author of Digital Forensics : digital evidence in criminal investigations and MD at n-gate ltd.