Archive for July, 2011

Nothing else of significance…

Posted on July 31, 2011. Filed under: forensic

This week I was approached to quote for a defence case. Helpfully, the solicitor sent me a copy of the prosecution statement so I could prepare a realistic quote. Unfortunately, for the “other side”, I’ve spent most of the week working on a couple of proposals for new ISO standards – including something on the content of reports for various purposes – so was particularly sensitive to language issues.

As soon as I saw the source of the statement, I knew I was going to find a phrase that troubles me – and there it was, near the end: “Nothing else of significance was found”.

The report details the material upon which the case is based, but gives little in the way of context or other material found. It builds the case for the prosecution solicitor nicely, but doesn’t allow anyone else to form an opinion about the significance of the material because it doesn’t actually give any detail of anything except the “significant” material as determined by the report’s writer.

It’s a format and form of words that I’ve seen several times over the years, and every time I see it, it sounds an alarm.

I’ve always been told that my responsibility as an “expert witness” is to the court (or whoever is going to make a final judgment based on all the reports submitted), and is to state the facts and my interpretation as best I can based on the information available to me. If I find evidence of guilt, I should state it; if I find evidence of innocence, I should state that. I also believe that I should try to make as much information as possible available so that a proper judgment can be made.

To this end, I don’t just list things of “significance” but I try to give an indication of the context in terms which a non-practitioner can understand.

For example, if an email relates directly to the case, I don’t just list that email. I give the total number of emails found and the number found which involve the same people in the “significant” one. If illegal images are found, I try to determine how they have been downloaded, whether they’ve been deliberately saved or just cached, and whether there’s a pattern of searching or browsing that relates to them.

I try never to build a case directly myself but I will, quite happily, poke holes in someone else’s case – especially if they are concealing, deliberately or accidentally, useful information behind statements like “nothing else of significance was found”.

In my book, saying something like that is almost tantamount to dissembling. A digital evidence examiner rarely has the full facts and circumstances of the case available. A prosecution examiner or first responder will have no idea of possible defences or excuses. Limiting the report to the most damning evidence doesn’t help anyone.

Well – it doesn’t help anyone except the “other side”. A good independent examiner will read that sort of report and realise that there’s a lot more work they could do, and SHOULD do, to determine if a proper rebuttal can be produced – and that means more time and bigger fees. I’m not a fan of the use of Bayesian ratios in reports because I know how few people really understand them, but I know why some forensic disciplines use them – they force the reporting scientist to think about the evidence and alternative explanations, resulting in a closer examination of “insignificant” material at times.

At a time when pressure is on to reduce spending on legal aid, perhaps it’s time someone looked more closely at standard reports coming from both sides to see if they are really fit for purpose? The better those reports are, the less work needs to be done performing re-examination, re-analysis and re-interpretation.

n-gate ltd.


Power & Pageantry

Posted on July 18, 2011. Filed under: motoring

Those who know me, know that I have interests apart from things “forensic” in nature – the main one being classic Lotus cars. I’m not going to kick off yet another debate about the direction that Group Lotus, under Proton, are trying to move in, nor am I going to talk about the problems between the new Team Lotus, Group Lotus and Classic Team Lotus.

Instead, something more positive.

I’m fortunate enough to run a 1990 Lotus Excel as my every day car (yes, it can be done, no it doesn’t stand for “Lots of Trouble, Usually Serious”, and yes it is damn good fun). Allied to that, I’m very involved with LotusExcel.net which has become the meeting place for the unofficial and disorganised owners’ club (we also cater to the earlier wedge Elites & Eclats).

As a club, we were invited to join other clubs at the Cholmondeley Pageant of Power over the weekend of 15th to 17th July. It rained. It rained a LOT. We got wet. We got muddy. We had a bloody good time standing in a field watching very expensive machines trying to avoid contact with hay bales on a slippery tarmac surface.

CPOP is described as “The Goodwood of the North”, but it’s far more than that. The Goodwood Festival of Speed has become an event for money & celebrities. Huge sections of it are closed to the public and even the press.

CPOP still doesn’t take itself that seriously and is all the better for it. It’s possible to get close to everything, including unrestricted access to the paddock where you can see the cars up close, talk to the drivers and mechanics and generally do things that are no longer possible anywhere else in motorsport.

Yes, there are some wrinkles still to be ironed out, but on the whole this event needs to carry on so that everyone can get closer to the action and relive the glory days of motorsport while learning a bit more heritage, history and technology.

Of course, the main thing they need to change for next year is to let the clubs onto the track at some point. Even a couple of parade laps would be nice – we promise not to do anything too silly. Honest!


Valid conclusions?

Posted on July 12, 2011. Filed under: forensic

WARNING: Initial thoughts on a recent situation ahead – incomplete – more to follow, eventually!

Recently, the Casey Anthony trial in the USA has been a source of discussion in many fora, but most recently a bit of a “spat” seems to be in danger of breaking out between the developers of two of the tools used to analyse the web history.

Leaving aside the case itself, let’s start by looking at what the two developers have to say about the issue that came up during cross-examination:

http://blog.digital-detective.co.uk/2011/07/digital-evidence-discrepancies-casey.html

http://www.cacheback.ca/news/news_release-20110711-1.asp

No preference is implied by the ordering of those links, by the way, it’s just the order in which I became aware of them. I don’t use either tool – I have my own methods for doing these things when necessary.

Two issues arise from these two posts, for me:

i) Both developers admit that there were possible problems with their tools which may have resulted in incorrect results and no-one was aware of this until the two tools were run side by side

ii) Neither tool seems to have been validated for the case in question. I’m sure they were verified (i.e. checked for conformance to design/specification) but I’m not convinced that they were tested against the requirements for the case.

Here comes the repetitive bit : as far as I’m concerned under the requirements of current and proposed ISO standards, neither tool could be considered reliable. There is no clear documentation about errors nor is there evidence that either has been subjected to a proper structured validation process. Dual-tooling is not validation. It merely compares two implementations of methods designed to solve the same problem as the developers understand things. At no point does anyone check that the results are correct, just how similar they are. Two implementations of the same wrong algorithm are more likely than not to come up with the same wrong results.

This is typical of the issues we will see more and more of in the digital forensics world – we depend too much on third-party tools which use algorithms developed through reverse engineering and have not been completely tested.

I’m not suggesting that every tool needs to be tested in every possible configuration on every possible evidence source – that’s plainly impossible – but we do need to get to a position where properly structured validation is carried out, and records which document that validation – including areas which have NOT been tested – are maintained and made available.

An examiner should always be free to use new methods, tools & processes, but should be personally responsible for choosing them and justifying their use. Information about usage limits & limitations on testing are vital and any competent examiner should be able to carry out additional validation where it is needed.
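To make the “dual-tooling is not validation” point concrete, here is an added example (not code from the post or from either tool vendor) using a constructed history format: two made-up tools agree with each other on every record, yet a structured validation run against independently established reference answers shows both are wrong for one record, and the validation record also lists the areas that were not tested.

```python
"""Added example (not the page's or any vendor's code): dual-tooling versus
validation. The record format, both 'tools' and the reference answers are
constructed here purely to illustrate the argument."""
from typing import Callable, Dict, List

# Constructed records: "url|stored_visit_count|comma-separated visit timestamps".
# In this made-up format the stored count is authoritative; old timestamps may
# have been expired, so counting them undercounts visits for some records.
HISTORY = [
    "http://example.test/a|3|1309900000,1309900100,1309900200",
    "http://example.test/b|5|1309900300",
    "http://example.test/c|1|1309900400",
]

# Correct answers for the same records, established independently of both tools.
REFERENCE: Dict[str, int] = {
    "http://example.test/a": 3,
    "http://example.test/b": 5,
    "http://example.test/c": 1,
}

# Everything a full validation of a history parser would need to cover (constructed list).
ALL_AREAS = ["visit counting", "timestamp decoding", "deleted records"]


def tool_a(record: str) -> int:
    """Constructed tool A: counts the retained timestamps."""
    return len(record.split("|")[2].split(","))


def tool_b(record: str) -> int:
    """Constructed tool B: different code, same (wrong) understanding of the format."""
    return record.split("|")[2].count(",") + 1


def dual_tool_agreement(records: List[str]) -> bool:
    """Dual-tooling: reports only whether the tools agree, never whether either is right."""
    return all(tool_a(r) == tool_b(r) for r in records)


def validate(tool: Callable[[str], int], records: List[str],
             reference: Dict[str, int], tested_areas: List[str]) -> dict:
    """Structured validation: compare each result with the reference, and record
    both what was tested and what was not so the limits of the check are visible."""
    failures = [r.split("|")[0] for r in records if tool(r) != reference[r.split("|")[0]]]
    return {
        "passed": not failures,
        "failures": failures,
        "tested": list(tested_areas),
        "not_tested": [a for a in ALL_AREAS if a not in tested_areas],
    }
```

Both tools pass the dual-tool check; only the comparison against the reference exposes the shared error, and only the validation record says what remains unchecked.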

Let the flaming (of this post) begin…


P.S. – I’ve been doing a lot of work on models & systems for validation recently – they’re currently commercially confidential but if you’d like to discuss the issues more please do contact me via n-gate.net


Mobile phone hacking – a warning to all

Posted on July 7, 2011. Filed under: security

In the UK we are currently undergoing a media frenzy about “mobile phone hacking” – unauthorised access to voicemail. Firstly, the rant – IT’S NOT HACKING! (well technically it is – but it’s not some fancy complicated technical attack requiring specialist knowledge and equipment).

A lot of people are under the impression that mobile phone voicemail is only accessible from the mobile phone itself and some may even believe that messages are stored on the phone. In fact, messages are recorded at the mobile network providers’ data centres and played back over the network when the user dials in to pick them up. It isn’t even necessary to have access to the mobile phone itself to get access to someone’s voicemail account – dialling their number while the phone is off or busy on another call results in call diversion so a message can be left, and this is where the “hack” can start. By pressing the right key sequence during the “please leave a message” welcome message, anyone can get to the menu which allows voicemail to be played back. It’s a feature designed to let users listen to their messages from anywhere in the world, whether their phone is working or not, and is genuinely useful – but it creates a backdoor through which messages can be accessed.

Of course, a PIN is required to gain access to the mailbox but many people leave the default PIN on their account, and these are very well known – most are published on the network providers’ websites or are available in the manuals available with any phone or SIM from the provider. In other cases, PINs can be guessed in the same way as passwords by doing a little bit of background research to find out things like birthdays of relatives, friends or pets, other significant dates or registration numbers of cars. Other methods, like social engineering – where carefully crafted questions and behaviour are used to get the target to reveal their PIN or even just “shoulder surfing” (watching someone enter their PIN while they listen to their messages) can be very successful too.

However the PIN is obtained, once the attacker has it, they have full control of the voicemail system and can listen to and delete messages at will.

For some users this could lead to personal data being disclosed, while for businesses it could be used to discover sensitive material.

If you don’t need voicemail, turn it off. If you do need it – don’t use the default PIN, use a number which isn’t associated with anything that is obviously connected to you – and change it regularly. Avoid obvious PINs like 1111, 1234, 9999 and so on – treat it like the PIN for your bank card, it could have similar value to someone who wants to spy on you. The same rules also apply to the answering machine on your land line – most of them have remote access capabilities so anyone who dials your number could listen to your messages if they can guess the access code.
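As an added illustration of the PIN advice above (this is not code from the post), here is a small policy check that rejects the weak choices the post names: provider defaults, repeated or sequential digits, and PINs derived from dates or numbers connected to the user. The default-PIN set is a constructed placeholder, not any provider’s real list.

```python
"""Added example (not from the post): a voicemail PIN policy check built on the
advice above. KNOWN_DEFAULT_PINS is a constructed placeholder, not any
provider's real defaults."""
import re
from datetime import date
from typing import Iterable, List

# Placeholder for the published default PINs of the user's own provider.
KNOWN_DEFAULT_PINS = {"0000", "1234", "1111", "9999"}


def date_pins(d: date) -> set:
    """PINs someone could derive from a date connected to the user."""
    dd, mm = f"{d.day:02d}", f"{d.month:02d}"
    yy, yyyy = f"{d.year % 100:02d}", str(d.year)
    return {dd + mm, mm + dd, yyyy, dd + yy, mm + yy, dd + mm + yy, yy + mm + dd}


def is_sequence(pin: str) -> bool:
    """1234, 4321, 0123 and similar keypad runs."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def check_pin(pin: str, personal_dates: Iterable[str] = (),
              personal_numbers: Iterable[str] = ()) -> List[str]:
    """Return the reasons a PIN is weak; an empty list means it passes.
    personal_dates are ISO strings (YYYY-MM-DD) such as birthdays of family or pets;
    personal_numbers are things like car registrations or house numbers."""
    if not re.fullmatch(r"\d{4,8}", pin):
        return ["must be 4 to 8 digits"]
    reasons = []
    if pin in KNOWN_DEFAULT_PINS:
        reasons.append("provider default PIN")
    if len(set(pin)) == 1:
        reasons.append("repeated digit")
    if is_sequence(pin):
        reasons.append("sequential digits")
    if any(pin in date_pins(date.fromisoformat(s)) for s in personal_dates):
        reasons.append("derived from a date connected to you")
    for n in personal_numbers:
        digits = re.sub(r"\D", "", n)          # keep only the digits of the number
        if len(digits) >= 4 and pin in digits:
            reasons.append("derived from a number connected to you")
            break
    return reasons
```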

Get into the habit of checking your voicemail. If you regularly seem to be receiving messages without the network telling you that they’re waiting, it could be an indication that someone else is listening to them. Don’t store sensitive messages on the server for too long either. Delete them as soon as you can.

If you’re going to leave a message for someone – don’t disclose any sensitive material, or better yet send a text message. SMS is far more difficult to intercept without legal authority.

Of course, there is another way to access voicemail – but that does require some technical skill and access to the right equipment. It would be unprofessional of me to describe it here though. Suffice to say that OFCOM take an interest in anyone trying to offer the service commercially.

n-gate ltd.


About

This is the weblog of Angus M. Marshall, forensic scientist, author of Digital Forensics: digital evidence in criminal investigations and MD at n-gate ltd.
