Excellent news

Posted on November 29, 2011. Filed under: All, Education, forensic

Yet again, other activities have kept me away from this blog for far too long. Personally, I think that’s probably a good thing. A mix of casework and research commissions means I can afford to eat properly again (and those who know me will know how important it is that I maintain my physique – particularly in the current high winds).

The major projects that are keeping me busy are on a new website: Forensic Excellence, where work on two of the three major elements of “forensic” quality systems is underway. The other bit of news is that I have an interview for funding of some work on the third element, and hope to be able to kick that work off towards the middle of next year.

Onwards and sideways!


Nothing else of significance…

Posted on July 31, 2011. Filed under: forensic

This week I was approached to quote for a defence case. Helpfully, the solicitor sent me a copy of the prosecution statement so I could prepare a realistic quote. Unfortunately, for the “other side”, I’ve spent most of the week working on a couple of proposals for new ISO standards – including something on content of reports for various purposes – so was particularly sensitive to language issues.

As soon as I saw the source of the statement, I knew I was going to find a phrase that troubles me – and there it was, near the end “Nothing else of significance was found”.

The report details the material upon which the case is based, but gives little in the way of context or other material found. It builds the case for the prosecution solicitor nicely, but doesn’t allow anyone else to form an opinion about the significance of the material because it doesn’t actually give any detail of anything except the “significant” material as determined by the report’s writer.

It’s a format and form of words that I’ve seen several times over the years, and every time I see it, it sounds an alarm.

I’ve always been told that my responsibility as an “expert witness” is to the court (or whoever is going to make a final judgment based on all the reports submitted), and is to state the facts and my interpretation as best I can based on the information available to me. If I find evidence of guilt, I should state it, if I find evidence of innocence, I should state that. I also believe that I should try to make as much information as possible available so that a proper judgment can be made.

To this end, I don’t just list things of “significance” but I try to give an indication of the context in terms which a non-practitioner can understand.

For example, if an email relates directly to the case, I don’t just list that email. I give the total number of emails found and the number found which involve the same people in the “significant” one. If illegal images are found, I try to determine how they have been downloaded, whether they’ve been deliberately saved or just cached, and whether there’s a pattern of searching or browsing that relates to them.
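One way to produce the kind of context the post describes, as an added example that is not part of the original post: given the set of emails examined, a flagged message and the mailbox owner, report totals rather than the single “significant” item. The email records below are constructed sample data; the `Email` class, `context_summary` function and the address names are assumptions for the illustration.

```python
"""Context summary for an email finding (added example, not from the post).

Instead of listing only the flagged message, report how many messages were
examined, how many involve the same correspondents, how many sit in the same
thread and the date range covered, so a reader can judge significance.
"""
from dataclasses import dataclass
from datetime import datetime
import re


@dataclass(frozen=True)
class Email:
    msg_id: str
    sender: str
    recipients: tuple
    sent: datetime
    subject: str


def _parties(e: Email) -> frozenset:
    """Every address on the message, normalised to lower case."""
    return frozenset({e.sender.lower(), *(r.lower() for r in e.recipients)})


def _thread_key(subject: str) -> str:
    """Strip Re:/Fw:/Fwd: prefixes so replies group with their original."""
    return re.sub(r"^\s*((re|fw|fwd)\s*:\s*)+", "", subject, flags=re.I).strip().lower()


def context_summary(emails, significant_id, mailbox_owner):
    """Counts a report reader needs to weigh one flagged message against the rest."""
    sig = next(e for e in emails if e.msg_id == significant_id)
    sig_parties = _parties(sig)
    # Correspondents other than the owner of the mailbox being examined; the
    # owner appears on nearly everything, so they would swamp the overlap count.
    others = sig_parties - {mailbox_owner.lower()}
    same = [e for e in emails if _parties(e) == sig_parties]
    overlap = [e for e in emails if _parties(e) & others]
    thread = [e for e in emails if _thread_key(e.subject) == _thread_key(sig.subject)]
    dates = sorted(e.sent for e in emails)
    return {
        "total_examined": len(emails),
        "same_correspondents": len(same),
        "sharing_any_correspondent": len(overlap),
        "same_thread": len(thread),
        "earliest": dates[0].date().isoformat(),
        "latest": dates[-1].date().isoformat(),
    }


# Constructed sample mailbox (not real data); alice is the mailbox owner.
SAMPLE_EMAILS = [
    Email("m1", "alice@example.test", ("bob@example.test",), datetime(2011, 3, 1, 9, 0), "Quarterly figures"),
    Email("m2", "bob@example.test", ("alice@example.test",), datetime(2011, 3, 2, 10, 30), "Re: Quarterly figures"),
    Email("m3", "alice@example.test", ("bob@example.test", "carol@example.test"), datetime(2011, 3, 5, 12, 0), "Lunch"),
    Email("m4", "dave@example.test", ("alice@example.test",), datetime(2011, 3, 10, 8, 0), "Newsletter"),
    Email("m5", "bob@example.test", ("alice@example.test",), datetime(2011, 4, 1, 16, 0), "Invoice"),
    Email("m6", "digest@example.test", ("alice@example.test",), datetime(2011, 4, 2, 7, 0), "Weekly digest"),
]


if __name__ == "__main__":
    # m2 is the message treated as "significant" in this constructed case.
    for key, value in context_summary(SAMPLE_EMAILS, "m2", "alice@example.test").items():
        print(f"{key}: {value}")
```

The numbers are what would go into the report alongside the flagged message: six messages examined, three between the same two people, two in the same thread, and the period covered. Whether that makes the message significant is then something the reader can judge.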

I try never to build a case directly myself but I will, quite happily, poke holes in someone else’s case – especially if they are concealing, deliberately or accidentally, useful information behind statements like “nothing else of significance was found”.

In my book, saying something like that is almost tantamount to dissembling. A digital evidence examiner rarely has the full facts and circumstances of the case available. A prosecution examiner or first responder will have no idea of possible defences or excuses. Limiting the report to the most damning evidence doesn’t help anyone.

Well – it doesn’t help anyone except the “other side”. A good independent examiner will read that sort of report and realise that there’s a lot more work they could do, and SHOULD do, to determine if a proper rebuttal can be produced – and that means more time and bigger fees. I’m not a fan of the use of Bayesian ratios in reports because I know how few people really understand them, but I know why some forensic disciplines use them – they force the reporting scientist to think about the evidence and alternative explanations, resulting in a closer examination of “insignificant” material at times.

At a time when pressure is on to reduce spending on legal aid, perhaps it’s time someone looked more closely at standard reports coming from both sides to see if they are really fit for purpose ? The better those reports are, the less work needs to be done performing re-examination, re-analysis and re-interpretation.

n-gate ltd.


Mobile phone hacking – a warning to all

Posted on July 7, 2011. Filed under: security

In the UK we are currently undergoing a media frenzy about “mobile phone hacking” – unauthorised access to voicemail. Firstly, the rant – IT’S NOT HACKING! (well technically it is – but it’s not some fancy complicated technical attack requiring specialist knowledge and equipment).

A lot of people are under the impression that mobile phone voicemail is only accessible from the mobile phone itself and some may even believe that messages are stored on the phone. In fact, messages are recorded at the mobile network providers’ data centres and played back over the network when the user dials in to pick them up. It isn’t even necessary to have access to the mobile phone itself to get access to someone’s voicemail account – dialling their number while the phone is off or busy on another call results in call diversion so a message can be left, and this is where the “hack” can start. By pressing the right key sequence during the “please leave a message” welcome message, anyone can get to the menu which allows voicemail to be played back. It’s a feature designed to let users listen to their messages from anywhere in the world, whether their phone is working or not, and is genuinely useful – but it creates a backdoor through which messages can be accessed.

Of course, a PIN is required to gain access to the mailbox but many people leave the default PIN on their account, and these are very well known – most are published on the network providers’ websites or are available in the manuals available with any phone or SIM from the provider. In other cases, PINs can be guessed in the same way as passwords by doing a little bit of background research to find out things like birthdays of relatives, friends or pets, other significant dates or registration numbers of cars. Other methods, like social engineering – where carefully crafted questions and behaviour are used to get the target to reveal their PIN or even just “shoulder surfing” (watching someone enter their PIN while they listen to their messages) can be very successful too.

However the PIN is obtained, once the attacker has it, they have full control of the voicemail system and can listen to and delete messages at will.

For some users this could lead to personal data being disclosed, while for businesses it could be used to discover sensitive material.

If you don’t need voicemail, turn it off. If you do need it – don’t use the default PIN, use a number which isn’t associated with anything that is obviously connected to you – and change it regularly. Avoid obvious PINs like 1111, 1234, 9999 and so on – treat it like the PIN for your bank card, it could have similar value to someone who wants to spy on you. The same rules also apply to the answering machine on your land line – most of them have remote access capabilities so anyone who dials your number could listen to your messages if they can guess the access code.

Get into the habit of checking your voicemail. If you regularly seem to be receiving messages without the network telling you that they’re waiting, it could be an indication that someone else is listening to them. Don’t store sensitive messages on the server for too long either. Delete them as soon as you can.

If you’re going to leave a message for someone – don’t disclose any sensitive material, or better yet send a text message. SMS is far more difficult to intercept without legal authority.

Of course, there is another way to access voicemail – but that does require some technical skill and access to right equipment. It would be unprofessional of me to describe it here though. Suffice to say that OFCOM take an interest in anyone trying to offer the service commercially.

n-gate ltd.


Juries vs. the Internet – time for a change ?

Posted on June 13, 2011. Filed under: forensic

This story caught my eye this morning : http://www.telegraph.co.uk/technology/facebook/8571855/Juror-in-Facebook-contempt-prosecution-after-contacting-defendant-during-trial.html

It highlights one of the problems we have with jury trials in the age of pervasive technology. It is only natural for someone involved in deciding the fate of another to want to obtain as much information as possible so that they can be sure they’ve made the right decision. No matter how often a judge reminds a jury not to discuss the case and not to attempt to carry out their own research or to make contact with anyone else involved in the case, the temptation to “break the rules” must be almost overwhelming.

This is particularly true when complicated scientific or business evidence is involved. Much of it can be so obscure to the uninitiated that they feel they cannot hope to understand it without help, but that help is not provided to them, so they go off and do their own research – using untested, unapproved and unvalidated sources. Either that, or they believe what they’ve seen in the mass-media and we get the results of the dreaded “CSI effect” creeping in.

Perhaps it’s time we revised the jury system – not to abolish them, and not to have expert jurors only, but to give them access to court-approved sources of information in the jury room. Independent advisors, completely isolated from the trial materials, who can speak on the underlying principles of the technical evidence, seeking permission from the court before commenting and keeping rigorous notes of everything they discuss so that all parties can be fully aware of the issues being raised by the jury. Of course, jurors might need to be kept in isolation to prevent them seeking the extra information anyway, but perhaps having a source “on tap” in the jury room could help speed up their deliberations by giving them confidence that they know the whole story.

Of course, it might lead to longer trials, but that could be a price worth paying if we can eliminate uncertainty and reticence to make a decision introduced by jurors who feel they need more information or, worse, hurried decisions made by those who already think they know it all.


In the footsteps of Bob & Bing

Posted on April 7, 2011. Filed under: forensic, security

Just 2 more days till I’m off to the ISO/IEC SC27 meeting in Singapore and I couldn’t resist the opportunity to use a clip from a relevant film ;)

Anyway – some interesting new agenda items have appeared. Of these the most significant is a new discussion slot on “Digital Forensic Processes”, suggesting there may be some new work items (aka drafting of new standards). It’s not clear where the request for this has appeared from or exactly what it relates to.

Given that I volunteered to be a rapporteur for study periods on “Digital Evidence Readiness & Analysis” and “Digital Evidence Validation & Verification” it seems a little redundant to me. We (the UK panel dealing with these) are proposing that readiness should be considered as part of Incident Management since it involves planning & auditing, Analysis should probably sit inside the existing draft 27037 document about evidence recovery, since it shares many common features and requirements, and that there should be a new standard for Validation & Verification.

With those in place, we think we cover all the critical phases of an investigation (and we are not going to say “forensic” because we now believe it is appropriate to broaden the standards so that every investigation is carried out to a high standard just in case it needs to go to court) – so I’m curious where the extra discussion has come from. Maybe the committee has realised just how much I like the sound of my own voice ?



Fitness for Purpose revisited

Posted on April 29, 2010. Filed under: forensic

I posted a hint, a few weeks ago, that I was intrigued by differing attitudes to the validation task which is effectively required by ISO17025 and the Forensic Science Regulator’s standards.

The two attitudes seem to be :

  • “Well, it’s just testing isn’t it ? How hard can it be ? “
  • “We have to do it, but think of the complexity! How many hardware and software configurations do we need to consider ? “

One comes from end-users of the tools, one from developers. I’ll let you decide which is which. The second response, though, is particularly interesting in light of some stories I’ve heard from teams who have tried to get accreditation for mobile phone work. There has been a suggestion that they have to test every handset which their systems claim they support – even the American spec. phones which don’t work in the UK.

Interestingly, in spite of the requirement to do this validation, there doesn’t seem to be much work going on to determine what we mean by “valid”. Personally, I fall back on software engineering definitions of validation and verification in this situation – it has to do the right thing in the right way. How do we find out how commercial software is doing something anyway ?

Back in December, I hosted a meeting of some industry representatives – mainly people I know or who were recommended to me – to look at the problem more closely. To start the ball rolling, I asked a couple of questions:

  • What do we mean by fitness for purpose ?
  • What do we mean by purpose ?

Fairly obviously, the second question needs to be answered before the first can be dealt with, but the outcome of the discussions we had was quite fascinating to me. You can find a copy of the full report in the “Regulation” section at http://www.n-gate.net/, but the short version is – we struggled to define purpose.

As we considered the various phases of a digital forensic investigation, and the different types of devices, methods and data which might have to be considered it became clear that relatively few people have sat down and done a proper old-fashioned requirements analysis. The view of the group was that we should launch a pilot programme to see if a requirements-led approach can work. The group recommended starting with the data acquisition phase (carefully chosen phrase as it encompasses non-digital data too) as this is the foundation of everything else that can be done.

Thinking more about this process has led me to start challenging accepted wisdom in digital forensics – for example, do we always have to try to get a complete image of every storage device ? Even the ACPO guide doesn’t say it, but anyone who doesn’t can rely on their methods being challenged in court. A proper requirements analysis, determined in part by the type of case might help here.

As always, though, we have the golden question – who has the gold to pay for this ?

(If you have any to spare, let me know – I’d love to get my teeth into this problem properly)


What’s in a name ?

Posted on March 29, 2010. Filed under: All, forensic

I’M ON THE TRAIN!

on my way back from yet another meeting. Funny how I used to hate them when I was a salaried employee, but find them quite interesting since there’s no way they can turn into extra work, unless I want them to, now.

The topic and participants aren’t really relevant to this entry, other than to note that it was a meeting about standards (of a sort) in digital forensics and that the participants were drawn from quite a wide community.

What I found really interesting about it was the way that the meeting seemed to start with the premise that digital forensics is a sub-discipline of information security. That’s something I’ve heard time and time again over the years and have even struggled with when it comes to getting papers published. The info. sec. community quite rightly understands that there is a “forensic” element required in their work – especially when things go wrong or when some sort of attack is attempted, but I would argue that digital forensics goes beyond the realms of info. sec. (and that’s why I always got bad referees’ reports on papers).

It’s not just about law enforcement either, which is the other view I’ve heard expressed on occasion.

No, to me, digital forensics is about the investigation of activity using data found on digital devices. The activity itself may not be a crime, may not constitute misuse, but may have some value in another context. Yes we ought to understand that, strictly speaking, “forensic” means it relates to courts & the law, but common use of the word now seems to mean “investigative science” (isn’t that redundant – isn’t all good science investigative anyway ? ) and digital forensics is a tool which can be deployed in a multitude of contexts. So, my stance is that it overlaps law enforcement and information security as a discipline in its own right, with features from both of those areas and more.

In fact – on Wednesday this week, snow permitting, I’ll be talking about yet another use – digital forensics in fire investigation – in Aberdeen.

Leave your thoughts and comments and I might award a buttery for the best one 😉

Of course, maybe the real problem is that we haven’t stopped to define digital forensics properly yet…


Credit, debt and security

Posted on October 14, 2009. Filed under: All, forensic, life

Sitting at home with nothing but the radio and daytime TV for company is an interesting experience. I tend to keep the TV on while I’m working just to have some background noise and movement.

One thing I’ve noticed recently, though, is that there’s a steadily growing number of adverts for “pre-paid credit cards”. Let’s just review that for a moment – pre-paid credit cards.

Now – a normal credit card is really a debt card – i.e. a token which represents a notional sum of money which someone is willing to lend you, and in the UK such things are governed by the consumer credit act. This makes the lender jointly responsible with the retailer and can give a handy degree of protection if something goes wrong with a purchase.

Then we have debit cards – which are a mechanism for getting access to such funds as are available in a bank account and nothing more, unless an overdraft has been agreed. These are not governed by the consumer credit act.

So, where do pre-paid credit cards lie ? Well – the process is simple – the user “loads” cash onto the card, just like making a deposit into a bank account – in effect, giving the card company an interest-free loan. When the card is used, only the available balance in the account can be spent. These cards are being marketed as a way of controlling your own spending without having to carry cash.

So what is the card ?

To me, it looks very like another form of debit card with none of the consumer protection of a true credit card and fewer of the checks required to open a bank account.

I’ll go further – the adverts seem to be targeting the age group who traditionally have problems getting credit cards because of age and low income. These cards look like real credit cards and can be used in much the same way BUT have less protection – even less since chip & PIN was introduced.

Ah, chip and PIN – I hate this system. Under the old scheme where the bearer had to sign the slip, the retailer could be held liable for fraudulent transactions because it could be claimed that they had failed to check the signature properly. With chip and PIN the responsibility shifts and the first claim is that the card holder has not protected the PIN properly. Don’t get me started on abuse of CVV for mail order and Internet transactions…

So, now we have a card with low initial requirements, no consumer credit act protection and nothing significant in the way of proper anti-fraud mechanisms.

Oh dear. I can see at least 6 criminal activities which would benefit from these cards already.


About

This is the weblog of Angus M. Marshall, forensic scientist, author of Digital Forensics : digital evidence in criminal investigations and MD at n-gate ltd.