It’s the little things

Posted on June 8, 2011. Filed under: forensic

A while back I was asked to help out with a fraud case. The investigators had done a pretty decent job of extracting relevant information, but a critical aspect of the case hinged on the dates when a couple of letters were written. We had some issues around the way a disc image had been captured, which meant that everything except the “last modified” date was considered unreliable.

These letters had been written in Word and the timestamps in the filesystem were about 2 years AFTER the dates in the text of the documents. The meta-data in the documents agreed with the filesystem.

The defence experts, quite rightly, put forward a suggestion that the computer used to create the documents could have had an inaccurate clock, possibly even set to a future date. Unlikely, in my opinion, but possible and probably enough to create “reasonable doubt” if the evidence came to court.

However, as we explored the issue further and got further and further into the niceties of Windows XP clock synchronisation using NTP when connected to the Internet, something in my subconscious prodded me.

Just out of curiosity, I ran the GNU “strings” program against one of the documents and out popped a couple of JPEG JFIF headers. So I carved out the two JPEGs and checked the EXIF data. Both contained dates which matched the filesystem – hardly surprising and not much help countering the “clock was wrong” argument – but they also contained a signature from the program used to produce them. It was a version of Photoshop which wasn’t produced until at least 18 months after the dates in the letter text.
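As an added illustration of the carve-and-inspect step described above (example code written for this post, not the author's tooling): it scans a document blob for embedded JPEGs and reads the Software and DateTime tags from each one's EXIF IFD0, which is where the producing application's signature and timestamp live. The sample document, editor name and date it builds are constructed for the demonstration.

```python
import struct

SOI, EOI = b"\xff\xd8\xff", b"\xff\xd9"          # JPEG start-of-image / end-of-image markers
TAGS = {0x0131: "Software", 0x0132: "DateTime"}   # the two IFD0 tags the post relied on

def carve_jpegs(blob):
    """Carve every byte range that opens with a SOI marker and ends at the next EOI."""
    out, pos = [], 0
    while (start := blob.find(SOI, pos)) >= 0 and (end := blob.find(EOI, start + 3)) >= 0:
        out.append(blob[start:end + 2])
        pos = end + 2
    return out

def _ascii_tags(tiff):
    """Walk IFD0 of a TIFF header block and return the ASCII tags listed in TAGS."""
    bo = ">" if tiff[:2] == b"MM" else "<"             # byte order: Motorola or Intel
    ifd = struct.unpack(bo + "I", tiff[4:8])[0]        # offset of IFD0 from the TIFF header
    count = struct.unpack(bo + "H", tiff[ifd:ifd + 2])[0]
    found = {}
    for i in range(count):
        tag, typ, n, raw = struct.unpack(bo + "HHI4s", tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i])
        if tag not in TAGS or typ != 2:                # type 2 = ASCII
            continue
        if n > 4:  # value does not fit in the entry: 'raw' is an offset from the TIFF header
            off = struct.unpack(bo + "I", raw)[0]
            raw = tiff[off:off + n]
        found[TAGS[tag]] = raw[:n].rstrip(b"\x00").decode("ascii", "replace")
    return found

def parse_exif(jpeg):
    """Find the APP1/Exif segment of a carved JPEG and return its Software/DateTime, or {}."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, seglen = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return _ascii_tags(jpeg[pos + 10:pos + 2 + seglen])
        if marker == 0xDA:  # start of scan: no further metadata segments follow
            break
        pos += 2 + seglen
    return {}

def build_sample_document():
    """Constructed test input: filler bytes around one JPEG whose EXIF names a made-up editor."""
    software, when = b"Example Photo Editor 9.0\x00", b"2009:03:15 10:22:01\x00"
    ifd = struct.pack(">H", 2) + struct.pack(">HHII", 0x0131, 2, len(software), 38) \
        + struct.pack(">HHII", 0x0132, 2, len(when), 38 + len(software)) + struct.pack(">I", 0)
    app1 = b"Exif\x00\x00" + b"MM\x00\x2a" + struct.pack(">I", 8) + ifd + software + when
    jpeg = b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
    return b"fake word document body " * 4 + jpeg + b" trailing filler"
```

Run `[parse_exif(j) for j in carve_jpegs(build_sample_document())]` to see the carved image's Software and DateTime; the same two calls work on any binary document blob.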

Either the suspect had been indulging in time travel, or the letters as printed must have been created some time after the date he claimed.

Sometimes, we forget that there’s more to timeline analysis than just the clock data. Knowing when a piece of software or a file first appeared can be very helpful too.

http://www.n-gate.net/


ISO ISO baby – part 2

Posted on April 20, 2011. Filed under: forensic, security

Well, I’m just about back on BST after spending last week in Singapore. In the words of Robin Williams – “IT’S HOT!” out there, and sticky, but the locals are very friendly, the food is excellent (Kopi & Kaya Toast highly recommended for breakfast).

Of course, I wasn’t just out there for a “jolly” (but thanks for dinner Microsoft – I promise to say nice things about you for a few hours at least), but was attending the latest meeting of ISO/IEC JTC1 SC27 working groups. This is the “Information Technology – Security Techniques” sub-committee responsible for the infamous 270xx family of standards.

My main responsibility was to assist with the ongoing task of editing the 27037 “Guidelines for the identification, collection, acquisition and preservation of digital evidence” document. It’s coming along nicely, but we still have considerable debate about whether this is a standard for law-enforcement, Infosec. or both.

My own view is that, because of the nature of the committee responsible, it needs to be an Infosec. document which can be useful for everyone – including law enforcement. This approach to it seems to be paying off as some of the resistance to it is falling away.

The problem with treating it as a document for law-enforcement is that any international standard in this area is bound to come into conflict with local law, local procedure etc. (you’ll see the truth of that when you read the final version and see how often we have had to include a reminder about local legislation etc. overriding the guidance). Worse still is the possibility that an ISO document might try to tell judges how to deal with evidence & matters of law.

We can do no more than issue some helpful information and try to set a minimum standard which will allow anyone involved in investigating digital incidents to have confidence that any organisation, working to the same standard, will use methods which are compatible. In that respect, ISO/IEC 27037 looks like it’s going to work. Ideally, of course, everyone will adopt it as a minimum standard – and that can only be good news, because there will be better understanding of the issues surrounding digital evidence handling and fewer situations where examiners, like me, have to turn down cases because of problems in the early stages.

I just hope we can achieve the same with the three new projects that we’re hoping to launch in October – “Investigation Principles & Process”, “Guidelines for Analysis & Interpretation of Digital Evidence”, and “Guidance on assuring suitability and adequacy of investigation methods”. We (the UK group) are also hopeful that our proposal for some new work on “Incident Readiness” (particularly investigative readiness) will also be launched in October.

If you have any suggestions for what should be included in those standards, please do let me know. These things are just written by “the great and the good” (proof: they let me play!) but are the result of debate, discussion and consensus. More ideas = better results.


Credit, debt and security

Posted on October 14, 2009. Filed under: All, forensic, life

Sitting at home with nothing but the radio and daytime TV for company is an interesting experience. I tend to keep the TV on while I’m working just to have some background noise and movement.

One thing I’ve noticed recently, though, is that there’s a steadily growing number of adverts for “pre-paid credit cards”. Let’s just review that for a moment – pre-paid credit cards.

Now – a normal credit card is really a debt card – i.e. a token which represents a notional sum of money which someone is willing to lend you, and in the UK such things are governed by the consumer credit act. This makes the lender jointly responsible with the retailer and can give a handy degree of protection if something goes wrong with a purchase.

Then we have debit cards – which are a mechanism for getting access to such funds as are available in a bank account and nothing more, unless an overdraft has been agreed. These are not governed by the consumer credit act.

So, where do pre-paid credit cards lie? Well – the process is simple – the user “loads” cash onto the card, just like making a deposit into a bank account – in effect, giving the card company an interest-free loan. When the card is used, only the available balance in the account can be spent. These cards are being marketed as a way of controlling your own spending without having to carry cash.

So what is the card?

To me, it looks very like another form of debit card with none of the consumer protection of a true credit card and fewer of the checks required to open a bank account.

I’ll go further – the adverts seem to be targeting the age group who traditionally have problems getting credit cards because of age and low income. These cards look like real credit cards and can be used in much the same way BUT have less protection – even less since chip & PIN was introduced.

Ah, chip and PIN – I hate this system. Under the old scheme where the bearer had to sign the slip, the retailer could be held liable for fraudulent transactions because it could be claimed that they had failed to check the signature properly. With chip and PIN the responsibility shifts and the first claim is that the card holder has not protected the PIN properly. Don’t get me started on abuse of CVV for mail order and Internet transactions…

So, now we have a card with low initial requirements, no consumer credit act protection and nothing significant in the way of proper anti-fraud mechanisms.

Oh dear. I can see at least 6 criminal activities which would benefit from these cards already.


    About

    This is the weblog of Angus M. Marshall, forensic scientist, author of Digital Forensics : digital evidence in criminal investigations and MD at n-gate ltd.
