Full Disclosure mailing list archives

Re: Operation Site-Key computer forensic searches ruled illegal


From: Jason Coombs <jasonc () science org>
Date: Wed, 10 Aug 2005 10:47:44 -1000

Tharp, Robert wrote:
OK. I understand now. That's very interesting. In the Marine's case, did you
actually prove that had happened? Or did you just raise enough doubt that
the prosecutors dropped the case?

The defendant's credit card number was definitely intercepted by a third party by way of the keylogger. There was no doubt about that. The child pornography found on the hard drive was entirely within the unallocated clusters, meaning that at some point in the past there had most likely been a few digital photos on the computer in the active filesystem, but that those files were no longer found alongside the other files and folders within the active filesystem.

One possible explanation for these circumstances is that the photos were saved to the computer's hard drive by Internet Explorer as Temporary Internet Files. We don't know for sure, and can't know for sure, that this was the case because once a file is deleted and its entries in the FAT or MFT (portion of hard drive in which Windows stores the list of files and folders that are on the drive) are overwritten with other data it is impossible to know what folder the file had previously been stored within. So, we have to look at other factors -- we usually don't even have a filename of the deleted file in this case, we only have the digital photograph data; and a forensic technique called a "carve" has to be performed to scrape the digital photograph data out of the unallocated clusters starting from the beginning of the photograph data.

If you carve child pornography out of unallocated clusters on a hard drive that belonged to a suspect whose credit card number appeared in the site-key database, you don't have to be a rocket scientist to conclude that, reasonably, the two circumstances are probably connected.

The flaw in this whole thought process is in attributing those two connected events to a person just because the person is the owner of both; given that there was a Trojan infection AND a keylogger installed, it was proved conclusively that somebody else had control of the suspect's computer, and therefore had control of the suspect's identity.

However, this is not the way that forensic examiners write their forensic examination reports. So-called "computer forensic examiners" including those who work for the DOD Computer Forensics Lab (DCFL) who did work in the Pearl Harbor case simply report what they find. They don't offer interpretations. They don't even point out what should seem obvious: that a Trojan and a keylogger are present BECAUSE somebody else was in control of the computer via the Internet. Not as a result of some virus or worm that automatically infected the defendant's computer without a human intruder guiding them to do so.

This is a subtle but critical distinction ... My job has always been to offer expert opinion testimony. This is what I do in the cases that I am hired to work on. Despite being expert in law, judges and attorneys often do not understand the difference between a computer forensic examination report authored by a computer forensics lab and opinion testimony; my Pearl Harbor testimony revolved around the need for a civilian expert who could review the forensic examination and offer critique and opinion as to the meaning and reliability of the circumstantial evidence in linking the defendant to the crime.

In all other fields of forensics the forensic technician or criminalist offers an opinion along with their report of findings. In every case that I've worked on and every case that I've read transcripts and researched where "computer forensics" serves as a source of evidence against the accused, the information found on the suspect's hard drive is represented to be proof of the actions of the owner of the hard drive. When asked questions like "couldn't somebody else have been sitting at the keyboard?" the forensic examiner will answer "yes" -- you'd be surprised how often this question doesn't get asked by the defense attorney -- but then say something like "but I found the data associated with the defendant's user account". The forensic examiner is the master of twisting the evidence to fit the accusation because there is always a way to look at the data that makes the data tell the story you want it to tell. Because the forensic examiners don't offer opinion testimony, indeed they are not qualified to offer opinions in most cases because they simply do not understand the computer programming that caused the electronic evidence to exist.

The only forensic examiner who I have encountered who was a former software developer was actually not skilled as a programmer of the Windows operating system or of data communications software like the software he typically testifies about -- rather, he was a database programmer who used dBase to create databases and the programming instructions that would put data in and get data out of the databases. Perhaps you've done this yourself using Microsoft Office. It is not a difficult skill to learn, and its practitioners do not need to understand how computer software really works; they only need to understand the commands that they have to use to cause their database to do what they want it to do. In software engineering, people with this capability are never selected to write operating systems or software like Internet Explorer because they simply do not understand software development -- they understand database development. We call them "database programmers" but that's just to be nice (and make resumes look good) -- they are not "computer programmers" because without the database program that they know how to operate these "programmers" would not be capable of writing "software".

This is all lost on the court in the same way that the distinction between "computer forensics" and "software expert" is lost on the court, resulting in a belief that a "computer forensics expert" is by definition an expert in computers and software programming, but the truth is usually that the computer forensics expert was trained to operate some computer forensics software program like EnCase -- without that program the so-called "expert" would not be capable of performing an investigation into what happened to a computer in the past, what software executed on it, what people appear to have used it, etc.

All of these issues sort of converge in a sick and twisted way when computer evidence is planted by a third party (or when a third party takes control of somebody else's computer and uses it to commit a crime, which is, in effect, planting electronic evidence) because the people who do the work investigating the computer evidence (on behalf of law enforcement OR on behalf of the defense) simply do not have the information security expertise necessary to explain first and foremost that hard drives do not contain "computer evidence" but instead that hard drives contain "data" -- and that data was stored on the hard drives by the execution of "software" and that it is impossible to know exactly what software executed in the past on a microprocessor.

The practice of using "computer forensics" to gather, present, and explain "computer evidence" in court is in dire need of remediation. Without competency in the information security field, no "computer forensics expert" should be allowed anywhere near a courtroom.

There should also be minimum mandatory information security training given to judges, attorneys, and members of a jury, before any one of such persons is allowed to view "computer evidence" -- if the computer forensic examiners aren't going to offer opinion testimony that calls into question the legitimacy of their own investigative techniques then the court must force this safeguard into the process.

Except where law enforcement has implemented strict forensic controls during an investigation, and conducted ancillary surreptitious monitoring of a suspect using video surveillance, keyloggers, screen capture, runtime forensic logging of machine code executed by a CPU, and other techniques that conclusively establish the physical presence of a suspect, and the conclusive absence of hidden outside control or influence over a computer that is the source of computer evidence, no computer evidence should be allowed in court.

What's happening today is akin to giving intruders from the other side of the world the ability to fill our filing cabinets, our wallets, our bedrooms, our closets, and our vehicles with incriminating evidence automatically through the Internet. Nobody ever explains this to the judge, and law enforcement forensic examiners seem not to understand it.

Something must be done to fix this, and every person convicted of a crime in the past where computer evidence was used without ensuring that its pitfalls are well-understood should be given an immediate retrial.

Sincerely,

Jason Coombs
jasonc () science org
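The "carve" step described in the message above, as an added example that is not part of the original post: a minimal signature-based JPEG carver run over a constructed byte blob that stands in for a drive's unallocated clusters. It reports only offset, length and hash, because no filename or folder survives once the FAT/MFT entry is overwritten, and it flags a record whose tail has been overwritten as partial rather than gluing it to the next photo. Function and sample names are my own.

```python
import hashlib

# JPEG signatures: SOI marker plus the 0xFF of the next marker, and EOI. Once a
# file's FAT/MFT entry is gone these bytes are all a carver has: no name, folder
# or timestamp survives, only the photograph data itself.
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"


def carve_jpegs(blob: bytes, max_size: int = 8 * 1024 * 1024) -> list:
    """Scan raw bytes (e.g. concatenated unallocated clusters) for JPEGs and
    return one dict per header: offset, length, complete flag, SHA-256.
    A header with no footer, or whose footer lies past the next header, is
    reported as partial: later writes have reused some of its clusters."""
    carved, pos = [], 0
    while True:
        start = blob.find(JPEG_HEADER, pos)
        if start == -1:
            break
        scan_from = start + len(JPEG_HEADER)
        end = blob.find(JPEG_FOOTER, scan_from, start + max_size)
        next_hdr = blob.find(JPEG_HEADER, scan_from)
        if end == -1 or (next_hdr != -1 and next_hdr < end):
            carved.append({"offset": start, "length": None,
                           "complete": False, "sha256": None})
            pos = scan_from
            continue
        data = blob[start:end + len(JPEG_FOOTER)]
        carved.append({"offset": start, "length": len(data), "complete": True,
                       "sha256": hashlib.sha256(data).hexdigest()})
        pos = start + len(data)
    return carved


def extract(blob: bytes, item: dict) -> bytes:
    """Bytes of a complete carved item; empty for a partial one."""
    if not item["complete"]:
        return b""
    return blob[item["offset"]:item["offset"] + item["length"]]


def build_sample_unallocated() -> bytes:
    """Constructed sample, not real evidence: zero filler around two complete
    JPEG-shaped records and one whose footer was overwritten."""
    filler = b"\x00" * 64
    jpeg_a = JPEG_HEADER + b"\xe0" + b"JFIF-sample-A" + JPEG_FOOTER
    partial = JPEG_HEADER + b"\xe0" + b"truncated-C"  # no EOI marker
    jpeg_b = JPEG_HEADER + b"\xe1" + b"Exif-sample-B" + JPEG_FOOTER
    return filler + jpeg_a + filler + partial + filler + jpeg_b
```

Real JPEGs can embed an Exif thumbnail with its own SOI/EOI markers, so production carvers parse segment lengths rather than trusting signatures alone; the hash is what lets a reviewing expert confirm that the bytes examined are the bytes the lab reported.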
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/