Full Disclosure mailing list archives

Re: Help put a stop to incompetent computer forensics


From: Jason Coombs <jasonc () science org>
Date: Wed, 10 Aug 2005 11:02:37 -1000

anonymous wrote:
> I know when running EnCase or some other software you can see the cookies of the machine. More importantly, you can see what "search items" the individual was searching for.

No, you cannot. You can see what the Internet Explorer history files contain. This does not prove that a person typed search terms into Google. If you'd like me to prove this to you, ship your computer to me. I will ship it back to you and it will contain proof that you are a very, very bad person.


> So I can tell if the person had the intent or at least give some ammo to the prosecution that the perp was searching for "zzzzz" and "yyyy" etc.

No you can't. You can tell that the Internet Explorer history files contain data.


> So if their entire defense is that a trojan put the kiddie porn on their machine yet their search items were things related to that sort of thing then we can show the perp was searching for related topics.

Come on, do you even understand what a Trojan is?

By definition, the Trojan gives a third-party the ability to control the computer from a remote location. I'm not suggesting that the Trojan was programmed to plant evidence. I'm saying that a third-party was in control of the computer and any data that you see on the computer's hard drive, including things that you seem to think "prove" that a person typed on the attached keyboard, reflects, at best, the actions of many people and a lot of software -- and at worst the data are meaningless because the files have been tampered with on purpose by a third party.

> But I do believe that once an analysis of the perp's hard drive has been done said examiner should be able to determine if the information on the machine was from the surfing habits of the perp, or if they may have come from a trojan. Besides, if a trojan was present it should still be there when the examiner is looking at the system!

No. The analyst can only determine that the computer may have been executing software in the past at various purported times (based on date/time stamps) -- or, maybe what you can determine is that the computer has been receiving files from elsewhere, and the date/time stamps don't have any connection whatsoever to the local computer but have some connection to another computer. Furthermore, Trojan infections come and go, and you probably know that remote exploitable vulnerabilities make it unnecessary to plant a Trojan -- if the attacker/intruder is only interested in gaining control of the computer one time, and a victim comes along with a vulnerable IE browser, then arbitrary code can be executed and no Trojan infection will necessarily result. That's up to the attacker. Nevertheless, the arbitrary code execution resulted in the attacker being able to do anything they want with the computer, including launch IE and visit Web sites and enter search terms which IE will log.

> However, if the information came from an email, cd, diskette or other media then it's going to open a whole other can of worms.

It's not a can of worms for a CD or diskette to be found alongside a computer, that's called reasonable circumstantial evidence. Computer data stored on hard drives connected to the Internet is NOT reasonable circumstantial evidence. It's just data.

The "circumstances" under which data come to be on a hard drive are UNKNOWN unless law enforcement have established appropriate forensic controls to monitor computer operation during an investigation.

When the circumstances of software execution on a computer and the data communications to and from a computer are UNKNOWN, all data from that computer should be excluded from use in court as "evidence" of anything.

Sincerely,

Jason Coombs
jasonc () science org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/