funsec mailing list archives

Police blotter: Web cookies become defendant's alibi


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Fri, 27 Oct 2006 09:07:56 -0400

A few quick comments. a). An IE cookie file contains an internal time stamp
which is much harder to fake than file timestamps.  b).  Regardless of the
timestamp of the cookie files, it is unknown who was at the keyboard when
the cookie files were made or accessed.  c).  A more complete investigation
may have found other files on the hard drive in the timeframe of interest.
 
Richard
 
  _____  

 
http://news.com.com/Police+blotter+Web+cookies+become+defendants+alibi/2100-1047_3-6129993.html?tag=nefd.top
 

What: A Texas man says the timestamp of cookies on his Web browser proves he
was actually online and not where prosecutors claim he was. 

What happened, according to court documents: 

After a stormy divorce between Erin McRae and Everett Eugene Russell, a
judge granted McRae a protective order requiring her ex-husband to stay away
from her residence. 

McRae moved to her stepfather's home in Shady Shores, Texas. Around 10 a.m.
on Feb. 26, 2005, she noticed a white truck parked on the road. She and her
friend Heather both claim they then spotted Russell walking down the fence
line along the stepfather's house. 

...

The third component of the alibi is what makes this case relevant to Police
blotter. Russell claimed he was surfing the Web that morning, checking on an
IRS income tax return and shopping online at Home Depot's and Lowe's Web
sites. 

He made a disk showing the Web sites that he had visited on Feb. 26, 2005,
and the cookies on the disk indicated that he was on the IRS Web site at
10:29 a.m. CST. The disk also indicated that Russell was online from 10:29
a.m. to 11 a.m. and again at 1:04 p.m. (
<http://dw.com.com/redir?destUrl=http%3A%2F%2Fen.wikipedia.org%2Fwiki%2FHTTP_cookie&siteId=3&oId=2100-1047-6129993&ontId=1040&lop=nl.ex>
Cookies are, of course, small chunks of data saved in
<http://dw.com.com/redir?destUrl=http%3A%2F%2Fiteslj.org%2Fs%2Fib%2Fcookies.html&siteId=3&oId=2100-1047-6129993&ontId=1040&lop=nl.ex>
text files that let a Web site recognize you upon future visits.)

But prosecutors argued that the cookie file could have been altered, and a
jury agreed. There's no explanation in the opinion as to why Russell's
attorney didn't subpoena logs from those Web sites or his Internet service
provider that--if available--could have provided a much stronger alibi. It's
also unclear if Russell was relying on information in individual cookies,
which would be set by each Web site, or the file system's timestamp on the
entire file. 

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
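
Added example (not part of the original post or the quoted article): a sketch of reading the per-cookie creation time stored inside an IE text cookie file and checking it against the file system's modification time, the two sources the article distinguishes. Assumptions: the record layout (name, value, host/path, flags, expiry low/high, creation low/high, then a "*" line, with times as Windows FILETIME halves), the 5-minute tolerance, and all sample values, which are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(low, high):
    """Join the 32-bit halves of a FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=((high << 32) | low) // 10)

def dt_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample."""
    ticks = ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return ticks & 0xFFFFFFFF, ticks >> 32

def parse_ie_cookie_file(text):
    """Assumed layout: 8 field lines per cookie, then a line holding '*'."""
    records, fields = [], []
    for line in text.splitlines():
        if line.strip() != "*":
            fields.append(line.strip())
            continue
        if len(fields) == 8:  # skip truncated or malformed records
            name, _value, host, _flags, ex_lo, ex_hi, cr_lo, cr_hi = fields
            records.append({
                "name": name, "host": host,
                "expires": filetime_to_dt(int(ex_lo), int(ex_hi)),
                "created": filetime_to_dt(int(cr_lo), int(cr_hi)),
            })
        fields = []
    return records

def created_after_mtime(records, fs_mtime, tolerance=timedelta(minutes=5)):
    """Cookies stamped as created after the file was last written: inconsistent."""
    return [r for r in records if r["created"] > fs_mtime + tolerance]

def build_sample():
    """Constructed one-cookie file; host, name and value are made up."""
    created = datetime(2005, 2, 26, 16, 29, tzinfo=timezone.utc)  # 10:29 a.m. CST
    cr_lo, cr_hi = dt_to_filetime(created)
    ex_lo, ex_hi = dt_to_filetime(created + timedelta(days=365))
    fields = ["session", "abc123", "www.example.test/", "1024",
              ex_lo, ex_hi, cr_lo, cr_hi, "*"]
    return "\n".join(str(f) for f in fields) + "\n"

if __name__ == "__main__":
    recs = parse_ie_cookie_file(build_sample())
    mtime = datetime(2005, 2, 25, 12, 0, tzinfo=timezone.utc)  # constructed file mtime
    for r in created_after_mtime(recs, mtime):
        print(r["host"], r["name"], "created", r["created"], "but file mtime", mtime)
```

Agreement between the two timestamps does not establish who was at the keyboard, and both values depend on the local system clock at the time of writing.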
