Methodology

It’s not always what you find…

by Sam Raincock, IT and telecommunications expert witness

In digital forensics we are often asked to determine the presence of evidence. However, what happens when we do not find anything? How do we prove something wasn’t there? Proving something is present is generally a trivial problem – you find it, it’s there. Of course the complex part is explaining how it came to reside on a digital device and the circumstances surrounding it… that’s what the field of digital forensics is all about. However, proving that something isn’t there, or was never there, is also a question we are asked to comment on. Take the following for example:

· Examine this laptop and establish if it has accessed the website http://www.forensicfocus.com.

· Examine this mobile telephone and determine if it sent a text message with the content “Forensic Focus”.

Let’s look at the first example. In the event there is “no evidence of access to http://www.forensicfocus.com found”, what remains is proving (or commenting on) a negative. However, just because you do not find any evidence of connections to the site, does this imply no connections ever occurred?

There are three main possibilities to consider. Firstly, the techniques used in your examination did not facilitate finding the evidence even though it is present. For example, take a simplified case where only the live Internet history is examined initially: a subsequent examination could recover deleted Internet history, and further evidence may be established from it.

Secondly, you did find the evidence but were unable to determine how to interpret it so you didn’t establish its meaning. For example, you found a partial registry file in deleted space but did not have the knowledge to interpret it and extract the evidence.

Thirdly, there is no evidence on the device of any connections occurring to http://www.forensicfocus.com. So no connection ever occurred?

Even in the last situation, on a computer the absence of any evidence is often not evidence that it was never present. Data on a computer can be deleted and overwritten, so it is possible that an event occurred but evidence of it is no longer available.

It’s not what you find, it’s what you don’t find

In the process of reviewing evidence reports, I often see statements made about something not being present or the inability to do something:

1. No video files were stored on the mobile telephone.

2. It’s not possible to determine how the files found in Shadow Copies came to reside there.

3. At 15:00 no activity was occurring on the computer.

4. There is no occurrence of the word “Forensic” on the memory card.

What do these statements actually mean? And more importantly, how will they likely be interpreted by a legal professional?

Let’s look at the first statement. “No video files were stored…” It’s a strong statement that in its current wording would likely be interpreted as factual by a legal professional, i.e., there are no video files. What happens when another examiner analyses the device using a different examination technique or software and finds video files? It would give rise to an interesting case conference!

Let’s also consider points 2 to 4 from the above list:

· “It is not possible to determine how the files found in Shadow Copies came to reside there.” So why is it not possible? Because in the past, we didn’t know how to do it! However, it was not impossible – it was just that the writer did not know how to interpret the evidence they were examining.

· “At 15:00 no activity was occurring on the computer.” This statement may be true if you can prove it wasn’t switched on. However, what about a computer that is running, but you have not found any evidence (yet) around the time of interest? In this example, what would happen if a user was editing a Word document that they created at 13:00 and finished working on at 17:00?

· “There are no occurrences of the word ‘Forensic’ on the computer.” What about if you search for “ForensicFocus”? Will the search terms you use return different results? In this example, depending on the search heuristic being implemented, will your results differ?

Dealing with a negative finding

The ability to deal with a negative finding is what is important. It is my belief that the report produced should use appropriate language to describe what is meant by not finding something. This makes the significance of a negative finding clear to the reader, and it protects the writer in the event their original statement is disproven. To do this you firstly need to consider what your negative finding means. Why have you not found the evidence? Could you examine the device further and find a partial file? Could someone else? Are the search terms you used the reason why you have not found what you were looking for? Do you trust the completeness of any scripts you are using?

Let us take a case scenario where an examiner is asked to find sound recordings on a mobile telephone. Furthermore, let us say that the telephone was examined and it was concluded that it did not contain any sound files. The telephone was then re-examined by another examiner who, using different techniques, concluded a deleted sound recording was present but it is not possible to date its creation. Another examiner analyses the evidence and finds the sound recording and determines it was possible to date the original sound file. If the first two people have concluded a negative – they have both been disproved. What happens now to the evidence originally presented by the other two examiners?

So how can things be phrased to protect the examiner and also to provide a more objective view?

“I did not find any occurrences of ForensicFocus” may become “The searches X, Y, Z I performed using A did not find any occurrence of ‘ForensicFocus’.” You could explain the search process in your background information section so that it is clear what this process may or may not find.

“No activity was recorded on the computer at 15:00” may become “The examinations I performed did not find any evidence of activity at 15:00. However, it should be noted that the way in which a computer operates means that…”. You could discuss how the absence of information does not prove an event did not occur – perhaps give an example that people can relate to, something like the editing of a Word document and the evidence this may produce.
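As an added illustration (not part of the column, and not any particular tool’s code), the script below runs the same keyword through several search heuristics over a constructed byte image, showing how the “Forensic” versus “ForensicFocus” point above plays out, and then words the outcome in the form suggested for the report. The image contents, the heuristic names and the sentence wording are assumptions made for the example.

```python
import re

# Constructed sample "memory card" image: the term appears three times, in
# forms that different search heuristics treat differently.
IMAGE = (
    b"\x00" * 16
    + b"visit ForensicFocus today"            # substring, not a whole word
    + b"\x00" * 8
    + b"notes: forensic report pending"       # different letter case
    + b"\x00" * 8
    + "Forensic".encode("utf-16-le")          # Unicode, as many apps store text
    + b"\x00" * 16
)

# Each named configuration is one "search" the examiner could list in a report.
SEARCHES = {
    "ascii, whole word, case-sensitive": dict(whole_word=True),
    "ascii, substring, case-sensitive": dict(),
    "ascii, substring, case-insensitive": dict(ignore_case=True),
    "utf-16le, substring, case-sensitive": dict(encoding="utf-16-le"),
}

def search(image, term, *, whole_word=False, ignore_case=False, encoding="ascii"):
    """Return the byte offsets at which one search configuration hits."""
    needle = re.escape(term.encode(encoding))
    if whole_word:  # reject hits glued to other letters/digits, e.g. ForensicFocus
        needle = rb"(?<![A-Za-z0-9])" + needle + rb"(?![A-Za-z0-9])"
    flags = re.IGNORECASE if ignore_case else 0
    return [m.start() for m in re.finditer(needle, image, flags)]

def run_searches(image, term):
    """Run every configuration so the report can name each one explicitly."""
    return {name: search(image, term, **opts) for name, opts in SEARCHES.items()}

def finding_statement(term, results, tool="the search script"):
    """Word the result the way the column recommends: say which searches were
    run with which tool, rather than asserting the term 'is not present'."""
    misses = [name for name, hits in results.items() if not hits]
    found = [f"{name} at offsets {hits}" for name, hits in results.items() if hits]
    parts = []
    if misses:
        parts.append(f"The searches ({'; '.join(misses)}) performed using {tool} "
                     f"did not find any occurrence of '{term}'.")
    if found:
        parts.append(f"Other searches did find it: {'; '.join(found)}.")
    return " ".join(parts)

if __name__ == "__main__":
    print(finding_statement("Forensic", run_searches(IMAGE, "Forensic")))
```

The whole-word, case-sensitive ASCII search returns nothing even though the term is on the image three times, which is exactly the negative finding the column warns against reporting as “no occurrence”.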

There is nothing to see here, please move on!

Two things I personally consider before starting any statement: 1) there are people smarter and more knowledgeable than me, and 2) very few things are impossible – we just don’t know how to figure them out yet. I then start writing…

After that, my advice is to review the meaning and ensure the assertions you make (or those present in your report templates) are not open to misinterpretation.

So, the next time you are asked to consider if a device contains anything of evidential value and your examination fails to uncover anything of interest, would you really write “Nothing of evidential value was present on this device” in your report?


Sam Raincock Consultancy operates throughout the UK and Ireland providing IT and telecommunications expert witness services, training and IT security consultancy.

Sam specialises in the evaluation of digital evidence, from the analysis of telephones to determining the functionality of software systems (and almost anything in between). She also provides overview assessments of cases, considering different sources of evidence in the context of a whole incident to highlight inconsistencies, particularly those arising from digital devices. Sam can be contacted directly on +44 (0)1429 820131, sam@raincock.co.uk or http://www.raincock.co.uk.
