
Thread: Can computers survive cross-examination?

  1. #1
    Senior Member
    Join Date
    Mar 2004
    Posts
    510

    Can computers survive cross-examination?

    http://news.zdnet.com/2100-1009_22-5...=zdfd.newsfeed

    First, are the files recovered from the computer to be considered original or hearsay? The point is an important one because, other than in special circumstances, hearsay evidence is generally considered to be inadmissible in criminal courts. Consider the computer as a "witness" of some kind. The contents of the various files--such as e-mails, documents and the like--consist of things which, in some sense, the computer has 'heard' the user say to it; and which, again in some sense, the computer has accurately remembered. Textual content of files must therefore be considered a form of documentary hearsay. In contrast, the time stamps, log file entries and other material produced by the computer as a result of its normal operation--programs acting without user intervention--might be considered as having been "witnessed" by the computer directly: these might be considered as original documentary evidence.
    So the question is, can there be proof beyond a reasonable doubt that all the 1's and 0's came off the computer and into court exactly as they were on the computer? You would think so, but I think a lot of stuff would get very muddled by the lawyers, especially in jury cases.
    "You got a mouth like an outboard motor..all the time putt putt putt" - Foghorn Leghorn

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    This is why computer forensics are such fun. It's why you pull the cable not turn off the computer. Then you secure the drive in an accepted evidentiary way. Then you ghost the drive twice, make MD5 and SHA1 or 2 hashes of the drive and secure the first copy. Then you run MD5/SHA1/2 hashes of the copies and show that they are exact copies of the original drive. Now you can go to work because you have shown that you have exactly what was on the drive when the power was killed.

    Before some bright spark jumps up and points out that the MD5 hash has been proven flawed - the "flaw" is that it has been _mathematically_ proven that a 1024 byte file could cause an MD5 collision. However, no-one yet knows the original form of the file nor the transformed version of the file that causes the collision. The simple fact is that while many in the forensics community are talking about leaving MD5 in preference of SHA1/2 they all agree that the courts do see the MD5 hash as a viable and trustable method of "fingerprinting" the evidence....

    As to the computer being a "witness", the concept is silly to start with. No-one doubts the evidence provided by the voice recordings produced in a wire tap. Why should they be concerned about the evidence held on a computer? In the voice capture we have never called the telephone the person was using a "witness".

    As to the timestamps etc. that take place without user intervention... How stupid is that? It is the very act of the user creating a file that kicks into action the timestamp... If the user doesn't create the file for another three seconds the timestamp will be different.

    Lastly, what would be the point of computers if they altered the users' input? Imagine how pissed Tolstoy would have been if he wrote War and Peace on his shiny new laptop only to find, when he proofreads it, he's just written The Cat in the Hat.....

    This is a specious argument probably spawned for someone trying to get some damning computer evidence thrown out of a court of law.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
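The acquisition check Tiger Shark describes above (hash the original and every copy, then show the digests agree), as an added example that is not part of the original post: it hashes each image once with both MD5 and SHA-256 (standing in for "SHA1/2"), reports which algorithms disagree per copy, and is run on constructed sample images in a temporary directory rather than real drives.

```python
import hashlib
import os
import tempfile

# Added example (not from the thread): the dual-hash acquisition check Tiger
# Shark describes, run on constructed sample images rather than real drives.
CHUNK = 1 << 20  # hash in 1 MiB pieces so a large image never sits in memory


def hash_image(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at path, read in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copies(original, copies):
    """Return (all_match, report); report maps each copy to the algorithms
    whose digest differs from the original (an empty list means bit-for-bit)."""
    reference = hash_image(original)
    report = {}
    for copy in copies:
        digests = hash_image(copy)
        report[copy] = [a for a in reference if digests[a] != reference[a]]
    return all(not bad for bad in report.values()), report


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed sample: one 'drive', two exact copies, and one copy with a
    single flipped byte. Returns (copies_ok, tampered_ok, tampered_report)."""
    image = bytes(range(256)) * 4096  # 1 MiB of deterministic sample data
    with tempfile.TemporaryDirectory() as d:
        orig, c1, c2, bad = (os.path.join(d, n) for n in ("orig", "c1", "c2", "bad"))
        _write(orig, image)
        _write(c1, image)
        _write(c2, image)
        _write(bad, image[:-1] + bytes([image[-1] ^ 0x01]))
        copies_ok, _ = verify_copies(orig, [c1, c2])
        tampered_ok, report = verify_copies(orig, [c1, bad])
    return copies_ok, tampered_ok, report
```

Record the reference digests before the first copy leaves your hands; a later mismatch on either algorithm is the signal to stop and re-image rather than proceed.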

  3. #3
    Senior Member
    Join Date
    Feb 2002
    Posts
    500
    Originally posted here by Tiger Shark

    As to the computer being a "witness" the concept is silly to start with. No-one doubt's the evidence provided by the voice recordings produced in a wire tap. Why should they be concerned about the evidence held on a computer. In the voice capture we have never called the telephone the person was using a "witness".
    The concern IMO is not that the evidence is accurate, but that you cannot distinguish who was at the keyboard (or remotely controlling the machine). With a wire tap, you hear a voice, which can be linked to a person. The evidence from a computer is useless; anything and everything can happen on a computer, therefore you cannot prove anything beyond a reasonable doubt. Any lawyer worth a damn will get all computer evidence thrown out or ignored by a jury.
    Ron Paul: Hope for America
    http://www.ronpaul2008.com/

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    but that you can not distinguish who was at the keyboard
    In an investigation where it is critical to prove that a given person was using the computer at the time certain things occurred, there are plenty of ways to determine that and they will be used - up to and including breaking the door in while he sits there.

    The vast majority of the evidence gleaned from computers and used in a court is used as corroborating evidence to the crime rather than the primary evidence upon which the entire case rests.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Tiger~

    As to the timestamps etc. that take place without user intervention... How stupid is that? It is the very act of the user creating a file that kicks into action the timestamp... If the user doesn't create the file for another three seconds the timestamp will be different.
    I have a problem with that one, in that I have seen some pretty weird times and dates on machines with a CMOS battery that is flat or on the way out. I seem to recall that there was an option in scandisk to make the date "sensible" from a systems stability viewpoint, to get round corruption problems?

    Anyway, all you would have to do is go into control panel and change the system clock?

    And I have a nice little tool to change file dates and times to whatever you want (for sale to the highest bidding law enforcement agency) ACK Phtt! I forgot, it was freeware and I would not want to violate the EULA

    I will go with your "corroborating evidence" argument, particularly if it is supported by evidence from disinterested third parties such as ISPs.

    We had an interesting case up here recently involving a council official, who appeared to have been downloading kiddie pr0n. It was only secure remote logs that got him off the hook, but it cost him his job in the meantime. Fortunately not my local council or police authority, or I would be paying for their incompetence in my local taxes.


  6. #6
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    Hmmm, the guy that wrote that article even sounds like a professor...dry, boring and never reaching a point..I guess that's why his article is on zdnet and not a real website... Maybe he was the expert witness in the case of the 'Trojan Defense'

    Anyways to answer the original question, yes it's routine to verify the data you are presenting in court is the exact same data that was on the original disk. That's what hashing is all about, a means of verification that a==b.
    The trick is for the lawyers to be smart enough to trap the so called "expert". They try to trick the expert just like in any other court case..getting them to dispute their findings. Or they try to call into account that the expert isn't such an expert after all. They'll force the expert to explain how hashing works and call their methods into question. And if the expert botches that part of the cross, then you can pretty much kiss the case goodbye. You don't have chain of custody? Kiss the case goodbye.

    Timestamps are a nice way to correlate data, but at the same time..timestamps are so volatile. You can pre/postdate a file in a number of ways(man utime) and it's trivial. However there are ways to detect this..such as inode discrepancies..which is why you have to have a firm understanding of how the filesystem creates the files..and no it's not random.

    The key is tying the person to the file(s)/activity at the time in question. If your findings and the lawyer can't do that then game over.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust
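hogfly's point above that a file's dates can be set with utime but that the filesystem leaves traces, as an added example that is not part of the original post: on a POSIX filesystem utime() moves atime and mtime, but the kernel sets ctime (inode change time) to the current time itself, so an mtime far older than its ctime is a lead worth explaining. The file names, the one-year offset and the 60-second slack are assumptions constructed for the demonstration.

```python
import os
import tempfile
import time

# Added example (not from the thread): a check for files whose modification
# time has been set backwards. Assumes a POSIX filesystem, where utime() can
# set atime/mtime but the kernel writes ctime itself as the current time.
YEAR = 365 * 24 * 3600


def backdated(path, slack=60):
    """Return True when mtime is more than `slack` seconds older than ctime.

    A normal write updates mtime and ctime together; content that claims to be
    old while its inode changed recently is the pattern utime() leaves behind.
    chmod/chown/rename also bump ctime, so treat a hit as a lead, not proof.
    """
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > slack


def demo():
    """Constructed sample: one freshly written file and one whose mtime was
    pushed back a year with os.utime. Returns (fresh_flagged, old_flagged)."""
    with tempfile.TemporaryDirectory() as d:
        fresh = os.path.join(d, "fresh.txt")
        old = os.path.join(d, "backdated.txt")
        for p in (fresh, old):
            with open(p, "w") as fh:
                fh.write("constructed sample content\n")
        then = time.time() - YEAR
        os.utime(old, (then, then))  # atime/mtime move; ctime stays 'now'
        return backdated(fresh), backdated(old)
```

On Windows st_ctime is the creation time, not the inode change time, so the comparison above does not carry over there.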

  7. #7
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    God this stuff pisses me off. I haven't even read the article, so I'm just gonna spout for a bit, sputter out, then go to bed with a Coke and 7.

    Computer as a witness? Someone get my ****ing gun...the genepool needs cleansing.

    Hearsay? **** the gun, I'll use my bare hands. Who the **** hired this dipshit to write such tripe? Computer forensics and evidentiary criminal proceedings have been through the wringer so many times there are literally volumes of information dedicated to the subject. All of these questions have been asked, challenged, and ruled on already. Who the **** IS this guy? It's like pondering if Newton really had a magnetic vegetative aura instead of being lucky enough to sleep under a ripe apple whilst thinking gravitic thoughts.

    BLARGH!!!!

    </rant> G'night folks.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  8. #8
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Zencoder, I will take some small issue with you there. You are quite right, as is hogfly; it all seems a bit "passe" and academic, does it not?

    My take is that this is an international issue, that needs sorting?.................say you have a situation that has been ruled on several times in the USA but (say) it has not been where I am living, so is not (yet) considered a crime, or an acceptable forensic, even if the activity is a crime............your chances of an extradition order are somewhere between zero and F*** all?

    The internet is international, so we need international standards for forensics?

    Hey, DNA and fingerprints are internationally accepted? that is my point

    OH! what is a "7"?

    Cheers

  9. #9
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    "7" = Seagram's 7 if I am not mistaken. One of my fav. drinks too. lol
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  10. #10
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Ah! as in "seven star".............the top of the range?

    /me tends towards straight malts

    Highland Park, The Macallan, Talisker, Laphroaig,.................and other such dental mouthwashes
