Expert Witness & Digital Forensic Services

Site Contents: © Peter Sommer, 2015 Not to be reproduced without permission

PO Box 6447  London N4 4RX UK

The following are common defences raised when unfortunate or offending material is found on a computer or other device.  All of them, depending on the circumstances, have some merit - it is the task of the digital forensics specialist to see how far each can be supported or refuted:

“Not my fingers on the keyboard” at the relevant time.  Computers in well-run large organisations tend to sit behind carefully administered access control systems with frequent mandatory password changes and/or the use of tokens or biometrics.  Account abuse in these circumstances usually occurs only where the user has shared their password or token or been very careless, or because of a corrupt system administrator.  Personal computers shared domestically or in a small office, by contrast, have much weaker security or none at all.  Here, proof of who was on the keyboard may have to rest on building a detailed chronology of activity on the computer (file timestamps, log entries, browser history and the like) and drawing inferences from that.

“Identity theft” / password compromise can occur in a variety of circumstances - carelessness and password sharing as above, but also as a consequence of giving away information in a “phishing” exercise.  More rarely, keystroke loggers, which capture all keyboard activity, may have been used.  Hardware keystroke loggers can be discovered by physical examination; software ones by looking for traces on the disk.

Pop-up windows are tendered as an excuse where someone has been accused of accessing illegal material.  The pop-up window is a feature of web design with legitimate uses: providing contextual information additional to that in the main window, and advertising.  Sometimes website owners sell pop-up advertising to third parties, and what is then received is neither sought nor expected by the computer owner.  Whether this happened can be established by examining the HTML and JavaScript of the pages involved and the timings of the “unwanted” pages relative to the pages that spawned them.
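The chronology-and-timing test described in the two paragraphs above can be scripted. What follows is an added example and not a tool from this site: it takes a constructed set of browser history rows (time, URL, referrer) and a constructed cached copy of the referring page, builds a chronology, and labels a visit “popup” only when it arrived within a few seconds of its referrer, on a different host, and the referrer's cached HTML contains a window.open() naming that exact URL. The sample data, the three-second threshold and the reliance on window.open() are assumptions; real history databases and pop-up mechanisms vary.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample of browser history rows: (ISO time, URL, referrer). Not real data.
HISTORY = [
    ("2015-03-02T20:14:05", "http://news.example.com/story/42", ""),
    ("2015-03-02T20:14:06", "http://ads.example.net/promo?id=9", "http://news.example.com/story/42"),
    ("2015-03-02T20:19:30", "http://news.example.com/story/43", "http://news.example.com/story/42"),
    ("2015-03-02T20:31:12", "http://shop.example.org/cart", ""),
]

# Constructed sample of a cached page, as an examiner might recover it from the browser cache.
CACHED_HTML = {
    "http://news.example.com/story/42": """
<html><body><p>Story text</p>
<script>window.open('http://ads.example.net/promo?id=9', '_blank');</script>
</body></html>""",
}

# Assumption: pop-ups of interest are opened by a literal window.open('...') call.
POPUP_CALL = re.compile(r"window\.open\s*\(\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)


def chronology(rows):
    """Return the history rows in time order as (datetime, url, referrer)."""
    parsed = [(datetime.fromisoformat(t), url, ref) for t, url, ref in rows]
    return sorted(parsed, key=lambda row: row[0])


def popup_targets(html):
    """URLs named in window.open() calls found in a cached page."""
    return set(POPUP_CALL.findall(html))


def classify(rows, cached, max_gap=timedelta(seconds=3)):
    """Label each visit 'popup' when it followed its referrer within max_gap,
    sits on a different host, and the referrer's cached HTML opens that URL
    by script; every other visit is labelled 'navigation'."""
    timeline = chronology(rows)
    times_by_url = {}
    for ts, url, _ in timeline:
        times_by_url.setdefault(url, []).append(ts)

    results = []
    for ts, url, ref in timeline:
        label = "navigation"
        if ref:
            earlier = [t for t in times_by_url.get(ref, []) if t <= ts]
            host_differs = urlparse(url).netloc != urlparse(ref).netloc
            scripted = url in popup_targets(cached.get(ref, ""))
            if earlier and ts - max(earlier) <= max_gap and host_differs and scripted:
                label = "popup"
        results.append((ts.isoformat(), url, label))
    return results


if __name__ == "__main__":
    for ts, url, label in classify(HISTORY, CACHED_HTML):
        print(ts, label.ljust(10), url)
```

A “popup” label is evidence consistent with the defence, not proof of it: the examiner would still look at what the chronology shows next, since a page that was closed within seconds reads very differently from one followed by further requests to the same site.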

Web browser hijack is another excuse tendered where someone has been accused of accessing illegal material.  There are rogue programs which change the “home” page or search settings of a web browser so that it fetches sites the user never asked for.  This can be tested for by forensic examination.

Viruses are common and can cause systems to run slowly, crash, or suffer various other kinds of compromise.  They do not normally result in illegal material arriving on a computer.  Forensic technicians have techniques for running virus scanners (several different products if need be) over the deleted areas of a disk as well as the files in use.  If a virus was present, one would normally expect to find a trace.

Trojans.  A trojan is a program which allows remote control of a computer.  Trojans can be used to examine a computer from afar, to steal information including passwords, to make the computer download illegal material, and to send out information and instructions in the name of the legitimate owner.  When many trojanised computers are made to operate together they are known as a botnet.  Trojans leave traces on computers which can be scanned for in the same way as viruses.  In addition, a trojanised computer (or, better, a copy of its disk) can be started in a safe, isolated environment and examined to see whether it has any unexpected ports open through which traffic could flow.
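The “unexpected ports open” check in the paragraph above comes down to comparing what the booted system is listening on against what a clean build of the same system should be listening on. The example below is added here and is not a tool from this site: it parses a constructed netstat -ano style listing (Windows format, with PIDs), compares each listener against a hypothetical baseline of expected (protocol, port) pairs, and, for every listener not in the baseline, reports the owning PID together with any established connection held by the same PID. The listing, the baseline and the PIDs are all made up; a real baseline would be taken from a known-good machine of the same build.

```python
# Constructed sample in the layout of `netstat -ano` on Windows. Not real data;
# addresses are from the RFC 5737 documentation ranges.
LISTING = """\
Proto  Local Address          Foreign Address        State           PID
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       760
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1020
TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       2284
TCP    192.0.2.10:49210       198.51.100.7:6667      ESTABLISHED     2284
UDP    0.0.0.0:123            *:*                                    1304
"""

# Hypothetical baseline: the (protocol, port) listeners expected on this build.
BASELINE = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("UDP", 123)}


def parse_listing(text):
    """Turn netstat -ano rows into dicts. UDP rows carry no State column,
    so the state is read positionally only for TCP."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header line or blank
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""
        pid = int(parts[-1])
        host, port = local.rsplit(":", 1)  # rsplit copes with IPv6 forms such as [::]:135
        rows.append({"proto": proto, "host": host, "port": int(port),
                     "foreign": foreign, "state": state, "pid": pid})
    return rows


def unexpected_listeners(rows, baseline):
    """Listeners absent from the baseline, each with its PID and the remote
    endpoints of any ESTABLISHED connection owned by that same PID; a
    listener that is also talking outward is the first thing to pursue
    as a possible remote-control channel."""
    peers_by_pid = {}
    for r in rows:
        if r["state"] == "ESTABLISHED":
            peers_by_pid.setdefault(r["pid"], []).append(r["foreign"])

    findings = []
    for r in rows:
        listening = r["state"] == "LISTENING" or r["proto"] == "UDP"
        if listening and (r["proto"], r["port"]) not in baseline:
            findings.append({"proto": r["proto"], "port": r["port"], "pid": r["pid"],
                             "peers": peers_by_pid.get(r["pid"], [])})
    return findings


if __name__ == "__main__":
    for f in unexpected_listeners(parse_listing(LISTING), BASELINE):
        print(f"{f['proto']} port {f['port']} held by PID {f['pid']}, peers: {f['peers']}")
```

Two caveats a practitioner would add: run this against a booted copy of the imaged disk, never the original, since starting the machine alters it; and treat “unexpected” strictly as “not in the baseline”, so the result is only as good as the known-good build the baseline came from.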

Inherent software fault.  Computer bugs are common, particularly in very new and very old systems.  But most computer failures result in systems crashing and failing to work, or producing obviously “nonsense” results.  They seldom produce results which seem plausible but are to the disadvantage of an accused.  Careful examination of a system said to have produced such a result, together with its service history, normally gives an answer one way or the other.

Database and accounts faults.  Similar considerations apply to faults said to reside within databases and in the transaction records of accounts systems.  The most common reason for a plausible but misleading result is that the original data input was faulty or had been compromised.