Future of Forensic 4cast
August 18, 2010 by Lee Whitfield
Filed under Uncategorized
Dear all,
We had our first live show this last weekend (audio podcast will be posted soon). It seems to have been very well received by all who watched. I would love nothing more than to conduct live 4cast shows every two weeks but we have some minor drawbacks.
1) Video quality sux. There is no getting around this. It was blocky and barely watchable. More bandwidth is necessary. I would also like to have guests on cam too.
2) I tried, and failed, to get something set up whereby we could have live callers. My current equipment is somewhat limited (i.e. I have none) and investment in this area is looking more necessary with each passing week.
My current setup is amateur, at best (some may even say “What? You call that a setup?”). I want to make 4cast a lot more professional looking but, in order to do this I would need to upgrade my internet connection (recurring cost) and try to find some more adequate equipment (one-off cost). In order to facilitate this I am going to sell my soul and find some sponsorship. You may say “You’re already sponsored by Digital Forensic Magazine”, well, in short that is an agreement that we have in place but no money trades hands.
What I plan on offering is “on-screen” advertisements, and a spoken advert during the show. We can also offer limited advertising on the website.
If you know of anyone who would be looking to reach over 1000 digital forensic investigators each month with their message please let me know.
Also don’t forget that we are still taking donations. If you have some spare cash and would like to contribute please feel free to live a little and send us some money. Ideally this would have been the way to do things but the donations don’t cover all the costs and allow us to grow how we want.
Please get in touch if you can help!
Forensic 4cast Live – Rerun
August 15, 2010 by Lee Whitfield
Filed under News
We did it! The first live broadcast of Forensic 4cast went out earlier today. In case you missed it (whether by accident or by design) you can watch it below. If you’ve already seen it once and want to watch it again I have the number of a really good therapist…
Watch live video from Forensic 4cast on Justin.tv
Forensic 4cast Chat Room
August 14, 2010 by Lee Whitfield
Filed under News
When I announced the live episode of 4cast a couple of people asked if we were going to have a chat room/IRC channel.
I’m happy to say that we now have that set up. For you geeky types (which is pretty much everyone) the IRC channel can be reached by using the following settings in your favourite IRC client.
Chat Room
IRC Server: Lifeline.WyldRyde.org
Port: 6667
Channel: #f4c
If you prefer things to be a little more simple you can get there by following this link http://www.forensic4cast.com/chat.html
All of these details have also been provided on the static page http://www.forensic4cast.com/live/
Forensic 4cast – Live
August 13, 2010 by Lee Whitfield
Filed under News
Last episode we had a first for our little podcast, we had our first female on the show. We struck a blow for chauvinism worldwide… well… maybe not, but it was good to have Cindy on the show. She was awesome and is welcome back anytime.
This coming Sunday (August 15) we’re going to have another first. Episode 33 will be broadcast live.
In order to make this a success we will need a lot of interaction. We currently have Jesse Kornblum and Mark McKinnon lined up as guests so if you want to ask them a question or comment on anything we discuss you can do so in a couple of ways. First you can participate via Skype. Sadly Skype isn’t particularly great at adding calls to current conversations so we’ll have to work backwards meaning that I’ll have to call you on Skype. If you want to participate you can let me know during the show by sending a message on Twitter, emailing, commenting on our Facebook group or page, or by some other means. PLEASE DO NOT SKYPE ME as this will interrupt the broadcast.
Second, I have found a hashtag that we can use on Twitter #f4c. Anything posted with this hashtag will be scrolled along the bottom of the screen during the broadcast. You can use this to ask questions, comment, or just poke fun at me.
You can watch or listen to the live broadcast at http://forensic4cast.com/live/ or http://justin.tv/schizophreud
We have our own chat room set up at http://forensic4cast.com/chat.html Just enter a username and you’re good to go (no password needed).
The broadcast will begin at 8pm BST, 3pm Eastern, 12pm Pacific. Hope to see you then!
How to do the Worst Job Possible
August 8, 2010 by Lee Whitfield
Filed under Methodologies & Best Practices
Occasionally we all see forensic reports that are as close to perfect as they could be, where procedures and presentation are clear and concise and where the author has conducted research relevant to the investigation. Sadly this isn’t one of those instances…
This is a real report prepared by a real defence ‘expert’. Any references to those involved have been changed.
Sadly I can’t take the credit for finding this gem. The folks at Cranfield University know its origin and share it with their students as a very very bad example. I’d love to hear your thoughts on the report. I’ve also included a pdf of the report at the following location http://www.forensic4cast.com/wp-content/uploads/2010/08/report.pdf
REPORT
1.1 My Qualifications
I am Alfie Moon, MBCS. I work as a Director for The Queen Victoria PH plc, an IT business Management Consultancy. I have worked for The Queen Victoria PH since 1997 and prior to that I was a Director of Angie’s Den. As a consultant my primary fields of activity are project and organisational effectiveness reviews, in a variety of technical environments and the production of expert reports under Civil Procedure Rules. I am a member of the British Computer Society.
I have worked full-time in the IT industry since 1963. Over this period I have been a programmer, designer, analyst, team leader, project manager and line manager responsible for several hundred staff. I have always, professionally and personally, been an advocate for, and a user of, the PC and internet environment. I have written code, reviewed organisational intra/internets and developed web sites.
1.2 The Charges
I have taken the charges from the Indictment and have addressed the 18 counts individually in the section on findings. Note that these charges all address the possession of indecent photographs of children, not of making them. I have not addressed the issue of whether such photographs were made by Dennis Watts.
1.3 Questions addressed
I was given the following instructions and have responded as indicated in italics
- Nothing that the prosecution expert computer witness asserts in his witness statement should be taken at face value. *The evidence presented by Grant Mitchell and DC Phil Mitchell has been reviewed and verified by examination of the floppy disks and computer hard disk.*
- Nothing that Dennis Watts says in his police interview should be taken at face value. *Noted*
- The Defence needs to know whether the images or traces of images of child pornography are actually on the hard disk in Mr Watts’s computer. *Internet cache on the hard disk was reviewed; deleted files were recovered where possible and also reviewed.*
- Mr Watts cannot remember the dates and times at which he was at home. *Noted*
- What dates and times were the child pornographic images downloaded from various websites on the internet by Mr Watts’s computer? *Addressed in findings*
- Can it be confirmed whether or not Mr Watts’s computer was used to download child pornographic images onto floppy disks? *Addressed in findings*
1.4 Evidence provided
On the 13th May 2002 I was provided with:
- the Indictment on 18 counts.
- Statements / Evidence from
- Dennis Watts, draft and final
- Pauline Fowler
- Ian Beale
- Katherine Slater
- Dorothy Cotton
- Phil Mitchell
- Grant Mitchell
On 17th May 2002 I was provided with:
- PF/1, four floppy disks and KS/1 Time Computer Tower
2. METHOD
2.1 Unsolicited email
Dennis Watts admits to providing his address to an unspecified number of pornographic web sites. In this circumstance I believe that he had no control over the material that might be sent to him, whether it is soft porn, hard porn or child pornography.
I tested this assumption by setting up a free Hotmail account (the web mail service used by Dennis Watts), surfing for porn sites and providing my Hotmail address to the first site that requested it. I received about 5 unsolicited emails, over a 3-day period, as a result.
2.2 Computer
I received the computer for examination on Friday 17th May 2002. It appears to be a standard Windows 98 machine using Internet Explorer for internet access through Orange Net. I have not used it to connect to the internet.
- There is no password protection in place. This is normal domestic behaviour but it does mean that the full range of facilities provided can be used by a casual user.
- The date and time were incorrect. Specifically the date was 16th April 2002, the time about 05.00. Thus the machine was running about one month, one day and 12 hours slow. I corrected the date and time using normal Windows facilities. I note that the evidence of DC Phil Mitchell of 13th November 2001 states that on initial examination of the computer the date was correct, the time nearly so. I conclude that the machine had been without power for some time.
I installed an undelete facility on the computer to allow me to examine any files that had been deleted by the user. The facility usually allows deleted files to be recovered and viewed. Where the defragmenter utility had been run (to make disk access more efficient or to hide deleted files) this utility is unable to recover deleted files. Note however that the defragmentation process is not selective. It can only be applied to a complete disk.
I undeleted all files possible, 2486 files. The earliest was dated 05/08/93, the latest, prior to my intervention was dated 10/07/01. Prior to that the latest dated 24/06/01. There were no deleted files dated 14/06/01.
I also created a set of folders on the hard drive to contain the floppy disk contents and working images from the internet cache and deleted files.
Once this report was completed I defragmented the hard drive to verify that all the deleted files had in fact been deleted, uninstalled the undelete utility and deleted the hard drive folders that I had previously set up.
2.3 Floppy disks
I received cloned copies of the four disks with the computer. I copied the contents to temporary folders on the hard drive for speed of access and ran the undelete utility on the disks themselves. No deleted files were found on any of the four disks.
2.4 Internet Cache
The internet cache is a key issue in internet access and it is worth describing the role it fulfils. All internet files (formatting, text or images) are, in the first instance, received from the internet into the cache, and this process is not under user control. Where pages are requested from the internet the browser (Internet Explorer in this instance) will, in the interests of speed, first attempt to find the file in the cache. If it cannot be found it will access the file from the internet. As the cache fills up the space occupied by the oldest files will be reused.
While there are exceptions to this general rule (some pages can force the browser to access the internet for a more up to date version), the cache is essentially a good record of internet access activity. If the user elects to save files then the saving process will copy the files from the cache to the selected location. The original will remain in the cache.
3. Findings
All photographs in the charges are stated to have been in Watts’s possession on 18th June 2001. Findings on them are given individually in the table below.
| Item | Photograph from Charges | Prosecution evidence | Location | Origin | Last Accessed |
|---|---|---|---|---|---|
| 1 | 0023.jpg (evidence states 00223.jpg. I have taken the name on the charge to be a mis-type) | Page 3 of PM | Exists on disk 2/lollypop1. Not in internet cache. Not in deleted files | PM page 3 states attached to incoming email from ‘Noddy’ | PM page 3 states email on 5.6.2001 00:47:41 |
| 2 | 000.jpg | As above | Exists on disk 2/lollypop1. Not in internet cache. Not in deleted files | As above | As above |
| 3 | 0010.jpg | As above | Exists on disk 2/lollypop1. Not in internet cache. Not in deleted files | As above | As above |
| 4 | 0000.jpg | As above | Exists on disk 2/lollypop1. Not in internet cache. Not in deleted files | As above | As above |
| 5 | 0005.jpg | As above | Exists on disk 2/lollypop1. Not in internet cache. Not in deleted files | As above | As above |
| 6 | 0147.jpg | Page 3 of PM | Exists on disk 2/lollypop2. Not in internet cache. Not in deleted files | PM page 3 states attached to incoming email from ‘Noddy’ | Email on 5.6.2001 00:59:12 |
| 7 | 0198.jpg | As above | Exists on disk 2/lollypop2. Not in internet cache. Not in deleted files | As above | As above |
| 8 | 0156.jpg | As above | Exists on disk 2/lollypop2. Not in internet cache. Not in deleted files | As above | As above |
| 9 | 0177.jpg | As above | Exists on disk 2/lollypop2. Not in internet cache. Not in deleted files | As above | As above |
| 10 | 014.jpg | As above | Exists on disk 2/lollypop2. Not in internet cache. Not in deleted files | As above | As above |
| 11 | 12.jpg | Page 3 of PM | Exists on disk 2/lollipop3. 8 variants of 12.jpg exist in the internet cache, none are this image. 9 variants of 12.jpg exist in the internet cache, none are this image | PM page 3 states that this is attached to incoming mail from ‘Popeye’ | Email on 6.6.2001 12:31:24 |
| 12 | 080.jpg (There is no 080.jpg on the floppy disks but there is an aa080.jpg in the PF/1 listing) | PF/1 listing | Disk3/04. Not in internet cache. Not in deleted files | | Created 9.6.01. Accessed 26.6.01 |
| 13 | 0704.jpg | PF/1 listing | Disk 3. Not in internet cache. Not in deleted files | | Created 14.6.01. Accessed 14.6.01 |
| 14 | 2veryyoung.jpg | PF/1 listing | Disk 3. Not in internet cache. Not in deleted files | | Created 3.6.01. Accessed 6.6.01 |
| 15 | 21.jpg | PF/1 listing | Disk 4. Not in internet cache. Not in deleted files | Yippee Holland | Created 8.6.01. Accessed 11.6.01 |
| 16 | 10.htm (Note that this is an .htm file and therefore not a photograph. It references YU107213910270 (a photograph on disk 4 though not one of the photographs above) as one book may reference another, but it is not a photograph.) | N/a | N/a | N/a | N/a |
| 17 | 13.htm (Note that this is an .htm file and therefore not a photograph. It references hayley13 (a photograph on disk 4 though not one of the photographs above) as one book may reference another, but it is not a photograph.) | N/a | N/a | N/a | N/a |
| 18 | 8.htm (Note that this is an .htm file and therefore not a photograph. It references 08 (a photograph on disk 4 though not one of the photographs above) as one book may reference another, but it is not a photograph.) | N/a | N/a | N/a | N/a |
3.1 Conclusions
There are 18 ‘photographs’ defined in the table above, all located on floppy disks, of which the first 15 are actually photographs. I propose to ignore items 16-18, the .htm files for the reasons given above.
While the computer has clearly been used to surf the net for pornographic sites, some of which deal with incest and child pornography, to interact with internet chat rooms and receive emailed images it should be stressed that, according to my examination, none of the images on the floppy disks that are presented in the charges can be found on the computer hard drive, whether in the internet cache, in deleted files or elsewhere.
3.1.1 Emailed Items
Items 1 to 5 above were received, according to the prosecution evidence with which I have no reason to disagree, in a single email on the 5th June. Dennis Watts admits to having given his email address to an unspecified number of pornography web sites or chat rooms and, in this circumstance, he had no control on what might have been sent to him as a result. It seems to me that, while he had advertised his willingness to receive pornographic mail, he had not advertised a specific interest in child pornography.
The same observation holds for items 6 to 10 and item 11 above for emails received on the 5th and 6th June.
3.1.2 Were images viewed?
A general question arises on whether Dennis Watts actually viewed any images sent to him. He states that he always loaded pornographic images to his A drive (the floppy disk) for review later. Hotmail was developed for the US market where local calls to internet numbers tend to be free. This is not the case in the UK and Hotmail users here do develop behaviour to limit the cost of telephone calls. While Hotmail will generally open (and therefore present images to the user) any attachments in emails (photographs in this case) it is not invariably so. While my own equipment will do so I have friends who are not able to. It depends on a number of circumstances which can exist in complex combinations:
- The format in which the sender has sent the mail.
- The capability of the receiving computer
- The extent to which the user is ‘computer literate’
- Whether Hotmail itself has been modified, e.g. by the user changing security settings, to accept attachments
My view is that it cannot be proven that Dennis Watts would invariably view any email attachment sent to him before he saved it to a floppy disk.
3.1.3 Items 12 to 14
As noted in the table above I can find no evidence that these images exist on the computer hard drive in either the internet cache or as deleted files.
3.1.4 Item 15
As noted in the table above I can find no evidence that this image exists on the computer hard drive in either the internet cache or as deleted files.
This image appears to be from a Yippee site in Holland. I note that, in Dennis Watts’s witness statement, the police view that he would have needed a password to access this. It seems to me that Yippee is freely available in any language, if he were sent a hyperlink to such a site (as ‘here’s an interesting site, look at it’) then clicking on the hyperlink would have yielded the image. I have accessed the Yippee site directly; though it was empty it appeared to be available for access. I find it unlikely that access to images in this way would be possible without viewing the image.
3.1.5 Were the images on the floppy disk from the computer?
Dennis Watts does not claim that the floppy disks were given to him. It would be possible for someone else to ‘fake’ the floppy disk contents but this would require time (to access the appropriate files using another computer, then to transfer them to a floppy disk) and the technical ability (changing the clock on the computer used to ‘fake’ the disk to give the desired time and date). Such a process would not need to make use of Dennis Watts’s computer. As noted the computer is not protected (i.e. it does not require a user name and password to function).
It should be noted that (unless ‘faking’ was involved) all images written to the floppies would pass via the internet cache on the computer. It is possible, using utilities freely available to Dennis Watts, to delete the content of the internet cache, or to be more complex, to rename them such that they appear to be something completely different.
On balance, if files exist on the floppy disks and also on the hard drive, it can be reasonably assumed that they are the same. The corollary, that if they exist on the floppies but not on the hard drive, leads to the conclusion that:
- The contents of the floppies have been faked, or
- The contents of the hard drive have been modified
If the contents of the hard drive had been modified by deletion, this should have been visible in the contents of the deleted files.
I believe that the case for ‘faking’ the contents of the floppy disks is supported by the following set of observations:
- Disk 3 contains a number of folders but, in the root segment, are 7 images of children, 3 of one child, 4 of a second child. One image of the second child (0704.jpg) is presented in the charges
- These 7 images on disk 3 all have a modification date (i.e. the date on which they were saved to the floppy disk) of 14/06/01, timed between 10.08 and 10:45
- There is no activity identified (access to the internet or otherwise, or in the deleted files) on the computer hard drive for the date of 14/06/01 other than a game of minesweeper which is timed at 17.33.
SCHEDULE SHOWING WHICH IMAGES CAME FROM WHICH FLOPPY DISK
| Item | Photograph | Floppy disk |
|---|---|---|
| 1 | 00223.jpg | Disk 2 |
| 2 | 000.jpg | Disk 2 |
| 3 | 0010.jpg | Disk 2 |
| 4 | 0000.jpg | Disk 2 |
| 5 | 0005.jpg | Disk 2 |
| 6 | 0147.jpg | Disk 2 |
| 7 | 0198.jpg | Disk 2 |
| 8 | 0156.jpg | Disk 2 |
| 9 | 0177.jpg | Disk 2 |
| 10 | 014.jpg | Disk 2 |
| 11 | 12.jpg | Disk 2 |
| 12 | 080.jpg | Disk 3 |
| 13 | 0704.jpg | Disk 3 |
| 14 | 2veryyoung.jpg | Disk 4 |
| 15 | 21.jpg | Disk 4 |
| 16 | 10.htm | Disk 4 |
| 17 | 13.htm | Disk 4 |
| 18 | 8.htm | Disk 4 |
End of Report
FINAL RESULT
Following expert examination of the hard disk and floppy drives which resulted in the extraction and de-coding of link files from both allocated and unallocated space the defendant pleaded guilty to all (amended) counts and was sentenced to 12 months imprisonment. The above report was NOT submitted in evidence by the defence or used as any basis for mitigation.
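The findings table in the report above decides whether each charged image is on the hard drive by looking for its file name in the internet cache and the recovered deleted files, and section 3.1.5 itself notes that cache files can be renamed to look like something else. The script below is an added example written for this post (it is not the report's method and not code from Forensic 4cast). It cross-references two constructed inventories, floppy files against hard-drive cache and recovered files, by SHA-256 of content as well as by name, and lists hard-drive activity on a chosen day, which is the check behind the report's 14/06/01 observation. Every path, timestamp and byte string is constructed sample data; the `[n]` suffix stripping reflects Internet Explorer's cache naming convention.

```python
"""Cross-reference floppy-disk images against a hard-drive inventory.

Added example, not part of the Forensic 4cast post or the quoted report.
Matching is done on a SHA-256 of file content, not only on file names, so a
copy that was renamed on the hard drive is still linked to its floppy
counterpart. All records below are constructed sample data.
"""
import hashlib
import re
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class FileRecord:
    source: str         # inventory the record came from, e.g. "floppy2" or "hdd-cache"
    path: str           # path within that source
    content: bytes      # file bytes (tiny placeholders stand in for image data)
    modified: datetime  # last-modified timestamp recorded for the file


def content_hash(data: bytes) -> str:
    """SHA-256 hex digest of the raw bytes; the key used for content matching."""
    return hashlib.sha256(data).hexdigest()


def base_name(path: str) -> str:
    """File name with the IE cache's '[n]' de-duplication suffix removed."""
    name = path.rsplit("/", 1)[-1]
    return re.sub(r"\[\d+\](?=\.[^.]+$)", "", name)


def match_by_name(floppy, hdd):
    """Name-only comparison (the weaker check): floppy path -> hdd paths with the same name."""
    by_name = {}
    for rec in hdd:
        by_name.setdefault(base_name(rec.path), []).append(rec.path)
    return {f.path: by_name.get(base_name(f.path), []) for f in floppy}


def match_by_hash(floppy, hdd):
    """Content comparison: floppy path -> hdd paths holding byte-identical data."""
    by_hash = {}
    for rec in hdd:
        by_hash.setdefault(content_hash(rec.content), []).append(rec.path)
    return {f.path: by_hash.get(content_hash(f.content), []) for f in floppy}


def activity_on(records, day: date):
    """Paths of records whose modification timestamp falls on the given day."""
    return sorted(r.path for r in records if r.modified.date() == day)


# Constructed sample inventories; names echo the report, contents are placeholder bytes.
FLOPPY = [
    FileRecord("floppy2", "lollypop1/0023.jpg", b"IMG-A", datetime(2001, 6, 5, 0, 50)),
    FileRecord("floppy3", "0704.jpg",           b"IMG-B", datetime(2001, 6, 14, 10, 8)),
    FileRecord("floppy4", "21.jpg",             b"IMG-C", datetime(2001, 6, 8, 21, 0)),
]
HDD = [
    # cache copy carrying IE's "[1]" suffix: both the name check and the hash check find it
    FileRecord("hdd-cache",   "Content.IE5/A1B2C3D4/0023[1].jpg", b"IMG-A", datetime(2001, 6, 5, 0, 48)),
    # recovered deleted file that was renamed: only the hash check finds it
    FileRecord("hdd-deleted", "WINDOWS/TEMP/notes.txt",           b"IMG-B", datetime(2001, 6, 14, 10, 5)),
    # unrelated same-day activity (constructed stand-in for the minesweeper entry)
    FileRecord("hdd-deleted", "WINDOWS/winmine.ini",              b"cfg",   datetime(2001, 6, 14, 17, 33)),
]


def report():
    """Bundle the three checks so the result can be inspected or asserted on."""
    return {
        "by_name": match_by_name(FLOPPY, HDD),
        "by_hash": match_by_hash(FLOPPY, HDD),
        "hdd_activity_2001_06_14": activity_on(HDD, date(2001, 6, 14)),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Run against the sample data, the name check reports `0704.jpg` as absent from the hard drive while the hash check links it to the renamed recovered file, and the activity listing shows that the day on which the disk 3 files were written did have hard-drive activity in this constructed set. A byte-identical hash will not match an image that was re-saved or re-encoded, so a negative hash result rules out only exact copies; in practice the inventories would be built from forensic images of the media rather than from the live system.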
Episode 32 – The Mecca for Digital Forensicators
August 4, 2010 by Lee Whitfield
Filed under Podcast Episodes
This week we discuss the British Cybercrime Challenge, the investigation carried out inside government institutions, PI Laws, Cindy Murphy’s article on mobile device investigations, and Ken Pryor’s post on the SANS forensic blog.
Digital Forensics Magazine Issue 4 Launches in August
August 4, 2010 by Lee Whitfield
Filed under News, Uncategorized
Digital Forensics Magazine, one of the fastest growing resources available for IT security specialists, is launching its fourth edition in August. With a global coverage, the print and online magazine is fast establishing itself as the must-have magazine for practitioners and students of digital forensics.
Issue 4, released online on August 1st, takes a look at how effective traditional digital forensic techniques are at obtaining forensically sound data in scenarios where computer misuse has been used in attempts to frame the innocent. The DFM team also investigates and details the state of digital forensics in law enforcement around the world, identifying which countries are doing well and which have much to do, highlighting the disparity in skills and qualifications between each. In a world that is getting ever more interconnected and one in which international online crime is on the increase, the industry should look to establish and apply minimum standards.
Other features include:
- Preservation of Evidence – How an organization should establish its policy regarding the investigation of a computer crime scenarios
- Psychosocial Forensics – A novel approach to operational forensics
- iPhone Forensics – An exploration of the challenges that the iPhone has introduced for the digital forensic investigator
- In “Meet the DF Professionals”, DF Mag interviews viaForensics’ Andrew Hoog
- Live Data Collection – Ron Tasker asks why we should or shouldn’t capture live data at a crime scene
- Real Time Stenography – A use case for Real Time Network Forensics
- SANS’ Rob Lee asks, “Do you have what it takes to be a digital forensics pro?”
As well as the usual book reviews, legal section and product reviews, readers are given the chance to win a free ticket to the SANS Digital Forensics and Incident Response summit either in the UK in September 2010, or in the US next July 2011.
Digital Forensics Magazine issue 4 is published online on August the 1st and digital subscriptions start at under GBP30. Users can upgrade their subscription to the print and digital version for only GBP10 at any time.
To subscribe to Digital Forensics Magazine please visit www.digitalforensicsmagazine.com.
Digital Forensics Magazine is the flagship publication of TR Media Limited, a UK-based company which specializes in publishing academic quality consumer magazines and books for the information security sector. Digital Forensics Magazine combines the depth and research of the best academic journals with the more traditional consumer feel of a trade magazine. For more information, please visit www.digitalforensicsmagazine.com