Silk Road forums

Discussion => Security => Topic started by: kmfkewm on July 06, 2013, 07:02 am

Title: In reality, computer forensics are often worthless for evidence
Post by: kmfkewm on July 06, 2013, 07:02 am
I am going to talk about CP but only indirectly as computer forensics relates to it. First I need to define what I mean by computer forensics, as this title is used as a sort of catch all, applying to everything from cryptanalysis to traffic analysis to data recovery to data locating to remote hacking and spying. The goal of cryptanalysis is to decrypt encrypted data, it is not voodoo science and is actually essentially applied mathematics. The goal of traffic analysis is often to determine where a target is located, it is not really voodoo science because it can be extremely useful, especially when no countermeasures are being taken against it (however it can also be, and often is, extremely misleading).  The goal of data recovery is to obtain data that somebody has attempted to destroy, either via physical damage of a drive platter or possibly by overwriting a file. This is not voodoo science, people really try to delete or destroy electronic files and people in data recovery really do use techniques that sometimes allow them to recover deleted files. The goal of data locating is to find files that somebody tried to hide, this is not voodoo science either, an example would be using a database of fuzzy hash signatures to quickly scan a drive looking for previously identified illegal files. Remote hacking and spying is not really voodoo science either, it has the goal of penetrating a suspect computer and obtaining evidence off of it covertly. Remote hacking can give misleading results, but there are real vulnerabilities and there are real ways to exploit them.

However, all of these things taken as a whole, and coupled with the art of analyzing system logs looking for intelligence and evidence (ie: traditional computer forensics, building a timeline of activity, linking activity to a specific user, etc), are essentially voodoo science when used in the context of criminal investigations. Let me give you some examples. Let's say that Alice downloads a bunch of CP (I suppose she is a high school teacher..), but since she doesn't want to get caught she uses her neighbor's WiFi. Now the police pick up on the downloading of the CP due to traffic analysis (ie: Alice's neighbor's IP address shows up in the logs of a CP site). Now the police send a team to raid Alice's neighbor's house based on the intelligence their traffic analysts have gathered. Now Alice's neighbor probably doesn't have much to worry about these days, since in recent times (although not historically), the police analyze the WiFi around the modem detected accessing CP, and they will likely detect Alice if she engages in a pattern of behavior (although if she only does it once and never again, and she makes sure to spoof her MAC address, then she will likely never be identified and the buck will stop at her neighbor). Fortunately for Alice's neighbor Bob, even if Alice only uses his WiFi once with a spoofed MAC address, the police are going to very likely determine that Bob did not download CP, because they will seize his computer and send it to a forensics lab. They will scan his computer looking for illegal images and find likely none or just a few older jailbait pictures that are present on the drives of most people who look at amateur pornography, and which the police do not give a fuck about. They will analyze various logs looking for a sign that Bob accessed the CP site in question (or any CP sites at all) and they will find no evidence of this. They will look for signs that Bob wiped or deleted illegal images, such as traces in his swap space, logs of titles of known illegal images, etc, and they will find nothing. After a few weeks, Bob will get his computer back and the case will be closed.

Now let's imagine that Alice is a bit more sophisticated. She wants to prove that computer forensics are not capable of obtaining evidence beyond a reasonable doubt. So she creates a virus that infects computers through a vulnerability in Firefox. Bob goes to one of the malicious websites and becomes infected with the virus. First the virus determines that Bob is running a popular P2P file sharing program. Then it searches for some canned keywords looking for child pornography. Then it downloads the CP and stores it in Bob's shared files, perhaps hidden in such a way that Bob cannot easily detect the presence of the files. Then the virus deletes all traces of itself. Hell, it never even really needs to leave RAM in the first place! After a while the police traffic analysts discover that somebody with Bob's IP address is sharing CP. They raid Bob as before, first checking for the presence of a WiFi thief (and finding that there is none, hell Bob has his internet connection encrypted with WPA2 even!). Now they send the computer to the forensic lab as before. Except this time, the forensics agents quickly detect thousands of CP images in Bob's shared folder! Furthermore, they find logs that Bob was active on the computer during the time the CP was downloaded in the first place! They know it must be Bob because Bob was also checking his E-mail at the same time the files were downloaded! Now Bob is charged with downloading and distributing CP. At court Bob argues that he must have been infected with a virus, but the forensic experts counter that they scanned his entire drive with every leading commercial anti virus software out there, and absolutely nothing was detected! The jury quickly sentences Bob to twenty years in prison and lifetime registration as a sex offender, and the case is closed.

It is so easy for a skilled hacker to completely fool computer forensics, entirely, from traffic analysis all the way to the analysts at the lab. In fact, it is so easy that I would never be convinced of somebody's guilt based upon a forensic analysis of their computer system, even when accompanied with traffic analysis, hell even when coupled with cryptanalysis. Even remote hacking and spying can be misleading if there is an active agent attempting to create misleading results. Basic things like using your neighbor's WiFi are not likely to get them in trouble, at least not these days, but it is still essentially trivial to frame anybody you want for a CP crime in such a way that they *will* be convicted. Computer forensics is *always* hoping that there is not such an agent, they are *always* hoping to be one step ahead of the 'bad guys' and in 98% of the cases they come to the correct conclusion with their analysis. The fact of the matter is though in those other 2% of cases they are going to come to an incorrect conclusion, and their training is not going to be sufficient that they can even consider it as a possibility, and certainly the jury is not going to believe the person who attributes his problems to a virus that was never detected because it literally left no trace.
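The "database of fuzzy hash signatures" scan mentioned in the first paragraph of the post, as an added example that is not part of the original post or of any forensic tool: a simplified context-triggered piecewise hash in the style of ssdeep (the signatures are not compatible with real ssdeep output), a similarity score, and a scan of constructed in-memory sample files against a signature set. The rolling hash, the block-size rule and the sample data are assumptions made here for illustration.

```python
"""Context-triggered piecewise hashing (the idea behind ssdeep) plus a scan
of a file set against a signature database.

Added example for this thread; a simplified re-implementation, not ssdeep's
code, and not compatible with ssdeep signatures. Sample 'files' are
constructed in memory so the script runs offline.
"""
import random
from typing import Dict, List, Tuple

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7            # bytes covered by the rolling hash
MIN_BLOCK = 3
SIG_LENGTH = 64       # aim for roughly this many signature characters
FNV_OFFSET, FNV_PRIME = 0x811C9DC5, 0x01000193


def _block_size(n: int) -> int:
    # Assumption: double the block size until ~SIG_LENGTH pieces fit the input.
    bs = MIN_BLOCK
    while bs * SIG_LENGTH < n:
        bs *= 2
    return bs


def fuzzy_hash(data: bytes) -> str:
    """Return 'blocksize:piecewise-hash'. A piece ends whenever the rolling
    hash of the last WINDOW bytes hits a trigger value, so cut points depend
    on local content rather than on absolute offsets; an edit only disturbs
    the pieces it touches."""
    bs = _block_size(len(data))
    out, piece = [], FNV_OFFSET
    for i, b in enumerate(data):
        piece = ((piece ^ b) * FNV_PRIME) & 0xFFFFFFFF        # FNV-1a over the piece
        roll = 0
        for w in data[max(0, i - WINDOW + 1):i + 1]:           # stand-in rolling hash
            roll = (roll * 31 + w) & 0xFFFFFFFF
        if roll % bs == bs - 1:                                # trigger: close the piece
            out.append(B64[piece & 63])
            piece = FNV_OFFSET
    if piece != FNV_OFFSET:
        out.append(B64[piece & 63])
    return f"{bs}:{''.join(out)}"


def _levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def compare(sig_a: str, sig_b: str) -> int:
    """0..100 similarity. Signatures built at different block sizes are not
    comparable and score 0 (real ssdeep also tries the 2x block size)."""
    bs_a, ha = sig_a.split(":", 1)
    bs_b, hb = sig_b.split(":", 1)
    if bs_a != bs_b or not ha or not hb:
        return 0
    dist = _levenshtein(ha, hb)
    return max(0, 100 - (100 * dist) // max(len(ha), len(hb)))


def scan(files: Dict[str, bytes], db: Dict[str, str],
         threshold: int = 60) -> List[Tuple[str, str, int]]:
    """Match every file against every known signature; report (path, label, score)."""
    hits = []
    for path, data in files.items():
        sig = fuzzy_hash(data)
        for label, known in db.items():
            score = compare(sig, known)
            if score >= threshold:
                hits.append((path, label, score))
    return hits


def sample_files() -> Dict[str, bytes]:
    """Constructed sample data (no real files): one 'known' file, a copy with
    50 bytes overwritten in the middle, and an unrelated file of equal size."""
    rng = random.Random(1)
    known = bytes(rng.getrandbits(8) for _ in range(2000))
    edited = bytearray(known)
    edited[1000:1050] = bytes(50)
    other = bytes(rng.getrandbits(8) for _ in range(2000))
    return {"known.bin": known, "edited.bin": bytes(edited), "other.bin": other}


if __name__ == "__main__":
    files = sample_files()
    db = {"known-file": fuzzy_hash(files["known.bin"])}   # the 'signature database'
    for path, data in files.items():
        print(path, compare(db["known-file"], fuzzy_hash(data)))
    print(scan(files, db))
```

A score near 100 for the edited copy shows why a fuzzy match survives small edits that would defeat an exact SHA-256 lookup, while the unrelated file scores near zero. The scan answers only "is a known file present", which is the data-locating step the post describes; it says nothing about how the file got there, which is the gap the rest of the post is about.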
Title: Re: In reality, computer forensics are often worthless for evidence
Post by: kmfkewm on July 06, 2013, 07:46 am
Seriously there have been exploits in the past for turning somebody's computer on the Gnutella network into a remote proxy, tricking it into downloading whatever you want it to, from whatever server you want it to, and storing it in its shared files ( which actually allows you to turn Gnutella into an anonymity network for yourself as well ;) ) . I wonder how many people arrested for sharing CP on this network even realize that such an attack is possible. In the majority of cases I highly HIGHLY doubt that the forensic analysts (who are sometimes trained for only a few months prior to being certified) going over the seized computers realize that such an attack is possible. They are not trained to look for things like this, they are trained to run P2P spidering software and basic software forensic tools that do all of the real work for them. Guess what, anybody who went to prison for having CP obtained from the Gnutella network, or who went to prison for having CP while running one of the many vulnerable Gnutella clients, did NOT get a fair trial if they did not know about this attack!

www.ics.forth.gr/~elathan/papers/gdos.acns06.pdf

Quote
3.2 Exploiting the HTTP protocol
A large number of HTTP requests that result in an HTTP 404 response code may not be difficult to handle for a Web Server. The attack can be more efficient if we can force the Gnutella peers to perform an actual download from the Web Server. The download may not even be relevant to their search criteria. This can be achieved by embedding a specifically constructed file name in the QueryHit packet. For example, consider that a Query with search criteria "foo bar" is received. The file name:

Quote
We have demonstrated how unstructured P2P systems can be misused for launching DoS attacks against third parties. We have developed an attack that exploits a number of weaknesses of unstructured P2P systems and manages to instruct innocent Gnutella peers to generate a significant amount of traffic to a victim host. The victim can be another Gnutella peer, but also a host outside the Gnutella system, such as a Web Server.

Although the basic attack relies primarily on the ability to spoof QueryHit responses, we also took advantage of the HTTP protocol used by Gnutella peers for data transfers. This allowed us to construct malicious QueryHits that result in downloads of arbitrary files from a target Web Server. An interesting observation is that the use of HTTP in this case allowed the attack to "leak" to other systems as well.

Finally, we have developed SEALING, an algorithm which aims at keeping a local "Safe List" on each peer, containing IP addresses and port numbers of hosts that have been characterized as non-Gnutella participants. Our algorithm assumes that any connection from Gnutella participants to non-Gnutella participants is a possible DoS attack.


Quote
Indeed, with modest effort we have managed to develop techniques, which, if adopted by bogus peers, can result in DoS attacks to third parties by redirecting a large number of peers to a single target host. In a nutshell, whenever they receive a query, these bogus peers respond by saying that the victim computer has a file that matches the query. As a result, a large number of peers may try to download files from the unsuspected victim, increasing its load significantly. Furthermore, we have developed mechanisms which trick this large number of peers to actually download files from the unsuspected victim. To make matters worse, in our methods, the victim does not even need to be part of the P2P network but could also be an ordinary Web Server. Therefore, it is possible for a significant number of peers to attempt downloading files from a Web Server, increasing its load and performing the equivalent of a DoS attack.

This attack can be used to get arbitrary people to download CP and put it in their shared files, and if it is carried out correctly Mr. 6 month forensic certificate is not going to be able to tell that this is what happened. Forensic analysts often are not going to be able to tell if somebody fell victim to this attack or if they actually downloaded and shared CP. And yet there are hundreds of thousands of people in prison right now for having downloaded CP off of Gnutella and shared it. And probably NONE of them know about this!
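The QueryHit redirection the quoted paper describes, as an added example that is neither the paper's code nor any Gnutella client's: a builder and parser for the Gnutella 0.4 QueryHit descriptor, the HTTP download request a trusting peer derives from it, and two peer-side checks, a SEALING-style list of hosts characterized as non-Gnutella participants and a test that the advertised file name actually matches the query terms. The wire layout is written from the Gnutella 0.4 protocol as remembered here (little-endian integers, big-endian IP address) and should be treated as an assumption; the addresses are documentation ranges; the specially constructed file name from the paper's Section 3.2 is not reproduced because the quote above is cut off before it.

```python
"""Gnutella 0.4 QueryHit handling: build/parse the descriptor, derive the
HTTP download request a trusting peer would send, and gate it with two
checks (a SEALING-style non-Gnutella host list and a query-relevance test).

Added example for this thread, not code from the quoted paper or from any
Gnutella client. Wire layout follows Gnutella 0.4 as the author of this
example recalls it (assumption): little-endian integers, big-endian IP.
The 203.0.113.0/24 address is a documentation range used as sample data.
"""
import struct
from dataclasses import dataclass
from typing import List, Set, Tuple

QUERY_HIT = 0x81          # payload descriptor byte for QueryHit


@dataclass
class QueryHit:
    port: int
    ip: str
    speed: int
    results: List[Tuple[int, int, str]]   # (file_index, file_size, file_name)
    servent_id: bytes                     # 16-byte responder identifier


def build_query_hit(hit: QueryHit, guid: bytes = b"\x00" * 16, ttl: int = 7) -> bytes:
    """Serialise a QueryHit: 23-byte descriptor header + payload."""
    assert len(guid) == 16 and len(hit.servent_id) == 16
    body = struct.pack("<BH", len(hit.results), hit.port)
    body += bytes(int(o) for o in hit.ip.split("."))          # IP in network order
    body += struct.pack("<I", hit.speed)
    for index, size, name in hit.results:
        body += struct.pack("<II", index, size) + name.encode() + b"\x00\x00"
    body += hit.servent_id
    header = guid + struct.pack("<BBBI", QUERY_HIT, ttl, 0, len(body))
    return header + body


def parse_query_hit(raw: bytes) -> QueryHit:
    """Inverse of build_query_hit; raises ValueError on malformed input."""
    if len(raw) < 23:
        raise ValueError("short descriptor")
    kind, _ttl, _hops, length = struct.unpack("<BBBI", raw[16:23])
    if kind != QUERY_HIT or len(raw) != 23 + length:
        raise ValueError("not a well-formed QueryHit")
    body = raw[23:]
    n_hits, port = struct.unpack("<BH", body[:3])
    ip = ".".join(str(b) for b in body[3:7])
    speed, = struct.unpack("<I", body[7:11])
    pos, results = 11, []
    for _ in range(n_hits):
        index, size = struct.unpack("<II", body[pos:pos + 8])
        pos += 8
        end = body.index(b"\x00", pos)                  # end of file name
        name = body[pos:end].decode()
        pos = body.index(b"\x00", end + 1) + 1          # skip the extension block
        results.append((index, size, name))
    if len(body) - pos != 16:
        raise ValueError("bad servent identifier")
    return QueryHit(port, ip, speed, results, body[pos:pos + 16])


def download_request(hit: QueryHit, result_no: int = 0) -> Tuple[str, int, str]:
    """What a trusting peer does with a hit: connect to hit.ip:hit.port and
    send a Gnutella 0.4 download request. Nothing in the hit proves that
    host is a Gnutella peer, or that it ever had the file."""
    index, _size, name = hit.results[result_no]
    req = (f"GET /get/{index}/{name} HTTP/1.0\r\n"
           "User-Agent: Gnutella\r\nConnection: Keep-Alive\r\nRange: bytes=0-\r\n\r\n")
    return hit.ip, hit.port, req


def relevant_to_query(query: str, file_name: str) -> bool:
    """Every query term must appear in the advertised file name."""
    name = file_name.lower()
    return all(term in name for term in query.lower().split())


def should_download(hit: QueryHit, query: str, result_no: int,
                    non_gnutella_hosts: Set[Tuple[str, int]]) -> Tuple[bool, str]:
    """SEALING-style gate, after the quoted paper: refuse transfers to hosts
    on the local non-Gnutella list, and refuse hits that do not match the
    query. How a host gets onto that list is left to the caller."""
    if (hit.ip, hit.port) in non_gnutella_hosts:
        return False, "source is on the non-Gnutella host list"
    if not relevant_to_query(query, hit.results[result_no][2]):
        return False, "file name does not match the query"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a bogus peer answers a search for "foo bar" by
    # naming a plain web server (port 80, not a Gnutella peer) as the source.
    spoofed = QueryHit(port=80, ip="203.0.113.10", speed=1000,
                       results=[(7, 4096, "foo bar.mp3")], servent_id=b"\x11" * 16)
    hit = parse_query_hit(build_query_hit(spoofed))
    host, port, req = download_request(hit)
    print(f"trusting peer connects to {host}:{port} and sends:\n{req}")
    print(should_download(hit, "foo bar", 0, set()))                     # no list: goes through
    print(should_download(hit, "foo bar", 0, {("203.0.113.10", 80)}))    # listed: refused
```

With an empty list the spoofed hit passes both checks and the peer issues a GET to the web server, which is the basic attack in the paper; the relevance test only blocks the crude variant where the advertised name has nothing to do with the query, so the host list is the check that matters.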
Title: Re: In reality, computer forensics are often worthless for evidence
Post by: Rastaman Vibration on July 06, 2013, 07:52 am
Holy shit dude! Poor Bob!  :o

Don't wanna be him!  :-\

But seriously, @km, reading that kinda makes me want to learn how to be a hacker. Mwahahahaha! Where's the evil face emoticon on here?
Title: Re: In reality, computer forensics are often worthless for evidence
Post by: Miah on July 06, 2013, 09:44 am
Quote
I am going to talk about CP but only indirectly as computer forensics relates to it. First I need to define what I mean by computer forensics, as this title is used as a sort of catch all, applying to everything from cryptanalysis to traffic analysis to data recovery to data locating to remote hacking and spying. The goal of cryptanalysis is to decrypt encrypted data, it is not voodoo science and is actually essentially applied mathematics. The goal of traffic analysis is often to determine where a target is located, it is not really voodoo science because it can be extremely useful, especially when no countermeasures are being taken against it (however it can also be, and often is, extremely misleading).  The goal of data recovery is to obtain data that somebody has attempted to destroy, either via physical damage of a drive platter or possibly by overwriting a file. This is not voodoo science, people really try to delete or destroy electronic files and people in data recovery really do use techniques that sometimes allow them to recover deleted files. The goal of data locating is to find files that somebody tried to hide, this is not voodoo science either, an example would be using a database of fuzzy hash signatures to quickly scan a drive looking for previously identified illegal files. Remote hacking and spying is not really voodoo science either, it has the goal of penetrating a suspect computer and obtaining evidence off of it covertly. Remote hacking can give misleading results, but there are real vulnerabilities and there are real ways to exploit them.

However, all of these things taken as a whole, and coupled with the art of analyzing system logs looking for intelligence and evidence (ie: traditional computer forensics, building a timeline of activity, linking activity to a specific user, etc), are essentially voodoo science when used in the context of criminal investigations. Let me give you some examples. Let's say that Alice downloads a bunch of CP (I suppose she is a high school teacher..), but since she doesn't want to get caught she uses her neighbor's WiFi. Now the police pick up on the downloading of the CP due to traffic analysis (ie: Alice's neighbor's IP address shows up in the logs of a CP site). Now the police send a team to raid Alice's neighbor's house based on the intelligence their traffic analysts have gathered. Now Alice's neighbor probably doesn't have much to worry about these days, since in recent times (although not historically), the police analyze the WiFi around the modem detected accessing CP, and they will likely detect Alice if she engages in a pattern of behavior (although if she only does it once and never again, and she makes sure to spoof her MAC address, then she will likely never be identified and the buck will stop at her neighbor). Fortunately for Alice's neighbor Bob, even if Alice only uses his WiFi once with a spoofed MAC address, the police are going to very likely determine that Bob did not download CP, because they will seize his computer and send it to a forensics lab. They will scan his computer looking for illegal images and find likely none or just a few older jailbait pictures that are present on the drives of most people who look at amateur pornography, and which the police do not give a fuck about. They will analyze various logs looking for a sign that Bob accessed the CP site in question (or any CP sites at all) and they will find no evidence of this. They will look for signs that Bob wiped or deleted illegal images, such as traces in his swap space, logs of titles of known illegal images, etc, and they will find nothing. After a few weeks, Bob will get his computer back and the case will be closed.

Now let's imagine that Alice is a bit more sophisticated. She wants to prove that computer forensics are not capable of obtaining evidence beyond a reasonable doubt. So she creates a virus that infects computers through a vulnerability in Firefox. Bob goes to one of the malicious websites and becomes infected with the virus. First the virus determines that Bob is running a popular P2P file sharing program. Then it searches for some canned keywords looking for child pornography. Then it downloads the CP and stores it in Bob's shared files, perhaps hidden in such a way that Bob cannot easily detect the presence of the files. Then the virus deletes all traces of itself. Hell, it never even really needs to leave RAM in the first place! After a while the police traffic analysts discover that somebody with Bob's IP address is sharing CP. They raid Bob as before, first checking for the presence of a WiFi thief (and finding that there is none, hell Bob has his internet connection encrypted with WPA2 even!). Now they send the computer to the forensic lab as before. Except this time, the forensics agents quickly detect thousands of CP images in Bob's shared folder! Furthermore, they find logs that Bob was active on the computer during the time the CP was downloaded in the first place! They know it must be Bob because Bob was also checking his E-mail at the same time the files were downloaded! Now Bob is charged with downloading and distributing CP. At court Bob argues that he must have been infected with a virus, but the forensic experts counter that they scanned his entire drive with every leading commercial anti virus software out there, and absolutely nothing was detected! The jury quickly sentences Bob to twenty years in prison and lifetime registration as a sex offender, and the case is closed.

It is so easy for a skilled hacker to completely fool computer forensics, entirely, from traffic analysis all the way to the analysts at the lab. In fact, it is so easy that I would never be convinced of somebody's guilt based upon a forensic analysis of their computer system, even when accompanied with traffic analysis, hell even when coupled with cryptanalysis. Even remote hacking and spying can be misleading if there is an active agent attempting to create misleading results. Basic things like using your neighbor's WiFi are not likely to get them in trouble, at least not these days, but it is still essentially trivial to frame anybody you want for a CP crime in such a way that they *will* be convicted. Computer forensics is *always* hoping that there is not such an agent, they are *always* hoping to be one step ahead of the 'bad guys' and in 98% of the cases they come to the correct conclusion with their analysis. The fact of the matter is though in those other 2% of cases they are going to come to an incorrect conclusion, and their training is not going to be sufficient that they can even consider it as a possibility, and certainly the jury is not going to believe the person who attributes his problems to a virus that was never detected because it literally left no trace.

A person with the skill to do that is not your average computer user, but as time progresses it's becoming an issue. In China hacking is encouraged by corporations to steal other companies' secrets. The American Government hacks the Chinese, the Chinese hack the US...and so on. It's amazing what can be done with the right knowledge. There's literally nothing that cannot be hacked into. I can write a program that hooks to your BIOS and logs your keystrokes using ISRs. Granted you'd have to know some assembly code, but in terms of hacking that's a very basic program that a skilled hacker would have no problems with. It's funny that you brought up this topic as I've just spent 3 days wiping, re-wiping, securing, checking registry files and doing everything I can to lock down my computer, which still will never be close to 100%.

Any security professional worth his weight is at heart a hacker. If you can't hack and break into systems without leaving a trace, you can't defend your network or system. Hacking is not something that you can pick up a dummies book and read over the weekend. It's truly an art form. It's a combination of multiple disciplines. A hacker would be highly proficient in networking, programming, web development, TCP protocols, etc., but even with all that, without the proper amount of creativity they would be average at best. I see in the future an Information War on a global and epic scale where a hacker in one country could literally turn off another country's or city's power, for example. That may be over the top or it might not be.
Title: Re: In reality, computer forensics are often worthless for evidence
Post by: kmfkewm on July 06, 2013, 12:26 pm
Yes it is outside of the skill level of the average computer user, but in many cases it is inside the skill level of a novice hacker with a bit of a technical background and some time to spend reading some .pdf files. The attack against Gnutella that allows the attacker to cause nodes to download whatever the hell they want is trivial to implement, and it is sufficient an attack to get the targets convicted for CP trafficking. Of course, there are other extremely advanced vectors that could be utilized as well, some of which will result in a system that is *forensically indistinguishable* from a system owned by somebody who actually downloaded and shared CP.

But it doesn't really matter if it can be done by 100% of computer users or only the top 1% most skilled computer users. The simple fact of the matter is that it can be demonstrated that computer forensics can be entirely misleading, it can be demonstrated that CP can end up on somebody's computer in such a way that forensic technicians have no choice but to say that the CP was intentionally downloaded and distributed, and in hundreds of thousands of CP cases the integrity of the evidence used to convict the so-called offender is 100% dependent on there not being somebody trying to frame the person convicted, or even random people. They don't allow traffic analysis by itself to secure a conviction (judges dismiss cases where the only evidence is from traffic analysis), but traffic analysis + the presence of CP + a forensic analysis showing that a user of the seized PC intentionally downloaded and distributed CP is enough for a conviction in 99.99% of cases. This is despite the fact that the presence of CP and a forensic analysis showing that a user of the PC intentionally downloaded it is just as prone to failure as traffic analysis. Due to people using open and hacked WiFi, plus people using proxy exit nodes, hacked cable modems, plus ISPs / websites / police / etc not being 100% accurate when it comes to keeping logs, the justice department has essentially determined that traffic analysis by itself can only be used for intelligence. Perhaps there needs to be a massive botnet that creates systems forensically indistinguishable from those owned by CP collectors before the justice department will realize that even the presence of CP and a forensic analysis showing how it got there are not reliable enough to be considered evidence either.
Title: Re: In reality, computer forensics are often worthless for evidence
Post by: fuckmadagascar on July 06, 2013, 03:33 pm
This is a really great read to reconsider our preconceived notions of computer forensics. However, I'm not a fan of all these percentages being thrown about. 2% in the original post could be 20% as far as I know, with no statistics to back that up.

Also, keep in mind - will these matters be enough to convince a jury?
Title: Re: In reality, computer forensics are often worthless for evidence
Post by: thecatinthehat101 on July 06, 2013, 03:59 pm
Idk did you see the Jodi Arias Trial? She stuck that digital camera in a washing machine and ran it through a full cycle and the police still retrieved most of the pictures using computer forensics??

I think it depends on how bad the police want the evidence and what lengths they will go to get it don't you?
Title: Re: In reality, computer forensics are often worthless for evidence
Post by: Miah on July 06, 2013, 06:35 pm
Quote
Yes it is outside of the skill level of the average computer user, but in many cases it is inside the skill level of a novice hacker with a bit of a technical background and some time to spend reading some .pdf files. The attack against Gnutella that allows the attacker to cause nodes to download whatever the hell they want is trivial to implement, and it is sufficient an attack to get the targets convicted for CP trafficking. Of course, there are other extremely advanced vectors that could be utilized as well, some of which will result in a system that is *forensically indistinguishable* from a system owned by somebody who actually downloaded and shared CP.

But it doesn't really matter if it can be done by 100% of computer users or only the top 1% most skilled computer users. The simple fact of the matter is that it can be demonstrated that computer forensics can be entirely misleading, it can be demonstrated that CP can end up on somebody's computer in such a way that forensic technicians have no choice but to say that the CP was intentionally downloaded and distributed, and in hundreds of thousands of CP cases the integrity of the evidence used to convict the so-called offender is 100% dependent on there not being somebody trying to frame the person convicted, or even random people. They don't allow traffic analysis by itself to secure a conviction (judges dismiss cases where the only evidence is from traffic analysis), but traffic analysis + the presence of CP + a forensic analysis showing that a user of the seized PC intentionally downloaded and distributed CP is enough for a conviction in 99.99% of cases. This is despite the fact that the presence of CP and a forensic analysis showing that a user of the PC intentionally downloaded it is just as prone to failure as traffic analysis. Due to people using open and hacked WiFi, plus people using proxy exit nodes, hacked cable modems, plus ISPs / websites / police / etc not being 100% accurate when it comes to keeping logs, the justice department has essentially determined that traffic analysis by itself can only be used for intelligence. Perhaps there needs to be a massive botnet that creates systems forensically indistinguishable from those owned by CP collectors before the justice department will realize that even the presence of CP and a forensic analysis showing how it got there are not reliable enough to be considered evidence either.

I understand what you're saying as I'm utterly paranoid about computer/network security, bordering on the unhealthy. Nothing like securing and locking down your computer while tweaking..not fun..but that's a story for another day. Really though, in your example if Bob got convicted then he must have had a shitty ass lawyer and he should have called Saul.

All BS aside though, I disagree with you that computer forensics are often worthless for evidence. They have worth. In and of itself it shouldn't be enough to convict someone, and we have our warped legal system to blame for that. How much evidence is left behind depends on what system you run and your security measures. Windows leaves a lot of evidence behind and you can just follow the trail and usually you find something worthwhile. Linux I'm not sure about as I just got into it.

What percentage of vendors on SR do you think, if their PCs were seized, would have physical evidence on there?

The other thing is if that child porn was not intentionally downloaded by Bob but by Alice then you should be able to trace where those files came from, and if not that, seeing that they were inserted into Bob's PC would raise a reasonable doubt. When you download something it's a different action than, say, me inserting it into your PC. I understand using the proxies, hacked wi-fis, but there's still always going to be a trace of some foreign activity. Now whether or not it's found by LE forensics I guess is the question. Are there people that can totally mask that activity? I'm sure there are.

Title: Re: In reality, computer forensics are often worthless for evidence
Post by: joolz on July 06, 2013, 07:11 pm
sure mate  ;)
Title: Re: In reality, computer forensics are often worthless for evidence
Post by: fuckmadagascar on July 06, 2013, 07:51 pm
Quote
Idk did you see the Jodi Arias Trial? She stuck that digital camera in a washing machine and ran it through a full cycle and the police still retrieved most of the pictures using computer forensics??

Did she really? She should learn a thing or two about electronics before thinking that would do any damage to the camera's internal storage. (Assuming she wasn't using an SD card.)
Title: Re: In reality, computer forensics are often worthless for evidence
Post by: kmfkewm on July 06, 2013, 10:23 pm
Quote
This is a really great read to reconsider our preconceived notions of computer forensics. However, I'm not a fan of all these percentages being thrown about. 2% in the original post could be 20% as far as I know, with no statistics to back that up.

Also, keep in mind - will these matters be enough to convince a jury?

You are right I should not have used hard statistics because I am only going off of anecdote and guessing. I don't know if 2% of people busted with CP are framed or 20%, but I do know for a fact that it is possible to frame somebody for CP in such a way that forensics will come to the wrong conclusion. I also don't know if somebody having CP + their IP logged by LE + forensic analysis will lead to a conviction in 99.99% of cases, but I think I can find a statistic of over 96% of CP cases end up in a conviction, and also I can find numerous stories of judges dismissing charges when traffic analysis is the only evidence against a suspect. I believe that all of my other uses of percentage were clearly figures of speech (ie: it doesn't matter if 100% of computer users can do it or only the top 1%, doesn't really make a claim to the exact % of computer users capable).

I would hope that it would be enough to at least discredit forensic reports! If it can be demonstrated that forensic analysis is incapable of distinguishing between a system that was used by the owner to download and share CP, and a system that was hacked into or otherwise manipulated into downloading and sharing CP, I think that is enough to discredit forensic analysis. That leaves us with traffic analysis, which already is not considered enough to secure a conviction, the presence of CP which cannot be proven to have been intentionally downloaded or distributed, and a forensic analysis that has been discredited. That doesn't seem like it should be enough to convict somebody to me, certainly it would not convince me of somebody's guilt beyond a reasonable doubt let alone a shadow of a doubt.

Quote
I understand what you're saying as I'm utterly paranoid about computer/network security, bordering on the unhealthy. Nothing like securing and locking down your computer while tweaking..not fun..but that's a story for another day. Really though, in your example if Bob got convicted then he must have had a shitty ass lawyer and he should have called Saul.

I highly disagree. In my example Bob is, from the perspective of computer forensics, indistinguishable from somebody who intentionally downloaded and shared CP. Something like 96% of people arrested on CP charges are convicted. If Bob could have gotten off unless he had a shitty lawyer, then it seems to me that nearly everybody could get off, other than the people who incriminate themselves (through confessions or spontaneous verbalization, both of which are, admittedly, surprisingly common). I don't know the exact percentage, or even a ball park figure, of those who are convicted based upon the results of computer forensics alone, but if Bob can get off with a good lawyer then ALL of them should get off as well.

Quote
All BS aside though, I disagree with you that computer forensics are often worthless for evidence. They have worth. In and of itself it shouldn't be enough to convict someone, and we have our warped legal system to blame for that. How much evidence is left behind depends on what system you run and your security measures. Windows leaves a lot of evidence behind and you can just follow the trail and usually you find something worthwhile. Linux I'm not sure about as I just got into it.

If a serial rapist could spontaneously change his DNA to that of arbitrary humans, would you still say that DNA is useful for evidence? If there were an over-the-counter tool that somehow allowed you to simply clone the barrel of a gun and modify the barrel of your own gun such that it leaves impressions identical to the cloned gun, would you still think that ballistic imprint correlation is useful for evidence? I can see that in some cases computer forensics are very useful for evidence, but the fact is that the analysts are relying on there not being a malicious agent trying to mislead them. It is similar to writeprint analysis: if no countermeasures are taken, writeprint analysis can achieve accuracy in the high 90s percent; however, if somebody intentionally tries to mimic the writeprint of somebody else, the technique is easily tricked. So it is not true to say that writeprint analysis is worthless, but it is true to say that it is fairly trivial to write something such that it looks like somebody else wrote it. The writeprint analysts are hoping that the large majority of people don't attempt to make their writeprint look like that of someone else, just as the computer forensic analysts are hoping that there are not malicious agents trying to make it look like random people committed computer crimes. So no, computer forensics are not worthless, but when it comes to establishing guilt beyond a shadow of a doubt they are entirely insufficient. The full point I am making is that the evidence that Windows leaves behind can be fraudulent, such that forensics cannot possibly determine if it is indicative of guilt of a user of the physical PC. Also, there are many different skill levels of forensic people working for LE, and in many cases forensics technicians are not trained well enough to do an in-depth analysis.

Quote
What percentage of vendors on SR do you think, if their PCs were seized, would have physical evidence on there?

For vendors on SR it is less of a concern because for them the evidence is the possession of drugs and the act of dealing the drugs. It is possible to frame somebody for drugs, sure, but I imagine that LE would watch them such that they establish their involvement in drugs prior to arresting them. They will not determine a vendor's IP address and then raid the vendor and convict them based upon discovering drugs. More likely they will put the vendor under surveillance, watch them pick up drug packages, watch them send out packages and then intercept them and determine that they contain drugs, and then raid the vendor (that is what happened to Enelysion anyway). In the case of CP, they detect an IP address involved with it and then they raid the person and secure a conviction based upon the presence of CP and a forensic analysis of the system.

Quote
The other thing is, if that child porn was not intentionally downloaded by Bob but by Alice, then you should be able to trace where those files came from, and if not that, seeing that they were inserted into Bob's PC would raise a reasonable doubt. When you download something it's a different action than, say, me inserting it into your PC. I understand using the proxies, hacked Wi-Fis, but there's still always going to be a trace of some foreign activity. Now whether or not it's found by LE forensics I guess is the question. Are there people that can totally mask that activity? I'm sure there are.

For example, look at the attack against Gnutella. It allows Alice to trick Bob's client into downloading any file from the internet. It is not really a different action for Bob to search for an mp3 and be sent an mp3 than it is for Bob to search for an mp3 and have his client manipulated into downloading CP. In this case forensics would probably be able to differentiate if they were trained well enough; there would likely be logs of Bob searching for various things and the CP would not be included. If it takes Bob a while to be raided, though, it is possible that logs would be gone by the time he is arrested, but the CP would still be present. It has been a few years since I studied forensics on Windows systems (I pretty much gave up that quest after determining that FDE is the nail in the coffin of traditional computer forensics... well, I also stopped using Windows lol). I would need to refresh my memory a bit prior to determining if forensics could differentiate between a file the Gnutella client is tricked into downloading versus a file it intentionally downloads. However, this was just a basic example of how somebody could be framed. A skilled hacker would not use such an attack if they determined it would leave a trace. There are certainly people who can penetrate into a system, carry out actions and then leave without a trace being left to indicate that the system was penetrated.
Title: Re: In reality, computer forensics are often worthless for evidence
Post by: kmfkewm on July 06, 2013, 10:29 pm
Idk, did you see the Jodi Arias trial? She stuck that digital camera in a washing machine and ran it through a full cycle and the police still retrieved most of the pictures using computer forensics?

I think it depends on how badly the police want the evidence and what lengths they will go to to get it, don't you?

Sure, in that case something that could be considered computer forensics was useful for obtaining evidence. A key difference is that they obtained evidence that was in itself incriminating, ie: the photographs. If somebody has pictures of themselves raping kids and the police use computer forensics to obtain the pictures, then the pictures are evidence. If somebody has pictures of somebody else raping kids, and the police use computer forensics to obtain them, they are not going to be able to prove beyond a shadow of a doubt that the person knowingly possessed the pictures, even if the forensics indicate that they did.
Title: Re: In reality, computer forensics are often worthless for evidence
Post by: kennypowders on July 07, 2013, 12:56 am
kmfkewm, just shoot straight with us for once on this issue. Just how much CP do you view?
Hourly? Daily? Weekly? Monthly? Yearly?

Title: Re: In reality, computer forensics are often worthless for evidence
Post by: kmfkewm on July 07, 2013, 01:24 am
I am not really talking about CP in this thread; it is just the best example of why computer forensics are often worthless for establishing guilt. I view as little CP as possible, as it doesn't interest me in the slightest.
Title: Re: In reality, computer forensics are often worthless for evidence
Post by: kennypowders on July 07, 2013, 01:41 am
Okay, okay, I totally believe you.

And your OP was interesting. Quite thought provoking... perhaps we will see some future defense attorneys try to swing this?

With distant admiration,
Kenny 'I hate kids. Why would I want to fuck them?' Powders
Title: Re: In reality, computer forensics are often worthless for evidence
Post by: kmfkewm on July 07, 2013, 02:09 am
Defense attorneys should definitely try to swing this. Particularly people who have been arrested for sharing CP on the Gnutella network, and convicted based entirely on forensic analysis of their drive. If the forensic technicians did not rule out the attack in the .pdf I linked to, then the integrity of their analysis is clearly compromised and I would imagine that the evidence should be thrown out, especially if they no longer have a copy of the drive for further analysis or if they conclude that they cannot differentiate between someone who intentionally downloaded and shared CP and somebody who fell victim to this attack. I have never heard of somebody trying to use this particular attack as a defense in court (although some people have tried to use a virus defense, they often fail as there is no presence of a virus detected. Somebody skilled in hacking and forensics needs to demonstrate that the inability to detect a virus does not rule out forensics coming to an incorrect conclusion). In fact, I doubt that anybody has even considered this as a defense. The presented attack has always been in terms of turning Gnutella into a DDoS botnet (get arbitrary nodes to download files from a website to drain its resources); I don't know if anybody has considered the implications this attack has in regard to establishing guilt in cases involving illegal file possession and transfer.
Title: Re: In reality, computer forensics are often worthless for evidence
Post by: Miah on July 07, 2013, 01:12 pm
Quote
Defense attorneys should definitely try to swing this. Particularly people who have been arrested for sharing CP on the Gnutella network, and convicted based entirely on forensic analysis of their drive. If the forensic technicians did not rule out the attack in the .pdf I linked to, then the integrity of their analysis is clearly compromised and I would imagine that the evidence should be thrown out, especially if they no longer have a copy of the drive for further analysis or if they conclude that they cannot differentiate between someone who intentionally downloaded and shared CP and somebody who fell victim to this attack. I have never heard of somebody trying to use this particular attack as a defense in court (although some people have tried to use a virus defense, they often fail as there is no presence of a virus detected. Somebody skilled in hacking and forensics needs to demonstrate that the inability to detect a virus does not rule out forensics coming to an incorrect conclusion). In fact, I doubt that anybody has even considered this as a defense. The presented attack has always been in terms of turning Gnutella into a DDoS botnet (get arbitrary nodes to download files from a website to drain its resources); I don't know if anybody has considered the implications this attack has in regard to establishing guilt in cases involving illegal file possession and transfer.

The implications are huge. For example, what if someone were to use that same technique you described to plant CP on a Senator's PC? Maybe a rival would, or an opposing party? In China things like that are done all the time, but it's more on the B/E kinda missions. However, I'm sure if a Senator was being accused the big guns would come out and maybe even get some help from the NSA if he's got the right connects.

Since we have a dialog going on, there's something I've been contemplating. So we're all aware that the NSA is spying on internet communications, so that means it's receiving data from our computers and networks; would it not then be possible to have some sort of defensive measure? Just off the top of my head, maybe some sort of virus or scrambler... I haven't really thought it all out and I'm not sure if it would even work considering the NSA's hardware. The dudes that work there are proficient, I'm assuming, but watch this: Edward Snowden is a high school dropout with no education in the computer field and he got into the NSA. Yes, he was in the army for a year and a half, but how does someone get into the NSA with that little experience? That's not to belittle Edward Snowden, that's not the point; the point is I don't think the guys that work there are super geniuses.

Besides using Tor and such things, my view is to protect the computer from network spying and traffic spying. There's a lot of open source programs that do this, but I'm talking about adding another feature where it shows the activity but launches its own attack. What kind of attack and if it would work is beyond me at this point. What do you think?
Title: Re: In reality, computer forensics are often worthless for evidence
Post by: Miah on July 07, 2013, 01:22 pm
Also, what OS do you think offers the most security? I've been looking at OpenBSD, Qubes looks nice, there's a whole bunch of Linux OSes, but I've been a Windows user my whole life (not proud of that) lol
Title: Re: In reality, computer forensics are often worthless for evidence
Post by: thecatinthehat101 on July 07, 2013, 01:36 pm
"Well now you know and knowing is half the battle GI Joe"

http://www.youtube.com/watch?v=iEVb7aM1K5g

P.S. I think it was an SD card in the camera too