Tuesday, November 30, 2010

My cat did it – honest, Guv!

by Sam Raincock

Sam Raincock from SRC is an IT and telecommunications expert witness specialising in the evaluation of digital evidence. She also provides training and IT security consultancy.
and he did it via remote access...

When evaluating computer forensics cases the tricky part is often not just evaluating what is found but determining how it came to reside there.

"It was downloaded via a web browser because I identified it in Temporary Internet Files..."
"I reconstructed the webpage and the image was downloaded as part of the page presented as SR1..."
"There is also evidence in the Internet History to support the proposition that the image was downloaded as part of the webpage..."
"Access to this website occurred after use of the search term 'Forensic Focus'...”

However, sometimes computer forensics isn’t just about what happened and proving intent, it’s also about proving whodunit and ensuring the correct person is prosecuted for the crime they committed.

In the simplest of scenarios, it may be that an organisation has a policy (or not, as the case may be) of sharing user accounts or that the computer is used in a location where multiple people have access to it. In these situations, it may be that the perpetrator alleges that someone else is responsible or that there is doubt about who is the culprit.

Beyond Reasonable Doubt?

If a case is not investigated fully, it could fall at the first hurdle no matter how strong the evidence is of the crime. Ultimately, in a Criminal Court in the UK, the Prosecution needs to prove that the case against an accused is deemed to be beyond reasonable doubt. There are books written on the meaning of this phrase and suffice to say I am neither qualified nor knowledgeable enough to comment on its full meaning. However, in essence, it is built upon the fundamental principles that a person is innocent until proven guilty and that a Judge/Jury/Magistrate must be sure that the person is guilty (and if not, they should return a verdict of not guilty). Hence, this may present a problem for prosecuting computer cases where it can be clearly shown other people were accessing the computer...

Read more at http://www.forensicfocus.com/sam-raincock

Monday, November 29, 2010

Interview with George Chlapoutakis, Digital Forensics lecturer and owner of SecurityBible Networks

Lecturer in computer science and digital forensics, and owner of SecurityBible Networks, George is also a well respected member and contributor in the Forensic Focus forums, posting under the username DarkSYN.

Read our interview with him at


Friday, November 26, 2010

Project Ideas for Digital Forensics Students

Ideas for student projects suggested by Forensic Focus members (in the hope that further research will be shared with the rest of the computer forensics community) are available at the following page:


If you decide to base your project on one of these suggestions please contact us so that we can discuss making your work available to other researchers and practitioners. By doing so you will be making an immediate and positive impact on the field of digital forensics.

Please note: Projects marked with an asterisk (*) have been suggested by practitioners who are willing to discuss the subject matter in further detail and provide a limited degree of guidance to those students who have already formally agreed the project with their own supervisor. Contact us for details.

New project suggestions are always welcome and should be submitted here together with a short description and an indication of what level of support/guidance, if any, you are happy to provide to students.

Wednesday, November 10, 2010

Interview with Stephen Mason - Barrister, author and publisher

Forensic Focus: Stephen, can you tell us something about your background?

Stephen Mason
Stephen Mason

Stephen Mason: After leaving school in 1972 and spending six months at a bank in London, I joined the army (1973-1982). I served in what used to be known as the Royal Army Ordnance Corps as an Ammunition Technician. This work involved the inspection, repair and disposal of military ammunition, and included what is colloquially known as bomb disposal (this includes military bombs found from previous wars (known as explosive ordnance disposal ‘EOD’) and improvised explosive devices ‘IED’, commonly known as terrorist bombs).

I left the army to take a degree in 1982. My first degree is in history and educational philosophy, and I then took further qualifications to become a Barrister. I was called to the Bar in 1988.

Forensic Focus: How did you become involved in writing on electronic signatures?

Stephen Mason: In the autumn of 2002 I realised that few people knew anything about electronic signatures, so I sent in a book proposal to LexisNexis. It was duly accepted, and I wrote the text in the spring and summer of 2003. I had already written about the topic, and wanted to write a book that was useful to lawyers, ordinary users and technical people to illustrate the different types of electronic signatures that the law recognizes. This book covers over 100 jurisdictions with case law, and it is now in the second edition (Electronic Signatures in Law (2nd edn, Tottle Bloomsbury Professional Publishing, 2007)), and I am presently up-dating the text for a third edition in 2011.

The point is, electronic signatures cover a wide range of law, including: Employment law; family proceedings; divorce proceedings; formation of contracts; insurance; ewills; public administration; judicial use; property transactions; local government; planning applications; criminal proceedings and corporations. The list is endless.

Forensic Focus: You have been responsible for two books on electronic evidence, both of which are a first, and both are substantial texts. What made you do it?

Stephen Mason: Once the book on electronic signatures was published, my publisher wrote to ask me if there was sufficient material for a book on electronic evidence and electronic disclosure. I was convinced there was, although there was a gap between the initial e-mail (2004) and the first book being published (2007). Now in its second edition (Electronic Evidence (2nd edn, LexisNexis Butterworths, 2010)), I intend it to be a useful guide to lawyers and digital evidence specialists covering, as it does, 11 jurisdictions: Australia, Canada, England & Wales, Hong Kong, India, Ireland, New Zealand, Scotland, Singapore, South Africa and the United States of America.

The second book came about as a result of my work on the first book. I realised that the issue is global in nature, which is why I put together an additional 35 jurisdictions and edited the second book: International Electronic Evidence (British Institute of International and Comparative Law, 2008), covering: Argentina, Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Egypt, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Mexico, Netherlands, Norway, Poland, Romania, Russia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Thailand and Turkey.

Forensic Focus: You then went on to found and publish a new journal, the Digital Evidence and Electronic Signature Law Review. Why?

Stephen Mason: Once I finished my book on electronic signatures, I realised that most legal journals would not really focus on the practical legal issues and case law that I expected to occur in these fields as the century progressed. This is why I began the journal. It has gone through three name changes, partly because of my attempt to get the title right, partly to ensure people understand what the journal covers. I include articles, legal developments and case reports from judges, lawyers, academics and digital evidence specialists. I aim to cover the industry in relation to digital evidence and electronic signatures from across the world. I also include reports on technical advances and book reviews. Additionally, I publish case reports and translations into English of cases relating to electronic evidence and electronic signatures from across the world...

Read more at http://www.forensicfocus.com/stephen-mason-interview-051110

Monday, November 01, 2010

UK legal professionals - interested in writing for Forensic Focus?

Forensic Focus is looking for someone within the UK legal profession who might be interested in joining the current group of Forensic Focus columnists by writing a monthly column on computer forensics/computer crime issues.

This is not a paid position but would be useful for anyone wishing to raise their profile within the computer forensics community and present the perspective of UK legal professionals involved in this field. If you're interested, or would like to recommend someone who might be, please contact admin@forensicfocus.com