Wednesday, October 20, 2010

It’s not always what you find...

by Forensic Focus columnist, Sam Raincock

Sam Raincock from SRC is an IT and telecommunications expert witness specialising in the evaluation of digital evidence. She also provides training and IT security consultancy.

In digital forensics we are often asked to determine the presence of evidence. However, what happens when we do not find anything? How do we prove something wasn’t there?

Proving something is present is generally a trivial problem – you find it, it’s there. Of course, the complex part is explaining how it came to reside on a digital device and the circumstances surrounding it; that is what the field of digital forensics is all about. However, proving something isn’t there, or was never there, is also a question we are asked to comment on. Take the following for example:

· Examine this laptop and establish if it has accessed the website http://www.forensicfocus.com.

· Examine this mobile telephone and determine if it sent a text message with the content “Forensic Focus”.

Let’s look at the first example. If the examination concludes that there is “no evidence of access to http://www.forensicfocus.com”, what remains is proving (or commenting on) a negative. Just because you do not find any evidence of connections to the site, does this imply that no connections ever occurred?

There are three main possibilities to consider. Firstly, the techniques used in your examination were not capable of finding the evidence even though it is present. For example, if an initial examination only looked at the live Internet history, a subsequent examination of unallocated space could recover deleted Internet history and establish further evidence.

Secondly, you found the evidence but were unable to interpret it, so you did not establish its meaning. For example, you found a partial registry file in unallocated (deleted) space but did not have the knowledge to interpret it and extract the evidence.

Thirdly, there is genuinely no evidence on the device of any connection to http://www.forensicfocus.com. So no connection ever occurred?

Even in the last situation, on a computer the absence of evidence is often not evidence that it was never present. Data on a computer can be deleted and then overwritten, so it is possible that an event occurred but evidence of it is no longer available...
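
The following Python script is an added illustration of the first and third possibilities above; it is not code from the original column. It builds a constructed toy disk image (64-byte sectors, a newline-delimited "time|url" history file, and a deleted record left in unallocated space; all of the layout, record format and URLs are invented for the example) and then runs the same question three ways: a live-history-only search, a pattern-carve of unallocated space, and the same carve after the freed sectors are reused. It goes slightly beyond the text in also showing the intermediate case where a partial overwrite leaves only a keyword fragment that no longer forms a parsable record.

```python
import re

# Constructed toy disk image for the example: 64-byte "sectors". Sectors 0-1 are
# allocated to a live history file (newline-delimited "time|url" records);
# sectors 2-3 are unallocated but still hold a record the user deleted earlier.
# Layout, record format and URLs are all invented for this illustration.
SECTOR = 64
LIVE_END = 2 * SECTOR          # byte offset where unallocated space begins

URL_RE = re.compile(rb'https?://[A-Za-z0-9.-]+(?:/[^\x00\s"<>]*)?')


def build_image():
    live = (b"2010-10-18T09:12|http://www.example.org/\n"
            b"2010-10-19T14:03|http://intranet.local/\n")
    # The deleted record is placed so it straddles the sector 2/3 boundary;
    # a new one-sector file written later will destroy only part of it.
    deleted = b"\x00" * 40 + b"2010-10-17T11:30|http://www.forensicfocus.com/\n"
    image = bytearray(4 * SECTOR)
    image[:len(live)] = live
    image[LIVE_END:LIVE_END + len(deleted)] = deleted
    return image


def live_history(image):
    """What a 'live history only' examination sees: parse the allocated file."""
    text = bytes(image[:LIVE_END]).rstrip(b"\x00").decode("ascii")
    return [tuple(line.split("|", 1)) for line in text.splitlines() if line]


def carve_urls(image):
    """Pattern-carve complete URLs from unallocated space, ignoring file-system
    metadata; this is what recovers 'deleted' history."""
    region = bytes(image[LIVE_END:])
    return [m.group(0).decode("ascii") for m in URL_RE.finditer(region)]


def keyword_hits(image, keyword):
    """Offsets of a raw keyword in unallocated space; catches fragments that
    no longer form a parsable record."""
    region = bytes(image[LIVE_END:])
    return [LIVE_END + m.start() for m in re.finditer(re.escape(keyword), region)]


def overwrite_unallocated(image, payload):
    """Simulate the OS reusing freed sectors for a new file. Only the whole
    sectors the new file occupies are rewritten; sectors beyond its end keep
    their old contents."""
    n_sectors = -(-len(payload) // SECTOR)          # ceiling division
    padded = payload.ljust(n_sectors * SECTOR, b"\x00")
    end = min(LIVE_END + len(padded), len(image))
    image[LIVE_END:end] = padded[:end - LIVE_END]


def examine(image, url, carve=True):
    """Classify what an examination can say about `url`:
    'live'           - present in the allocated history file
    'deleted_record' - complete record carved from unallocated space
    'fragment'       - only the host name survives after a partial overwrite
    'absent'         - nothing found with the techniques used
    An 'absent' verdict is bounded by the techniques applied; it is not proof
    that the site was never visited."""
    if url in {u for _, u in live_history(image)}:
        return "live"
    if not carve:
        return "absent"
    if url in carve_urls(image):
        return "deleted_record"
    host = url.split("//", 1)[1].split("/", 1)[0].encode("ascii")
    if keyword_hits(image, host):
        return "fragment"
    return "absent"


if __name__ == "__main__":
    target = "http://www.forensicfocus.com/"
    img = build_image()
    print("live history only :", examine(img, target, carve=False))   # absent
    print("with carving      :", examine(img, target))                # deleted_record
    overwrite_unallocated(img, b"A" * 40)     # one 64-byte sector reused
    print("after 1 new sector:", examine(img, target))                # fragment
    overwrite_unallocated(img, b"B" * 100)    # two sectors reused
    print("after 2 sectors   :", examine(img, target))                # absent
```

The first two verdicts differ only in the technique applied to the same image, which is the first possibility above: the live-only search reports "absent" while carving finds the complete deleted record. The last two show the third possibility: once the freed sectors have been reused, the same carving technique returns "absent", and nothing on the device distinguishes that state from one where the visit never happened.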

Read more at http://www.forensicfocus.com/sam-raincock
