These days it is almost impossible to get anything accomplished without the help of an electronic device. This means that our family and work lives are all tied up in some sort of database, which could range from a cell phone to a computer server at work. This also means that these devices can harbor our most private secrets, which, if taken out of context, could destroy your life and reputation *cough* S0nY.
The example below is a real case that we have worked (on many occasions), but the case details have been left out in order to conceal the litigants.
Let us say that a three letter agency has accused you of committing a crime that, in your words, you did not do. Let us further say that this crime involves data being downloaded to your computer. What would be your options? How would you proceed on this matter? What if the charges brought against you only existed because a three letter agency said they found something? Should you trust them? Should you get a plea deal?
So here are the options your attorney will most likely offer you:
1) Plead-Guilty and Settle because anything brought up in front of a jury, true or not, will not look good for your case as the three letter agency has magical powers, never omits, never makes mistakes and is neutral-ish :/
2) Plead Not-Guilty and fight it in court in order to convince the jury that the three letter agency is an insufficient expert. Good luck!
If you did not download the data, both of these options are terrible, and in most cases people settle because they do not have the money or the evidence to prove otherwise. That is why it is important to reach out to a certified forensic examiner who understands how computers, servers, cell phones, cell towers (ping theory) and malware work.
It should be further noted that when these cases are brought to a three letter agency, they have one job. That job is to determine IF the data exists OR does not exist on that device, which is typical case work that should be sufficient for court. Right? An example of this would be: “We found the bloody knife in his hand”. Well, that is also most likely an open and shut case, right? Okay, now let us look at it from a digital device perspective: “Well, we found the data on his computer”. Open and shut case? I would argue, never.
As an examiner it is my responsibility to bring the TRUTH, regardless of whether it incriminates my client. The point of an examination is to fully understand the data.
Multiple questions should be asked:
How did the data get on the computer?
What is the last accessed date?
When was the file/s created?
This information is critical when working all our cases, as the client might not even be aware of the computer's actions or that the file even existed on the computer. Below I have created a timeline example along with a shortlist of questions that SHOULD be asked and ANSWERED when evaluating a computer.
An example of a timeline could go as follows:
1) At 08:00:01 user went to www.AlocalNewsSite.com
2) 08:00:01 the computer downloaded 4 different files
3) 08:00:30 computer went to a site called www.THISisaVirusWebsite.com
4) 08:00:32 computer downloaded 10 different files and executed them.
Now, what information or questions do you have from that small set of information?
1) Is it possible for a human to go to a website and manually download 4 files in 1 millisecond?
2) Is it possible for a human to click to another website within the next 29 milliseconds?
3) Was this action a mouse click or was it something in the webpage?
4) Why would this person go to this new website?
5) Have they ever been there before?
6) Is this website known for having malware?
7) What can that malware do to a computer?
8) The next and final question I would have is, “Is it possible for a user to manually download 10 files after being on a new website for 2 milliseconds?”
As you can tell from just 4 pieces of information I was able to easily create 8 questions. Now imagine if you had to look at an entire 1TB hard drive! That is why I echo that it is highly important for you to get a certified forensic examiner who has been tested and can help you and your client get to the real answer of what happened on your computer.
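The questions above can be turned into a repeatable first-pass check over a timeline. The sketch below is an added example, not from the original article or any Alias Forensics tooling; the record layout, the `MIN_SECONDS_PER_FILE` threshold and the `KNOWN_SITES` history are assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample: the four timeline entries from the article, as
# (time, action, site, file_count) records. Field layout is an assumption.
TIMELINE = [
    ("08:00:01", "visit", "www.AlocalNewsSite.com", 0),
    ("08:00:01", "download", "www.AlocalNewsSite.com", 4),
    ("08:00:30", "visit", "www.THISisaVirusWebsite.com", 0),
    ("08:00:32", "download+execute", "www.THISisaVirusWebsite.com", 10),
]
# Assumed threshold: a person needs at least this long per manual download.
MIN_SECONDS_PER_FILE = 2.0
# Constructed browsing history used to answer "have they been there before?"
KNOWN_SITES = {"www.alocalnewssite.com"}

def review(timeline, known_sites, min_per_file=MIN_SECONDS_PER_FILE):
    """Return (time, site, reason) findings an examiner should explain."""
    findings = []
    page_loaded = {}  # site -> time of the most recent visit
    for stamp, action, site, files in timeline:
        when = datetime.strptime(stamp, "%H:%M:%S")
        key = site.lower()
        if action == "visit":
            page_loaded[key] = when
            if key not in known_sites:
                findings.append((stamp, site, "first visit to this site"))
            continue
        # Downloads: compare time on page with the time a human would need.
        loaded = page_loaded.get(key)
        if loaded is None:
            findings.append((stamp, site, "download with no recorded visit"))
            continue
        elapsed = (when - loaded).total_seconds()
        needed = files * min_per_file
        if elapsed < needed:
            findings.append((stamp, site,
                f"{files} files in {elapsed:.0f}s, manual use needs ~{needed:.0f}s"))
        if "execute" in action:
            findings.append((stamp, site, "downloaded files were executed"))
    return findings

if __name__ == "__main__":
    for finding in review(TIMELINE, KNOWN_SITES):
        print(*finding, sep=" | ")
```

Each finding is a prompt for further examination, not a conclusion: it marks where the recorded activity is hard to attribute to a person at the keyboard.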
If you have a case that is related to any digital data: email, deleted text messages, deleted computer files, intellectual property, malware or illegal data material please reach out to Alias Forensics for a professional consultation.