Forensics: Maintaining a balance in Computer Forensics

A few questions on the issue of proportionality:

  1. If a person was accused of shoplifting, would you track his mobile phone records over the past week?
  2. If a person was accused of domestic violence against his wife, would you DNA sweep the entire city where the assault occurred, just to check it was him and not somebody nearby who looked like him (and happened to live with his wife)?
  3. If a man was caught drink driving and failed a breath test, would you fingerprint the car and the pub he had been to?
  4. If a man was accused of murder, would you take a DNA swab from the suspect and compare it to the scene?

The answers to questions 1 to 3 should be “No, of course not”. The answer to (4) should be “Yes, of course”.

When dealing with traditional forensics, these decisions about balancing proportionality seem to be made regularly and without problems. The arresting officer of a drunk driver would not be expected to call the scenes of crime officer to fingerprint the car he has just arrested the drunk from. The CPS would not ask the officer charging a shoplifter to conduct a full mobile phone analysis, and the courts would not expect a city-wide DNA check for domestic violence. But this same logic and common sense is not applied to computer investigations.

Computer forensics is increasingly full of questions that are far out of proportion to the case:

  • Have you used a SHA-1 hash rather than an MD5 hash?
  • Have you checked for viruses with more than 3 different tools?
  • Have you checked for steganography?
  • Have you checked that the Word documents have not been converted to DLLs in an attempt to hide data?
  • Have you recovered all of the file slack?
  • Have you considered the attack on the MD5 hash?

Most people in computer forensics will have come across some or all of these questions, and all who have will no doubt have answered them to the best of their ability. However, virtually all of these questions are quite pointless, and are the equivalent of tracking a shoplifter's movements for the past year. The shoplifter has been seen to take the goods, it's on CCTV, he has the goods on him, he has no money or any means of paying, and he tried to leave the shop. It's pretty clear cut. There is no reason to track his movements for a year or a week, especially when all he stole is a block of cheese worth £3.50.

Computer forensics needs to take the same approach. If you are investigating an individual for fraud, and you find emails and spreadsheets on his computer and on backup tapes from the past year showing the fraud, then the issue of file slack is not relevant. The issue of virus checking is not relevant. In fact, a whole range of questions that the forensic investigator may try to pre-emptively answer are probably not relevant.

If a person has child abuse images on his computer, whether it is 100 or 100,000, he has child abuse images on his computer. Going through unallocated space and file slack is not required, and discussions about MD5 and SHA-1 should certainly not be required. The offence is complete. The trojan horse defence is a known defence, so this should be looked into. But steganography? No, not really. If the CPS already have 100,000 images, what are they hoping for, 100,001?

“Aaah, but he could have converted his Word documents to EXE files; you can't prove that didn't happen…” Does that matter? Is that a problem that is happening regularly? Is there any evidence to suggest that it has occurred? Has a keyword search produced lots of hits in EXE files that would not be expected? Is the person very tech savvy?

The 17-year-old, white male, heroin-addicted shoplifter may be a deep, deep undercover agent for the Taliban. He may be; you can't prove that he isn't, on first look. But nobody is suggesting MI5, MI6 and the CIA are called in to conduct a deep investigation into this shoplifter's background. But with computer forensics, this seems to be what happens.

If it could happen, in theory, then we must investigate it and eliminate it.

Steganography, DCOs (Device Configuration Overlays), and hash values are often the subjects of great debate in the forensics industry and at universities.

Furthermore, these questions are often discussed regardless of the crime. If a person is orchestrating a terrorist network through his laptop, these are fair questions to ask, but if a person has faked £100 worth of receipts then they are not.

But equally, if a person is being investigated for manslaughter following a drunken fight outside a nightclub, the computer of the suspect will be seized, but does it really matter if the DCO is not looked at? This was not a premeditated crime; there is CCTV, DNA, and eye witness accounts. Is the issue of MD5 versus SHA-1 hash values really going to come into play in the investigation? In fact, is the computer going to have any real effect on the conviction of the person? Possibly, but it should all be kept in proportion.

If the evidence is a Word document on a backup tape and an email server, then don't look for steganography; you already have your conviction.

Many of these questions seem to get asked because the CPS doesn't have the guts to do their job properly, but those in the computer forensics industry should still try to bring the same level of proportionality to investigations that other forensic investigators do.


One Response to “Forensics: Maintaining a balance in Computer Forensics”

  1. Concept Searching: Better or Worse than a Human? « Data – Where is it? Says:

    […] There is of course a risk to using concept searching, there is a risk to humans reviewing, and there is a risk to choosing keywords and the use of those keywords. It is about assessing those risks. […]
