Internet forensics judgment: An analysis of options available for better judgment

Shri


This morning, when I checked my Google alerts, I found something of technical interest: a case decided by the judiciary in favor of the convict, which had resulted in mass criticism, with the media even shouting that the New York Court of Appeals had ruled that looking at child pornography is not a crime.

 

The entire story was published by the Connecticut Law Tribune in the form of an article by Attorney Monique Ferraro, manager of Technology Forensics LLC, and is available online at http://www.ctlawtribune.com/getarticle.aspx?ID=42167

 

Forensic examination is something that can never be generalized: every case is different and every examination has its limitations. Still, a number of things persuaded me to write this article. Though I am not an expert in law, I assume that viewing child pornography is as much a crime as storing the images. Working in forensics, I do understand that data stored in the cache is not intentional storage. Normally people do not deliberately store files in the cache (though nothing prevents them from storing files in cache folders if they want to). Yet I disagree with the point that cached content has not been viewed at all: data ends up in the cache when a page is opened or something is viewed.

I also do not dispute that the page might have been opened unintentionally owing to some malware or malicious script, but to prove or accept that, more analysis is required. Data simply being in the cache does not qualify as unintentional in any case.

What about when we open a web page intentionally? Those images are located in the same cache storage where the supposedly unintentionally opened images are stored. To conclude that the download was unintentional, I think several more factors need to be considered. I list a few of them below, one by one.

 

  1. Which browser was used in this case? Every browser has a default location for storing temporary data. This location can be modified, but a modified location is easy to find. This means that finding a file in a particular cache folder tells you which browser opened it. Here are a few default paths for the cache folders:
    1. Internet Explorer: C:\Documents and Settings\username\Local Settings\Temporary Internet Files (for Win2000 and Windows XP) and C:\WINDOWS\Temporary Internet Files (for Win95, Win98, Windows ME)
    2. Firefox: C:\Documents and Settings\<username>\Local Settings\Mozilla\Firefox\Profiles\<profile ID>\Cache (Windows XP)
    3. Google Chrome: C:\Documents and Settings\<username>\Local Settings\Application Data\Google\Chrome\User Data (Windows XP) and C:\Users\<username>\AppData\Local\Google\Chrome\User Data (Windows Vista)
  2. Once we know which browser was used, analyzing the settings of that browser becomes important. Very often these uncalled-for pop-ups are blocked by the pop-up blocker; most browsers come with a pop-up blocker that does not allow pop-ups.
  3. Identify the pages from which these pictures arrived. This can be done with the help of the following:
    1. Browser history: check the history of the browser to understand the websites visited and the possible source of the images.
    2. Searching for the potential source of the image: once you have the images that you believe came from the Internet, try reverse image search engines such as "Tineye", "RevIMG" and the like. These search engines take your uploaded image and try to find matching images on the web, which can potentially disclose the source, or a potential source, of the image.
    3. If a suspected URL is found, check two things:
      1. Is there any page linking to this page that could lead a user to it (to support the hypothesis that it was accidentally downloaded)?
      2. Is there any malicious script running on that page?
  4. Corroborate the image with the browsing history to get better insight.
  5. Check for any BHO (Browser Helper Object) installed on the system.
  6. Very often the files downloaded from a page are downloaded at the same time. Timestamp analysis can reveal a lot, including malware. Check the files downloaded at the time the suspected files were downloaded.
  7. If the source can be traced, the scenario can be reconstructed to understand whether the file was downloaded without the user seeing it, downloaded accidentally, or downloaded willfully.
  8. Check the anti-virus. Very often anti-virus products are capable of detecting malicious scripts and blocking them. Their logs can be extremely helpful in identifying whether something was blocked and yet willfully viewed.
  9. Typed URLs are specifically recorded by Internet Explorer in the registry at HKCU\Software\Microsoft\Internet Explorer\TypedURLs (keeps the last 25 typed URLs). There are a number of tools to parse the equivalent information for Chrome, Firefox and Opera; of course, this information is spread across several logs.
  10. Reconstruct the entire scenario: the disk image can be booted in a virtual environment for further analysis. This can be done with the help of VMware and "Live View", and helps in understanding the behavior of the browser.
  11. Log2timeline is an extremely good tool for building a timeline from the evidence image. There are a number of add-ins for analysis.
  12. Check the timestamps on the file. If the creation date and the access date of the file are distinct, it is possible that the file has been viewed repeatedly, or that the page on which it is located has been accessed repeatedly.
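The two timestamp checks above (files fetched together with the suspect file, and files whose access date differs from their creation date) can be scripted over a cache listing. The following is an added example, not code from the original post; the cache entries are constructed sample data, and the file names and times are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample of cache-folder metadata (hypothetical, not from any real case):
# (file name, creation time, last-access time) as a forensic tool would list them.
SAMPLE_CACHE = [
    ("index[1].htm",   "2012-03-01 21:14:02", "2012-03-01 21:14:02"),
    ("banner[1].gif",  "2012-03-01 21:14:03", "2012-03-01 21:14:03"),
    ("suspect[1].jpg", "2012-03-01 21:14:05", "2012-03-09 08:30:41"),
    ("track[1].js",    "2012-03-01 21:14:05", "2012-03-01 21:14:05"),
    ("photo[1].jpg",   "2012-03-04 10:02:17", "2012-03-04 10:02:17"),
]

FMT = "%Y-%m-%d %H:%M:%S"


def parse(entries):
    """Turn (name, created, accessed) strings into dicts with datetime values."""
    return [{"name": n,
             "created": datetime.strptime(c, FMT),
             "accessed": datetime.strptime(a, FMT)} for n, c, a in entries]


def co_downloaded(entries, target, window_seconds=10):
    """Names of files created within +/- window_seconds of the target's creation.

    Resources pulled in by one page load land in the cache almost together, so
    this set approximates everything that page fetched (scripts included).
    """
    rows = parse(entries)
    t0 = next(r["created"] for r in rows if r["name"] == target)
    win = timedelta(seconds=window_seconds)
    return sorted(r["name"] for r in rows
                  if r["name"] != target and abs(r["created"] - t0) <= win)


def accessed_on_later_day(entries):
    """Names of files whose last-access date differs from their creation date,
    a hint that the file (or its page) was opened again after the download."""
    return sorted(r["name"] for r in parse(entries)
                  if r["accessed"].date() != r["created"].date())
```

Note that on Windows Vista and later NTFS last-access updates are disabled by default, so an access date equal to the creation date proves nothing on its own; browser history and cache index records are the better source there.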

 

There are a number of other pointers to work on in this case; all I want to bring to notice is that, with recent developments in digital forensics, a far more detailed analysis is possible.

I do not doubt the capabilities of the investigator, nor do I wish to comment on the facts of this case. All I want is to partially bring out what can be done, or could have been done, in a case like this.

 

Please note that this article is written presuming that the system is running some kind of Microsoft operating system, though it is partially valid for other operating systems as well.

 

By no means do I claim this article to be comprehensive, as there are a number of additional ways to carve out the evidence. I shall soon come up with a more detailed article, or possibly a presentation, on the same topic.

 

Disclaimer: By no means is this article a comment on the judgment, nor is it related to anything pertaining to my company. It is my personal view and possibly a little help for future investigations in similar cases.

About the author

boonlia
