Computer Forensics: An Example

Paul Ceglia's lawsuit against Facebook is fascinating, but that's not the point of this blog post. As part of the case, there are allegations that documents and e-mails have been electronically forged. I found this story about the forensics done on Ceglia's computer to be interesting.

Posted on April 3, 2012 at 6:53 AM • 25 Comments

Comments

Jan Willem de Vries • April 3, 2012 7:45 AM

The most remarkable thing being that the disks etc. are investigated by a forensic team from Facebook. IMHO, then every FB-positive outcome is possible.
Giving over this material to a forensic team of the accused party is the same as giving up your claim.
It would have been different if a combined forensic team of both parties or a team from the court had done the research.

xxx • April 3, 2012 8:01 AM

@Jan: Nowhere does the article state that FB worked with the hardware. The usual way is to make a copy of the disk and investigate that. I would be surprised if independent copies didn't exist to verify any claims.

JimFive • April 3, 2012 8:02 AM

@Jan
That's the way it works. The defendant has the right to examine the evidence against them. If you say, "I have these documents on my computer" the defense gets to say "Let me see that computer."
--
JimFive

JimFive • April 3, 2012 8:06 AM

@xxx
This statement in the article: "Ceglia has since claimed these were planted post-facto on his computer and his lawyer’s by Facebook" at least implies that they are not working from copies. If they were then it would be simple to refute that claim.
--
JimFive

Rob • April 3, 2012 8:29 AM

The business with the time zone offset is misleading; it implies the timezone was set correctly on the source system when the emails were sent. I have noticed a lot of personal computers where the clock displays the correct time but the timezone is incorrect.

Pedantic • April 3, 2012 8:40 AM

@JimFive
Please re-read the article in full.
First, there is small chance that a lawyer's computer (which will have large amounts of work-product on it) is going to be examined by the opposing counsel. Instead the article states: "The firm produced the e-mail pursuant to a subpoena, which had the same image of the contract attached."
Second, the article explicitly states: "Facebook’s forensic team imaged Ceglia’s hard drive", which means they made a copy of the hard drive to use for their examination. They did not run their examinations on the original hard drive.

Ross Patterson • April 3, 2012 8:45 AM

@JimFive: Indeed, the text of the report makes it clear that the court ordered Ceglia to turn the actual computers over to Facebook's investigators, and that he did so in at least most of the cases. The report also says quite clearly that the court authorized the investigators to "create “forensically-sound copies” of the electronic assets produced by Mr. Ceglia" and then "to search those electronic assets" - not the copies.

All of which sounds unusual.

Fred P • April 3, 2012 8:48 AM

@Jan Willem de Vries-
In the U.S.A., for a civil suit, that's how it works.

That said, there's nothing preventing Ceglia from having their own investigatory team investigating the same evidence and/or from challenging each point from Facebook's team.

Preston L. Bannister • April 3, 2012 9:21 AM

Re-installing Windows is a suspect activity? Wow. I must be really guilty of *something*.

Now if *only* the supposed-forged emails from that time had the wrong timezone set, then I would be highly suspicious. If there are any other emails from that time, and they have the same timezone offset, or if he sent email to a third party, or posted in public - with the same error - then it is more likely he simply had a mis-set clock.

Captain Obvious • April 3, 2012 9:21 AM

Apparently running your OS with an incorrect (and likely default) time zone is evidence of forensic fudging.

Also, reinstalling Windows at least twice in an 8 year period is highly suspicious. I guess reimaging mine at least annually would put me on a terror watch list.

Clive Robinson • April 3, 2012 9:34 AM

The fact they say he re-installed Windows also means he is likely to have upgraded applications as well, and is actually an awkward point for both parties to deal with. After all, ask yourself how many times you would have upgraded from the original time of the contract to an up-to-date system today?

Whilst, as acknowledged, there are any number of reasons to do so, including clearing malware out of a system, upgrading to avoid obsolescence alone can have severe knock-on effects.

First and foremost is the issue of "data files" and how you prevent them getting wiped and re-install them from backup etc. whilst also ensuring they can still be accessed...

For instance, saving to floppy or other removable media can change the file system metadata, and this is generally accepted by most people in the industry without comment.

But what if you do it through the application, as you sometimes have to do? It can and often will change the file contents as well...

For instance, say you copy the file from one system to another and find on opening it on the new system that the document is broken. One solution is to load the document into the application from the C drive and save it to a floppy drive or other media the system knows is removable.

You then transfer the file on floppy to the new system and when you open it you discover it looks unbroken. What would you do? Most of us would breathe a sigh of relief and use it as a "war story" for the next time it comes to buying a round of drinks.

What many will not realise is that in the process the application can strip out or change things very significantly.

Sadly you sometimes have to do this when objects in the file are linked rather than embedded (just another reason to hate OLE).

Also consider what happens when you load a document from an old version of an application into a newer version and thus have to re-save it for the new version...

None of these mean that there is any ill intent, but it can be difficult trying to explain this even to people who should understand the issue, let alone people who have a distinctly hostile intent.

It's just another reason why I tell people "paper paper never data" when dealing with information that might have legal implications.

Lurker • April 3, 2012 10:26 AM

Reinstalling the OS multiple times while the files on the computer are subject to discovery IS suspicious - OS installation likes to involve drive formatting, as the article notes. It's behavior that is potentially destruction of evidence, so it IS suspicious in the context of an ongoing lawsuit.

As to timestamps and time zones... if the machine had defaulted to DST off, it would have used GMT-5 (EST) at the latest, certainly not GMT-4. And of course, if it was on, why would it be using DST at the wrong time of the year (Again, assuming it to be as close to the recorded time stamps as is possible for a US time zone)?

I'd say that the questions raised are logical - the best excuse is that the physical hard drives were turned over to Facebook rather than images... and that's pretty damn flimsy to say "they're making this up and perfectly forging data and metadata". No jury is going to buy that forensics teams can conclusively determine data was faked AND that Facebook can fake data in a way forensics specialists can tell... I think. (Never underestimate human stupidity, after all)

David • April 3, 2012 10:29 AM

> "paper paper never data"

"data data never formatting" may work, too - ASCII text isn't going to be unreadable any time soon, and won't be changed in reading/writing. If you need to store previous versions, use git.

-B • April 3, 2012 11:41 AM

There's a reason many larger legal departments were investigating WORM storage back as far as the late 90s. The original can't then be modified and is better able to stand up to any future legal requirements.

anon • April 3, 2012 1:57 PM

Merely formatting a drive, and reinstalling the OS doesn't necessarily destroy any existing data, unless the new OS lands on top of the old data. In many cases, data regions of the drive that remain unallocated can be read and recovered even after a disk is formatted.

And there are much easier ways to over-write deleted data on a hard drive, if that was his intention.

LinkTheValiant • April 3, 2012 2:22 PM

> And there are much easier ways to over-write deleted data on a hard drive, if that was his intention.

You know that, I know that, all of us here know that. But you must remember that we are dealing with non-technically-minded people in the justice system. The sort of people who will conflate "reformatted for any number of reasons, possibly overwriting data" with "deliberately reformatted to overwrite incriminating data".

As various venerable contributors here are fond of reminding us, electronic technology is essentially a black box to the general population. "Well, the expert from the defense says so, so it MUST be true!"

Someone • April 3, 2012 2:54 PM

@Clive:

Copying a file can cause the "last modified" date to become NEWER than the contents of the file. I don't know of any case where it will cause the date to become OLDER than the actual contents of the file.

"This metadata anomaly constitutes evidence of backdating because a file that was last modified in October 2003 could not contain authentic emails from July 2004"

Clive Robinson • April 3, 2012 3:57 PM

@ Someone,

> I don't know of any case where it will cause the date to become OLDER than the actual contents of the file

Don't you?

That surprises me; it used to happen all the time.

The OS does not know what the time or date is; put simply, it cannot. It needs some external reference when it starts up to tell it. The usual way is from the battery-backed Real Time Clock (RTC) and SRAM that also holds all the BIOS settings as well.

Occasionally the battery fails (especially on some motherboards that are more than a couple of years old); on other occasions malware overwrites part or all of the memory, including the RTC. The earliest date the OS can deal with tends to be 1970; with some RTCs the earliest date could be 1900. However, what happens if the RTC is before 1970 is system dependent...

If the RTC gets mucked up it may not be corrected to the correct time and date by the user for some time.

So although I would deem it to be unlikely without examining the file system in a "geological manner", I would not rule it out, because similar things have happened to me.

After all 8-9 human years is the equivalent of 5-6 generations in computing terms.

Tony H. • April 3, 2012 4:37 PM

"This metadata anomaly constitutes evidence of backdating because a file that was last modified in October 2003 could not contain authentic emails from July 2004"

I have a file right here, and the Windows properties include:

Created: 2-Jun-2009, 11:56:25 AM
Modified: 2-Oct-2008, 6:45:00 PM

It's not something I cobbled together using some API or magic command to show off - I just happened to notice the anomaly a few days ago. I am quite sure the desktop and server clocks were never this far apart. Well doubtless there's some plausible explanation for my file, but maybe there is for this unfortunate guy's too.

You can pry my hard drive from my cold, de... oh wait, I DON'T USE ONE! hahahahahahah! • April 3, 2012 5:52 PM

I didn't read the article.

But, on the topic of privacy and security, there's a lot to be said about running The Tor Browser Bundle in an encrypted container (TrueCrypt) on a LiveCD, with the hard drive UNPLUGGED and UNUSED!

(just take the hard drives out and never use them again; USB thumb drives are cheap and can be encrypted with TrueCrypt, too, as an encrypted container, partition, or the whole drive itself; just never use a proprietary OS like Windows or Mac OS X)

As a primer, read:

#Tor OPSEC - Operational Security - Great Resource of Information!

http://cryptome.org/0005/tor-opsec.htm

And:

#Lest We Remember: Cold Boot Attacks on Encryption Keys

https://citp.princeton.edu/research/memory/

If the keys (TC passwords) are in my head, complex enough, and never written down...

With the amount of RAM present in new computers, I see no logical reason to use a hard drive again when Linux LiveCDs, encryption, and thumb drives are on the cheap or free.

No unsafe hardware sex, either, this means no plugging your Tor/Truecrypt thumb drive into another system, any system, except for your Tor/Truecrypt system.

Run audits on your system, verify LiveCDs, make sure your router isn't backdoored like many or maybe all of the Cisco routers. Keep up to date if you use open source firmware for your routers. Consider replacing proprietary routers with an older PC as a router with an open source OS like OpenBSD or a prerolled firewall distro.

Test your connection with remote nmap, dabble with Snort, Tripwire and other monitoring tools.

Don't use external hard drives.

RAM is your friend, always.

Brandioch Conner • April 3, 2012 7:56 PM

@Rob
"I have noticed a lot of personal computers where the clock displays the correct time but the timezone is incorrect."

A simple check would be to see what the headers of the other emails sent during that time period show.

Also, we're going on the presumption that the emails are FROM Ceglia's machine. If they were RECEIVED by Ceglia's machine then that is a different issue. They'd need access to the email headers of the email from the other machine during that time.
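A concrete version of the check Rob, Lurker and Brandioch Conner describe, added here as an example and not taken from the post, the linked article or any commenter: it parses the Date header of a few constructed messages and compares each stated UTC offset with the offset US Eastern time should have carried on that calendar day, using the pre-2007 and post-2007 US DST rules. The assumption that the sender's machine was configured for US Eastern time is mine; nothing from the case itself is reproduced.

```python
import email
from datetime import date, timedelta
from email.utils import parsedate_to_datetime

# Constructed sample messages; only the Date header matters for this check.
SAMPLE_MESSAGES = [
    "Message-ID: <a1@example.invalid>\r\nDate: Thu, 15 Jul 2004 10:12:00 -0400\r\n\r\nbody\r\n",
    "Message-ID: <a2@example.invalid>\r\nDate: Sat, 10 Jan 2004 09:00:00 -0400\r\n\r\nbody\r\n",
    "Message-ID: <a3@example.invalid>\r\nDate: Thu, 30 Oct 2003 16:45:00 -0500\r\n\r\nbody\r\n",
    "Message-ID: <a4@example.invalid>\r\nDate: Thu, 30 Oct 2003 16:45:00 +0000\r\n\r\nbody\r\n",
]


def _nth_sunday(year, month, n):
    first = date(year, month, 1)
    days_to_sunday = (6 - first.weekday()) % 7  # weekday(): Monday=0 ... Sunday=6
    return first + timedelta(days=days_to_sunday + 7 * (n - 1))


def _last_sunday(year, month):
    next_month = date(year + (month == 12), month % 12 + 1, 1)
    last_day = next_month - timedelta(days=1)
    return last_day - timedelta(days=(last_day.weekday() + 1) % 7)


def expected_eastern_offset(d):
    """UTC offset a correctly configured US Eastern machine shows on calendar day d.

    Before 2007: DST from the first Sunday of April to the last Sunday of October.
    2007 onward: second Sunday of March to the first Sunday of November.
    Resolution is the calendar day; the 02:00 switch hour itself is ignored.
    """
    if d.year < 2007:
        start, end = _nth_sunday(d.year, 4, 1), _last_sunday(d.year, 10)
    else:
        start, end = _nth_sunday(d.year, 3, 2), _nth_sunday(d.year, 11, 1)
    return timedelta(hours=-4) if start <= d < end else timedelta(hours=-5)


def offset_str(td):
    """Format a timedelta as the +HHMM / -HHMM form used in Date headers."""
    minutes = int(td.total_seconds()) // 60
    sign = "-" if minutes < 0 else "+"
    minutes = abs(minutes)
    return f"{sign}{minutes // 60:02d}{minutes % 60:02d}"


def check_date_headers(raw_messages):
    """Return (message id, stated offset, expected offset, verdict) per message.

    A mismatch means either the clock's zone/DST setting was wrong when the
    message was written (Rob's point), the message was not sent from an Eastern
    machine at all, or the header was fabricated. Which of these applies is for
    the examiner to establish from the other headers of the same period.
    """
    findings = []
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        dt = parsedate_to_datetime(msg["Date"])
        stated = dt.utcoffset()
        if stated is None:  # "-0000" style dates carry no usable zone
            findings.append((msg["Message-ID"], None, None, "no usable offset"))
            continue
        expected = expected_eastern_offset(dt.date())
        verdict = "consistent" if stated == expected else "offset/DST mismatch"
        findings.append((msg["Message-ID"], offset_str(stated), offset_str(expected), verdict))
    return findings


if __name__ == "__main__":
    for row in check_date_headers(SAMPLE_MESSAGES):
        print(*row)
```

Run over a real mailbox, the useful output is not any single verdict but the pattern: a machine whose every message in a period shows the same wrong offset is just misconfigured, whereas one message whose offset disagrees with its neighbours from the same weeks is the one that needs an explanation.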

JT • April 4, 2012 7:52 PM

I still have yet to find a forensic investigator that can prove that a file has been altered when changing one bit via a hex editor.
Back about 8 years ago I sent a copy of two text files to a bunch of forensic guys I knew, one of which was a CART examiner with the Bureau.
One File was the original.
One File was altered via a hex editor to change the creation date.
Everything else was exactly the same.
Both were on a single floppy disk (I had a ton lying around).

Both dates were recent and within reason.
Nothing else in the files was different.
Not a single one of the 8 forensic experts could prove to me which was the original and which was the altered copy.
Every single one admitted it wasn't possible (in the case I presented them with) to prove which was the original and which was the altered copy.

When the basis of all digital evidence in court is time stamps, how can the forensic field continue to be considered 'beyond reasonable doubt', when the simplest action shatters its illusion of reliability?
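The three comments from Someone, Tony H. and JT turn on the same question: which timestamps can a user set, and which can only the kernel set? The example below is added here and is not code from the post or from any commenter. It checks one file record for the two anomalies discussed above (modified before created, as in Tony H.'s properties dialog; and a modification time far older than the inode change time, which on Unix cannot be set from user space) and demonstrates the second one by writing a file and then pushing its mtime back a year with `os.utime`, which is the same change a `touch -d` or a timestamp-setting tool would make. The sample records are constructed; the Windows-style "creation" value is an assumption labelled in the code.

```python
import calendar
import os
import tempfile
import time

YEAR = 365 * 24 * 3600


def timestamp_anomalies(record, slack=60):
    """Return anomaly descriptions for one file record.

    record: dict with 'path', 'mtime' and 'ctime' (POSIX seconds) and, where the
    filesystem exposes it, 'crtime' (creation / birth time). Two checks:
      1. mtime earlier than creation: a file cannot have been last written before
         it existed, which is what Tony H.'s Windows properties show.
      2. mtime far earlier than ctime: on Unix the modification time can be set
         from user space (utime, touch -d, editing the on-disk record), but the
         inode change time is stamped by the kernel on every such call, so a large
         gap means the mtime was set deliberately rather than by a write.
    Legitimate causes exist for both (chmod or rename long after the last write,
    restore from backup, a wrong clock as Clive describes), so this flags a record
    for explanation; it does not prove alteration.
    """
    findings = []
    crtime = record.get("crtime")
    if crtime is not None and record["mtime"] + slack < crtime:
        findings.append("mtime earlier than creation time")
    if record["ctime"] - record["mtime"] > slack:
        findings.append("mtime earlier than last inode change (possible manual timestamp set)")
    return findings


def stat_record(path):
    """Build a record from os.stat. st_birthtime exists on macOS/BSD (and Windows
    in Python 3.12+) but not on Linux; on Windows st_ctime is the creation time
    rather than the change time, so check 2 reduces to check 1 there."""
    st = os.stat(path)
    rec = {"path": path, "mtime": st.st_mtime, "ctime": st.st_ctime}
    birth = getattr(st, "st_birthtime", None)
    if birth is not None:
        rec["crtime"] = birth
    return rec


def demo_backdated_mtime():
    """Write a file, then set its mtime a year into the past the way a
    timestamp-setting tool would; the kernel still records the inode change as now."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "contract.txt")
        with open(p, "w") as f:
            f.write("constructed sample content\n")
        now = time.time()
        os.utime(p, (now - YEAR, now - YEAR))  # (atime, mtime) pushed back a year
        return timestamp_anomalies(stat_record(p))


# Constructed records. Timestamps mirror the values Tony H. quotes; the ctime for
# that record is an assumption (his dialog shows no change time), set to the
# creation time so only the checks the dialog supports are exercised.
_JUN_2009 = calendar.timegm((2009, 6, 2, 11, 56, 25, 0, 0, 0))
_OCT_2008 = calendar.timegm((2008, 10, 2, 18, 45, 0, 0, 0, 0))
TONY_H_RECORD = {"path": "constructed.doc", "crtime": _JUN_2009,
                 "mtime": _OCT_2008, "ctime": _JUN_2009}
CLEAN_RECORD = {"path": "constructed.txt", "crtime": _OCT_2008,
                "mtime": _OCT_2008 + 3600, "ctime": _OCT_2008 + 3600}


if __name__ == "__main__":
    for rec in (TONY_H_RECORD, CLEAN_RECORD):
        print(rec["path"], timestamp_anomalies(rec) or "no anomaly")
    print("backdated demo:", demo_backdated_mtime())
```

JT's experiment also fits this frame: a text file whose only difference is one edited date field gives the checks nothing to work with, because both copies carry internally consistent metadata. What an examiner can still do is compare the questioned timestamp against sources the writer does not control (ctime, journal entries, mail server Received headers, backups), which is why the field treats a lone timestamp as corroboration rather than proof.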

Nick P • April 5, 2012 9:46 PM

@ JT

I agree, esp with timestamps. I think using hardware from a neutral-as-possible group is important too. It "looks" like an HD copier but actually inserts stuff in as it goes along. Or the timestamp of the hash and image are preserved even though it's been modified. Too many issues. All too easy for the forensic investigators to plant evidence unless neutral parties are involved.

One strategy might be to have a cheap equivalent for local law enforcement. Several different people make a copy. The risk is the malicious forensic going first and subverting the actual image on the system right then. I still think copies by local law enforcement (or just a local forensic guy) and the plaintiff's forensic team reduces risk.

Nofail • April 6, 2012 7:59 AM

It is an aristocracy pattern: the best hacker wins it all. The suggested Zuckerberg early Harvard investment strategy: with $2000 buy an MS Office 0-day exploit and secure your contracts definitely.

cyberstalk victim • April 15, 2014 1:55 PM

2.5 year cyber stalking case, ruined career unless I get help which no one is willing to do so far. I don't want this posted on your website but how else can I contact you to tell you more. I need to prove the blogs were backdated. I do have credibility and doctors and forensic experts who will write letters for me.



Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..