Automated Production of Predetermined Digital Evidence

Digital evidence is increasingly used in juridical proceedings. In some recent legal cases, the verdict has been strongly influenced by the digital evidence proffered by the defense. Digital traces can be left on computers, phones, and digital cameras, and also on remote machines belonging to ISPs, telephone providers, and companies that provide services via the Internet, such as YouTube, Facebook, and Gmail. This paper presents a methodology for the automated production of predetermined digital evidence, which can be leveraged to forge a digital alibi. It is based on the use of an automation, a program meant to simulate any common user activity. In addition to wanted traces, the automation may produce a number of unwanted traces, which may be disclosed upon a digital forensic analysis. These include data remanence of suspicious files, as well as any kind of logs generated by the operating system modules and services. The proposed methodology describes a process to design, implement, and execute the automation on a target system, and to properly handle both wanted and unwanted evidence. Many experiments with different combinations of automation tools and operating systems are conducted. This paper presents an implementation of the methodology through VBScript on Windows 7. A forensic analysis of the target system is not sufficient to reveal that the alibi is forged by automation. These considerations emphasize the difference between digital and traditional evidence. Digital evidence is always circumstantial, and therefore it should be considered relevant only if supported by stronger evidence collected through traditional investigation techniques. Thus, a Court verdict should not be based solely on digital evidence.
