Abstract
This article was inspired by an active discussion in one of the forensic listservs. Original post was asking on how to fight with an argument “This is not me, this is a malware”.
The suspect was allegedly downloading and viewing illicit child photos and was denying that, explaining the fact of these photos’ presence by malicious software they presumably had.
So how can you figure out whether or not the suspect’s computer has actually been subject to unauthorized activities?
I’ve Been Hacked
The “I’ve been hacked” tactic is the most common defense when it comes to crimes committed on or with computers. However obvious it might be, the burden of proof lies on you and not on the suspect. So how can you figure out whether or not the suspect’s computer has actually been subject to unauthorized activities?
Checking for Malware
Well, what about checking if there indeed was a malware? Will the absence of malware prove the suspect’s lie?
Scanning the disk image for malware is one thing, yet it rarely proves anything. No malware means nothing, and any malware that does exist does not prove anything. Why? If there is NO malware, why can’t it be explained by the fact that it just deleted itself by a command from a remote control center? If there IS malware, it does not automatically mean that it indeed downloaded anything.
Capturing a memory dump and looking for active VPN sessions may give you a hint of some unusual activities, but again it won’t prove anything.
In order to discover whether or not the “hacked” defense has grounds, you will need to look at other factors.
Physical Presence
One of the easiest things to check is proving whether or not the person was physically present at the crime scene. And since we’re talking about high-tech crimes, how about collecting location data from the suspect’s smartphone? Android smartphones record GPS coordinates every 15 minutes, passing them on to Google’s servers for location reporting. You may access these records by logging in to the suspect’s Google Account and either reviewing their Location History or using Google Takeout to download the data for offline analysis. Apple’s iPhones also collect location information, and although extracting the data is not as easy as acquiring Android phones it still can be done.

Belkasoft Evidence Center (BEC) can gather geolocation from different sources, such as Google Maps apps, browser searches, geo-enabled chats and so on. You can review one or multiple locations in the Google Maps window right inside the tool.
Timeline
Building a timeline based on multiple data sources is arguably one of the best ways to show the activity happened when the suspect was physically present at the crime scene. Don’t assume; instead, try to acquire as much data as possible to build a comprehensive, geo-tagged timeline.
- Location data. Proves physical presence at the crime scene
Please register to access full versions of Belkasoft articles