Abstract

This article was inspired by an active discussion in one of the forensic listservs. Original post was asking on how to fight with an argument “This is not me, this is a malware”. The suspect was allegedly downloading and viewing illicit child photos and was denying that, explaining the fact of these photos’ presence by malicious software they presumably had. So how can you figure out whether or not the suspect’s computer has actually been subject to unauthorized activities?

I’ve Been Hacked

The “I’ve been hacked” tactic is the most common defense when it comes to crimes committed on or with computers. However obvious it might be, the burden of proof lies on you and not on the suspect. So how can you figure out whether or not the suspect’s computer has actually been subject to unauthorized activities?

Checking for Malware

Well, what about checking if there indeed was a malware? Will the absence of malware prove the suspect’s lie?

Scanning the disk image for malware is one thing, yet it rarely proves anything. No malware means nothing, and any malware that does exist does not prove anything. Why? If there is NO malware, why can’t it be explained by the fact that it just deleted itself by a command from a remote control center? If there IS malware, it does not automatically mean that it indeed downloaded anything.

Capturing a memory dump and looking for active VPN sessions may give you a hint of some unusual activities, but again it won’t prove anything.

In order to discover whether or not the “hacked” defense has grounds, you will need to look at other factors.

Physical Presence

One of the easiest things to check is proving whether or not the person was physically present at the crime scene. And since we’re talking about high-tech crimes, how about collecting location data from the suspect’s smartphone? Android smartphones record GPS coordinates every 15 minutes, passing them on to Google’s servers for location reporting. You may access these records by logging in to the suspect’s Google Account and either reviewing their Location History or using Google Takeout to download the data for offline analysis. Apple’s iPhones also collect location information, and although extracting the data is not as easy as acquiring Android phones it still can be done.

Belkasoft Evidence Center (BEC) can gather geolocation from different sources, such as Google Maps apps, browser searches, geo-enabled chats and so on. You can review one or multiple locations in the Google Maps window right inside the tool.

Timeline

Building a timeline based on multiple data sources is arguably one of the best ways to show the activity happened when the suspect was physically present at the crime scene. Don’t assume; instead, try to acquire as much data as possible to build a comprehensive, geo-tagged timeline.

Location data. Proves physical presence at the crime scene

Please register to access full versions of Belkasoft articles

Articles

Analyzing HiSuite Backups with Belkasoft Evidence Center

In this article, we are examining one of the Android mobile devices from the point of view of data extraction from backup. For the purpose of this article we picked up Huawei Honor 20 Pro smartphone for analysis. We will explain to you how to ... Read more

Mitigating security risks using Belkasoft Evidence Center

Due to the crisis resulting from the spread of COVID-19, more people are currently working from home than ever. In this article, we will examine the major security risks confronting organizations, especially those threats exacerbated by recent ... Read more

Subscribe to our Newsletter