Abstract

This article was inspired by an active discussion in one of the forensic listservs. Original post was asking on how to fight with an argument “This is not me, this is a malware”. The suspect was allegedly downloading and viewing illicit child photos and was denying that, explaining the fact of these photos’ presence by malicious software they presumably had. So how can you figure out whether or not the suspect’s computer has actually been subject to unauthorized activities?

I’ve Been Hacked

The “I’ve been hacked” tactic is the most common defense when it comes to crimes committed on or with computers. However obvious it might be, the burden of proof lies on you and not on the suspect. So how can you figure out whether or not the suspect’s computer has actually been subject to unauthorized activities?

Checking for Malware

Well, what about checking if there indeed was a malware? Will the absence of malware prove the suspect’s lie?

Scanning the disk image for malware is one thing, yet it rarely proves anything. No malware means nothing, and any malware that does exist does not prove anything. Why? If there is NO malware, why can’t it be explained by the fact that it just deleted itself by a command from a remote control center? If there IS malware, it does not automatically mean that it indeed downloaded anything.

Capturing a memory dump and looking for active VPN sessions may give you a hint of some unusual activities, but again it won’t prove anything.

In order to discover whether or not the “hacked” defense has grounds, you will need to look at other factors.

Physical Presence

One of the easiest things to check is proving whether or not the person was physically present at the crime scene. And since we’re talking about high-tech crimes, how about collecting location data from the suspect’s smartphone? Android smartphones record GPS coordinates every 15 minutes, passing them on to Google’s servers for location reporting. You may access these records by logging in to the suspect’s Google Account and either reviewing their Location History or using Google Takeout to download the data for offline analysis. Apple’s iPhones also collect location information, and although extracting the data is not as easy as acquiring Android phones it still can be done.

Belkasoft Evidence Center (BEC) can gather geolocation from different sources, such as Google Maps apps, browser searches, geo-enabled chats and so on. You can review one or multiple locations in the Google Maps window right inside the tool.

Timeline

Building a timeline based on multiple data sources is arguably one of the best ways to show the activity happened when the suspect was physically present at the crime scene. Don’t assume; instead, try to acquire as much data as possible to build a comprehensive, geo-tagged timeline.

Location data. Proves physical presence at the crime scene

Please register to access full versions of Belkasoft articles

Articles

"Does your DFIR tool have substantial updates?"

In his new article, Brett Shavers from DFIR.training talks about new features of Belkasoft Evidence Center 9.7. He notes that "BEC’s v9.7 update adds quite a few artifacts that some suites don’t even try to examine". He overviews the most ... Read more

Results of Customer Survey 2019: Findings and Insights

This piece presents the findings of our most recent customer survey held at the end of 2019. We asked a range of questions related to our customers’ needs, challenges, and preferences. As a result, our research team came into possession of a ... Read more

Subscribe to our Newsletter