You have mail. Maybe. And that’s the problem.
We admit electronic evidence into court and rely upon it in our day-to-day transactions all the time. But can we really and truly authenticate it? The answer is almost. Which means actually, no. But it’s good enough for government work. Which is to say, not really good enough.
The cornerstones of computer forensics are authenticity and relevance. If Alice sends Bob a relevant electronic communication, the goal of the forensic examiner is to demonstrate (by a preponderance of the evidence in a civil case and beyond a reasonable doubt in a criminal case) that Alice was the author of that communication.
Well, actually more. If the communication is relevant, we have to show that Alice wrote it (or if written by someone else, that Alice adopted or endorsed it), that Alice intended to communicate it, that Alice (or someone at Alice’s command) in fact did communicate it, that the message contents are in fact the contents authored by Alice or her proxy and are the contents intended to be communicated, that the message originated from a particular place at a particular time (that’s important for jurisdictional purposes, Statute of Limitations purposes and other purposes) that we all agree what time it is (does anybody really know what time it is… does anybody really care?) and that Bob in fact received the message at a particular date and time, and maybe that Bob acted on the message.
That’s what is supposed to happen. It rarely does.
What typically happens is that Bob hits CNTRL P and prints the email or text message, or screen captures it and voilà! It is admitted into evidence. Alice is toast. And most of the time (well, some of the time) that’s all we need. Alice admits that she sent the message, or there is some other means of authentication, and the evidence is admitted.
But that’s not nearly enough.
At the other end of the spectrum, forensic examiners seize Alice’s computer while other forensic examiners seize Bob’s. The intermediate mail servers (inbound, outbound and intermediate) or intermediate communications networks are seized, frozen and imaged. Tools are deployed to forensically image all of the contents of a dozen or so hard drives, which are loaded onto a document analytics platform, analyzed, cross referenced and authenticated. If all things go well (and we can exclude the possibility that someone else accessed Alice’s or Bob’s computers or accounts) we have a forensically admissible copy of the communications. Only for about $100,000 bucks. Or more.
More typically, some third party is subpoenaed for their documents and records. Google gets a subpoena or warrant for Alice’s emails. Some geek at Google, on order of some lawyer at Google who has reviewed the court order, prints out the contents and metadata and says, “yup.. that’s Alice’s email” or more accurately, “that’s what we found on Alice’s account.” When that communication is admitted into evidence, there’s nobody in court to explain what happened, what tools were used to collect the data, or even how this data is collected, stored, and managed in the first place.
Basic stuff. What IS an email? How is it created? How is it transmitted?
More basic stuff. What is an IP address? What does it mean? How is it assigned? How is it recorded? By what type of device? How is that device secured?
Even more basic stuff. How can emails be spoofed? How can the contents, author, subject, source or destination be spoofed? How do we really KNOW that Alice wrote the email we seized from Alice’s Gmail account? Even if it points to her IP address, put bluntly, what the HECK is an IP address and why should I trust it? How do we KNOW it points to HER IP address?
In most judicial proceedings, we make no effort whatsoever to answer any of these questions. Much less the more difficult questions like, what was the make, model and software version of the software used to collect, store, and transmit the forensic data? What are the vulnerabilities inherent in the process? How do you really KNOW what it is you think you know? Challenge your assumptions.
This doesn’t happen. Computer forensics is at one the one hand a very expensive overkill and on the other hand a series of unchallenged assumptions. Critical witnesses are never called to testify. How do you KNOW your phone bill is accurate (that’s an electronic record, right?). How was the data collected, stored, maintained, transmitted, collated, and then presented?
The answer… no clue whatsoever. And that describes the state of computer forensics today. Clueless. But admissible.
Security Current
Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.
