Letter discussing Hacking and Contamination of Evidence
Dear S,
It is possible to draw conclusions about the likelihood that Mr D's computer was a victim of "hacking".
Mr D mentioned, at our meeting last week, that the computer was usually switched off when not in use, that there was no telephone answering software operating on the computer and that there was a conventional telephone answering machine connected to the telephone line.
Remote access to the computer would require that the computer be switched on and that a telephone connection would need to be open between the computer and the Internet or directly to another computer. Any attempt to establish a telephone connection with Mr D's computer by dialing in to it would fail because the call would be answered by the answering machine or by someone in the house.
For hacking to be successful, it would need to occur when someone in the house connected the computer to the Internet.
The History and Cache from the computer includes this sequence of Internet accesses:
| User Accessed | Link |
|---|---|
| 03/01/2001 10:12:05 | :2001010320010104: D@http://www.deleted-1.com/members/nudists06/jf8343.jpg |
| 03/01/2001 10:12:22 | :2001010320010104: D@http://www.deleted-1.com/members/nudists06/jf8348.jpg |
| 03/01/2001 10:13:07 | :2001010320010104: D@http://www.deleted-1.com/members/nudists13/gallery5.html |
| 03/01/2001 10:13:28 | :2001010320010104: D@http://www.deleted-1.com/members/nudists13/sr17224b.jpg |
| 03/01/2001 10:14:00 | :2001010320010104: D@http://www.deleted-1.com/members/nudists13/sr17305.jpg |
| 03/01/2001 10:15:31 | :2001010320010104: D@:Host: www.deleted-2.com |
| 03/01/2001 10:15:31 | :2001010320010104: D@http://www.deleted-2.com |
| 03/01/2001 10:16:06 | :2001010320010104: D@http://www.deleted-2.com/join.html |
| 03/01/2001 10:17:05 | :2001010320010104: D@:Host: www.site-key.com |
| 03/01/2001 10:17:05 | :2001010320010104: D@https://www.site-key.com/cgi-bin/user/join.pl?site=W3777707 |
| 03/01/2001 10:19:02 | :2001010320010104: D@https://www.site-key.com/cvc2.html |
| 03/01/2001 10:21:23 | https://www.site-key.com/cgi-bin/user/dojoin.pldbf0a352 |
| 03/01/2001 10:21:25 | :2001010320010104: D@https://www.site-key.com/cgi-bin/user/dojoin.pl |
| 03/01/2001 10:31:19 | :2001010320010104: D@http://www.deleted-2.com/members/euro.html |
| 03/01/2001 10:31:40 | :2001010320010104: D@http://www.deleted-2.com/members/gallery05/e2veme/e2_veme1.html |
| 03/01/2001 10:31:55 | :2001010320010104: D@http://www.deleted-2.com/members/gallery05/e2veme/E2_Vera_and_Merick_01.jpg |
| 03/01/2001 10:32:19 | :2001010320010104: D@http://www.deleted-2.com/members/gallery05/e2veme/E2_Vera_and_Merick_10.jpg |
| 03/01/2001 10:32:42 | :2001010320010104: D@http://www.deleted-2.com/members/gallery05/e2veme/E2_Vera_and_Merick_02.jpg |
| 03/01/2001 10:33:06 | :2001010320010104: D@http://www.deleted-2.com/members/gallery05/e2veme/e2_veme2.html |
| 03/01/2001 10:33:15 | :2001010320010104: D@http://www.deleted-2.com/members/gallery05/e2veme/E2_Vera_and_Merick_15.jpg |
The table shows five records of access to deleted-1 and then a jump to deleted-2. It may be that deleted-1 included a link to deleted-2 and the jump occurred when someone clicked on the link.
The third access to deleted-2 is a page called join.html. This is followed by five accesses to a site called site-key. It may be that the site-key site allows access to restricted areas on sites (by providing a "key" to the "site"). The rest of the table is records of access to deleted-2. It may be that credit card details were provided at site-key to allow access to deleted-2. The possibility that this occurred as a result of hacking could be established by the examination of credit card records.
A later sequence of records:
| User Accessed | Link |
|---|---|
| 03/01/2001 16:22:12 | :2001010320010104: D@http://www.deleted-2.com/members/update/lorr/lorr1.html |
| 03/01/2001 16:22:31 | :2001010320010104: D@http://www.deleted-2.com/members/update/mon/mon1.html |
| 03/01/2001 16:23:00 | :2001010320010104: D@http://www.deleted-2.com/members/update/jlm/jlm1.html |
| 03/01/2001 17:35:15 | :2001010320010104: D@:Host: www.jungle.com |
| 03/01/2001 17:35:15 | :2001010320010104: D@http://www.jungle.com |
| 03/01/2001 17:35:50 | :2001010320010104: D@http://www.jungle.com/scripts/generic_pages/jpage2.cgi?ID=byte |
| 03/01/2001 17:36:54 | :2001010320010104: D@http://www.jungle.com/scripts/generic_pages/newsearch_results_page.cgi?text= |
| 03/01/2001 17:37:40 | :2001010320010104: D@http://www.jungle.com/scripts/generic_pages/jpage2.cgi?ID=peripherals&text= |
| 03/01/2001 17:37:57 | :2001010320010104: D@http://www.jungle.com/scripts/generic_pages/newsearch_results_page.cgi?text=kodak |
| 03/01/2001 17:40:55 | :2001010320010104: D@http://www.jungle.com/scripts/generic_pages/jpage2.cgi?ID=consumables&text=kodak |
| 03/01/2001 17:40:59 | :2001010320010104: D@http://www.jungle.com/scripts/generic_pages/newsearch_results_page.cgi?text=kodak&SectionID=2001 |
| 03/01/2001 17:42:11 | :2001010320010104: D@http://www.jungle.com/scripts/generic_pages/jpage2.cgi?ID=peripherals |
| 03/01/2001 17:42:29 | :2001010320010104: D@http://www.jungle.com/scripts/generic_pages/newsearch_results_page.cgi?text=iomega&SectionID=2001 |
| 03/01/2001 17:44:11 | :2001010320010104: D@http://www.deleted-2.com/members/video.html |
| 03/01/2001 17:45:22 | :2001010320010104: D@http://www.deleted-2.com/members/video/andrea.mpg |
| 03/01/2001 17:48:55 | :2001010320010104: D@http://www.deleted-2.com/members/update2/alx/alx1.html |
The first three records show the end of one Internet session at about 16:20. The next few records show a new Internet session starting at about 17:35 with a visit to jungle (a well known Internet shop). At 17:44 we see a sequence of accesses to deleted-2. It may be that a hacker was able to access the computer during the ten minutes of browsing at jungle, that the computer was accidentally left switched on and connected to the Internet and that the hacker was able to begin browsing deleted-2 by remote control.
Another sequence:
| User Accessed | Link |
|---|---|
| 03/01/2001 17:50:30 | :2001010320010104: D@http://www.deleted-2.com/members/update2/sandra/sandra_019.jpg |
| 03/01/2001 17:50:57 | :2001010320010104: D@http://www.deleted-2.com/members/update2/sandra/sandra3.html |
| 03/01/2001 17:51:31 | :2001010320010104: D@http://www.deleted-2.com/members/update2/sarah/sarah1.html |
| 03/01/2001 17:52:18 | :2001010320010104: D@http://www.deleted-2.com/members/update2/b/b1.html |
| 03/01/2001 20:24:19 | :2001010320010104: D@http://www.deleted-2.com/members/index.html |
| 03/01/2001 20:24:43 | :2001010320010104: D@http://www.deleted-2.com/members/gallery09/la/la1.html |
| 03/01/2001 20:25:01 | :2001010320010104: D@http://www.deleted-2.com/members/gallery09/la/la2.html |
| 03/01/2001 20:25:19 | :2001010320010104: D@http://www.deleted-2.com/members/gallery09/la/la17.jpg |
Here we see the end of the earlier session of browsing at 17:52 and the start of a new session at 20:24. The 20:24 session begins at deleted-2. If the computer was disconnected from the Internet at 17:52, it would not be possible for a hacker to begin browsing at deleted-2 at 20:24. It may be that the computer was left switched on and connected to the Internet from 17:52 until 20:24 and the hacker was able to restart remote control at 20:24.
And again:
| User Accessed | Link |
|---|---|
| 03/01/2001 20:27:41 | :2001010320010104: D@http://www.deleted-2.com/members/gallery08/howto/howto1.html |
| 03/01/2001 20:28:36 | :2001010320010104: D@http://www.deleted-2.com/members/gallery13/syou2/syou21.html |
| 04/01/2001 11:47:03 | :2001010420010105: D@:Host: www.deleted-2.com |
| 04/01/2001 11:47:41 | :2001010420010105: D@http://www.deleted-2.com/members/gallery09/mclt9000/mclt91.html |
Here we see one session end at 20:28 and a new session begin at 11:47 the next day. It may be that the computer was left switched on and connected to the Internet overnight.
I counted six further sessions on 4th, 5th and 6th of January that begin with accesses to either deleted-1 or deleted-2. For a hacker to be responsible for all of these sessions, it would require that the computer should have been left connected to the Internet almost continuously for three days or more. There are other sessions through to the end of January that begin with access to deleted-1 or deleted-2.
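As an added illustration that is not part of the letter, the session reconstruction used above can be done mechanically: the script below parses records laid out like the History/Cache tables in this letter, splits them into sessions wherever the gap between consecutive Last Access times exceeds a threshold, and reports which sessions begin at the sites in question. The records are constructed to mirror the tables above, and the 30-minute gap is an assumption, not a figure taken from the letter.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample records in the layout of the letter's History/Cache tables
# ("Date Time | :yyyymmddyyyymmdd: D@URL" or "... D@:Host: name"); not the real data.
SAMPLE_RECORDS = """\
03/01/2001 17:35:15 | :2001010320010104: D@:Host: www.jungle.com
03/01/2001 17:35:50 | :2001010320010104: D@http://www.jungle.com/scripts/generic_pages/jpage2.cgi?ID=byte
03/01/2001 17:44:11 | :2001010320010104: D@http://www.deleted-2.com/members/video.html
03/01/2001 17:52:18 | :2001010320010104: D@http://www.deleted-2.com/members/update2/b/b1.html
03/01/2001 20:24:19 | :2001010320010104: D@http://www.deleted-2.com/members/index.html
03/01/2001 20:28:36 | :2001010320010104: D@http://www.deleted-2.com/members/gallery13/syou2/syou21.html
04/01/2001 11:47:03 | :2001010420010105: D@:Host: www.deleted-2.com
04/01/2001 11:47:41 | :2001010420010105: D@http://www.deleted-2.com/members/gallery09/mclt9000/mclt91.html
"""

@dataclass
class Session:
    start: datetime
    end: datetime
    hosts: list = field(default_factory=list)  # hosts in order of access

    @property
    def first_host(self):
        return self.hosts[0]

    @property
    def duration(self):
        return self.end - self.start

def parse_record(line):
    """Return (last_access_time, host) for one 'Date Time | link' line."""
    when, link = (part.strip() for part in line.split("|", 1))
    if link.startswith(":") and " D@" in link:  # drop the ':yyyymmdd...: D@' prefix
        link = link.split(" D@", 1)[1]
    host = link[len(":Host: "):] if link.startswith(":Host: ") else urlparse(link).hostname
    return datetime.strptime(when, "%d/%m/%Y %H:%M:%S"), host

def split_sessions(text, max_gap=timedelta(minutes=30)):
    """Group consecutive accesses into sessions; a gap longer than max_gap starts a
    new session. max_gap is an assumed threshold, not a value from the letter."""
    sessions = []
    for when, host in sorted(parse_record(l) for l in text.splitlines() if l.strip()):
        if sessions and when - sessions[-1].end <= max_gap:
            sessions[-1].end = when
            sessions[-1].hosts.append(host)
        else:
            sessions.append(Session(when, when, [host]))
    return sessions

def sessions_starting_at(sessions, hosts_of_interest):
    """Sessions whose very first access is to one of the sites in question."""
    return [s for s in sessions if s.first_host in hosts_of_interest]
```

On the constructed data this yields three sessions, of which the two after 17:52 begin at deleted-2, the pattern the letter relies on when it counts sessions that open at deleted-1 or deleted-2.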
From the evidence that is available to me, it is my opinion that the accesses to deleted-1 and deleted-2 (and the searches for "naked children" etc) were not the result of hacking.
It is possible to draw conclusions about the likelihood that Mr D's computer was a victim of contamination.
Earlier I described what appeared to be a subscription to deleted-2 via site-key and I suggested that the subscription involved a credit card transaction. The absence of any corresponding credit card transaction would be consistent with contamination. The presence of a card transaction would not be consistent with contamination.
The email confirming a subscription to deleted-1 cannot be as a result of contamination because the dates in the email were put there by computers on the Internet and not by Mr D's computer.
For the numerous accesses to deleted-1 throughout January to have been the result of contamination, it would be necessary to have opened the email software on Mr D's computer and to have searched for and then read the email from iwest.org confirming the subscription. It is quite possible that the email was read after the computer was seized. It may be thought a coincidence that the email was opened and searched and that an email confirming the subscription was found.
If the subscription via site-key was not contamination, then for the numerous accesses to deleted-2 throughout January to have been the result of contamination would require some effort. It would have been necessary to open the browser software on Mr D's computer and to have searched the Internet history or the Internet cache to find the web page that refers to the subscription. It may be thought a coincidence that the browser history or cache was searched and that a reference to deleted-2 was found.
A summary of all sessions accessing deleted-1 and deleted-2 (and what appear to be attempts to find indecent images of children by searching the Internet):
| Date | Start | End | Duration |
|---|---|---|---|
| 03/01/2001 | 10:08 | 10:42 | 00:34 |
| | 15:52 | 16:23 | 00:31 |
| | 17:35 | 17:52 | 00:17 |
| | 20:24 | 20:28 | 00:04 |
| 04/01/2001 | 11:47 | 12:13 | 00:26 |
| | 15:21 | 16:07 | 00:46 |
| | 19:05 | 19:12 | 00:07 |
| 05/01/2001 | 09:45 | 09:57 | 00:12 |
| | 14:38 | 14:48 | 00:10 |
| | 18:27 | 18:52 | 00:25 |
| 06/01/2001 | 14:46 | 15:16 | 00:30 |
| | 22:54 | 0:00 | 01:06 |
| 07/01/2001 | 00:00 | 00:04 | 00:04 |
| | 17:56 | 17:59 | 00:03 |
| 09/01/2001 | 19:40 | 19:55 | 00:15 |
| 10/01/2001 | 21:20 | 21:22 | 00:02 |
| | 22:20 | 22:39 | 00:19 |
| 12/01/2001 | 08:17 | 08:18 | 00:01 |
| | 21:40 | 21:57 | 00:17 |
| 14/01/2001 | 22:45 | 23:02 | 00:17 |
| 18/01/2001 | 22:27 | 22:31 | 00:04 |
| | 23:25 | 23:36 | 00:11 |
| 19/01/2001 | 21:14 | 21:19 | 00:05 |
| 20/01/2001 | 21:03 | 21:06 | 00:03 |
| 21/01/2001 | 22:35 | 22:49 | 00:14 |
| 23/01/2001 | 20:50 | 20:53 | 00:03 |
| 24/01/2001 | 22:58 | 23:02 | 00:04 |
| 27/01/2001 | 18:21 | 18:29 | 00:08 |
| Total Duration | | | 07:18 |
In addition to more than seven hours required to falsify the entries shown in the table, time would be required to repeatedly reset the clock and to reset file dates to restore the computer to show that it was last used before it was seized. I estimate the additional time to be about four hours. The total time required to create this amount of contamination is likely to be about twelve hours.
It may be thought that twelve hours is an excessive amount of time to have been spent contaminating evidence.
On 24 January 2001, an Internet session begins at 22:36 with accesses to scan.co.uk, an Internet shop. At 22:48, the accesses change to jungle.com, another Internet shop. At 22:58, the accesses change to deleted-2:
| User Accessed | Link |
|---|---|
| 24/01/2001 22:58:23 | http://www.jungle.com/cgi-bin/members/join.cgicd77ee48 |
| 24/01/2001 22:58:23 | http://www.jungle.com/images/members/gl_bot.gif |
| 24/01/2001 22:58:23 | http://www.jungle.com/images/members/gr_bot.gif |
| 24/01/2001 22:58:23 | http://www.jungle.com/images/members/submit.gif |
| 24/01/2001 22:58:54 | http://www.deleted-2.com/members/index.html |
| 24/01/2001 22:59:06 | http://c2.thecounter.com/id=1380692&size=1024&colors=32&referer=&java=true |
| 24/01/2001 22:59:07 | http://config.sa.aol.com/sa/v1.0/AOL/UK/index.html |
| 24/01/2001 22:59:45 | http://www.deleted-2.com/members/gallery05/e3genevieve/e3genev1.html |
If the accesses to scan and jungle were not the result of contamination and the accesses to deleted-2 were contamination, then it would have been necessary to access the Internet cache to find the time of the last access to jungle. It would then require a precise reset of the date and time and a precise start to the accesses to deleted-2 to produce the close time values shown in the above table.
It seems unlikely that the accesses to scan and to jungle and to deleted-2 were all the result of contamination because the accesses to scan and jungle are unlikely icing on the cake.
It seems unlikely that the accesses to deleted-2 are the result of contamination if the accesses to scan and jungle are not, because of the effort required to produce the close time values.
In cop shows on television, the police are able to obtain detailed records of telephone calls from telephone companies. I have no knowledge that such records can be obtained in the real world. It may be that telephone records would show that Internet calls did or did not occur at the times shown above for accesses to deleted-2 and to deleted-1. It seems unlikely that anyone would knowingly contaminate the computer after it was seized if they knew that telephone records would reveal the contamination.
I found nothing to suggest that contamination had occurred. It seems likely that the subscriptions to deleted-1 and to deleted-2 were not the result of contamination because they can easily be shown to be contamination by credit card records. It seems unlikely that anyone would search email and the history or cache prior to contaminating the computer. It seems unlikely that anyone would spend about twelve hours contaminating the computer when far less time would provide evidence of equal value. It seems unlikely that the accesses on 25 January were the result of contamination because of the apparent overkill. It seems unlikely that contamination would have been attempted when there is a risk that the contamination could be exposed by the examination of telephone records.
I found no technical evidence to show that contamination has not occurred (but it may be that it is tricky to prove a negative). An examination of the computer may reveal contamination. If no contamination occurred, no amount of examination will find anything to suggest that it did. It is my opinion that an examination of the computer for evidence of contamination cannot be justified. I am willing and able to undertake an examination if instructed to do so.
And finally, some Health Warnings:
· I am confident that the dates, times and other values in this report are correct but they have not been re-checked as they would be if this were a report to be used in evidence.
· The dates and times used are Last Access values. It is quite possible that some (or many) items were accessed one or more times prior to the Last Access date and time shown and that there is no record of these previous accesses.
· The history and cache files that provided this data are maintained automatically by the computer and any amount of information may have been deleted by this automatic process.
Yours sincerely
Graham Dilloway