Slashdot Mirror
Worried about Digital Evidence Tampering?
2marcus writes "As digital technology continues to improve and is used in more and more applications, the ease of tampering with digital files becomes more pertinent. This is especially important in the field of criminal justice, where even the appearance of possible impropriety can sway a jury. CNN has an article on the issues with digital photos being used for fingerprints and other forensics evidence."
make digital evidence inadmissable. Photoshopping/gimping/email fraud/video editing is becoming too easy and too difficult to trace.
There has always been the possibility that the evidence could have been tampered with before. Since it is digital this only makes it slightly easier to do. It shouldn't matter however because it is always based on the honesty of the law enforcement official to do what is right.
"How to commit the perfect murder, using Microsoft's debug.exe"
Any form of physical evidence can be tampered with. That's why the chain of custody is such an important concept. Everybody who had control of that evidence from the point it was discovered to the courtroom needs to testify that they didn't nothing funny, and they saw to it that nobody else did anything funny. That makes tampered evidence just as bad as any other lie to the court, somebody's on the hook for perjury.
Ahh, digital evidence tampering, where would I be without you! I was quite good a creating doctors office letterhead for getting out of school. :)
Heck, where I come from not even regular (=non-digital) photos et al. are admitted as evidence in court - because they are too easily tampered with.
Basically only human intel is admitted as evidence (witnesses) - if you want to admit other evidence (such as footprints etc.) you show photos (as an illustration, not as the proof) of course, but _always_ backed up by witnesses (fellow officers, forensics guy) who could be called to testify under oath.
Yes, but then the question of "what is tampering".
There are actually cases of people photoshopping fingerprints to "bring them out".
Is that evidence tampering?
What if they just use a large burn/dodge tool? what if they just use a small one?
Where is the line?
If tampering is possible, even if it's unlikely, there will always be an out for people who don't want to believe evidence.
In practice, the rejection of valid evidence will probably be a bigger problem than the creation of invalid evidence.
Simply require all digital evidence to be encrypted. That way anybody who has a thought of tampering would have to consider the wrath of DMCA.
Nobody would tamper with digital evidence given THAT outcome.
Have we finally found a legitimate use for DRM?
My second-to-last year of college, I had signed a lease for a house just off campus for the next school year. It was looking forward to it because it was a nice house and I'd be rooming with my closest buddies.
Unfortunately, when we went to move in, the place was trashed and grossly out of code for the city/county. In an effort to be released from the lease, I took a bunch of photographs of everything that was wrong with the house, but I took them on my digital camera. I even brought my camera to a developer and had the photos professionally developed.
Nevertheless, I brought my pictures to a lawyer (school-subsidized, provided for student lessor/lessee problems) and he said that if I wanted to use them in any practical way, I had to go take the pictures again with a real camera (and you could _barely_ tell it was digital).
Fortunately, we had enough evidence that the landlord caved (and we all learned many valuable lessons about leasing, and the law in that time period).
A huge swarth of people who get convicted for life or death are poor and stupid minorities who are sentenced with usually little more than one person saying "I swear I saw the defendent...sure it was dark but I swear it!" The criminal justice system in the country (U.S.) is in such a poor state that I don't see how digital evidence is such a huge step backwards. Do you really think it would have been easier to free (or convict) O.J. if the photos of the crimescene were digital?
Seems kinda funny, the more you know about technology, the less trusting of it you are. Seems a bit like long time cops that remain paranoid for years after leaving the job. Witness electronic voting regularly get scoured here, as do other forms of tech that are supposed to be accepted as "unquestionable".
There has always been the possibility that the evidence could have been tampered with before. Since it is digital this only makes it slightly easier to do. It shouldn't matter however because it is always based on the honesty of the law enforcement official to do what is right.
... the fact that the jury recognized (and weighed most heavilly) was that the honesty of the law enforcement offical(s) was in serious doubt ... and quite frankly, often is.
... indeed, we even know of at least one case where the FBI insured that an innocent man was convicted of murder and sent to prison in order to protect their own informant.
... unless you want a scenerio where any Jury with any technical knowhow whatsoever will always vote to acquit, on the grounds that digital evidence is no more valuable than a he-said/she-said argument.
Bullshit.
This should matter a lot.
Mark Furman's bigotry was enough to create the appearance of "reasonable" doubt as to the veracity of the DNA evidence that unequivocably linked O.J. Simpson to the murder of his ex wife and her friend. Nevermind that the evidence was almost certainly NOT tainted or modified
Digital evidence is as fleeting as the wind. I can copy a file to your hard drive, make a phone call, and the assumption will be you're guilty. Or a cop could walk in with a CD, do the same thing, and convict you.
Gnupg and similiar encryption tools, combined with date and time stamping (perhaps even authenticated date and time stamping via ntp servers) could be deployed relatively simply and make data tampering virtually impossible (e-mails are certain to be real, and have been created on such-and-such a date, etc).
Similiar schemes might be applicable to preserving the integrity of digital imagry, video, etc., and it is very important that these issues be addressed.
We know that the police and the FBI do tamper with evidence. We know that they bear false witness in court
Law enforcement will tamper evidence on occasion, and making it easier for them to do so virtually insures that it will be tampered more often. In order to maintain (or even improve) the integrity of our justice system, we need to make modifying digital evidence as difficult (or impossible) as is possible, and we have numerous tools already to do so.
Dismissing this issue is foolish
The Future of Human Evolution: Autonomy
So technology has answered, its back in the hands of law enforcement to present their case properly.
modify ONLY copies
originals all go onto read-only media
checksum religiously
WRITE GOOD POLICY for maintaining digital evidence...and post it before you start using digital media. Review it once a year, or more often to revise for unforeseen issues. Educate your detectives, and your Asst. DA's.
Rinse, later, repeat.
Always value the individual over the system. --Bruce Lee "I don't need a Sig - I have a custom 191" - me
I work in the field, I create and deploy records management systems for police.
There's always an auditable chain of custody with all eveidence, digitally the product i use accomplishes it with encryptions and checksums. If an officer takes a pic out to alter it (they have to crop/lighten/darken mugshots so they look consistent for use in a lineup), his actions are logged, and a copy of the original is always kept. Just like checking stuff in and out of any CVS.
There are some digicams out there specially designed for the task which create special checksums and hashes to prove, mathematically that the image on a disk is the same one the camera took.
This is all tied to the officer who took the picture and entered it into the system, and ultimately would be held accountable for it.
If needed, I could be called on to swear an affidavid that the file hadn't been altered since taken/entered.
Now, for the most part, the agencies I've dealt with only use digital imagine for mugshots, and a few take digital shots of traffic accidents. But more and more are expanding the use of technology. 911 calls, and police radio chatter, being encoded to mp3 and permanently attached to the case file, stills from dashboard cameras, crime scene photos.
Frankly, you can prove mathematically with some simple tech these days that not even a single pixel in a digital photograph had been altered. It'd much easier to fake an old-fashioned analog photograph.
Of course, sleazy lawyers will wow clueless jury members with how easy it is to change things in photoshop, which they'll understand. And those jury members will be asleep when the mathemetician demonstrates that there's only a 1 in 400 kajillion chance of altering time image without changing the checksums...
I don't need no instructions to know how to rock!!!!
oh brave new world, that has such people in it!
I think anyone who knows ANYTHING about computers would tell you that there is no guarantee of security or stability.
Lawmakers should take this into account and require the prosecution or plaintiff show beyond a reasonable doubt that the data can in fact be reasonably trusted and has not been handled by an untrusted or malicious party.
Overall, this question raises a lot of issues. But I feel the courts need to decide on a set of guidelines that can be used to assure the jury and the defense that the evidence presented to support accusations can in fact be trusted.
Because who's to say an overzaelous prosecuter didn't hire someone to "put" something on the suspect HD?
But even then the courts might have a hard time ahead. Already we've seen cases that raise this question in which there can be no "safe-guard" and in fact the defense relies upon the exploitablity of software. This was demonstrated in the kiddie porn trial in the UK in which the defendant got aquitted because his lawyers successfully argued that a virus planted the porn on his PC.
Ulitmately, it is double-sided issues such as this that are leading us down the path of Microsofts Secure Computing initiative. But that is a mission that is doomed from the start... history shows us that no matter how secure they make it, some one will break it.
Witnesses credibility has been under debate for years. Witnesses can be influenced by suggestive questioning, their own backgrounds and prejudices, or the amount of sleep they have had on a given day. And how do you quantify or qualify that kind of tampering? Witness testimony has been used for millenia. No evidence is foolproof. The problem is 1. to know what kind of tampering can be done and be aware and wary of it and 2. to get the trust of the public in that type of evidence so it can be admitted, falible or not.
Do something about world hunger. Click here
No, law enforcement officers are required to maintain strict control and tracking of evidence now ("Chain of Evidence") to try and prove the evidence has not been tampered with. The mutability of digital records adds extra considerations, in some cases.
One way of hardening the chain is to burn the digital record onto a CD-R, with a least two witnesses and recording the serial number of the CD-R onto the evidence log.
that CNN is publishing this story; back in the late 1990s, they stole a frame from one of my computer generated animations of a pulsating star, and put it in a story on their website. They tweaked the colourmap a little, but apart from that the image is identical to my original animations.
They even had the gall to claim the copyright for themselves. Bastards.
Tubal-Cain smokes the white owl.
We've already seen a few kiddie-porn cases in Great Britain thrown out because the machines had been compromised, thus making it impossible to conclusively prove that the individual arrested was responsible for the crime.
But this points up a scary possibility, one which has already been hinted at in various places, which is that there's no robust trace of events. Once there's a backdoor in your system, there are a lot of things that can happen:
- secrets can be observed.
- "evidence" can be planted.
- activities can be spoofed.
Say you live under a repressive government, and somehow offend someone with 'l33t h@x0r skillz. You may find, for example, that you published a series of articles critical of the leadership. Yup, it came from your personalized copy of Word, and was sent from your IP address. If they've planted a keylogger, it could even be digitally signed with your PGP key. In a less oppressive environment, you might discover that you just mailed a collection of kiddie porn to the FBI.
Now the person screwing you could be some vicious script kiddie, but there's also the potential for abuse in the political world. Like the case in Malaysia, where an opposition leader was tarred with a faked sex scandal, political operatives can be neutralized by opponents through these means (please don't let Karl Rove read this posting!).
Scary stuff...
Eloi, Eloi, lema sabachtani?
www.fogbound.net
I would like to subimt this photo into evidence. It clearly shows Bert and Ernie as the true culprits behind this heinous act!
If the image don't fit you must acquit.
Why worry? Each of us is wearing an unlicensed "nucular" accelerator on his back.
Sig changed for readability by G.W.
If you are interested in verifying images I'd check out veripic. I don't know all the details behind it, but it seems like they are able to tell if the image has been modifed. From what I remember, the requirement is that you have to specify which digital camera it was taken with.
http://www.veripic.com/certified
My guess on how they do it would be by checking how the image was encoded? any ideas?
If you think digital photos are easily tampered with, think about how easy it is to tamper with a WAV file. "I did not do it," can become "I did do it" with the flip of wrist.
And yet, with a simple md5 checksum or any other of dozens of other techniques, such a change is impossible to make undetectable. The chain of evidence would need to show that at time of recording the md5 checksum of the file was 258c2891488526d239077559ae4fabab, and that the md5 checksum of the current file is still the same. Show the chain is intact, you've got that part of it covered. Get some mathematician to explain to the sheep of the jury that these are better odds than DNA, hell, call it "Digital Fingerprint" or something, and get on with the case.
Demonstrate this, since they won't get it from the math guy, by taking an image, changing a single pixel, and recalculating the checksum showing that it changes entirely. Don't _tell_ them, _show_ them that if you change the digital information, the "Digital Fingerprint" changes drastically.
(referring to the parent post, not the grandparent): b b witch hunt.
ok, so the FBI raids someone's PC on suspicion of kiddie porn. Now, the PC has been out of the hands of the suspect. What's to stop the FBI from planting kiddie porn on the hard drive? And will it, in the end, even be neccessary to find porn on the hard drive? Links might be enough (links that might have resulted from IE's insecurities, for example?)I truly despise child pornographers, but are we heading for a police state in the name of anti-terrorism and anti-kiddie porn?
Maybe DRM actually makes sense in this context. I would rather be unable to get porn at all than be prosecuted for planted porn. (the OS could be programmed to reject any files that have porno-like meta-data in their headers, or however DRM works). Granted, this solution would keep all porn (including "legal" porn) out, but it would solve the problem.
So let's say someone breaks into the MegaCorp computer and causes billions of dollars in damage and causes a few powerplants to go off line in the East Coast of the US during a heatwave causing many people to die.
Now let's say that the person who did this is found because he forgot to modify/erace the system logs and a criminal trial begins.
Now let's also say he hires Jacky Childs as his lawyer who asks the system admins, under oath, if the system logs are nothing more than common text files. Then he asks if it is possible that any of the admins could log on and edit that text file log. Unless they got the logs being directed to a line printer an constantly printed out, Jacky Childs just found his reasonable doubt. Good luck with the civil suits!
Seriously though, this could be a real problem one day soon.
Losing faith in humanity one person at a time.
I was told by a lawyer to get photographic evidence , not in digital, or film but Instant film format.
/developed.
Jury's, and judges consider the instant developed photos of the instamatic camera are considered unalterable because of how they are made
usually the oldest technology is the most accepted in the court of law.
at BrightNoise Inc that works with IP based cameras and video "servers" to stream images and detect motion, alarms, etc in sensitive areas . One of the biggest concerns I have had is tampering with jpegs or avi files exported from these softwares. AFAIK none has been challenged in a court of law here in the states, but we have had several schools and companies use it as proof of guilt for thieving and extortion!! The approach Milestone took was to make it exceedingly difficult to tamper with the original recording but allow exports. I train users to immediatly remove the original drives or enter server when there is an event of serious enough magnitude, lets face it whats a few thousand dollars when your talking about firing someone or worse? Personally I would like to see water marks or some embedded checksum in the images.
Si vis pacem, para bellum! For evil to succeed good men need only do nothing!
Um, yeah. Well, if they're encrypted, you either:
I think what he meant to say was checksummed and encrypted. While this does provide a reasonable degree of security against tampering, it in no way establishes that the pictures were real in the first place. It is a very trivial matter to write a CD today with a date of 01/01/1998.
Yes, checksumming does provide a reasonable degree of security provided other safegaurds are taken. However, defeating this scheme is still too simple. Consider:
- Murder takes place in 1998. Detective has a hunch that suspect X has done it, but can't prove it.
- It's 2004 - suspect X is arrested on an unrelated charge, and fingerprinted.
- Said detective takes pictures of X's fingerprints.
- He then sets the clock on his PC back to 1998, a few days after the murder.
- Then he downloads the fingerprints he's just photographed to the machine, and burns the photos to CD. When he's done, he sets the PC's date back to the current date.
- Said detective files the freshly minted CD in the 1998 storage locker.
A few days later, the detective suggests to his subordinate that he run X's fingerprints against the crime-scene database. Lo and behold! - suspect X's fingerprints match those found at the crime scene!Tell me I'm more secure now. Evidence fakery has been around since mankind learned to lie. The digital age just makes it more convenient.
The society for a thought-free internet welcomes you.
NIST has a test spec for drive imaging software for forensic use.
m
http://www.cftt.nist.gov/documents/Atlanta.pdf
They have been testing a bunch of programs, and so far dd on Free BSD has performed best:
http://www.ojp.usdoj.gov/nij/pubs-sum/203095.ht
"As God is my witness, I thought turkeys could fly." A. Carlson
The media could always be replaced though, if someone had access to the device it was contianed within. Of course, some sort of tamper detection could be inscluded within the device itself. Since it would all come down to cost however, I beleive it would be extremely unlikely that any of these ideas ever get put into practice. Manufactures wouldnt take part unless required by law. The best solution would be to require a 3rd party observer (or someone representing the defence if possible) wheneever digital evidence is recorded.