Worried about Digital Evidence Tampering?
2marcus writes "As digital technology continues to improve and is used in more and more applications, the ease of tampering with digital files becomes more pertinent. This is especially important in the field of criminal justice, where even the appearance of possible impropriety can sway a jury. CNN has an article on the issues with digital photos being used for fingerprints and other forensics evidence."
There has always been the possibility that the evidence could have been tampered with before. Since it is digital this only makes it slightly easier to do. It shouldn't matter however because it is always based on the honesty of the law enforcement official to do what is right.
Any form of physical evidence can be tampered with. That's why the chain of custody is such an important concept. Everybody who had control of that evidence from the point it was discovered to the courtroom needs to testify that they did nothing funny, and they saw to it that nobody else did anything funny. That makes tampered evidence just as bad as any other lie to the court, somebody's on the hook for perjury.
Ahh, digital evidence tampering, where would I be without you! I was quite good at creating doctor's office letterhead for getting out of school. :)
Heck, where I come from not even regular (=non-digital) photos et al. are admitted as evidence in court - because they are too easily tampered with.
Basically only human intel is admitted as evidence (witnesses) - if you want to admit other evidence (such as footprints etc.) you show photos (as an illustration, not as the proof) of course, but _always_ backed up by witnesses (fellow officers, forensics guy) who could be called to testify under oath.
Yes, but then the question of "what is tampering".
There are actually cases of people photoshopping fingerprints to "bring them out".
Is that evidence tampering?
What if they just use a large burn/dodge tool? What if they just use a small one?
Where is the line?
If tampering is possible, even if it's unlikely, there will always be an out for people who don't want to believe evidence.
In practice, the rejection of valid evidence will probably be a bigger problem than the creation of invalid evidence.
Simply require all digital evidence to be encrypted. That way anybody who has a thought of tampering would have to consider the wrath of DMCA.
Nobody would tamper with digital evidence given THAT outcome.
My second-to-last year of college, I had signed a lease for a house just off campus for the next school year. I was looking forward to it because it was a nice house and I'd be rooming with my closest buddies.
Unfortunately, when we went to move in, the place was trashed and grossly out of code for the city/county. In an effort to be released from the lease, I took a bunch of photographs of everything that was wrong with the house, but I took them on my digital camera. I even brought my camera to a developer and had the photos professionally developed.
Nevertheless, I brought my pictures to a lawyer (school-subsidized, provided for student lessor/lessee problems) and he said that if I wanted to use them in any practical way, I had to go take the pictures again with a real camera (and you could _barely_ tell it was digital).
Fortunately, we had enough evidence that the landlord caved (and we all learned many valuable lessons about leasing, and the law in that time period).
A huge swath of people who get convicted for life or death are poor and stupid minorities who are sentenced with usually little more than one person saying "I swear I saw the defendant...sure it was dark but I swear it!" The criminal justice system in the country (U.S.) is in such a poor state that I don't see how digital evidence is such a huge step backwards. Do you really think it would have been easier to free (or convict) O.J. if the photos of the crime scene were digital?
There has always been the possibility that the evidence could have been tampered with before. Since it is digital this only makes it slightly easier to do. It shouldn't matter however because it is always based on the honesty of the law enforcement official to do what is right.
... the fact that the jury recognized (and weighed most heavily) was that the honesty of the law enforcement official(s) was in serious doubt ... and quite frankly, often is.
... indeed, we even know of at least one case where the FBI ensured that an innocent man was convicted of murder and sent to prison in order to protect their own informant.
... unless you want a scenario where any Jury with any technical knowhow whatsoever will always vote to acquit, on the grounds that digital evidence is no more valuable than a he-said/she-said argument.
Bullshit.
This should matter a lot.
Mark Fuhrman's bigotry was enough to create the appearance of "reasonable" doubt as to the veracity of the DNA evidence that unequivocally linked O.J. Simpson to the murder of his ex-wife and her friend. Never mind that the evidence was almost certainly NOT tainted or modified
Digital evidence is as fleeting as the wind. I can copy a file to your hard drive, make a phone call, and the assumption will be you're guilty. Or a cop could walk in with a CD, do the same thing, and convict you.
GnuPG and similar encryption tools, combined with date and time stamping (perhaps even authenticated date and time stamping via ntp servers) could be deployed relatively simply and make data tampering virtually impossible (e-mails are certain to be real, and have been created on such-and-such a date, etc).
Similar schemes might be applicable to preserving the integrity of digital imagery, video, etc., and it is very important that these issues be addressed.
We know that the police and the FBI do tamper with evidence. We know that they bear false witness in court
Law enforcement will tamper evidence on occasion, and making it easier for them to do so virtually ensures that it will be tampered more often. In order to maintain (or even improve) the integrity of our justice system, we need to make modifying digital evidence as difficult (or impossible) as is possible, and we have numerous tools already to do so.
Dismissing this issue is foolish
The Future of Human Evolution: Autonomy
So technology has answered, it's back in the hands of law enforcement to present their case properly.
modify ONLY copies
originals all go onto read-only media
checksum religiously
WRITE GOOD POLICY for maintaining digital evidence...and post it before you start using digital media. Review it once a year, or more often to revise for unforeseen issues. Educate your detectives, and your Asst. DA's.
Rinse, lather, repeat.
Always value the individual over the system. --Bruce Lee "I don't need a Sig - I have a custom 191" - me
I work in the field, I create and deploy records management systems for police.
There's always an auditable chain of custody with all evidence, digitally the product I use accomplishes it with encryptions and checksums. If an officer takes a pic out to alter it (they have to crop/lighten/darken mugshots so they look consistent for use in a lineup), his actions are logged, and a copy of the original is always kept. Just like checking stuff in and out of any CVS.
There are some digicams out there specially designed for the task which create special checksums and hashes to prove, mathematically that the image on a disk is the same one the camera took.
This is all tied to the officer who took the picture and entered it into the system, and ultimately would be held accountable for it.
If needed, I could be called on to swear an affidavit that the file hadn't been altered since taken/entered.
Now, for the most part, the agencies I've dealt with only use digital imaging for mugshots, and a few take digital shots of traffic accidents. But more and more are expanding the use of technology. 911 calls, and police radio chatter, being encoded to mp3 and permanently attached to the case file, stills from dashboard cameras, crime scene photos.
Frankly, you can prove mathematically with some simple tech these days that not even a single pixel in a digital photograph had been altered. It'd be much easier to fake an old-fashioned analog photograph.
Of course, sleazy lawyers will wow clueless jury members with how easy it is to change things in photoshop, which they'll understand. And those jury members will be asleep when the mathematician demonstrates that there's only a 1 in 400 kajillion chance of altering the image without changing the checksums...
I don't need no instructions to know how to rock!!!!
oh brave new world, that has such people in it!
I think anyone who knows ANYTHING about computers would tell you that there is no guarantee of security or stability.
Lawmakers should take this into account and require the prosecution or plaintiff show beyond a reasonable doubt that the data can in fact be reasonably trusted and has not been handled by an untrusted or malicious party.
Overall, this question raises a lot of issues. But I feel the courts need to decide on a set of guidelines that can be used to assure the jury and the defense that the evidence presented to support accusations can in fact be trusted.
Because who's to say an overzealous prosecutor didn't hire someone to "put" something on the suspect's HD?
But even then the courts might have a hard time ahead. Already we've seen cases that raise this question in which there can be no "safe-guard" and in fact the defense relies upon the exploitability of software. This was demonstrated in the kiddie porn trial in the UK in which the defendant got acquitted because his lawyers successfully argued that a virus planted the porn on his PC.
Ultimately, it is double-sided issues such as this that are leading us down the path of Microsoft's Secure Computing initiative. But that is a mission that is doomed from the start... history shows us that no matter how secure they make it, someone will break it.
Witnesses' credibility has been under debate for years. Witnesses can be influenced by suggestive questioning, their own backgrounds and prejudices, or the amount of sleep they have had on a given day. And how do you quantify or qualify that kind of tampering? Witness testimony has been used for millennia. No evidence is foolproof. The problem is 1. to know what kind of tampering can be done and be aware and wary of it and 2. to get the trust of the public in that type of evidence so it can be admitted, fallible or not.
Uhhhhh...you just made it next to impossible to prosecute a lot of crimes. Take kiddie porn for example - you're saying that a hard drive full of kiddie porn images shouldn't be admissible?
Please clarify your point, because you either didn't think your comment through, or meant something entirely different than what you wrote.
No, law enforcement officers are required to maintain strict control and tracking of evidence now ("Chain of Evidence") to try and prove the evidence has not been tampered with. The mutability of digital records adds extra considerations, in some cases.
One way of hardening the chain is to burn the digital record onto a CD-R, with at least two witnesses and recording the serial number of the CD-R onto the evidence log.
that CNN is publishing this story; back in the late 1990s, they stole a frame from one of my computer generated animations of a pulsating star, and put it in a story on their website. They tweaked the colourmap a little, but apart from that the image is identical to my original animations.
They even had the gall to claim the copyright for themselves. Bastards.
Tubal-Cain smokes the white owl.
We've already seen a few kiddie-porn cases in Great Britain thrown out because the machines had been compromised, thus making it impossible to conclusively prove that the individual arrested was responsible for the crime.
But this points up a scary possibility, one which has already been hinted at in various places, which is that there's no robust trace of events. Once there's a backdoor in your system, there are a lot of things that can happen:
- secrets can be observed.
- "evidence" can be planted.
- activities can be spoofed.
Say you live under a repressive government, and somehow offend someone with 'l33t h@x0r skillz. You may find, for example, that you published a series of articles critical of the leadership. Yup, it came from your personalized copy of Word, and was sent from your IP address. If they've planted a keylogger, it could even be digitally signed with your PGP key. In a less oppressive environment, you might discover that you just mailed a collection of kiddie porn to the FBI.
Now the person screwing you could be some vicious script kiddie, but there's also the potential for abuse in the political world. Like the case in Malaysia, where an opposition leader was tarred with a faked sex scandal, political operatives can be neutralized by opponents through these means (please don't let Karl Rove read this posting!).
Scary stuff...
Eloi, Eloi, lema sabachtani?
www.fogbound.net
With our society relying on more digitized information all the time, it is not practical to make it all inadmissible as evidence. There's no way in the world that you could prosecute computer crime or for that matter almost any fraud without digital evidence. As for the photo example, non digital photos can be doctored as well. For example, you could doctor a photo digitally, recapture the picture with film and develop the non-digital photo of the digitally altered image. If it's done well, it would be very hard to detect. Bottom line is, we need better evidence authentication, not exclusion of all digital evidence.
Possibly, here's one expensive solution. Some solid state memory card company should start making write once memory that would work in a digital camera. Along with the image would be an md5 sum.
Then the images could be copied to cdrom along with the md5 sums. If the defense feels that the images have been tampered with, they can always be verified against the md5sum and then if so, the archived memory card.
Yes Francis, the world has gone crazy.
(referring to the parent post, not the grandparent): b b witch hunt.
OK, so the FBI raids someone's PC on suspicion of kiddie porn. Now, the PC has been out of the hands of the suspect. What's to stop the FBI from planting kiddie porn on the hard drive? And will it, in the end, even be necessary to find porn on the hard drive? Links might be enough (links that might have resulted from IE's insecurities, for example?) I truly despise child pornographers, but are we heading for a police state in the name of anti-terrorism and anti-kiddie porn?
Maybe DRM actually makes sense in this context. I would rather be unable to get porn at all than be prosecuted for planted porn. (the OS could be programmed to reject any files that have porno-like meta-data in their headers, or however DRM works). Granted, this solution would keep all porn (including "legal" porn) out, but it would solve the problem.
So let's say someone breaks into the MegaCorp computer and causes billions of dollars in damage and causes a few powerplants to go off line in the East Coast of the US during a heatwave causing many people to die.
Now let's say that the person who did this is found because he forgot to modify/erase the system logs and a criminal trial begins.
Now let's also say he hires Jacky Childs as his lawyer who asks the system admins, under oath, if the system logs are nothing more than common text files. Then he asks if it is possible that any of the admins could log on and edit that text file log. Unless they got the logs being directed to a line printer and constantly printed out, Jacky Childs just found his reasonable doubt. Good luck with the civil suits!
Seriously though, this could be a real problem one day soon.
Losing faith in humanity one person at a time.
I was told by a lawyer to get photographic evidence, not in digital, or film, but instant film format.
/developed.
Juries and judges consider the instant-developed photos of the instamatic camera unalterable because of how they are made.
Usually the oldest technology is the most accepted in the court of law.
It's not hard for experts to detect Photoshop fakery, even if amateurs can be fooled. If you move objects around in the picture, you'll never be able to get every cast shadow right, or get the lighting of the removed objects right. The analysis process that the experts use is analogous to ray tracing run backwards: given the images, figure out where the lighting is. Then boundaries between regions that have been altered and regions that have not come out clearly.
Furthermore, as its name implies, many of the Photoshop tools correspond to tricks that photographers have traditionally played in darkrooms, it just makes it easier.
Your solution is entirely too concise, simple, and complete. Law enforcement will never go for it.
Um, yeah. Well, if they're encrypted, you either:
I think what he meant to say was checksummed and encrypted. While this does provide a reasonable degree of security against tampering, it in no way establishes that the pictures were real in the first place. It is a very trivial matter to write a CD today with a date of 01/01/1998.
Yes, checksumming does provide a reasonable degree of security provided other safeguards are taken. However, defeating this scheme is still too simple. Consider:
- Murder takes place in 1998. Detective has a hunch that suspect X has done it, but can't prove it.
- It's 2004 - suspect X is arrested on an unrelated charge, and fingerprinted.
- Said detective takes pictures of X's fingerprints.
- He then sets the clock on his PC back to 1998, a few days after the murder.
- Then he downloads the fingerprints he's just photographed to the machine, and burns the photos to CD. When he's done, he sets the PC's date back to the current date.
- Said detective files the freshly minted CD in the 1998 storage locker.
A few days later, the detective suggests to his subordinate that he run X's fingerprints against the crime-scene database. Lo and behold! - suspect X's fingerprints match those found at the crime scene! Tell me I'm more secure now. Evidence fakery has been around since mankind learned to lie. The digital age just makes it more convenient.
The society for a thought-free internet welcomes you.
The thing is, if someone can tamper with the image, they can tamper with the md5sum as well. In your solution, the md5sum is useless, it's the write only memory on the camera that is actually providing your security.
I read the internet for the articles.
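An added example, not part of the thread: a minimal hash-chained custody log in Python that puts three points raised above side by side, namely the logged check-in/check-out with checksums, the backdated-CD scenario, and the remark that a bare md5sum stored beside the image can be replaced along with it. The field names, the key and the idea of a head hash witnessed outside the department (for instance filed with the court clerk) are assumptions made for the illustration; all data is constructed.

```python
import hashlib, hmac, json

GENESIS = "0" * 64
FIELDS = ("seq", "when", "officer", "action", "sha256", "prev")

def sha(data):
    return hashlib.sha256(data).hexdigest()

def _digest(entry):
    # Canonical JSON over the committed fields only.
    return sha(json.dumps({f: entry[f] for f in FIELDS}, sort_keys=True).encode())

def _mac(key, entry_hash):
    return hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()

def append(log, key, when, officer, action, file_sha256):
    """Add an entry committing to the file hash and to the previous entry."""
    entry = {"seq": len(log), "when": when, "officer": officer, "action": action,
             "sha256": file_sha256, "prev": log[-1]["entry_hash"] if log else GENESIS}
    entry["entry_hash"] = _digest(entry)
    entry["mac"] = _mac(key, entry["entry_hash"])
    log.append(entry)
    return entry["entry_hash"]  # new head, to be recorded outside the log keeper's control

def verify(log, key, witnessed_head=None):
    """Return a list of problems; an empty list means nothing was detected."""
    problems, prev = [], GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev:
            problems.append(f"entry {i}: chain link broken")
        if _digest(e) != e["entry_hash"]:
            problems.append(f"entry {i}: fields altered")
        if not hmac.compare_digest(_mac(key, e["entry_hash"]), e["mac"]):
            problems.append(f"entry {i}: MAC invalid")
        prev = e["entry_hash"]
    if witnessed_head is not None and prev != witnessed_head:
        problems.append("head does not match witnessed value")
    return problems

def build_sample(key):
    # Constructed sample data: placeholder bytes, names and dates.
    log = []
    append(log, key, "1998-03-02T10:15Z", "officer_a", "intake", sha(b"scene-original"))
    append(log, key, "1998-03-02T11:40Z", "officer_a", "crop-copy", sha(b"scene-cropped"))
    head = append(log, key, "2004-06-01T09:00Z", "officer_b", "intake", sha(b"booking"))
    return log, head

def swap_file_and_checksum(log):
    """No key: replace a file hash and recompute the unkeyed entry hash."""
    forged = [dict(e) for e in log]
    forged[0]["sha256"] = sha(b"doctored")
    forged[0]["entry_hash"] = _digest(forged[0])
    return forged

def backdate_with_key(log, key):
    """Key holder rebuilds the whole log with one extra entry dated 1998."""
    rows = [(e["when"], e["officer"], e["action"], e["sha256"]) for e in log]
    rows.insert(2, ("1998-03-05T08:00Z", "officer_b", "intake", sha(b"booking")))
    rebuilt = []
    for row in rows:
        append(rebuilt, key, *row)
    return rebuilt
```

Swapping a file hash without the key is caught by the MAC and the next chain link. A rebuild by someone who holds the key verifies cleanly on its own and is exposed only by the head hash recorded elsewhere, which is the limit the backdating comment points at.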
It's not hard for experts to detect Photoshop fakery, even if amateurs can be fooled.
I work in wholesale justice -- I do a lot of court-appointed work. There is no way that an expert will be approved in every case to authenticate or detect alterations of digital images. At the basic level of the legal system, the people who most need this sort of protection (accused criminals) will not be able to afford it.
I like the idea of digital photographs with some sort of cryptographic self-authentication. It would reduce the risk of cowboy cops faking evidence and putting it over on juries and judges. Someone needs to police the police, and this might help.
GF.
Lots of petrified grits