Hi Robert, thanks for your message. On 5/29/07, Robert Turner <[EMAIL PROTECTED]> wrote:
It seems as all the evidence found could have been spoofed or faked. Email addresses and IPs and time stamps on files can be changed to both hide the original sender as well as implicate a third party. Additionally, there are known worms that can pull text from a computer and add it to an automated email. Is there a possibility that the suspects computer is infected, therefore raising the possibility that the message was sent by someone else, from the suspects computer?
I did not inspect the computer of the suspect, but I also said all this. I want to visit the guy in the next days so I can test the machine for virus, worms, etc.
The IP numbers in the apartment are not false. They look as though they are a DHCP assignments from an internal range of addresses. Either the DSL modems are acting as the DHCP server for each computer or they are being assigned addresses by a server at the Internet Service Provider.
Here we use to call this IP numbers (198.162.?.?, 10.0.0.?) as false IPs. I know it is not correct but it is usual to do so here.
I did not read about any evidence handling practices that were used to ensure data integrity, such as taking images of hard drives, keeping the original hard drives as evidence, examining only 3rd copies of hard drives. This would be important as any defense lawyer could raise the question of appropriate forensic techniques and whether or not the original data was modified. If you simply list a file, it will have been modified.
Yes, the expert took copies of all disks from the 12 apartments using DD. But all disks were sent back to the owners after the copies. The expert used these copies to do the analysis. The original contents were not preserved.
It sounds like you can also challenge the credentials of the expert, but that might be a problem if they were appointed by the judge. An indictment of this technician will essentially be an indictment of the judge.
Yes, this is a problem. I don't want to advise the defence counselor to do so, but it is a possibility of course. Thank you again! Regards Flavio
