Hello Flavio,

without being a professional in the area here are my 5 reals. :)

Your task is to prove that the guy is innocent and not to perform an investigation, correct? I'm also assuming that in Brazil the person is innocent until proven otherwise.

Even if it is proven that the email has originated from S's computer, is the prosecution able to prove that S sent the email? This is crucial because computer and human are two different things. You said there are 12 other people in the apartment; it could be anybody (and btw. you do not need to find which of the other people did it, you just have to prove it was not S).

You mentioned S works a lot and studies a lot. If the email was received at a certain time by the recipient and their mail system registered the incoming mail, where was S at that time? (It is possible to argue that the email was delayed during the relay, BUT it is the OTHER party's responsibility to prove so, i.e. they have to go and find the logs.) If they do so you can then ask the question again: where was the person when they sent the email?

If they are able to get to any logs, and especially to the logs from hotmail, then they should be able to also trace the [EMAIL PROTECTED] account. They ALSO have to prove that this account is fake (or used by S). This again means that they have to tie the time of logins to this account to the time the person is working on his computer (at home, because until that point it is assumed that he sent the email from there).

So you see, it is really important for the PROSECUTION to prove he was sitting in front of the computer. Also, none of the other people needs to be an IT wiz to break into his computer and send the email. All it takes is to call in a buddy that can do that. Also another avenue (already mentioned in the thread) is trojans/viruses, even cross-site scripting...

From a forensic point of view: it is true that you cannot trust the clock of a computer, but you can trust causality. How do the timestamps of those two files relate to the timestamps of other files that were positioned (physically on the disk) around them? Windows tends to write files sequentially, and unless somebody ran some disk defragmenting software (and even in this case you may be lucky) most likely you can find out if the timestamp was altered and approximately when the files were really created. This can really easily make S innocent (or bury them deeper). Just see if the files were created before or after the reception of the email.

The two files can be explained by the word processing software making a temporary copy (or autosave). Btw. are the files identical, or are there things missing from one of them? Maybe S indeed sent the email and did some editing?

The last thing you can do to tie S to the message is language analysis. There is a lot of research done regarding English (and I hope the message is in English, or the techniques are applicable to Portuguese), but you can compare files the person really wrote (and admits it) to the text that was sent. I think, if possible, this is the best way to do it.

Last but not least: who was the forensic expert working for? I.e. who signs his paycheck? If it is not the police or some other government organization (or other trusted source) you can easily argue that the chain of custody of the evidence was broken and as a result the forensic analysis (or for that matter any further forensics based on that data) is not admissible in court. In simple words: if I was the expert and you were paying me the right amount I can craft ANYTHING on his HDD :)

I hope this helps or at least brings ideas that can help you swing either way. And don't be partial. You never know what happened. It could have been S that sent the email with a gun pointed at his head by the CEO of the company, right? :)

Krassi
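The "trust causality, not the clock" check described above, written out as an added example (it is not code from this thread or from anyone in it). It assumes a forensic tool has exported, per file, the first cluster it occupies and its recorded creation time; the listing below is constructed for the demo, and the window it reports for a flagged file comes only from the neighbours' stamps, so it is an estimate, not a measurement.

```python
"""Added example: on a sequentially written disk, files allocated next to
each other should carry non-decreasing creation times. A file whose stamp
is earlier than the stamps of the files allocated just before it has most
likely been backdated, and its neighbours bound when it was really
written. The (path, first cluster, creation time) input format is an
assumption about what a forensic tool would export."""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, int, datetime]
Window = Tuple[Optional[datetime], Optional[datetime]]

# Constructed sample allocation listing (not from the case).
SAMPLE: List[Record] = [
    ("Documents/notes.doc",       10400, datetime(2007, 5, 20, 9, 12)),
    ("Documents/~WRL0001.tmp",    10412, datetime(2007, 5, 20, 9, 40)),
    ("Documents/letter.doc",      10420, datetime(2007, 4, 1, 8, 0)),   # stamp predates its neighbours
    ("Documents/letter_copy.doc", 10431, datetime(2007, 5, 20, 10, 5)),
    ("Downloads/setup.exe",       10450, datetime(2007, 5, 21, 18, 30)),
]

# Constructed time at which the recipient's mail server logged the message.
RECEIVED = datetime(2007, 5, 20, 10, 30)


def find_backdated(records: List[Record], k: int = 2,
                   tolerance: timedelta = timedelta(minutes=5)) -> Dict[str, Window]:
    """Return {path: (not_before, not_after)} for files whose creation time
    contradicts the order of allocation: earlier than most of the k files
    allocated just before them, or later than most of the k files after.
    A side needs at least two neighbours to vote, so a single backdated file
    cannot by itself make an honest neighbour look forward-dated."""
    ordered = sorted(records, key=lambda r: r[1])          # allocation order
    flagged: Dict[str, Window] = {}
    for i, (path, _, ts) in enumerate(ordered):
        before = [r[2] for r in ordered[max(0, i - k):i]]
        after = [r[2] for r in ordered[i + 1:i + 1 + k]]
        earlier_than_pred = sum(1 for t in before if t > ts + tolerance)
        later_than_succ = sum(1 for t in after if t < ts - tolerance)
        backdated = len(before) >= 2 and earlier_than_pred * 2 > len(before)
        forward_dated = len(after) >= 2 and later_than_succ * 2 > len(after)
        if backdated or forward_dated:
            # Neighbours bound the real creation time on either side.
            flagged[path] = (max(before) if before else None,
                             min(after) if after else None)
    return flagged


def relative_to_event(window: Window, event: datetime) -> Optional[str]:
    """Place the estimated creation window against an external event such as
    the mail server's receipt time: 'before', 'after', or None when the
    window straddles the event or is open on the relevant side."""
    not_before, not_after = window
    if not_after is not None and not_after < event:
        return "before"
    if not_before is not None and not_before > event:
        return "after"
    return None


if __name__ == "__main__":
    for path, window in find_backdated(SAMPLE).items():
        print(path, "really created between", window,
              "->", relative_to_event(window, RECEIVED), "the email was received")
```

Defragmentation, wear levelling on flash media and simple reuse of freed clusters all break the sequential-write assumption, so a flag from this check is a lead for a proper timeline, not a conclusion on its own.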
At 10:32 AM 5/31/2007, Roland Dobbins wrote:

On May 29, 2007, at 6:42 PM, Flavio Silva wrote:

It sounds like you can also challenge the credentials of the expert, but that might be a problem if they were appointed by the judge. An indictment of this technician will essentially be an indictment of the judge.

IANAL, and I've no knowledge of or interests in the particulars of this case. That being said:

There's also the possibility of MITM (via routing or ARP or proxying or what-have-you), and then there's the issue that tracing an email back to a particular -computer system- does not equate to tracing it back to a particular -person- (i.e., did anyone else have physical access to the computer, was the computer trojanned/botted so that others could remotely control the computer and send email without the owner's knowledge, etc.).

Nonrepudiation simply isn't a property of the vast majority of ordinary, consumer-grade Internet email systems (assuming that's what you're dealing with, in this instance). This should be quite easy to demonstrate in everyday language which a nontechnical person can understand.
------------------------------------------------------------------------
Roland Dobbins <[EMAIL PROTECTED]> // 408.527.6376 voice
You may not be interested in strategy, but strategy is interested in
you.
-- Leon Trotsky
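Both messages above turn on what the mail logs can and cannot establish: the relay timestamps Krassi says the other side would have to produce, and Roland's point that a trace ends at a machine, not a person. The added example below (not code from this thread) reads the Received: chain of a message to recover when each relay logged it, how long relaying took, and how far the sender-controlled Date: header drifts from the first relay's stamp. The message, hosts and addresses are constructed placeholders.

```python
"""Added example: turn the Received: headers of a message into a hop
timeline. Received: lines are stacked newest-first by each relay, so the
bottom one names the host that handed the message to the first relay
(a machine or webmail session, never a person). Date: and From: are set
by whatever submitted the message and are not evidence of anything."""
import email
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Constructed sample message; all names and addresses are placeholders.
RAW = b"""Received: from mx.example.org (mx.example.org [203.0.113.10])
\tby inbox.example.net with ESMTP id ABC123
\tfor <recipient@example.net>; Tue, 29 May 2007 21:42:10 -0300
Received: from webmail-host.example.com ([198.51.100.7])
\tby mx.example.org with SMTP; Tue, 29 May 2007 21:41:58 -0300
Received: from [192.0.2.55] by webmail-host.example.com
\twith HTTP; Tue, 29 May 2007 21:41:40 -0300
From: "S" <s@example.com>
To: recipient@example.net
Subject: constructed sample
Date: Tue, 29 May 2007 21:41:00 -0300

body
"""


def received_chain(raw: bytes) -> List[Dict[str, Optional[object]]]:
    """Oldest hop first: {'from': handing-off host, 'by': relay, 'at': stamp}."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())                 # unfold continuation lines
        stamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        frm = re.search(r"\bfrom\s+(\S+)", text)
        by = re.search(r"\bby\s+(\S+)", text)
        hops.append({"from": frm.group(1) if frm else None,
                     "by": by.group(1) if by else None,
                     "at": stamp})
    return hops


def relay_delay(hops) -> timedelta:
    """Time between the first relay's stamp and the final delivery stamp:
    the figure that settles any 'it was delayed in transit' argument."""
    return hops[-1]["at"] - hops[0]["at"]


def sender_date_skew(raw: bytes) -> timedelta:
    """First relay stamp minus the sender-supplied Date: header. Relay stamps
    come from the relays' own clocks; Date: comes from the submitter."""
    msg = email.message_from_bytes(raw)
    first_hop = received_chain(raw)[0]["at"]
    return first_hop - parsedate_to_datetime(msg["Date"])


if __name__ == "__main__":
    chain = received_chain(RAW)
    for hop in chain:
        print(f"{hop['at'].isoformat()}  {hop['from']} -> {hop['by']}")
    print("submitting host:", chain[0]["from"])
    print("relay delay:", relay_delay(RAW and chain))
    print("Date: header skew vs first relay:", sender_date_skew(RAW))
```

Only the bottom-most Received: line is written by a relay the recipient does not control, and everything below it in the header block is whatever the submitter chose to send, so a chain is only as trustworthy as the relays that appended it.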