Archive - law enforcement RSS Feed

There is no innocent, only acquittal

I was reading a news report this morning on an assault in London and it led me to this quote:

Keep in mind though in a court of law you are either acquitted or found guilty. An acquittal doesn’t mean you’re innocent, it just means there’s not enough evidence to convict you.

I am wondering if this is actually true? Logically it makes sense it would be this way – which would mean if you are charged with an offense, you are never really innocent of it in the eyes of the law.

I am watching you, but you can’t watch me

Several years ago I was hired to assist with an internal investigation. The client, a large company, had some concerns about an employee and wanted to covertly gather information and data on what this employee was doing while at work. For about a week, I sat passively on the network, monitoring the subject's connections to servers, internet systems, e-mail, instant messaging and any other network connection. There was not the selection of automated software there is today to accomplish this, so most of it was done with packet sniffers. I would gather the data, use scripts to extract specific types of data and run it through statistical analysis, looking for data that was ‘different’ or ‘suspect’ in some way. Basically the goal was to profile the user and compare his activities to other users. Then, using this profile, identify and focus on things that didn’t fit. Personally, I found it a little creepy. Looking into the details of someone’s private life is not really fun; a part of me felt like I was being invasive, not respecting their privacy — and technically that is true. But it was the job, what I was asked to do. Sometimes doing things one would prefer not to do is necessary.
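The profiling approach described above (aggregate a user's network activity, compare it against a peer group, and focus on what doesn't fit) is the same peer-baseline analysis a security team runs today over flow logs. The script below is an added example, not code from the original post or the investigation it describes. The flow records, user names, host names, and the thresholds (`min_peers`, `factor`) are all constructed assumptions; it flags destinations that no peer contacts and users whose outbound volume is far above the peer median, which is robust to the outlier itself skewing the baseline.

```python
"""Peer-baseline anomaly detection over network flow records (added example).

Each flow record is (user, dest_host, dest_port, bytes_out). The sample data
below is constructed for illustration; the names and thresholds are assumptions.
"""
from collections import defaultdict
from statistics import median

# Constructed sample flow log: three users with near-identical habits and one
# ("dave") who talks to hosts nobody else does and moves far more data.
SAMPLE_FLOWS = [
    ("alice", "mail.corp.example", 993, 4000),
    ("alice", "fileserver.corp.example", 445, 120000),
    ("alice", "www.example.org", 443, 30000),
    ("bob", "mail.corp.example", 993, 3500),
    ("bob", "fileserver.corp.example", 445, 90000),
    ("bob", "www.example.org", 443, 25000),
    ("carol", "mail.corp.example", 993, 4200),
    ("carol", "fileserver.corp.example", 445, 110000),
    ("carol", "www.example.org", 443, 28000),
    ("dave", "mail.corp.example", 993, 3900),
    ("dave", "fileserver.corp.example", 445, 100000),
    ("dave", "voip.example.net", 5060, 2000),
    ("dave", "voip.example.net", 16384, 4_000_000),
    ("dave", "paste.example.net", 443, 900000),
]


def build_profiles(flows):
    """Aggregate flows into a per-user profile: {(dest_host, dest_port): bytes_out}."""
    profiles = defaultdict(lambda: defaultdict(int))
    for user, host, port, nbytes in flows:
        profiles[user][(host, port)] += nbytes
    return {user: dict(dests) for user, dests in profiles.items()}


def rare_destinations(profiles, min_peers=1):
    """For each user, list destinations that fewer than `min_peers` other users contacted.

    Destinations shared across the peer group are treated as normal; ones unique
    to a single user are the 'things that don't fit'.
    """
    users_per_dest = defaultdict(set)
    for user, dests in profiles.items():
        for dest in dests:
            users_per_dest[dest].add(user)
    rare = {}
    for user, dests in profiles.items():
        rare[user] = sorted(
            dest for dest in dests if len(users_per_dest[dest] - {user}) < min_peers
        )
    return rare


def volume_outliers(profiles, factor=5.0):
    """Return users whose total outbound bytes exceed `factor` times their peers' median.

    The median (rather than mean and standard deviation) is used so one heavy
    user does not inflate the baseline they are being compared against.
    """
    totals = {user: sum(dests.values()) for user, dests in profiles.items()}
    flagged = []
    for user, total in totals.items():
        peers = [t for other, t in totals.items() if other != user]
        if peers and total > factor * median(peers):
            flagged.append(user)
    return sorted(flagged)


def profile_report(flows, min_peers=1, factor=5.0):
    """Combine both checks into a per-user findings dict."""
    profiles = build_profiles(flows)
    rare = rare_destinations(profiles, min_peers)
    outliers = volume_outliers(profiles, factor)
    return {
        user: {"rare_destinations": rare[user], "volume_outlier": user in outliers}
        for user in profiles
    }


if __name__ == "__main__":
    for user, findings in profile_report(SAMPLE_FLOWS).items():
        print(user, findings)
```

On real data the same two functions run over exported NetFlow/IPFIX or proxy logs; the interesting output is the short list of destinations and users that fall outside the peer baseline, which is what a reviewer then examines by hand rather than reading every capture.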

One thing I had identified to the client was that the subject was using a type of VoIP software. They asked if it was possible to listen in on the voice conversations. I told them it was, and that I could probably get them a copy of the voice conversations the subject had previously had during the time I was monitoring. I had packet captures, most non-encrypted, so it was just work and time. At the client's request, I extracted the VoIP conversations into wmv files using the date and time of the call as the file name.

At the end of the job, I was having a conversation with the CTO. He was wondering if there was an automated way to keep audio conversations of all the employees. At the time, this technology was not as prevalent, cheap, and available to the general public as it is today. I asked him if he thought that was really appropriate. I explained that I had just listened in on someone's private conversations. Maybe it wasn’t any of the company's business. Maybe there were legalities if they were to do that (yes, I was annoyed). His response was very quick. “The company has a right to view all data, monitor activity that its equipment or network is used for, period”. He told me all the employees know this and sign a document to that effect. I said that made sense. I asked him what he would think if he was in a confidential conversation on the phone with someone in a different province and Bell had listened in on his conversation? I said that I assumed he didn’t have a problem with it, after all it is their network, their devices. Aside from the angry facial expression, he said that was ‘different’ and they shouldn’t be allowed to do that.

Fast forward to now. Everyone has a video camera or picture camera on them as a result of mobile phones. If you are serious about it, you can find all kinds of tiny spy cameras. Rob Spence has implanted a camera in his eye. It amuses me when law enforcement gets all concerned about citizens taking their picture and videotaping them. I guess they feel that they should be able to watch and monitor us, but we shouldn’t be able to watch and monitor them. Of course if they are not doing anything wrong, then they should have nothing to worry about, right? (That statement is an entire topic in and of itself.)

Everyone has reasons why a particular person or group of people should or should not be monitored. It really comes down to the basic premise that we as humans don’t want to be monitored, but we want the ability to monitor others, especially if we deem them a threat. Government wants the ability to covertly monitor its citizens but does not want organizations covertly monitoring it. Police want cameras everywhere so they can monitor what is going on and use it to assist with their job, but they don’t want to be videotaped in case they get caught doing something controversial, such as Robert Dziekanski being killed by officers at Vancouver airport. The video, once released on the Internet, forced police to change their story. Businesses feel they have a right to monitor their employees, but would have concerns if employees were monitoring some of their activities.

Personally, I think it is futile to attempt to stop one group from monitoring another, especially in public places. It will never be successful. Who do you feel should be able to monitor whom? Under what circumstances and conditions is video or audio surveillance appropriate?


DNS forensics and working with service providers

I had the privilege yesterday of speaking to some law enforcement personnel and forensics experts. The topic was DNS forensics, the SSL server_name option, and working with service providers. I enjoyed the opportunity. I really like talking about network forensics, and being surrounded by smart people that are experts in their field. It also allows me to practice my public speaking, which is always good.

The DNS section of the presentation was based on my earlier two posts on DNS analysis, which are here and here. The SSL server_name option was based on my post that is here. I have never really posted about “Working with service providers” yet, but I have been engaged with service providers all over the world consistently for almost 5 years, so I spoke about my experiences and thoughts.

The presentation slides are here.

Device security and encryption

The title of this article doesn’t really do it justice. It is a good article that gives a high-level understanding of the concept of Trusted Booting of a device. Good read for individuals in or working with law enforcement and digital forensics. As this type of technology becomes more and more mainstream, it will become much more difficult to surreptitiously obtain access to or data from devices without the owner's cooperation.

Framing someone by planting evidence

I hope there is more evidence than what is in this story, and I hope this evidence is really compelling. If the man is actually guilty of child pornography related offenses, then I hope he is charged and convicted to the full extent of the law. I was driving into work and heard this story on the news, and it got me thinking about how easy it would be to frame someone with child porn or other incriminating evidence and then just ‘tip’ off the police.

Presently, I am putting the finishing touches on an advanced security course geared toward service providers. Shortly, I will be running this course for a major service provider. In the course we do actual malware deployment and analysis. The malware used is reasonably up-to-date and can be found active on the Internet today. The malware is very easy to use. Much easier than it was even 2 years ago. In some cases the malware uses standard libraries designed to write malware that are available on the Internet. One of the malware samples used for this course includes the ability to write ‘plug-ins’, similar to how you can write a plug-in for a web browser such as Firefox.

I am confident that law enforcement will do a detailed investigation of the suspect's computers in the story above. But I’d argue that today it is possible to get malicious code, pictures or any type of incriminating evidence onto a PC leaving minimal to no trace behind. I’d suggest that this has gotten easier over the years and will probably get easier in the future. I and others have worked with malware that doesn’t ever write to storage, but stays resident in memory. Even if there is evidence left on the suspect system, does law enforcement do a detailed analysis for every complaint? I doubt they have the resources for that. For the sake of argument, let's assume that they do have the resources to do a detailed investigation of every system. Let's also assume that the investigation revealed that the evidence was planted externally and the owner had no knowledge of its existence and is innocent. Unfortunately it isn’t over for the owner when the investigation is concluded. There will be issues that will follow them for the rest of their lives. There will be the embarrassment of being suspected of a criminal act. The record of the arrest, which can make it difficult to travel in the future even if there is no conviction. The looks and suspicions of others, always wondering “Was he really innocent, or did he just get lucky and is really guilty?”

Presentation on anonymous surfing and anonymous emailing

I recently did a presentation on anonymous surfing and anonymous emailing for the High Technology Crime Investigation Association. HTCIA is a community that has goals to encourage, promote, aid and effect the voluntary interchange of data, information, experience, ideas and knowledge about methods, processes, and techniques relating to investigations and security in advanced technologies among its membership. The membership includes law enforcement, government, and the private sector from different countries including Canada and the United States.

One thing I found challenging when creating the presentation was the technical level to target. HTCIA membership includes individuals and groups from many different disciplines. Most members have different levels of knowledge and experience within any given discipline. With that in mind, I tried to create a presentation that would be beneficial to the majority of individuals.

A compressed PPT slideshow of the presentation is here. There is also a PDF that can be found here. I’d recommend the PPT slideshow over the PDF. Animation doesn’t show well in the PDF, and as a result some of the slides are covered over with different layers of the animation.

Why Smart Cops Do Dumb Things

An essay written by Bruce Schneier that I really like. It discusses why we focus on security procedures that are useless and put the investment in security into the wrong things (CYA). I post it here so I have a reference to it for the future.

Police arresting children

Sigh … this makes me sad.

Does anyone think through problems anymore, or just follow procedures?
Do they think arresting a six year old will actually work, and that they will comprehend and understand the impact of what they did?

http://tinyurl.com/25btu7