Framing someone by planting evidence

I hope there is more evidence than what is in this story, and I hope that evidence is really compelling. If the man is actually guilty of child pornography related offenses, then I hope he is charged and convicted to the full extent of the law. I was driving into work and heard this story on the news, and it got me thinking about how easy it would be to frame someone with child porn or other incriminating evidence and then simply ‘tip off’ the police.

Presently, I am putting the finishing touches on an advanced security course geared toward service providers; shortly, I will be running it for a major service provider. In the course we do actual malware deployment and analysis. The malware used is reasonably up-to-date and can be found active on the Internet today, and it is very easy to use, much easier than it was even two years ago. In some cases the malware is built on publicly available libraries written specifically for developing malware. One of the samples used in the course supports ‘plug-ins’, much as you can write a plug-in for a web browser such as Firefox, so new capabilities can be dropped in without touching the core.

I am confident that law enforcement will do a detailed investigation of the suspect’s computers in the story above. But I’d argue that today it is possible to get malicious code, pictures or any other type of incriminating evidence onto a PC while leaving minimal to no trace behind. I’d suggest this has gotten easier over the years and will probably get easier in the future. I and others have worked with malware that never writes to storage but stays resident in memory, so a disk image taken after the fact shows nothing of the tool that did the planting. Even if there is evidence left on the suspect’s system, does law enforcement do a detailed analysis for every complaint? I doubt they have the resources for that. For the sake of argument, let’s assume that they do have the resources to investigate every system in detail. Let’s also assume that the investigation revealed the evidence was planted externally, that the owner had no knowledge of its existence, and that the owner is innocent. Unfortunately it isn’t over for the owner when the investigation is concluded. There will be issues that follow them for the rest of their lives: the embarrassment of being suspected of a criminal act; the record of the arrest, which can make it difficult to travel in the future even if there is no conviction; and the looks and suspicions of others, always wondering “Was he really innocent, or did he just get lucky and is really guilty?”
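One of the checks an examiner would actually run when asked whether a file was planted is a timestamp-consistency sweep. The following is an added example, not code from the original post or from the course it describes. On POSIX filesystems a process can set a file’s modification and access times freely with utime(2), but the inode change time (ctime) is set by the kernel from the current clock whenever the inode is touched, including by utime(2) itself. A freshly planted file whose mtime was backdated to look old therefore shows an mtime far older than its ctime. The sample directory tree, file names and the two-year backdate are constructed here for the demonstration; the seven-day gap threshold is an assumed tuning value.

```python
"""
Flag files whose modification time has been backdated ("timestomped").

Added example, not part of the original post. Heuristic: mtime/atime are
user-settable, ctime is not (short of changing the system clock or editing
the disk directly), so a large ctime - mtime gap on a file that claims to be
old is worth a second look.
"""
import os
import tempfile
import time
from dataclasses import dataclass


@dataclass
class Finding:
    relpath: str
    mtime: float
    ctime: float
    gap_days: float
    whole_second_mtime: bool  # exact .000000000 fractions often mean a tool set the time


def find_timestomped(root, min_gap_seconds=7 * 86400):
    """Walk `root` and return files whose ctime is >= min_gap_seconds newer than mtime."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks, inspect the entry itself
            gap = st.st_ctime - st.st_mtime
            if gap >= min_gap_seconds:
                findings.append(Finding(
                    relpath=os.path.relpath(path, root).replace(os.sep, "/"),
                    mtime=st.st_mtime,
                    ctime=st.st_ctime,
                    gap_days=gap / 86400,
                    whole_second_mtime=(st.st_mtime_ns % 1_000_000_000 == 0),
                ))
    findings.sort(key=lambda f: f.relpath)
    return findings


def build_demo_tree():
    """Constructed sample: two files written now, one of them then backdated by two years."""
    root = tempfile.mkdtemp(prefix="planted-demo-")
    os.makedirs(os.path.join(root, "photos"))
    legit = os.path.join(root, "photos", "holiday.jpg")
    planted = os.path.join(root, "photos", "planted.jpg")
    for p in (legit, planted):
        with open(p, "wb") as fh:
            fh.write(b"\xff\xd8\xff\xe0 constructed sample bytes, not a real image")
    two_years_ago = int(time.time()) - 2 * 365 * 86400
    # What a planting tool does: rewrite mtime/atime to look old. ctime stays "now".
    os.utime(planted, (two_years_ago, two_years_ago))
    return root


def run_demo():
    """Return {relpath: whole_second_mtime} for every flagged file in the demo tree."""
    root = build_demo_tree()
    return {f.relpath: f.whole_second_mtime for f in find_timestomped(root)}


if __name__ == "__main__":
    for f in find_timestomped(build_demo_tree()):
        print(f"{f.relpath}: mtime {time.ctime(f.mtime)}, ctime {time.ctime(f.ctime)}, "
              f"gap {f.gap_days:.0f} days, whole-second mtime={f.whole_second_mtime}")
```

Treat hits as leads, not proof: copying with `cp -p`, extracting an archive, or restoring from backup also produces old mtimes with a fresh ctime, so every flagged file still needs corroboration from other sources (filesystem journal, browser or download history, network logs). Conversely a planting tool that also resets the system clock, or writes to the raw device, leaves ctime looking consistent, which is exactly the point the post makes about how little trace a careful attacker needs to leave.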


  1. Duane A. Webb says

    I’ve wondered about this myself. Any other type of evidence can be planted in any other scenario, but I have yet to find any documentation or case material discussing this. The RCFL actually offers courses that instruct law enforcement how to break into personal computers, so if they’re able to do that, wouldn’t it be just as easy to break in remotely through an ISP, or just install a thumb drive temporarily during the examination of the system? Are you still working on this?

  2. Clear2Go says

    @Duane A. Webb
    Hi Duane. Thanks for your comment. In Canada, at this point in time, law enforcement has to have a warrant in order to break into a personal computer.

    The point I was trying to get across in the post was that nowadays people typically jump to conclusions immediately when suspect data is found. The person is charged, and systems are confiscated for examination. While I understand why this happens, I believe it opens up the possibility, if I were a bad guy, of framing someone by planting evidence on their computer. Even if law enforcement determines that it is not the suspect who is at fault, they still face the ridicule, social stigma, potential loss of employment and stigma around getting new employment, regardless of the outcome.

    Here is one example, and there are others.

  3. says

    I have one for you… imagine a cloned machine, or two, or even more, all pinned on one individual. Imagine an IT shop that employed many senior IT administrators, all with the same level of access, as well as root accounts with the same level of access as all the admins. Well, imagine that this shop, as all do, supports hundreds of builds. Many of the user machines all match (an effort to standardize and ease support). Anyway, one particular user’s machine(s) had been cloned using Ghost, all without the accused knowing, yet he still bears the consequences of someone who did this intentionally.

    Ever hear of that? Someone’s machine(s) being possibly cloned to conceal the identity of the true culprit. This is happening now and is an active case.

    Would love to hear if you had heard of this or believe yourself that it would indeed be very easy to do.

