Smoke and Mirrors: Fabrication and Alteration of Electronic Evidence
By Sharon Nelson and John Simek
Welcome to the Digital Fun House, where we can alter things electronic in amazing ways. As Arthur C. Clarke wrote, "Any sufficiently advanced technology is indistinguishable from magic." But maybe the magic isn't so fun when it affects your case.
Does someone at CBS want Katie Couric to look 20 pounds slimmer in a promotional photo? A wave of his electronic wand makes it so. Does a freelance photographer want his photos of violent explosions in Beirut to have a greater "shock and awe" factor? No sweat, he uses a graphics program to darken and thicken the smoke and presto, change-o, it is so.
In truth, the digital alteration of things can actually be charming. Witness its use in the movie Forrest Gump to make the protagonist a part of history. Absolutely inspired. Then look again—say, at Time magazine's bizarre editorial decision to artificially darken O.J. Simpson's face on its cover. Dispiriting how far we, as a society, have not come.
In another widely known example, someone (presumably not a John Kerry fan) stitched together two separate photos to make a composite allegedly showing Kerry speaking with Jane Fonda at an anti-war rally. Once the original separate photos were revealed in the press, you could see how the composite was a fake. But barring that, one's eyes would likely believe what they saw—and therein lies the great danger of accepting things electronic as real.
How do the pros spot digital alteration? Often they do so by enlarging the image. When viewed at the pixel level, doctored photos don't "fit": the noise, sharpness, lighting and compression artifacts of a pasted region stop at its edge and do not match the surrounding pixels. Rarely does anyone doctor a photo with so much precision that the doctoring can't be seen when enlarged. What is not apparent to the naked eye becomes readily apparent when looking at a photo under the equivalent of a microscope. Today there are also statistical algorithms that flag alterations automatically, for instance by finding regions of an image that are exact copies of one another, the signature of the clone tool.
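One of the simplest of those algorithms is block-matching "copy-move" detection, shown here as an added example that is not part of the original article. The image is a constructed grid of pseudo-random grayscale values standing in for a photograph, the "doctoring" copies one patch over another, and the detector indexes every 8x8 window by its exact pixel content and reports identical windows that sit far apart. A forgery stands out because dozens of matching pairs share a single offset; the block size, minimum shift and image size are assumptions chosen for the demonstration.

```python
from collections import Counter, defaultdict


def make_image(width, height, seed=1):
    """Constructed grayscale 'photograph': deterministic pseudo-random noise
    from a linear congruential generator, so no two windows collide by chance."""
    pixels, state = [], seed
    for _ in range(height):
        row = []
        for _ in range(width):
            state = (1103515245 * state + 12345) & 0x7FFFFFFF
            row.append((state >> 16) & 0xFF)
        pixels.append(row)
    return pixels


def clone_region(img, src, dst, size):
    """The doctoring: copy a size x size patch from src=(x, y) over dst=(x, y)."""
    sx, sy = src
    dx, dy = dst
    patch = [row[sx:sx + size] for row in img[sy:sy + size]]
    for j in range(size):
        img[dy + j][dx:dx + size] = patch[j]


def find_copy_move(img, block=8, min_shift=8):
    """Block-matching copy-move detection: index every block x block window by
    its exact pixel content and return pairs of identical windows that are at
    least min_shift pixels apart (nearby duplicates occur naturally in flat
    areas such as sky or walls, so they are ignored)."""
    height, width = len(img), len(img[0])
    index = defaultdict(list)
    for y in range(height - block + 1):
        for x in range(width - block + 1):
            key = tuple(tuple(row[x:x + block]) for row in img[y:y + block])
            index[key].append((x, y))
    pairs = []
    for positions in index.values():
        for i, (x1, y1) in enumerate(positions):
            for x2, y2 in positions[i + 1:]:
                if max(abs(x1 - x2), abs(y1 - y2)) >= min_shift:
                    pairs.append(((x1, y1), (x2, y2)))
    return pairs


def dominant_shift(pairs):
    """A forgery shows up as many matching pairs sharing one (dx, dy) offset.
    Returns that offset with the number of pairs sharing it, or None."""
    if not pairs:
        return None
    shifts = Counter((x2 - x1, y2 - y1) for (x1, y1), (x2, y2) in pairs)
    return shifts.most_common(1)[0]


if __name__ == "__main__":
    untouched = make_image(64, 64)
    print("untouched image:", len(find_copy_move(untouched)), "suspicious pairs")
    doctored = make_image(64, 64)
    clone_region(doctored, src=(4, 4), dst=(40, 36), size=16)
    pairs = find_copy_move(doctored)
    print("doctored image:", len(pairs), "pairs, dominant shift", dominant_shift(pairs))
```

Real tools work on JPEG files and tolerate recompression and slight rescaling by comparing block features rather than raw pixels, but the principle is the same: a cloned region is mathematically too similar to its source to have occurred naturally.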
But there are other types of electronic alterations—and many, like photo doctoring, have grave uses, as well as criminal implications. The most common one, by a country mile, is e-mail spoofing.
E-mail Spoofing: Who Will You Be Today?
Faking people's identities by using their e-mail addresses occurs all the time. Look at the spam that you receive each day, where messages appear to come from someone you know or from what appear to be otherwise legitimate sources. Viruses and worms are also known to gather e-mail addresses from an infected machine and send messages appearing to come from one of the newly harvested addresses.
Unfortunately, there is nothing you can do to stop someone else from sending an e-mail that appears to come from you. What you can do is publish SPF, DKIM and DMARC records for your domain, so that receiving mail servers can recognize and reject or quarantine messages that falsely claim to come from it. Even if you do succeed in identifying the villains, they are often in foreign countries where the incentive to cooperate with U.S. authorities is nonexistent. Imagine the authors' embarrassment several years ago when pornographic spammers were sending rather risqué e-mail messages, complete with images, using made-up addresses at our domain name. You cannot imagine our relief when they moved on to some other hapless victim.
Although you can't directly stop falsified transmissions, there are means to determine whether the e-mail is authentic or spoofed. First, if you are involved in a case where an e-mail is at issue, do not accept the presentation of the message on paper. Anybody can use a typical word processor to create a document that looks like a printed e-mail. Get the message in electronic form so that you can investigate the headers.
An e-mail header is electronically stored information that shows values such as the message sender, recipient, message ID, routing information (the servers and devices that transmitted the message along its path), priority level and similar information. Ways to view the header information vary depending on the e-mail client that is used. As an example, to view the header data in an open message using Microsoft Outlook 2003, select View and then Options, which brings up a dialog box with the full header in the "Internet headers" box.
How do you read a header, or even understand it? One of the most popular software tools for decoding headers is a product called Sam Spade. Each mail server that handles a message adds its own "Received:" line above the ones already there, so you read the Received: lines from the bottom up: the bottom line records the first hop and the top line the last. Figure 1 (below) shows a sample of a recently received message.
FIGURE 1. EXAMPLE OF AN E-MAIL MESSAGE HEADER
Received: from mail126c25.carrierzone.com ([22.214.171.124]) by ffx3975.senseient.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 18 Dec 2006 15:02:23 -0500
Received: from intern (static-68-236-214-31.nwrk.east.verizon.net [126.96.36.199]) (authenticated bits=0) by mail126c25.carrierzone.com (188.8.131.5260614/8.13.1) with ESMTP id kBIJo28u026412; Mon, 18 Dec 2006 19:50:04 GMT
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-OriginalArrivalTime: 18 Dec 2006 20:02:23.0636 (UTC) FILETIME=[6EDCBD40:01C722DF]
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: Your Nomination for The E-Discovery Special Master and Expert Witness Directory
Date: Mon, 18 Dec 2006 14:50:03 -0500
Thread-Topic: Your Nomination for The E-Discovery Special Master and Expert Witness Directory
From: "Mark Szep" <email@example.com>
To: "Mark Szep" <firstname.lastname@example.org>
Reading the header from the bottom up, stop at the first "Received:" line you reach, which is the lower of the two in Figure 1. In our example, the originating computer announced itself as "intern" and connected from a Verizon address; the reverse-DNS name and the IP address in brackets on that line are what the receiving server itself observed, not what the sender claimed. The "authenticated" notation shows that the sender logged in with a username and password to carrierzone.com's mail server, which then handed the message to our server. That is what a legitimate Outlook user sending through a hosting provider looks like. This first hop is the first point at which to determine whether a message is spoofed. Spammers normally bounce their messages off an open relay or a machine they have compromised; in those cases the transmitting server has no relationship to the domain in the From: line, and no authentication appears. One caveat: a server can vouch only for the Received: line it wrote itself. Everything beneath the line added by your own server arrived as part of the message and can be fabricated along with the rest of it, so give the lines written by your server, and by servers you know, far more weight than the rest. As you can see, decoding headers can get very complicated, but it is absolutely essential in determining a message's authenticity. Is this a do-it-yourself proposition? Probably not, unless you're pretty tech-savvy.
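The bottom-up walk described above, written out as an added example (not code from the article or from Sam Spade). Both messages are constructed, with documentation-range addresses and made-up domains: LEGIT follows the Figure 1 pattern (an Outlook user logs in to a hosting provider's server, which hands the message to the firm's server), and SPOOFED carries the same From: line but entered the world from a stranger's address through an open relay with no login anywhere. The parser reverses the Received: lines so the first hop comes first, pulls the IP the receiving server actually observed from the bracketed comment, and notes the "authenticated" token; the trusted-domain argument is the domain of your own mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (documentation IP ranges, invented domains).
LEGIT = """\
Received: from mail.example-host.net ([198.51.100.7])
\tby mx1.example-law.net with ESMTP; Mon, 18 Dec 2006 15:02:23 -0500
Received: from intern (pool-68-1-2-3.example-isp.net [198.51.100.200])
\t(authenticated bits=0) by mail.example-host.net (8.13.5/8.13.1)
\twith ESMTP id kBIJo28u026412; Mon, 18 Dec 2006 19:50:04 GMT
From: "Jane Partner" <jane@example-law.net>
To: "Client" <client@example-law.net>
Subject: (constructed) settlement instructions
Date: Mon, 18 Dec 2006 14:50:03 -0500

Please wire the funds today.
"""

SPOOFED = """\
Received: from relay.open-mail.example.org (unknown [203.0.113.45])
\tby mx1.example-law.net with ESMTP id kBIJo28u026413;
\tMon, 18 Dec 2006 15:02:20 -0500
Received: from [192.0.2.9] by relay.open-mail.example.org with SMTP;
\tMon, 18 Dec 2006 14:50:04 -0500
From: "Jane Partner" <jane@example-law.net>
To: "Client" <client@example-law.net>
Subject: (constructed) settlement instructions
Date: Mon, 18 Dec 2006 14:50:03 -0500

Please wire the funds today.
"""

# One Received: line, whitespace already flattened.
_RECEIVED = re.compile(
    r"from\s+(?P<host>\S+)"            # name the sending machine announced
    r"(?:\s+\((?P<comment>[^)]*)\))?"  # optional (reverse-DNS [ip]) the server saw
    r".*?\bby\s+(?P<by>\S+)",          # server that wrote this line
    re.I,
)
_IP = re.compile(r"\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?")


def parse_hops(raw_message):
    """Return the Received: chain oldest hop first, i.e. read bottom-up."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold the header
        m = _RECEIVED.search(flat)
        if not m:
            continue
        # Prefer the bracketed IP the receiving server observed over the
        # name the client announced, which the client can make up.
        ip = _IP.search(m.group("comment") or m.group("host"))
        hops.append({
            "from": m.group("host"),
            "ip": ip.group("ip") if ip else None,
            "by": m.group("by").rstrip(";"),
            "authenticated": "authenticated" in flat.lower(),
        })
    return hops


def assess(raw_message, trusted_suffix):
    """Findings about the first hop. trusted_suffix is the domain of the
    server whose Received: line you can trust (normally your own)."""
    hops = parse_hops(raw_message)
    if not hops:
        return ["no Received: headers: treat as untrustworthy"]
    from_addr = parseaddr(message_from_string(raw_message).get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    origin, findings = hops[0], []
    # Lines below the one written by your own server can be fabricated.
    if not any(h["by"].lower().endswith(trusted_suffix) for h in hops):
        findings.append("no hop was recorded by %s; chain may be forged" % trusted_suffix)
    if not origin["authenticated"]:
        findings.append("origin %s (%s) handed the message to %s without logging in"
                        % (origin["from"], origin["ip"], origin["by"]))
    if from_domain and not origin["by"].lower().endswith(from_domain):
        findings.append("From: claims %s but first server was %s (a hosting "
                        "provider is possible; verify)" % (from_domain, origin["by"]))
    return findings


if __name__ == "__main__":
    for label, raw in (("LEGIT", LEGIT), ("SPOOFED", SPOOFED)):
        print(label, parse_hops(raw)[0], assess(raw, "example-law.net"))
```

Note that the legitimate message still draws one finding, because the first server (the hosting provider) is not in the From: domain, exactly as carrierzone.com is not senseient.com in Figure 1. That is why the authentication token and the reverse-DNS name matter: the domain mismatch is a lead, not a verdict.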
In the typical case we see, angry ex-spouses or significant others spoof the e-mail of their former loved one to "prove" that the ex wrote hateful or threatening messages to them. We've even seen an angry supervisor pretend to be his own employee writing threatening e-mails to the supervisor for the purpose of laying the groundwork for that employee's firing. It's a wacky world out there.
Phishing: Fabrication That Pays Handsomely
We've all received those fraudulent e-mails that purport to be from our bank or credit card company, asking us to kindly verify our financial information. The poor saps who are taken in click on "their bank's" link, only to find themselves in a clever imitation of their bank's site, where they obligingly fill out the requested financial data form and thereby ensure their real bank account will soon be substantially lightened.
The number of new phishing sites has spiked dramatically, from 4,367 in October 2005 to 37,444 in October 2006, according to the Anti-Phishing Working Group. Just as bad, the phishers have been honing their tactics. Gone are the days when the e-mail was clearly written by someone for whom English was a distant second language. Gone, too, are the clumsy attempts to replicate graphics. Now phishing e-mails are so clever that even the experts sometimes have trouble discerning the fakes.
The best of these bogus sites are a real tribute to the ingenuity of the criminal mind—and a continual thorn in law enforcement's side because the sites are shifted from server to server in a matter of days, making these operations nearly impossible to track and shut down.
Metadata: Who's Really Behind the Curtain?
More and more lawyers are becoming familiar with metadata, especially as it relates to word-processor documents and spreadsheets. Generally, metadata refers to "data about data," which isn't a very helpful definition. When referring to a Word document, metadata would be information such as the author's name, date last printed, date of file creation, number of words, tracked changes and the like.
So how do you tell if an electronically produced document is authentic or falsified? Viewing its metadata can determine if there's cause for suspicion. Let's say you receive a Word document that's a contract supposedly drafted by the president of a client company. However, when you look at the metadata, it reveals that the author is a competitor and, further, that the document was created several years earlier. Your radar should light up like a Christmas tree.
The simplest way to view the document's metadata is to go to File and then Properties. This method doesn't show all the available metadata, but it's enough for many purposes. Another alternative is to use a product—such as Metadata Assistant, Workshare Protect or iScrub—that allows you to remove metadata but also shows you metadata in documents you receive from other parties.
We've had many a case where metadata was important, but here's one in particular that lawyers should heed. An attorney up on disciplinary charges for mishandling a case suddenly produced a letter to his client, which stated that, on her instructions, he would do nothing further in the case. The problem? The metadata proved conclusively that the letter had been created after the disciplinary proceedings had been filed. This brings to mind the old adage about jumping out of the frying pan into the fire.
The attorney's license was suspended, to no one's surprise.
Windows Metadata: Toying with the Fourth Dimension
There is also metadata for the operating system. We'll address Microsoft Windows here, since it is the most widely used operating system.
Windows metadata is the information a user can observe by right-clicking a file in Windows Explorer and selecting Properties. The most commonly cited values are the MAC (modified, accessed, created) dates. These times and dates can be used to identify when files were created or changed, and sometimes when they were last accessed. They can also be used to reconstruct Internet activity on a computer, since the browser's cache and history files carry the same dates, which may have great significance when, for example, dealing with child-custody cases and determining the fitness of a parent, particularly where there are allegations of pornography addiction or searching for child pornography. Treat the access date as the weakest of the three: Windows XP updates it at most once an hour, and Windows Vista and later turn last-access updates off by default, so check the setting before relying on it.
Be aware that authentication of the MAC values assumes that the computer's clock was accurate at the time the files were created or accessed. This can be problematic because a computer's clock is so easy to change. Before you get paranoid about the file dates on your client's computer, however, note that clock manipulation is not normally seen in the "real world" and those who attempt it usually get caught.
There are several ways to determine if an intentional clock change has occurred. The simplest is to look at the system logs using the Event Viewer function in Windows. You can do this in two steps:
1. Go to the Administrative Tools group to access the Event Viewer.
2. When the Event Viewer is opened, observe the entries in the System and Application logs.
Entries in these logs are written in sequence, and Event Viewer shows the newest entry first, so the dates and times should decrease consistently as you read down the list (or increase, if you sort oldest first). If the computer clock has been set back or forward, there will be an obvious gap or jump in the dates that is not explained by a shutdown and restart. Later versions of Windows also write an explicit "The system time was changed" entry to the Security log (Event ID 4616; on Windows XP and 2003 it was Event ID 520, recorded only when auditing of system events was turned on), complete with the old and new times. There are other methods to determine clock manipulation, but those are best left to forensic technologists. The good news is that the Windows MAC values are typically what they purport to be.
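The gap-and-jump check from the two steps above, applied to log lines in code, as an added example that is not from the article. The input is a constructed excerpt of a System log exported oldest-first as tab-separated fields (date and time, source, event ID, message; the real Event Viewer export carries more columns and, if you export newest-first, reverse the list before calling the checker). Event IDs 6005 and 6009 mark the event-log service starting at boot and 6006 a clean shutdown, so a long forward gap that ends at a boot entry is just a machine that was switched off, while a backward step or an unexplained forward leap is a clock change. The 12-hour threshold and the sample's dates are assumptions; the explicit time-change event IDs are Windows' own.

```python
from datetime import datetime, timedelta

# Constructed System log excerpt, oldest entry first, in the order written.
SAMPLE_LOG = """\
2006-12-18 09:00:12\teventlog\t6005\tThe Event log service was started.
2006-12-18 09:00:12\teventlog\t6009\tMicrosoft (R) Windows (R) 5.01. 2600 Service Pack 2.
2006-12-18 09:31:45\tService Control Manager\t7036\tThe Print Spooler service entered the running state.
2006-12-18 10:15:02\tService Control Manager\t7036\tThe Task Scheduler service entered the running state.
2006-03-04 14:02:10\tService Control Manager\t7036\tThe Windows Image Acquisition service entered the running state.
2006-03-04 14:20:33\tService Control Manager\t7036\tThe Windows Image Acquisition service entered the stopped state.
2006-12-18 11:05:47\tService Control Manager\t7036\tThe Removable Storage service entered the running state.
2006-12-18 17:40:09\teventlog\t6006\tThe Event log service was stopped.
2006-12-19 08:58:30\teventlog\t6005\tThe Event log service was started.
"""

BOOT_EVENTS = {6005, 6009}
# (source, event id) pairs Windows itself writes when the clock is set.
TIME_CHANGE_EVENTS = {
    ("Security", 520),                               # XP / 2003, auditing on
    ("Microsoft-Windows-Security-Auditing", 4616),   # Vista and later
    ("Microsoft-Windows-Kernel-General", 1),         # kernel time change
}


def parse_log(text):
    """Tab-separated export: 'YYYY-MM-DD HH:MM:SS<TAB>source<TAB>id<TAB>message'."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, source, event_id, message = line.split("\t", 3)
        entries.append({
            "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "source": source,
            "id": int(event_id),
            "message": message,
        })
    return entries


def find_clock_anomalies(entries, max_forward_gap=timedelta(hours=12)):
    """Walk the log in written order and report anything that contradicts a
    steadily running clock: explicit time-change events, a timestamp earlier
    than its predecessor, or a forward leap not explained by a reboot."""
    findings, prev = [], None
    for n, entry in enumerate(entries, 1):
        if (entry["source"], entry["id"]) in TIME_CHANGE_EVENTS:
            findings.append("entry %d: explicit time-change event %s/%d at %s"
                            % (n, entry["source"], entry["id"], entry["time"]))
        if prev is not None:
            delta = entry["time"] - prev["time"]
            if delta < timedelta(0):
                findings.append("entry %d: clock went BACK %s (%s to %s)"
                                % (n, -delta, prev["time"], entry["time"]))
            elif delta > max_forward_gap and entry["id"] not in BOOT_EVENTS:
                findings.append("entry %d: clock jumped FORWARD %s with no reboot (%s to %s)"
                                % (n, delta, prev["time"], entry["time"]))
        prev = entry
    return findings


if __name__ == "__main__":
    for finding in find_clock_anomalies(parse_log(SAMPLE_LOG)):
        print(finding)
```

In the sample the clock is set back nine months between entries 4 and 5, two entries are written under the false date, and the clock is restored before entry 7; the overnight gap before entry 9 is ignored because it ends at a boot event. Exactly this back-dating pattern is what gives the clock-changer in the next paragraph away.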
We've rarely seen clock manipulation, but there was a case in which a computer-savvy wife planted child pornography on her husband's computer, changing the clock so the created dates would indicate only times when he was home and she was not. She got caught. She obviously hadn't read our preceding paragraphs.
Law Enforcement's Black Eye
Lastly, despite a concerted effort by law enforcement to teach first responders how to properly seize electronic evidence, we still see instances where the last access dates of files have been altered by officers looking at the evidence post-seizure. It appears to be particularly alluring to "take a peek" at anything involving sex, but trampling on the evidence in their eagerness to see what they have provides (for the ardent defense counsel) a happy result in which proper forensic procedures were not followed and the defendant's dates of last access are now unknown.There are hundreds of other examples of digital alteration—and stay tuned, because they are appearing more and more often in the courts. The good news is that the ability to detect such alterations has gotten better and better. Also, most people who try to alter evidence aren't the brightest bulbs in the chandelier and are easy to catch. The bad news is that there is a cadre of unprincipled criminals who remain doggone good at evidence alteration and they're often a step ahead of the good guys.