I had to perform the same investigation recently on two students. A lecturer had accused these students of submitting an identical assignment; of course both students claimed the other had plagiarised their work. I asked both students to present their home computers that were allegedly used to write the MS Word document. I had hoped to discover the relevant document GUID on one computer and use this as evidence in interrogating the other student. Police investigators and interrogators often use this technique to produce a confession. By presenting some tangible evidence I had hoped to debunk the fraudulent party. (Note: "tangible" evidence is often more implied than actual.) Unfortunately, in both cases, it was shown that copies of Microsoft Word had been pirated from university computers. Both students were immediately expelled and the forensics investigation was changed to software piracy, fraud and plagiarism charges. I would have felt sorry for at least one of the students, but I suspect that they actually wrote the document in collusion. They were also probably friends until someone accused them of plagiarism.

Prior to this incident I was asked to investigate claims of "hackers" remotely controlling a university staff member's computer and altering MS Word documents. This accusation, coincidentally, came from a staff member (probably her lawyer) who was being investigated on fraud charges. The suspect reported someone "controlling her mouse and typing over her documents". I immediately thought a "SubSeven" or "Back Orifice" type Trojan could be the culprit if this claim was substantive. The suspect presented many versions of documents (with various time stamps and content changes). These documents would otherwise have been used in evidence against her. It was impossible to say one way or the other if these changes were done by her or a third party. They were all modified during working hours, saved from her computer and stored on her c:\ drive.
Tape backups were not available because the suspect didn't know about the "mysterious network drive mappings" used for network backups. Upon further investigation it was discovered that her computer was running Windows 98, without a password screen saver activated. Virus software was installed, but the automatic update service had expired over a year ago. No "known" Trojan was discovered currently installed on the system, nor was any virus found (much to my amazement). I had to try to establish the credibility of the suspect by using tangible evidence. I installed a host-based intrusion detection program, BlackICE Defender, and checked Snort logs on her subnet for any "known" Trojan activity in the past 6 months. This of course did not prove that a Trojan had never been used to change the MS Word documents, but it did give me a reasonable argument that the alleged compromise was unlikely to have occurred. When presenting this argument to the suspect, after explaining what Snort and BlackICE Defender do, I suggested that the probability of a hacker compromising her computer was unlikely. To this she immediately broke into tears and agreed that an intrusion was "extremely unlikely". Her lawyer quickly revoked the "hacker" argument/ploy too.

What I am trying to relate to security professionals reading this is that when collecting digital forensic evidence you do not necessarily have to find the smoking gun to assist in a conviction. Work closely with the investigating police and offer them arguments that suspects will prove difficult to negate. This will often lead a guilty suspect into providing additional leads or even a confession. A guilty suspect will often try to justify their actions, or invent other lies to bolster their argument. The innocent suspect will usually either assist you in proving their innocence, or persist in being "outraged at the accusations" and insist, unrelentingly, on their innocence.
If you have digital forensic evidence to support your accusations, that may not provide a conviction alone, you can put this to good use when determining the probable suspect. Your evidence, a single MS Word document, is only the tip of the iceberg if you look closely enough.

Paul Nevin

-----Original Message-----
From: Bruce P. Burrell [mailto:bpbat_private]
Sent: Saturday, 22 September 2001 5:16 PM
To: forensicsat_private
Subject: Re: Forensics on Word Documents

In Forensics Digest 20 Issue 53, Nicole Haywood <N.Haywoodat_private> writes:

[snip]

> For those that are interested I am investigating a case of academic
> misconduct. Basically two students handed in the same assignment, and
> one is claiming the other student stole it, so I was trying to work
> out if there was any evidence in the word document itself which might
> indicate which student is telling the truth.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Sep 23 2001 - 09:46:10 PDT