DFIR Training Blog



Computer owner as victim or suspect?

We make decisions in every aspect and at every step of a forensic analysis. When we find something important, such as a user-created file, we have decisions to make as to what to do next. We follow the clues in order to determine what happened on the machine.

“What ‘bad’ things happened?”
“When did the bad things happen?”
“How did the bad things happen?”
“Who did the bad things?”

For the most part, we had it easier back in the early days of forensics. If evidence was found on the hard drive, then it was the person who possessed the computer that was the suspect. At a certain point in time, physical control of a computer no longer necessarily meant that the possessor of the computer was the suspect. Remote access via any number of methods (pick your method of installing malware) meant that not only do you need to know how to find the evidence, but you also have to find a suspect who potentially may not be the owner of the computer. At the very least, you need to ensure that the owner of the computer is not the suspect if that is the case.

As simplistic as this sounds, it is not. 

Without getting into the pitfalls of investigative work (including forensic analysis), one of the best methods to avoid falling into a rabbit hole is to keep asking yourself questions as you find evidence in data. Finding a LNK file of importance may be critical in a case, but for all the wrong reasons. Perhaps the LNK file shows that a user physically clicked to view a ‘bad’ website, which might imply intention and knowledge. Or perhaps the LNK was an attack vector, which caused the computer to be compromised and controlled by someone else. In one scenario, the computer owner is the suspect, but in the other, the computer owner is the victim. The consequences for getting this wrong will be devastating for you and the victim.

This is the crux of any investigation.  Catch the right person.  Don’t pursue the innocent person.

Identifying the crime is step 1. Finding evidence is step 2. Finding the right person is step 3. There is a huge and varied range between #2 and #3. Sometimes it is easy and sometimes it is not. When it is really difficult, the worst result is not failing to find the bad guy but believing the victim to be the bad guy. As an example, finding evidence on a computer of an act that was committed by a remote malicious actor, but blaming it on the computer owner, is worse than not being able to identify the suspect at all. This can happen in any type of case, but in computer crime this mistake can be so much easier to make.

The point.

As you dig your way through data and find tidbits of clues and evidence, you have to figure it out.  

  • Is the computer owner a suspect or a victim?
  • Is the computer itself the suspect (e.g., did the OS or other software naturally manipulate time stamps?)
  • What happened on the computer?
  • How did it happen?
  • Who made it happen?
  • Why did it happen? (Important, but not necessary to know the ‘why’)

Don’t assume. If you plant a seed in your head at any point in an analysis, it will grow. Pigeon-holing your theory during an analysis will result in your assumptions being your end result regardless of what may have really happened on the computer. You will see facts as fitting preconceived beliefs rather than letting the facts show you the truth. You have decisions to make when following the evidence, so base the decisions on what you actually see as evidence. In order to make good decisions, you have to do a thorough job, and keep questioning the evidence you see and the manner in which you see it. You want to get cases right. You have to get cases right.

Written by: Brett Shavers
