Law enforcement fabricating evidence is probably a much bigger issue. No matter how well you verify the accurarcy of your own evidence, if the system is corrupt, then it doesnt matter. Digital media is only one small part of that problem. Server logs, message logs, existence of files on your confiscated devices, call logs, etc. can all be fabricated by police. Fabricating images is just a cherry on top.
Cops can just raid your house, confiscate your drives, carefully plant CP on them and claim that you were in posession of CP. Im pretty sure this has happened before.
Cops can just raid your house, confiscate your drives, carefully plant CP on them and claim that you were in posession of CP. Im pretty sure this has happened before.
See, this is why I hate the typical social media (yes, including reddit and lemmy) bandwagon of always sideing against the accused for any sex-related charges. Like… c’mon, it hasn’t even been proven in court. If they “find CSAM” or has a random person making SA claims against a democratic socialist candidate running for high office, I’m gonna be very skeptical of the claims. Could’ve been falsified to derail a campaign.
yes, and when a forensic expert does their check on the system and see a file existing that the audit log says was never written by windows how can prosecution say it was on the drive when they cloned it?
In our made up scenario here I have a couple of thoughts. First, they make an entry in the log since they can write to the drive. Or find out the retention period of the logs, and date the file before any existing log entries and then just state that it has been on there long enough for the logs to roll off. My point is that you cannot trust these logs when a drive can be written to externally. Another option, remove the logs, install them on a windows machine not connected to any network. Change the date/time to something you want, boot windows and drop the file on the machine, making a log entry. Maybe resort the logs, or just copy the log entry back over to the original machine. There are plenty of ways these logs could be faked or modified. When someone has physical access, all bets are off and everything becomes suspect.
Btw, 20 years ago I had to testify in court as a photographer that the images I had, that were introduced as evidence to the court, were the originals and that is what I saw through my viewfinder. So none of this is new, and courts have always needed to have provenance.
A. That would require the courts to be capable of having actual technical understanding which they absolutely do not if you look at the kind of rulings there have been for IT related stuff in the recent past.
B. Of course you can fake any kind of log in undetectable ways. Police has all sorts of deals with zero day software vendors these days. So even if it were so magically foolproof (which it isnt, nothing is) then you can never be sure.
C. Doesnt need to be “found” on a windows computer, they can just put it on a random USB drive and that would most likely hold up in court.
Which are then ignored usually. If courts actually listened to experts we wouldnt have climate change, governments spying on their citizens, countries supporting israels genocide, big tech privacy violations, etc.
Law enforcement fabricating evidence is probably a much bigger issue. No matter how well you verify the accurarcy of your own evidence, if the system is corrupt, then it doesnt matter. Digital media is only one small part of that problem. Server logs, message logs, existence of files on your confiscated devices, call logs, etc. can all be fabricated by police. Fabricating images is just a cherry on top.
Cops can just raid your house, confiscate your drives, carefully plant CP on them and claim that you were in posession of CP. Im pretty sure this has happened before.
See, this is why I hate the typical social media (yes, including reddit and lemmy) bandwagon of always sideing against the accused for any sex-related charges. Like… c’mon, it hasn’t even been proven in court. If they “find CSAM” or has a random person making SA claims against a democratic socialist candidate running for high office, I’m gonna be very skeptical of the claims. Could’ve been falsified to derail a campaign.
You know there are Windows audit logs that can show tampering like adding files after the equipment has been confiscated.
And before you say well they can edit/remove the logs, it tracks that stuff too.
You know I can read and write to a “Windows” machine without ever booting up Windows? It can’t track anything if it hasn’t been booted.
yes, and when a forensic expert does their check on the system and see a file existing that the audit log says was never written by windows how can prosecution say it was on the drive when they cloned it?
In our made up scenario here I have a couple of thoughts. First, they make an entry in the log since they can write to the drive. Or find out the retention period of the logs, and date the file before any existing log entries and then just state that it has been on there long enough for the logs to roll off. My point is that you cannot trust these logs when a drive can be written to externally. Another option, remove the logs, install them on a windows machine not connected to any network. Change the date/time to something you want, boot windows and drop the file on the machine, making a log entry. Maybe resort the logs, or just copy the log entry back over to the original machine. There are plenty of ways these logs could be faked or modified. When someone has physical access, all bets are off and everything becomes suspect.
Btw, 20 years ago I had to testify in court as a photographer that the images I had, that were introduced as evidence to the court, were the originals and that is what I saw through my viewfinder. So none of this is new, and courts have always needed to have provenance.
A. That would require the courts to be capable of having actual technical understanding which they absolutely do not if you look at the kind of rulings there have been for IT related stuff in the recent past.
B. Of course you can fake any kind of log in undetectable ways. Police has all sorts of deals with zero day software vendors these days. So even if it were so magically foolproof (which it isnt, nothing is) then you can never be sure.
C. Doesnt need to be “found” on a windows computer, they can just put it on a random USB drive and that would most likely hold up in court.
Why would the courts need to understand? That is why technical experts are called to support evidence
Which are then ignored usually. If courts actually listened to experts we wouldnt have climate change, governments spying on their citizens, countries supporting israels genocide, big tech privacy violations, etc.
But courts don’t call on experts in these cases, they are called by the prosecution or defence to support or pick away evidence.