Worried about Digital Evidence Tampering?

2marcus writes "As digital technology continues to improve and is used in more and more applications, the ease of tampering with digital files becomes more pertinent. This is especially important in the field of criminal justice, where even the appearance of possible impropriety can sway a jury. CNN has an article on the issues with digital photos being used for fingerprints and other forensics evidence."

Only solution

[Anonymous Coward]

make digital evidence inadmissable. Photoshopping/gimping/email fraud/video editing is becoming too easy and too difficult to trace.

This shouldn't change anything

[Anonymous Coward]

There has always been the possibility that the evidence could have been tampered with before. Since it is digital this only makes it slightly easier to do. It shouldn't matter however because it is always based on the honesty of the law enforcement official to do what is right.

Chain of custody

[LostCluster]

Any form of physical evidence can be tampered with. That's why the chain of custody is such an important concept. Everybody who had control of that evidence from the point it was discovered to the courtroom needs to testify that they didn't nothing funny, and they saw to it that nobody else did anything funny. That makes tampered evidence just as bad as any other lie to the court, somebody's on the hook for perjury.

DIGITAL evidence ?

[cwernli]

Heck, where I come from not even regular (=non-digital) photos et al. are admitted as evidence in court - because they are too easily tampered with.

Basically only human intel is admitted as evidence (witnesses) - if you want to admit other evidence (such as footprints etc.) you show photos (as an illustration, not as the proof) of course, but _always_ backed up by witnesses (fellow officers, forensics guy) who could be called to testify under oath.

Tamper vs Analyse

[nuggz]

Yes, but then the question of "what is tampering".

There are actually cases of people photoshopping fingerprints to "bring them out".

Is that evidence tampering?
What if they just use a large burn/dodge tool? what if they just use a small one?

Where is the line?

Fear of false tampering claims

[astrashe]

If tampering is possible, even if it's unlikely, there will always be an out for people who don't want to believe evidence.

In practice, the rejection of valid evidence will probably be a bigger problem than the creation of invalid evidence.

Re:Chain of custody

[swoebser]

What if the chain of custody is interrupted by a cracker who messes with the fingerprints (or any other images) just for fun? Any evidence stored on a computer on the net is succeptible to this kind of tampering. It would be much easier to crack into a police computer than to break into the police station and mess with things.

Seems kinda funny

[onyxruby]

Seems kinda funny, the more you know about technology, the less trusting of it you are. Seems a bit like long time cops that remain paranoid for years after leaving the job. Witness electronic voting regularly get scoured here, as do other forms of tech that are supposed to be accepted as "unquestionable".

It's only a matter of time

[DRUNK_BEAR]

Currently, digital imaging may be considered a "new technology". It is obviously not known as well as traditional photography and it is a good thing that people question themselves as to regard the possible issues of such technology, especially if this technology is used in cases where it could make a difference between a guilty verdict and a non-guilty.

At first, photography wasn't accepted right away, and it shouldn't have been. I mean, if I were to persuade you in trying my new revolutionary kind of car, which could put your life at risk, wouldn't you want to have enough details about the risks involved before making the decision of buying the vehicule? I sure would.

partial answers to issues raisedin articles

[mrhandstand]

changelogs

modify ONLY copies

originals all go onto read-only media

checksum religiously

WRITE GOOD POLICY for maintaining digital evidence...and post it before you start using digital media. Review it once a year, or more often to revise for unforeseen issues. Educate your detectives, and your Asst. DA's.

Rinse, later, repeat.

Market opportunity...

[BigBadBri]

I see an opportunity of an enterprising digital camera manufacturer here - Sony already do a DV camera that records to DVD - adding some tagging information (GPS coordinates + date/time + operators security code) to each image should be feasible, and given that one PD was saving $6000 per month in Polaroid costs, I'd have thought that even at $10K per throw, a high quality camera could be produced that would provide adequate traceability of the images taken.

Precedent Set by Common Sense?

[l0ungeb0y]

I think anyone who knows ANYTHING about computers would tell you that there is no guarantee of security or stability.

Lawmakers should take this into account and require the prosecution or plaintiff show beyond a reasonable doubt that the data can in fact be reasonably trusted and has not been handled by an untrusted or malicious party.

Overall, this question raises a lot of issues. But I feel the courts need to decide on a set of guidelines that can be used to assure the jury and the defense that the evidence presented to support accusations can in fact be trusted.
Because who's to say an overzaelous prosecuter didn't hire someone to "put" something on the suspect HD?

But even then the courts might have a hard time ahead. Already we've seen cases that raise this question in which there can be no "safe-guard" and in fact the defense relies upon the exploitablity of software. This was demonstrated in the kiddie porn trial in the UK in which the defendant got aquitted because his lawyers successfully argued that a virus planted the porn on his PC.

Ulitmately, it is double-sided issues such as this that are leading us down the path of Microsofts Secure Computing initiative. But that is a mission that is doomed from the start... history shows us that no matter how secure they make it, some one will break it.

Re:Only solution

[metallicagoaltender]

Uhhhhh...you just made it next to impossible to prosecute a lot of crimes. Take kiddie porn for example - you're saying that a hard drive full of kiddie porn images shouldn't be admissable?

Please clarify your point, because you either didn't think your comment through, or meant something entirely different than what you wrote.

Re:Seems kinda funny

[rewt66]

No, it's because as you learn more about the technology, you learn that it isn't perfect. And this is a good thing.

We need people who will look at the computers output and say, "That can't be right. I don't care if it came from the computer, it can't be right!" Like especially the doctor who is just about to remove a cancerous lymph node, and the computer is telling him/her to amputate your leg.

Also, "ownership" of events

[angst_ridden_hipster]

We've already seen a few kiddie-porn cases in Great Britain thrown out because the machines had been compromised, thus making it impossible to conclusively prove that the individual arrested was responsible for the crime.

But this points up a scary possibility, one which has already been hinted at in various places, which is that there's no robust trace of events. Once there's a backdoor in your system, there are a lot of things that can happen:

- secrets can be observed.
- "evidence" can be planted.
- activities can be spoofed.

Say you live under a repressive government, and somehow offend someone with 'l33t h@x0r skillz. You may find, for example, that you published a series of articles critical of the leadership. Yup, it came from your personalized copy of Word, and was sent from your IP address. If they've planted a keylogger, it could even be digitally signed with your PGP key. In a less oppressive environment, you might discover that you just mailed a collection of kiddie porn to the FBI.

Now the person screwing you could be some vicious script kiddie, but there's also the potential for abuse in the political world. Like the case in Malaysia, where an opposition leader was tarred with a faked sex scandal, political operatives can be neutralized by opponents through these means (please don't let Karl Rove read this posting!).

Scary stuff...

Re:Only solution

[gcaseye6677]

With our society relying on more digitized information all the time, it is not practical to make it all inadmissable as evidence. There's no way in the world that you could prosecute computer crime or for that matter almost any fraud without digital evidence. As for the photo example, non digital photos can be doctored as well. For example, you could doctor a photo digitally, recapture the picture with film and develop the non-digital photo of the digitally altered image. If its done well, it would be very hard to detect. Bottom line is, we need better evidence authentication, not exclusion of all digital evidence.

Re:DRM?

[onyxruby]

Actually, I found and read the article before slashdot posted a link to it. I also happen to know how tempting it could be for a lab tech to be told that the bad guy of the month could get off, and by the way just how clear can you make that photo with photoshop? It's ok to enhance a photo to give the cops a pointer on what direction to go in a case, as long as the enhanced photo isn't used for evidence. If you read the article you'll see they were talking specificly about enhancing photos that were to be used as evidence in trials. You did read the article, right?

Someone who is highly skilled in photoshop can easily manipulate an image well enough that even people in the image can't quite tell what if anything is different. This is quite common with photos used for magazine covers, advertising and the like.

Your Honor, the prosecution submits...

[The I Shing]

Your Honor, the prosecution submits to the court Exhibit B, a photograph of the shark in question attacking a man dangling from the helicopter.

And here is Exhibit C, film footage where President Kennedy can clearly be seen saying "Congratulations, how does it feel to be an All-American?" to Forrest Gump.

Re:DRM?

[Apreche]

It seems like it except for one thing. This isn't a digital rights management issue. While the technologies may be similar they are not for the same purpose. DRM is used to make sure that people who do not have a right to a piece of data are unable to access it. This is an issue of information assurance. You want to assure that the image originally taken by the digital camera is the same one that you are looking at in the courtroom. One possible way to do this is to apply DRM to the image, but that isn't necessarily a perfect solution. Someone who has the right to alter the image just might do it. If nobody has the right, what happens when somebody needs to enlarge it or change the color or something?

Re:Nothing new here. Move along.

[Ungrounded Lightning]

Every time science comes up with a new form of evidence (or even a new way of analysing old techniques), someone gets convicted because of a persuasive argument which blinds the jury with science.

It's happened with DNA, fingerprints, computer cracking.... Hopefully the technology is eventually ironed out such that this stops happening.]

Meantime, this is cold comfort to victims of such miscarriages of justice, or their families.

But it's two edged:

DNA evidence is now being used to clear people who have spent decades in prison for crimes they didn't commit.

At least if you have the death penalty the vctim of the miscarriage of justice (eventually) isn't in too much of a position to care.

And it puts them beyond reach of ANY correction, when technology advances to the point where it can discover and prove their innocence, winning them release (and millions in restitution for the false imprisonment).

See The Innocence Project for more.

I, at least, am totally opposed to the death penalty. Not because the crooks don't deserve it - most of 'em do. But because it's administered by a government, with at least the usual levels of incompetence, corruption, and misuse for oppression of any government project.

Mandatory life without parole has the advantage that you CAN bring somebody back if it turns out they were innocent. It's really hard to do that once they're dead. Also: It's cheaper, since you don't get as many appeals. And you don't get so many innocents plea-barganing themselves into long jail terms rather than risk death for a crime they didn't commit but can't prove it.

Re:Only solution

[Mysticalfruit]

Possibly, here's one expensive solution. Some solid state memory card company should start making write once memory that would work in a digital camera. Along with the image would be an md5 sum.

Then the images could be copied to cdrom along with the md5 sums. If the defense feels that the images have been tampered with, they can always be verified against the md5sum and then if so, the archived memory card.

Re:Digital sound evicence

[djh101010]

If you think digital photos are easily tampered with, think about how easy it is to tamper with a WAV file. "I did not do it," can become "I did do it" with the flip of wrist.

And yet, with a simple md5 checksum or any other of dozens of other techniques, such a change is impossible to make undetectable. The chain of evidence would need to show that at time of recording the md5 checksum of the file was 258c2891488526d239077559ae4fabab, and that the md5 checksum of the current file is still the same. Show the chain is intact, you've got that part of it covered. Get some mathematician to explain to the sheep of the jury that these are better odds than DNA, hell, call it "Digital Fingerprint" or something, and get on with the case.

Demonstrate this, since they won't get it from the math guy, by taking an image, changing a single pixel, and recalculating the checksum showing that it changes entirely. Don't _tell_ them, _show_ them that if you change the digital information, the "Digital Fingerprint" changes drastically.

Re:Wrong

[angst_ridden_hipster]

Gnupg and similiar encryption tools, combined with date and time stamping (perhaps even authenticated date and time stamping via ntp servers) could be deployed relatively simply and make data tampering virtually impossible (e-mails are certain to be real, and have been created on such-and-such a date, etc).

Ah, but they were written by someone who broke into your machine, used a keylogger to get your passphrase, and were sent by this other individual while you were out having a beer with your buddies.

Sure, you have a good record that the email was sent at 8:30pm, but, then you can't really prove that you were at the corner bar at that time. After all, will the jury believe the testamony of your drinking buddies, or a cold, cryptographically-secure computer log?

(Admittedly, this is less likely to be an issue in investigating a crime that has already been committed... but if it's a computer-related crime, the probability goes up.)

Do you trust the system administrator?

[MrNybbles]

So let's say someone breaks into the MegaCorp computer and causes billions of dollars in damage and causes a few powerplants to go off line in the East Coast of the US during a heatwave causing many people to die.

Now let's say that the person who did this is found because he forgot to modify/erace the system logs and a criminal trial begins.

Now let's also say he hires Jacky Childs as his lawyer who asks the system admins, under oath, if the system logs are nothing more than common text files. Then he asks if it is possible that any of the admins could log on and edit that text file log. Unless they got the logs being directed to a line printer an constantly printed out, Jacky Childs just found his reasonable doubt. Good luck with the civil suits!

Seriously though, this could be a real problem one day soon.

That's why

[Anonymous Coward]

I'm surprised the RIAA managed to settle so many of their lawsuits with little more than an IP address as evidence.

If DNA wasn't enough to convict OJ Simpson of murder then how can some digital numbers on a piece of paper be enough to find anyone guilty of sharing a file?

After all, the numbers could be forged, spoofed, mistranlated....and the burden of proof is with the plaintiff.

The scary part...

[gillbates]

...original pictures of fingerprints and other evidence are encrypted so they can't be changed, and burned onto a CD, giving the lab the equivalent of a film negative to reference later.

Um, yeah. Well, if they're encrypted, you either:

• have the key and can change the image, or
• don't have the key, and you can't see the image

I think what he meant to say was checksummed and encrypted. While this does provide a reasonable degree of security against tampering, it in no way establishes that the pictures were real in the first place. It is a very trivial matter to write a CD today with a date of 01/01/1998.

Yes, checksumming does provide a reasonable degree of security provided other safegaurds are taken. However, defeating this scheme is still too simple. Consider:

• Murder takes place in 1998. Detective has a hunch that suspect X has done it, but can't prove it.
• It's 2004 - suspect X is arrested on an unrelated charge, and fingerprinted.
• Said detective takes pictures of X's fingerprints.
• He then sets the clock on his PC back to 1998, a few days after the murder.
• Then he downloads the fingerprints he's just photographed to the machine, and burns the photos to CD. When he's done, he sets the PC's date back to the current date.
• Said detective files the freshly minted CD in the 1998 storage locker.

A few days later, the detective suggests to his subordinate that he run X's fingerprints against the crime-scene database. Lo and behold! - suspect X's fingerprints match those found at the crime scene!

Tell me I'm more secure now. Evidence fakery has been around since mankind learned to lie. The digital age just makes it more convenient.

Re:The scary part...

[Idarubicin]

Tell me I'm more secure now. Evidence fakery has been around since mankind learned to lie. The digital age just makes it more convenient.

Oy! The parent poster has described a delightfully paranoid scenario--that the system is already designed to guard against. It's already supposed to be difficult to tamper with physical evidence. Chain of custody must always be carefully maintained. Checking out and then replacing a CD full of evidence? Nonsense. You can't just sneak a CD into a storage locker and expect it to be allowed anywhere near a jury. If you could do that, you might as well just plant a hair from the suspect on an old piece of clothing, or something similar--except you can't do that either, because the evidence bag is signed and sealed.

The CD would be harder to tamper with, because there would likely be multiple copies in secure locations. You can't do that with physical evidence. Further, there would be no reason for anyone to be allowed to take the CD with them--any investigator who wanted to look at the evidence could have a copy burned for their use, leaving the original safely stored away.

Yes, some sort of evidence tampering could in principle take place before the CD was burned, but tampering after the fact is going to be more difficult than with 'conventional' evidence.

Re:Only solution

[chadjg]

I am not sure that manipulation in post is, or ever will be the biggest threat from a dishonest cop. The biggest threat is what the person chooses to put in the video or image, and what is framed out. But everyone knows this, right?

My job is editing video. the only tool I have is Final Cut Pro. Sometimes a person on a program will say something wrong, make a mistake, or I just need to cut for time. I have to make choices all the time about what to cut, and the most difficult thing is often preserving good grammar and the original sense of what the person was saying. Gatekeeping and simple editing are huge, and can't be detected at all if everyone keeps their mouth shut.

More on point, seamless, untraceable sound editing can be done right now and cheaply. I have made someone "say" they were in one town, when they originally said they were in another. I wasn't sure if I had it right until I ran the edit past my boss and he said "what edit?" That's with the primitive sound editing tools built into FCP. That's today!

Obviously it's going to be difficult to put an AK-47 into the hands of a person that really was carrying a beach ball. Manipulation doesn't have to be that obvious. What about changing a single letter on a license plate, or making painting an inconvenient bullet hole out of a wall? I submit that stuff like that can and is being done. Take Hollywood, for instance. OK, they put out 90% crap, but their fakery skills are unmatched, and they are for hire.

It isn't difficult to notice low grade Photoshop chicanery. My brother showed me some of his work in a printed magazine and said to point out the fake. It took me just seconds. He had put a guy in a group photo that was never in that room. That was a rush job in a low resolution printed picture, but it got past his bosses and the audience. Photoshop isn't my area, (yet, hopefully,) but I bet an expert could blow simple manipulations past anyone, everytime.

This ignores your more cryptographic honesty helpers, somebody else is probably going to talk about that at length.

The above, parent post is right, I think. Dot it right and nobody will notice. If you don't notice, what's the chance of doubting it?

Personally, I only trust pictures and audio to the degree that I trust the person that made them and everyone downstream from the creator. Luckily most people are too lazy to make a really good fake.

Re:Do you know nothing about Technology?

[HybridJeff]

The media could always be replaced though, if someone had access to the device it was contianed within. Of course, some sort of tamper detection could be inscluded within the device itself. Since it would all come down to cost however, I beleive it would be extremely unlikely that any of these ideas ever get put into practice. Manufactures wouldnt take part unless required by law. The best solution would be to require a 3rd party observer (or someone representing the defence if possible) wheneever digital evidence is recorded.

Re:Only solution

[vDave420]

Uhhhhh...you just made it next to impossible to prosecute a lot of crimes. Take kiddie porn for example - you're saying that a hard drive full of kiddie porn images shouldn't be admissable?

Damn Straight!!!

When it is not possible to prove that a crime was committed, how can it be reasonable to advocate prosecution of said "crime"?

Isn't that just asking for abuse?

Disassociate the REAL issue (lack of provability) with the EMOTIONAL plea (save the children, stop kiddy porn).

-dave-

PS:
Do you advocate Illegalizing the Hollywood movie industry? After all, since "consuming Kiddyporn leads to child abuse" (hence its need to be illegalized), doesn't consuming visual violence, abuse, and nudity do the same, leading to physical and mental abuse?

If not, you are as hypocritical as everyone else who arbitrarily supports "save the kids"-style legislation. The same rationalization applies in both cases.
I bet you think the USA-PATRIOT act is a good idea, too! =)

Those who would trade essential freedoms for temporary, illusory, "children's safety" will receive neither, and deserve naught!!

Re:Do you trust the system administrator?

[MrNybbles]

First of all, I don't support the US Patriot act.

Second, you seem a bit upset. Calm down. You got the point of the whole thing although you seem to be upset that in my scenario they cought the guy that did it. I only made the crime a severe one to give the trial importance. You seem to think I am saying something that I am not.

Interesting that you bring up DNA. If enough criminals figure out how to harvest dna from like hospital medical waste or such and leaving it at crime scenes I could see Lawyers trying to get DNA inadmissible in court.

About that last part you wrote Dave. How did we get from is the system admin trustworthy to evidence of an assassination on somebody's machine? Through worms and rooting machines files get dumped places all the time. However in court the word of a system admin and his logs is considered truth. This will likely change. Maybe it should change. Actually I probably should have brought this up in my origonal post. My bad.

What if the admin used his job to alter the logs himself to hide a crime he committed? I have yet to meet an evil sys admin, but it could happen.

Mrhandstand brought up some interesting software and ideas on how to do things, but a lawyer doesn't need to prove the system is flawed; he just needs to get one person on a jury to think it might be flawed.

Re:This shouldn't change anything

[Lord Kano]

So what you're saying is that one of the most powerful governments on the planet (30 years ago) could do things that lay people such as myself can do today...

Re:having porn is not against law

[MrResistor]

Nope. We were talking technology. Not specifying country.

No, we're talking about the legalities of digital evidence under US law.

However i was talking this example to my friend, US based psychologist who is working for as an officially appointed expert. She said i would be probably OK. But she may be wrong, of course.

There are a lot of viriables to consider, but here's the basic situation:

If you never show those pictures to anyone else you would certainly be OK. Even if you did allow someone else to see them, you would probably still be OK, unless that person were EXTREMELY uptight and reported you. If you were to make them publicly available, like on the web for example, you would quite likely be arrested.

If it went to trial, I'd say you'd have an even chance in general, but it would depend very much on the community from which the jury was drawn and the laws of that area. Standards and laws regarding decency, obsenity, pornography, etc vary wildly from state to state. Indeed, the legal definition of obscenity is based on the standards of the community.

Age of consent is 15 in Czech and it is going to be lowered. It is as low as 12 in some European countries, including catholic Vatican. However it is OK to have sex if both partners are under this limit. I would bet, however I do not know any official statistic, that average age to lose virginity for a czech girl is under 15 these days, at least in large cities and certainly counting non coital sex pratices.

As I said, age of consent is determined by state law, not federal law. Here in California I believe it's 16, I know there are some states where it is 14, and there may be states where it is 12, though I don't know that for sure. 16 or 17 is always a safe bet, though if the age difference is more than 4 years it could still be statutory rape. Again, though, that varies by state.

Perhaps I should also note that it was illegal to produce pornography at all in California until less than 30 years ago (I don't know the exact date), when that law was challenged and struck down by the court.

That said, the average age when an American girl loses her virginity is probably also about 15.

The age for creating porn is however 18 but again, it is not used (or may be even does not apply) if people are taking pictures of themselves for their personal usage.

I've heard of people being prosecuted for child porn for having pictures of their infant taking a bath. That's an extreme case, and most of the time those pictures would be perfectly OK, but one always has to remember that it's based on the standards of the community as represented by the 12 people on the jury, and that the jury consists of 12 people who're too dumb to get out of jury duty.

it is either a country of hypocrites or a country of ascetics.

I wouldn't say we're any more hypocritical than the people of any other nation, just in our own particular way. The first colonists were Puritans, who known for being extremely uptight, and our laws still reflect that to a large extent, even though our society in general is rapidly degenerating into vulgar hedonism.