Posted on 04/29/2015 8:15:40 PM PDT by grumpygresh
Question for all freeper computer experts. I have a case where I have reason to believe that my opponent has faked the date and content of a website as it appeared in January through April 2011. I have used the way back machine and found that my opponent did not the information that they claimed to have had on the website between January to April 2011. I have not yet received any paperwork or computer file from my opponent. But when I do get the computer file, could it be faked with respect to the date and content? What would be the best course of action to reveal the fraud?
Pretty much anything can be changed.
For example, I’m a photojournalist and one tool I regularly use can change every bit of metadata in photos, from date and time to the camera used and GPS coordinates. Now, I don’t change the data, but I often strip it all out, which is essentially changing all the values to zero.
There are steps that can be taken to ensure files are unchanged — checksums and the like. ...but that really needs to be done as an active thing and can’t really be done ex post facto except to compare a known older file and a current copy. For example, you can compare the submitted version of a file with one extracted from an old backup tape.
...but all this is best left in the hands of competent forensic specialists rather than internet pajamahadin.
Right now, I have saved (print & digital) the website info from the way back machine. My opponent will claim that their own archiving system is correct and the way back machine is wrong or not admissible. The info on the website would have been there for a long time, at least 6 months, so way back must have sampled it.
“Would the changes leave a trail?”
Not really, since they only have the files that sent you.
However, if you had access to the computer that the web site was developed on and it was on a Windows 7 system, you could obtain various backup copies of the folders these files were kept in via Properties -> Previous Versions of the folders, and then restoring the backup folders VIA COPYING THEM (NOT RESTORING THEM), and then examining the modification dates of the files and what they contain relative to the faked files you received via differencing.
Short of this,it seems to me your best evidence is from the wayback machine.
if it’s a file you can change any thing. especially a text file. but others as well. Even live in memory stuff. We used to edit the CICS region while it was running, in extreme cases i the editor was called omegamon. not for the faint hearted. if you wanted to change a table entry without an IPL . you can change anything that digital.
from a wiki description.
When OMEGAMON was released by Candle in 1977, it was recognized as the first MVS* real-time monitor. It also provided the system programmers with tools to immediately perform common tasks that normally required the MVS OS to be IPLed.
This is very vague. Please give more details.
What you really want to do is go after the backup tapes (plural) since you mentioned a website I assume they are backing up offsite. Get after them as they will back up the attributes of files (creation, updates, deletions, etc..). Depending on the OS, it may show far, far more such as who had access, extended attributes and depending on the backup type who accessed the files last.
But without more info on “who” the opponent is (i.e., what kind of files and from where), it is hard to answer. For all we know, it was a virtual machine in Amazon’s cloud that has been deleted once and recreated with ACL’s reset across the board.
Won't the actual meta-data in the computer drive show when the fabricated document or file was really created?
I don’t have the files yet, but I should ask for backup copies, previous versions?
Domain names leave a trail too. Whois records, which servers are used, etc.
Here are a couple archival sites, I am sure there are many more.
http://www.domaintools.com/
http://toolbar.netcraft.com/site_report/
A hacker could probably get some interesting info, even without actually hacking They are probably good at finding metadata.
Thanks for the info. I can’t be specific right now but I can say opponent is non security/ domestic US fed government agency.
Yes, simply change the clock time of your computer going back as much as needed. Then copy original files to new names. Finally copy from new names to original file names. Original files files will be stamped with the date you had set on the computer.
But much easier method is to acquire software which can alter dates directly.
It IS possible to change the file date. I don’t know if there is a way to tell that it has been changed though.
Depends on the environment, but in general, if I modified something and didn’t want you to know - you wouldn’t.
But, what about a website? Others would have previously acessed the site and also could have archived it.
Does your “opponent” have [or did he have at any time] unrestricted physical access to the computers on which these files were stored?
No.
Yes and no...
It is easy to ‘touch’ a file, changing the creation/modified date. Some types of files also contain metadata -Internal invisible tracking of editing, which could expose such a fraud - most methods of touching a file would not alter said metadata. But, it is also easy to wipe or alter metadata, if a file does contain it. There can also be change logs in the OS the files were modified on, or on the internet server they were uploaded to. However, these too are easy to change/wipe providing one has access and authority. One can also determine how the file was saved to the drive - But this too is easy to fix, by defragging the drive and mft, and wiping free space.
What you are trying to do is catch somebody who doesn’t know how to change these things... If it is professional IT with full control, you are probably boned.
One way or another, you need a lawyer and a forensic computer specialist to find out. lots of bucks to chase this bet... Better be worth it.
“I don’t have the files yet, but I should ask for backup copies, previous versions?”
Won’t do any good. Anything they “give” you can be faked. Aside from the wayback machine, you would have to have access to the PC itself that they developed the website on AND have someone perform a forensic analysis on it, AND that PC would have to be obtained BEFORE they knew what you were up to so they couldn’t cover their tracks on the PC before they handed it over to you.
Since it’s a domestic government website, I wonder if other copies are archived at Library of Congress, National Archives. WB machine supports my contention, but it is sometimes inadmissible. I wish I could be more specific, but if there’s a settlement, there could be non-disclosure.
I would have to say that all the comments have been quite good, and I’m impressed.
Most gvt websites are backed up offsite, and non-security sites are usually backed up to secondary private vendors - Though the nature of the backup is beyond my ken. However, there are lawyers that do this sort of thing, and they will know how to proceed... Again, lawyers and computer forensics...
Good luck.
Yes.
I was involved in an IP court case. Someone claimed to own a design and had back dated files to show they had the idea first. BUT this person didn’t understand that the creation date, computer info, and username were all stored in the file. I showed this info in a sworn deposition. He dropped the claims when he was warned he is guilty of perjury.
Open the files in question in a txt editor and you can sometimes find the creation dates.
Goodluck
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.