My Road to Digital Forensics Excellence

Avoid the Alibi Defense

Posted by Paul Bobby on November 4, 2008

In my world of Corporate investigations, the employee more often than not confesses to the inappropriate behavior. After all, it’s their livelihood at stake, and for the most part people fall on their sword and beg forgiveness. However, there have been a few belligerent individuals who, despite being shown absolute positive proof (Spector Pro), continue to deny.

The problem? It’s not convincing the employee – the problem lies with HR. They want to be sure that the employee really did what I claim occurred. These folks in HR aren’t as tech-savvy as I would hope they could be, and even though our continuous work is slowly making them aware of forensic technique and work-product, when it comes time for the occasional "I didn’t do it" case, they lose all confidence. After all, they don’t want a lawsuit.

How to avoid the alibi defense and provide data to convince the requestor from HR.

Who has physical access to the device?

During the timeframe in question, who had access to the computer? This does not imply logon capability; it means physical access only. Is it a shared asset? Does the employee allow his family to use it?

Is it reasonable that the employee, and the employee alone, is responsible for the evidence?

If, during the timeframe being analyzed, inappropriate web activity occurred, is it reasonable to assume that the employee caused that activity?

Is Remote Access possible?

The malware made me do it. My machine is being remote controlled. That helpdesk guy is out to get me. Look for those artifacts that would indicate remote control or remote access.

Determine Method of Entry of the Evidence

Pornographic images in the Internet History cache? It’s plausible that these images were written to the drive as a result of drive-by web surfing. Pornographic movies in the Internet History cache? Drive-by surfing the cause? I’m not aware of any accidental web surfing that dumps a 5meg .FLV onto a hard drive.

Graphical Timelines are very helpful in convincing the HR rep.

Website Redirect?

A REDR (redirect) record will show in the cached history file and is helpful to distinguish a drive-by from a deliberate web site visit.

Website Pop-ups?

Javascript is the most common method for creating a pop-up.

My preferred approach to answering the redirect/pop-up question is to visit the site yourself and record what happens. Take the timeline of website activity, start at the top, and see what happens. Use Firefox, with NoScript and Firebug to protect yourself (and of course up to date AV).
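As an added illustration (not from the original post), the script below walks a constructed index.dat-style history, tags visits that immediately follow a REDR record as drive-by and large media files as deliberate downloads, and prints the resulting timeline for the HR discussion. The record layout, the 10-second REDR pairing window and the 1 MB "too big for a drive-by" threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records, not real evidence: index.dat-style history with
# URL (visit) and REDR (redirect) record types. Sizes are cache-item bytes.
RECORDS = [
    {"ts": "2008-11-03 09:14:02", "kind": "URL",  "url": "http://news.example/front", "size": 48_120},
    {"ts": "2008-11-03 09:14:05", "kind": "REDR", "url": "http://ads.example/land.html", "size": 0},
    {"ts": "2008-11-03 09:14:06", "kind": "URL",  "url": "http://ads.example/land.html", "size": 12_400},
    {"ts": "2008-11-03 09:14:06", "kind": "URL",  "url": "http://ads.example/banner.jpg", "size": 61_000},
    {"ts": "2008-11-03 13:02:41", "kind": "URL",  "url": "http://video.example/search?q=clip", "size": 9_800},
    {"ts": "2008-11-03 13:03:10", "kind": "URL",  "url": "http://video.example/clip42.flv", "size": 5_242_880},
]

MEDIA_EXT = (".flv", ".avi", ".wmv", ".mp4", ".mpg")
LARGE_BYTES = 1_000_000                  # assumed threshold for "not a drive-by"
REDIRECT_WINDOW = timedelta(seconds=10)  # assumed REDR-to-visit pairing window


def build_timeline(records):
    """Return URL visits in time order, each tagged with how it plausibly arrived."""
    parsed = sorted(
        ({**r, "ts": datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S")} for r in records),
        key=lambda r: r["ts"],
    )
    redirects = [r for r in parsed if r["kind"] == "REDR"]
    timeline = []
    for r in parsed:
        if r["kind"] != "URL":
            continue
        # A REDR record naming this URL shortly before the visit means the
        # browser was sent here, not that the user typed or clicked it.
        via_redirect = any(
            x["url"] == r["url"] and timedelta(0) <= r["ts"] - x["ts"] <= REDIRECT_WINDOW
            for x in redirects
        )
        large_media = r["url"].lower().endswith(MEDIA_EXT) and r["size"] >= LARGE_BYTES
        if via_redirect:
            entry = "drive-by (redirect)"
        elif large_media:
            entry = "deliberate (large media)"
        else:
            entry = "undetermined"
        timeline.append({"ts": r["ts"], "url": r["url"], "size": r["size"], "entry": entry})
    return timeline


def entry_counts(timeline):
    """Summary counts per entry method, for the cover sheet of the report."""
    counts = {}
    for e in timeline:
        counts[e["entry"]] = counts.get(e["entry"], 0) + 1
    return counts


if __name__ == "__main__":
    for e in build_timeline(RECORDS):
        print(e["ts"], f"{e['size']:>9}", e["entry"], e["url"])
```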


Haven’t encountered P2P yet in my investigations, but it is a possibility. Typically, the employee searches for the desired file prior to downloading; this shows a committed action.

I welcome your comments and suggestions. My world of investigations is Corporate and different from the criminal alibi defense law enforcement encounters every day. Still, what else should the investigator consider?
