I’m imagining security cameras having to revert to magnetic tape recording.

  • slazer2au@lemmy.world
    17 hours ago

    You know there are Windows audit logs that can show tampering like adding files after the equipment has been confiscated.

    And before you say well they can edit/remove the logs, it tracks that stuff too.

    • FigMcLargeHuge@sh.itjust.works
      13 hours ago

      You know I can read and write to a “Windows” machine without ever booting up Windows? It can’t track anything if it hasn’t been booted.

      • slazer2au@lemmy.world
        13 hours ago

        Yes, and when a forensic expert does their check on the system and sees a file existing that the audit log says was never written by Windows, how can the prosecution say it was on the drive when they cloned it?

        • FigMcLargeHuge@sh.itjust.works
          9 hours ago

          In our made-up scenario here I have a couple of thoughts. First, they make an entry in the log since they can write to the drive. Or find out the retention period of the logs, and date the file before any existing log entries and then just state that it has been on there long enough for the logs to roll off. My point is that you cannot trust these logs when a drive can be written to externally. Another option, remove the logs, install them on a Windows machine not connected to any network. Change the date/time to something you want, boot Windows and drop the file on the machine, making a log entry. Maybe re-sort the logs, or just copy the log entry back over to the original machine. There are plenty of ways these logs could be faked or modified. When someone has physical access, all bets are off and everything becomes suspect.

          Btw, 20 years ago I had to testify in court as a photographer that the images I had, that were introduced as evidence to the court, were the originals and that is what I saw through my viewfinder. So none of this is new, and courts have always needed to have provenance.

    • unexposedhazard@discuss.tchncs.de
      16 hours ago

      A. That would require the courts to be capable of having actual technical understanding, which they absolutely do not if you look at the kind of rulings there have been for IT-related stuff in the recent past.

      B. Of course you can fake any kind of log in undetectable ways. Police have all sorts of deals with zero-day software vendors these days. So even if it were so magically foolproof (which it isn't, nothing is) then you can never be sure.

      C. Doesn't need to be “found” on a Windows computer, they can just put it on a random USB drive and that would most likely hold up in court.

      • slazer2au@lemmy.world
        16 hours ago

        Why would the courts need to understand? That is why technical experts are called to support evidence.

        • unexposedhazard@discuss.tchncs.de
          15 hours ago

          technical experts are called

          Which are then ignored usually. If courts actually listened to experts we wouldn't have climate change, governments spying on their citizens, countries supporting Israel's genocide, big tech privacy violations, etc.

          • slazer2au@lemmy.world
            15 hours ago

            But courts don’t call on experts in these cases, they are called by the prosecution or defence to support or pick away evidence.