Friday, May 07, 2010


Defense lawyers in a cybercrime case usually ask the wrong questions. If stolen credit card data is discovered on a suspect’s laptop, the most likely question put to the prosecution is whether the data was actually found on the suspect’s laptop. This is the wrong question, because the answer is invariably yes.

What should concern a defense lawyer more is how the data got onto the laptop and, of paramount importance, when it got there. When data arrived on a computer is a crucial link in the forensic computing evidence chain. If, for instance, the stolen credit card details were there before the accused owned the laptop, then it is unlikely that he or she knew the incriminating data was present.

To determine when a file was saved to the computer, when it was last accessed and when it was last modified, you need to examine its timestamps. A timestamp records the date and time at which the file was last changed.

Most timestamps are generated from the computer’s internal clock, or from the clock of another computer from which the file was transferred. Timestamps are, however, open to manipulation and can be unreliable at best. A desktop in Nairobi will be set to Kenya’s local time zone, whereas a laptop belonging to a globe-trotting marketing executive will travel the world and have its time zone adjusted along the way.

Determining timestamps from internet activity is also fraught with inconsistencies. The internet history file, for example, exists as a daily, a weekly and a full history file, and each records time somewhat differently: the full history file uses the local time zone as its base point, whereas the daily history file uses daylight saving time as its base point.

It is therefore crucial to tie file timestamps to secondary evidence. For example, if the laptop was legitimately purchased from a computer shop on Moi Avenue, a receipt showing the date of purchase can serve as additional evidence to help reconstruct a timeline.
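As an added illustration (not part of the original post), the following Python script shows the two points above in practice: it normalises file timestamps recorded under different time zone settings to UTC, builds a timeline, and cross-checks the file times against the purchase date on a receipt and against each other. The file records, zones and receipt date are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample (not from a real case). Each timestamp carries the UTC offset
# the clock was set to when it was written, as a travelling laptop would record.
NAIROBI = timezone(timedelta(hours=3))      # Kenya, no daylight saving
LONDON_BST = timezone(timedelta(hours=1))   # UK summer time
UTC = timezone.utc

SAMPLE_FILES = [  # (path, created, modified, last accessed)
    ("C:/Users/owner/report.docx",
     datetime(2010, 2, 10, 14, 0, tzinfo=NAIROBI),
     datetime(2010, 2, 11, 9, 30, tzinfo=NAIROBI),
     datetime(2010, 4, 1, 8, 0, tzinfo=NAIROBI)),
    ("C:/Users/owner/cards.csv",
     datetime(2009, 11, 2, 9, 15, tzinfo=UTC),
     datetime(2009, 11, 2, 9, 20, tzinfo=UTC),
     datetime(2010, 3, 5, 10, 0, tzinfo=NAIROBI)),
    ("C:/Users/owner/photo.jpg",
     datetime(2010, 4, 20, 12, 0, tzinfo=LONDON_BST),  # set when copied onto this disk
     datetime(2010, 1, 3, 18, 45, tzinfo=NAIROBI),     # carried over from the source file
     datetime(2010, 4, 20, 12, 0, tzinfo=LONDON_BST)),
]

def to_utc(ts):
    # Normalise a zone-aware timestamp to UTC so events from different zones compare.
    return ts.astimezone(UTC)

def build_timeline(files):
    """Return every file event as (utc_time, event, path), oldest first."""
    events = []
    for path, created, modified, accessed in files:
        events += [(to_utc(created), "created", path),
                   (to_utc(modified), "modified", path),
                   (to_utc(accessed), "accessed", path)]
    return sorted(events)

def flag_anomalies(files, acquired_on):
    """Cross-check file times against secondary evidence (the purchase date on the
    receipt) and against each other; returns (path, finding) pairs for review."""
    findings, acquired_utc = [], to_utc(acquired_on)
    for path, created, modified, accessed in files:
        if min(to_utc(created), to_utc(modified)) < acquired_utc:
            findings.append((path, "predates acquisition date on receipt"))
        if to_utc(modified) < to_utc(created):
            # Normal for a file copied onto the disk (creation = copy time), but also
            # what a clock change or an edited timestamp produces: corroborate it.
            findings.append((path, "modified before created: copied or clock-adjusted"))
    return findings
```

A flagged file is a lead to corroborate with other evidence, not a conclusion: a modified time earlier than the creation time is produced by an ordinary file copy as well as by a clock adjustment.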

Timestamp evidence is not the silver bullet of forensic evidence, but used effectively in conjunction with secondary physical evidence it can build or destroy a prosecution’s case.
