Forensics – Proving a Negative

Note: I am going to try and keep this as non-political as possible.

Just weeks before the presidential election a New York newspaper published documents that they claimed belonged to Hunter Biden and that supposedly documented potentially illegal business dealings he had in China and Ukraine (article here).

I grew up in New York and even when I was a kid, the New York Post was not exactly considered a newspaper of record, if you get what I mean. That, by itself, raises alarm bells.

As the story goes, Hunter supposedly took some MacBooks, full of incriminating documents, to a Mac repair shop in Wilmington, DE, did not provide any identification and then abandoned them there. I have never claimed to be the brightest light bulb in the chandelier, but if I had a couple of computers full of sensitive stuff, would I just take them to the local computer store and say "fix them"? And then abandon them?

The New York Post claims that the repair shop gave them a copy of the hard drive that Hunter abandoned at the repair shop (why?) and they gave it to Rudy Giuliani who gave it to the feds. Credit: Slate

One possibility is that everything in these stories is 100% true. Another possibility is that the Post was set up by someone, say, maybe the Russian GRU spy agency.

In any case, as often happens after a breach or a leak, forensics experts are called in to try and validate what happened.

They have to figure out whether the documents are real or forged. With some of today's technology, that can be hard to figure out.

For example, one of the most explosive emails released by the Post was curiously published in a way that hid one important verification tool, DomainKeys Identified Mail (DKIM). Also, the metadata that was displayed raises the question of whether the file was the original or a doctored copy. If it was doctored, who doctored it: the Russians? Some middleman? The Post? Unknown.

“You’re trying to prove a negative,” said Mike Weber, vice president of innovation at Coalfire. “It’s hard to prove data was never on your network.”

Is it possible to digitally sign documents? Sure; for example, many of us have used the company DocuSign to digitally sign a document. However, out of the tens of thousands of documents (including emails, text messages and computer files) that you have touched, say in the last year, how many were digitally signed by DocuSign or a competitor? I bet it is a tiny percentage, bordering on zero.

Even organizations like the Defense Department don’t sign everything.

The average person probably has no idea how any of that works and certainly isn't going to spend a lot of money trying to use it. And if the documents were incriminating, wouldn't you encrypt them so that, say, a random computer repair person couldn't read them?

It is true that companies like Best Buy work closely with the FBI, but they are looking for more obvious crimes like child pornography, not memos that only make sense to someone with a lot of context.

Weber continues: Even in diligently designed systems, hackers could use access to a network to plant a document to meet the non-repudiation checks, cryptographic keys might fall out of a company’s control, and hackers could claim damaging leaked documents came from a vendor outside the encryption system.

And that, Weber says, assumes the most expensive, best implemented system of signatures and back-ups and evidence building is in place.

In this case, the Post did not make the DKIM signatures available. While they are not perfect and can be spoofed in a number of ways, especially by an organization like the GRU, they are a first line of confirmation.
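The point made here and in the earlier paragraph about the hidden DKIM header, as an added example that is not part of the original post: a DKIM signature carries a hash of the message body (the bh= tag), so a verifier can tell whether the body was altered after signing, and with the header stripped there is simply nothing to check against. The code below implements only the body-hash part of DKIM verification (RFC 6376 "simple" body canonicalization, no l= tag); the RSA signature over the headers, which needs the signing domain's DNS public key, is out of scope. The message and signature header are constructed for the example; the bh= value is computed here in the signer's role and b= is a placeholder.

```python
import base64
import hashlib
import re

def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def canonicalize_body_simple(body: str) -> bytes:
    """RFC 6376 'simple' body canonicalization: CRLF endings, trailing empty lines dropped."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b"\r\n"

def body_hash(body: str) -> str:
    """The bh= value a signer computes for a=rsa-sha256 with no l= tag."""
    return base64.b64encode(hashlib.sha256(canonicalize_body_simple(body)).digest()).decode()

def body_hash_matches(dkim_header: str, body: str) -> bool:
    """True when the bh= tag in the signature covers exactly this body."""
    tags = parse_dkim_tags(dkim_header)
    canon = tags.get("c", "simple/simple")  # header/body; the body part defaults to simple
    if (canon.split("/")[1] if "/" in canon else "simple") != "simple" or "l" in tags:
        raise ValueError("only c=*/simple without an l= tag is handled here")
    return tags.get("bh") == body_hash(body)

def check_body(raw_message: str) -> str:
    """Verdict for one message; headers and body are separated by the first blank line."""
    head, _, body = raw_message.replace("\r\n", "\n").partition("\n\n")
    m = re.search(r"^DKIM-Signature:(.*?)(?=^\S|\Z)", head, re.M | re.S)
    if m is None:  # the situation in the article: no signature, nothing to check against
        return "no DKIM-Signature header: body cannot be checked against a signature"
    if body_hash_matches(m.group(1), body):
        return "bh= matches: body unchanged since signing"
    return "bh= mismatch: body modified after signing"

# Constructed sample: bh= is computed with body_hash() in the signer's role; b= is a
# placeholder since the RSA step (signer's key, domain's DNS record) is out of scope.
ORIGINAL_BODY = "Hi,\nAttached is the memo we discussed.\nRegards\n"
DOCTORED_BODY = "Hi,\nAttached is the memo we discussed. Wire the funds Tuesday.\nRegards\n"
SIGNED_HEADER = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel1;\n"
                 " h=from:to:subject; bh=" + body_hash(ORIGINAL_BODY) + ";\n b=PLACEHOLDER")
```

Feeding `check_body()` a message with the signature header removed gives the "cannot be checked" verdict, which is exactly why publishing an email without its DKIM header leaves nothing to verify.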

This is the process that forensics experts get to deal with every day, whether they are working for a company that got breached, as part of a lawsuit or, as in this case, as part of a political campaign.

I am not going to make an assessment about this other than my previous comment about the Post; that is not the point of this post. What I am trying to point out is that attribution and validation are hard under the best of conditions.

In this case, since Rudy gave the disk, supposedly, to the FBI, they have access to some of the best forensics resources in the world if they think that is appropriate. In the case of the FBI, they likely have access to the resources of the National Security Agency, probably some of the best security experts in the world.

But there is another problem. Anyone who has watched a cop show on TV knows that the defense attorney gets his client off by claiming that the chain of evidence was not maintained. From some computer repair shop in Delaware, to someone, to the Post, to Rudy, to whoever: there is no valid chain of custody. That makes things very difficult to validate.

We also need to be careful not to take everything we read at face value. Maybe something is valid, and maybe it is not.

This does not mean that the Post is lying. I don't know. It is certainly possible that they were set up. After all, the reporters at the Post are likely not security experts. If a reporter is presented with a potentially prize-winning story, or wants to beat out the competition, he or she has to decide whether to run the story or not (along with his/her editor). Anyone remember the "Dewey Defeats Truman" newspaper headlines in 1948? Being first is not always best. But if you are first and right, that could be a career maker.

Forensics is part science and part art and it usually operates in less than optimal conditions. For more details see this article.
