Arnold
Cleared for Takeoff
I sure hope someone can help with this. The background is somewhat lengthy, so if you want to just see what the technical issues are then please feel free to scroll down to that section:
BACKGROUND
I have a client who stands accused of using his college's computer lab to hack and crack a bit. The college initially expelled him after a one hour interrogation (well that is an insult to those who interrogate for a living - it was a dean yelling at him for an hour and telling him to confess - I think she must watch way too much TV). After some strongly worded correspondence they agreed to allow him to take advantage of the appeal process - a process which they had initially and on three separate occasions denied existed - "as a courtesy."
We had a "guilty until proven innocent" hearing on Wed. with a decision promised within 24 hours. For those of you who don't know what one of these GUPI things is like I'll give a brief explanation. First, this is the most common (in my experience) method for companies and colleges (and often parents) to conduct themselves when they are angry at someone and want to get rid of them. Second, it is also what life would be like without Article III and the 4th, 5th, 6th, 7th and perhaps 8th amendments to the constitution.
We were told that my client was guilty, that he could appeal to a committee hand picked by the people who expelled him. The committee included an administrator who had no job security, a student who was there on at least a partial athletic scholarship and a professor who thankfully had tenure. So we had one member who could safely rule against the administration. We were told that the student must present his defense before he saw any of the evidence against him, he could not examine or cross examine witnesses, he could not have anyone testify in his defense, his attorney could be present but could not speak (and that was an accommodation) and if anyone said anything the attorney for the administration did not want to hear there was a security guard outside the door to throw the offender out. (I thought the security guard was a nice touch - most institutions are not so creative as to come up with that bit of intimidation).
We presented our case which included a brief opening statement by the student, an affidavit from the guilty student who actually admitted to doing the hacking and admitted that he stole my client's login info since it was easy to do as they were roommates, and the letter the real hacker had written to the administration at the time of the expulsion explaining that he had done this on his own, and pretty much that was all we had - no I didn't do it, here's the confession from the guy who did. I also had about a five page pre-hearing brief which they accepted.
The college then presented their witness the director of IT, who happens to be married to the college's president (a little additional intimidation for the board - the subtle do what I want or I'll have my husband fire you undercurrent) who provided some xls docs she had cobbled together that purported to show that unauthorized activity took place under my client's login (we knew that) and that my client was at the computer when the activity took place (we denied that) and that was their case. We were not allowed to object to the evidence, nor were we allowed to directly question the official about the evidence, nor were we allowed to question the people who created the document. We have no idea if the document is at all accurate or where it came from.
TECHNICAL QUESTION
If you read to here congrats, if you scrolled to here thanks.
There is a document that purports to be a log of all file modification events taking place during a specified time frame and includes a column marked name, a column marked folder, a column marked size, a column marked type and a column marked Date modified (containing date and time). This is a Windows O/S machine (I believe xp) connected to the network.
So I have a few questions - First, is there any way to tell if the file access was a routine windows o/s event or had to be directed by the user. Second, is there any way to say if any particular file is NEVER UNDER ANY CIRCUMSTANCES accessed by either windows, or a legitimate program, or a web infiltration and therefore it COULD ONLY HAVE BEEN DONE BY THE STUDENT from the keyboard at the moment the file was accessed. Lastly, is there any way to say that the file COULD NEVER be accessed by a malicious program placed while the user was away and running in the background, such that the user did not know it was running while the user was working.
In other words their case is strictly circumstantial, they have no evidence that he was the malicious user (no prohibited programs in his .ftp directory or anything like that) they only have the coincidence of time and their position is - he was in the room, his login was being used, he must have done it.
If anyone can help please PM me and we'll talk about where we go from here. Thanks for your patience.
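An added example, not part of the original post and not anything the college or the poster produced: a small Python triage of a "Date modified" export with the five columns described above (name, folder, size, type, Date modified). It does what a forensic reviewer would do first with such a list: sort the rows into locations that Windows, browsers and applications write on their own versus a user's document area, group writes that land within the same couple of seconds (a pattern of a program acting, whether launched by a person at the keyboard or running unattended), and check whether the export carries any column that could identify the process or logon session behind a write. The sample rows, the folder heuristics and the field names are constructed assumptions for illustration.

```python
"""
Triage of a Windows "Date modified" export (added example, not from the post).
Shows (1) a location-based sort into OS/app-written vs user-area entries,
(2) grouping of writes that cluster within seconds, and (3) a check for
attribution columns (process, account, session) that the export lacks.
Sample data and folder heuristics are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the five columns the post describes. Paths follow a
# typical XP layout; none of these rows come from the actual evidence.
SAMPLE_LOG = """\
name|folder|size|type|Date modified
ntuser.dat.LOG|C:\\Documents and Settings\\jdoe|1024|LOG File|2004-03-02 14:05:11
index.dat|C:\\Documents and Settings\\jdoe\\Local Settings\\Temporary Internet Files\\Content.IE5|32768|DAT File|2004-03-02 14:05:12
NOTEPAD.EXE-00000000.pf|C:\\WINDOWS\\Prefetch|9120|PF File|2004-03-02 14:05:12
essay.doc|C:\\Documents and Settings\\jdoe\\My Documents|45056|Microsoft Word Document|2004-03-02 14:07:40
~WRL0001.tmp|C:\\Documents and Settings\\jdoe\\My Documents|45056|TMP File|2004-03-02 14:07:40
scan.txt|C:\\Documents and Settings\\jdoe\\My Documents\\tools|2211|Text Document|2004-03-02 14:09:03
"""

# Assumed heuristic: folders that the OS, browser cache and installers write
# to routinely without any action at the keyboard.
BACKGROUND_MARKERS = (
    "\\WINDOWS\\Prefetch",
    "\\Temporary Internet Files",
    "\\Local Settings\\Temp",
    "\\WINDOWS\\system32\\config",
)

# Columns that would be needed to tie a write to a process or a logon session.
# The export described in the post has none of them (assumed names).
ATTRIBUTION_FIELDS = ("process", "account", "logon session")


def parse_log(text):
    """Parse the pipe-separated export into dicts, adding a datetime field."""
    lines = text.strip().splitlines()
    header = lines[0].split("|")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split("|")))
        rec["modified"] = datetime.strptime(rec["Date modified"], "%Y-%m-%d %H:%M:%S")
        rows.append(rec)
    return header, rows


def classify(rec):
    """Label a row by WHERE it lives: 'background' for locations written by the
    OS/apps on their own, 'user-area' for a profile's documents, else 'other'.
    Location says nothing about WHO or WHAT process caused the write."""
    folder = rec["folder"].lower()
    if any(m.lower() in folder for m in BACKGROUND_MARKERS):
        return "background"
    if "\\my documents" in folder:
        return "user-area"
    return "other"


def bursts(rows, window=timedelta(seconds=2)):
    """Group rows whose timestamp is within `window` of the previous row.
    Several writes in the same second are the signature of a program running,
    which is equally consistent with a launched application and with an
    unattended background task; the list alone cannot separate the two."""
    ordered = sorted(rows, key=lambda r: r["modified"])
    groups, current = [], []
    for r in ordered:
        if current and r["modified"] - current[-1]["modified"] > window:
            groups.append(current)
            current = []
        current.append(r)
    if current:
        groups.append(current)
    return groups


def missing_attribution_fields(header):
    """Return the attribution columns absent from the export's header."""
    present = {h.lower() for h in header}
    return [f for f in ATTRIBUTION_FIELDS if f not in present]


def summarize(text):
    """Return (counts per location class, burst sizes, missing attribution fields)."""
    header, rows = parse_log(text)
    counts = defaultdict(int)
    for r in rows:
        counts[classify(r)] += 1
    return dict(counts), [len(g) for g in bursts(rows)], missing_attribution_fields(header)


if __name__ == "__main__":
    counts, burst_sizes, missing = summarize(SAMPLE_LOG)
    print("location classes:", counts)
    print("writes per burst:", burst_sizes)
    print("attribution columns not in export:", missing)
```

On the constructed sample this reports two rows in OS/app-written locations, three in the user's document area, one elsewhere, bursts of 3, 2 and 1 writes, and no process, account or session column at all. That last result is the substantive point for the questions above: a modified-date listing records that a file changed and when, not which program changed it or whether anyone was at the console, so neither "routine Windows event" nor "only from the keyboard" can be established from these five columns alone.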