Quote, originally posted by DanDamage:
How exactly is it used in court? I've heard of people getting in trouble for posting online, but how will you possibly present any accurate evidence on court day if it can be photoshopped one way or the other by both prosecution and defense?

Photoshopped images easily fail a digital test that shows color and light smoothing around the edges of the new and implanted picture... so that's very simple.
As far as date / time... Windows makes a log of absolutely EVERYTHING you do.
When you click a single file, that is immediately recorded in about a dozen places. It's much harder if you simply take an image, put it on a CD and then hand it over... generally you'll want to look at the forensics as a whole: where did it come from (i.e., the drive it was produced on or copied onto) and what programs opened it? Many programs create a cache or a recovery file. There are also the remnants that are created (layers) that are saved in temp files while you're modifying the image. All of those can be deleted, but may still show up in the MFT. If you run a defragment on your drive, those old files will still show up in the $LogFile, which is a back-up of the MFT... so they can see all your deleted files. Even thumbs.db (in earlier Windows) will still show backups of your images.
Of course, the NEWER the operating system, the more it records, but the more secure you are. There is far less of a Forensic footprint in a Windows 2000 NTFS environment than there is in a Windows 8.1 environment. The thing is... Windows doesn't do this to be sneaky, it literally has a purpose for every single recording feature it has. Usually it's to improve recall performance, or something like that.
From a forensic standpoint, you still have so many things that track what you do... everything from SuperFetch, PreFetch, ShimCache, Sparse, MRUs, file table forensics, and that's not even looking at all the temp, logs, and history created by the application that you used to open / run those files. You can do all that stuff in a VM and think you're being quiet, but you're really only conveniently pre-packaging your entire OS and disk on a single file.
[This message has been edited by 82-T/A [At Work] (edited 06-06-2014).]
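The point in the post above about deleted files still showing up in the MFT, as an added example that is not part of the original post: a minimal reader for one NTFS MFT FILE record that reports the in-use flag, the file name and the $FILE_NAME creation time. The sample records, file names and timestamp are constructed, and the parser assumes update-sequence fixups have already been applied.

```python
import struct
from datetime import datetime, timedelta, timezone

IN_USE, IS_DIR = 0x0001, 0x0002          # FILE record header flags (offset 0x16)
FILE_NAME, END = 0x30, 0xFFFFFFFF        # attribute type codes

def filetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601) to UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_record(rec):
    """Return state, name and $FILE_NAME created time of one MFT record.
    Assumption: update-sequence fixups are already applied to rec."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off, flags = struct.unpack_from("<HH", rec, 0x14)  # first attribute, flags
    out = {"deleted": not flags & IN_USE, "directory": bool(flags & IS_DIR),
           "name": None, "created": None}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END or alen == 0:
            break
        if atype == FILE_NAME and rec[off + 8] == 0:   # resident attribute
            body = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            nchars = rec[body + 0x40]                  # name length in UTF-16 units
            out["name"] = rec[body + 0x42: body + 0x42 + 2 * nchars].decode("utf-16-le")
            out["created"] = filetime(struct.unpack_from("<Q", rec, body + 0x08)[0])
        off += alen
    return out

def build_sample(name, flags, created_ft):
    """Constructed 1024-byte record holding a single $FILE_NAME attribute."""
    raw = name.encode("utf-16-le")
    body = struct.pack("<Q", 5) + struct.pack("<4Q", *[created_ft] * 4)
    body += bytes(24) + bytes([len(name), 1]) + raw    # sizes/flags, length, namespace
    alen = (0x18 + len(body) + 7) & ~7                 # attributes are 8-byte aligned
    attr = struct.pack("<IIBBHHHIHBB", FILE_NAME, alen, 0, 0, 0, 0, 0, len(body), 0x18, 0, 0)
    attr = (attr + body).ljust(alen, b"\0")
    hdr = bytearray(0x38)
    hdr[:4] = b"FILE"
    struct.pack_into("<HH", hdr, 0x14, 0x38, flags)
    return (bytes(hdr) + attr + struct.pack("<I", END)).ljust(1024, b"\0")

SAMPLE_FT = 130464864000000000  # constructed timestamp: 2014-06-06 00:00:00 UTC
DELETED = parse_record(build_sample("layer_tmp.psd", 0x0000, SAMPLE_FT))
LIVE = parse_record(build_sample("photo.jpg", IN_USE, SAMPLE_FT))
if __name__ == "__main__":
    print(DELETED, LIVE, sep="\n")
```

A record whose in-use flag is clear keeps its name and timestamps until the slot is reused, which is why a deleted temp file can still be listed from the MFT.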