Swift on Security tweeted a great article. It is not great as a well-written piece, nor because it contains earth-shattering news; it is great because it raises a few questions and assumptions worth thinking about in any legal matter.
<blockquote class="twitter-tweet" data-lang="en"><p lang="en" dir="ltr">This should be a mandatory read for every IT person who thinks they’re suddenly a forensics expert ready to judge facts. Inability to present preserved traces and timeline, along with impossible knowledge they can’t explain? 🥴 don’t know what’s going on <a href="https://t.co/sK1DbCWIaC">https://t.co/sK1DbCWIaC</a></p>— SwiftOnSecurity (@SwiftOnSecurity) <a href="https://twitter.com/SwiftOnSecurity/status/1104189457069236224?ref_src=twsrc%5Etfw">March 9, 2019</a></blockquote>
The short version of the story is that Tufts University accused a student of altering her grades by hacking the school's system and subsequently expelled her. I'm not going to case-study the article, since there isn't any sworn statement made under penalty of perjury, as there would be in an affidavit; the only document is the expulsion letter.
There are a lot of unanswered questions in the article, and without the reports that surely had to be written, I see it as a friendly reminder that 'investigating' an incident (crime, policy violation, etc.) should be done by those with the experience to back up their findings, and who have no hesitation in releasing the evidence and findings to the suspected party. The facts are what the facts are, but facts that the accused is never given the chance to examine and refute are only allegations, not facts.
The topic of attribution is a favorite of mine. I like it enough to have written a book on it. Actually, two books. These types of cases are cool because I love to find out whodunit and prove that they did it (or disprove a false allegation). Articles like this are teases, because we'll never know unless the facts of the case are produced showing what was done, how it was done, and what evidence was found. Implications one way or the other only incite readers to believe one thing or the other. The subtitle of the article, "You're guilty unless you can prove it", sort of shows this, although I think the writer meant "You're guilty unless you can disprove it".
As to my opinion on what happened in this Tufts matter, even starting down that road is a risky proposition. Too many 'experts' are asked their opinion on a cyber-related topic, and if the answer is not something to the effect of "Well, practically anything is possible", the expert may get dug into a position that was not the best one to dig into. The best opinions are those formed with complete and unfettered access to all available information; then, based on your training and experience coupled with the evidence at hand, your opinion holds legal weight.
Side note: Don't forget that the "F" in DFIR stands for "forensics", defined as being part of the legal process, meaning that there are rules and procedures to follow to identify, validate, and admit evidence in legal proceedings. It's not just willy-nilly-I-found-an-IP-address!
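The two things the tweet says were missing, preserved traces and a timeline, are exactly what the "identify, validate" steps above produce. As an added illustration (not code from the article or from anyone involved in the Tufts case), here is a minimal Python sketch of that discipline: each preserved artefact is hashed at acquisition into a chain-of-custody record, the record can later be re-verified against the artefacts handed to the other party, and a timeline is built only from timestamped lines that point back to a specific preserved file. The artefact names and log lines are constructed samples, and the collector name is a placeholder.

```python
import hashlib
from datetime import datetime

# Constructed sample artefacts (hypothetical, not from the article): the kind of
# preserved traces an investigator would hash at acquisition time.
ARTEFACTS = {
    "grades_app_access.log": b"2019-02-01T03:12:44Z 10.0.0.5 GET /grades?id=123 200\n",
    "auth_events.csv": b"timestamp,user,event\n2019-02-01T03:12:40Z,jdoe,login_ok\n",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the raw artefact bytes."""
    return hashlib.sha256(data).hexdigest()


def build_custody_record(artefacts: dict, collector: str, collected_at: str) -> dict:
    """Chain-of-custody record: who collected what, when, and each item's hash and size."""
    return {
        "collector": collector,
        "collected_at": collected_at,
        "items": [
            {"name": name, "sha256": sha256_hex(data), "size": len(data)}
            for name, data in sorted(artefacts.items())
        ],
    }


def verify_custody_record(record: dict, artefacts: dict) -> list:
    """Re-hash the artefacts and list every entry that is missing or no longer matches.
    An empty list means the evidence handed over is byte-for-byte what was preserved."""
    mismatches = []
    for item in record["items"]:
        data = artefacts.get(item["name"])
        if data is None:
            mismatches.append((item["name"], "missing"))
        elif sha256_hex(data) != item["sha256"]:
            mismatches.append((item["name"], "hash mismatch"))
    return mismatches


def _parse_ts(token: str):
    """Parse an ISO-8601 timestamp (with a trailing Z allowed); None if the token is not one."""
    try:
        return datetime.fromisoformat(token.replace("Z", "+00:00"))
    except ValueError:
        return None


def build_timeline(artefacts: dict) -> list:
    """Merge every timestamped line from all artefacts into one ordered list of
    (timestamp, source artefact, raw line), so each finding can be traced to the
    preserved file it came from. Lines without a leading timestamp (e.g. a CSV
    header) are skipped rather than guessed at."""
    events = []
    for name, data in artefacts.items():
        for line in data.decode("utf-8", errors="replace").splitlines():
            if not line.strip():
                continue
            token = line.replace(",", " ").split()[0]
            ts = _parse_ts(token)
            if ts is not None:
                events.append((ts, name, line))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    record = build_custody_record(ARTEFACTS, "ANALYST_NAME_PLACEHOLDER", "2019-02-02T10:00:00Z")
    print(record)
    print("verification:", verify_custody_record(record, ARTEFACTS))
    for ts, source, line in build_timeline(ARTEFACTS):
        print(ts.isoformat(), source, line)
```

The point of the split between `build_custody_record` and `verify_custody_record` is that the suspected party (or their expert) can run the verification independently: if the hashes match, the argument moves to what the traces mean, not whether they are the real traces.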