Tuesday, July 2, 2019

Yep! They Did It Again.

I've been teaching classes on multimedia analysis for a while now. Almost a decade ago, I created a curriculum and began teaching classes for Amped Software, Inc. in the US and elsewhere. One of the things I made sure to focus on was the specific use case for my students. If I was in Georgia, I would focus on Georgia law. Likewise for the Province of Ontario or South Africa.

In taking a walk through the program, I would point out the Program Options within FIVE (View>Program Options), and we'd spend the better part of the morning going over each setting and its implications for the analyst's work.

What took the most time to explain was the Log Files option. By default, Amped SRL's FIVE creates a log file that records every step from the moment you launch the program to the time you shut it down. It has since Build 4376, as I noted in this old post from 2012.

Amped SRL's Marco Fontani explains, in this recent blog post, what a wonderful thing the log files are - in his opinion. It's important to remember that Marco is in Italy, where the rules and laws are quite different from elsewhere in the world.

What is a log file? What's in it? Marco explains:

We open the file and find an impressive amount of information. The file begins with the product info: release number and build date, info about the computer and operating system, info about installed applications that may influence report creation (Microsoft Word in this case). Then, we have a full history log of every move we made while using Amped FIVE: which filter we added, how we configured (and possibly re-configured) it, which filter we deleted, and so on.

Wait. What?

You read that right. In case you missed my 2012 blog post: everything about your operating environment. Every single step. The time each step was performed. Everything. Recorded.

Did you know that FIVE was doing that?

If you have been to one of my classes, you do. If you're a long-time reader of this blog, you do. I'm the one who told you to turn off this feature and only activate it under one of two very specific situations:

  1. If you were having an issue with FIVE and you were specifically told by an Amped Software, Inc. employee to activate it in order to step through the problem.
  2. Outside of troubleshooting - if you have specific permission from your chain of command to generate / create this type of potentially exculpatory information for your case work.

Consider what happens if you receive a discovery request for any / all files related to a case in which you were a part, and you didn't disclose this information (that you didn't know existed). Once created, the log files have to be saved with the case. Please don't delete potentially exculpatory or other case-related info unless specifically directed to by your chain of command (or by statute). This isn't legal advice as such, it's just my experience as an analyst in government service who also served as a Union Rep & Shop Steward.

The other little Jack-in-the-Box to Marco's post, the one he hints at but doesn't say explicitly, is that the log is a record of everything from Open of FIVE to Close. Why would that be important?

If you've been in my classes, you'll remember me saying (rather regularly) to shut down FIVE after processing your case and restart it to begin a new case. Yes. I told you about the log files. But, just in case you forgot later, and FIVE resets itself or you move to a different computer, I wanted to get you in the habit of refreshing FIVE between cases. Why?

Because if the log is a record of everything done, every step accepted or rejected, from Open of FIVE to Close, AND you don't shut FIVE down between cases, you've just mixed cases on the same log file.

Yes, you did that and you didn't know it.

Now, each case gets the record of what you did on the other case(s). Did you just work 30 cases without closing FIVE? Surprise, all 30 cases are on the same log file. All 30 cases' attorneys get to know what you did or didn't do on the other cases. Can you imagine the cross-examination nightmare?

In case you're wondering what this might look like, here's a peek from 2009 - FRE Rule 26 and the History Log.

Before you say it, I'm not suggesting you hide anything. What I am saying is that you should, you must, seek your chain of command's counsel before activating that feature. When I did, I was told very frankly to shut it off. You see, at the LAPD, someone of my rank/pay grade did not have permission to create a new "form," which is essentially what the log file is.