[funsec] Police blotter: Web cookies become defendant's alibi

Dr. Neal Krawetz hf at hackerfactor.com
Fri Oct 27 12:00:07 CDT 2006

Hi Richard,

On Fri Oct 27 07:07:56 2006, Richard M. Smith wrote:
> A few quick comments. a). An IE cookie file contains an internal time stamp
> which is much harder to fake than file timestamps.  b).  Regardless of the
> timestamp of the cookie files, it is unknown who was at the keyboard when
> the cookie files were made or accessed.  c).  A more complete investigation
> may have found other files on the hard drive in the timeframe of interest.
> Richard
> http://news.com.com/Police+blotter+Web+cookies+become+defendants+alibi/2100-1047_3-6129993.html?tag=nefd.top

Granted, I only know what I read in the news article.  (And we know how
thorough and accurate news reporters generally are...  No offense Larry. ;-)
Based on what I read, this seems pretty shoddy as far as defense goes.

  - Cookies have lots of timestamps.  Some are set by the browser, some
    (e.g., expiration) are set by the server, and some can be embedded in
    the cookie itself.
    Since servers usually use a static expiration offset (e.g., expire in
    30 minutes or in 7 days), they can use that to correlate the date.
    (Still can be forged, but not as well known.)

  - I agree with you -- why not get the web logs?

  - He said he was shopping online.  Did he buy anything?
    If so, then his credit card transaction will have a timestamp that he
    cannot forge.  (Does not mean "he" used the credit card, but does
    lend credibility.)

  - Was his car engine warm?  Driving 27 miles has a warm engine; parked
    for 30 minutes (reportedly according to timestamps) is a cool engine.
    Then again, he said he doesn't own that type of car.  Did they check
    if any of his friends have that kind of car?

  - Most major traffic intersections have cameras.  Did any camera pick
    up the vehicle?  Can you see the driver -- is it him?

  - Was the entire conviction based on witness accounts?  Witnesses are
    known to be unreliable and inconsistent.  And a police officer said
    he saw nobody in the area matching the description -- was "anybody"
    seen in the area (regardless of match)?
    Was there any physical evidence showing he was there?

Way too many holes...  At least from the news report.
However, if the court case actually addressed these items, then maybe the
ruling was accurate.

Neal Krawetz, Ph.D.
Hacker Factor Solutions
Author of "Introduction to Network Security" (Charles River Media, 2006)
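
The correlation described in the first bullet of the message above, as an added example that is not part of the original post: it parses IE-style cookie text records and compares the browser-stamped creation time with the expiry minus the server's static offset. The 9-line record layout (expiry and creation stored as low/high FILETIME halves), the 7-day offset, the host name and all sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def from_filetime(low, high):
    """Two 32-bit halves of a FILETIME (100 ns ticks since 1601) -> UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=((high << 32) | low) // 10)

def to_filetime(dt):
    """Inverse of from_filetime; used only to build the constructed sample."""
    d = dt - EPOCH_1601
    ticks = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
    return ticks & 0xFFFFFFFF, ticks >> 32

def parse_cookie_file(text):
    """Parse 9-line records: name, value, host/path, flags,
    expiry low/high, creation low/high, '*' (assumed layout)."""
    lines, out = text.splitlines(), []
    for i in range(0, len(lines) - 8, 9):
        rec = lines[i:i + 9]
        if rec[8] != "*":
            raise ValueError(f"bad record delimiter at line {i + 9}")
        exp_lo, exp_hi, cr_lo, cr_hi = map(int, rec[4:8])
        out.append({"name": rec[0], "host": rec[2],
                    "expires": from_filetime(exp_lo, exp_hi),
                    "created": from_filetime(cr_lo, cr_hi)})
    return out

def check(rec, server_offset, tolerance=timedelta(minutes=5)):
    """Server clock sets expiry, client clock stamps creation; compare them."""
    implied = rec["expires"] - server_offset   # when the server issued it
    skew = rec["created"] - implied            # client clock minus server clock
    return {"name": rec["name"], "implied_set": implied, "skew": skew,
            "consistent": abs(skew) <= tolerance}

def sample_record(name, created, expires):
    e, c = to_filetime(expires), to_filetime(created)
    return "\n".join([name, "x", "shop.example/", "1024",
                      str(e[0]), str(e[1]), str(c[0]), str(c[1]), "*"])

T = datetime(2006, 10, 27, 12, 0, tzinfo=timezone.utc)  # constructed time
SAMPLE = "\n".join([
    sample_record("session", T, T + timedelta(days=7)),                   # clocks agree
    sample_record("cart", T - timedelta(hours=3), T + timedelta(days=7)), # client clock 3 h behind
])
RESULTS = [check(r, timedelta(days=7)) for r in parse_cookie_file(SAMPLE)]

if __name__ == "__main__":
    for r in RESULTS:
        print(r["name"], r["implied_set"].isoformat(), r["skew"], r["consistent"])
```

A skew outside the tolerance only shows that the client clock and the server-derived time disagree; the web server's own logs are still needed to say which one is right.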
