What can you find out from a saved image?

[worriedtohell]

Difficult situation at work in which im currently suspended for an ' indecent' image of which i have never seen being found on my pc.

I am a pc user, not a technical person, i think the pc is being looked at, but, for my own knowledge i woiuld like to know:

Can they tell from a saved image, where it came from - ie work spam, FB, deliberatley downloaded?

How reliable are the ' created dates and times' and can they be tampered with?

How does an image end up in the downloads, if it hasnt been downloaded?

Why is none of my actual work in the downloads file, because i do download/ open attachements, but no actual work is in this file.

Thanks

Just to emphasise - you need a forensic professional, not just an IT guy. Seriously.

It'd be worth talking to a union to see if they'd pay for an expert and/or solicitor. They're generally desperate for members these days

No, it's literally just an image of a flacid penis.
Not even erect.

I don't understand the term ' forensic copy' what do you mean?

Also someone from another thread said they would be able to tell from the network, and again, I'm not sure what they.mean.

Forensic copy = they should have created an exact copy of your hard drive when the picture was first found. As your computer has been used since, there is no way of investigating it in it's original state.

Don't worry about the network thing - by the sounds of it you aren't on one, so that is irrelevant.

When doing a forensic examination, the first action is to take an exact copy of the entire hard drive - this isn't the same as copying off all the files and folders, or even the same as 'ghosting', but it preserves all the forensic goodies that a user never sees but that can be vital to the investigation. The analyst works on the forensic copy in a way that doesn't alter it in any way, and the original exhibit is left in a 'pristine' state. If your employer has just been working on the original exhibit then they'll have trampled all over the dates and times and potentially destroyed evidence that they never knew existed. Is it a big company with IT policies etc? If so they should have had a 'forensic readiness plan' in place to ensure the sage handling of evidence in exactly this sort of case.

It's a small charity. One manager, 5 part time staff, run by a board of directors.

We have internet/ email policy. I'm.not sure about it policy, but don't think so.

The image was found after I had finished work, and had done extra hours that day, finishing at 4:30. So, if it was found after that, and the pc was in use, as normal, the following day, would this be enough time to have done a forensic copy? Would itneed to be Done by someone official? And the fact that it.doesn't look like it was done, is that enough to further void any evidence?

The pc set up is I'm the main pc. Im connected to the internet via a cable. I hold the generic email and host Yhe shared area of files that everyone can access, but noone can save in, bar the manager.

The pc's aren't connected in any other way, they aren't networked together as it was deemed too expensive.

Everyone else is on laptops, wirelesy connected to the internet.

Or, is.there a way of checking from the ISP??

So the image is thought to have been created about 6 months ago, and the computer was taken away for 'examining' the day after you'd been using it?

All that matters really is the events on the computer around the time of the image being created (and any subsequent use of the image that might indicate knowledge of its existence). This isn't even as simple as looking at what other files and folders were created at that time,there are a thousand other indicators of what was going on on the computer at that time and most of them are out of the realm of even a good IT guy - no offence to them, it's just a different field of expertise.

Some forensic firms offer a free 'chat' where you can discuss the options. If you're 100% sure you didn't cause the image to come into being, why not advise your boss to phone one, so that they're at least aware of how weak their case is, while you show that you have nothing to hide and are trying to help resolve the situation.

You wouldn't be able to check via the ISP.

No, the pc hadn't Been taken away, was still in place, and being used by everyone, on Wednesday.

Sorry, you'd asked other questions too - I'm doing this on my phone.

Overnight would be plenty of time for a forensic copy if the hard disk isn't huge. The fact that it wasn't done is unprofessional and if it was a criminal investigation, would raise valid arguments about the admissibility of the evidence. It should be done by a competent person who's aware of the forensic implications of the actions he may be taking. Generally, the more a computer is used after an incident (the creation of the image), the less recoverable evidence there will be. If the image has now been poked and prodded on the computer itself by whoever's looking into it, that's going to make it worse.

There are more knowledgeable people on here....but...

I thought that the dates created for any file were literally the date that the file was first created in any location.

So, when I download my lecture notes of the uni server the date created remains as 3years ago when the lecturer first wrote the presentation, even though I have only just saved it to my PC.

Or maybe I am thinking of the info in the metadata....

This is all good info. Thanks.

I think the key points for me are going to be the fact that the ' properties' showing date and time, can be changed. And since my login is used by everyone, then essentially the ' proof' isnt valid.

When I get sent the evidence, I shall no doubt have more questions to ask

The metadata would record when your lecturer created it, the file's created date is when it was created on a storage medium. So even if the created date is 6months ago, this could be when someone created it on a USB stick, months before it went onto that computer. Dates and times are often tricky and there are a lot of variations in what happens when.

Use of time-mangling software is pretty unusual, but there are plenty of ways that a computer does it all by itself. If they're looking at dismissal then they need a damn sight more than the word of the bloke who changes the printer ink. Feel free to PM if you need to.

Haha, I change the printer ink.
We have no it dept.
I'm, and I know this might be hard to believe, the second most technical person that works there!!!

I'm presuming they will hire someone too look at the pc? And maybe that's whats happening now.

unpacking a ZIP file can put the file on disk and re-create the date/time info

I think that 'mangling' the date/time info is less likely than just copying the file on to the machine (eg from a USB stick) knowing (from the date/time of saving the image) that it could be tied to a time when only the OP was there.

Sounds like someone (manager?) is framing the OP and presumably the only 'evidence' is the date/time info on the computer for that image, and a diary showing who was working that day.

Manager, if bearing some grudge, could easily insert a USB stick, copy the file to the PC hard drive, on Tuesday/Wednesday (whenever she examined it) and make the claim it was found by chance the next day.

Tying file date/time to 'who was in' is presumably going to be 'the evidence' but the fact OP had never seen the image, and downloads are generally direct to desktop, make it look all the more suspicious that it is a frame up job. Unfortunately, depending on how bossy confident the manager is, the directors may just take her word for it and know no better.

It will be essential to put enough doubt into their minds, and if it comes to some internal 'investigation' then ask that you be heard without the manager present. Clearly you need to know what you are accused of (given the vague letter, when it seems only this image was mentioned to you) but you will need to point out that if the manager 'has it in for you' then she could have planted the file on the PC, having found it and downloaded it 6 months prior, on a date only you were working - then if downloaded on another PC and copied via USB stick, it could be placed on 'office' PC at any time.

Given the fact that everyone has the user login details, you may prefer to be vague about whether it was the manager that did it, but put it in more general terms, that anyone who knows a little about PCs could have done this, and as the login details were widely known to staff, anyone else might have copied the file onto the PC. That gets around direct attack on the manager, someone the directors appointed, so their decision comes under attack if you make a direct attack on her (suitability).

(I would not even refer to the login details as 'your' login details, if you can find ways to phrase them simply as 'login details', or if you are pushed, explain how the need for anyone else to access the PC was determined and that in practice it means anyone there can login using 'your' login details.)

I think any 'forensic investigation' is out of the league of a small charity, as they cannot isolate that PC from being used for day-to-day work, especially if it has files for access by other staff via the network.

You should do the exam then! I think you're entitled to be told what's going on.

NetworkGuy - bit early to chuck around accusations - that's what caused the trouble in the first place

Getting a forensic examination done now is going to be a lot cheaper than an examination, tribunal and payout later. We're talking about someone's livelihood here, they can't just bumble about because they're a charity.

Gosh you poor thing. Many years ago I worked for a small charity where the boss hated me. Only after wanting to be my best pal and claiming to be 'like a mother' to me She accused me of all sorts to get rid of me during a sociopathic moment. I was young and stupid and should have gone for constructive dismissal but left and found something else. You appear to be in a similar situation.

Small charities can be a breeding ground for empire-building megalomaniacs masquerading as kind, lovely people who want to make the world a better place IMO (and I know a few).

They have nothing on you but I would get out quick if I were you and I agree with Network Guy....

YBW - the OP stated "my line manager who dislikes me intensly" (although the latter part was intended to be struck out), so there is some chance of being a frame up, in my view.

I was putting forward a 'what if' because this seems to be hinging on the download 'taking place' when the OP is said to have been the only person at the office. The fact it is 6 months ago means that everyone's memory is now more cloudy and only diaries or timesheets can be used, but all it would need would be for someone (manager or not!) to have a grudge and download some 'unsuitable' images such that one would match up with a time when only the OP was at the office, to be able to make this claim of downloading appear valid.

Odd, also, how only now has the image 'come to light' in an unprecedented check of the PC by the manager. Other images could have been copied out of the browser cache and kept on a USB stick to 'confirm' 'unacceptable use'.

It does look like some personal dislike has escalated to a level where the job is made to appear at risk - whereas in larger organisations, if the accusation was true, the most likely course of action would be a written warning, nothing more.

Seems the volunteers who are the 'directors' are acting in a hostile and less than ideal way as they (presumably) do not have the experience. Mention (on another thread) of advice from their insurers, sounds like they are anxious not to be taken to an Employment Tribunal for unfair dismissal, yet the way they are going about this whole investigation / suspension etc, leaves them open to exactly that.

The OP is extremely concerned because it of this poor handling where a written warning could have been the immediate outcome (with an understanding that if the OP had done it, it was an accident, not to be repeated, and if OP had not done it [given how many people have access] then a formal apology given for having put her through this in the first place).
OP could then have less 'hanging over her' while they tried to work out what had happened, but without isolating the PC from day-to-day use, there's very little that can be claimed as 'evidence' (and I strongly doubt how much could be determined about whether the file was downloaded, or copied onto the PC, under whatever a 'forensic examination' might cover!)

Why does your manager hate you op? Do you think he or she would be that malicious?

Oh I agree it sounds very,very stinky indeed but it's still just speculation.

I haven't read the other thread btw, just going on what's been posted here.

Even after 6 months of use a proper forensic examination could show a great deal about where the file came from and, if it came from a USB stick, potentially give an idea of who the stick belonged to. Happens every day in labs everywhere, including the one I work in. Or then again it could show nothing. No lab would knock it back on grounds of it being unlikely to contain evidence though.

Do you have legal expenses insurance as an option on your household policy?

update - called for disiplinary - gross misconduct.

evidence: screen shot of penis

Secondary accusation of internet use in work time, evidenced by a 15 min time slot ( in the whole 2.8 years of being there) of internet use, prior to going home time. captured by screen shot.

FB has somehow been hacked also. While i was in the original investagatory meeting..... i went into work that day at 9am, the meeting was at 9.15 am. I had time to check the work emails, had a wee, spent some mins having a coughing fit in the loo ( was unwell) according to the handwritten note from my boss i had left FB logged in. I WOULD HAVE BEEN INSANE TO HAVE LOGGED ONTON THE INTERNET WHILE UNDER INVESTATION. not counting the fact that i was only at my desk for about 5 mins. My FB activity log has been printed off, and they have high lightted from my activity log any posts that may have happened in work time.
Of course these dont say if they are from the PC or phone. So, essentially count for nothing as mobile phone use is allowed.

An independed IT consultant has done a testomiomal, of which i have not as yet seen.

My boss who found the image has done a witness statement. The date she has put on the witness statement is two days later than the date form the orignal letter, and the date that i was told the image was found. ALSO, she says she found the image at 4pm. When, if you look at the signing in book, it shows that i was in the office till 4:20 pm that day.

And this is their only evidence for gross misconduct.

It sounds as if they think they aren't going to get anywhere with the image so are now trying to get you for Facebook use.
I would demand to see the IT report.