Using screenshots to prove an illegal data breach?

InaDaise

Can screenshots or some other media that the public can view be used to prove cases of illegal hacking? Mainly about data breaches into companies and government organizations. If security officials only say they personally saw the hacking on a screen or on another device then many of us may not believe such testimony.

Maybe screenshots and similar evidence are already being shown in court cases. If so then I guess this thread is nothing to be concerned about. Anyway, could those screenshots or other digital evidence be easily edited to make false claims of illegal hacking, like faking routing output?
 
Yes to all questions. Screenshots are regularly used as evidence, and they are also trivial to fake.
 
Faking routing output ... what exactly is that?

Now that that's asked ... If this is a case of hacking, then law enforcement must be involved; the machines in question would need to be secured and most likely imaged as part of the evidence chain. Along with that is a secure chain of custody to show that the evidence has not been tampered with. Absent these, what you have is a lot of nothing. Rather than asking here, you should be talking to law enforcement, legal and security experts. Edit (to be clear: paid legal and security experts) :)
 
Can screenshots or some other media that the public can view be used to prove cases of illegal hacking?
If I were "judge", you need at least a secondary witness affidavit stating the screenshot is factual. Why? Screenshots are easily faked. Of course, people can also lie, but greater liability. Just me I suppose.
 
I imagine a digital paper trail of the screenshot's metadata to the originating computer along with discerning whether any metadata-altering software ever existed on the system in question would all be taken into account.
 
You would have flowlog data you can drill down bc I'd assume in a real environment there was a response triggered to set a nacl, revoke access, snapshot & isolate affected resources in a forensic subnet, etc according to whatever runbook the org adheres to.

Screenshot isn't going to cut it.
 
We had a client once who lied about not receiving an invoice before we terminated their contract for repeated non-payment.

Microsoft 365 e-discovery showed that the Director and their bookkeeper had both received the invoice email, and read it.

Rather than use screenshots, I took a video showing me logging in to the tenant - retrieving the information - and displaying it. End to end. All while talking through the process.

This of course can be supplemented by the CSV exports from Microsoft, etc.

Needless to say, they didn't fight it.

In the absence of screen capture software, an iPhone video could have been taken by someone standing nearby (for example).

The challenge really is that in 2020 we have many resources available to us for digital evidence from screenshots to screen capture to videos to exported audit logs etc.

Likewise, the qualifications of the person presenting the evidence will lend it more weight.

For example, you would want a qualified cyber security engineer speaking on your behalf and not Jimmy from marketing.

If you rock up to a major breach court case with nothing but a screenshot copy/pasted into Word that's pretty LOLcore.

I doubt this is happening. If an organisation got to the stage they're in court, they're going to hire professionals to collate and provide various items of evidence.
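Added example, not part of any post in this thread: a minimal sketch of the tamper-evident record behind the "chain of custody" and exported audit logs discussed above, where each evidence file is hashed at collection and every handling step is written to a hash-chained log. The file names, handler names and sample bytes are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first log entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_hash(body: dict) -> str:
    # Canonical JSON so the same fields always produce the same hash.
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

def append_entry(log: list, item: str, data: bytes, handler: str, action: str, when: str) -> dict:
    """Record who did what to an evidence item, bound to its content hash and the previous entry."""
    body = {"seq": len(log), "item": item, "sha256": sha256_hex(data),
            "handler": handler, "action": action, "when": when,
            "prev": log[-1]["entry_hash"] if log else GENESIS}
    log.append({**body, "entry_hash": entry_hash(body)})
    return log[-1]

def verify(log: list, items: dict) -> list:
    """Return a list of problems; an empty list means the log is self-consistent
    and every item still matches the hash recorded when it was handled."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["seq"] != i or entry["prev"] != prev or entry_hash(body) != entry["entry_hash"]:
            problems.append(f"entry {i}: log record altered or out of sequence")
        prev = entry["entry_hash"]
        data = items.get(entry["item"])
        if data is None:
            problems.append(f"entry {i}: {entry['item']} is missing")
        elif sha256_hex(data) != entry["sha256"]:
            problems.append(f"entry {i}: {entry['item']} no longer matches recorded hash")
    return problems

def build_sample():
    # Constructed sample evidence: stand-ins for a screenshot and an audit-log CSV export.
    items = {"screenshot.png": b"\x89PNG constructed sample bytes",
             "audit_export.csv": b"time,user,action\n2020-01-01T10:00Z,alice,MailRead\n"}
    log = []
    append_entry(log, "screenshot.png", items["screenshot.png"], "analyst-1", "collected", "2020-01-01T10:05Z")
    append_entry(log, "audit_export.csv", items["audit_export.csv"], "analyst-1", "collected", "2020-01-01T10:06Z")
    append_entry(log, "screenshot.png", items["screenshot.png"], "counsel-1", "received", "2020-01-02T09:00Z")
    return log, items

if __name__ == "__main__":
    log, items = build_sample()
    print(verify(log, items))               # untouched evidence
    items["screenshot.png"] += b" edited"
    print(verify(log, items))               # the edited screenshot is flagged
```

A hash chain only proves the log is internally consistent; the latest `entry_hash` still has to be recorded somewhere the custodian cannot rewrite (signed, timestamped or held by a second party), otherwise the whole log could be regenerated after an edit.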
 