How to Forge a Digital Alibi on Mac OS X

  • Aniello Castiglione
  • Giuseppe Cattaneo
  • Roberto De Prisco
  • Alfredo De Santis
  • Kangbin Yim
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7465)


Digital evidence is increasingly being used in court cases. It consists of traces left on digital devices from which one can infer information about the actions performed on those digital devices. Digital evidence can be on computers, phones, digital cameras belonging either to an alleged offender or to third parties, like servers operated by ISPs or by companies that offer web services, such as YouTube, Facebook and Gmail. Digital evidence can either be used to prove that a suspect is indeed guilty or to prove that a suspect is instead not guilty. In the latter case the digital evidence is in fact an alibi.

However digital evidence can also be forged giving an offender the possibility of creating a false digital alibi. Offenders can use false digital alibi in a variety of situations ranging from ordinary illegal actions to homeland security attacks.

The creation of a false digital alibi is system-specific since the digital evidence varies from system to system. In this paper we investigate the possibility of creating a false digital alibi on a system running the Mac OS X 10.7 Lion operating system. We show how to construct an automated procedure that creates a (false) digital alibi on such a system.


Virtual Machine Automate Procedure Python Script Real User Digital Device 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Albano, P., Castiglione, A., Cattaneo, G., De Maio, G., De Santis, A.: On the Construction of a False Digital Alibi on the Android OS. In: Proceedings of the Third International Conference on Intelligent Networking and Collaborative Systems (INCoS 2011), Fukuoka Institute of Technology, Fukuoka, Japan, November 30-December 2, pp. 685–690. IEEE (2011)Google Scholar
  2. 2.
    Carvey, H.: Windows Forensics Analysis, 2nd edn. Syngress (2009)Google Scholar
  3. 3.
    Chandola, V., Banerjee, A., Kumar, V.: Anomaly detection: A survey. ACM Computing Surveys 41(3) (July 2009)Google Scholar
  4. 4.
    Craig, W., Dave, K., Shyaam, S.R.S.: Overwriting Hard Drive Data: The Great Wiping Controversy. In: Sekar, R., Pujari, A.K. (eds.) ICISS 2008. LNCS, vol. 5352, pp. 243–257. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  5. 5.
    Castiglione, A., Cattaneo, G., De Santis, A., De Maio, G.: Automatic and Selective Deletion Resistant Against Forensics Analysis. In: Proceedings of the 2011 International Conference on Broadband, Wireless Computing, Communication and Applications (BWCCA 2011), Barcelona, Spain, pp. 392–398. IEEE (2011)Google Scholar
  6. 6.
    De Santis, A., Castiglione, A., Cattaneo, G., De Maio, G., Ianulardo, M.: Automated Construction of a False Digital Alibi. In: Tjoa, A.M., Quirchmayr, G., You, I., Xu, L. (eds.) ARES 2011. LNCS, vol. 6908, pp. 359–373. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  7. 7.
    De Maio, G., Castiglione, A., Cattaneo, G., Costabile, G., De Santis, A., Epifani, M.: The Forensic Analysis of a False Digital Alibi. In: Proceedings of the Sixth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS 2012), Palermo, Italy, July 4-6, IEEE (2012)Google Scholar
  8. 8.
    Fierer, N., Lauber, C.L., Zhou, N., McDonald, D., Costello, E.K., Knight, R.: Forensic identification using skin bacterial communities. Proceedings of the National Academy of Sciences, Abstract (March 2010),
  9. 9.
    Gutmann, P.: Data Remanence in Semiconductor Devices. In: 2001 Usenix Security Symposium, Washington DC (August 2001),
  10. 10.
    Gutmann, P.: Secure Deletion of Data from Magnetic and Solid-State Memory. In: Sixth USENIX Security Symposium Proceedings, San Jose, California, July 22-25 (1996)Google Scholar
  11. 11.
    Mee, V., Tryfonas, T., Sutherland, I.: The Windows Registry as a forensic artefact: Illustrating evidence collection for Internet usage. Digital Investigation 3, 166–173 (2006)CrossRefGoogle Scholar
  12. 12.
    Poisel, R., Tjoa, S., Tavolato, P.: Advanced File Carving Approaches for Multimedia Files. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA) 2(4), 42–58 (2011)Google Scholar
  13. 13.
    Salem, M.B., Stolfo, S.J.: Combining Baiting and User Search Profiling Techniques for Masquerade Detection. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA) 3(1/2), 13–29 (2012)Google Scholar
  14. 14.
    Shelton, D.E.: The ’CSI Effect’: Does It Really Exist? National Institute of Justice Journal (259) (March 17, 2008)Google Scholar
  15. 15.
    Silberschatz, A., Galvin, P.B., Gagne, G.: Operating System Concepts, 7th edn. Wiley (2004)Google Scholar
  16. 16.
    Internet world stats (June 30, 2010),
  17. 17.
    U.S. Legal, Inc. Legal Definitions and Legal Terms Dictionary,
  18. 18.
    The New York Times, I’m Innocent. Just Check My Status on Facebook (November 12, 2009),
  19. 19.
    CNN, Facebook status update provides alibi (November 12, 2009),
  20. 20.
    Xomba: A Writing Community. Garlasco, Alberto Stasi Acquitted (December 2009),
  21. 21.
    U.S. Department of Defense, DoD Directive 5220.22, National Industrial Security Program (NISP) (February 28, 2010)Google Scholar
  22. 22.
    Merriam-Webster online dictionary,
  23. 23.
  24. 24.
    NIST Special Publication 800-88: Guidelines for Media Sanitization, p. 7 (2006)Google Scholar
  25. 25.
    The Erb Law Firm, Facebook Can Keep You Out of Jail (November 2009),
  26. 26.
  27. 27.
    U.S. Government House of Representative, Federal Rules of Evidence (December 2006),

Copyright information

© IFIP International Federation for Information Processing 2012

Authors and Affiliations

  • Aniello Castiglione
    • 1
  • Giuseppe Cattaneo
    • 1
  • Roberto De Prisco
    • 1
  • Alfredo De Santis
    • 1
  • Kangbin Yim
    • 2
  1. 1.Dipartimento di InformaticaUniversità di SalernoFiscianoItaly
  2. 2.Dept. of Information Security EngineeringSoonchunhyang UniversityAsanKorea

Personalised recommendations