Interesting debate guys, I thought this article may interest you both:

Security: Forensic Tools in Court
http://www.unixreview.com/documents/s=9943/ur0512i/ur0512i.html
cheers
Ivan

On 12/21/05, J.A. Terranson <[EMAIL PROTECTED]> wrote:
>
> On Wed, 21 Dec 2005, Jason Coombs wrote:
>
> > Come now, my friend, you know very well that there is no such thing in
> > computing unless you happened to be monitoring all internal and external
> > I/O of the computing device in question at the time the alleged 'data'
> > were allegedly 'processed' by that computing device.
>
> For the sake of the audience, allow me to clarify something that's
> probably not obvious to them as observers:
>
> Our discussion here is based upon the premise of "Expert Witness"
> rules under the FRCP (federal rules). Under this system, a
> so-called "Expert Witness" may provide "evidence" which would
> otherwise be impermissible, as this testimony is by its very
> definition, an opinion. Clearly, evidence provided under the
> Expert Witness rules is very dangerous, as it is easily
> (and often, in both my opinion and I believe in Jason's
> opinion as well) abused. In fact, this is where the famous
> "Dueling Experts" tales come from.
>
> I will firmly agree that no expert should EVER testify that they are
> offering up raw facts for digestion - the law is quite clear that this
> isn't even (in theory) allowed. Nevertheless, it does sneak in, and yes,
> it does need to die - both in the computer forensics cases and in every
> other case where any form of Expert Witness is utilized.
>
> That said, an expert opinion may have real evidentiary value, as you know
> (or you wouldn't be making your living as another Expert For Hire, like
> the rest of us ;-) The trick is to practice honestly and within the scope
> of what is possible, rather than just making it all up as you go along.
>
> > You put on a hat labeled 'computer forensic examiner' as a necessary
> > matter of business practice, in order for other people to understand
> > what you are when you are serving that role in some forensic situation.
>
> No.
> I put on my "Expert Witness hat" because the Court requires it for me
> to offer testimony. I often offer evidence without needing to be an
> "expert" - in those cases I am providing evidence of a physical nature
> which is not reasonably open to dispute.
>
> > But by wearing such title, and by engaging in such business, you are
> > forced to make gigantic leaps of imagination in order to offer opinions
> > as to your finding of 'accurate and completely supporting information'
> > after your forensic tools and your knowledge of software give you a
> > glimpse of the past that is beyond the capability of mere mortals.
>
> I think you are confusing me with another so-called examiner. I forget
> his name at the moment, but I *think* it had a W in it? ;-)
>
> I do not offer evidence that approaches fantasy, or that requires leaps of
> faith. I can provide the framework, such as "At the time I examined the
> computer in question, I checked the BIOS and found it to be accurate
> within 14 seconds of a known reference time." And evidence like "I found
> evidence that certain programs were installed on this computer, i.e.,
> <long list goes here>", and "I found remnants of photographic images in
> the browser cache which are known to me to be pictures of a pre-teen child
> named...". You will not EVER hear ME testifying that an image was put on
> a computer by a specific person. I may testify that a certain login was
> in use at the time the program was installed, but, as you so correctly
> point out, I cannot possibly KNOW who loaded that program.
>
> This is Ethical Practice. This is how we practice here, and it is the
> reason we are now the largest forensic firm in the Midwest.
>
> > The problem, and the reason the entire industry needs to die, is that
> > this creates a situation in which the side with the best imagination
> > wins.
>
> Again, wrong.
> A competent attorney (often guided by someone like you or
> me), can make mincemeat out of one of these sleazy
> make-up-what-they-want-to-hear "practitioners".
>
> Obviously, there is nothing I can do to help a client who has incompetent
> counsel (rare but it does happen), nor is there anything I can do to
> assist on a case I don't know about - but I can make big differences in
> those cases I work - and I *do*. Often! This is why I support what you
> are *trying* to do, although I believe you are misguided in your approach.
>
> > It doesn't help the discovery of truth for people with forensic tools
> > and talent to suggest that their imagination is superior and therefore
> > can prove conclusively what happened in the past.
>
> I agree. And ANYONE who claims (1) to be a competent forensic
> computer examiner, and (2) claims outrageous things like your postulate
> above, should be not only prohibited from practicing anything at all
> (especially any kind of forensics!), but they should be forced to be on
> the receiving end of this kind of malpractice!
>
> > No matter what safeguards you or the rest of the computer forensics
> > industry develop, I will still be able to defeat your imagination
> > because yours is limited by budgets and time constraints, whereas I am
> > only limited by the lengths to which I am willing to go to deposit fake
> > evidence and secretly control other people's computers.
>
> The deliberate planting of evidence is a problem universally, and is not
> peculiar to the computer forensics industry by any means. I am not even
> going to bother addressing that point here, as it's a completely unrelated
> issue, and you *know* this.
>
> > Given the desire to do so, any motivated adversary could cause your
> > computers to contain 'accurate and completely supporting information' of
> > their choosing, without possibility of detection after-the-fact.
>
> ABSOLUTELY CORRECT!
> And the competent computer examiner will make
> absolutely certain that this is communicated to all parties at all times.
>
> > It is
> > only badly-executed intrusions or intruders caught-in-the-act that
> > result in the owner of a computer system discovering that their security
> > has been compromised.
>
> While I won't go quite that far, your basic premise is sound.
>
> > This is the end result of the ability to execute arbitrary code or gain
> > unauthorized physical or logical access to vulnerable computer systems.
>
> Absolutely.
>
> > When the 'computer forensics' industry requires of each practitioner a
> > written and spoken caveat to this effect before and after every report
> > that an examiner delivers to a client, that's when there might be some
> > justification for the industry to exist at all.
>
> Again, you are doing the Republican Knee Jerk, Jason :-)
>
> Just because the industry has unscrupulous practitioners does not mean the
> whole industry is better off dead. If you extended this argument to every
> other industry with similar situations (lawyers, doctors, etc.), there
> would be NO "practitioners" of any kind, anywhere at all.
>
> No Jason, competent examiners have a very solid future, as there is a lot
> of work for us. We make a difference in people's lives *every day* - and I
> am very proud to be in that position! We make bad divorces end faster,
> with less pain and trauma to all involved. We occasionally prevent bad
> prosecutions for things we wish didn't happen, and yes, sometimes we find
> ourselves pushing for a prosecution even though you wish it were not so.
>
> The simple truth is that anyone with a conscience will find themselves
> alternately torn and proud by whatever they do - nothing is without
> consequences. We "sell" our service by pointing out that we save a LOT of
> money on civil litigation.
> We don't see a lot of criminal defense work
> yet, for two reasons: (1) In the 8th circuit at least (not so in many
> other courts though), the prosecution's labs were both trained by _us_, and
> (2) therefore understand the limitations of the technology. They are not
> likely to prosecute a CP case that isn't completely cut and dried: hell,
> I've personally seen them deep six cases that _I_ would have gone forward
> on. They are responsible here, and it shows.
>
> For those cases that do go forward, defense attorneys are just now
> learning about this, and have not yet really gotten comfortable with it -
> this is slowly changing. Lastly, we have a company policy that very
> strongly discourages criminal defense work: we let the lawyers know that
> we will not work defense cases where the defendant is guilty. And that
> opinion is ours to make alone. After all that, criminal defense is
> unusual for us - but if we _do_ take a criminal case, the defendant is in
> good hands: we believe they are innocent (or we wouldn't be there to start
> with), and they have an examiner who can make the very arguments we're now
> discussing, and who was responsible for a large portion of the training of
> the other side. It works.
>
> > Until then, we're all a bunch of self-serving glory hounds who can't
> > find anything better to do with life, and who don't mind putting other
> > people at risk for our own short-term benefit.
>
> Speak for yourself - clearly, this is not the premise we work on. We take
> the responsibility of this tremendously seriously. We have regular
> (weekly) Ethics Meetings to discuss all cases and possible implications, we
> have multiple layers of safeguards built into the entire system at every
> conceivable place something could go wrong. Does that mean we're perfect,
> and that we will never have a case "go south"? No. But it does mean that
> if the case goes south, it won't be because we just "made something up"!
>
> > We absolutely must be stopped.
> > But that doesn't mean I will be turning
> > away jobs myself.
>
> Yes. I note that you are as busy as we are - in spite of wanting the
> "entire system to die" :-)
>
> > As long as this booming market keeps making me rich, I'll keep doing my
> > job to the best of my ability.
>
> So, you're just in it for the money? Maybe that's why you're so adamant
> about this? We turn down work all the time. Good paying work. We want
> to be able to sleep at night.
>
> > But I won't be happy
> > about it until the nonsense stops and people start thinking rationally
> > about how silly it is to trust computer data and call it 'evidence' --
> > it is digital dumpster diving, and the hard drives are garbage cans.
>
> You won't be happy - but you'll still do it? Just for the money? Wow!
> I'm sorry Jason! Really. I thought you were above that - I really did.
> We've talked any number of times offline, and I thought you were
> completely on the same page we were.
>
> > Be careful which garbage can you stand next to, because proximity to the
> > garbage is now effectively a crime thanks to flawed computer forensics.
> > We are all at risk unnecessarily, and full disclosure of the true nature
> > of that risk is our only protection against persons of superior
> > imagination.
>
> No. Not due to the flawed forensics. Due to incompetent prosecutors.
> And occasionally due to incompetent assistance from an incompetent
> examiner.
>
> Like us, you have a personal responsibility to see to it that these
> injustices are not perpetuated. That you would take work knowing it was
> feeding evidence in support of the wrong side troubles me greatly Jason.
>
> > Regards,
> >
> > Jason Coombs
> > [EMAIL PROTECTED]
>
> //Alif
> [EMAIL PROTECTED]
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
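The one concrete practice in the thread is Terranson's clock check: the examined machine's BIOS time compared against a known reference at the moment of examination. That reading is only useful once it is applied to the timestamps pulled off the machine before they are compared with records kept by somebody else's clock. What follows is an added example written for this page; it is not code from the thread or from either examiner's practice. The 14-second figure comes from the thread; the reading uncertainty (1 s), the drift bound (5 s/day), the file-creation time and the proxy-log entry are constructed values.

```python
"""Clock-skew bookkeeping for a forensic timeline (added example, not from
the thread). The examiner notes the examined machine's clock next to a
trusted reference at the moment of examination, then maps every timestamp
taken from that machine onto reference time before comparing it with
records kept by other clocks. All times and tolerances below are
constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class ClockSkew:
    """Skew of the examined machine's clock relative to a reference clock."""
    reference_utc: datetime      # trusted time when the reading was taken
    observed_utc: datetime       # what the examined machine's clock showed
    read_uncertainty: timedelta  # how precisely both readings could be taken

    @property
    def offset(self) -> timedelta:
        """Machine clock minus reference; positive means the machine runs fast."""
        return self.observed_utc - self.reference_utc

    def to_reference(self, machine_ts: datetime,
                     max_drift_per_day: timedelta = timedelta(0)) -> tuple[datetime, datetime]:
        """Map a machine-clock timestamp onto reference time as an interval.

        The offset observed at examination is assumed constant; any drift the
        clock may have accumulated between the event and the examination
        (bounded by max_drift_per_day, an assumed figure) widens the interval.
        """
        corrected = machine_ts - self.offset
        elapsed_days = abs((self.observed_utc - machine_ts).total_seconds()) / 86400
        slack = self.read_uncertainty + max_drift_per_day * elapsed_days
        return corrected - slack, corrected + slack


def order_against(window: tuple[datetime, datetime], external_ts: datetime) -> str:
    """Order a corrected interval against a timestamp from another clock.

    Only a strict ordering of the whole interval is reported; anything else
    is 'ambiguous' and should be presented to the parties as such."""
    lo, hi = window
    if hi < external_ts:
        return "before"
    if lo > external_ts:
        return "after"
    return "ambiguous"


# Constructed readings: at examination the machine's clock read 14 s ahead
# of the reference (the figure quoted in the thread), read to about 1 s.
EXAMPLE_SKEW = ClockSkew(
    reference_utc=datetime(2005, 12, 21, 10, 0, 0, tzinfo=UTC),
    observed_utc=datetime(2005, 12, 21, 10, 0, 14, tzinfo=UTC),
    read_uncertainty=timedelta(seconds=1),
)
# Constructed artefacts: a file creation time from the machine's filesystem
# (machine clock) and a proxy log entry for the download that supposedly
# produced it (reference clock).
FILE_CREATED_MACHINE = datetime(2005, 12, 20, 12, 0, 0, tzinfo=UTC)
DOWNLOAD_DONE_REF = datetime(2005, 12, 20, 11, 59, 50, tzinfo=UTC)


def example_ordering() -> dict[str, str]:
    """Compare the file's creation time with the download record three ways."""
    uncorrected = "after" if FILE_CREATED_MACHINE > DOWNLOAD_DONE_REF else "before"
    plain = EXAMPLE_SKEW.to_reference(FILE_CREATED_MACHINE)
    with_drift = EXAMPLE_SKEW.to_reference(FILE_CREATED_MACHINE,
                                           max_drift_per_day=timedelta(seconds=5))
    return {
        "uncorrected": uncorrected,                                      # 'after'
        "skew_corrected": order_against(plain, DOWNLOAD_DONE_REF),       # 'before'
        "skew_and_drift": order_against(with_drift, DOWNLOAD_DONE_REF),  # 'ambiguous'
    }


if __name__ == "__main__":
    print(f"offset: {EXAMPLE_SKEW.offset.total_seconds():+.0f} s")
    for label, verdict in example_ordering().items():
        print(f"{label:>15}: file created {verdict} the download completed")
```

Read raw, the file appears to have been created after the download finished, which is the story a prosecutor would want. Subtract the 14-second offset and the creation time lands before the download completed, so the file cannot have come from that download. Allow for a modest daily drift over the day between the event and the examination and the honest answer becomes "ambiguous", which is the form in which it should reach the court. The model also makes the thread's other caveat visible: a single offset measured at examination says nothing about a clock that was deliberately set back and forward again between the event and the examination, so it bounds skew, not tampering.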
