| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed Dec 21 05:22:55 2005 From: measl at mfn.org (J.A. Terranson) Subject: Re: Guidance On Wed, 21 Dec 2005, Jason Coombs wrote: > Come now, my friend, you know very well that there is no such thing in > computing unless you happened to be monitoring all internal and external > I/O of the computing device in question at the time the alleged 'data' > were allegedly 'processed' by that computing device. For the sake of the audience, allow me to clarify something that's probably not obvious to them as observers: Our discussion here is based upon the premise of "Expert Witness" rules under the FRCP (federal rules). Under this system, a so-called "Expert Witness" may provide "evidence" which would otherwise be impermissable, as this testimony is by it's very definition, an opinion. Clearly, evidence provided under the Expert Witness rules are very dangerous, as they are easily (and often, in both my opinion and I believe in Jason's opinion as well) abused. In fact, this is where the famous "Dueling Experts" tales come from. I will firmly agree that no expert should EVER testify that they are offering up raw facts for digestion - the law is quite clear that this isn't even (in theory) allowed. Nevertheless, it does sneak in, and yes, it does need to die - both in the computer forensics cases and in every other case where any form of Expert Witness is utilized. That said, an expert opinion may have real evidentiary value, as you know (or you wouldn't be making your living as another Expert For Hire, like the rest of us ;-) The trick is to practice honestly and within the scope of what is possible, rather than just making it all up as you go along. > You put on a hat labeled 'computer forensic examiner' as a necessary > matter of business practice, in order for other people to understand > what you are when you are serving that role in some forensic situation. No. I put on my "Expert Witness hat" because the Court requires it for me to offer testimony. I often offer evidence without needing to be an "expert" - in those cases I am providing evidence of a physical nature which is not reasonably open to dispute. > But by wearing such title, and by engaging in such business, you are > forced to make gigantic leaps of imagination in order to offer opinions > as to your finding of 'accurate and completely supporting information' > after your forensic tools and your knowledge of software give you a > glimpse of the past that is beyond the capability of mere mortals. I think you are confusing me with another so-called examiner. I forget his name at the moment, but I *think* it had a W in it? ;-) I do not offer evidence that approaches fantasy, or that requires leaps of faith. I can provide the framework, such as "At the time I examined the computer in question, I checked the BIOS and found it to be accurate within 14 seconds of a known reference time." And evidence like "I found evidence that certain programs were installed on this computer, i.e., <long list goes here>", and "I found remnants of photographic images in the browser cache which are known to me to be pictures of a pre-teen child named...". You will not EVER hear ME testifying that an image was put on a computer by a specific person. I may testify that a certain login was in use at the time the program was installed, but, as you so correctly point out, I cannot possibly KNOW who loaded that program. This is Ethical Practice. This is how we practice here, and it is the reason we are now the largest forensic form in the midwest. > The problem, and the reason the entire industry needs to die, is that > this creates a situation in which the side with the best imagination > wins. Again, wrong. A competent attorney (often guided by someone like you or me), can make mincemeat out of one of these sleazy make-up-what-they-want-to-hear "practicioners". Obviously, there is nothing I can do to help a client who has incompetent counsel (rare but it does happen), nor is there anything I can do to assist on a case I don't know about - but I can make big differences in those cases I work - and I *do*. Often! This is why I support what you are *trying* to do, although I believe you are misguided in your approach. > It doesn't help the discovery of truth for people with forensic tools > and talent to suggest that their imagination is superior and therefore > can prove conclusively what happened in the past. I agree. And ANYONE who claims (1) to be a competent forensic computer examiner, and (2) claims outrageous things like your postulate above, should be not only prohibited from practicing anything at all (especially any kind of forensics!), but they should be forced to be on the receiving end of this kind of malpractice! > No matter what safeguards you or the rest of the computer forensics > industry develop, I will still be able to defeat your imagination > because yours is limited by budgets and time constraints, whereas I am > only limited by the lengths to which I am willing to go to deposit fake > evidence and secretly control other people's computers. The deliberate planting of evidence is a problem universally, and is not peculiar to the computer forensics industry by any means. I am not even going to bother addressing that point here, as it's a completely unrelated issue, and you *know* this. > Given the desire to do so, any motivated adversary could cause your > computers to contain 'accurate and completely supporting information' of > their choosing, without possibility of detection after-the-fact. ABSOLUTELY CORRECT! And the competent computer examiner will make absolutely certain that this is communicated to all parties at all times. > It is > only badly-executed intrusions or intruders caught-in-the-act that > result in the owner of a computer system discovering that their security > has been compromised. While I won't go quite that far, your basic premise is sound. > This is the end result of the ability to execute arbitrary code or gain > unauthorized physical or logical access to vulnerable computer systems. Absolutely. > When the 'computer forensics' industry requires of each practitioner a > written and spoken caveat to this effect before and after every report > that an examiner delivers to a client, that's when there might be some > justification for the industry to exist at all. Again, you are doing the Republican Knee Jerk Jason :-) Just because the industry has unscrupulous practitioners does not mean the whole industry is better off dead. If you extended this argument to every other industry with similar situations (lawyers, doctors, etc.), there would be NO "practitioners" of any kind, anywhere at all. No Jason, competent examiners have a very solid future, as there is a lot of work for us. We make a difference in peoples lives *every day* - and I am very proud to be in that position! We make bad divorces end faster, with less pain and trauma to all involved. We occasionally prevent bad prosecutions for things we wish didn't happen, and yes, sometimes we find ourselves pushing for a prosecution even though you wish it were not so. The simple truth is that anyone with a conscience will find themselves alternately torn and proud by whatever they do - nothing is without consequences. We "sell" our service by pointing out that we save a LOT of money on civil litigation. We don't see a lot of criminal defense work yet, for two reasons: (1) In the 8th circuit at least (not so in many other courts though), the prosecutions labs were both trained by _us_, and (b) therefore understand the limitations of the technology. They are not likely to prosecute a CP case that isn't completely cut and dried: hell, Ive personally seen them deep six cases that _I_ would have gone forward on. They are responsible here, and it shows. For those cases that do go forward, defense attorneys are just now learning about this, and have not yet really gotten comfortable with it - this is slowly changing. Lastly, we have a company policy that very strongly discourages criminal defense work: we let the lawyers know that we will not work defense cases where the defendant is guilty. And that opinion is ours to make alone. After all that, criminal defense is unusual for us - but if we _do_ take a criminal case, the defendant is in good hands: we believe they are innocent (or we wouldn't be there to start with), and they have an examiner who can make the very arguments we're now discussing, and who was responsible for a large portion of the training of the other side. It works. > Until then, we're all a bunch of self-serving glory hounds who can't > find anything better to do with life, and who don't mind putting other > people at risk for our own short-term benefit. Speak for yourself - clearly, this is not the premise we work on. We take the responsibility of this tremendously seriously. We have regular (weekly) Ethic Meetings to discuss all cases and possible implications, we have multiple layers of safeguards built into the entire system at every conceivable place something could go wrong. Does that mean we're perfect, and that we will never have a case "go south"? No. But it does mean that if the case goes south, it won't be because we just "made something up"! > We absolutely must be stopped. But that doesn't mean I will be turning > away jobs myself. Yes. I note that you are as busy as we are - in spite of wanting the "entire system to die" :-) > As long as this booming market keeps making me rich, I'll keep doing my > job to the best of my ability. So, you're just in it for the money? Maybe thats why you're so adamant about this? We turn down work all the time. Good paying work. We want to be able to sleep at night. > But I won't be happy > about it until the nonsense stops and people start thinking rationally > about how silly it is to trust computer data and call it 'evidence' -- > it is digital dumpster diving, and the hard drive are garbage cans. You won't be happy - but you'll still do it? Just for the money? Wow! I'm sorry jason! Really. I thought you were above that - I really did. We've talked any number of times offline, and I thought you were completely on the same page we were. > Be careful which garbage can you stand next to, because proximity to the > garbage is now effectively a crime thanks to flawed computer forensics. > We are all at risk unnecessarily, and full disclosure of the true nature > of that risk is our only protection against persons of superior > imagination. No. Not due to the flawed forensics. Due to incompetent prosecutors. And occasionally due to incompetent assistance from an incompetent examiner. Like us, you have a personal responsibility to see to it that these injustices are not perpetuated. That you would take work knowing it was feeding evidence in support of the wrong side troubles me greatly Jason. > Regards, > Jason Coombs > jasonc@...ence.org //Alif alif@...tedforensics.com
Powered by blists - more mailing lists