Date: Wed, 6 Jun 2007 04:36:08 +0000
From: "Jason Coombs" <jasonc@...ence.org>
To: "Full Disclosure" <full-disclosure@...ts.grok.org.uk>
Subject: Fw: [IACIS-L] Statement by Defense Expert


Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: "Jason Coombs" <jasonc@...ence.org>

Date: Wed, 6 Jun 2007 04:13:33 
To: dave@...ekleiman.com
Cc: iacis-l@...s.org, az_core@...mail.com
Subject: RE: [IACIS-L] Statement by Defense Expert


Dave_on_the_run <dave@...ekleiman.com> wrote:
> Is your D expert by any chance Jason Combs?
> That is a typical statement by him.
> I have an entire public dialogue from
> him on various security lists where
> he makes many outrageous claims
> similar to that.


Dear Dave,

Are you aware that your comment, above, has been reproduced by the Maricopa County Attorney in a 92-page document that details the completely absurd statements that were made by Tami Loehrs in the Matt Bandy case? See

http://www.maricopacountyattorney.org/Press/PDF/bandy_case_20070107.pdf

Your statement has been used as part of this publication in an effort to discredit Ms. Loehrs, and to respond formally to the deceptive and manipulative tactics of the Bandy family as they waged a political war to 'defend' their son, Matt, so that he would not be required to register as a sex offender.

As you may know, the television program 20/20 did a story about the Bandy case, and it reportedly failed to present the prosecution side of the story. I have not seen it, personally.

I would be glad to discuss in detail anything at all that I have written or spoken that you or others deem to be outrageous.

My experience with criminal computer forensics goes back almost as far as yours does, and my experience with expert witness testimony in civil court most likely predates the start of your forensics career.

It may be outrageous from your perspective, but there is no doubt in my mind that computer forensic examiners are not expert witnesses.

There is no such thing as 'computer forensics' as a field of forensics. It is a misnomer to refer to it as 'forensics' in the same way that it is improper to refer to a sworn law enforcement officer as an expert in the field of law.

LEOs possess neither academic background nor work experience in principles or practices of law, as a distinct field of skilled human endeavor.

Attorneys, judges and others who are likely to possess true expertise in law are the ones that we rely on for expert testimony on the subject of the law, including interpretation thereof, whether that testimony is given before congress, for instance, or in court, or on our own behalf when we need legal advice. Anyone who takes legal advice from a cop is probably an idiot.

LEOs may possess many hours of work experience in a field of work related to the law, but they are not legal experts and the nature of their skilled work cannot ever result in the sort of expertise that would properly qualify a person to render expert opinions or give well-informed interpretations or advice in complex legal matters.

The skill that a LEO has with law is the sort of job-oriented skill that a trained computer forensic examiner possesses with respect to computers. Knowing how to do what you're told and learning from your mistakes so that you advance in your career is fine if you're an honest cop, but that does not qualify a LEO to program computers or prepare them to educate a jury or a judge in the truly intricate and technically-complex subject of computer science.

Experience recovering data from all manner of data storage devices does not qualify anyone as a computer expert. Ability to operate software that was programmed by somebody else is not expertise as anything other than a computer operator.

What is outrageous is that we are giving forensic certifications to trained computer operators. Every time a certified forensic examiner or an EnCase- or FTK-certified examiner performs an examination, authors a report, and renders flawed opinions it is an outrage and an affront to justice and common decency.

Until and unless a person has worked for years as a software engineer, and has studied technical details of information security including the creation and exploitation of software bugs to force software to do things that it was never designed to do, there is no way that a person can imagine the precise technical implications of the sort of scenarios that we encounter in the real world when law enforcement computer examiners and prosecutors collaborate to transform a particular bit of data into forensic evidence of guilt to be used against a person who stands accused of a crime.

In 1997 I was offered the opportunity to author the book Foundations of Computer Forensic Science which would have been published by John Wiley & Sons.

I refused, on the grounds that such a work required far more expertise to write than I possessed as a result of my mere ten years of programming experience.

In the ten years since 1997, I have acquired enough additional experience and skill that authoring such a book today would at least not do more harm than good, but still I refuse to author it.

The reason now is that I do not believe there will ever be such a thing as computer forensic science, and anyone who claims otherwise is an idiot.

My excuse for continuing to use the term 'computer forensics' in certain marketing literature and conversation, or even when giving expert testimony, is that this phrase has a non-technical meaning to laypersons (including to judges and attorneys) and it is possible to possess expertise enough to know what people who claim to be computer forensic examiners are actually doing.

Just because I have no other way to communicate the fact that I have experience with 'computer forensics' and just because I do work in 'computer forensics' does not mean that I am advocating its existence as a legitimate field of forensic science by using the term out of necessity. It is clearly neither forensic nor science.

Frankly, I would prefer that the industry pick a different name for itself. My suggestion, some years ago, was 'computer investigations' rather than 'computer forensics' and I wanted all of you to be referred to as 'computer investigators' -- go get your private investigators' licenses if you intend to do this sort of work. Be a hi-tech sleuth if that makes you happy. It would make me happy for you.

But what are the chances that everyone will listen to my ideas on the subject, now that I have willingly passed up the opportunity to be considered one of the founders of 'computer forensics' by having written the first Foundations Of book on the subject?

I would like to invite you, and anyone else on this law enforcement-only mailing list, to review the Maricopa County Attorney's 92-page forensic report on the Matt Bandy case and tell me how anyone who knows anything about so-called 'computer forensics' can ever write the following statements:

'The viruses relate to spyware and adaware. They are not back door Trojans.' (bandy_case_20070107.pdf page 10)

or,

'The virus "instsrv.exe" is the "bargain buddy" adware program which is not capable of remotely controlling a computer.' (bandy_case_20070107.pdf page 11)

At this very moment I am in control of thousands of other people's computers via software that is not considered to be a 'back door Trojan' -- how many certified computer forensic examiners have this sort of real-world experience?

Nobody who understands how software is written and disseminated would ever say such things as the excerpts above from the Bandy forensic report, at least not if they are making any attempt to be precise, scientific, and objective.

Instead of explaining exactly how it might have been possible in the past for an intruder to have taken control of Matt Bandy's computer, even by way of the adware that was found to have persistently infected it, the law enforcement computer forensic examiner in the Bandy case did as every such examiner always does: they ignored all of the real-world possibility as though they truly believed that it was impossible for anyone other than Matt Bandy to have controlled Bandy's Windows computer.

The proper computer scientific explanation of how such remote control would have been accomplished, together with demonstrations showing how it could be accomplished similarly today, would in no way have diminished the fact that it was very unlikely that anyone other than Matt Bandy was responsible for the contraband in question.

However, instead of telling the whole truth and nothing but the truth, Maricopa County insists on doing what every other jurisdiction across the country is doing: perpetrate an outrageous fraud by positioning certified 'forensic experts' (who are frequently also sworn LEOs) to tell lies about how computers work in order to convince the jury that there is no doubt that the person who stands accused is guilty as charged.

Computer forensics, in practice today, is a lot like what DNA fingerprinting technology and DNA forensics would be if its trained criminologists and lab technicians were to ignore all possible exculpatory explanations for genetic material to be present at a crime scene so they could focus only on pointing the finger at the accused just because a gel electrophoresis assay showed assay-labeled DNA fragments in the right places to match up with the suspect. Such behavior would obviously be against common sense, and forensic experts would be tarred-and-feathered by angry mobs if they started getting on the witness stand and proclaiming 'this DNA evidence is the hand of God pointing the finger at the defendant' in cases where the defendant's DNA is found to have been located in some mundane place such as on their very own toothbrush.

Unfortunately, computer forensics is able to deceive just about everyone because only the minority of computer programmers truly understand how software is written and how it executes on a microprocessor, along with comprehending the real-world chaos that has resulted from decades of programming effort by people of varying skill levels, most of whom never needed to understand computers in depth in order to write software and have a productive and economic career.

It is for this reason, the scale of the resulting decades of programming chaos created under the influence of the free market drive for profits, that software bugs and information security vulnerabilities are rampant in every computing platform and every software product, including EnCase and FTK or any other software used in computer forensics.

Computer forensics testimony from law enforcement always contains the sort of outrageously absurd mistakes like those in the Bandy excerpts above. This fact alone makes computer forensics worse than unreliable; it makes the whole computer forensics industry nothing short of a continuing criminal enterprise. Though one does wonder whether it is very organized.

Computer forensics professionals should be prosecuted to the fullest extent possible under law for the outrageous and damaging things they are doing to other people's lives by their act of pretending to be capable of discovering proof of things they clearly do not comprehend in the first place.

Computer forensics must be removed from court. Use it for investigations and, when the limits of usefulness of computer forensics are reached, go do some electronic intercepts and conventional investigations to fill in the missing pieces of the case against the suspect.

To do anything else is uncivilized.

(Please forward my email to the IACIS mailing list, as I am not a subscriber)

Sincerely,

Jason Coombs
jasonc@...ence.org

P.S. No, I had nothing at all to do with the Matt Bandy case. Observant investigators may note that my dad wrote a silly manifesto about child pornography and computer forensics that the Bandy supporters reproduced on Justice4Matt.com -- let me just say that my dad is a better artist than he is a computer forensic examiner, but he does have a lot of professional experience and his clients value him for the same reasons your clients, or your government employers, value you: he works hard, knows how to operate a computer, and he produces something. That's all I have to say about that.

Sent from my Verizon Wireless BlackBerry