Message-ID: <20051220200649.H37487@ubzr.zsa.bet>
Date: Tue, 20 Dec 2005 20:16:02 -0600 (CST)
From: "J.A. Terranson" <measl@....org>
To: Jason Coombs <jasonc@...ence.org>
Cc: Bugtraq <bugtraq@...urityfocus.com>,
Full-Disclosure <full-disclosure@...ts.grok.org.uk>,
computerforensics@...ensicfocus.com
Subject: Re: Re: Guidance
On Tue, 20 Dec 2005, Jason Coombs wrote:
> It is not just defects in EnCase features that cause computer forensic
> examiners who use Guidance Software's products and training to produce
> incorrect and misleading expert testimony or fact evidence.
>
> Guidance Software simply doesn't understand, and doesn't care to
> understand, information security.
>
> It would be bad for sales of EnCase if Guidance admitted that they have
> no way to know whether anything discovered on a hard drive by EnCase is
> reliable circumstantial evidence.
Jason,

As one forensic "expert" to another - while I understand your
frustrations with the improper use that is often made of this type of
evidence - you are throwing the gasoline on the wrong fire.

You and I both know that whether something appearing on a hard
drive is "reliable circumstantial evidence" depends on the whole picture,
and not on whether something was "discovered by EnCase". A competent
examiner will take in the whole picture: BIOS dates, battery levels, NTP
running/not/etc., before offering any opinion as to time of origin. A
competent examiner will not testify to things that they do not or cannot
know, regardless of whether some program says something is there or not.

While you are busy trying to destroy the entire "computer
forensics practice", you are ignoring the good that comes from this
technology as well. Most of us are familiar with cases where these tools
were exculpatory rather than inculpatory - a very common situation.

You need to be railing against *incompetent* practice, not practice
in general. There ARE honest, reliable, and competent examiners out here
you know. ;-)

You know me personally, and I think you would agree my positions
are not taken either without knowledge, nor without accurate and
completely supporting information. And you also know the "standard
warnings" I give to all customers regarding forensic evidence - these are
part of "competent practice". Wouldn't your time be better served by
trying to encourage responsible and competent practice, possibly by using
examples, than by trying to just destroy a whole industry (which isn't
gonna happen either Jason - as long as the honest and accurate ones are
out here, the industry will continue to thrive)?

--
Yours,
J.A. Terranson
Alif@...tedForensics.com
0xBD4A95BF
Just once, can't we have a nice polite discussion about
the logistics and planning side of large criminal enterprise?
- Steve Thompson