lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <42C9DB85.8090803@science.org>
Date: Tue Jul 5 01:59:30 2005
From: jasonc at science.org (Jason Coombs)
Subject: [Fwd: Returned post for forensics@...urityfocus.com]

I'm sick and tired of the stupid securityfocus.com mailing list moderators who keep refusing to allow the truth to be added to the discussions that they moderate.

Boycott Symantec. They're a bunch of arrogant exploiters of other people's stupidity, and they attract those who are like-minded. Symantec profits through suppressing truth and encouraging delusion.

May every person who supports the suppression of full disclosure go to prison for crimes they didn't commit based solely on digital evidence. Hooray for modern American-prisoner-industrial-slavery capitalism.

Regards,

Jason Coombs
jasonc@...ence.org

-------- Original Message --------
Subject: Returned post for forensics@...urityfocus.com
Date: 4 Jul 2005 23:18:20 -0000
From: forensics-help@...urityfocus.com
To: jasonc@...ence.org

Hi! This is the ezmlm program. I'm managing the forensics@...urityfocus.com mailing list.

I'm working for my owner, who can be reached at forensics-owner@...urityfocus.com.

I'm sorry, the list moderators for the forensics list have failed to act on your post. Thus, I'm returning it to you. If you feel that this is in error, please repost the message or contact a list moderator directly.

--- Enclosed, please find the message you sent.

Subject: [Fwd: Re: Tools accepted by the courts]
From: Jason Coombs <jasonc@...ence.org>
Date: Wed, 29 Jun 2005 11:25:33 -1000
To: Forensics <forensics@...urityfocus.com>

For those who asked to read my original post ... See below.
I propose that we do two things:

1) Add an impartial peer-review step to every submission of 'digital evidence' in court;

2) Publish all expert/analysis reports and transcripts of testimony given by forensic examiners;

3) Build a mechanism (an automatic appeal, perhaps, on the grounds that computer forensics was used to assist in the conviction) whereby careful scrutiny can be performed after-the-fact of every criminal conviction that was obtained through the involvement of 'computer forensics';

4) Require law enforcement computer forensic examiners to do work on behalf of the defense.

I have witnessed unreasonable law enforcement and prosecution behavior and technical mistakes that cause me to believe that courts are being systematically misled with respect to the reliability of computer forensic evidence.

Believe it or not, people have been convicted of crimes based on computer evidence alone in cases where the fact of their computer having been acquired used, or frequently operated by multiple users, or outright owned by a warez or porn distributor, or hijacked and forced to be a P2P file sharing hub, or massively infected with spyware and Trojans, gets completely ignored.

The only case I have ever seen in which prosecution/law enforcement computer forensics even bothered to look into such issues of information security was a UCMJ court martial where the DODCFL took care to locate and report the existence of the presence of a Trojan and a keylogger on the suspect's computer. Considering that this UCMJ case was a direct result of the FBI's "operation site key" child porn investigation, where nothing more than the suspect's credit card number having been found in the "site key" database of online child porn customers led to the charges in question, and the keylogger and Trojan probably did result in a third party being in possession of the suspect's credit card information, a failure of the DODCFL to search for such evidence would have itself been criminal.

Fortunately, the DOD computer forensic lab staff appear quite skilled, and they are available to do work on behalf of the accused service member. The fact that the HTCIA has a written policy against any law enforcement forensic examiner ever doing work on behalf of a defendant is disgusting and offensive in light of the DOD's more enlightened procedures.

We allow 'digital evidence' to have meaning and we give it weight in court, but we do so by ignoring how easy it is for anyone to obtain whatever information they need to steal another person's identity, and we do so by ignoring the fact that it is impossible to know what happened in the past to a digital computer. (Heck, it is nearly impossible in practice to know what a digital computer is doing RIGHT NOW.)

This issue goes far beyond simply 'fixing' the broken system that exists today. For the better part of the last two decades computer forensics has been in use by law enforcement in real-world investigations. From my experience as an instructor of CCE "boot camp" courses I learned that John Mellon claims to have invented computer forensics twenty years ago when he was at the IRS. If he is correct that some of the first uses of computer forensics in criminal investigations occurred in connection with IRS enforcement of the tax code against U.S. citizens, then the entire field is even more badly contaminated with government conflict of interest than I had previously imagined.

We must stop any government from misusing 'digital evidence' as an institutionalized method to transform free citizens into economic or political fuel that enriches those who believe that it is proper to imprison as many people as possible. Computer forensics provides a very slippery slope whereby widespread imprisonment of persons can be manufactured merely by devoting more of society's resources to the task.

The fact that people who fear this outcome do not, out of choice, work in positions of authority where they might be able to stop it from happening or explain its dangers should give us all pause to reflect on that which we are creating and encouraging when we make 'computer forensics' more important than it should be.

Regards,

Jason Coombs
jasonc@...ence.org

-------- Original Message --------
Subject: Re: Tools accepted by the courts
Date: Thu, 16 Jun 2005 07:24:54 -1000
From: Jason Coombs <jasonc@...ence.org>
Reply-To: jasonc@...ence.org
To: Robert Larson <robert.j.larson@...il.com>
CC: forensics@...urityfocus.com
References: <fdbad77605061514155fbd6da8@...l.gmail.com>

Robert,

It is not the tool that gets thrown out, but the forensic examiner's use of it.

In the very first case that Guidance Software worked on where Guidance consultants conducted a forensic examination of digital evidence and then authored an examination report, an associate of PivX Solutions (http://www.pivx.com) proved that Guidance failed to notice that the date/time stamps on the files in question pre-dated the dates on nearly all other files, and pre-dated the date that the OS was first installed. The strong implication being that the files were actually created on a different computer, not on the computer in question. Because that was material to the case, the judge threw out Guidance (the company, not the EnCase product) and refused to allow them to supply expert analysis or fact testimony concerning the evidence.

No 'forensic' tool will ever be excluded from court. If a skilled technical person with credentials and experience doing this work deems a particular tool useful for a particular purpose, then the court allows the work product to speak for itself or the court allows the person who used the tool to give an informed interpretation. In nearly every case the computer examiner offers expert testimony, not fact testimony.
The court does not impose requirements on how experts apply their expertise, and the court must, in almost every case where computer forensics is employed, not allow anyone involved to misrepresent computer data as being 'fact'. All computer data is circumstantial.

Regards,

Jason Coombs
jasonc@...ence.org

Robert Larson wrote:
> I'm involved in a discussion with some co-workers concerning forensic
> tools and the fact that evidence acquired with some tools is going to
> be more accepted in court than others.
>
> Has anyone encountered a situation where evidence extracted with a
> particular tool was not accepted?
>
> For example, an examiner using a "homemade" script to carve
> information from unallocated space versus a commercial carving tool.
>
> Robert