lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <BAY104-DAV481F5C91403C21B82AC8AD0E60@phx.gbl>
Date: Tue Jul  5 23:00:35 2005
From: pingywon at hotmail.com (pingywon)
Subject: RE: Tools accepted by the courts

I have heard on more then one ocassion that Microsoft Event files (.evt) are 
admissible.

can anyone comment yes or not through experience ?

~pingywon

----- Original Message ----- 
From: "Craig, Tobin (OIG)" <tobin.craig@...gov>
To: <jasonc@...ence.org>; "Evidence Technology" <le@...dencetechnology.net>
Cc: <full-disclosure@...ts.grok.org.uk>; <forensics@...urityfocus.com>
Sent: Tuesday, July 05, 2005 8:36 AM
Subject: [Full-disclosure] RE: Tools accepted by the courts


Jerry,

I have to disagree with Jason on this, I think you're on the right
track; Computer forensics needs to be regarded in the same light as
other forensics fields and held to the same standards to maintain any
credibility in the future.

Jason:

I apologize on behalf of the rest of the community who are trying to
find a way forward in this.  Obviously by the tone of your previous
contributions, you have the whole field sewn up.  Perhaps when you
publish your definitive work, we'll all be able to enjoy the view from
your vantage point.  But until then, I for one don't appreciate the
belligerence and the patronizing.

Perhaps in my 20 years of international forensic science in 8 different
disciplines I've missed something fundamental concerning forensic
investigation or evidence handling.  If so, then please be sure to
include a chapter, I'd love to see where I've been going wrong over the
last two decades.

If you are waiting for witnesses to paint a worst case scenario every
time they hit the stand, then don't hold your breath.  Our job is to
make this stuff understandable in an impartial way.  It doesn't matter
how much you know or how much you understand if you cannot impart that
information in a meaningful way to your audience, be it a judge, jury,
or your granny.

This is just my opinion folks.

Respectfully yours,

(unprejudiced, because that's how we are supposed to be professionally,
trying to find the correct answer in place of the easy answer, knowing
that yes there are those who would exploit this field like any other,
but also knowing the way to see the standards increased is by doing my
best to ensure that I've done my job to the best of my ability, -- I
would like to hope you are more interested in finding the right way
forward over promoting your own agenda, although sadly I'm seeing much
of the good you have to say get lost in overly aggressive verbage.....)

Please think twice about your delivery, you're only hurting yourself,

Tobin Craig
___________________________
Tobin Craig, MRSC, CISSP, SCERS, EnCE
IT Forensic Director, Computer Crimes and Forensics
Department of Veterans Affairs
Office of Inspector General
801 I Street NW
Washington DC 20001

Tel: 202 565 7702
Fax: 202 565 7630
___________________________
-----Original Message-----
From: Jason Coombs [mailto:jasonc@...ence.org]
Sent: Tuesday, July 05, 2005 8:04 AM
To: Evidence Technology
Cc: Craig, Tobin (OIG); forensics@...urityfocus.com;
full-disclosure@...ts.grok.org.uk
Subject: Re: Tools accepted by the courts

Evidence Technology wrote:
> That era is quickly fading. Going forward, I think we'll see more
> and more digital evidence rendered inadmissible via failure to
> adhere to established evidentiary standards.

Jerry,

No way. What 'evidentiary standards' are you talking about here?

I'm sorry but that's just absurd. How will there ever be 'evidentiary
standards' on the contents of my filing cabinet and my personal
pornography collection?

The police find the data where they find it. That's called
'circumstantial evidence' and digital evidence will always be treated
exactly as such no matter who we successfully convince of the flaws
inherent in the filing cabinet or printed document/glossy photograph
analogy.

What I demand to hear spoken by law enforcement, and what I insist
prosecutors compel law enforcement to speak if they don't volunteer
these words out of their own common sense, is the following:

"Yes, that's what we found on the hard drive but there's little or no
reason for us to believe that the defendant is responsible for placing
it there just because the hard drive was in the defendant's possession.
We often see cases where hard drives are installed second-hand and data
from previous owners remains on the drive, we can't tell when the data
in question was written so it's important to be aware that hundreds of
other people could have placed it there. We also see cases where
software such as spyware or Web pages full of javascript force a
suspect's Web browser to take actions that result in the appearance that

the owner of the computer caused Internet content to be retrieved when
in fact the owner of the computer may not have known what was happening,

malicious Web site programmers know how to use techniques such as
pop-unders and frames to hide scripted behavior of Web pages.
Furthermore, once the Web browser is closed and its temporary files are
deleted, every bit of data that was saved 'temporarily' to a file by the

browser becomes a semi-permanent part of the hard drive's unallocated
space and we have no way to tell the difference between data that was
once part of a temporary file created automatically by a Web page being
viewed or scripted inside a Web browser and the same data placed
intentionally on the hard drive by its owner without the use of the
Internet. Also ..."

Disrespectfully Yours,

  (with extreme prejudice born of intense frustration due to the fact
that nobody cares about getting this stuff right when it's so much
easier just to collect a forensic paycheck and move on to the next
victim -- I would like to think you are part of the solution rather than

being part of the problem but you're talking nonsense and so is nearly
everyone else in the computer forensics field, most especially the
computer forensics vendors who need people to love them in order to make

their businesses grow. They do not deserve respect and they most
certainly fail the 'lovable' test, but television shows like CSI and
visions of fat bank accounts have deceived everyone temporarily...)

Please get a clue before you hurt somebody.

Jason Coombs
jasonc@...ence.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists