lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed Dec 21 02:16:21 2005
From: measl at mfn.org (J.A. Terranson)
Subject: Re: Guidance


On Tue, 20 Dec 2005, Jason Coombs wrote:

> It is not just defects in EnCase features that cause computer forensic
> examiners who use Guidance Software's products and training to produce
> incorrect and misleading expert testimony or fact evidence.
>
> Guidance Software simply doesn't understand, and doesn't care to
> understand, information security.
>
> It would be bad for sales of EnCase if Guidance admitted that they have
> no way to know whether anything discovered on a hard drive by EnCase is
> reliable circumstantial evidence.

Jason,


	As one forensic "expert" to another - while I understand your
frustrations with the improper use that is often made of this type of
evidence - you are throwing the gasoline on the wrong fire.

	You and I both know that whether something appearing on a hard
drive is "reliable circumstantial evidence" depends on the whole picture,
and not on whether something was "discovered by Encase".  A competent
examiner will take in the whole picture: BIOS dates, battery levels, NTP
running/not/etc., before offering any opinion as to time of origin.  A
competent examiner will not testify to things that they do not or cannot
know, regardless of whether some program says something is there or not.

	While you are busy trying to destroy the entire "computer
forensics practice", you are ignoring the good that comes from this
technology as well.  Most of us are familiar with cases where these tools
were exculpatory rather than inculpatory - a very common situation.

	You need to be railing againt *incompetent* practice, not practice
in general.  There ARE honest, reliable, and competent examiners out here
you know. ;-)

	You know me personally, and I think you would agree my positions
are not taken either without knowledge, nor without accurate and
completely supporting information.  And you also know the "standard
warnings" I give to all customers regarding forensic evidence - these are
part of "competent practice".  Wouldn't your time be better served by
trying to encourage responsible and competent practice, possibly by using
examples, than by trying to just destroy a whole industry (which isn't
gonna happen either jason - as long as the honest and accurate ones are
out here, the industry will continue to thrive).

--
Yours,

J.A. Terranson
Alif@...tedForensics.com
0xBD4A95BF


	Just once, can't we have a nice polite discussion about
	the logistics and planning side of large criminal enterprise?

	- Steve Thompson

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ