Open Source and information security mailing list archives
 
Date: Wed Dec 21 03:54:22 2005
From: jasonc at science.org (Jason Coombs)
Subject: Re: Guidance

J.A. Terranson wrote:
...
> accurate and completely
> supporting information
...

Alif,

Come now, my friend, you know very well that there is no such thing in computing unless you happened to be monitoring all internal and external I/O of the computing device in question at the time the alleged 'data' were allegedly 'processed' by that computing device.

You put on a hat labeled 'computer forensic examiner' as a necessary matter of business practice, in order for other people to understand what you are when you are serving that role in some forensic situation. But by wearing such title, and by engaging in such business, you are forced to make gigantic leaps of imagination in order to offer opinions as to your finding of 'accurate and completely supporting information' after your forensic tools and your knowledge of software give you a glimpse of the past that is beyond the capability of mere mortals.

The problem, and the reason the entire industry needs to die, is that this creates a situation in which the side with the best imagination wins.

It doesn't help the discovery of truth for people with forensic tools and talent to suggest that their imagination is superior and therefore can prove conclusively what happened in the past.

No matter what safeguards you or the rest of the computer forensics industry develop, I will still be able to defeat your imagination because yours is limited by budgets and time constraints, whereas I am only limited by the lengths to which I am willing to go to deposit fake evidence and secretly control other people's computers.

Given the desire to do so, any motivated adversary could cause your computers to contain 'accurate and completely supporting information' of their choosing, without possibility of detection after-the-fact. It is only badly-executed intrusions or intruders caught-in-the-act that result in the owner of a computer system discovering that their security has been compromised.

This is the end result of the ability to execute arbitrary code or gain unauthorized physical or logical access to vulnerable computer systems.

When the 'computer forensics' industry requires of each practitioner a written and spoken caveat to this effect before and after every report that an examiner delivers to a client, that's when there might be some justification for the industry to exist at all. Until then, we're all a bunch of self-serving glory hounds who can't find anything better to do with life, and who don't mind putting other people at risk for our own short-term benefit.

We absolutely must be stopped. But that doesn't mean I will be turning away jobs myself. As long as this booming market keeps making me rich, I'll keep doing my job to the best of my ability. But I won't be happy about it until the nonsense stops and people start thinking rationally about how silly it is to trust computer data and call it 'evidence' -- it is digital dumpster diving, and the hard drives are garbage cans.

Be careful which garbage can you stand next to, because proximity to the garbage is now effectively a crime thanks to flawed computer forensics. We are all at risk unnecessarily, and full disclosure of the true nature of that risk is our only protection against persons of superior imagination.

Regards,

Jason Coombs
jasonc@...ence.org
