Open Source and information security mailing list archives
 
Date: Wed Dec 21 23:36:34 2005
From: ivanhec at gmail.com (Ivan .)
Subject: Re: Guidance

Interesting debate guys, I thought this article may interest you both

Security: Forensic Tools in Court
http://www.unixreview.com/documents/s=9943/ur0512i/ur0512i.html

cheers
Ivan

On 12/21/05, J.A. Terranson <measl@....org> wrote:
>
> On Wed, 21 Dec 2005, Jason Coombs wrote:
>
> > Come now, my friend, you know very well that there is no such thing in
> > computing unless you happened to be monitoring all internal and external
> > I/O of the computing device in question at the time the alleged 'data'
> > were allegedly 'processed' by that computing device.
>
> For the sake of the audience, allow me to clarify something that's
> probably not obvious to them as observers:
>
>         Our discussion here is based upon the premise of "Expert Witness"
>         rules under the FRCP (federal rules).  Under this system, a
>         so-called "Expert Witness" may provide "evidence" which would
>         otherwise be impermissible, as this testimony is by its very
>         definition, an opinion.  Clearly, evidence provided under the
>         Expert Witness rules is very dangerous, as it is easily
>         (and often, in both my opinion and I believe in Jason's
>         opinion as well) abused.  In fact, this is where the famous
>         "Dueling Experts" tales come from.
>
> I will firmly agree that no expert should EVER testify that they are
> offering up raw facts for digestion - the law is quite clear that this
> isn't even (in theory) allowed.  Nevertheless, it does sneak in, and yes,
> it does need to die - both in the computer forensics cases and in every
> other case where any form of Expert Witness is utilized.
>
> That said, an expert opinion may have real evidentiary value, as you know
> (or you wouldn't be making your living as another Expert For Hire, like
> the rest of us ;-)  The trick is to practice honestly and within the scope
> of what is possible, rather than just making it all up as you go along.
>
> > You put on a hat labeled 'computer forensic examiner' as a necessary
> > matter of business practice, in order for other people to understand
> > what you are when you are serving that role in some forensic situation.
>
> No.  I put on my "Expert Witness hat" because the Court requires it for me
> to offer testimony.  I often offer evidence without needing to be an
> "expert" - in those cases I am providing evidence of a physical nature
> which is not reasonably open to dispute.
>
> > But by wearing such title, and by engaging in such business, you are
> > forced to make gigantic leaps of imagination in order to offer opinions
> > as to your finding of 'accurate and completely supporting information'
> > after your forensic tools and your knowledge of software give you a
> > glimpse of the past that is beyond the capability of mere mortals.
>
> I think you are confusing me with another so-called examiner.  I forget
> his name at the moment, but I *think* it had a W in it? ;-)
>
> I do not offer evidence that approaches fantasy, or that requires leaps of
> faith.  I can provide the framework, such as "At the time I examined the
> computer in question, I checked the BIOS and found it to be accurate
> within 14 seconds of a known reference time."  And evidence like "I found
> evidence that certain programs were installed on this computer, i.e.,
> <long list goes here>", and "I found remnants of photographic images in
> the browser cache which are known to me to be pictures of a pre-teen child
> named...".  You will not EVER hear ME testifying that an image was put on
> a computer by a specific person.  I may testify that a certain login was
> in use at the time the program was installed, but, as you so correctly
> point out, I cannot possibly KNOW who loaded that program.
>
> This is Ethical Practice.  This is how we practice here, and it is the
> reason we are now the largest forensic firm in the Midwest.
>
>
> > The problem, and the reason the entire industry needs to die, is that
> > this creates a situation in which the side with the best imagination
> > wins.
>
> Again, wrong.  A competent attorney (often guided by someone like you or
> me), can make mincemeat out of one of these sleazy
> make-up-what-they-want-to-hear "practitioners".
>
> Obviously, there is nothing I can do to help a client who has incompetent
> counsel (rare but it does happen), nor is there anything I can do to
> assist on a case I don't know about - but I can make big differences in
> those cases I work - and I *do*.  Often!  This is why I support what you
> are *trying* to do, although I believe you are misguided in your approach.
>
> > It doesn't help the discovery of truth for people with forensic tools
> > and talent to suggest that their imagination is superior and therefore
> > can prove conclusively what happened in the past.
>
> I agree.  And ANYONE who claims (1) to be a competent forensic
> computer examiner, and (2) claims outrageous things like your postulate
> above, should be not only prohibited from practicing anything at all
> (especially any kind of forensics!), but they should be forced to be on
> the receiving end of this kind of malpractice!
>
> > No matter what safeguards you or the rest of the computer forensics
> > industry develop, I will still be able to defeat your imagination
> > because yours is limited by budgets and time constraints, whereas I am
> > only limited by the lengths to which I am willing to go to deposit fake
> > evidence and secretly control other people's computers.
>
> The deliberate planting of evidence is a problem universally, and is not
> peculiar to the computer forensics industry by any means.  I am not even
> going to bother addressing that point here, as it's a completely unrelated
> issue, and you *know* this.
>
> > Given the desire to do so, any motivated adversary could cause your
> > computers to contain 'accurate and completely supporting information' of
> > their choosing, without possibility of detection after-the-fact.
>
> ABSOLUTELY CORRECT!  And the competent computer examiner will make
> absolutely certain that this is communicated to all parties at all times.
>
> > It is
> > only badly-executed intrusions or intruders caught-in-the-act that
> > result in the owner of a computer system discovering that their security
> > has been compromised.
>
> While I won't go quite that far, your basic premise is sound.
>
> > This is the end result of the ability to execute arbitrary code or gain
> > unauthorized physical or logical access to vulnerable computer systems.
>
> Absolutely.
>
> > When the 'computer forensics' industry requires of each practitioner a
> > written and spoken caveat to this effect before and after every report
> > that an examiner delivers to a client, that's when there might be some
> > justification for the industry to exist at all.
>
> Again, you are doing the Republican Knee Jerk, Jason :-)
>
> Just because the industry has unscrupulous practitioners does not mean the
> whole industry is better off dead.  If you extended this argument to every
> other industry with similar situations (lawyers, doctors, etc.), there
> would be NO "practitioners" of any kind, anywhere at all.
>
> No Jason, competent examiners have a very solid future, as there is a lot
> of work for us.  We make a difference in people's lives *every day* - and I
> am very proud to be in that position!  We make bad divorces end faster,
> with less pain and trauma to all involved.  We occasionally prevent bad
> prosecutions for things we wish didn't happen, and yes, sometimes we find
> ourselves pushing for a prosecution even though you wish it were not so.
>
> The simple truth is that anyone with a conscience will find themselves
> alternately torn and proud by whatever they do - nothing is without
> consequences.  We "sell" our service by pointing out that we save a LOT of
> money on civil litigation.  We don't see a lot of criminal defense work
> yet, for two reasons: (1) In the 8th Circuit at least (not so in many
> other courts though), the prosecution's labs were both trained by _us_, and
> (2) therefore understand the limitations of the technology.  They are not
> likely to prosecute a CP case that isn't completely cut and dried: hell,
> I've personally seen them deep-six cases that _I_ would have gone forward
> on.  They are responsible here, and it shows.
>
> For those cases that do go forward, defense attorneys are just now
> learning about this, and have not yet really gotten comfortable with it -
> this is slowly changing.  Lastly, we have a company policy that very
> strongly discourages criminal defense work: we let the lawyers know that
> we will not work defense cases where the defendant is guilty.  And that
> opinion is ours to make alone.  After all that, criminal defense is
> unusual for us - but if we _do_ take a criminal case, the defendant is in
> good hands: we believe they are innocent (or we wouldn't be there to start
> with), and they have an examiner who can make the very arguments we're now
> discussing, and who was responsible for a large portion of the training of
> the other side.  It works.
>
> > Until then, we're all a bunch of self-serving glory hounds who can't
> > find anything better to do with life, and who don't mind putting other
> > people at risk for our own short-term benefit.
>
> Speak for yourself - clearly, this is not the premise we work on.  We take
> the responsibility of this tremendously seriously.  We have regular
> (weekly) Ethics Meetings to discuss all cases and possible implications, we
> have multiple layers of safeguards built into the entire system at every
> conceivable place something could go wrong.  Does that mean we're perfect,
> and that we will never have a case "go south"?  No.  But it does mean that
> if the case goes south, it won't be because we just "made something up"!
>
> > We absolutely must be stopped. But that doesn't mean I will be turning
> > away jobs myself.
>
> Yes.  I note that you are as busy as we are - in spite of wanting the
> "entire system to die" :-)
>
> > As long as this booming market keeps making me rich, I'll keep doing my
> > job to the best of my ability.
>
> So, you're just in it for the money?  Maybe that's why you're so adamant
> about this?  We turn down work all the time.  Good paying work.  We want
> to be able to sleep at night.
>
> > But I won't be happy
> > about it until the nonsense stops and people start thinking rationally
> > about how silly it is to trust computer data and call it 'evidence' --
> > it is digital dumpster diving, and the hard drives are garbage cans.
>
> You won't be happy - but you'll still do it?  Just for the money?  Wow!
> I'm sorry, Jason!  Really.  I thought you were above that - I really did.
> We've talked any number of times offline, and I thought you were
> completely on the same page we were.
>
> > Be careful which garbage can you stand next to, because proximity to the
> > garbage is now effectively a crime thanks to flawed computer forensics.
> > We are all at risk unnecessarily, and full disclosure of the true nature
> > of that risk is our only protection against persons of superior
> > imagination.
>
>
> No.  Not due to the flawed forensics. Due to incompetent prosecutors.
> And occasionally due to incompetent assistance from an incompetent
> examiner.
>
> Like us, you have a personal responsibility to see to it that these
> injustices are not perpetuated.  That you would take work knowing it was
> feeding evidence in support of the wrong side troubles me greatly, Jason.
>
> > Regards,
>
> > Jason Coombs
> > jasonc@...ence.org
>
> //Alif
>
> alif@...tedforensics.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
