Message-ID: <4B5DE664.9070505@csuohio.edu>
Date: Mon, 25 Jan 2010 13:43:48 -0500
From: Michael Holstein <michael.holstein@...ohio.edu>
To: Bipin Gautam <bipin.gautam@...il.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Disk wiping -- An alternate approach?
> You are telling me "Modern forensic" examiners DRAW CONCLUSIONS
> without looking at ALL possible evidence, and by sifting through just a few
> bytes of possible "related keywords" draw insufficient conclusions?
No, they find the keyword in a file (or fragment thereof) and examine
the resulting file or reconstruct the fragments to see if it's relevant
to their investigation. Putting YOUR bomb plot amidst thousands of news
articles about OTHER bomb plots won't fool them, and it'll make you look
sufficiently guilty that you'll sit in jail while they waste their time.
> It's like, when a forensic incident happens, you take fingerprints from
> the whole house, skipping a few rooms thinking there are sooooo many
> rooms to look for.....?
Depends on what they're trying to prove. In a burglary case, they might
see prints on the stereo cabinet and lift those. No need to fingerprint
the entire house when they've got a clear print, although they usually
grab a few others just to be sure.
Apparently you've never sat through a trial. Find an interesting case
and go attend; it's highly educational. Basically a jury is 12 people of
the general population (in actuality, an in-depth knowledge of the
subject matter at hand is likely to get you dismissed as a juror by one
or both sides). The jury, having watched CSI and such, will listen with
utter fascination to the State's expert in computer forensics talking about
how he extracted the data, and it will paint a VERY convincing picture
for 12 people who know nothing about computers.
> On top of that, the keywords they fish out that way are by no guarantee
> belonging to the OWNER OF THE COMPUTER; instead they are leftover chunks from
> the internet written by someone else that land on your computer's disk
> fragments as free space when the browser cache is flushed?
Possession is 9/10ths of the law. You can try and float your "Wikipedia
did it" theory at trial, but ultimately it's a matter of which theory
sounds more plausible to the jury:
1. defendant had illegal stuff on his computer.
2. defendant says illegal stuff on his computer was an effort to hide
any potential illegal stuff by putting articles about related illegal
stuff he didn't do on there.
Quit trying to re-invent the wheel and get your crypto on and lawyer up
when asked about it.
Cheers,
Michael Holstein
Cleveland State University