[Full-disclosure] [Fwd: Returned post for forensics@securityfocus.com]

From: Jason Coombs (jasonc_at_science.org)
Date: 07/05/05

    Date: Mon, 04 Jul 2005 14:59:49 -1000
    To: full-disclosure@lists.grok.org.uk

    I'm sick and tired of the stupid securityfocus.com mailing list
    moderators who keep refusing to allow the truth to be added to the
    discussions that they moderate.

    Boycott Symantec. They're a bunch of arrogant exploiters of other
    people's stupidity, and they attract those who are like-minded.

    Symantec profits through suppressing truth and encouraging delusion.

    May every person who supports the suppression of full disclosure go to
    prison for crimes they didn't commit based solely on digital evidence.

    Hooray for modern American-prisoner-industrial-slavery capitalism.

    Regards,

    Jason Coombs
    jasonc@science.org

    -------- Original Message --------
    Subject: Returned post for forensics@securityfocus.com
    Date: 4 Jul 2005 23:18:20 -0000
    From: forensics-help@securityfocus.com
    To: jasonc@science.org

    Hi! This is the ezmlm program. I'm managing the
    forensics@securityfocus.com mailing list.

    I'm working for my owner, who can be reached
    at forensics-owner@securityfocus.com.

    I'm sorry, the list moderators for the forensics list
    have failed to act on your post. Thus, I'm returning it to you.
    If you feel that this is in error, please repost the message
    or contact a list moderator directly.

    --- Enclosed, please find the message you sent.

    Subject: [Fwd: Re: Tools accepted by the courts]
    From: Jason Coombs <jasonc@science.org>
    Date: Wed, 29 Jun 2005 11:25:33 -1000
    To: Forensics <forensics@securityfocus.com>

    For those who asked to read my original post ... See below.

    I propose that we do two things:

    1) Add an impartial peer-review step to every submission of 'digital
    evidence' in court;

    2) Publish all expert/analysis reports and transcripts of testimony
    given by forensic examiners;

    3) Build a mechanism (an automatic appeal, perhaps, on the grounds that
    computer forensics was used to assist in the conviction) whereby careful
    scrutiny can be performed after-the-fact of every criminal conviction
    that was obtained through the involvement of 'computer forensics'.

    4) Require law enforcement computer forensic examiners to do work on
    behalf of the defense.

    I have witnessed unreasonable law enforcement and prosecution behavior
    and technical mistakes that cause me to believe that courts are being
    systematically misled with respect to the reliability of computer
    forensic evidence.

    Believe it or not, people have been convicted of crimes based on
    computer evidence alone in cases where the fact of their computer having
    been acquired used, or frequently operated by multiple users, or
    outright owned by a warez or porn distributor, or hijacked and forced to
    be a P2P file sharing hub, or massively infected with spyware and
    Trojans, gets completely ignored.

    The only case I have ever seen in which prosecution/law enforcement
    computer forensics even bothered to look into such issues of information
    security was a UCMJ court martial where the DODCFL took care to locate
    and report the existence of the presence of a Trojan and a keylogger on
    the suspect's computer.

    Considering that this UCMJ case was a direct result of the FBI's
    "operation site key" child porn investigation, where nothing more than
    the suspect's credit card number having been found in the "site key"
    database of online child porn customers led to the charges in question,
    and the keylogger and Trojan probably did result in a third party being
    in possession of the suspect's credit card information, a failure of the
    DODCFL to search for such evidence would have itself been criminal.

    Fortunately, the DOD computer forensic lab staff appear quite skilled,
    and they are available to do work on behalf of the accused service
    member. The fact that the HTCIA has a written policy against any law
    enforcement forensic examiner ever doing work on behalf of a defendant
    is disgusting and offensive in light of the DOD's more enlightened
    procedures.

    We allow 'digital evidence' to have meaning and we give it weight in
    court, but we do so by ignoring how easy it is for anyone to obtain
    whatever information they need to steal another person's identity, and
    we do so by ignoring the fact that it is impossible to know what
    happened in the past to a digital computer. (heck, it is
    nearly-impossible in practice to know what a digital computer is doing
    RIGHT NOW)

    This issue goes far beyond simply 'fixing' the broken system that exists
    today. For the better part of the last two decades computer forensics
    has been in use by law enforcement in real-world investigations. From my
    experience as an instructor of CCE "boot camp" courses I learned that
    John Mellon claims to have invented computer forensics twenty years ago
    when he was at the IRS. If he is correct that some of the first uses of
    computer forensics in criminal investigations occurred in connection
    with IRS enforcement of the tax code against U.S. citizens, then the
    entire field is even more badly contaminated with government conflict of
    interest than I had previously imagined.

    We must stop any government from misusing 'digital evidence' as an
    institutionalized method to transform free citizens into economic or
    political fuel that enriches those who believe that it is proper to
    imprison as many people as possible. Computer forensics provides a very
    slippery slope whereby widespread imprisonment of persons can be
    manufactured merely by devoting more of society's resources to the task.

    The fact that people who fear this outcome do not, out of choice, work
    in positions of authority where they might be able to stop it from
    happening or explain its dangers should give us all pause to reflect on
    that which we are creating and encouraging when we make 'computer
    forensics' more important than it should be.

    Regards,

    Jason Coombs
    jasonc@science.org

    -------- Original Message --------
    Subject: Re: Tools accepted by the courts
    Date: Thu, 16 Jun 2005 07:24:54 -1000
    From: Jason Coombs <jasonc@science.org>
    Reply-To: jasonc@science.org
    To: Robert Larson <robert.j.larson@gmail.com>
    CC: forensics@securityfocus.com
    References: <fdbad77605061514155fbd6da8@mail.gmail.com>

    Robert,

    It is not the tool that gets thrown out, but the forensic examiner's use
    of it. In the very first case that Guidance Software worked on where
    Guidance consultants conducted a forensic examination of digital
    evidence and then authored an examination report, an associate of PivX
    Solutions (http://www.pivx.com) proved that Guidance failed to notice
    that the date/time stamps on the files in question pre-dated the dates
    on nearly all other files, and pre-dated the date that the OS was first
    installed. The strong implication being that the files were actually
    created on a different computer, not on the computer in question.

    Because that was material to the case, the judge threw out Guidance (the
    company, not the EnCase product) and refused to allow them to supply
    expert analysis or fact testimony concerning the evidence.

    No 'forensic' tool will ever be excluded from court.

    If a skilled technical person with credentials and experience doing this
    work deems a particular tool useful for a particular purpose, then the
    court allows the work product to speak for itself or the court allows
    the person who used the tool to give an informed interpretation.

    In nearly every case the computer examiner offers expert testimony, not
    fact testimony. The court does not impose requirements on how experts
    apply their expertise, and the court must, in almost every case where
    computer forensics is employed, not allow anyone involved to
    misrepresent computer data as being 'fact'.

    All computer data is circumstantial.

    Regards,

    Jason Coombs
    jasonc@science.org

    Robert Larson wrote:

    > I'm involved in a discussion with some co-workers concerning forensic
    > tools and the fact that evidence acquired with some tools is going to
    > be more accepted in court than others.
    >
    > Has anyone encountered a situation where evidence extracted with a
    > particular tool was not accepted?
    >
    > For example, an examiner using a "homemade" script to carve
    > information from unallocated space versus a commercial carving tool.
    >
    > Robert
    >
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
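The timestamp sanity check Coombs describes above (files whose creation times pre-date the OS installation and nearly every other file on the disk), written out as an added Python example that is not part of the original post or of any tool it names. It assumes the examiner has already extracted per-file creation and modification times and the OS installation time (on Windows, the InstallDate value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion) into plain records; every record below is constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class FileRecord:
    path: str
    created: datetime   # creation time recorded by the file system
    modified: datetime  # last content-modification time


def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)


def timestamp_anomalies(files, os_install):
    """Compare each file's timestamps against the OS installation time and
    against the other files on the volume. Returns (path, reasons,
    share_of_other_files_newer) for every file that needs an explanation
    before its timestamps are presented as evidence of anything."""
    ordered = sorted(files, key=lambda f: f.created)
    n = len(ordered)
    findings = []
    for i, f in enumerate(ordered):
        # Fraction of the other files created after this one; a value near
        # 1.0 means the file predates nearly everything else on the disk.
        newer_share = (n - 1 - i) / (n - 1) if n > 1 else 0.0
        reasons = []
        if f.created < os_install:
            # Nothing can be created on this installation before the
            # installation existed: the file arrived from elsewhere with its
            # stamps preserved, or the stamps or clock were altered.
            reasons.append("created before OS installation")
        if f.modified < f.created:
            # Content is older than the file's appearance on this volume.
            # Expected for files copied from install media; for user content
            # it means the file was authored on some other system.
            reasons.append("modified earlier than created (copied in)")
        if reasons:
            findings.append((f.path, reasons, round(newer_share, 2)))
    return findings


# Constructed sample volume: OS installed March 2004, user documents from
# 2004-2005, and two image files stamped three years before the install.
OS_INSTALL = utc(2004, 3, 10, 9, 0)
SAMPLE = [
    FileRecord("C:/WINDOWS/notepad.exe", utc(2004, 3, 10, 9, 20), utc(2003, 8, 1, 0, 0)),
    FileRecord("C:/WINDOWS/system32/calc.exe", utc(2004, 3, 10, 9, 21), utc(2003, 8, 1, 0, 0)),
    FileRecord("C:/Documents/letter.doc", utc(2004, 6, 2, 14, 0), utc(2004, 6, 2, 15, 30)),
    FileRecord("C:/Documents/budget.xls", utc(2005, 1, 15, 10, 0), utc(2005, 2, 1, 11, 0)),
    FileRecord("C:/Documents/photo.jpg", utc(2005, 5, 20, 8, 0), utc(2005, 5, 20, 8, 0)),
    FileRecord("C:/Temp/img_0041.jpg", utc(2001, 8, 15, 22, 10), utc(2001, 8, 15, 22, 10)),
    FileRecord("C:/Temp/img_0042.jpg", utc(2001, 8, 15, 22, 12), utc(2001, 8, 15, 22, 12)),
]

if __name__ == "__main__":
    for path, reasons, share in timestamp_anomalies(SAMPLE, OS_INSTALL):
        print(f"{path}: {', '.join(reasons)} (predates {share:.0%} of other files)")
```

The two OS binaries are reported only because their content predates their creation on the volume, which is the normal signature of files laid down from install media; the two images are the ones an examiner has to account for before calling them evidence.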

