RE: Where are greater risks?

From: James Holley (jholleyat_private)
Date: Thu Jun 28 2001 - 07:33:03 PDT


    
    Mike,
    
    I respectfully disagree with you on these 2 points:
    
    > ... the purpose is to make use of a tool which does only one
    > job and is so transparently simple that it can be accepted by
    > non-technical people in court as valid for legal purposes. After
    > all this *is* forensics!
    
    There really is no requirement for a forensic tool to be
    "transparently simple". Ghost, SafeBack, EnCase, Maresware, The
    Forensics Tool Kit, The Coroner's ToolKit, etc., are far from simple.
    The folks at Guidance Software have published that EnCase has over
    300,000 lines of source code. But all these tools, when used properly
    by someone who understands to some level of detail what the tools are
    doing, can be used to get evidence into court.
    
    > No way could you defend a complex system like Linux on this basis,
    > particularly taking into account the way it has been developed.
    
    Linux is just an operating system. From one perspective it is no
    different than any other operating system: it gives users access to
    resources to get a job done. Of course it is vastly different from a
    number of other perspectives, but if a user knows how to leverage the
    built-in tools of the operating system, they can forgo buying many of
    the commercial forensic tools available. Linux is a powerful forensic
    platform. 
    
    It is really a matter of training, knowledge, skills and experience.
    And those same qualities are what qualify an individual to testify in
    court as an expert. The real issues are knowing your tools, knowing
    what they can and what they can't do, testing them to validate their
    functionality and using them properly to conduct your work. The
    courts will not argue about that and will not impose upon the
    forensic examiner that any particular tool must or should be used.
    
    Respectfully,
    
    James
    
    *********************************************
    James O. Holley
    Advanced Research Projects Team
    Fiderus Strategic Security & Privacy Services
    (w)  703.684.3140           (p)  888.620.5275
    jholleyat_private   or   6205275at_private
    
    Emergency 24 hour response: 1-877-595-8491
    *********************************************
    
    
    
    



    This archive was generated by hypermail 2b30 : Thu Jun 28 2001 - 16:45:47 PDT