Hi all, I would like to briefly touch on the topic of forensic computing tools, admissibility, etc. There are a lot of tools out there; most you have to pay for, but some, such as dd and md5sum, are free and the source code is available. Most will produce a bit-stream image, and a lot of procedures specify using a bit-stream backup where possible and do not say "use Ghost to back up the drive". As Michael stated, know your tools and know them well. If you are more comfortable writing your own tools, then so be it. The police agency I have talked to has a person who is there only to write tools. But you should know your program well. You should also know your programming language and how the IDE works, etc., very well. You should know that scanf is dodgy and buffer overflows bite, and all that crud.

I personally would feel more comfortable backing tools like dd and even EnCase, as they are tools used in our community and they are documented and open for peer review. Of course EnCase is not totally documented, due to proprietary formats, but how about we let that slide this time round. I know what a bit-stream backup is, I know how MD5 checksums work, so regardless of what tool it is, as long as it follows its standards (protocols), is documented and is open for review (that is what cfttat_private is for), I am willing to use it. Whether it is dd or some other variant, as long as I can verify their checksums at the end, then all is sweet.

BTW, number one rule for a forensic tool: it must be read-only.

The broad range of skills required by an investigator/examiner is the reason I have started to become very interested in this field. They must be able to investigate, plan, speak in public, manage people, have high technical skills, research skills, writing/reading, legal knowledge, and that is just to name a few.
- Daniel

[ http://www.fbi.gov/hq/lab/fsc/backissu/oct2000/computer.htm ]

Traditional forensic analysis can be controlled in the laboratory setting and can progress logically, incrementally, and in concert with widely accepted forensic practices. In comparison, computer forensic science is almost entirely technology and market driven, generally outside the laboratory setting, and the examinations present unique variations in almost every situation. ... These dissimilarities aside, both the scientific conclusions of traditional forensic analyses and the information of computer forensic science are distinctive forensic examinations. They share all the legal and good laboratory practice requirements of traditional forensic sciences in general. They both will be presented in court in adversarial and sometimes very probing proceedings. Both must produce valid and reliable results from state-of-the-art procedures that are detailed, documented, and peer-reviewed and from protocols acceptable to the relevant scientific community (ASCLD/LAB 1994).

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
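The post above talks about taking a bit-stream copy with dd and verifying it with md5sum at the end. As an added example (editorial, not Daniel's post and not documentation from dd, md5sum or EnCase), the script below images a source with dd, hashes source and image, records the result, and shows verification failing when the image is altered. It assumes a Linux-style shell with dd, md5sum, sha256sum, wc, cut, mktemp and date on PATH. The "evidence" is a constructed file; in a real acquisition the source would be a device node (the /dev/sdb below is a hypothetical name) made read-only first, for example with "blockdev --setro /dev/sdb", with the image written to separate media.

```shell
#!/bin/sh
# Added example: bit-stream copy with dd plus hash verification and a log
# record. Not from the original post or from any tool's own documentation.
# Assumes dd, md5sum, sha256sum, wc, cut, mktemp and date (GNU coreutils).
# Source here is a constructed file; a real case would use a read-only
# device node such as the hypothetical /dev/sdb.

set -u

BLOCK_SIZE=4096   # conv=sync pads the last short read out to this size

# Constructed stand-in for the evidence medium: 64 KiB of repeating text, an
# exact multiple of BLOCK_SIZE so the sync padding cannot change the length.
make_sample_source() {
    yes 'constructed evidence line' | head -c 65536 > "$1"
}

# Print "md5 sha256" for a file. Two algorithms, so a collision in one does
# not silently pass the comparison.
hash_file() {
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" \
                     "$(sha256sum "$1" | cut -d' ' -f1)"
}

# Byte length of a file, stripped of the leading spaces some wc versions emit.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# 0 when image and source have the same length and the same digests, else 1.
verify_image() {
    [ "$(file_size "$1")" -eq "$(file_size "$2")" ] || return 1
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# Bit-stream copy src -> img, then verify and append one line to log.
# conv=noerror,sync keeps dd reading past an unreadable block and zero-fills
# it, so later offsets in the image still line up with the source medium.
# Returns 0 only when the image verified against the source.
image_and_verify() {
    src=$1; img=$2; log=$3
    dd if="$src" of="$img" bs="$BLOCK_SIZE" conv=noerror,sync 2>/dev/null \
        || return 1
    if verify_image "$src" "$img"; then
        result=MATCH
    else
        result=MISMATCH
    fi
    printf '%s src=%s img=%s src_hash="%s" img_hash="%s" %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" \
        "$(hash_file "$src")" "$(hash_file "$img")" "$result" >> "$log"
    [ "$result" = MATCH ]
}

# Stand-alone walk-through: image a constructed source, alter one byte of the
# image, and show verification failing.  Run as:  sh acquire.sh demo
demo() {
    work=$(mktemp -d)
    make_sample_source "$work/src.bin"
    image_and_verify "$work/src.bin" "$work/src.dd" "$work/acquire.log" \
        && echo "image verified"
    printf 'X' | dd of="$work/src.dd" bs=1 seek=100 conv=notrunc 2>/dev/null
    verify_image "$work/src.bin" "$work/src.dd" || echo "image no longer matches"
    cat "$work/acquire.log"
    rm -rf "$work"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

One caveat worth knowing before relying on the checksum comparison: conv=sync pads the final short read up to the block size, so a source whose length is not a multiple of bs produces an image that is longer than the source and will not hash identically even though nothing was lost. Block devices are sector multiples, so choosing bs as a divisor of the device size (or bs=512) avoids this; for a file it does not, which is why verify_image compares sizes as well as digests.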
This archive was generated by hypermail 2b30 : Fri Jun 29 2001 - 07:53:47 PDT