FYI:

dd/grep/find/mount/etc. = Tool
Linux/BSD/Windows/etc. = Operating System

Before you start worrying about "virtual memory systems" and "disk buffers" you might want to be sure you have a good understanding of the basic concepts you're testifying about. This is a key that many people who are interested in the field of digital evidence seem to miss.

Based on your comments, I'd almost expect you to have a @guidancesoftware or @microsoft e-mail address. You seem to have bought into all the anti-Unix hype without really thinking through the issues that are at stake when discussing evidential integrity and expert witness testimony.

In particular, your statement that

> Although Linux can be used successfully as a forensic tool in many cases simply because the defense wouldn't have the money or the expertise to attack it, you should be very cautious about using it as an evidentiary tool in a big money case. It would be better to use a tool that is easier to explain to a jury.

is nothing but mindless FUD, without any evidence to back it up. I'm not sure what you consider "big money", but I've successfully used and defended the use of Linux (the OS) and various Unix tools (dd, grep, find, etc.) in cases involving tens of millions of dollars as well as the fate of an entire company. In both cases I went against large law firms with "big gun" expert witnesses and large budgets, and in both cases the digital evidence I provided and presented in court was key to winning huge settlements.

Mr. Warfield presented a VERY thorough rebuttal of the other points you raise, so I'm not going to waste time or space here going over them again. I'll just close with this quote from his post; I highly recommend you read his entire post to get the context.

"you probably have no business in court in any case (pun intended)."

-j

---------- Forwarded message ----------
Date: Fri, 29 Jun 2001 09:00:58 -0400
Subject: Re: Where are greater risks?
From: Bob Johnson <bobat_private>
To: James Holley <jholleyat_private>
Cc: forensicsat_private

James Holley wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Mike,
>
> I respectfully disagree with you on these 2 points:
>
> > ... the purpose is to make use of a tool which does only one
> > job and is so transparently simple that it can be accepted by
> > non-technical people in court as valid for legal purposes. After
> > all this *is*
> > forensics!
>
> There really is no requirement for a forensic tool to be
> "transparently simple". Ghost, SafeBack, EnCase, Maresware, The
> Forensics Tool Kit, The Coroner's ToolKit, etc, are far from simple.
> The folks at Guidance Software have published that EnCase has over
> 300,000 lines of source code. But all these tools, when used properly
> by someone who understands to some level of detail what the tools are
> doing, can be used to get evidence into court.

The evidence you present must be able to stand up to a defense attorney asking you to explain exactly how Linux moves the data from one disk to another, and how you know that nothing could have gone wrong with that process. How do you know that the data that ends up on the target drive isn't stuff that was already there from a previous investigation, instead of his client's data? Have you reviewed the code personally? Are you an expert on operating system design? Can you explain why Linux has a history of introducing new file systems because of problems with the old ones? How about the virtual memory system? Have you reviewed the code for it? How do you know the VM system didn't overwrite the disk buffers with old data from unused sectors on its own boot drive, inserting stuff that was actually left over from an old investigation that the old drive had been used in?

Yes, all of these questions _can_ be answered, but will you have the answers ready when you are faced with them in court? The advantage of a simple tool is that the answers are simple.
"Well, it doesn't have a VM system, so that couldn't have happened."

>
> > No way could you defend a complex system like Linux on this basis,
> > particularly taking into account the way it has been developed.
>
> Linux is just an operating system. From one perspective it is no
> different than any other operating system: it gives users access to
> resources to get a job done. Of course it is vastly different from a
> number of other perspectives, but if a user knows how to leverage the
> built-in tools of the operating system, they can forgo buying many of
> the commercial forensic tools available. Linux is a powerful forensic
> platform.

It may be powerful for analyzing data, but how will you defend it in front of a jury? "No, I don't know if this particular version of Linux has ever had a complete code audit. No, I don't know if the people who wrote that code knew what they were doing." (given the security history of Linux, the answer is: they probably didn't)

>
> It is really a matter of training, knowledge, skills and experience.
> And those same qualities are what qualify an individual to testify in
> court as an expert. The real issues are knowing your tools, knowing
> what they can and what they can't do, testing them to validate their
> functionality and using them properly to conduct your work. The
> courts will not argue about that and will not impose upon the
> forensic examiner that any particular tool must or should be used.

In most U.S. jurisdictions, at least, it isn't the court that will argue with you. The judge is obligated by law to accept the testimony of an expert witness as reliable. It is when the defense presents their own expert witness who explains to the jury why the tools you used are unreliable that you will have problems. Once there are two expert witnesses in conflict, the judge has discretion about whom to believe. And the defense only has to insert a little bit of doubt in the jury's minds to win the case.
When the defense hires their own expert on operating system design who explains how Linux was developed by a bunch of hobbyists, and challenges you to produce documentation that proves it was designed by a process that meets industry "best practices", you will have a problem. Because in court, a defense attorney isn't really interested in the truth. His goal is to get the jury to have just a little bit of doubt about what happened. If he can do that, he wins.

Although Linux can be used successfully as a forensic tool in many cases simply because the defense wouldn't have the money or the expertise to attack it, you should be very cautious about using it as an evidentiary tool in a big money case. It would be better to use a tool that is easier to explain to a jury.

- Bob

>
> Respectfully,
>
> James
>
> *********************************************
> James O. Holley
> Advanced Research Projects Team
> Fiderus Strategic Security & Privacy Services
> (w) 703.684.3140 (p) 888.620.5275
> jholleyat_private or 6205275at_private
>
> Emergency 24 hour response: 1-877-595-8491
> *********************************************

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
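The imaging questions Bob raises (how you know nothing went wrong moving data from one disk to another, and how you know the target did not still hold data from a previous investigation) are answered in practice with recorded hashes and a verified-clean target rather than with trust in the operating system. The script below is an added example, not part of this thread or of any tool it names; it runs dd over constructed sample files in a temporary directory and assumes a POSIX sh with sha256sum or shasum available.

```shell
#!/bin/sh
# Added example (not from the thread): image with dd so that "nothing went wrong"
# and "the target held no leftover data" are answered by recorded checks rather
# than by trust in the OS. Runs on regular files so it works anywhere; the same
# commands apply to a write-blocked source device and a wiped target device.

hash_stdin() {
    # SHA-256 of stdin: sha256sum on Linux, shasum on BSD/macOS.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    else shasum -a 256 | cut -d' ' -f1; fi
}

target_is_clean() {
    # True only if every byte of the target is NUL (or it is empty): strip the
    # NULs and see whether anything remains. Residual data means "wipe it first".
    [ "$(tr -d '\000' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

image_and_verify() {
    # $1 = source, $2 = target. Returns 0 only if the target was clean beforehand,
    # the source is unchanged afterwards, and the image hashes equal to the source.
    src=$1; dst=$2
    target_is_clean "$dst" || { echo "target holds residual data; wipe it first" >&2; return 2; }
    size=$(wc -c < "$src" | tr -d ' ')
    before=$(hash_stdin < "$src")                  # the hash you record before imaging
    # conv=sync,noerror reads past bad sectors and NUL-pads short blocks, so the
    # image can be longer than the source; compare only its first $size bytes.
    dd if="$src" of="$dst" bs=512 conv=sync,noerror 2>/dev/null || return 3
    after_src=$(hash_stdin < "$src")
    after_dst=$(head -c "$size" "$dst" | hash_stdin)
    [ "$before" = "$after_src" ] || { echo "source changed during imaging" >&2; return 4; }
    [ "$before" = "$after_dst" ] || { echo "image does not match source" >&2; return 5; }
    printf '%s  %s\n' "$before" "$dst"             # the value you document and testify to
}

demo() {
    # Constructed sample data: a 3000-byte "disk" (deliberately not a multiple of
    # 512, so the padding case is exercised) imaged onto an empty target file.
    d=$(mktemp -d) || return 1
    printf 'evidence %05d\n' $(seq 1 200) > "$d/source.img"
    : > "$d/target.img"
    image_and_verify "$d/source.img" "$d/target.img"; rc=$?
    rm -rf "$d"
    return $rc
}

demo
```

On a real drive the printed hash line, dd's record counts and the pre-imaging clean check are what go into the examiner's notes; a target that fails the clean check is wiped and re-checked before any imaging starts.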
This archive was generated by hypermail 2b30 : Sat Jun 30 2001 - 09:32:35 PDT