Forensic procedures need not be standardized in order to be valid. In fact, standards of forensic procedure can be harmful when a method is found to fool the procedure -- we can show that the procedure as standardized is potentially fallible but we can almost never prove that the specifics of the case in question constitute an occurrence of exploitation of any such fallibility, and this calls into question the sensibility of allowing the standard to exist in the first place. Do not be fooled by the provability of computer algorithms. Regardless of the digital evidence found that appears to match the expectations of a particular algorithm or forensic procedure, the events that occur in reality do not always correspond to the forensic evidence. This is why we have juries and place our trust in them for both civil and criminal court proceedings. The real questions are: 1) Will a jury accept computer evidence that is always circumstantial as reliable evidence in spite of its inherent fallibility? 2) Will the judge instruct the jury to question computer evidence more thoroughly than they would other types of evidence because it is not as reliable? Will the court provide an information security primer to each juror before they go into deliberations so that the jurors have the proper level of skepticism about what they just witnessed unfold before them in court? The answers are 1) yes, 2) no; and worse yet is the fact that the inherent fallibility of digital evidence is almost never discussed in front of the jury even by experts who offer testimony. When it is necessary to argue that a virus might have been responsible for the condition of the computer evidence as it was found by law enforcement or the opposing party's experts, the jury is almost never inclined to believe this argument as reasonable -- even when it's objectively true. 
There are no checks and balances in practice when it comes to computer evidence; there are only two things that protect the accused or counterbalance the civil court action brought by the plaintiff for the benefit of the defense: 1) An agreement as to the nature of the conflict -- i.e. plaintiff is suing defendant for X because of Y and defendant disputes every element of the plaintiff's complaint. 2) All parties must make themselves understood to the jury -- the defense maintains that in spite of what the computer evidence appears to show, the following set of circumstances and evidence should cause the jury to disregard what the computers have to say and consider more reasonable evidence offered for consideration in the case by the defense. It's often a waste of time and money to overanalyze computer evidence. In the real world a fingerprint lineup doesn't even occur objectively with double-blind protections; law enforcement take a latent print from the crime scene and direct prints from a suspect and they compare the two. If you've ever seen examples of this process unfold in practice, you know that it's not hard to see what you're looking for and convince yourself that you would be willing to testify that you see a match between the smudge on the latent print tape and the suspect's direct print card... But if you were not given the two and asked to compare them, if instead you were given a dozen latent print samples and a dozen direct print cards and asked to pair them up, you'd be unable to do so with enough accuracy to allow ANY latent print fingerprint evidence into court in the first place. We must be extremely careful not to confer objective truth to everything we see in computer evidence simply because of the mathematical beauty of the machinery and algorithms that make it all possible.
Do not think for a moment that improving the standards of forensic analysis changes the basic fact that computers are fallible and they can be compromised and reprogrammed in such a way that zero residual evidence of the execution of malicious code remains. Anyone who has a working knowledge of the vulnerabilities and exploits that occur in practice in the real world of computer use has seen ample evidence to convince them to never base truly important decisions on computer evidence alone. In many ways one could argue that computer evidence should not even be allowed into court as circumstantial evidence because the true circumstances of the executable program code that controlled the operation of any computer at any point in the past is nearly always unknown and unknowable.

Jason Coombs
jasoncat_private

-----Original Message-----
From: adminat_private [mailto:adminat_private]
Sent: Wednesday, January 15, 2003 1:03 AM
To: forensicsat_private
Subject: Re: CRC32 vd MD5

Firstly, a big (and belated) thank you for all the replies, both on and off list, to my original post on this issue. From what I gather from these responses, I think my original gut feeling that CRC32 by itself was probably not "enough" for forensic purposes seems to be sound. That being so, I'm unsure why an experienced team investigating such a high profile case would use MD5 only at a later stage in response to opposing counsel's comments (but I don't know the full facts of the case so won't comment further). Of equal interest, though, has been the broader discussion of the distribution of MD5 hashes once created, chain of custody procedures and the integrity/credibility of forensic professionals. I was particularly interested in one idea concerning the initial imaging/hashing of evidence in the presence of the defence/defendant/other party and providing the resultant hash to them at this early stage in some kind of secure (digitally signed?) form (I guess for this procedure to have any value it becomes crucial to establish that the evidence could not have been altered by either side before the imaging/hashing process). Nevertheless, is anyone using this type of procedure or are the checks and balances of modern criminal systems sufficient to render it unnecessary? Equally, are those of us working in the corporate arena satisfied that enough is done with regard to establishing the integrity of the evidence we examine or produce?

Jamie

--
Jamie Morris
Forensic Focus
Email: adminat_private
Web: http://www.forensicfocus.com

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
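The imaging-time hash record Jamie describes (hash the image, hand the result to the other party in a signed form, check it later) as an added example; this is not code from either poster or from the list. It constructs a sample image inline and uses an HMAC with an assumed shared key as a stand-in for the digital signature; it records both CRC32 and MD5 so that the verifier reports which of the two a later change trips.

```python
import hashlib
import hmac
import json
import zlib

# Constructed sample "evidence image": deterministic bytes standing in for
# a disk image acquired at imaging time.
EVIDENCE_IMAGE = bytes((i * 7 + 3) % 256 for i in range(4096))

# Assumed examiner key (placeholder). A real procedure would use an
# asymmetric signature so the other party can verify without this key.
SIGNING_KEY = b"examiner-signing-key-placeholder"


def digests(data: bytes) -> dict:
    """CRC32 is a 32-bit checksum, not a cryptographic hash; MD5 is the
    128-bit digest the list discussion treats as the stronger of the two."""
    return {
        "crc32": format(zlib.crc32(data) & 0xFFFFFFFF, "08x"),
        "md5": hashlib.md5(data).hexdigest(),
    }


def make_manifest(data: bytes, case_ref: str, key: bytes) -> dict:
    """Record produced in front of the other party and handed to them."""
    body = {"case": case_ref, "size": len(data), **digests(data)}
    canonical = json.dumps(body, sort_keys=True).encode()
    body["hmac_sha256"] = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return body


def verify_manifest(data: bytes, manifest: dict, key: bytes) -> list:
    """Return the names of every failed check; an empty list means intact."""
    failures = []
    body = {k: v for k, v in manifest.items() if k != "hmac_sha256"}
    canonical = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    # Constant-time comparison so the manifest itself cannot be edited
    # after the fact without the signature check noticing.
    if not hmac.compare_digest(expected, manifest.get("hmac_sha256", "")):
        failures.append("signature")
    if manifest.get("size") != len(data):
        failures.append("size")
    for name, value in digests(data).items():
        if manifest.get(name) != value:
            failures.append(name)
    return failures
```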
This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 03:41:27 PST