Full Disclosure mailing list archives

[Fwd: Returned post for forensics () securityfocus com]


From: Jason Coombs <jasonc () science org>
Date: Mon, 04 Jul 2005 14:59:49 -1000

I'm sick and tired of the stupid securityfocus.com mailing list moderators who keep refusing to allow the truth to be added to the discussions that they moderate.

Boycott Symantec. They're a bunch of arrogant exploiters of other people's stupidity, and they attract those who are like-minded.

Symantec profits through suppressing truth and encouraging delusion.

May every person who supports the suppression of full disclosure go to prison for crimes they didn't commit based solely on digital evidence.

Hooray for modern American-prisoner-industrial-slavery capitalism.

Regards,

Jason Coombs
jasonc () science org


-------- Original Message --------
Subject: Returned post for forensics () securityfocus com
Date: 4 Jul 2005 23:18:20 -0000
From: forensics-help () securityfocus com
To: jasonc () science org

Hi! This is the ezmlm program. I'm managing the
forensics () securityfocus com mailing list.

I'm working for my owner, who can be reached
at forensics-owner () securityfocus com.

I'm sorry, the list moderators for the forensics list
have failed to act on your post. Thus, I'm returning it to you.
If you feel that this is in error, please repost the message
or contact a list moderator directly.

--- Enclosed, please find the message you sent.

Subject: [Fwd: Re: Tools accepted by the courts]
From: Jason Coombs <jasonc () science org>
Date: Wed, 29 Jun 2005 11:25:33 -1000
To: Forensics <forensics () securityfocus com>

For those who asked to read my original post ... See below.

I propose that we do two things:

1) Add an impartial peer-review step to every submission of 'digital evidence' in court;

2) Publish all expert/analysis reports and transcripts of testimony given by forensic examiners;

3) Build a mechanism (an automatic appeal, perhaps, on the grounds that computer forensics was used to assist in the conviction) whereby careful scrutiny can be performed after-the-fact of every criminal conviction that was obtained through the involvement of 'computer forensics'.

4) Require law enforcement computer forensic examiners to do work on behalf of the defense.

I have witnessed unreasonable law enforcement and prosecution behavior and technical mistakes that cause me to believe that courts are being systematically misled with respect to the reliability of computer forensic evidence.

Believe it or not, people have been convicted of crimes based on computer evidence alone in cases where the fact of their computer having been acquired used, or frequently operated by multiple users, or outright owned by a warez or porn distributor, or hijacked and forced to be a P2P file sharing hub, or massively infected with spyware and Trojans, gets completely ignored.

The only case I have ever seen in which prosecution/law enforcement computer forensics even bothered to look into such issues of information security was a UCMJ court martial where the DODCFL took care to locate and report the existence of the presence of a Trojan and a keylogger on the suspect's computer.

Considering that this UCMJ case was a direct result of the FBI's "operation site key" child porn investigation, where nothing more than the suspect's credit card number having been found in the "site key" database of online child porn customers led to the charges in question, and the keylogger and Trojan probably did result in a third party being in possession of the suspect's credit card information, a failure of the DODCFL to search for such evidence would have itself been criminal.

Fortunately, the DOD computer forensic lab staff appear quite skilled, and they are available to do work on behalf of the accused service member. The fact that the HTCIA has a written policy against any law enforcement forensic examiner ever doing work on behalf of a defendant is disgusting and offensive in light of the DOD's more enlightened procedures.

We allow 'digital evidence' to have meaning and we give it weight in court, but we do so by ignoring how easy it is for anyone to obtain whatever information they need to steal another person's identity, and we do so by ignoring the fact that it is impossible to know what happened in the past to a digital computer. (heck, it is nearly-impossible in practice to know what a digital computer is doing RIGHT NOW)

This issue goes far beyond simply 'fixing' the broken system that exists today. For the better part of the last two decades computer forensics has been in use by law enforcement in real-world investigations. From my experience as an instructor of CCE "boot camp" courses I learned that John Mellon claims to have invented computer forensics twenty years ago when he was at the IRS. If he is correct that some of the first uses of computer forensics in criminal investigations occurred in connection with IRS enforcement of the tax code against U.S. citizens, then the entire field is even more badly contaminated with government conflict of interest than I had previously imagined.

We must stop any government from misusing 'digital evidence' as an institutionalized method to transform free citizens into economic or political fuel that enriches those who believe that it is proper to imprison as many people as possible. Computer forensics provides a very slippery slope whereby widespread imprisonment of persons can be manufactured merely by devoting more of society's resources to the task.

The fact that people who fear this outcome do not, out of choice, work in positions of authority where they might be able to stop it from happening or explain its dangers should give us all pause to reflect on that which we are creating and encouraging when we make 'computer forensics' more important than it should be.

Regards,

Jason Coombs
jasonc () science org

-------- Original Message --------
Subject: Re: Tools accepted by the courts
Date: Thu, 16 Jun 2005 07:24:54 -1000
From: Jason Coombs <jasonc () science org>
Reply-To: jasonc () science org
To: Robert Larson <robert.j.larson () gmail com>
CC: forensics () securityfocus com
References: <fdbad77605061514155fbd6da8 () mail gmail com>

Robert,

It is not the tool that gets thrown out, but the forensic examiner's use
of it. In the very first case that Guidance Software worked on where
Guidance consultants conducted a forensic examination of digital
evidence and then authored an examination report, an associate of PivX
Solutions (http://www.pivx.com) proved that Guidance failed to notice
that the date/time stamps on the files in question pre-dated the dates
on nearly all other files, and pre-dated the date that the OS was first
installed. The strong implication being that the files were actually
created on a different computer, not on the computer in question.

Because that was material to the case, the judge threw out Guidance (the
company, not the EnCase product) and refused to allow them to supply
expert analysis or fact testimony concerning the evidence.

No 'forensic' tool will ever be excluded from court.

If a skilled technical person with credentials and experience doing this
work deems a particular tool useful for a particular purpose, then the
court allows the work product to speak for itself or the court allows
the person who used the tool to give an informed interpretation.

In nearly every case the computer examiner offers expert testimony, not
fact testimony. The court does not impose requirements on how experts
apply their expertise, and the court must, in almost every case where
computer forensics is employed, not allow anyone involved to
misrepresent computer data as being 'fact'.

All computer data is circumstantial.

Regards,

Jason Coombs
jasonc () science org


Robert Larson wrote:

> I'm involved in a discussion with some co-workers concerning forensic
> tools and the fact that evidence acquired with some tools is going to
> be more accepted in court than others.
>
> Has anyone encountered a situation where evidence extracted with a
> particular tool was not accepted?
>
> For example, an examiner using a "homemade" script to carve
> information from unallocated space versus a commercial carving tool.
>
> Robert
>
>
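The timestamp check described in the reply above, as an added example that is not part of the thread or of any forensic product: a short Python pass over a file listing exported from an image that flags files created before the volume's OS install time, reports how many other files each one pre-dates (the signal that they were created elsewhere and copied in), and also catches the related modified-before-created inconsistency. The install time, paths and timestamps are constructed sample values.

```python
from datetime import datetime

# Constructed sample data (not from any real case): the OS install time of the
# volume and an export of (path, created, modified) timestamps from the image.
OS_INSTALL = datetime(2004, 3, 10, 9, 0)
SAMPLE_FILES = [
    ("C:/Windows/system32/kernel32.dll", datetime(2004, 3, 10, 9, 12), datetime(2004, 3, 10, 9, 12)),
    ("C:/Documents/report.doc",          datetime(2004, 8, 2, 14, 5),  datetime(2004, 8, 3, 10, 0)),
    ("C:/Documents/photo1.jpg",          datetime(2004, 9, 1, 12, 0),  datetime(2004, 9, 1, 12, 0)),
    ("C:/Documents/photo2.jpg",          datetime(2004, 9, 1, 12, 1),  datetime(2004, 9, 1, 12, 1)),
    ("C:/Temp/suspect_a.jpg",            datetime(2001, 5, 20, 3, 0),  datetime(2001, 5, 20, 3, 0)),
    ("C:/Temp/suspect_b.jpg",            datetime(2001, 5, 20, 3, 1),  datetime(2001, 5, 20, 3, 1)),
    ("C:/Temp/broken.txt",               datetime(2004, 10, 5, 8, 0),  datetime(2004, 10, 4, 8, 0)),
]


def timeline_anomalies(files, os_install):
    """Return {path: [reason, ...]} for files whose timestamps are inconsistent
    with the volume's own history.

    files      iterable of (path, created, modified) datetimes
    os_install datetime the operating system was installed on this volume
    """
    findings = {}
    created_all = [c for _, c, _ in files]
    others = max(len(created_all) - 1, 0)
    for path, created, modified in files:
        reasons = []
        if created < os_install:
            # Nothing should have been written to this volume before the OS
            # existed on it; a creation time before install points at a file
            # created on another system and copied here with its metadata.
            days = (os_install - created).days
            later = sum(1 for c in created_all if c > created)
            reasons.append(f"created {days} days before OS install; "
                           f"predates {later}/{others} other files")
        if modified < created:
            # A file cannot be modified before it exists; this usually means
            # the metadata was copied, tampered with, or the clock was wrong.
            reasons.append("modified before created")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in timeline_anomalies(SAMPLE_FILES, OS_INSTALL).items():
        print(path)
        for reason in reasons:
            print("    " + reason)
```

A finding here is a lead for the examiner to explain in the report, not a conclusion on its own; the reply above is precisely about what happens when such a lead is not noticed.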

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

