Full Disclosure mailing list archives

Re: Re: Guidance


From: "Jason Coombs" <jasonc () science org>
Date: Wed, 21 Dec 2005 03:49:05 +0000 GMT

J.A. Terranson wrote:
... accurate and completely supporting information ...

Alif,

Come now, my friend, you know very well that there is no such thing in computing unless you happened to be monitoring 
all internal and external I/O of the computing device in question at the time the alleged 'data' were allegedly 
'processed' by that computing device.

You put on a hat labeled 'computer forensic examiner' as a necessary matter of business practice, in order for other 
people to understand what you are when you are serving that role in some forensic situation. But by wearing such title, 
and by engaging in such business, you are forced to make gigantic leaps of imagination in order to offer opinions as to 
your finding of 'accurate and completely supporting information' after your forensic tools and your knowledge of 
software give you a glimpse of the past that is beyond the capability of mere mortals.

The problem, and the reason the entire industry needs to die, is that this creates a situation in which the side with 
the best imagination wins.

It doesn't help the discovery of truth for people with forensic tools and talent to suggest that their imagination is 
superior and therefore can prove conclusively what happened in the past.

No matter what safeguards you or the rest of the computer forensics industry develop, I will still be able to defeat 
your imagination because yours is limited by budgets and time constraints, whereas I am only limited by the lengths to 
which I am willing to go to deposit fake evidence and secretly control other people's computers.

Given the desire to do so, any motivated adversary could cause your computers to contain 'accurate and completely 
supporting information' of their choosing, without possibility of detection after-the-fact. It is only badly-executed 
intrusions or intruders caught-in-the-act that result in the owner of a computer system discovering that their security 
has been compromised.

This is the end result of the ability to execute arbitrary code or gain unauthorized physical or logical access to 
vulnerable computer systems.

When the 'computer forensics' industry requires of each practitioner a written and spoken caveat to this effect before 
and after every report that an examiner delivers to a client, that's when there might be some justification for the 
industry to exist at all. Until then, we're all a bunch of self-serving glory hounds who can't find anything better to 
do with life, and who don't mind putting other people at risk for our own short-term benefit.

We absolutely must be stopped. But that doesn't mean I will be turning away jobs myself. As long as this booming market 
keeps making me rich, I'll keep doing my job to the best of my ability. But I won't be happy about it until the 
nonsense stops and people start thinking rationally about how silly it is to trust computer data and call it 'evidence' 
-- it is digital dumpster diving, and the hard drives are garbage cans.

Be careful which garbage can you stand next to, because proximity to the garbage is now effectively a crime thanks to 
flawed computer forensics. We are all at risk unnecessarily, and full disclosure of the true nature of that risk is our 
only protection against persons of superior imagination.

Regards,

Jason Coombs
jasonc () science org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
