RE: Re: Careless Law Enforcement Computer Forensics Lacking InfoSec Expertise Causes Suicides

["dave kleiman" <dave () isecureu com>]

Inline....

> -----Original Message-----
> From: THORNTON Simon [mailto:Simon.THORNTON () swift com]
> Sent: Tuesday, October 04, 2005 05:59
> To: Stefano Zanero; jasonc () science org; dave kleiman
> Subject: RE: [Full-disclosure] Re: Careless Law Enforcement
> Computer Forensics Lacking InfoSec Expertise Causes Suicides
>
> Hi,
>
> The issues you've raised are very common, the reasons why
> there are so many "misuses" of forensic data are varied.
>
> 1) The Computer Crime Units (CCU) of most police forces often
> lack the technical skills to investigate. They are familiar
> with conventional evidence gathering but less so with
> Digital. For them, if they raided someones house and found
> glossy photographs present, there is little reason to seek
> for an alternative cause ("my neighbour planted it?"). If
> they seize a hard disk and there are images then they apply
> (wrongly) the same assumption that the person downloaded.
>
> > From my own work, I now of CCUs where the officer
> investigating loads a
> standard piece of s/w onto the disks and scans for images; he
> does not (and is unable to) look for anything else.


All the LEA's I work with have gone through FLETC, maybe you should
encourage those to do the same, or as I do VOLUNTEER to help them and if
necessary teach them!!


> In many countries the Computer Crime units spend 90% or more
> of there time dealing with Child pornography; anything else
> is often way beyond them. If the case is major enough, they
> may, in very exceptional cases, pass the evidence to a 3rd
> party for detailed analysis.


It is not beyond them by any means. They are overwhelmed with CP cases. That
is why they formed the ECTF, the ECTF has taken on the task of helping all
levels of LEA's with other types of electronic crimes.


> 2) Most people can cope with physical security; they lock
> their doors/windows when they go out. When you are talking
> about computers Joe Public is generally clueless; they do not
> realise the risk or what can happen.
>
> 3) The court system has a difficult time dealing with
> complicated forensic evidence, whatever the source, be it
> physical or digital. Try explaining to a group of
> non-technical jurors, the judge and often council, the ins
> and outs of the digital evidence in a way they can
> understand. I've seen so-called "expert" witnesses unable to
> answer even simple questions about where a program (such as
> encase) extracted a set of file names and time stamps from.


That it is why I act as or enlist a court preparation technician.

This is one who is:

Responsible for preparing the examined evidence submitted, interpreting the
findings, writing the report and providing evidence of fact and opinion for
the court.
Is proficient in preparing documentation and visual aides, and articulate
these findings in a court/jury comprehensible format.
Is be able understand the evidentiary findings of the forensic specialists.


> 4) Many jurors, based on programs such as CSI think that you
> can prove innocence or guilty SOLELY on the forensic
> evidence. In reality it requires a lot more than just a hard
> disk analysis to make a strong case.


Many jurors do not even no how to spell computer, it is our job to break it
down for them.

Can case be proven solely on physical and direct evidence?????????


> 5) Security professionals involved in Digital Forensic work ("expert
> witnesses") also bear a large responsibility to make sure
> that they present the data correctly and document all avenues
> explored.




> 6) The laws and the requirements on evidence gathering vary
> enormously across different countries. What is illegal in one
> can be perfectly legal in another.  For instance;

Yes they do but they are attempting to unify many things throughout various
countries, but it is not going to happen overnight:


Interpol official site - International Criminal Police Organization - ICPO
https://www.interpol.int
IT Crime - Regional working parties:
https://www.interpol.int/Public/TechnologyCrime/WorkingParties/Default.asp
European Working Party on Information Technology Crime
American Regional Working Party on Information Technology Crime
African Regional Working Party on Information Technology Crime
Asia-South Pacific Working Party on Information Technology Crime
Steering Committee for Information Technology Crime
Virtual Global Taskforce http://www.virtualglobaltaskforce.com/




> I agree with Jason that evidence is often misused, by both
> sides, defense and prosecution. I often dispair at the (lack)
> of comptenance of state agencies and the weaknesses in the
> legal systems.
>
> What many people fail to realise is that there is a lot more
> to the investigation carried out by agencies than just
> digital forensics. The "public" information reported on cases
> is often diluted (by court ignorant reporters) or
> disinformation intended to protect the sources or victims.
> The last thing you want to do is tell the bad guys how you
> collected all your evidence and who might have given it to you.
>
> I've seen people who are guilty as charged get off with the
> "Trojan Defense", even when the forensic analysis showed
> conclusively that there were no backdoors or other reason why
> the data could have been on a machine.
>
> It is very regrettable that someone commits suicide as the
> result of being charged or convicted of a crime but it is not
> confined to cases involving digital evidence. Anyone entering
> a prison is often put on a "suicide" watch when they first
> enter; especially those with long sentences or offences
> involving sex, children or treason. In the larger perspective
> there are miscarriages of justice in our legal systems; we
> are not going to resolve these easily except by being
> vigiliant and questioning what happens.
>
>
> Rgds,
>
> Simon


Dave


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/