Full Disclosure mailing list archives
RE: Re: Careless Law Enforcement Computer Forensics Lacking InfoSec Expertise Causes Suicides
From: "dave kleiman" <dave () isecureu com>
Date: Tue, 4 Oct 2005 12:29:31 -0400
Inline....
-----Original Message-----
From: THORNTON Simon [mailto:Simon.THORNTON () swift com]
Sent: Tuesday, October 04, 2005 05:59
To: Stefano Zanero; jasonc () science org; dave kleiman
Subject: RE: [Full-disclosure] Re: Careless Law Enforcement Computer Forensics Lacking InfoSec Expertise Causes Suicides

Hi,

The issues you've raised are very common, the reasons why there are so many "misuses" of forensic data are varied.

1) The Computer Crime Units (CCU) of most police forces often lack the technical skills to investigate. They are familiar with conventional evidence gathering but less so with Digital. For them, if they raided someone's house and found glossy photographs present, there is little reason to seek for an alternative cause ("my neighbour planted it?"). If they seize a hard disk and there are images then they apply (wrongly) the same assumption that the person downloaded. From my own work, I know of CCUs where the officer investigating loads a standard piece of s/w onto the disks and scans for images; he does not (and is unable to) look for anything else.
All the LEAs I work with have gone through FLETC, maybe you should encourage those to do the same, or as I do VOLUNTEER to help them and if necessary teach them!!
In many countries the Computer Crime units spend 90% or more of their time dealing with Child pornography; anything else is often way beyond them. If the case is major enough, they may, in very exceptional cases, pass the evidence to a 3rd party for detailed analysis.
It is not beyond them by any means. They are overwhelmed with CP cases. That is why they formed the ECTF, the ECTF has taken on the task of helping all levels of LEAs with other types of electronic crimes.
2) Most people can cope with physical security; they lock their doors/windows when they go out. When you are talking about computers Joe Public is generally clueless; they do not realise the risk or what can happen.

3) The court system has a difficult time dealing with complicated forensic evidence, whatever the source, be it physical or digital. Try explaining to a group of non-technical jurors, the judge and often counsel, the ins and outs of the digital evidence in a way they can understand. I've seen so-called "expert" witnesses unable to answer even simple questions about where a program (such as EnCase) extracted a set of file names and time stamps from.
That is why I act as or enlist a court preparation technician. This is one who is: Responsible for preparing the examined evidence submitted, interpreting the findings, writing the report and providing evidence of fact and opinion for the court. Is proficient in preparing documentation and visual aids, and articulating these findings in a court/jury comprehensible format. Is able to understand the evidentiary findings of the forensic specialists.
4) Many jurors, based on programs such as CSI, think that you can prove innocence or guilt SOLELY on the forensic evidence. In reality it requires a lot more than just a hard disk analysis to make a strong case.
Many jurors do not even know how to spell computer, it is our job to break it down for them. Can a case be proven solely on physical and direct evidence?????????
5) Security professionals involved in Digital Forensic work ("expert witnesses") also bear a large responsibility to make sure that they present the data correctly and document all avenues explored.
6) The laws and the requirements on evidence gathering vary enormously across different countries. What is illegal in one can be perfectly legal in another. For instance;
Yes they do but they are attempting to unify many things throughout various countries, but it is not going to happen overnight:

Interpol official site - International Criminal Police Organization - ICPO
https://www.interpol.int

IT Crime - Regional working parties:
https://www.interpol.int/Public/TechnologyCrime/WorkingParties/Default.asp

European Working Party on Information Technology Crime
American Regional Working Party on Information Technology Crime
African Regional Working Party on Information Technology Crime
Asia-South Pacific Working Party on Information Technology Crime
Steering Committee for Information Technology Crime

Virtual Global Taskforce
http://www.virtualglobaltaskforce.com/
I agree with Jason that evidence is often misused, by both sides, defense and prosecution. I often despair at the (lack) of competence of state agencies and the weaknesses in the legal systems.

What many people fail to realise is that there is a lot more to the investigation carried out by agencies than just digital forensics. The "public" information reported on cases is often diluted (by court ignorant reporters) or disinformation intended to protect the sources or victims. The last thing you want to do is tell the bad guys how you collected all your evidence and who might have given it to you.

I've seen people who are guilty as charged get off with the "Trojan Defense", even when the forensic analysis showed conclusively that there were no backdoors or other reason why the data could have been on a machine.

It is very regrettable that someone commits suicide as the result of being charged or convicted of a crime but it is not confined to cases involving digital evidence. Anyone entering a prison is often put on a "suicide" watch when they first enter; especially those with long sentences or offences involving sex, children or treason.

In the larger perspective there are miscarriages of justice in our legal systems; we are not going to resolve these easily except by being vigilant and questioning what happens.

Rgds,
Simon
Dave

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/