Honeypots mailing list archives

Re: Free/Open Source Disk Imaging Tools


From: Bill Moylan <wmoylan () jjay cuny edu>
Date: Fri, 07 Feb 2003 15:43:25 -0500

cta () hcsin net wrote:

"Those in computer forensics must understand....."

"those who are responsible....must employ...."

That's a lot of "musts" in one email.

I am relatively certain that criminal court judges in this neck of the woods would dismiss your argument unless you could show more than a possibility that exculpatory data could be hidden by the extraordinary means that you suggest. That a thing is "possible" is used all the time at trial to raise doubt in the minds of the jury, but one would have to demonstrate that relevant data was in fact missed in the imaging process in order to get the image thrown out. Otherwise, one would likely simply be given the opportunity to raise the issue at trial, by which time the forensic examiner will have explored the issue that was raised, assuming that he had the original hard drive. It is, however, an argument to make to those judges who won't allow the police to seize systems, and instead order the imaging to be done on-site. We can now argue that we need the original drives in case issues such as yours are raised by defense counsel.
In California, however, all bets are off.... and I would try not to say "positional entropy", it will just make the judge mad.

        Bill

Det. Bill Moylan CNE, CFCE, CISSP
Nassau County, New York PD
New York Electronic Crimes Task Force

