Honeypots mailing list archives
Re: Free/Open Source Disk Imaging Tools
From: "Bernie, CTA" <cta () hcsin net>
Date: Sun, 9 Feb 2003 14:43:00 -0500
In response to:

On 7 Feb 2003, at 15:43, Bill Moylan wrote:
> That's a lot of "musts" in one email...
First let me say I am not an attorney; my expertise is in computer and communications security and soup-to-nuts software programming, specifically writing drivers and kernel modules in assembly language. I do however have first-hand knowledge of the issues surrounding the acquisition, preservation and presentment of computer information stored on hard drives as evidence in criminal cases.

For a moment let's agree that one can prove that data could be hidden in out-of-band areas of a hard drive, and therefore methods should be practiced by the expert / forensics examiner to probe these areas. Albeit, this fact could be strongly established by actual tests / demonstrations, documented incidents, and expert testimony. There is plenty of Federal case law concerning expert testimony where evidence was suppressed when it was established that the expert was possibly incompetent, or simply failed to perform a test/procedure which he knew or should have known would have disclosed additional information, exculpatory or not.

Let's make some other assumptions: Consider a crime has taken place and that information stored on a computer hard drive, owned by a third party, is central to establishing clear and convincing evidence of the crime. Authorities therefore image the hard drive and return them to the owners. A forensic examiner is employed to evaluate the image and report on his findings. However, the examiner did not employ any method to probe these out-of-band areas. Now the defendant's attorney gets wind of the prosecution's intent to admit the report describing the contents of the drive prepared by the forensics examiner. What could the defense do? Well, given that the forensic examiner failed to examine the out-of-band zones, the attorney could effectively argue that information in such areas would establish evidence of tampering, that is data being removed or injected after the drives were seized by authorities.

The defense attorney could further argue that the prosecution's failure to obtain the entire contents of the drive, including the out-of-band data, was either an attempt to conceal exculpatory evidence, or that the examiner was knowingly negligent for not revealing that he/she lacked the expertise to conduct such probes. In either case, one of the strategies would likely be to establish grounds for bad faith on the part of the authorities, violating his defendant's right to due process. [Give a look at the Arizona v. Youngblood standard, California v. Trombetta, 467 U.S. 479 (1984) and Lisenba v. California, 314 U.S. 219, 236 (1941).]

I therefore believe that an aggressive criminal defense attorney could succeed in quashing such testimony and the admittance of the disk image as evidence in a criminal case, or possibly at the Grand Jury level, at least under the Federal rules.

With that being said, I also strongly agree that judges should allow the police to seize systems provided that:

- there is a full audit trail
- the drives are not examined without either the owner's permission or a court order
- such examination is done in a way which would probe and/or preserve out-of-band data

As for all my MUSTS, I say that to get these individuals to consider that they could and most likely will be held accountable for any adverse outcome involving flaws or vulnerabilities in their methods, or the depth of their expertise or lack thereof. Please take this constructively, as all I am saying is that there is a vulnerability that needs to be fixed. The bottom line is if you want a good and honest picture of what happened, pay attention to the fine details.

-
****************************************************
Bernie
Chief Technology Architect
Chief Security Officer
cta () hcsin net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go
// to avoid the pure labor of honest thinking."
// Honest thought, the real business capital.
// Observe> Think> Plan> Think> Do> Think>
*******************************************************
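An added example, not part of Bernie's post or of any tool in the thread: a small Python check of the kind an examiner could keep in the audit trail, which parses the "max sectors" line that `hdparm -N` prints for an ATA drive and compares an image's byte count against the drive's native capacity, so an image that stopped at the Host Protected Area boundary is flagged before the report is written. The hdparm output and image sizes below are constructed; the line format is assumed from hdparm's "max sectors = X/Y, HPA is enabled/disabled" output, 512-byte sectors are an assumption, and sectors hidden by a DCO (which `-N` does not report) are out of scope.

```python
import re
from dataclasses import dataclass

# Assumed format of the capacity line printed by `hdparm -N /dev/sdX`:
#   " max sectors   = 976773168/976773168, HPA is disabled"
# The first number is the user-visible capacity, the second the native
# (full) capacity; they differ when a Host Protected Area hides sectors.
MAX_SECTORS_RE = re.compile(
    r"max sectors\s*=\s*(\d+)/(\d+)(?:\s*,\s*HPA is (enabled|disabled))?",
    re.IGNORECASE,
)

SECTOR_BYTES = 512  # assumption: 512-byte logical sectors


@dataclass(frozen=True)
class Capacity:
    visible_sectors: int
    native_sectors: int
    hpa_enabled: bool

    @property
    def hidden_sectors(self) -> int:
        return self.native_sectors - self.visible_sectors


def parse_hdparm_n(output: str) -> Capacity:
    """Extract visible/native sector counts from `hdparm -N` output."""
    m = MAX_SECTORS_RE.search(output)
    if not m:
        raise ValueError("no 'max sectors' line found in hdparm output")
    visible, native = int(m.group(1)), int(m.group(2))
    # Trust the numbers over the status word: an HPA exists whenever
    # visible < native, even if the trailing text is missing.
    enabled = visible < native or (m.group(3) or "").lower() == "enabled"
    return Capacity(visible, native, enabled)


def image_covers_drive(image_bytes: int, cap: Capacity) -> tuple:
    """Return (ok, reason): ok only if the image spans the native capacity."""
    expected = cap.native_sectors * SECTOR_BYTES
    if image_bytes == expected:
        return True, "image matches native capacity"
    if image_bytes == cap.visible_sectors * SECTOR_BYTES and cap.hidden_sectors:
        return False, (f"image stops at HPA boundary; {cap.hidden_sectors} "
                       f"sectors ({cap.hidden_sectors * SECTOR_BYTES} bytes) not captured")
    return False, f"image is {image_bytes} bytes, expected {expected}"


# Constructed sample: a drive with a 1,000,000-sector HPA.
SAMPLE_HPA = "/dev/sdb:\n max sectors   = 975773168/976773168, HPA is enabled\n"
```

Recording the parsed capacity, the image size and the check result alongside the image hash gives the "full audit trail" the post asks for a concrete, reviewable entry.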