Honeypots mailing list archives

Re: Free/Open Source Disk Imaging Tools


From: "Bernie, CTA" <cta () hcsin net>
Date: Sun, 9 Feb 2003 14:43:00 -0500

In response to:
That's a lot of "musts" in one email...
Posted: On 7 Feb 2003, at 15:43, Bill Moylan wrote:

First let me say I am not an attorney, my expertise is in computer 
and communications security and soup to nuts software 
programming, specifically writing drivers and kernel modules in 
assembly language. I do however have first hand knowledge of the 
issues surrounding the acquisition, preservation and presentment of 
computer information stored on hard drives as evidence in criminal 
cases. 

For a moment let's agree that one can prove that "data" could be 
hidden in out-of-band areas of a hard drive, and therefore methods 
should be practiced by the "expert" / forensics examiner to probe 
these areas.  Albeit, this fact could be strongly established by actual 
tests / demonstrations, documented incidents, and expert testimony. 
There is plenty of Federal case law concerning expert testimony 
where evidence was suppressed when it was established that the 
"expert" was possibly incompetent, or simply failed to perform a 
test/procedure which he knew or should have known would have 
disclosed additional information, exculpatory or not.

Let's make some other assumptions:

- Consider a crime has taken place and that information stored on a 
  computer hard drive, owned by a third party, is central to 
  establishing clear and convincing evidence of the crime.

- Authorities therefore image the hard drive and return them to 
  the owners.

- A forensic examiner is employed to evaluate the image and 
  report on his findings. However, the examiner did not employ 
  any method to probe these out-of-band areas.

- Now the defendant's attorney gets wind of the prosecution's 
  intent to admit the report describing the contents of the drive 
  prepared by the forensics examiner. 

What could the defense do?
Well, given that the forensic examiner failed to examine the out-of-
band zones, the attorney could effectively argue that information in 
such areas would establish evidence of tampering, that is data being 
removed or injected after the drives were seized by authorities. The 
defense attorney could further argue that the prosecution's failure to 
obtain the entire contents of the drive, including the out-of-band 
data, was either an attempt to conceal exculpatory evidence, or that 
the examiner was knowingly negligent for not revealing that he/she 
lacked the expertise to conduct such probes. In either case, one of 
the strategies would likely be to establish grounds for bad faith on 
the part of the authorities violating his defendant's right to due 
process. [Give a look at the Arizona v. Youngblood standard,  
California v. Trombetta, 467 U.S. 479 (1984) and Lisenba v. 
California, 314 U.S. 219, 236 (1941)]  

I therefore believe that an aggressive criminal defense attorney 
could succeed in quashing such testimony and the admittance of the 
disk image as evidence in a criminal case, or possibly at the Grand 
Jury level, at least under the Federal rules. 

With that being said, I also strongly agree that judges should allow 
the police to seize systems provided that:

- there is a full audit trail
- the drives are not examined without either the owner's 
  permission or a court order
- such examination is done in a way which would probe 
  and/or preserve out-of-band data.

As for all my MUSTS... I say that to get these individuals to 
consider that they could and most likely will be held accountable 
for any adverse outcome involving flaws / vulnerabilities in their 
methods, or the depth of their expertise or lack thereof.  Please 
take this constructively, as all I am saying is that there is a 
vulnerability that needs to be fixed. 

The bottom line is if you want a good and honest picture of what 
happened, pay attention to the fine details.


-
****************************************************
Bernie 
Chief Technology Architect
Chief Security Officer
cta () hcsin net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go 
//    to avoid the pure labor of honest thinking."   
//     Honest thought, the real business capital.    
//      Observe> Think> Plan> Think> Do> Think>      
*******************************************************
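The three conditions above (an audit trail, and an examination that probes and preserves out-of-band data) can be turned into a mechanical completeness check on an acquisition. The following is an added example, not code from the original post or its author. It assumes the examiner has already obtained two sector counts from the drive's own identify data (the user-addressable count the operating system sees, and the larger native count the drive reports), and that sectors are 512 bytes; the sample image bytes and sector counts are constructed here for illustration. The check flags an image that is shorter than the drive's native capacity, and writes a JSON audit record carrying the sizes, the verdict and the image hash.

```python
"""Acquisition completeness check plus audit-trail record (added example).

Assumptions (not from the original post):
  * native_sectors / user_sectors were read from the drive's identify data
    with whatever tool the examiner already uses; they are passed in here.
  * Logical sectors are 512 bytes.
A native count larger than the user-addressable count means the drive has an
area the OS cannot address, which a plain "image what the OS sees" run omits.
"""
import hashlib
import json
from datetime import datetime, timezone

SECTOR_BYTES = 512  # assumption: 512-byte logical sectors


def hidden_sector_count(native_sectors: int, user_sectors: int) -> int:
    """Sectors the drive reports beyond the user-addressable range.

    A positive value means an out-of-band area exists that must be imaged
    separately (or made addressable first) for the image to be complete.
    """
    if user_sectors > native_sectors:
        raise ValueError("user-addressable count cannot exceed native count")
    return native_sectors - user_sectors


def image_sector_count(image: bytes) -> int:
    """Number of whole sectors in an image; a partial sector is an error."""
    if len(image) % SECTOR_BYTES:
        raise ValueError("image length is not a whole number of sectors")
    return len(image) // SECTOR_BYTES


def check_acquisition(image: bytes, native_sectors: int, user_sectors: int) -> dict:
    """Compare what was imaged against what the drive says it holds."""
    hidden = hidden_sector_count(native_sectors, user_sectors)
    imaged = image_sector_count(image)
    return {
        "imaged_sectors": imaged,
        "native_sectors": native_sectors,
        "user_sectors": user_sectors,
        "hidden_sectors": hidden,
        # True only when the image spans the drive's native capacity,
        # i.e. the out-of-band area (if any) was captured as well.
        "covers_native": imaged >= native_sectors,
        "sha256": hashlib.sha256(image).hexdigest(),
    }


def audit_record(case_id: str, device: str, examiner: str, result: dict) -> str:
    """One JSON line for the acquisition audit trail (timestamp, who, what, verdict)."""
    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "case_id": case_id,
        "device": device,
        "examiner": examiner,
        "verdict": "COMPLETE" if result["covers_native"] else "INCOMPLETE",
    }
    record.update(result)
    return json.dumps(record, sort_keys=True)


# Constructed sample: a drive reporting 16 native sectors of which only 12
# are user-addressable, imaged once from the OS view and once in full.
SAMPLE_NATIVE_SECTORS = 16
SAMPLE_USER_SECTORS = 12
SAMPLE_IMAGE_SHORT = bytes(SAMPLE_USER_SECTORS * SECTOR_BYTES)   # OS-visible area only
SAMPLE_IMAGE_FULL = bytes(SAMPLE_NATIVE_SECTORS * SECTOR_BYTES)  # whole drive


def demo() -> tuple:
    """Run both constructed acquisitions through the check."""
    short = check_acquisition(SAMPLE_IMAGE_SHORT, SAMPLE_NATIVE_SECTORS, SAMPLE_USER_SECTORS)
    full = check_acquisition(SAMPLE_IMAGE_FULL, SAMPLE_NATIVE_SECTORS, SAMPLE_USER_SECTORS)
    return short, full


if __name__ == "__main__":
    for result in demo():
        # Placeholder case/device/examiner values; real ones come from the case file.
        print(audit_record("CASE-PLACEHOLDER", "drive-placeholder", "examiner-placeholder", result))
```

The short image produces an INCOMPLETE verdict with four hidden sectors unaccounted for, which is exactly the gap the post argues a defense attorney would exploit; the full image produces COMPLETE. Keeping the hash and both sector counts in the same record lets a later reviewer verify that the image on file is the one the verdict was computed for.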
