Re: Forensic Copy of Files off a CD...

Subject: Re: Forensic Copy of Files off a CD...
Date: Tue, 28 Sep 2004 10:02:16 -1000
Brian,

Something is "forensically sound" when it is 1) reproducible, 2) transparent, 3) well-documented, 4) agreed by those involved to be the best representation of the facts.

You do not need to achieve perfection in forensic procedure from point of origin to point of analysis in order for something to be of forensic value. The point of origin is usually outside of forensic controls, and your first opportunity to influence the forensic quality of data is when you become involved in a forensic investigation.

If the best tools available to you to perform an analysis include a CD burner and a subsequent copy from the CDR/CDRW to a forensic workstation, simply record the apparent date/time for Creation, Last Access, and Last Written using a recursive directory listing:

dir /s /tc
dir /s /ta
dir /s /tw

and redirecting output of the dir commands to separate files. This becomes your forensic log of time stamps on the files you've copied.

A utility that will read the output of each dir command and modify each file and folder's time stamps to return them to original condition is just as forensically sound as using dd or FTK or EnCase to acquire a forensic image of the same files.

Where you run into trouble is if you have no choice but to take your forensic log and your file copy from a live system using the programs that are on that system. You can do so, and still end up with data that is valuable for forensic analysis, but you must disclose to anyone who comes after you looking at the work that you have done that you presumed the system that was the source of the data was not compromised by malware or malfunction that would have contaminated the data thus copied.

Remember that forensic procedures are often imperfect. It is more deceptive to claim that you have a perfect procedure or a tool and therefore you don't need to disclose the detailed steps of your methodology (because everyone knows the forensic tool is perfect) or the assumptions that you made than it is to claim that you used reasonable care and diligence when making your copy but that it is possible that the data are unreliable.

Most often we're dealing with data that comes from unreliable computers to begin with, so a forensic analyst should be branded a liar if he or she claims that the forensic evidence is somehow more reliable than the computer from whence it came. Crude forensic techniques are acceptable in all cases unless there is good reason to believe that the technique itself caused a problem with the subsequent analysis, or was the proximate cause of a third party's ability to tamper with the evidence.

Regards,

Jason Coombs
jasonc@science.org
http://www.forensics.org/jcoombs/

Valdis.Kletnieks@vt.edu wrote:

As far as forensics go, pretending that you know *anything* about the last access time of a file on a CD would be deceitful at best - so it's probably *best* that you don't even pretend to do a 'fixup' of that field.

Brian May wrote:

Which is one reason why I asked the question to the list, I'd rather not taint the data. I'm still learning the art of forensics and keeping data forensically sound.


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
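An added example, not part of the original message or the list: a small Python utility of the kind Jason describes, which parses the redirected output of `dir /s /tc`, `dir /s /ta` and `dir /s /tw` and puts the logged Last Access and Last Written times back onto the copied files. It assumes the en-US `dir` date/time layout, and the sample log is constructed; Creation time is not restored, and the log only has one-minute resolution, so the result is "as logged", not the original value.

```python
import os
import re
from datetime import datetime

# `dir /s /tX` entry line on an en-US system (assumed locale); folders show <DIR>.
ENTRY_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")
DIR_HEADER_RE = re.compile(r"^\s*Directory of (.+?)\s*$")

# Constructed sample of what `dir /s /tw > written.txt` might have captured.
SAMPLE_TW_LOG = """\
 Directory of D:\\evidence
09/27/2004  08:15 AM    <DIR>          mail
09/26/2004  11:40 PM             4,096 notes.txt
               1 File(s)          4,096 bytes
 Directory of D:\\evidence\\mail
09/25/2004  03:02 PM            18,204 inbox.pst
"""

def parse_dir_log(text):
    """Map each file's full source path to the minute-resolution stamp one
    dir /tX run recorded; <DIR> rows and summary lines are skipped."""
    stamps, current_dir = {}, None
    for line in text.splitlines():
        header = DIR_HEADER_RE.match(line)
        if header:
            current_dir = header.group(1).rstrip("\\")
            continue
        m = ENTRY_RE.match(line)
        if m and current_dir and m.group(3) != "<DIR>":
            when = datetime.strptime(m.group(1) + " " + m.group(2), "%m/%d/%Y %I:%M %p")
            stamps[current_dir + "\\" + m.group(4)] = when
    return stamps

def restore_timestamps(access_log, write_log, src_root, dest_root,
                       utime=os.utime, isfile=os.path.isfile):
    """Write the logged Last Access / Last Written stamps onto the copies under
    dest_root; a file missing from the access log reuses its written time.
    Creation time is left alone: os.utime cannot set it, and a one-minute log
    could not reproduce the original value anyway. Returns the copies touched."""
    touched = []
    for src_path, written in sorted(write_log.items()):
        rel = src_path[len(src_root):].lstrip("\\").replace("\\", os.sep)
        dest = os.path.join(dest_root, rel)
        if isfile(dest):
            accessed = access_log.get(src_path, written)
            utime(dest, (accessed.timestamp(), written.timestamp()))
            touched.append((dest, accessed, written))
    return touched
```

Run `parse_dir_log` once per redirected listing and keep the three text files with the copy; they are the forensic log the message refers to, and the restore is only as trustworthy as they are.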