Re: Forensic Copy of Files off a CD...

Subject: Re: Forensic Copy of Files off a CD...
Date: Tue, 5 Oct 2004 01:08:13 +0000 GMT
The key is to ensure that work is well-documented so that it can be reproduced. 
Clearly, the intermediate files with the incorrect date/time stamps should be 
preserved, but if a forensic examiner chooses to reset date/time so that 
analysis of event chronology that relies on this information is not impossible to 
accomplish with the tools at hand, it would be unreasonable to assert that 
anything of substance was altered in taking such a step - particularly because 
other analysts could easily verify the work or rely on the files from the CD 
directly (without timestamp reset).

You'll get nowhere in practice by making esoteric arguments of unreliability of 
evidence because of a step taken to make analysis of timestamps easier.

You would get more mileage out of an argument that metadata or stream storage 
was changed or lost in the copy to CD ... With proof to back it up. But even 
such arguments and proof are not likely to result in the evidence being tossed 
out of the case.

Computer forensics is not an exact science, despite claims by some people to 
the contrary. So long as the essence of the original is preserved, a copy is 
good enough for use in any forensic analysis and expert witness testimony, or 
fact witness investigation and reporting.

In an extreme scenario, if the format of the electronic evidence ends up being 
hardcopy printout by the time the computer expert gets involved or provides 
testimony, it really doesn't matter that the electronic copy may have 
disappeared for some reason, as a printout of computer data is treated as a 
copy of the original in most cases. To get a printout barred from the case you 
would have to show cause - and your hypothetical fear that a timestamp reset 
tool tampered with the essence of the data fails without proof that it did 
tamper with the data beyond timestamps.

This 'essence of the thing' test is used all the time, and it is, in the end, 
all that matters.

When there is dispute as to the accuracy or reliability of evidence, experts 
get to voice opinions and offer forensic arguments to influence the weight that 
is given to the evidence in dispute, but rarely is the evidence excluded 
outright.

Remember that this is all just circumstantial evidence, anyway. We have no 
direct evidence with which to contend when we do computer forensic examinations 
or investigations.

Attorneys and the courts are quite competent at dealing with circumstantial 
evidence and expert testimony.

Regards,

Jason Coombs
jasonc@science.org

-----Original Message-----
From: "Jon O." <jono@microshaft.org>
Date: Thu, 30 Sep 2004 12:38:33 
To: Jason Coombs <jasonc@science.org>
Cc: Brian May <bmay@ACTLIT.com>, Valdis.Kletnieks@vt.edu,
forensics@securityfocus.com
Subject: Re: Forensic Copy of Files off a CD...


On 28-Sep-2004, Jason Coombs wrote:
A utility that will read the output of each dir command and modify each 
file and folder's time stamps to return them to original condition is 
just as forensically sound as using dd or ftk or encase to acquire a 
forensic image of the same files.

Jason: 

With all due respect, I do not agree with this idea and hope 
others reject it as well. Not only is this evidence tampering, but you 
are introducing new variables to the system which should be as free
from modification as possible.

Any good opposing counsel would take this to town. How do you know
the tool didn't fail during the reset process, leaving some reset
and others unset? Is the evidence you are introducing reset or original? 
Could you be confused? Can you prove you reset these but not those? 

For example, here is one argument against this type of manipulation:
http://ftimes.sourceforge.net/Files/Papers/baselining.pdf

Initially, it was thought that FTimes should actively restore timestamps 
as part of the baselining process. This idea, while it seemed like a 
reasonable approach, was abandoned due to our belief that evidence 
collection tools should not attempt to artificially alter system state; 
such a capability could cast a shadow of doubt as to whether 
or not the tool is actually collecting or creating evidence.


Thanks,
Jon

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
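Jon's question above ("Can you prove you reset these but not those?") is answered in practice by a documented, repeatable verification of the restore step. The following Python is an added example (not from the thread, from Jason's utility or from FTimes) that compares on-disk timestamps against a recorded baseline, hashes each file so any change beyond timestamps is visible, and reports per file which were restored, which were not, and which are absent; the tab-separated baseline format and the sample files are constructed for the example, not real `dir` output.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Baseline format assumed for this example (constructed, not real `dir` output):
# "YYYY-MM-DD HH:MM:SS<TAB>relative/path", timestamps in UTC.
BASELINE_FMT = "%Y-%m-%d %H:%M:%S"

def parse_baseline(lines):
    """Return {relative path: expected mtime as whole UTC epoch seconds}."""
    pairs = (line.rstrip("\n").split("\t", 1) for line in lines)
    return {rel: int(datetime.strptime(stamp, BASELINE_FMT)
                     .replace(tzinfo=timezone.utc).timestamp()) for stamp, rel in pairs}

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def verify_timestamps(root, baseline_lines, hashes_before):
    """Record expected vs. actual mtime and SHA-256 for every baseline entry.
    hashes_before ({path: sha256}, taken before any reset) lets a content change
    be reported separately from a timestamp that was not restored."""
    report = {"matched": [], "mismatched": [], "missing": [], "content_changed": []}
    for rel, want in parse_baseline(baseline_lines).items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
            continue
        got, digest = int(os.stat(path).st_mtime), sha256_file(path)
        entry = {"path": rel, "expected": want, "actual": got, "sha256": digest}
        report["matched" if got == want else "mismatched"].append(entry)
        if hashes_before.get(rel) != digest:
            report["content_changed"].append(rel)
    return report

def demo():
    """Constructed sample: two files copied off a CD, only one timestamp reset."""
    root = tempfile.mkdtemp()
    baseline = ["2004-09-28 12:38:33\treport.doc", "2004-09-28 12:40:00\tnotes.txt",
                "2004-09-28 12:41:00\tmissing.log"]
    for name in ("report.doc", "notes.txt"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"sample content for " + name.encode())
    before = {n: sha256_file(os.path.join(root, n)) for n in ("report.doc", "notes.txt")}
    want = parse_baseline(baseline)["report.doc"]
    os.utime(os.path.join(root, "report.doc"), (want, want))  # reset this file only
    return verify_timestamps(root, baseline, before)
```

The report lists `report.doc` as matched, `notes.txt` as mismatched (its copy-time mtime was never reset) and `missing.log` as absent, with no content change; preserving that report alongside the untouched copies is what lets another examiner repeat the check.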
