
Re: RE: Tools accepted by the courts

Subject: Re: RE: Tools accepted by the courts
Date: Wed, 22 Jun 2005 17:53:35 -0500
On 22 Jun 2005 07:21:27 -0000, hatzesberger@t-online.de wrote:
EnCase from Guidance Software is widely accepted, but it's not only about
using the right tool. The investigator needs to be trained appropriately and
has to make sure that the rules of evidence are not broken.

And this is why you use a hardware write protect (dongle, etc) when taking
images from the original source drive, using extreme care in preserving
the original, and the chain of evidence _for_the_original_.

(fx: Only one chance to do it correctly).

Assuming the initial investigator follows accepted practices for taking a
forensic image (or three) from the actual physical evidence drive, does it
matter what tools I, as a private employee investigating an incident, use
to search through a *copy* of the evidence drive?


Given that I'm not law enforcement, nor am I acting as an agent of an LEO
or state agency, and I have been given a *copy* of the original drive for
examination, does it matter what tools I use to perform forensics on the
duplicate drive?

If a Ouija board points you, a private citizen, to inspect sector 153,921 for the
ROT-13 text of an incriminating memo, more power to you, assuming
this exact data exists on the original untouched source drive, and that an
expert using a fresh image of the original is also able to extract the
same evidence, using a court-accepted tool and court-accepted methods
to "decrypt" the text (no fair using XOR against a one time pad of unknown
provenance).

Am I totally off base here?

Kevin Kadow
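An added illustration of the corroboration step described above, not code from this thread: whatever is found on a working copy only counts if a fresh image of the original hashes identically and yields the same sector bytes and the same decoded text. The disk image, sector number and memo below are constructed sample data, and the ROT-13 decode stands in for whatever accepted method the expert would use.

```python
import codecs
import hashlib

SECTOR_SIZE = 512  # assumption: classic 512-byte sectors


def build_image(total_sectors: int, sector_no: int, plaintext: str) -> bytes:
    """Construct a toy disk image (sample data, not a real drive) with a
    ROT-13 encoded memo written at the start of the given sector."""
    img = bytearray(total_sectors * SECTOR_SIZE)
    payload = codecs.encode(plaintext, "rot_13").encode("ascii")
    off = sector_no * SECTOR_SIZE
    img[off:off + len(payload)] = payload
    return bytes(img)


def image_hash(image: bytes) -> str:
    """Whole-image digest; acquisition and verification hashes must agree."""
    return hashlib.sha256(image).hexdigest()


def read_sector(image: bytes, sector_no: int) -> bytes:
    off = sector_no * SECTOR_SIZE
    return image[off:off + SECTOR_SIZE]


def decode_memo(sector: bytes) -> str:
    """Strip the zero padding of the sector and undo the ROT-13 encoding."""
    return codecs.decode(sector.rstrip(b"\x00").decode("ascii"), "rot_13")


def corroborate(working_copy: bytes, fresh_image: bytes, sector_no: int) -> dict:
    """Check that a finding on the working copy is reproducible from a fresh
    image of the original: identical image hashes, identical sector bytes,
    and the same decoded text. A mismatch means the copy cannot be relied on."""
    s1 = read_sector(working_copy, sector_no)
    s2 = read_sector(fresh_image, sector_no)
    return {
        "image_hash_match": image_hash(working_copy) == image_hash(fresh_image),
        "sector_match": hashlib.sha256(s1).digest() == hashlib.sha256(s2).digest(),
        "memo": decode_memo(s2) if s1 == s2 else None,
    }


if __name__ == "__main__":
    original = build_image(2048, 1537, "Meet at the warehouse at midnight")
    print(corroborate(original, bytes(original), 1537))
    altered = bytearray(original)
    altered[0] ^= 0xFF  # a single changed byte elsewhere on the copy
    print(corroborate(bytes(altered), original, 1537))
```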
