
Re: Tools accepted by the courts

Subject: Re: Tools accepted by the courts
Date: Sat, 25 Jun 2005 07:18:13 -0400
Agree with some of what Jerry Hatchett had to say, except the forensic
examiner "must" reinvest in new technologies, like tools to conduct remote
imaging if that is prudent right along with efficient tools for text
searching.

I think today's examiner needs to constantly improve the tool box, because
that will ultimately save on client fees as it takes you less time to get
the job done.  But the reality is your client wants to win the case and are
you adequately doing is the job expected and avoiding malpractice is the
question you need to ask yourself?

My advice: listen to the client, cut to the chase by finding what is
important to win and don't limit yourself to what you think you already
know and that perhaps needs to involve using new tools, because it's not
1999.

Jack Seward

----- Original Message ----- 
From: "Evidence Technology" <le@evidencetechnology.net>
To: "'Andre Protas'" <aprotas@eeye.com>; <forensics@securityfocus.com>
Sent: Thursday, June 23, 2005 9:20 PM
Subject: RE: Tools accepted by the courts


<< ANDRE SAID: For more advanced forensics, the best cert (certifications
are KEY for court cases) is the CFCE... >>

The CFCE is now available to law enforcement only, unless something has
recently changed. I'm comfortable in saying the CCE
(www.certified-computer-examiner.com) is now the dominant CF cert for the
private sector.

As for the tool debate in general, it's key to remember that the competence
of the examiner is paramount. As is cross-validation. A point-and-click
examiner (someone with no training who buys EnCase or some other tool and
starts performing forensic exams) is IMHO vulnerable in court no matter what
tools s/he may have used.

There are many great tools available, depending on the task at hand, and as
long as an examiner knows what s/he's doing and can demonstrate that
satisfactorily to the court, AND if the evidentiary chain of custody has
been protected such that the original evidence is still available, from
which the probative evidence at issue can be demonstrably produced, I think
the choice of tool is of little consequence.

Despite the implication in some marketing, there are no "stamps of approval"
from courts for certain products. The phrase "court validated" when
referring to forensic software is IMHO pure smoke and mirrors. It's the
EVIDENCE that's declared admissible, not a tool, and it's the EXAMINER
deemed competent and/or credible, not a tool.

If an auto mechanic testifies as an expert witness in an auto-related case,
is more weight given to his testimony because he chose a Craftsman ratchet
instead of a Snap-On? No. Weight is assigned because he convinces the court
that he knows what he's doing.

Jerry Hatchett, CCE

Evidence Technology, LLC
Computer Forensics, Forensic Video/Audio, Data Recovery
Tupelo, Mississippi, USA

www.evidencetechnology.net




