Ethical Hacking Training at InfoSec Institute

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Computer Forensics Computer-Forensics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] [Fwd: Returned post for forensics@securityfocus.com]

from [Jason Coombs] Network Security [Permanent Link]
Subject: [Full-disclosure] [Fwd: Returned post for forensics@securityfocus.com]
Date: Mon, 04 Jul 2005 14:59:49 -1000
I'm sick and tired of the stupid securityfocus.com mailing list moderators who keep refusing to allow the truth to be added to the discussions that they moderate.

Boycott Symantec. They're a bunch of arrogant exploiters of other people's stupidity, and they attract those who are like-minded.

Symantec profits through suppressing truth and encouraging delusion.

May every person who supports the suppression of full disclosure go to prison for crimes they didn't commit based solely on digital evidence.

Hooray for modern American-prisoner-industrial-slavery capitalism.

Regards,

Jason Coombs
jasonc@science.org


-------- Original Message --------
Subject: Returned post for forensics@securityfocus.com
Date: 4 Jul 2005 23:18:20 -0000
From: forensics-help@securityfocus.com
To: jasonc@science.org

Hi! This is the ezmlm program. I'm managing the
forensics@securityfocus.com mailing list.

I'm working for my owner, who can be reached
at forensics-owner@securityfocus.com.

I'm sorry, the list moderators for the forensics list
have failed to act on your post. Thus, I'm returning it to you.
If you feel that this is in error, please repost the message
or contact a list moderator directly.

--- Enclosed, please find the message you sent.

Subject: [Fwd: Re: Tools accepted by the courts]
From: Jason Coombs <jasonc@science.org>
Date: Wed, 29 Jun 2005 11:25:33 -1000
To: Forensics <forensics@securityfocus.com>

For those who asked to read my original post ... See below.

I propose that we do two things:

1) Add an impartial peer-review step to every submission of 'digital evidence' in court;

2) Publish all expert/analysis reports and transcripts of testimony given by forensic examiners;

3) Build a mechanism (an automatic appeal, perhaps, on the grounds that computer forensics was used to assist in the conviction) whereby careful scrutiny can be performed after-the-fact of every criminal conviction that was obtained through the involvement of 'computer forensics'.

4) Require law enforcement computer forensic examiners to do work on behalf of the defense.

I have witnessed unreasonable law enforcement and prosecution behavior and technical mistakes that causes me to believe that courts are being systematically misled with respect to the reliability of computer forensic evidence.

Believe it or not, people have been convicted of crimes based on computer evidence alone in cases where the fact of their computer having been acquired used, or frequently operated by multiple users, or outright owned by a warez or porn distributor, or hijacked and forced to be a P2P file sharing hub, or massively infected with spyware and Trojans, gets completely ignored.

The only case I have ever seen in which prosecution/law enforcement computer forensics even bothered to look into such issues of information security was a UCMJ court martial where the DODCFL took care to locate and report the existence of the presence of a Trojan and a keylogger on the suspect's computer.

Considering that this UCMJ case was a direct result of the FBI's "operation site key" child porn investigation, where nothing more than the suspect's credit card number having been found in the "site key" database of online child porn customers led to the charges in question, and the keylogger and Trojan probably did result in a third party being in possession of the suspect's credit card information, a failure of the DODCFL to search for such evidence would have itself been criminal.

Fortunately, the DOD computer forensic lab staff appear quite skilled, and they are available to do work on behalf of the accused service member. The fact that the HTCIA has a written policy against any law enforcement forensic examiner ever doing work on behalf of a defendant is disgusting and offensive in light of the DOD's more enlightened procedures.

We allow 'digital evidence' to have meaning and we give it weight in court, but we do so by ignoring how easy it is for anyone to obtain whatever information they need to steal another person's identity, and we do so by ignoring the fact that it is impossible to know what happened in the past to a digital computer. (heck, it is nearly-impossible in practice to know what a digital computer is doing RIGHT NOW)

This issue goes far beyond simply 'fixing' the broken system that exists today. For the better part of the last two decades computer forensics has been in use by law enforcement in real-world investigations. From my experience as an instructor of CCE "boot camp" courses I learned that John Mellon claims to have invented computer forensics twenty years ago when he was at the IRS. If he is correct that some of the first uses of computer forensics in criminal investigations occurred in connection with IRS enforcement of the tax code against U.S. citizens, then the entire field is even more badly contaminated with government conflict of interest than I had previously imagined.

We must stop any government from misusing 'digital evidence' as an institutionalized method to transform free citizens into economic or political fuel that enriches those who believe that it is proper to imprison as many people as possible. Computer forensics provides a very slippery slope whereby widespread imprisonment of persons can be manufactured merely by devoting more of society's resources to the task.

The fact that people who fear this outcome do not, out of choice, work in positions of authority where they might be able to stop it from happening or explain its dangers should give us all pause to reflect on that which we are creating and encouraging when we make 'computer forensics' more important than it should be.

Regards,

Jason Coombs
jasonc@science.org

-------- Original Message --------
Subject: Re: Tools accepted by the courts
Date: Thu, 16 Jun 2005 07:24:54 -1000
From: Jason Coombs <jasonc@science.org>
Reply-To: jasonc@science.org
To: Robert Larson <robert.j.larson@gmail.com>
CC: forensics@securityfocus.com
References: <fdbad77605061514155fbd6da8@mail.gmail.com>

Robert,

It is not the tool that gets thrown out, but the forensic examiner's use
of it. In the very first case that Guidance Software worked on where
Guidance consultants conducted a forensic examination of digital
evidence and then authored an examination report, an associate of PivX
Solutions (http://www.pivx.com) proved that Guidance failed to notice
that the date/time stamps on the files in question pre-dated the dates
on nearly all other files, and pre-dated the date that the OS was first
installed. The strong implication being that the files were actually
created on a different computer, not on the computer in question.

Because that was material to the case, the judge threw out Guidance (the
company, not the EnCase product) and refused to allow them to supply
expert analysis or fact testimony concerning the evidence.

No 'forensic' tool will ever be excluded from court.

If a skilled technical person with credentials and experience doing this
work deems a particular tool useful for a particular purpose, then the
court allows the work product to speak for itself or the court allows
the person who used the tool to give an informed interpretation.

In nearly every case the computer examiner offers expert testimony, not
fact testimony. The court does not impose requirements on how experts
apply their expertise, and the court must, in almost every case where
computer forensics is employed, not allow anyone involved to
misrepresent computer data as being 'fact'.

All computer data is circumstantial.

Regards,

Jason Coombs
jasonc@science.org


Robert Larson wrote:

> I'm involved in a discussion with some co-workers concerning forensic
> tools and the fact that evidence acquired with some tools is going to
> be more accepted in court than others.
>
> Has anyone encountered a situation where evidence extracted with a
> particular tool was not accepted?
>
> For example, an examiner using a "homemade" script to carve
> information from unallocated space versus a commercial carving tool.
>
> Robert
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[More with this subject...]


<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] [Fwd: Returned post for forensics@securityfocus.com], Jason Coombs <=
Previous by Date:  Re: Tools accepted by the courts, Craig, Tobin (OIG)
Next by Date:  GrokEVT 0.1 Released, Tim
Previous by Thread:  Re: Tools accepted by the courts, Jason Coombs
Next by Thread:  GrokEVT 0.1 Released, Tim
Indexes:  [Date] [Thread] [Top] [All Lists]