Admissibility of evidence

8 Posts
5 Users
0 Likes
970 Views
(@sfairfield)
Posts: 4
New Member
Topic starter
 

I am in my senior year for Computer & Digital Forensics and will be writing a paper about Open Source forensic tools. I plan on writing about what tools are available as well as test some out myself. But, I also want to include the issues surrounding admissibility of evidence extracted using open source tools. Has anyone in the field found any barriers or issues when using open source tools in their cases? I would be eternally grateful for any information.

 
Posted : 20/02/2009 10:09 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

"But, I also want to include the issues surrounding admissibility of evidence extracted using open source tools."

Specifically, what issues are you referring to?

If you have raw data…say, a Registry hive file or an INFO2 file…and you parse it with an open source tool, how is that any different from using a closed-source commercial application?

 
Posted : 20/02/2009 11:58 pm
(@sfairfield)
Posts: 4
New Member
Topic starter
 

That is my question: "Is it different in the court's eyes to use an open source tool over a commercially available tool?" If I use Autopsy instead of EnCase, will it hold up in court as well? I honestly do not know if the courts care or not. Does it depend on whether it has been tested by NIST? Or is it strictly a Daubert test?

 
Posted : 21/02/2009 12:52 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

You would probably be better served asking an attorney these questions. I haven't seen where this has ever been an issue, per se…if you can clearly describe what you did, and (as I state in my books), if you have documented your analysis to the point where it can be replicated and verified, then what's the issue, really?

I would think that courts would be more concerned with the completeness, accuracy and integrity of your results. For example, did you assume that an intruder broke into a home and killed the family simply b/c you saw an open door, or did you examine things further?

Also, I think to some degree that this really comes down to the attorney you're working with. Is the prosecution familiar with presenting digital evidence?

 
Posted : 21/02/2009 1:50 am
(@seanmcl)
Posts: 700
Honorable Member
 

"That is my question: 'Is it different in the court's eyes to use an open source tool over a commercially available tool?' If I use Autopsy instead of EnCase, will it hold up in court as well? I honestly do not know if the courts care or not. Does it depend on whether it has been tested by NIST? Or is it strictly a Daubert test?"

Remember that Daubert applies a two-pronged approach to the admissibility of evidence:

Is it relevant, i.e., do the facts to be presented fit the case?

Is it reliable, i.e., would an independent investigator using the same tools or methods achieve the same results? Also, would a method or tool which has been established to be reliable achieve the same results?

Thus, whether it is a commercial tool or an open source tool is not an issue, per se (although I have seen "experts" attempt to make it such).

What is important is that the tool is used in the proper manner and that the expert's conclusions are supported by the data uncovered with the tool.

As for the NIST tests, typically these are applied to a specific function of the tool rather than the tool itself. For example, is the tool capable of making a true "bit-for-bit" copy (which is a misnomer since drives are not read or written in a bit-for-bit manner)? Does a write blocker effectively block all writes to the drive? Is an EnCase restore from an evidence file forensically identical to the source drive?

NIST does not say whether EnCase is better than FTK or ProDiscover or TSK.

So whether you use Autopsy is not so much an issue as whether you used it properly and your conclusions can be supported by the evidence that you obtained by using it.

 
Posted : 21/02/2009 8:22 pm
(@sfairfield)
Posts: 4
New Member
Topic starter
 

Thank you for your replies. They are extremely helpful. Looks like I may need to tweak my topic a bit since it is not as much of an issue as I thought it may be. Thanks again.

 
Posted : 27/02/2009 10:04 am
(@bgrundy)
Posts: 70
Trusted Member
 

A little dated, but still very applicable

http://www.digital-evidence.org/papers/opensrc_legal.pdf

Harlan is quite right, though. Everything we do derives from the acquisition. If that is verified, and the tools you use provide reproducible results, then who cares if it's open or closed source?

We all validate and cross verify our tools anyway, right?

 
Posted : 03/03/2009 11:08 pm
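The two points the replies above rest on, a verified acquisition and reproducible tool output, are concrete enough to show in code. The following is an added illustration for this thread, not code posted by any participant and not part of Autopsy, TSK, EnCase or any NIST test. The "source media", the "image" and the two tools' findings are all constructed byte strings and tuples built in memory, so it runs offline; the hash values in the findings are made-up placeholders, not hashes of real files.

```python
"""Acquisition verification and tool cross-verification (added example).

Two checks an examiner records regardless of whether the tool is open or
closed source: (1) the image hashes match the source, so everything
downstream derives from a verified acquisition; (2) two independent tools
run over the same data report the same findings, i.e. the result is
reproducible. All inputs below are constructed for the example.
"""
import hashlib
from typing import Dict, List, Set, Tuple

# Constructed "source drive" and "image": 4 KiB of deterministic bytes.
SOURCE_MEDIA = bytes((i * 7 + 3) % 256 for i in range(4096))
GOOD_IMAGE = bytes(SOURCE_MEDIA)
# A second image with one byte altered, standing in for a failed acquisition
# (bad sector, write through a faulty blocker, truncated copy, etc.).
BAD_IMAGE = SOURCE_MEDIA[:1000] + b"\x00" + SOURCE_MEDIA[1001:]


def digest_all(data: bytes, algorithms=("md5", "sha1", "sha256")) -> Dict[str, str]:
    """Hash the data with several algorithms; recording more than one is
    common practice so a collision in one does not undermine the record."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def verify_acquisition(source: bytes, image: bytes) -> Dict[str, object]:
    """Compare source and image digests and return a verification record
    (what was compared, with which algorithms, and the outcome) that can be
    copied into the examiner's notes and replicated by someone else."""
    src = digest_all(source)
    img = digest_all(image)
    matches = {name: src[name] == img[name] for name in src}
    return {
        "source_hashes": src,
        "image_hashes": img,
        "verified": all(matches.values()),
        "mismatched_algorithms": sorted(n for n, ok in matches.items() if not ok),
    }


# A finding is modelled as (path inside the image, hash reported for it).
Finding = Tuple[str, str]

# Constructed output of two hypothetical tools parsing the same image.
# The hex strings are placeholders, not real file hashes.
TOOL_A_FINDINGS: List[Finding] = [
    ("/Documents/report.doc", "1111aaaa"),
    ("/Documents/budget.xls", "2222bbbb"),
    ("/Pictures/photo1.jpg", "3333cccc"),
]
TOOL_B_FINDINGS: List[Finding] = [
    ("/Documents/report.doc", "1111aaaa"),
    ("/Documents/budget.xls", "2222bbbb"),
    ("/Pictures/photo1.jpg", "3333dddd"),  # disagrees with tool A on this file
    ("/Pictures/photo2.jpg", "4444eeee"),  # recovered by tool B only
]


def cross_verify(tool_a: List[Finding], tool_b: List[Finding]) -> Dict[str, Set[Finding]]:
    """Report what only one tool produced. Items in 'only_in_a' / 'only_in_b'
    are exactly the findings an examiner must explain before relying on them;
    an empty pair of those sets is what 'reproducible' means here."""
    a, b = set(tool_a), set(tool_b)
    return {"agreed": a & b, "only_in_a": a - b, "only_in_b": b - a}


def run_checks() -> Dict[str, object]:
    """Run both checks on the constructed data and return the combined record."""
    return {
        "good_image": verify_acquisition(SOURCE_MEDIA, GOOD_IMAGE),
        "bad_image": verify_acquisition(SOURCE_MEDIA, BAD_IMAGE),
        "tools": cross_verify(TOOL_A_FINDINGS, TOOL_B_FINDINGS),
    }


if __name__ == "__main__":
    record = run_checks()
    print("good image verified:", record["good_image"]["verified"])
    print("bad image verified: ", record["bad_image"]["verified"],
          "mismatches:", record["bad_image"]["mismatched_algorithms"])
    for key in ("agreed", "only_in_a", "only_in_b"):
        print(f"{key}: {sorted(record['tools'][key])}")
```

The verification record deliberately stores the hashes of both sides rather than a bare True/False, because what a court or an opposing expert wants is something another investigator can recompute with different software and compare. The cross-verification step treats a disagreement between two tools as a finding in its own right: here the mismatched hash for `photo1.jpg` and the extra `photo2.jpg` would each need an explanation (a carving heuristic, a parsing bug, a slack-space artifact) before either tool's output is presented as fact.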
(@rlong)
Posts: 7
Active Member
 

I would say the most significant difference re closed vs. open source tools is in the value perceived by prospective clients. Many people in the business/legal realm have little direct experience with IT and a get-what-you-pay-for perception of quality. For private shops, it's often desirable to handle big, expensive cases with proprietary software. Known brands add value for the average consumer and the forensics industry is not so different.

Data Forensics & Security Consultant
TCS Forensics Ltd.

 
Posted : 17/03/2009 1:52 am