Encase question

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
  

seanmcl
Senior Member
 

Re: Encase question

Post Posted: May 05, 08 22:09

Jonathan:

I was not trying to put too much weight on EnCase; rather, I was saying that in the US, various rules of evidence and civil procedure, clarified by case law, have become increasingly specific about what constitutes evidence. Just as Daubert, Frye and Kumho have raised the bar with respect to who can qualify as an expert, case law has also started to clarify the notion of what constitutes digital forensic evidence.

It is a fairly clear principle that if you use a tool for other than its intended, warranted purpose, the burden of proof is on you to show why the evidence gathered through the use of that tool should be admitted. Even if the court allowed me to present evidence obtained by using a software configuration which the vendor has explicitly stated is not supported, I would be sure to get a legal challenge, and the result would be that my client would pay more in legal fees than they would have if I had just done it the way the vendor intended.

Clients are not particularly happy to pay to defend arguments which could have been avoided if one had simply followed the instructions. Moreover, "experts" have been sued by their former clients for malpractice, fraud and negligence for showing up in court with "evidence" that was subsequently declared inadmissible because the expert had not prepared or handled it in a way consistent with standard operating practice.

I'm not saying that these rules apply outside the US. What I am saying is that it is prudent to consider what the other side might throw at you when you are making your case. To give them something as simple as the fact that you used a product in a manner which the developer/vendor does not support is handing them an opportunity that they wouldn't, otherwise, have.  
 
  

Jonathan
Senior Member
 

Re: Encase question

Post Posted: May 05, 08 22:36

- seanmcl

What I am saying is that it is prudent to consider what the other side might throw at you when you are making your case.


I certainly agree with you on this basic principle. I've had plenty of discussions with fellow examiners on things which could fall into this category, such as 'do you need to wipe clean a hdd before putting an image on it?'. The answer being no, but it can make things easier for you in court.

What it seems to come down to is that non-computer forensic people (i.e., lawyers) are deciding how we should work, what tools we should use and on what platform rather than us. Perhaps this is inevitable though?
_________________
Forensic Control
twitter.com/ForensicControl
St Bride Foundation, 14 Bride Lane, London, EC4Y 8EQ 
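
The "wipe the destination before restoring an image" point above is, in practice, a check on the destination media: if the target is demonstrably all zeros before the image is written to it, nothing already on that drive can later be confused with the evidence. The following is an added example, not code from the post or from any vendor tool, of that check in Python. It streams the target in fixed-size chunks so a full-size drive can be verified without loading it into memory, and reports the first non-zero offset so the finding can be written into the acquisition log. The `scan_for_residue` and `sterile_report` names are this example's own, and the sample targets are constructed temporary files rather than real drives.

```python
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # 1 MiB reads: streams a multi-TB device without buffering it in RAM


def scan_for_residue(path, chunk_size=CHUNK_SIZE):
    """Read `path` (an image file or a raw block device such as /dev/sdb)
    from start to end and return (first_nonzero_offset, total_bytes).
    first_nonzero_offset is None when every byte read was zero.

    The file is opened read-only and unbuffered, so the scan itself never
    writes to the target. Total bytes come from the scan rather than
    os.path.getsize(), which reports 0 for block devices on Linux."""
    offset = 0
    with open(path, "rb", buffering=0) as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return None, offset
            stripped = chunk.lstrip(b"\x00")
            if stripped:
                # number of leading zeros in this chunk = position of the first stray byte
                return offset + (len(chunk) - len(stripped)), offset + len(chunk)
            offset += len(chunk)


def sterile_report(path, chunk_size=CHUNK_SIZE):
    """Summarise the scan as a dict that can be pasted into an acquisition log."""
    first_bad, total = scan_for_residue(path, chunk_size)
    return {
        "target": path,
        "bytes_scanned": total,
        "sterile": first_bad is None,
        "first_nonzero_offset": first_bad,
    }


def make_sample_target(size, dirt_at=None, dirt=b"\xAA"):
    """Constructed sample data, not a real drive: a zero-filled file of
    `size` bytes, optionally with residual bytes `dirt` planted at
    offset `dirt_at` to simulate an un-wiped destination. Returns the
    temp file path; the caller removes it."""
    fd, path = tempfile.mkstemp(prefix="target-")
    with os.fdopen(fd, "wb") as fh:
        fh.truncate(size)  # sparse zero fill; reads return zeros
        if dirt_at is not None:
            fh.seek(dirt_at)
            fh.write(dirt)
    return path


if __name__ == "__main__":
    clean = make_sample_target(3 * 1024 * 1024)
    dirty = make_sample_target(3 * 1024 * 1024, dirt_at=2 * 1024 * 1024 + 17)
    try:
        print(sterile_report(clean))
        print(sterile_report(dirty))
    finally:
        os.remove(clean)
        os.remove(dirty)
```

Against a real destination drive the call is `sterile_report("/dev/sdX")` run before the restore, with the resulting dict (and ideally the drive model and serial from the system's device information) copied into the case notes. A non-None `first_nonzero_offset` means the drive was not wiped, or was wiped with a pattern other than zeros, and should be re-wiped or documented as such before use.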
 
  

seanmcl
Senior Member
 

Re: Encase question

Post Posted: May 05, 08 23:13

In that category comes "Why didn't you photograph the evidence?" Specifically, I received a Dell laptop with an internal hard drive. The drive had both a Toshiba and a Dell part number on it and I imaged it using EnCase. Since EnCase versions before 6 did not capture the drive serial number, I noted it on my log. Dell cannot identify by serial number what drives are shipped with what systems so I could only confirm that this was the original using circumstantial evidence and the testimony of the computer owner/user.

Opposing counsel wanted to know why I didn't photograph the drive and the computer so that the drive serial number and the computer serial number appeared simultaneously in the same picture. I pointed out that in order to get the drive serial number I would have to remove it from the computer and, at that point, since it could be any drive appearing in the same picture, why was this "better" than my testimony and written records?

Unfortunately, truth sometimes takes a back seat to legal posturing.  
 

Page 2 of 2