What Forensic Software do you recommend if buying personally


paul206
Senior Member
 

Re: What Forensic Software do you recommend if buying person

Post Posted: Dec 31, 09 22:11

I realize nobody is going to see this because this thread ran its course and got interrupted by the Christmas holidays. I have been taken to task and rightly so because I failed to make myself clear. I was in a hurry and was talking to reedsie in an attempt to show him the big picture which is that your opinion of your tools is irrelevant. The opinions that are important are that of the judge in whose court your case is being held and your client who is an attorney in that court. When I used the word certifiable I meant acceptable in court or admissible as evidence in a US court. I was not making it up and I offer this excerpt as explanation. It is a chapter from a 149 page pdf file that came with a copy of Encase in 2006. Obviously Guidance Software is making a case why you should use their product but it is based on case law. I read it back then and absorbed it. It just took me a while to remember from whence it came. The 2009 version of the document can be found at the following location.

Encase Legal Journal

§ 2.3 Commercial vs. Custom Forensic Software and Authentication Issues

Some computer forensic investigations utilize custom software tools developed by the investigating agency or a private company that are not commercially available to the general public. Courts have addressed issues concerning the type of software involved where computer-generated evidence is at issue. Such cases provide a presumption of authenticity for evidence resulting from or processed by commercially available computer systems and software over customized systems and software. As noted by one respected treatise on the subject:

“Evidence generated through the use of standard, generally available software is easier to admit than evidence generated with custom software. The reason lies in the fact that the capabilities of commercially marketed software packages are well known and cannot normally be manipulated to produce aberrant results. Custom software, on the other hand, must be carefully analyzed by an expert programmer to ensure that the evidence being generated by the computer is in reality what it appears to be. Nonstandard or custom software can be made to do a host of things that would be undetectable to anyone except the most highly trained programmer who can break down the program using source codes and verify that the program operates as represented.”

In fact, courts in many jurisdictions actually require that any computer-generated evidence be a product of a “standard” computer program or system in order to admit such evidence. This body of authority would seem especially relevant to software used by law enforcement for computer forensic purposes, given the sensitive function of such software. A law enforcement agency that utilized customized proprietary software for computer forensic investigations could face various complications when seeking to introduce evidence processed with such software. Such actual or potential pitfalls could include the following:

1. The defense could seek to exclude the results of any computer investigation that utilized tools that were inaccessible to non-law enforcement. Federal courts are unanimous in holding that computer evidence generated by or resulting from a process is only admissible if the defense has access to such software in order to independently duplicate the results of that process and thus “is given the same opportunity to inquire into the accuracy of the computer system involved in producing such evidence.”

2. If the defense is provided with a copy of the proprietary software and all evidentiary images, an expert retained by the defense will require substantial time to learn the software and recreate the process, resulting in substantial cost to the government in cases involving indigent defendants. The government will incur even further costs if the purchase of supporting operating systems and file servers is required to support the custom software.

While, as noted above, the source code for commercially available software is not required to be introduced into evidence in order to establish the authenticity of computer processed evidence, it is apparent that such presumptions of authenticity would not be afforded to customized software. Thus, the defense would seek to exclude the results of any computer investigation utilizing custom software tools, unless the source code was made available to the defense for testing and analysis.

Conversely, when questioned in court regarding the reliability of a commercially available software application such as EnCase, the proponent of the evidence would be able to testify that EnCase software is a widely used and commercially available software program and thus any member of the public can purchase, use and test the program. The defense could not claim prejudice by the use of EnCase software as any reasonably skilled computer examiner would be able to examine the discovery copy of the evidence, nor would the government be subject to questions regarding its access to the source code of the program. The prosecution in the case of Logan v. State dealt with these types of issues directly, described by the Court of Appeals of Indiana as follows:

On August 14, 2003, Logan filed a motion for discovery requesting production of the computer program the State used to discover evidence on the computer. The State failed to produce the computer program, known as iLook, even after the trial court entered an order compelling production. On January 20, 2004, Logan moved to dismiss the charges based upon First Amendment grounds. On February 20, 2004, the State dismissed the charges and refiled charges using a different forensic computer program, called EnCase. On April 6, 2004, approximately sixty days prior to trial, the State provided Logan with a copy of the EnCase program, thereby complying with the court’s discovery order.

As the Logan case illustrates, using software that is not commercially available can result in discovery conflicts. Resulting delays can even put the prosecution’s case at risk by impacting the right to a speedy trial.

Even in the civil litigation arena, using custom software can prove problematic. For instance, in the high-profile case of Coleman (Parent) Holdings, Inc. v. Morgan Stanley & Co., Inc., which resulted in a jury verdict of $1.4 billion, Morgan Stanley was lambasted by the court because software it had written to collect electronic information had missed thousands of relevant emails.


I would venture to say that anyone who is not interested in the rules of evidence is either doing network forensics or human resource investigations or lives in a country where it doesn't apply.  
 
  

Beetle
Senior Member
 

Re: What Forensic Software do you recommend if buying person

Post Posted: Jan 01, 10 01:44

- eyespy
I realize nobody is going to see this because this thread ran its course and got interrupted by the Christmas holidays. I have been taken to task and rightly so because I failed to make myself clear. I was in a hurry and was talking to reedsie in an attempt to show him the big picture which is that your opinion of your tools is irrelevant. The opinions that are important are that of the judge in whose court your case is being held and your client who is an attorney in that court. When I used the word certifiable I meant acceptable in court or admissible as evidence in a US court. I was not making it up and I offer this excerpt as explanation. It is a chapter from a 149 page pdf file that came with a copy of Encase in 2006. Obviously Guidance Software is making a case why you should use their product but it is based on case law. I read it back then and absorbed it. It just took me a while to remember from whence it came. The 2009 version of the document can be found at the following location.

Encase Legal Journal

§ 2.3 Commercial vs. Custom Forensic Software and Authentication Issues

>>snip

I would venture to say that anyone who is not interested in the rules of evidence is either doing network forensics or human resource investigations or lives in a country where it doesn't apply.


Until very recently we used iLook as one of our tools. I would venture to say that the issue here may have been (at least partly) that a copy of the iLook image of the media was provided on disclosure. The problem is that iLook imager uses a proprietary format that isn't 'portable' to other software. The imager software has to be used to make a raw file from the iLook image. We ran into this problem quite early on and switched to EWF so we could use images in anything (iLook can read EWF, Safeback and other formats). The other issue with iLook was that it was funded by the US government and was very restrictive regarding licences. You had to be LE in the US or an ally country (primarily in the UK and Canada) to get a licence.

I can't see why commercial software would be any more 'accepted' than custom non-commercial software. If that was indeed the case then grep, dd, the custom Linux kernel - in the case of Helix for example - and such software would not be acceptable, when in fact they are. Anyone using their tools should be able to find the same evidence whether you use Encase, FTK, perl scripts or TSK. There is nothing 'magic' in commercial software. Custom software is fine as long as you know what it does and its output can be verified with other software.

The proper defence here would have been to show that other software provided results that were inconsistent with the iLook output, thus calling into question the evidence in general. This case Guidance cites is almost saying that the defence should have the state provide the lab equipment and receive training to do their own DNA testing.

Two questions came to my mind when I read the excerpt. In the case cited, was the defendant hiring his own analyst who didn't have any kit, or was the lawyer trying to save money by using Encase himself to look at the evidence image files? I suspect the latter and there probably is more to the story than Guidance has spun in their sales propaganda. I take grandiose claims by software manufacturers with a good dose of scepticism. It is marketing after all.
 
  
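A worked illustration of the point above that custom or unfamiliar tool output is only as good as its verification against a second tool. This is an added example, not code from any post in this thread; the two file-listing reports, the tool labels and the hashes in it are constructed sample data.

```python
"""Cross-tool verification of forensic file listings (added example).

Two tools, say a commercial suite and an open source one, each report
the files they found in the same evidence image as path, size and MD5.
Agreement between independent tools is what an examiner can testify
to; every discrepancy is something that must be explained.
"""
import csv
import io

# Constructed sample report from a hypothetical "tool A" (commercial).
TOOL_A = """path,size,md5
/Documents/report.doc,24576,3f2a0b1e4d5c6a7b8c9d0e1f2a3b4c5d
/Documents/notes.txt,512,0123456789abcdef0123456789abcdef
/Pictures/img001.jpg,81920,fedcba9876543210fedcba9876543210
/Temp/cache.bin,4096,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

# Constructed sample report from a hypothetical "tool B" (open source).
# It differs in hash case, in one file size, and in which files it saw.
TOOL_B = """path,size,md5
/Documents/report.doc,24576,3f2a0b1e4d5c6a7b8c9d0e1f2a3b4c5d
/Documents/notes.txt,513,0123456789abcdef0123456789abcdef
/Pictures/img001.jpg,81920,FEDCBA9876543210FEDCBA9876543210
/Pictures/img002.jpg,16384,bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
"""


def parse_report(text):
    """Parse a CSV report into {path: (size, md5)}. Hashes are lowered
    so a mere case difference between tools is not reported as a find."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["path"]: (int(r["size"]), r["md5"].lower()) for r in rows}


def compare_reports(a, b):
    """Return what one tool saw and the other did not, plus files both
    saw but described differently (size or hash)."""
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    mismatched = sorted(p for p in set(a) & set(b) if a[p] != b[p])
    consistent = not (only_a or only_b or mismatched)
    return {"only_a": only_a, "only_b": only_b,
            "mismatched": mismatched, "consistent": consistent}


def verify(text_a, text_b):
    """Parse both reports and compare them."""
    return compare_reports(parse_report(text_a), parse_report(text_b))


if __name__ == "__main__":
    for key, value in verify(TOOL_A, TOOL_B).items():
        print(f"{key}: {value}")
```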

douglasbrush
Senior Member
 

Re: What Forensic Software do you recommend if buying personally

Post Posted: Jan 01, 10 02:32

IMO it is an issue of transparency. Many of the well-known tools have been through the court and legal scrutiny to be explained how they work. The designers of such software have testified to how they work so it is less of a black box technology and there is a track record for producing verified evidence. This simply allows a practitioner the ability to use a tool and testify "easier" as to how the results are produced. I only say easier because in the legal community there has been enough of a history of use and greater understanding of the authenticity of the type of results. Also because of their widespread and documented use someone else can produce the same results with greater ease. This creates a comfort level with these tools that some of the other less known or vetted tools may not provide to someone who would have to testify to explain how the tool of choice worked.

I would not say that EnCase or FTK are beginner tools but they do allow someone who is new to the field and testifying a firmer base to start with because of the openness and history of how they have worked. As you become more technically skilled and knowledgeable about the legal implications of how results are produced then by all means use anything and everything within your budget if you feel that you can confidently explain the results and methods you used.
 
  

seanmcl
Senior Member
 

Re: What Forensic Software do you recommend if buying person

Post Posted: Jan 01, 10 19:53

There are two issues in the reference to the EnCase Legal Journal, neither of which applies to open source forensic tools.

The first issue, related to iLook, was the fact that because the software is restricted to LE and the format proprietary, the defense was not given the opportunity to verify the data in the form that the prosecution intended to present it.

The second issue is that of "custom" software. By "custom" it is meant that the software can be made to produce specific results via deliberate manipulation by the user and that these results may not be an accurate representation of the underlying data.

Neither of these points invalidates open source software as a valid tool in digital forensics, in fact, one might argue that open source tools have an edge because their operation can be validated via examination of the source code (as opposed to a proprietary product like EnCase).  
 
  

kovar
Senior Member
 

Re: What Forensic Software do you recommend if buying personally

Post Posted: Jan 01, 10 21:57

Greetings,

Also bear in mind that the EnCase Legal Journal is designed to promote one thing - EnCase. They're not going to include any cases that support the use of tools other than EnCase. It is a marketing resource.

-David
_________________
CISSP, CCE, EnCE, Licensed Private Investigator (CA) 
 
  

Beetle
Senior Member
 

Re: What Forensic Software do you recommend if buying person

Post Posted: Jan 01, 10 22:08

- seanmcl
There are two issues in the reference to the EnCase Legal Journal, neither of which applies to open source forensic tools.

The first issue, related to iLook, was the fact that because the software is restricted to LE and the format proprietary, the defense was not given the opportunity to verify the data in the form that the prosecution intended to present it.

>>snip


That's just what I thought it would be. A disclosure issue.

Your second point is well put. 'Custom' can mean many things but where you can actually manipulate the output to suit what you want the evidence to be is certainly walking the fine line of perjury if you insist the output is reliable and can be reproduced with other tools. I believe that Mark Menz at some point mentioned that he had to develop a bunch of custom tools back in the day because nothing was available to do the job. Other custom tools such as the Coroner's Toolkit were developed because a need existed and no tool was available for Unix. So when the court took exception with 'custom' tools it would seem that it was only saying that it wasn't going to put blind reliance on something that had unknown characteristics and could be manipulated to falsify results. I agree that the very nature of open source and the vetting it receives makes it reliable. I am not sure if you deal with TSK at all, but every time Brian tweaks it there is a lot of chatter on the mailing list of issues and bugs that show up, usually within hours of the new source code being posted. Open source tools such as TSK receive more scrutiny by people such as Simson Garfinkel, Eoghan Casey and the like, than any commercial packages.
 
  

Patrick4n6
Senior Member
 

Re: What Forensic Software do you recommend if buying personally

Post Posted: Jan 01, 10 22:11

Yeah, I found it funny that EnCase/Guidance publishes a suggestion that a programmer is needed to verify a product when their own code isn't open for inspection by the general public. Now if they suggested that a forensic examiner is required to validate the tool, then they'd have a point, but Guidance always seems to go with the "trust us, don't trust them" approach rather than the "validate everything including us" approach which any honest tool vendor should suggest.
_________________
Tony Patrick, B. Inf Tech, CFCE
www.patrickcomputerfor...s.com/blog
www.twitter.com/Patrick4n6 
 
