
Daubert Standard?

(@techie714)
Eminent Member
Joined: 15 years ago
Posts: 37
Topic starter  

Ok, let me preface this by saying I'm aware of the homework policy & the zero tolerance; however, with that said, I do have a general question that perhaps some others on here could learn from as well. I'm writing a paper for a class & I'm fully aware of the Daubert challenge & how it works.
Daubert Standard

QUESTION **For ACTIVE Investigators based in the U.S.**
1. When using a tool off the Internet to assist in an examination, do you apply & document your own Daubert standard practice?

2. Do you actively look for a NIST certification or Daubert white paper? If not, why?


   
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

I do not believe any FI does a complete Daubert review on products they work with.

1. When using a tool off the Internet to assist in an examination do you apply & document your own Daubert standard practice?

I never use a software package that has a .0 version.
I limit the software packages I use that are the current version, i.e. I prefer a version prior to the current one, unless there is a serious bug in the product.
I limit packages to used products. If I do not hear from other FIs using it, I always double-check the results with alternate software.
Any software that crashes or blue-screens more than usual on my forensic computers is nixed.
If there are no manuals or instructions on how to use the package, I avoid its use.
I prefer developers that provide hashes and clear versioning of their products.

Do you actively look for a NIST certification or Daubert white paper, if not why?

No.


   
(@techie714)
Eminent Member
Joined: 15 years ago
Posts: 37
Topic starter  

Thank you for the response. Are you concerned if you have to testify & the defense asks how you acquired & tested your evidence? I've heard more lawyers these days are challenging the results CFEs get in a more scientific way.


   
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

This topic comes up quite frequently; from my perspective, the answer is the same.

Daubert is about qualifying experts, not tools. In spite of what some vendors may claim, there is no real meaning to the claim that the tool has been accepted in a court of law. What may be accepted is the investigator's use of the tool to examine the evidence.

As far as I am concerned, there is no single way to discover evidence which cannot be replicated using a different tool. As an example, suppose that I find something using AccessData's Registry Viewer. I should be able to find the same evidence using regedit or RegRipper or EnCase. If I can't, then I can't trust the output of the primary tool.

So our rule is to independently verify every piece of evidence that we extract from a device or image and be able to document the underlying processes and methods used.

If you are only prepared to say "Using EnCase I discovered X" then you aren't prepared to testify.

As for jhup's comments, I agree with the release 0 remarks but not simply for the sake of reliability. The difficulty with using the latest and greatest is that between the time that you complete your report and you testify about it in court, there may have been uncovered a weakness in the tool which calls into question the validity of your conclusions (hence the use of redundant tools/methods to examine data).

More than once I have been asked by opposing counsel "Are you aware that a flaw was discovered in version X.X of Software Y which could lead to corruption of the data?" to which I am able to respond, "I didn't rely solely on Software Y but verified my findings using Z as well and Z is not known to be affected by the same flaw!"


   