I do it anyway. Maybe out of habit. But more because I don't know if the defense, through some crazy subpoena due to a technically-ignorant judge, will get that hard drive I've saved the image to, and find traces of other cases in unallocated space. And if you don't believe a technically-deficient judge will sign off on an unwarranted subpoena, you haven't been doing this very long.
Are you saying that those who pre-wipe their drives before using for anything are "ignorant of forensic file formats" - or did I misread that?
That wasn't my reading. I read Larry as saying that experts who say that not having sterilised a drive containing forensics images invalidates the results are ignorant.
Sterilization is for 2 reasons:
1. For forensic cloning destination drives, to ensure that "slack" space after the size of the source drive doesn't contain data that could be improperly added to the case.
2. To prevent taking sensitive or confidential data out into the field with you.
Marcyu - So true. That alone is a good reason to do it.
Patrick4n6 - You read it right. It is ignorant experts who cause all of us the most problems, no matter what side we are on.
Wow. Pretty scary someone can become an "expert" and not know what an Encase image is. Just to be clear, you're referring to some bozo who claims to be an expert, not someone who has become an expert witness. Because if it's the latter, then I'm scared. Really scared.
You should be scared. I had a case in which the judge allowed the opposite person to qualify as an expert because he had "used data recovery software several times" and he "regularly fixed his friends' computers".
That's freaking nuts. I can't see how a judge could be so foolish; even if it was his first ever case involving digital evidence. Nor can I imagine some computer repair guy knowingly putting someone's freedom at stake by presenting himself as a DF expert. I guess it would look good on his resume. I know a bit about forensics, and there ain't no way I would do that. Heck, I don't even present myself as an expert on the internet. lol
This was a civil case so only money was involved. I could tell you some real horror stories of "defense experts", but not in a public forum.
While with the Police I regularly came up against a couple of self-proclaimed experts. One was a university lecturer who touted himself as an expert and in fact lectured on Cyber forensics. His first case against me he spent most of the time on the phone to me trying to figure out how to use Xways and how to get the image I'd given him booted up in VMware.
Once he had the image booted he proceeded to compile a detailed report listing the hardware of the defendant's computer… only he never saw the defendant's computer; he was working from an image. The lightweight was reporting on his own system and the specs that the VM machine was set at. Very credible expert.
The other joker is an IT consultant who knows next to nothing about DF again.
One of the reasons I left the job was having to disprove the idiotic arguments these guys kept coming up with; I spent most of my time educating them and doing the defence work for them.
This was a civil case so only money was involved. I could tell you some real horror stories of "defense experts", but not in a public forum.
Ah, well that's still pretty bad… No, please no more horror stories. I need to be able to sleep tonight. lol
This was a civil case so only money was involved. I could tell you some real horror stories of "defense experts", but not in a public forum.
Actually this would be very interesting, and a useful aid to help newcomers refrain from making the same mistakes.
Can you not post a few of them anyway, changing names to protect BOTH the innocent and the guilty?
jaclaz