The following article was submitted by one of our forum regulars and I thought it might make an interesting topic for debate here too. I've also included it in this month's newsletter with a link to this topic. Comments welcome.
Jamie
Why Take Offence at a Good Defence?
by Nick Furneaux, CSITech
nick@csitech.co.uk
The Police Officer had served his community excellently for over 15 years until one day, acting out of character, he hit a man that he had in his custody. The man had made verbal threats against the Officer's family, it had happened before, but family circumstances meant it struck a nerve and he broke the man's jaw and dislocated his shoulder. The Officer was charged.
Speaking after his acquittal the Officer spoke of his defence team. 'I had always treated defence lawyers with some disdain, as if they were just there to get the bad guys off, that they got in the way of justice. Now I've sat in the dock I realise how vital they are. They were professional, treated me with respect, engaged the help of excellent Expert Witnesses and I'm sat here now without a record'.
The Officer's previous attitude is common amongst Law Enforcement professionals and in fairness there are many defence lawyers who do act in the way the Officer described. However, the very basis of our free society comes from a legal system that gives every citizen the right to a fair and vigorous defence when charged with a crime. It is this Right that balances our way of life and ensures that those with the power to enforce law do not abuse the privilege. Our jury system which provides the opportunity for us to be judged by a peer group, which has heard all the evidence, is a demonstration of a free and democratic civilisation and many have fought with words and with arms to defend these freedoms.
So, why can't I get EnCase training at the same price as my Law Enforcement cousins? I run a small private digital investigation agency in the UK and I can supply many references to show that we are very good at what we do. In my last two cases I have uncovered evidence that prompted the defendant to plead guilty, saving the Courts time and money, and also found material in a fraud case that had the case thrown out by the Judge, without it an innocent man would have gone to prison. So why does my EnCase training cost a full 1/3 more than for my Police friends?
Let's take the 'EnCase Introduction to Computer Forensics' course. For me to attend the next course in the UK will cost a not insignificant £1440, however, the local police force will only have to find £960. Why? I just don't get it. Could the reason be that Police Forces are poorly funded? Perhaps, but as a small business we make a profit yet are hardly popping down to the yacht on the weekends. When I take a case I often put in a lot of extra time that is not charged for, as professionalism prompts me to do my best without always watching the clock. I believe that this stand by the software companies directly discriminates against the defence expert.
Now, I understand maybe having a higher rate for a corporate training program where three IT guys turn up in their company BMW's from XYZ Bank, but I am not in that league and should have the same treatment as Law Enforcement.
It is not limited to Guidance Software of course, numerous software and some hardware suppliers have exactly the same split rate. A lone figure in this crowd is Accessdata, makers of the FTK forensic suite. Their prices appear to be the same for anyone and that is refreshing to see.
It is not just prices of training; a quick search uncovered a number of courses that are Law Enforcement only. Why? I just don't understand why the defence of a person does not enable me to gain the same training as the prosecution. I use the word again…discrimination. Indeed, there is an argument that I do work within Law Enforcement. The law dictates that a defendant is entitled to a robust defence so in representing them am I not 'enforcing' the due process of law in exactly the same way as a Police or Intelligence Officer?
This is extremely interesting.
I recently presented at a conference, and prior to going, was asked about the conference by a local reporter. I asked the conference coordinator if the reporter could come along, and was told that he could do so, but only if he was willing to be escorted. I was told that this was because of the "operational nature" of some of the things that would be said at the conference.
In hindsight, this wasn't the case at all. Not all of the attendees were LEOs. I'm not. Yet I wandered around, unchecked, between presentations.
What's with the disparity? A very optimistic person might say that the LEOs need access to the specialized, classified stuff so they can keep up with the bad guys. A really cynical person might say that the LEOs don't want to be embarrassed by having everyone know what they *don't* know.
I took the EnCase intro course in '99. I was the only person in the room that didn't have a gun and a badge. The course started with (and I kid you not), "This is a mouse." [instructor holds up the mouse]
The reality is that LEOs are understaffed, undertrained, and overtasked. The cost of training is reduced for LEOs, because many organizations have a need/requirement for the training, but not enough resources (re money) to support it. Like many other public services, the police are constantly required to keep costs down, but then get their feet run over the coals if they weren't able to perform their function due to lack of resources.
H. Carvey
"Windows Forensics and Incident Recovery"
http//
http://windowsir.blogspot.com
The reality is that LEOs are understaffed, undertrained, and overtasked. The cost of training is reduced for LEOs, because many organizations have a need/requirement for the training, but not enough resources (re money) to support it. Like many other public services, the police are constantly required to keep costs down, but then get their feet run over the coals if they weren't able to perform their function due to lack of resources.
While I understand the need for a vetting process in things like this, why don't PD's accept the help of people that offer it? For instance, I've offered to volunteer my services to the PD here on several occasions. They send their work to a lab nearby for processing but even that lab is understaffed (I know someone that works in it).
In terms of purchasing training and software, I've had to get sponsorship from a PD to get their pricing because let's face it... as a student, I don't have the money.
I have offered my services to local PD's who are backlogged for a long long time and they also said similar things. In addition to that I have offered to help on kidnapping cases where a suspect's computer has been seized.
This is a state by state, city by city, jurisdiction by jurisdiction decision and does not in any way characterize the entire world of LE as usually it is one person who is making the yes or no decision.
The cases that we all work fall into the "they are what they are" category. While you and I image a computer and get the same hashes, our methods of investigation beyond that may be totally different and we can arrive at the exact outcome. Are semantics played, sure but you owe it to the people of your area if you are working for LE and to your client if you are in the PS to do the very best you can to either prosecute or defend the person or people that you are working for.
I met an officer from this board (let's call him Matt H, from Evansville -) and as far as investigators go and knowledge of this thing we call computer forensics he is one of the smartest people I have come across. If he ever needed my help I couldn't be down there fast enough to help him. One thing that is easily forgotten is that while everyone starts on one side, at some point most everyone ends up in the private sector, maybe it is 10 or 20 years down the line but it happens.
I've been on both sides of this one, particularly with Guidance Software. I think their decision to offer reduced rates to law enforcement is strictly business. In the US, Canada, and the UK anyway they are competing with NW3C who offers free training to LEO's. They know that law enforcement and government agencies need the training, I suppose they just can't get them in at the regular rates.
Despite the fact that I'm still a law enforcement examiner I bought my license for my private practice at the public price. I didn't (and couldn't) claim this discount by virtue of being in the club (like using AAA at a hotel). I don't think there's a valid complaint there, it's just a matter of deciding whether it's worth it for you.
Nick has contacted me to tell me that the second half of his article didn't make it through when he mailed it the first time. Here it is now
The next area is the treatment defence experts often receive from the Police. I am very fortunate in that I enjoy very good relationships with several Hi Tech Crime Units and this has resulted in cases progressing much more smoothly than they would otherwise. A recent case highlights this benefit.
I was helping the defence in a case involving the downloading of illegal images and due to administration issues I was only instructed to proceed with an examination of the data a week before trial was to begin. My local Hi Tech Crime Unit (HTCU) accommodated me the following day, briefed me on the issues and gave me access to a desk to work from. We were able to argue out several issues and agree on some fundamental points. This speeded up the case considerably as whole swathes of evidence were pre-agreed between prosecution and defence counsel ahead of time. During the case, both sides required further investigation on a point and that night the prosecuting expert and I worked together until late at the HTCU. Their attitude was, if he is not guilty then let’s find the evidence and we worked hard to prove various theories.
However, sadly, this is not always the case, other HTCU’s cannot be more unhelpful and go out of their way to make life as difficult as possible. Some have such stringent procedures that it is almost impossible to carry out a reasonable investigation. A good example of this is with illegal images cases. I strongly believe that further copies of images should be avoided at all costs and do not believe that an investigator should be driving down the motorway with a hard drive containing 50,000 illegal pictures. By far the best approach is to work on the original clone at the HTCU concerned but even this can be made difficult. One UK force recently said I could only work on their workstations with an Officer controlling the mouse. How can I construct a robust defence by ‘remote control’ with an increasingly irritated Officer pressing all the buttons? I need my own equipment and software configuration to be able to perform as the law requires. Also, if I find an area of evidence that may work against the prosecution they will simply go away and test my theories before I can finalise them.
Please do not conclude that I am against good procedures, quite the opposite, but the ‘demonisation’ of the defence and the ‘brick wall’ attitude of some Forces is simply not appropriate. As a Police expert who I get on with very well said to me recently when I called to say I would be defending a case, ‘Gone over to the Dark Side for this one have you?’; and he’s a friend!
Our task is certainly made harder by the many defence ‘experts’ who look at any evidence, write ‘A Trojan did it’ on a post-it note in crayon and submit it as a defence; don’t laugh - it happens all the time, well, maybe not the crayon bit but you get the picture. This brings me back to the first article I submitted to Forensic Focus "Is There a Need for Industry Control?" which certainly created some considerable comment in the resulting thread.
In conclusion, I believe that the current dual-pricing policy of many software and hardware companies should stop for experts working in a defence role. Secondly, procedures for all Forces working in the UK should be standardised with a view to working together more effectively, realising that the defence is a critical part of our legal system and that anyone standing accused of a crime should be entitled to a defence conducted as professionally and robustly as the prosecution.
Good article.
I can say that I would never examine a drive at a HTCU office anywhere, anytime. If you are working for the defense you have the potential if not guarantee that you give away any points that you plan to attack or strategies that you have.
There is nothing wrong with making images of the drive and password protecting those images and then placing those images on an encrypted drive. Good luck breaking the encryption on the drive and then the password on the encase files then trying to figure out what program opens up .E01 extensions. Many times Judges have agreed that this is a perfectly acceptable protocol and provides well above the required security for any type of case.
Let's not just leave this at images, I know that there are plenty of companies that we all do work for who would hate to have their proprietary formulas, client list, etc floating out in the open and if the same measures aren't taken for civil cases and criminal cases then that could very well happen.
My .02 worth.