Tips for getting started on a low budget...

20 Posts
7 Users
0 Reactions
1,799 Views
ScharfRJ
(@scharfrj)
Eminent Member
Joined: 17 years ago
Posts: 22
Topic starter  

Forensically the data drives sat on a shelf for 2 years during trustee work and then were looked at by police AND the contracting company, so really I told the client that I could not verify that the data was forensically sound anymore since the suspect computer was booted up and software used on it…I told the client from the get go that I would be using free open source AND trial commercial software to see if I could find deleted and "slack/unallocated space data" that may hold information linking events/activity that the trustees did not have access to over the last 2 years…this is a corporate bankruptcy investigation to find hidden assets and the police have given up on pursuing it any further. It is the creditors who are paying the legal bills and asked for my forensic analysis of the data…
I hope this clears up some of your concerns about the ramifications of the use of my tools in court.


   
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

I hope this clears up some of your concerns about the ramifications of the use of my tools in court.

Your use in Court was only one concern (and still might be if the case is ever litigated and you are called as an expert). However, check the licensing for P2 Commander. I believe that the demo license is for non-commercial use, only, and that to use even the demo for commercial purposes, you need to pay a license fee.

If that is the case, then you'd be risking your professional reputation to save a few bucks. I would, instead, consider making sure that your total commission would pay for the license, buy the license, and then eat the cost through your commission. When I first started doing this, I lost money on my first few jobs but, in the process, built a small but functional lab and that was back when these jobs were few and far between.


   
Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

Some very good advice there!

I do want to tip my hat to Rob (the OP) for bringing this subject up in the first place and sticking with it despite the hard ride, hopefully it's a useful debate for everyone.

Personally I'm very sympathetic to the situation small companies/start ups find themselves in with regard to some current pricing structures, it wasn't always this way…

Jamie


   
ScharfRJ
(@scharfrj)
Eminent Member
Joined: 17 years ago
Posts: 22
Topic starter  

Hey guys/gals…thanks for all the Feedback…I am in email contact with a support engineer at Paraben and sent along your concerns about a license fee for the trial version for commercial use until I can buy their full version. I also posted here to buy a dongle for EnCase 3 or 4 to build up my toolchest and will be buying a write blocker…slow but sure I'll be set up with all the software/hardware I need. Thanks for guiding me along the legal path of all this and ramifications of not doing it right from the get go…


   
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

You're welcome. Let us know what they say.


   
ScharfRJ
(@scharfrj)
Eminent Member
Joined: 17 years ago
Posts: 22
Topic starter  

Update…Paraben gave me a license key…not sure if it even has any time limit…just shows licensed to me. I won't be abusing their trust in me as a new client and will pay them for a license when I get more work and I now have a new business Mentor who may have more work for me. Thanks everyone for your feedback.
I'll post some experience stuff on here from the work I do with my day job as I come across stuff I think might help newcomers…I'm new to my own part-time forensics business, but have been doing IT Security investigations for about 8 years now and IT forensics for almost a year with the Federal Government…


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Practically any textbook, presentation, article on computer forensics makes it clear that using unlicensed software to perform an investigation is a no-no.

So that means there is no statutory provision, no rule and no standard, per se, merely a disparate range of guidance?

I am playing the opposite side of the argument here. I do so because I see this quite often where it is suggested that somehow someone is breaching disparate guidelines. You can breach statutory provisions, you can break rules and you can fail standards. You can't breach disparate guidelines. You might not follow guidelines and then it requires the person to identify why the procedures they followed were equal to or safer than other guidelines.

In any civil case where I have ever gone to court, one of the first things that opposing counsel requests is documentation that I am the licensed user of whatever tools/devices I used for my investigation.

All things being equal with the examiner's work and there being no problem with the technical side what value could counsel possibly gain, technically that is, by seeking copies of software licences?

If I were faced with that I would seek to demonstrate irrelevancy of the questions as the US courts have already adopted a position in many previous cases by accepting forensic computer evidence obtained using free tools that have been mentioned in other posts within this Forensic Focus discussion. So what is the distinction between trial tools (not paid for) and free tools (not paid for)?


   
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Practically any textbook, presentation, article on computer forensics makes it clear that using unlicensed software to perform an investigation is a no-no.

So that means there is no statutory provision, no rule and no standard, per se, merely a disparate range of guidance?

At the very minimum, the unlicensed use of software constitutes copyright infringement under US law and under the Berne Convention. In the US, this can be both a civil and a criminal act since the passage of the No Electronic Theft Act.

In criminal and civil law, the admissibility of evidence which was obtained through illegal means can be challenged without regard to the veracity of the evidence. In addition, it goes to the character of the "expert" if he or she is willing to break the law or infringe on a copyright in order to make money.

You only need to be disqualified as an expert, once, to ruin your career. It isn't worth it.

In any civil case where I have ever gone to court, one of the first things that opposing counsel requests is documentation that I am the licensed user of whatever tools/devices I used for my investigation.

All things being equal with the examiner's work and there being no problem with the technical side what value could counsel possibly gain, technically that is, by seeking copies of software licences?

If I were faced with that I would seek to demonstrate irrelevancy of the questions as the US courts have already adopted a position in many previous cases by accepting forensic computer evidence obtained using free tools that have been mentioned in other posts within this Forensic Focus discussion. So what is the distinction between trial tools (not paid for) and free tools (not paid for)?

As I said, the issue is not whether the license is a trial license, but whether it expressly forbids the product to be used commercially without a license. Trial software is fine. Many vendors provide time-limited fully functioning software with no restrictions on the use during the time-limit. But many others provide trial software only on the condition that it not be used for commercial purposes.

An example is Belarc Advisor, which is a nice little tool to determine intricate details of your hardware and OS configurations in a Windows environment. The license states, explicitly, that the program cannot be used for commercial purposes. To do otherwise is to violate the terms of the license.

I was in a case where I challenged the credibility of the expert because he had used Belarc Advisor in the preparation of his report. I didn't dispute the evidence but I did make it a point with respect to his character.


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

OK, if I have correctly understood seanmcl (hope you understand I do not work in the States), in the States the issues are

(a) if he used a Trial copy of a program without a Licence he is of a dodgy character, as opposed to
(b) using a program that he had paid for to get a Licence, but if the expert can
(c) get a Licence for a Trial copy you wouldn't suggest there is a stain on his character - but the program can still be a Trial copy?

So there is nothing there about whether the expert's work is wrong or inaccurate?

I am just wondering where computer forensics stops and personal vendetta starts. If I raised that against a prosecution expert in a criminal case in the UK the Judge could most likely come after me for potentially running a personal vendetta. That is because my job is not to cast doubt on the expert's integrity because of using licenced or unlicenced programs but to consider the expert's technical work and compliance with standards or rules (if relevant), but not to become a quasi-lawyer and see if I can put a stain on his character based upon my interpretation of what amounts to possession of a 'Licence'.


   
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

In part it has to do with the reasons for the Daubert standard. Prior to Daubert (and prior rulings such as Kumho), there were few qualifications for expert witnesses other than that you had a fancy title, or degree or worked for a prestigious organization. So-called "experts" were coming out of the woodwork and their testimony, often fallacious, was costing defendants dearly. Dow Corning filed for Chapter 11 bankruptcy protection in response to lawsuits over breast implants and autoimmune disease even though scientific reviews were unable to establish a link. Nonetheless, there were hundreds of cases in which pathologists, cell biologists, etc., testified to the contrary.

In response to proliferation of experts the Courts established standards designed to limit the admissibility of experts and their testimony.

The issue is not whether the expert is testifying as to facts. The issue is the opinion which the expert forms in relation to the facts, especially when that opinion is not something which is easily proven.

For example, consider the Trojan Defense. In the UK, this defense has been used, successfully, to acquit people even in cases where no Trojan was found because an "expert" testified that a Trojan "might" have been present at some time.

But in most cases, the Trojan defense is nothing more than a circumstantial argument.

In situations where the evidence is the expert's opinion, the other side has the right (if not the responsibility) to question the character of the expert. If an expert is willing to ignore the terms of a license agreement in order to make his or her case, could they not be willing to adjust their opinions to fit their case rather than the facts?

In criminal law, it is even "worse". The fruit of the poisonous tree doctrine, in most cases, excludes evidence obtained illegally, even if the evidence is correct. There are many who believe that this doctrine goes too far and that the remedy should be action against those who acted illegally to obtain the evidence but not against the evidence, itself, while others believe that the doctrine errs on the side of protecting Fourth Amendment rights.

As an opposing expert, I don't cross examine the other experts, so my job would not be to put a stain on the other expert's character. But, unless I am a Court-appointed special master, my job is to help my clients prepare their case and part of that preparation is to evaluate the claims of the other side's experts and their qualifications to make those claims and, yes, if they are asking the jury to believe their expert's conclusions, which I dispute, then the question of the expert's character is relevant.

We've had a related discussion, before, but the American court system is adversarial for a reason. The reason is that every hearing, trial, etc., should not only help to establish the truth, it should also help to further define the law. Most American law is defined, not by the language of the law, but by the way that the Courts interpret that language. The adversarial system helps to ensure that these interpretations are neither overly broad nor overly narrow.


   