What Forensic Software do you recommend if buying personally  

armresl
(@armresl)
Community Legend

Hi Patrick,

What law school did you attend?

As we learned in law school, the adversarial system is fine unless there is a substantial difference in ability to have access to the same quality of representation. My lecturer called it the "deep pockets principle" and there is a substantial statistical correlation between financial capacity and which side wins. Have a read of the NAS report on Strengthening Forensic Science in the US and their issues with equal access to resources for defendants. I'm not necessarily endorsing their suggestions on how to address it, but it's an interesting read.

I'm not saying that in practice a "Civil Law" system produces a better result in practice, my experience has been in two common law countries, but as a forensic practitioner, I can respect a system where the first responsibility of all lawyers is to the truth, rather than to any particular person or the state.

Posted : 21/12/2009 11:40 pm
seanmcl
(@seanmcl)
Senior Member

That's why I put my "in practice" comment. Because although the intent may be different, the practice doesn't necessarily follow. In my experience, many different legal systems tend to borrow from the good (and sometimes bad) aspects of other legal systems, so it wouldn't surprise me that lawyers in civil law systems are acting more adversarial than the system would seem to imply at a philosophical level.

In my experience as a witness in civil cases, I'd have to say that the primary role of the lawyer seems to be that of advocating for his/her client, not seeking the truth. I am not saying that this is a bad system, but I am suggesting that truth often takes a back seat when it comes to civil actions, which may be one reason why so many civil actions end up being settled out of court.

There are also "incentives" to bundle certain types of civil actions because the losing party has to pay the legal fees for the prevailing party.

Posted : 22/12/2009 12:02 am
armresl
(@armresl)
Community Legend

Where is it written that the losing party has to pay legal fees for the prevailing party?

It is frequently asked for, I wasn't aware of any rule which states that it has to be.

That's why I put my "in practice" comment. Because although the intent may be different, the practice doesn't necessarily follow. In my experience, many different legal systems tend to borrow from the good (and sometimes bad) aspects of other legal systems, so it wouldn't surprise me that lawyers in civil law systems are acting more adversarial than the system would seem to imply at a philosophical level.

In my experience as a witness in civil cases, I'd have to say that the primary role of the lawyer seems to be that of advocating for his/her client, not seeking the truth. I am not saying that this is a bad system, but I am suggesting that truth often takes a back seat when it comes to civil actions, which may be one reason why so many civil actions end up being settled out of court.

There are also "incentives" to bundle certain types of civil actions because the losing party has to pay the legal fees for the prevailing party.

Posted : 22/12/2009 12:15 am
Patrick4n6
(@patrick4n6)
Senior Member

In my experience as a witness in civil cases, I'd have to say that the primary role of the lawyer seems to be that of advocating for his/her client, not seeking the truth. I am not saying that this is a bad system, but I am suggesting that truth often takes a back seat when it comes to civil actions, which may be one reason why so many civil actions end up being settled out of court.

There are also "incentives" to bundle certain types of civil actions because the losing party has to pay the legal fees for the prevailing party.

I was talking about Civil Law legal systems, not about civil (non-criminal) cases under a common law system.

http://en.wikipedia.org/wiki/Civil_law_%28legal_system%29

Posted : 22/12/2009 12:30 am
 Anonymous

That's why I put my "in practice" comment. Because although the intent may be different, the practice doesn't necessarily follow. In my experience, many different legal systems tend to borrow from the good (and sometimes bad) aspects of other legal systems, so it wouldn't surprise me that lawyers in civil law systems are acting more adversarial than the system would seem to imply at a philosophical level.

To be honest I am not even sure they think about it this (deeper) way. They are just trying to do their job, i.e. to help their client in whatever way they can.

The difference here is that computer forensics is very new to everyone. Lawyers are not used to that, they don't understand. Also we have only a few forensic experts in this field here.
So when I come to testify, lawyers usually start attacking me (who am I, what is my education/experience etc.), this takes 5-10 minutes, and then they just go through all parts of my expert statement wanting me to repeat everything again and all they are focusing on is just trying to catch me saying something stupid or illogical etc. Also they are paying attention if I say anything regarding the legal questions (which is what we are not allowed to comment on).
That's all. It's not adventurous or anything, it's just boring and annoying. I was never confronted with the opposite expert, that's happening very rarely. The defendant side usually doesn't have any expert at all.
Just once the court (not the defendant side, but the judge himself) invited another expert (I don't know for what exactly) in the same matter. We met at the hall waiting to be convened, we just said "hi" to each other and that was it. I went first, then him. No confrontation or anything.

Well, I have never personally witnessed any trial in the U.S., so I can't compare. But based on what one can hear and what you indicated and what I just described, I guess you are probably right after all, here it's maybe not such a dramatic/adversarial circus as in the U.S. But I participate only in criminal cases, civil ones are probably more interesting.
In criminal, the state attorney decides to take the case to the court only if he/she believes that the defendant is guilty. And usually he is indeed found guilty. Their lawyers then usually try to build the defense rather on some procedural issues (someone did something wrong during the investigation etc.) than attacking directly the subject of the accusation.

Maybe it's related to our past. Communism ended here 20 years ago, but maybe people are still not used to fighting for themselves with such a passion. It may also be that they don't care that much because even if they are sentenced, they may simply not show up at the prison (if they weren't held in custody) and stay free either here or move to some other country and no one will find them. Just a few days ago I discussed with the police investigators under what circumstances the police can break into the house of a fugitive. Unless they have some concrete evidence that he may be hiding there, they don't get the permission. Crazy?

Take Viktor Kozeny for example, probably our most famous international criminal. He has stolen almost 1 billion USD (recalculated) from the Czech people, he has done many other frauds in other countries and what happened? Nothing. He is laughing and no one really cares.

Posted : 22/12/2009 12:39 am
 Anonymous

I was talking about Civil Law legal systems, not about civil (non-criminal) cases under a common law system.

Probably the main difference is that while previous decisions of your courts (in a common law system) are legally binding, thus your judges in fact are making the law and every future court must stick to it, our courts (in a civil law system) must stick only to the "real" codified written laws (issued by the lawmakers - the government). Previous court decisions may or may not be taken into account. In reality the judges sometimes do, sometimes don't, it's really unpredictable.

So different people committing the identical crime may be judged and sentenced (or not sentenced at all) differently.

Posted : 22/12/2009 1:07 am
seanmcl
(@seanmcl)
Senior Member

I was talking about Civil Law legal systems, not about civil (non-criminal) cases under a common law system.

Sorry, misunderstood, however, I still assert that truth is often subjective, in matters of law and justice, and that the adversarial role exists in many common law societies as a means of protecting the individual against the power of the state. Such protections may be unavailable to the defense under a Civil Law society.

Posted : 22/12/2009 7:47 pm
 Anonymous

Sorry, misunderstood, however, I still assert that truth is often subjective, in matters of law and justice, and that the adversarial role exists in many common law societies as a means of protecting the individual against the power of the state. Such protections may be unavailable to the defense under a Civil Law society.

I wonder in what country in particular is the adversarial role prohibited.

Posted : 22/12/2009 8:10 pm
seanmcl
(@seanmcl)
Senior Member

I wonder in what country in particular is the adversarial role prohibited.

Quite a few, including the US. A grand jury, for example, is inquisitorial (non-adversarial), in that the defense is not allowed to ask questions or cross examine witnesses. In France, there is a similar process which is used to bring about indictments. There are many countries in the Middle East and South America where inquisitorial justice is the norm and the defense is limited in what it can do. In parts of Europe, for example, the defense is not allowed to question victims in child abuse cases.

In fact, the inquisitorial justice system is more prevalent, worldwide, than the adversarial system.

Posted : 22/12/2009 10:09 pm
 Anonymous


I wonder in what country in particular is the adversarial role prohibited.

Rather than say it is "prohibited," a more accurate statement is that the Adversarial System is not universal. France, most notably, uses the Inquisitorial System of justice.

Key differences: Adversarial systems place the power to collect evidence and present witnesses in the hands of the attorneys. Inquisitorial systems place more power in the hands of judges, who are tasked with gathering evidence and questioning witnesses.

Posted : 22/12/2009 10:12 pm
paul206
(@paul206)
Member

I realize nobody is going to see this because this thread ran its course and got interrupted by the Christmas holidays. I have been taken to task and rightly so because I failed to make myself clear. I was in a hurry and was talking to reedsie in an attempt to show him the big picture which is that your opinion of your tools is irrelevant. The opinions that are important are that of the judge in whose court your case is being held and your client who is an attorney in that court. When I used the word certifiable I meant acceptable in court or admissible as evidence in a US court. I was not making it up and I offer this excerpt as explanation. It is a chapter from a 149 page pdf file that came with a copy of Encase in 2006. Obviously Guidance Software is making a case why you should use their product but it is based on case law. I read it back then and absorbed it. It just took me a while to remember from whence it came. The 2009 version of the document can be found at the following location.

Encase Legal Journal

§ 2.3 Commercial vs. Custom Forensic Software and Authentication Issues

Some computer forensic investigations utilize custom software tools developed by the investigating agency or a private company that are not commercially available to the general public. Courts have addressed issues concerning the type of software involved where computer-generated evidence is at issue. Such cases provide a presumption of authenticity for evidence resulting from or processed by commercially available computer systems and software over customized systems and software. As noted by one respected treatise on the subject:

“Evidence generated through the use of standard, generally available software is easier to admit than evidence generated with custom software. The reason lies in the fact that the capabilities of commercially marketed software packages are well known and cannot normally be manipulated to produce aberrant results. Custom software, on the other hand, must be carefully analyzed by an expert programmer to ensure that the evidence being generated by the computer is in reality what it appears to be. Nonstandard or custom software can be made to do a host of things that would be undetectable to anyone except the most highly trained programmer who can break down the program using source codes and verify that the program operates as represented.”

In fact, courts in many jurisdictions actually require that any computer-generated evidence be a product of a “standard” computer program or system in order to admit such evidence. This body of authority would seem especially relevant to software used by law enforcement for computer forensic purposes, given the sensitive function of such software. A law enforcement agency that utilized customized proprietary software for computer forensic investigations could face various complications when seeking to introduce evidence processed with such software. Such actual or potential pitfalls could include the following:

1. The defense could seek to exclude the results of any computer investigation that utilized tools that were inaccessible to non-law enforcement. Federal courts are unanimous in holding that computer evidence generated by or resulting from a process is only admissible if the defense has access to such software in order to independently duplicate the results of that process and thus “is given the same opportunity to inquire into the accuracy of the computer system involved in producing such evidence.”

2. If the defense is provided with a copy of the proprietary software and all evidentiary images, an expert retained by the defense will require substantial time to learn the software and recreate the process, resulting in substantial cost to the government in cases involving indigent defendants. The government will incur even further costs if the purchase of supporting operating systems and file servers is required to support the custom software.

While, as noted above, the source code for commercially available software is not required to be introduced into evidence in order to establish the authenticity of computer processed evidence, it is apparent that such presumptions of authenticity would not be afforded to customized software. Thus, the defense would seek to exclude the results of any computer investigation utilizing custom software tools, unless the source code was made available to the defense for testing and analysis.

Conversely, when questioned in court regarding the reliability of a commercially available software application such as EnCase, the proponent of the evidence would be able to testify that EnCase software is a widely used and commercially available software program and thus any member of the public can purchase, use and test the program. The defense could not claim prejudice by the use of EnCase software as any reasonably skilled computer examiner would be able to examine the discovery copy of the evidence, nor would the government be subject to questions regarding its access to the source code of the program. The prosecution in the case of Logan v. State dealt with these types of issues directly, described by the Court of Appeals of Indiana as follows:

On August 14, 2003, Logan filed a motion for discovery requesting production of the computer program the State used to discover evidence on the computer. The State failed to produce the computer program, known as iLook, even after the trial court entered an order compelling production. On January 20, 2004, Logan moved to dismiss the charges based upon First Amendment grounds. On February 20, 2004, the State dismissed the charges and refiled charges using a different forensic computer program, called EnCase. On April 6, 2004, approximately sixty days prior to trial, the State provided Logan with a copy of the EnCase program, thereby complying with the court’s discovery order.

As the Logan case illustrates, using software that is not commercially available can result in discovery conflicts. Resulting delays can even put the prosecution’s case at risk by impacting the right to a speedy trial.

Even in the civil litigation arena, using custom software can prove problematic. For instance, in the high-profile case of Coleman (Parent) Holdings, Inc. v. Morgan Stanley & Co., Inc., which resulted in a jury verdict of $1.4 billion, Morgan Stanley was lambasted by the court because software it had written to collect electronic information had missed thousands of relevant emails.

I would venture to say that anyone who is not interested in the rules of evidence is either doing network forensics or human resource investigations or lives in a country where it doesn't apply.

Posted : 31/12/2009 10:11 pm
Beetle
(@beetle)
Active Member

I realize nobody is going to see this because this thread ran its course and got interrupted by the Christmas holidays. I have been taken to task and rightly so because I failed to make myself clear. I was in a hurry and was talking to reedsie in an attempt to show him the big picture which is that your opinion of your tools is irrelevant. The opinions that are important are that of the judge in whose court your case is being held and your client who is an attorney in that court. When I used the word certifiable I meant acceptable in court or admissible as evidence in a US court. I was not making it up and I offer this excerpt as explanation. It is a chapter from a 149 page pdf file that came with a copy of Encase in 2006. Obviously Guidance Software is making a case why you should use their product but it is based on case law. I read it back then and absorbed it. It just took me a while to remember from whence it came. The 2009 version of the document can be found at the following location.

Encase Legal Journal

§ 2.3 Commercial vs. Custom Forensic Software and Authentication Issues

>>snip

I would venture to say that anyone who is not interested in the rules of evidence is either doing network forensics or human resource investigations or lives in a country where it doesn't apply.

Until very recently we used iLook as one of our tools. I would venture to say that the issue here may have been (at least partly) that a copy of the iLook image of the media was provided on disclosure. The problem is that iLook imager uses a proprietary format that isn't 'portable' to other software. The imager software has to be used to make a raw file from the iLook image. We ran into this problem quite early on and switched to EWF so we could use images in anything (iLook can read EWF, Safeback and other formats). The other issue with iLook was that it was funded by the US government and was very restrictive regarding licences. You had to be LE in the US or an ally country (primarily in the UK and Canada) to get a licence.

I can't see why commercial software would be any more 'accepted' than custom non-commercial software. If that was indeed the case then grep, dd, the custom Linux kernel - in the case of Helix for example - and such software would not be acceptable, when in fact they are. Anyone using their tools should be able to find the same evidence whether you use Encase, FTK, perl scripts or TSK. There is nothing 'magic' in commercial software. Custom software is fine as long as you know what it does and its output can be verified with other software.

The proper defence here would have been to show that other software provided results that were inconsistent with the iLook output, thus calling into question the evidence in general. This case Guidance cites is almost saying that the defence should have the state provide the lab equipment and receive training to do their own DNA testing.

Two questions came to my mind when I read the excerpt. In the case cited, was the defendant hiring his own analyst who didn't have any kit, or was the lawyer trying to save money by using Encase himself to look at the evidence image files? I suspect the latter and there probably is more to the story than Guidance has spun in their sales propaganda. I take grandiose claims by software manufacturers with a good dose of scepticism. It is marketing after all.

Posted : 01/01/2010 1:44 am
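
The cross-tool verification discussed in the post above ("its output can be verified with other software"), as an added example that is not part of the original thread or any poster's code. It compares a TSK body-file listing against a CSV export from a hypothetical second tool; the CSV column names and all sample data are constructed for illustration.

```python
"""Cross-check file listings that two tools produced from the same image."""
import csv
import io

# Constructed sample: TSK 3.x body-file lines in the style written by `fls -m`
# (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime).
TOOL_A_BODYFILE = """\
0|/Documents/report.doc|128-128-1|r/rrwxrwxrwx|0|0|24576|1262300000|1262200000|1262200000|1262100000
0|/Documents/notes.txt|129-128-1|r/rrwxrwxrwx|0|0|812|1262300500|1262250000|1262250000|1262150000
0|/Pictures/img001.jpg (deleted)|130-128-1|r/rrwxrwxrwx|0|0|90112|1262000000|1261900000|1261900000|1261800000
"""

# Constructed sample: CSV export of a hypothetical second tool (column names assumed).
TOOL_B_CSV = """\
path,size,modified_epoch,deleted
/Documents/report.doc,24576,1262200000,no
/Documents/notes.txt,820,1262250000,no
/Downloads/setup.exe,51200,1262260000,no
"""

DELETED_SUFFIX = " (deleted)"  # TSK appends this to names of unallocated entries


def parse_bodyfile(text):
    """Return {path: {"size", "mtime", "deleted"}} from body-file lines."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _md5, rest = line.split("|", 1)
        # A file name may itself contain '|', so take the nine fixed fields from the right.
        name, _inode, _mode, _uid, _gid, size, _atime, mtime, _ctime, _crtime = rest.rsplit("|", 9)
        deleted = name.endswith(DELETED_SUFFIX)
        if deleted:
            name = name[: -len(DELETED_SUFFIX)]
        entries[name] = {"size": int(size), "mtime": int(mtime), "deleted": deleted}
    return entries


def parse_tool_b_csv(text):
    """Return the same structure from the hypothetical second tool's CSV."""
    entries = {}
    for row in csv.DictReader(io.StringIO(text)):
        entries[row["path"]] = {
            "size": int(row["size"]),
            "mtime": int(row["modified_epoch"]),
            "deleted": row["deleted"] == "yes",
        }
    return entries


def compare(a, b):
    """List entries seen by only one tool and attributes the tools disagree on."""
    report = {"only_in_a": sorted(set(a) - set(b)),
              "only_in_b": sorted(set(b) - set(a)),
              "mismatched": {}}
    for path in sorted(set(a) & set(b)):
        diffs = {k: (a[path][k], b[path][k]) for k in a[path] if a[path][k] != b[path][k]}
        if diffs:
            report["mismatched"][path] = diffs
    return report


def run_example():
    return compare(parse_bodyfile(TOOL_A_BODYFILE), parse_tool_b_csv(TOOL_B_CSV))


if __name__ == "__main__":
    for section, value in run_example().items():
        print(section, value)
```

Any non-empty section of the report is a discrepancy the examiner has to explain before relying on either tool's output.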
douglasbrush
(@douglasbrush)
Senior Member

IMO it is an issue of transparency. Many of the well-known tools have been through the court and legal scrutiny to be explained how they work. The designers of such software have testified to how they work so it is less of a black box technology and there is a track record for producing verified evidence. This simply allows a practitioner the ability to use a tool and testify "easier" as to how the results are produced. I only say easier because in the legal community there has been enough of a history of use and greater understanding of the authenticity of the type of results. Also because of their widespread and documented use someone else can produce the same results with greater ease. This creates a comfort level with these tools that some of the other less known or vetted tools may not provide to someone who would have to testify to explain how the tool of choice worked.

I would not say that EnCase or FTK are beginner tools but they do allow someone who is new to the field and testifying a firmer base to start with because of the openness and history of how they have worked. As you become more technically skilled and knowledgeable about the legal implications of how results are produced then by all means use anything and everything within your budget if you feel that you can confidently explain the results and methods you used.

Posted : 01/01/2010 2:32 am
seanmcl
(@seanmcl)
Senior Member

There are two issues in the reference to the EnCase Legal Journal, neither of which applies to open source forensic tools.

The first issue, related to iLook, was the fact that because the software is restricted to LE and the format proprietary, the defense was not given the opportunity to verify the data in the form that the prosecution intended to present it.

The second issue is that of "custom" software. By "custom" it is meant that the software can be made to produce specific results via deliberate manipulation by the user and that these results may not be an accurate representation of the underlying data.

Neither of these points invalidates open source software as a valid tool in digital forensics, in fact, one might argue that open source tools have an edge because their operation can be validated via examination of the source code (as opposed to a proprietary product like EnCase).

Posted : 01/01/2010 7:53 pm
kovar
(@kovar)
Senior Member

Greetings,

Also bear in mind that the EnCase Legal Journal is designed to promote one thing - EnCase. They're not going to include any cases that support the use of tools other than EnCase. It is a marketing resource.

-David

Posted : 01/01/2010 9:57 pm