Thanks? Really? J/K!!! )
Again, I only wanted to respond to a couple of your points so this thread didn't "end there". I've had too many students in my classes cite things they've read and taken as fact without questioning.
As for the NirSoft applications on Helix … not all Linux boot CDs are created equally … 😉 That said, I would also say that the inclusion of non-commercial applications isn't a show stopper. As long as the user of the tool knows what they're using (how to use, when to use, including licensing agreements/restrictions) all should be well. Unfortunately too many "examiners" are unfamiliar with the tools they're using and are caught unaware. As in the case you've referenced.
Cheers!
farmerdude
Get SMART!
Unfortunately too many "examiners" are unfamiliar with the tools they're using and are caught unaware.
This is a bit scary as I get emails and PM's for assistance with using tools for the first time in live examinations. Practice makes perfect (or in our world mitigates risk wink ) and people should really be testing software, tools and procedures on lab machines with practice sources.
This is a bit scary as I get emails and PM's for assistance with using tools for the first time in live examinations. Practice makes perfect (or in our world mitigates risk wink ) and people should really be testing software, tools and procedures on lab machines with practice sources.
Absolutely. When I am preparing client counsel for deposition of the opposing "expert" one of the first questions I have them ask is "How many examinations of [describe] have you performed in the past?"
That is, usually, followed by a request for production of reports or testimony where the results of such examinations have been accepted by the courts.
There is a first time for everything. But the first time that you perform an examination should, hopefully, not be the first time that you testify as to your expertise.
Absolutely. When I am preparing client counsel for deposition of the opposing "expert" one of the first questions I have them ask is "How many examinations of [describe] have you performed in the past?"
That is, usually, followed by a request for production of reports or testimony where the results of such examinations have been accepted by the courts.
There is a first time for everything. But the first time that you perform an examination should, hopefully, not be the first time that you testify as to your expertise.
Let's not forget that many forensic examiners are not expert witnesses or are not working in law enforcement. There is also corporate environment where we shouldn't expect very capable examiners to be expert witnesses.
The objective of a forensic examination in a corporate environment and in law enforcement are different.
Let's not forget that many forensic examiners are not expert witnesses or are not working in law enforcement. There is also corporate environment where we shouldn't expect very capable examiners to be expert witnesses.
The objective of a forensic examination in a corporate environment and in law enforcement are different.
Just because you are not in LE does not mean you should not be prepared to be an expert witness.
As one of my early CF instructors said, "Treat every case as if it will end up in court."
As one of my early CF instructors said, "Treat every case as if it will end up in court."
That's what they say, and that's what I have been instructed to do from a training perspective.
In practice, that doesn't happen all the time in many corporations, because the legal counsels driving the investigations do not have in mind to go to litigation.
You are giving the impression (and also glamorizing) that anyone can be an expert witness, when in fact not everyone is cut to be one. Some people will not have the behavioral skills and the training to be one, and they shouldn't.
As one of my early CF instructors said, "Treat every case as if it will end up in court."
That's what they say, and that's what I have been instructed to do from a training perspective.
In practice, that doesn't happen all the time in many corporations, because the legal counsels driving the investigations do not have in mind to go to litigation.
You are giving the impression (and also glamorizing) that anyone can be an expert witness, when in fact not everyone is cut to be one. Some people will not have the behavioral skills and the training to be one, and they shouldn't.
Well what about this scenario
You find something that is illegal on a suspect computer in a corporate environment (child exploitation, counterfeit, etc.).
Now your part of an investigation that your actions can be called for testimony. Would you want to perform an action that could affect evidence?
You never know what your examination will reveal and you cannot assume that that it will not go down a path where you might be asked to testify to your findings. However slim the chances are - there is still a chance.
You are giving the impression (and also glamorizing) that anyone can be an expert witness, when in fact not everyone is cut to be one. Some people will not have the behavioral skills and the training to be one, and they shouldn't.
I disagree, not every "expert" is going to be at the same skill level, that does not mean a less skilled examiner will not be called to testify or considered an expert witness in the particular case where they are testifying. If an examiner works in a corporate environment, that is hardly an excuse to not be prepared to have your case end up in court.
There is really no glamor in being an expert witness.
Absolutely. When I am preparing client counsel for deposition of the opposing "expert" one of the first questions I have them ask is "How many examinations of [describe] have you performed in the past?"
That is, usually, followed by a request for production of reports or testimony where the results of such examinations have been accepted by the courts.
There is a first time for everything. But the first time that you perform an examination should, hopefully, not be the first time that you testify as to your expertise.
Let's not forget that many forensic examiners are not expert witnesses or are not working in law enforcement. There is also corporate environment where we shouldn't expect very capable examiners to be expert witnesses.
The objective of a forensic examination in a corporate environment and in law enforcement are different.
That rather misses my point. I do not think that anyone, whether in corporate practice or in preparation to be an expert witness, should attempt an examination that they have never, before, performed, in a real world setting.
Would you want to be the first person that your surgeon did a kidney transplant on?
My point is simple. If you are dealing with what is likely to be evidence, you should be sure that you know how it behaves in a forensic setting.
For example, cellphones are particularly problematic both because they differ in terms of their functionality and in terms of what techniques are available to recover evidence from them. If I had never, before, worked with a specific device, I would certainly want to practice with a non-evidentiary copy before I attempted to be an "expert" on the particulars of that device.
Clearly, there are principles that apply to all digital evidence. But there are also issues which are unique to specific kinds of digital evidence. Lack of knowledge of these issues can call into question the expertise of the examiner.
That rather misses my point. I do not think that anyone, whether in corporate practice or in preparation to be an expert witness, should attempt an examination that they have never, before, performed, in a real world setting.
It's the chicken and the egg.
Did you perhaps mean to say that an examiner should try out the technique in a training scenario or testing environment before unleashing it in the real world? There's always going to be a first time for everything, but I agree, you should test and validate your methodology before applying it to produce final results in a case.