
Windows XP SP3

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Do clients, courts, "consumers of digital forensic services," require updated software, patches, &c.? There is probably latitude (as long as it works…) but I could see a defense attorney hammering this point.

I think that there's too much focus on what a defense attorney *might* say or ask, and no consideration at all for what the prosecution would permit.

A forensic examiner working for the prosecution is not going to be questioned by a defense attorney unless the prosecution introduces evidence discovered and brought forth by the examiner into evidence in the case. If the prosecution does not feel that the examiner's evidence is strong enough to be brought forward and introduced as part of the case, they won't do so…and therefore, it's pretty much irrelevant what the defense attorney may or may not think about systems being updated.

With respect to that, why would a defense attorney "hammer this point" about systems not being updated? Is there some documented evidence stating that EnCase running on XP SP2 spontaneously generates CP in an image file, and therefore must be updated? There are LE examiners who have stated emphatically that they use EnCase 4.22, because for their purposes, it works.

Back to the original purpose for my post…defense attorneys do not get the opportunity to "hammer" a forensic examiner for anything unless the prosecution introduces that examiner's testimony into evidence.

From another perspective…if a defense attorney *were* able to "hammer" the point of a system not being updated from, say, EnCase 5.05 to EnCase 6.11.2, and won his argument, then ANY case that was tried using ANY version of EnCase other than 6.11.2 would be open to appeal and possibly retrial…regardless of whether the update was available or not - deficiencies in software are independent of whether an update or patch is available or not.


   
ReplyQuote
u2bigman
(@u2bigman)
Eminent Member
Joined: 17 years ago
Posts: 41
 

…From another perspective…if a defense attorney … won his argument, then ANY case that was tried … would be open to appeal and possibly retrial…

Which is exactly the point. The predicate is that DF work product has been entered into the evidence stream, or however one wishes to phrase it.

The toss-out re software which "spontaneously generates CP in an image file" is (let's be charitable here) a red herring. I had hoped for a more factual (vs. flippant/emotional) response. Oh, well.

Negative consequences (from the People's POV, that is) should be irrelevant, no? DF is not out to make anyone's job easier nor to punish a "known" thief, drug dealer, purveyor of CP, but rather… support the truth. If the truth disappoints then, well, bummer. Devise methods which do NOT disappoint.

Perhaps an analogy exists in the virus protection field. Is not a standard mantra to "update your [defense methods, both hardware and software]?" No one who has worked on a professional network blows off updates. I am not sure why the field of digital forensics should be any different.

My two partners – both still recovering from BlackHat – and I see a real opportunity in uber-technical forensics. Such as, shutting down the "unknown hacker" defense. But we also see more than a few weaknesses in current methods. (Again we are NOT LE nor are we forged in the crucible of battle – yet.) These are the areas we hope to address… and thereby minimize the potential for "retrials and appeals" in cases in which we were involved.

Thanks for the input.


   
ReplyQuote
(@larrydaniel)
Reputable Member
Joined: 17 years ago
Posts: 229
 

The focus is not on the tools used, but on the evidence presented, if any. Prosecutors and Defense Attorneys really don't care what version of the tool was used. What they do care about is whether or not the evidence is admissible from a legal standpoint.

First of all, they would not even know to ask the question. Secondly, it does not matter. The tools are not in question, the examiner's findings are in question. Can the examiner support his findings under cross examination? If there is a rebuttal witness, i.e. an opposing expert, the focus is still on the evidence produced. Unless the opposing expert saw a huge flaw in the evidence production and could prove it, the issue is still on admissibility, not on the software used.

However, the expert, whether they are LE or defense, must be able to explain their methods to the jury if needed to support their conclusions.


   
ReplyQuote
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Do clients, courts, "consumers of digital forensic services," require updated software, patches, &c.? There is probably latitude (as long as it works…) but I could see a defense attorney hammering this point.

I think that there's too much focus on what a defense attorney *might* say or ask, and no consideration at all for what the prosecution would permit.

I'm going to disagree with this point only because what is permitted in civil litigation is often much wider than what is permitted in criminal litigation. I have been in civil litigation where the opposing side has asked questions such as "What revision of the software/hardware did you use for your investigation?" "Were you aware that a problem was discovered in that version of Software/Hardware X which could have affected the reliability of the data and, consequently, your conclusions with respect to those data?"

In one case, the other side tried to raise the issue of my competence as an investigator because I had used EnCase 3 for acquisition when the case first started.

One of the reasons that software/firmware is updated is that problems are discovered in previous versions which need to be corrected. Tableau, for example, discovered a problem in its firmware which could (if memory serves me correctly) have injected extra nulls in the data.

Having said that, I would agree with the statement that as long as you can show that the evidence upon which you based your conclusion is sound and accurate, the law is on your side. Extra nulls may have no forensic significance if you can show how they were created but that doesn't mean that your client won't spend extra money to have you prove that.

And, in my humble experience, if the judge is not particularly interested in being overturned on appeal, he/she may allow as much testimony as possible to be heard and let the jury decide how much weight to give the evidence, even if the issue fixed by Windows Hotfix XXXXXXX would have no bearing on the data presented.

The bottom line being that at least in civil litigation, where the truth often takes a back seat to costing your opponents as much time and money as possible, the issue of whether you should have used the most up to date software, OS, etc., can become a point of argument.

That having been said, I rarely switch boats in the middle of a stream unless I have to and if I do, I make sure to back everything up to unaffected media, first.


   
ReplyQuote
(@larrydaniel)
Reputable Member
Joined: 17 years ago
Posts: 229
 

Sean makes a good point. I don't do a lot of civil work, but the evidence rules are quite different from criminal.


   
ReplyQuote
Page 2 / 2
Share: