Forensics
Re: Forensic disk duplication modifies the evidence hard disk May 27 2005 05:47PM
Dr. Marc Rogers (rogersmk exchange purdue edu)
While this is a very interesting discussion topic, I find some of the
article's suggestions/conclusions problematic. One has to be extremely
careful about determining/deciding what constitutes evidence, potential
evidence, or the exact location of evidence. The decision regarding the trade-off
between speed and imaging the entire drive is tricky. Part of the forensic
mindset is to be objective and look for both inculpatory and exculpatory
evidence. Consciously deciding not to include a certain number of sectors
can have a very negative impact on the admissibility and weight of the
evidence. Any legal arguments that address what exactly had been in those
non-included sectors would have a strong likelihood of introducing doubt or,
at the very least, implying tunnel vision on the part of the investigator.

Unless there is an extremely pressing need that a well-skilled attacker
(luckily the majority of attackers/criminals are not in this category - yet)
not be able to determine that a clandestine imaging process has been
conducted, completeness has to take precedence.

As Brian indicated, the foundations of criminalistics and crime scene
analysis are based on the notion of "minimizing" the introduction of
changes. It is impossible to examine either a physical or digital scene
without introducing some kind of change, either at the quantum level or the
"physical" level. To date the justice system has accepted this minimization
standard, as opposed to the unrealistic "absolute" standard.

I am also concerned with investigators making modifications that could
potentially damage the disk or render it unreadable, or make material modifications
to the disk (crime scene).
--
Marc Rogers
http://www.cyberforensics.purdue.edu
rogersmk (at) exchange.purdue (dot) edu [email concealed]
"Those who fail to learn the lessons of history are doomed to repeat them."
(Santayana).

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
