mailing list archives
RE: Re: Careless Law Enforcement Computer Forensics Lacking InfoSec Expertise Causes Suicides
From: "dave kleiman" <dave () isecureu com>
Date: Tue, 4 Oct 2005 12:29:31 -0400
From: THORNTON Simon [mailto:Simon.THORNTON () swift com]
Sent: Tuesday, October 04, 2005 05:59
To: Stefano Zanero; jasonc () science org; dave kleiman
Subject: RE: [Full-disclosure] Re: Careless Law Enforcement
Computer Forensics Lacking InfoSec Expertise Causes Suicides
The issues you've raised are very common, the reasons why
there are so many "misuses" of forensic data are varied.
1) The Computer Crime Units (CCU) of most police forces often
lack the technical skills to investigate. They are familiar
with conventional evidence gathering but less so with
Digital. For them, if they raided someones house and found
glossy photographs present, there is little reason to seek
for an alternative cause ("my neighbour planted it?"). If
they seize a hard disk and there are images then they apply
(wrongly) the same assumption that the person downloaded.
From my own work, I now of CCUs where the officer
investigating loads a
standard piece of s/w onto the disks and scans for images; he
does not (and is unable to) look for anything else.
All the LEA's I work with have gone through FLETC, maybe you should
encourage those to do the same, or as I do VOLUNTEER to help them and if
necessary teach them!!
In many countries the Computer Crime units spend 90% or more
of there time dealing with Child pornography; anything else
is often way beyond them. If the case is major enough, they
may, in very exceptional cases, pass the evidence to a 3rd
party for detailed analysis.
It is not beyond them by any means. They are overwhelmed with CP cases. That
is why they formed the ECTF, the ECTF has taken on the task of helping all
levels of LEA's with other types of electronic crimes.
2) Most people can cope with physical security; they lock
their doors/windows when they go out. When you are talking
about computers Joe Public is generally clueless; they do not
realise the risk or what can happen.
3) The court system has a difficult time dealing with
complicated forensic evidence, whatever the source, be it
physical or digital. Try explaining to a group of
non-technical jurors, the judge and often council, the ins
and outs of the digital evidence in a way they can
understand. I've seen so-called "expert" witnesses unable to
answer even simple questions about where a program (such as
encase) extracted a set of file names and time stamps from.
That it is why I act as or enlist a court preparation technician.
This is one who is:
Responsible for preparing the examined evidence submitted, interpreting the
findings, writing the report and providing evidence of fact and opinion for
Is proficient in preparing documentation and visual aides, and articulate
these findings in a court/jury comprehensible format.
Is be able understand the evidentiary findings of the forensic specialists.
4) Many jurors, based on programs such as CSI think that you
can prove innocence or guilty SOLELY on the forensic
evidence. In reality it requires a lot more than just a hard
disk analysis to make a strong case.
Many jurors do not even no how to spell computer, it is our job to break it
down for them.
Can case be proven solely on physical and direct evidence?????????
5) Security professionals involved in Digital Forensic work ("expert
witnesses") also bear a large responsibility to make sure
that they present the data correctly and document all avenues
6) The laws and the requirements on evidence gathering vary
enormously across different countries. What is illegal in one
can be perfectly legal in another. For instance;
Yes they do but they are attempting to unify many things throughout various
countries, but it is not going to happen overnight:
Interpol official site - International Criminal Police Organization - ICPO
IT Crime - Regional working parties:
European Working Party on Information Technology Crime
American Regional Working Party on Information Technology Crime
African Regional Working Party on Information Technology Crime
Asia-South Pacific Working Party on Information Technology Crime
Steering Committee for Information Technology Crime
Virtual Global Taskforce http://www.virtualglobaltaskforce.com/
I agree with Jason that evidence is often misused, by both
sides, defense and prosecution. I often dispair at the (lack)
of comptenance of state agencies and the weaknesses in the
What many people fail to realise is that there is a lot more
to the investigation carried out by agencies than just
digital forensics. The "public" information reported on cases
is often diluted (by court ignorant reporters) or
disinformation intended to protect the sources or victims.
The last thing you want to do is tell the bad guys how you
collected all your evidence and who might have given it to you.
I've seen people who are guilty as charged get off with the
"Trojan Defense", even when the forensic analysis showed
conclusively that there were no backdoors or other reason why
the data could have been on a machine.
It is very regrettable that someone commits suicide as the
result of being charged or convicted of a crime but it is not
confined to cases involving digital evidence. Anyone entering
a prison is often put on a "suicide" watch when they first
enter; especially those with long sentences or offences
involving sex, children or treason. In the larger perspective
there are miscarriages of justice in our legal systems; we
are not going to resolve these easily except by being
vigiliant and questioning what happens.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- RE: Re: Careless Law Enforcement Computer Forensics Lacking InfoSec Expertise Causes Suicides dave kleiman (Oct 04)