Full Disclosure mailing list archives

Fw: [IACIS-L] Statement by Defense Expert
From: "Jason Coombs" <jasonc () science org>
Date: Wed, 6 Jun 2007 04:36:08 +0000

Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: "Jason Coombs" <jasonc () science org>

Date: Wed, 6 Jun 2007 04:13:33 
To: dave () davekleiman com
Cc: iacis-l () cops org, az_core () hotmail com
Subject: RE: [IACIS-L] Statement by Defense Expert

Dave_on_the_run <dave () davekleiman com> wrote:
Is your D expert by any chance Jason Coombs?
That is a typical statement by him.
I have an entire public dialogue from
him on various security lists where
he makes many outrageous claims
similar to that.

Dear Dave,

Are you aware that your comment, above, has been reproduced by the Maricopa County Attorney in a 92-page document that 
details the completely absurd statements that were made by Tami Loehrs in the Matt Bandy case? See


Your statement has been used as part of this publication in an effort to discredit Ms. Loehrs, and to respond formally 
to the deceptive and manipulative tactics of the Bandy family as they waged a political war to 'defend' their son, 
Matt, so that he would not be required to register as a sex offender.

As you may know, the television program 20/20 did a story about the Bandy case, and it reportedly failed to present the 
prosecution side of the story. I have not seen it, personally.

I would be glad to discuss in detail anything at all that I have written or spoken that you or others deem to be 

My experience with criminal computer forensics goes back almost as far as yours does, and my experience with expert 
witness testimony in civil court most likely predates the start of your forensics career.

It may be outrageous from your perspective, but there is no doubt in my mind that computer forensic examiners are not 
expert witnesses.

There is no such thing as 'computer forensics' as a field of forensics. It is a misnomer to refer to it as 'forensics' 
in the same way that it is improper to refer to a sworn law enforcement officer as an expert in the field of law.

LEOs possess neither academic background nor work experience in principles or practices of law, as a distinct field of 
skilled human endeavor.

Attorneys, judges and others who are likely to possess true expertise in law are the ones that we rely on for expert 
testimony on the subject of the law, including interpretation thereof, whether that testimony is given before congress, 
for instance, or in court, or on our own behalf when we need legal advice. Anyone who takes legal advice from a cop is 
probably an idiot.

LEOs may possess many hours of work experience in a field of work related to the law, but they are not legal experts 
and the nature of their skilled work cannot ever result in the sort of expertise that would properly qualify a person 
to render expert opinions or give well-informed interpretations or advice in complex legal matters.

The skill that a LEO has with law is the sort of job-oriented skill that a trained computer forensic examiner possesses 
with respect to computers. Knowing how to do what you're told and learning from your mistakes so that you advance in 
your career is fine if you're an honest cop, but that does not qualify a LEO to program computers or prepare them to 
educate a jury or a judge in the truly intricate and technically-complex subject of computer science.

Experience recovering data from all manner of data storage devices does not qualify anyone as a computer expert. 
Ability to operate software that was programmed by somebody else is not expertise as anything other than a computer 

What is outrageous is that we are giving forensic certifications to trained computer operators. Every time a certified 
forensic examiner or an EnCase- or FTK-certified examiner performs an examination, authors a report, and renders flawed 
opinions it is an outrage and an affront to justice and common decency.

Until and unless a person has worked for years as a software engineer, and has studied technical details of information 
security including the creation and exploitation of software bugs to force software to do things that it was never 
designed to do, there is no way that a person can imagine the precise technical implications of the sort of scenarios 
that we encounter in the real world when law enforcement computer examiners and prosecutors collaborate to transform a 
particular bit of data into forensic evidence of guilt to be used against a person who stands accused of a crime.

In 1997 I was offered the opportunity to author the book Foundations of Computer Forensic Science which would have been 
published by John Wiley & Sons.

I refused, on the grounds that such a work required far more expertise to write than I possessed as a result of my mere 
ten years of programming experience.

In the ten years since 1997, I have acquired enough additional experience and skill that authoring such a book today 
would at least not do more harm than good, but still I refuse to author it.

The reason now is that I do not believe there will ever be such a thing as computer forensic science, and anyone who 
claims otherwise is an idiot.

My excuse for continuing to use the term 'computer forensics' in certain marketing literature and conversation, or even 
when giving expert testimony, is that this phrase has a non-technical meaning to laypersons (including to judges and 
attorneys) and it is possible to possess expertise enough to know what people who claim to be computer forensic 
examiners are actually doing.

Just because I have no other way to communicate the fact that I have experience with 'computer forensics' and just 
because I do work in 'computer forensics' does not mean that I am advocating its existence as a legitimate field of 
forensic science by using the term out of necessity. It is clearly neither forensic nor science.

Frankly, I would prefer that the industry pick a different name for itself. My suggestion, some years ago, was 
'computer investigations' rather than 'computer forensics' and I wanted all of you to be referred to as 'computer 
investigators' -- go get your private investigators' licenses if you intend to do this sort of work. Be a hi-tech 
sleuth if that makes you happy. It would make me happy for you.

But what are the chances that everyone will listen to my ideas on the subject, now that I have willingly passed up the 
opportunity to be considered one of the founders of 'computer forensics' by having written the first Foundations Of 
book on the subject?

I would like to invite you, and anyone else on this law enforcement-only mailing list, to review the Maricopa County 
Attorney's 92-page forensic report on the Matt Bandy case and tell me how anyone who knows anything about so-called 
'computer forensics' can ever write the following statements:

'The viruses relate to spyware and adaware. They are not back door Trojans.' (bandy_case_20070107.pdf page 10)


'The virus "instsrv.exe" is the "bargain buddy" adware program which is not capable of remotely controlling a 
computer.' (bandy_case_20070107.pdf page 11)

At this very moment I am in control of thousands of other people's computers via software that is not considered to be 
a 'back door Trojan' -- how many certified computer forensic examiners have this sort of real-world experience?

Nobody who understands how software is written and disseminated would ever say such things as the excerpts above from 
the Bandy forensic report, at least not if they are making any attempt to be precise, scientific, and objective.

Instead of explaining exactly how it might have been possible in the past for an intruder to have taken control of Matt 
Bandy's computer, even by way of the adware that was found to have persistently infected it, the law enforcement 
computer forensic examiner in the Bandy case did as every such examiner always does: they ignored all of the real-world 
possibility as though they truly believed that it was impossible for anyone other than Matt Bandy to have controlled 
Bandy's Windows computer.

The proper computer scientific explanation of how such remote control would have been accomplished, together with 
demonstrations showing how it could be accomplished similarly today, would in no way have diminished the fact that it 
was very unlikely that anyone other than Matt Bandy was responsible for the contraband in question.

However, instead of telling the whole truth and nothing but the truth, Maricopa County insists on doing what every 
other jurisdiction across the country is doing: perpetrate an outrageous fraud by positioning certified 'forensic 
experts' (who are frequently also sworn LEOs) to tell lies about how computers work in order to convince the jury that 
there is no doubt that the person who stands accused is guilty as charged.

Computer forensics, in practice today, is a lot like DNA fingerprinting technology and DNA forensics would be if its 
trained criminologists and lab technicians were to ignore all possible exculpatory explanations for genetic material to 
be present at a crime scene so they could focus only on pointing the finger at the accused just because a gel 
electrophoresis assay showed assay-labeled DNA fragments in the right places to match up with the suspect. Such 
behavior would obviously be against common sense and forensic experts would be tarred-and-feathered by angry mobs if 
they started getting on the witness stand and proclaiming 'this DNA evidence is the hand of God pointing the finger at 
the defendant' in cases where the defendant's DNA is found to have been located in some mundane place such as on their 
very own toothbrush.

Unfortunately, computer forensics is able to deceive just about everyone because only the minority of computer 
programmers truly understand how software is written and how it executes on a microprocessor, along with comprehending 
the real-world chaos that has resulted from decades of programming effort by people of varying skill levels, most of 
whom never needed to understand computers in depth in order to write software and have a productive and economic career.

It is for this reason, the scale of the resulting decades of programming chaos created under the influence of the free 
market drive for profits, that software bugs and information security vulnerabilities are rampant in every computing 
platform and every software product, including EnCase and FTK or any other software used in computer forensics.

Computer forensics testimony from law enforcement always contains the sort of outrageously absurd mistakes like those 
Bandy excerpts above. This fact alone makes computer forensics worse than unreliable, it makes the whole computer 
forensics industry nothing short of a continuing criminal enterprise. Though one does wonder whether it is very 

Computer forensics professionals should be prosecuted to the fullest extent possible under law for the outrageous and 
damaging things they are doing to other people's lives by their act of pretending to be capable of discovering proof of 
things they clearly do not comprehend in the first place.

Computer forensics must be removed from court. Use it for investigations and when the limits of usefulness of computer 
forensics is reached, go do some electronic intercepts and conventional investigations to fill in the missing pieces of 
the case against the suspect.

To do anything else is uncivilized.

(Please forward my email to the IACIS mailing list, as I am not a subscriber)


Jason Coombs
jasonc () science org

P.S. No, I had nothing at all to do with the Matt Bandy case. Observant investigators may note that my dad wrote a 
silly manifesto about child pornography and computer forensics that the Bandy supporters reproduced on Justice4Matt.com 
-- let me just say that my dad is a better artist than he is a computer forensic examiner, but he does have a lot of 
professional experience and his clients value him for the same reasons your clients, or your government employers, 
value you: he works hard, knows how to operate a computer, and he produces something. That's all I have to say about 

Sent from my Verizon Wireless BlackBerry
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
