Fw: [IACIS-L] Statement by Defense Expert
From: "Jason Coombs" <jasonc () science org>
Date: Wed, 6 Jun 2007 04:36:08 +0000
Sent from my Verizon Wireless BlackBerry
From: "Jason Coombs" <jasonc () science org>
Date: Wed, 6 Jun 2007 04:13:33
To: dave () davekleiman com
Cc: iacis-l () cops org, az_core () hotmail com
Subject: RE: [IACIS-L] Statement by Defense Expert
Dave_on_the_run <dave () davekleiman com> wrote:
> Is your D expert by any chance Jason Coombs? That is a typical statement by him. I have an entire public dialogue
> from him on various security lists where he makes many outrageous claims similar to that.
Are you aware that your comment, above, has been reproduced by the Maricopa County Attorney in a 92-page document that
details the completely absurd statements that were made by Tami Loehrs in the Matt Bandy case? See
Your statement has been used as part of this publication in an effort to discredit Ms. Loehrs, and to respond formally
to the deceptive and manipulative tactics of the Bandy family as they waged a political war to 'defend' their son,
Matt, so that he would not be required to register as a sex offender.
As you may know, the television program 20/20 did a story about the Bandy case, and it reportedly failed to present the
prosecution side of the story. I have not seen it, personally.
I would be glad to discuss in detail anything at all that I have written or spoken that you or others deem to be
My experience with criminal computer forensics goes back almost as far as yours does, and my experience with expert
witness testimony in civil court most likely predates the start of your forensics career.
It may be outrageous from your perspective, but there is no doubt in my mind that computer forensic examiners are not
There is no such thing as 'computer forensics' as a field of forensics. It is a misnomer to refer to it as 'forensics'
in the same way that it is improper to refer to a sworn law enforcement officer as an expert in the field of law.
LEOs possess neither academic background nor work experience in principles or practices of law, as a distinct field of
skilled human endeavor.
Attorneys, judges and others who are likely to possess true expertise in law are the ones that we rely on for expert
testimony on the subject of the law, including interpretation thereof, whether that testimony is given before congress,
for instance, or in court, or on our own behalf when we need legal advice. Anyone who takes legal advice from a cop is
probably an idiot.
LEOs may possess many hours of work experience in a field of work related to the law, but they are not legal experts
and the nature of their skilled work cannot ever result in the sort of expertise that would properly qualify a person
to render expert opinions or give well-informed interpretations or advice in complex legal matters.
The skill that a LEO has with law is the sort of job-oriented skill that a trained computer forensic examiner possesses
with respect to computers. Knowing how to do what you're told and learning from your mistakes so that you advance in
your career is fine if you're an honest cop, but that does not qualify a LEO to program computers or prepare them to
educate a jury or a judge in the truly intricate and technically-complex subject of computer science.
Experience recovering data from all manner of data storage devices does not qualify anyone as a computer expert.
Ability to operate software that was programmed by somebody else is not expertise as anything other than a computer
What is outrageous is that we are giving forensic certifications to trained computer operators. Every time a certified
forensic examiner or an EnCase- or FTK-certified examiner performs an examination, authors a report, and renders flawed
opinions, it is an outrage and an affront to justice and common decency.
Until and unless a person has worked for years as a software engineer, and has studied technical details of information
security including the creation and exploitation of software bugs to force software to do things that it was never
designed to do, there is no way that a person can imagine the precise technical implications of the sort of scenarios
that we encounter in the real world when law enforcement computer examiners and prosecutors collaborate to transform a
particular bit of data into forensic evidence of guilt to be used against a person who stands accused of a crime.
In 1997 I was offered the opportunity to author the book Foundations of Computer Forensic Science, which would have been
published by John Wiley & Sons.
I refused, on the grounds that such a work required far more expertise to write than I possessed as a result of my mere
ten years of programming experience.
In the ten years since 1997, I have acquired enough additional experience and skill that authoring such a book today
would at least not do more harm than good, but still I refuse to author it.
The reason now is that I do not believe there will ever be such a thing as computer forensic science, and anyone who
claims otherwise is an idiot.
My excuse for continuing to use the term 'computer forensics' in certain marketing literature and conversation, or even
when giving expert testimony, is that this phrase has a non-technical meaning to laypersons (including to judges and
attorneys) and it is possible to possess expertise enough to know what people who claim to be computer forensic
examiners are actually doing.
Just because I have no other way to communicate the fact that I have experience with 'computer forensics' and just
because I do work in 'computer forensics' does not mean that I am advocating its existence as a legitimate field of
forensic science by using the term out of necessity. It is clearly neither forensic nor science.
Frankly, I would prefer that the industry pick a different name for itself. My suggestion, some years ago, was
'computer investigations' rather than 'computer forensics' and I wanted all of you to be referred to as 'computer
investigators' -- go get your private investigators' licenses if you intend to do this sort of work. Be a hi-tech
sleuth if that makes you happy. It would make me happy for you.
But what are the chances that everyone will listen to my ideas on the subject, now that I have willingly passed up the
opportunity to be considered one of the founders of 'computer forensics' by having written the first Foundations Of
book on the subject?
I would like to invite you, and anyone else on this law enforcement-only mailing list, to review the Maricopa County
Attorney's 92-page forensic report on the Matt Bandy case and tell me how anyone who knows anything about so-called
'computer forensics' can ever write the following statements:
'The viruses relate to spyware and adaware. They are not back door Trojans.' (bandy_case_20070107.pdf page 10)
'The virus "instsrv.exe" is the "bargain buddy" adware program which is not capable of remotely controlling a
computer.' (bandy_case_20070107.pdf page 11)
At this very moment I am in control of thousands of other people's computers via software that is not considered to be
a 'back door Trojan' -- how many certified computer forensic examiners have this sort of real-world experience?
Nobody who understands how software is written and disseminated would ever say such things as the excerpts above from
the Bandy forensic report, at least not if they are making any attempt to be precise, scientific, and objective.
Instead of explaining exactly how it might have been possible in the past for an intruder to have taken control of Matt
Bandy's computer, even by way of the adware that was found to have persistently infected it, the law enforcement
computer forensic examiner in the Bandy case did as every such examiner always does: they ignored all of the real-world
possibility as though they truly believed that it was impossible for anyone other than Matt Bandy to have controlled
Bandy's Windows computer.
The proper computer scientific explanation of how such remote control would have been accomplished, together with
demonstrations showing how it could be accomplished similarly today, would in no way have diminished the fact that it
was very unlikely that anyone other than Matt Bandy was responsible for the contraband in question.
However, instead of telling the whole truth and nothing but the truth, Maricopa County insists on doing what every
other jurisdiction across the country is doing: perpetrate an outrageous fraud by positioning certified 'forensic
experts' (who are frequently also sworn LEOs) to tell lies about how computers work in order to convince the jury that
there is no doubt that the person who stands accused is guilty as charged.
Computer forensics, in practice today, is a lot like DNA fingerprinting technology and DNA forensics would be if its
trained criminologists and lab technicians were to ignore all possible exculpatory explanations for genetic material to
be present at a crime scene so they could focus only on pointing the finger at the accused just because a gel
electrophoresis assay showed assay-labeled DNA fragments in the right places to match up with the suspect. Such
behavior would obviously be against common sense and forensic experts would be tarred-and-feathered by angry mobs if
they started getting on the witness stand and proclaiming 'this DNA evidence is the hand of God pointing the finger at
the defendant' in cases where the defendant's DNA is found to have been located in some mundane place such as on their
very own toothbrush.
Unfortunately, computer forensics is able to deceive just about everyone because only the minority of computer
programmers truly understand how software is written and how it executes on a microprocessor, along with comprehending
the real-world chaos that has resulted from decades of programming effort by people of varying skill levels, most of
whom never needed to understand computers in depth in order to write software and have a productive and economic career.
It is for this reason, the scale of the resulting decades of programming chaos created under the influence of the free
market drive for profits, that software bugs and information security vulnerabilities are rampant in every computing
platform and every software product, including EnCase and FTK or any other software used in computer forensics.
Computer forensics testimony from law enforcement always contains the sort of outrageously absurd mistakes like those
Bandy excerpts above. This fact alone makes computer forensics worse than unreliable, it makes the whole computer
forensics industry nothing short of a continuing criminal enterprise. Though one does wonder whether it is very
Computer forensics professionals should be prosecuted to the fullest extent possible under law for the outrageous and
damaging things they are doing to other people's lives by their act of pretending to be capable of discovering proof of
things they clearly do not comprehend in the first place.
Computer forensics must be removed from court. Use it for investigations and when the limits of usefulness of computer
forensics are reached, go do some electronic intercepts and conventional investigations to fill in the missing pieces of
the case against the suspect.
To do anything else is uncivilized.
(Please forward my email to the IACIS mailing list, as I am not a subscriber)
jasonc () science org
P.S. No, I had nothing at all to do with the Matt Bandy case. Observant investigators may note that my dad wrote a
silly manifesto about child pornography and computer forensics that the Bandy supporters reproduced on Justice4Matt.com
-- let me just say that my dad is a better artist than he is a computer forensic examiner, but he does have a lot of
professional experience and his clients value him for the same reasons your clients, or your government employers,
value you: he works hard, knows how to operate a computer, and he produces something. That's all I have to say about