Re: [sleuthkit-users] RE: Sleuthkit install problem
From: Brian C. <ca...@sl...> - 2004-05-27 05:14:54
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Where does one find out what has been tested and accepted as far as
> linux forensics go?

Where does one find out what has been tested and accepted as far as Windows-based forensics goes? What does it mean to be accepted? What does it mean to not be accepted? What tools are not accepted? (I'm still waiting for someone to start making a list of tools that have been determined to be not accepted.)

> I just installed the 2.6 kernel, and have never thought that its use
> might not be validated as of yet. (Good thing I am still only
> "playing").

This brings up a good point that it is more than just the analysis software that needs to be "tested and validated". All software relies on the operating system, which changes with each service pack and patch. The version of libraries is also important. Is each version of Windows-based software "tested and validated" with each service pack and combination of patches? Is each version of Linux-based software tested with each patch and version of libc?

There are some software companies that focus on court acceptance, but it is not clear (to me at least) what that means. If being accepted is difficult, then what tools have failed to pass the test? Where is the bar? If you look at the Daubert guidelines for entering technical evidence into a US court, I don't think any of the computer forensic tools can currently meet them. Error rates? Published procedures? What does it mean to test a tool for NTFS file systems?

The lack of answers for these questions is partly why I have started to release the test images on dftt.sf.net so that there is some basic concept of tool testing. These images have found bugs in all of the popular Windows-based forensic tools, even though they were "accepted".

I agree with you that in the short run, it could be safer to stick with the Windows-based tools because they have an impressive court record. I understand the concern, but I'm more worried about the bigger picture. If it is not clear where the acceptance bar is, who knows if the currently accepted tools will always be considered accepted?

> People (I) have a tendency to go for the latest and greatest...but
> sometimes it takes years for new practices or systems to become
> accepted by the forensic community.

Maybe. I think it takes a long time for a tool company to be accepted, but when the latest major version comes out, which may have included an entire rewrite of the internal code, people are fairly quick to accept it.

> I don't want to be the guy on the stand explaining why I am the only
> one who uses a particular practice. That may be a little extreme
> since I am aware, and practice, personal validation of tools prior to
> enlisting their use full time. Just humor me a little with some
> ideas. It's easy to pay $2500 for a windows based utility with
> corporate backing and full time courtroom experts who will fly out on
> your behalf for a nominal fee.

I can understand that and if that is what you are looking for, then the commercial tools (including the Linux-based SMART) are probably a better option. I would not phrase the support issue as Linux versus Windows, I would phrase it as free versus commercial. I think that open source tools are the better option in the long run (even if they are commercial). It makes more sense to me that any person with programming and file system experience can read through the code and explain how it works to the court instead of relying on a vendor-sponsored expert.

thanks,
brian

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFAtXlBOK1gLsdFTIsRApSrAJ91zC85Z9fEtcUoDHjuqeMp8HMM/QCfTf1G
22byiZ4fR+n8k2TO/5mGo2w=
=KrNh
-----END PGP SIGNATURE-----