RE: [sleuthkit-users] Tool acceptance (was RE: Sleuthkit install problem)
From: Chris P. <po...@na...> - 2004-05-27 20:47:42
So what it boils back down to is that you have to be comfortable with your own techniques, methodology, and equipment (through personal validation, experience, and overall knowledge of the tools you use). When you get on the stand...and you will...you will have the appropriate information to convince a judge or jury that 1) you are capable and credible 2) your equipment is capable 3) your methods are sound 4) and because of all of that, the evidence presented on your behalf is credible, accurate, unbiased, and in its true form.

Unfortunately I see law enforcement officers buy a one-stop forensic tool such as EnCase (and that is NOT a problem by any means) and with very little to no knowledge of what they are doing, put together a case and present it for prosecution. They don't know how the program works (not that they necessarily should know EVERYTHING) and if challenged...only pray that the judge, jury, and defense know less than they do so they dazzle them with big words.

I don't know everything by far...but I practice self-validation, and I try and learn everything I can about the methods I use. I am not new to forensics...but I am new to Linux forensics, hence my recent experience with TSK. I see a lot of potential in this area. Knowing what others have already validated and tested helps shorten the learning curve. Knowing what others have been called on the carpet with (where their methods have failed the reliability and credibility test--whatever that is) also helps.

--
Regards,
Chris Poldervaart, Investigator
Natrona County Sheriff's Office
201 N David St
Casper, WY 82601
307-235-9282
po...@na...

-----Original Message-----
From: sle...@li... [mailto:sle...@li...] On Behalf Of Angus Marshall
Sent: Thursday, May 27, 2004 2:17 PM
To: Brian Carrier
Cc: <sle...@li...> <sle...@li...>
Subject: Re: [sleuthkit-users] Tool acceptance (was RE: Sleuthkit install problem)

On Thursday 27 May 2004 15:05, Brian Carrier wrote:
> On May 27, 2004, at 3:52 AM, Angus Marshall wrote:
> > As for acceptance - in English and Scots law (two different legal
> > systems over here), the basic principle is that once a technique has
> > been accepted by one court in either legal system, it is accepted by
> > all courts within the same legal system of an equivalent or lower
> > level (rulings in England have no effect in Scotland and vice-versa).
> > Thus acceptance in Crown Court implies acceptance in Magistrates
> > court too. It doesn't mean that the results or the technique were
> > correct, but that the court accepts them as valid.
>
> But how does one show that the results are valid when there are no
> standards to compare it with? You can show that the same result can be
> found with tool X, which is already accepted, but on what basis was the
> first tool accepted? Take NTFS for example. There is no official
> specification for it and every tool may be using a different technique.
> Does that matter when it comes to court acceptance?
>

That's my whole point - in an adversarial system there is no concept of absolute proof or correctness. Ultimately, it comes down to which side has the more believable witness, therefore most of the work, in court, for an expert witness is about proving their expertise before going on to discuss the evidence itself. By accepting the expert, the court accepts his/her opinions and practices as used in the case. Law in a courtroom is all about precedents and interpretations of legislation.