Re: [sleuthkit-users] Tool acceptance (was RE: Sleuthkit install problem)
From: Angus M. <an...@n-...> - 2004-05-27 20:59:11
On Thursday 27 May 2004 21:44, Chris Poldervaart wrote:
> So what it boils back down to is that you have to be comfortable with your
> own techniques, methodology, and equipment (through personal validation,
> experience, and overall knowledge of the tools you use). When you get on
> the stand...and you will...you will have the appropriate information to
> convince a judge or jury that 1) you are capable and credible 2) your
> equipment is capable 3) your methods are sound 4) and because of all of
> that, the evidence presented on your behalf is credible, accurate,
> unbiased, and in its true form.
>
> Unfortunately I see law enforcement officers buy a one-stop forensic tool
> such as EnCase (and that is NOT a problem by any means) and with very
> little to no knowledge of what they are doing, put together a case and
> present it for prosecution. They don't know how the program works (not
> that they necessarily should know EVERYTHING) and if challenged...only pray
> that the judge, jury, and defense know less than they do so they dazzle
> them with big words.

Absolutely - and that's what makes working as a defence expert so interesting.
I learn a lot about what I should be doing in my prosecution work from the
holes I find in other people's prosecution work when I act as a defence expert.

> I don't know everything by far...but I practice
> self-validation, and I try and learn everything I can about the methods I
> use. I am not new to forensics...but I am new to Linux forensics, hence my
> recent experience with TSK. I see a lot of potential in this area. Knowing
> what others have already validated and tested helps shorten the learning
> curve. Knowing what others have been called on the carpet with (where
> their methods have failed the reliability and credibility test--whatever
> that is) also helps.

Who said "the wise man knows that he does not know"?

>
> --
> Regards,
>
> Chris Poldervaart, Investigator
> Natrona County Sheriff's Office
> 201 N David St Casper, WY 82601
> 307-235-9282 po...@na...
>
> -----Original Message-----
> From: sle...@li...
> [mailto:sle...@li...]On Behalf Of Angus Marshall
> Sent: Thursday, May 27, 2004 2:17 PM
> To: Brian Carrier
> Cc: <sle...@li...> <sle...@li...>
> Subject: Re: [sleuthkit-users] Tool acceptance (was RE: Sleuthkit
> install problem)
>
> On Thursday 27 May 2004 15:05, Brian Carrier wrote:
> > On May 27, 2004, at 3:52 AM, Angus Marshall wrote:
> > > As for acceptance - in English and Scots law (two different legal
> > > systems over here), the basic principle is that once a technique has
> > > been accepted by one court in either legal system, it is accepted by
> > > all courts within the same legal system of an equivalent or lower
> > > level (rulings in England have no effect in Scotland and vice-versa).
> > > Thus acceptance in Crown Court implies acceptance in Magistrates
> > > court too. It doesn't mean that the results or the technique were
> > > correct, but that the court accepts them as valid.
> >
> > But how does one show that the results are valid when there are no
> > standards to compare it with? You can show that the same result can be
> > found with tool X, which is already accepted, but on what basis was the
> > first tool accepted? Take NTFS for example. There is no official
> > specification for it and every tool may be using a different technique.
> > Does that matter when it comes to court acceptance?
>
> That's my whole point - in an adversarial system there is no concept of
> absolute proof or correctness. Ultimately, it comes down to which side has
> the more believable witness, therefore most of the work, in court, for an
> expert witness is about proving their expertise before going on to discuss
> the evidence itself. By accepting the expert, the court accepts his/her
> opinions and practices as used in the case. Law in a courtroom is all about
> precedents and interpretations of legislation.