Re: [sleuthkit-users] Autopsy...
From: Frederick H. <fre...@gm...> - 2014-10-16 14:26:04
Awesome. Thank you so much Mr. Barry.

On Thu, Oct 16, 2014 at 10:07 AM, Grundy Barry J TIGTA <Bar...@ti...> wrote:

> Greg's answer is dead on.
>
> I would add that 'cross verification' is always a good idea. You can use
> a primary tool as much as you like. Take your results and verify them with
> another tool. That does not mean re-running the entire exam. It can be as
> simple as taking a half dozen data points and comparing the various
> metadata (allocation and block status, attribution/ownership, temporal
> data, etc.). Even then, keep in mind that different tools may show
> different results. It's explaining these differences (if they exist) that
> makes your testimony stronger. Understand the output. Digital forensics
> is about interpreting results, not simply recovering data. If you trust
> the output of a tool simply because 'everyone else is using it', then you
> are dead wrong.
>
> My $.02
>
> /*******************************************
> Barry J. Grundy
> Assistant Special Agent in Charge
> Digital Forensic Support Group
> Treasury Inspector General for Tax Administration
> (301) 210-8741 (desk)
> (202) 527-5778 (cell)
> Bar...@ti...
> ********************************************\
>
> > -----Original Message-----
> > From: Greg Freemyer [mailto:gre...@gm...]
> > Sent: Thursday, October 16, 2014 9:52 AM
> > To: Frederick Haggerty
> > Cc: sle...@li... users
> > Subject: Re: [sleuthkit-users] Autopsy...
> >
> > There is no such thing as a court approved tool.
> >
> > Testifying experts are approved. Their choice of tools reflects on them,
> > but even then the tool is the minor player.
> >
> > For instance many think a Ghost image is unacceptable, but in the hands
> > of someone that knows how to use it and explain it, then Ghost Images can
> > be used as a tool by a testifying expert.
> >
> > On the other hand, an untrained person using FTK or EnCase doesn't
> > suddenly become an expert just because they use a tool often used by
> > testifying experts.
> >
> > Greg
> >
> > On Thu, Oct 16, 2014 at 9:26 AM, Frederick Haggerty
> > <fre...@gm...> wrote:
> > > Hello,
> > >
> > > I have been using Autopsy (windows version) for about a year or so and
> > > I really enjoy it and I try to stay up-to-date by subscribing to this
> > > mailing list. I was hoping to attend the Open Source Digital
> > > Forensics Conference in November but due to my schedule I don't think
> > > I'll make it but will look to take some Autopsy training in the near
> > > future.
> > >
> > > The question I want to ask the users is regarding using Autopsy on an
> > > actual case.
> > >
> > > Is Autopsy a recommended/allowable tool to use on an actual court case
> > > (in the eyes of the courts) if I am requested to help?
> > >
> > > If such a list exists can someone point me in the direction
> > > of court approved tools that could be used?
> > >
> > > Thanks in advance for all your help.
> > >
> > > -Frederick
> > >
> > > _______________________________________________
> > > sleuthkit-users mailing list
> > > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> > > http://www.sleuthkit.org