Re: [sleuthkit-users] Autopsy...
From: Grundy B. J T. <Bar...@ti...> - 2014-10-16 14:44:14
Greg's answer is dead on. I would add that 'cross verification' is always a good idea. You can use a primary tool as much as you like. Take your results and verify them with another tool. That does not mean re-running the entire exam. It can be as simple as taking a half dozen data points and comparing the various metadata (allocation and block status, attribution/ownership, temporal data, etc.).

Even then, keep in mind that different tools may show different results. It's explaining these differences (if they exist) that makes your testimony stronger.

Understand the output. Digital forensics is about interpreting results, not simply recovering data. If you trust the output of a tool simply because 'everyone else is using it', then you are dead wrong.

My $.02

/*******************************************
Barry J. Grundy
Assistant Special Agent in Charge
Digital Forensic Support Group
Treasury Inspector General for Tax Administration
(301) 210-8741 (desk)
(202) 527-5778 (cell)
Bar...@ti...
********************************************\

> -----Original Message-----
> From: Greg Freemyer [mailto:gre...@gm...]
> Sent: Thursday, October 16, 2014 9:52 AM
> To: Frederick Haggerty
> Cc: sle...@li... users
> Subject: Re: [sleuthkit-users] Autopsy...
>
> There is no such thing as a court approved tool.
>
> Testifying experts are approved. Their choice of tools reflects on them, but
> even then the tool is the minor player.
>
> For instance many think a Ghost image is unacceptable, but in the hands of
> someone that knows how to use it and explain it, then Ghost Images can be
> used as a tool by a testifying expert.
>
> On the other hand, an untrained person using FTK or EnCase doesn't suddenly
> become an expert just because they use a tool often used by testifying
> experts.
>
> Greg
>
> On Thu, Oct 16, 2014 at 9:26 AM, Frederick Haggerty
> <fre...@gm...> wrote:
> > Hello,
> >
> > I have been using Autopsy (Windows version) for about a year or so and
> > I really enjoy it and I try to stay up-to-date by subscribing to this
> > mailing list. I was hoping to attend the Open Source Digital
> > Forensics Conference in November but due to my schedule I don't think
> > I'll make it but will look to take some Autopsy training in the near future.
> >
> > The question I want to ask the users is regarding using Autopsy on an
> > actual case.
> >
> > Is Autopsy a recommended/allowable tool to use on an actual court case
> > (in the eyes of the courts) if I am requested to help?
> >
> > If such a list exists can someone point me in the direction
> > of court approved tools that could be used?
> >
> > Thanks in advance for all your help.
> >
> > -Frederick
> >
> > _______________________________________________
> > sleuthkit-users mailing list
> > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> > http://www.sleuthkit.org