
Daily Blog #2: What I wish I knew when I was starting out

(This entry is part of the Daily Blog series! Click Here for the previous entry.)

Howdy Reader,
BTW I'm from Texas, so we say howdy sometimes. Not a lot, mind you, but it's just something fun to say. I'm taking topics to blog about from readers, and Karen Palmer among others submitted some great ideas! One of Karen's questions was 'What do you wish you knew when you first started?' It's a great question and something I hope will help a lot of people get over some basic fears. This will likely be a multipart series as I think about things, but here is the first.

There is no such thing as a 'court approved' tool. No really, seriously, there is absolutely no such thing. Now, courts have accepted the results of several tools, and those tools can now cite case law (meaning past cases) showing them being accepted. What was important in those cases, though, was not the tool but the expert who presented the tool and its results to the court. A tool on its own is not admissible; it requires an expert who is knowledgeable in its operation and can explain its results while answering questions about their meaning.

It is the expert, not the tool, that defines what will be admissible. Now, the Federal Rules of Evidence do specify the guidelines a judge uses to consider what is admissible. For instance, here is a rule that was not written with digital evidence in mind but has been adapted to suit it:

Rule 1003 (http://www.law.cornell.edu/rules/fre/rule_1003)
"A duplicate is admissible to the same extent as the original unless a genuine question is raised about the original’s authenticity or the circumstances make it unfair to admit the duplicate."
If that is not clear to you, any duplicate you create (and a forensic image is by definition a bit-for-bit duplicate of the original evidence) is admissible under Rule 1003, unless a genuine question is raised by either the opposing counsel or the judge.

So why do we have chain of custody? Well, that goes to authenticating the evidence you are looking to get admitted. For a judge looking to determine the admissibility of a challenged forensic image, the decision will be based on your testimony regarding the facts of how it came to be in your possession, what you did with it, and how you know it is what you claim it to be:

Rule 901 (http://www.law.cornell.edu/rules/fre/rule_901)
(a) In General. To satisfy the requirement of authenticating or identifying an item of evidence, the proponent must produce evidence sufficient to support a finding that the item is what the proponent claims it is.

(b) Examples. The following are examples only — not a complete list — of evidence that satisfies the requirement:
(1) Testimony of a Witness with Knowledge. Testimony that an item is what it is claimed to be.

combined with the following, which is detailed in the chain of custody and shows the identifying information of the original evidence you made the forensic image of:

(4) Distinctive Characteristics and the Like. The appearance, contents, substance, internal patterns, or other distinctive characteristics of the item, taken together with all the circumstances.

For the admission of the results of forensic tools, the following applies:

(9) Evidence About a Process or System. Evidence describing a process or system and showing that it produces an accurate result.

A report generated by a tool is admissible under the following:

Rule 1006 (http://www.law.cornell.edu/rules/fre/rule_1006)
"The proponent may use a summary, chart, or calculation to prove the content of voluminous writings, recordings, or photographs that cannot be conveniently examined in court. The proponent must make the originals or duplicates available for examination or copying, or both, by other parties at a reasonable time and place. And the court may order the proponent to produce them in court."
So the report summarizes the findings, for example of the registry or file system, in an understandable form, but other parties are allowed to validate your summary by reviewing the data that was used to produce it.

So there you go: criminal or civil, the rules are the same.

What is important in your evidence's successful admission is not the tool you use, although let's be honest: a well-known tool may be challenged less than an unknown tool. What matters is your ability to explain how the tool works, what you did to create the forensic image from the original evidence, and why it is admissible. So don't restrict your choice of tools to those that others tell you are 'court approved' or that have great marketing; use the tool that you understand best and can describe most thoroughly, so you can feel confident of its admissibility in the face of a challenge.

I will say that tools that offer certifications can be very helpful in showing your training and knowledge of the tool's usage, so if your tool maker provides one, it can't hurt to have it.

Talk to you tomorrow!

(This entry is part of the Daily Blog series! Click Here for the next entry.)
