puzzlelasas.blogg.se

Prodiscover basic specs

Last week I used a Windows-based forensic package (probably the market leader) to do some analysis on a disk image. In fact it would be interesting to have a discussion with defence counsel about the reliability of the tools. If defence counsel were to question the reliability of any tool (Linux, Windows, proprietary or OSS) that I use, I would point to the evidence and say something along the lines of "I found piece of evidence X at physical sector(s) Y, if you look at that location with any forensic tool you will find it too". Ultimately the test comes down to this: what piece of evidence you found and where it was on the disk. It doesn't really matter what tool you use (IMHO) as long as it is reliable; one way to determine reliability is to verify with another tool. My experience is that defence counsel don't question the tools, per se. In fact, I can't recall any court case when the tools were even discussed, maybe that is just a UK thing? I think another important thing here is that a pile of bits is a pile of bits, a link file is a link file, a jpeg is a jpeg, as long as your chosen tool correctly reports their state and location of those bits then the antecedents of the tool shouldn't be (and in my experience, aren't) an issue. However, none have shot down a tool just because it does not have a big name. Out here in the sticks we have a couple of very progressive judges that are very receptive and some that are not so. I am sure that in more progressive courts there is more familiarity with different tools. Same thing the first time I used one of Harlan's tools. Same thing on the first case with ProDiscover. When I first used FTK, maybe 5 years ago, both judges and attorneys were only familiar with EnCase, so FTK took some explaining. Subsequent appearances not as lengthy a qualification explanation. The first time you appear before the Court you have to qualify yourself. However this is really no different than qualifying myself.
EnCase has the advantage of name recognition. The only "problem" I ever have with OSS tools is explaining what they are and what they do. So, here's a question… Who HAS had a problem with OSS in court? Can we get a case cite, please? Which beats the heck out of someone using a "commonly accepted tool" and relying on the fact that "it's good 'cause everyone else uses it". We test, we validate, and we cross verify. I know of a number of agencies that do the same. I'm in federal LE, and we use Linux and other OSS tools on a daily basis.


Stumpy- you mention CP cases which I assume head to some sort of trial and you use Linux for examinations, so it looks like you haven't had this problem. It seems to be propagated by an ignorant academic community passing this stuff off as fact to students, or simple FUD. Can someone (anyone) provide some insight into cases where this preference was established in court? In my experience, it does not exist. I've always been curious about where this originates. –Please excuse my lack of experience with the situation but…I was under the impression that the court systems frown upon analysis with Linux tools and tools like EnCase or FTK are more respected.


Do any of your Perl scripts deal specifically with the two main problems that I have (.dbx files and internet history in unallocated space)? On the Windows side it tends to be a case of each process requiring user intervention to get to where you want to be. Obviously in Linux I can script these things out and let it run overnight if necessary. On most child abuse investigations I do, I know that there are certain tasks that I will need to perform on each analysis (internet history, link files, virus scan, file carving from unallocated etc). That whole unix and scripting ethos of taking a big task and breaking it down into simple components and doing those individually is one of the strengths of Linux (IMHO). My main issue with PyFlag is that it is not scriptable.


I have used PyFlag, but I need to spend more time understanding SQL databases and how to search them effectively to get the most out of it. PyFlag provides a great deal of useful tools and functionality, and I've written Perl scripts that are easily ported to the Linux platform… I was wondering what other main issues people find themselves having to switch over to Windows for. dbx files and carving internet history from unallocated are the main things I find myself switching over to a Windows platform for. My preference would be to do all of my cases in Linux, the issues with. Besides what you've mentioned, what else are you interested in?












