Comments on CYB3RCRIM3: Best Evidence Rule and Digital Copies
Susan Brenner (http://www.blogger.com/profile/17575138839291052258)
Feed updated 2023-12-12T03:19:42.467-05:00

Anonymous, 2010-06-25T13:45:40.360-04:00

Professor Don said:
>>
Actually most forensic software (Encase in particular) uses hash keys and other checks that verify the copy is identical to the original.
>>

This is not technically accurate. EnCase never compares the content of a forensic image back to the "original" hard drive. You can imagine this is impossible where there are read errors on the original media and EnCase has replaced the bad data with \x00. There is no way to compare \x00 in the forensic image to the bad data on the original drive. What EnCase verification means is the content of the image has not changed since it was written. EnCase only compares the current content of the image to what EnCase initially wrote into the image. So if there are no read errors, what EnCase initially wrote into the image matched what was on the original drive (NIST testing has confirmed this). But where there are read errors on the original drive, what EnCase writes is \x00 (in compliance with NIST standards).

An EnCase verification process only compares what is currently in the image to what EnCase wrote initially. It never ever compares back to the original media - nor could it because of the possibility of read errors.

Perhaps a minor point, but in technical matters, sometimes minor is critical.

Karen Sweetland (https://www.blogger.com/profile/12469350293329378381), 2010-06-25T13:40:22.572-04:00

@Professor Don -
As I recall, technically the hashing function in EnCase is verifying that 'what it read is what it wrote,' not that it wrote what was on the hard drive with 100% precision. I believe this is why an image can have read errors and still verify. I'm admittedly a little rusty.

What if the original computer was booted by someone after the bit-stream image was created by Ms. Scott? I would argue at that point the image *became* the best evidence. Surely if someone used the defendant's computer between the time it was seized and the time of the trial, and deleted all relevant pornographic images, one could not argue that this is 'best evidence...'?

Sure the whole argument is a hail mary, but it is interesting.

Anonymous, 2010-06-25T10:58:44.956-04:00

If the defense argument was upheld by the courts, the implications could have been far reaching. Would the camera's memory card need to be presented as the original version of a crime scene photograph?

Professor Don (https://www.blogger.com/profile/16267677947700230734), 2010-06-23T19:42:02.545-04:00

Great point about a copy being identical.

Here's the difference. The original is what the defendant possessed. It must be secured and protected with a chain of custody. It should never be subjected to a forensic examination because of the fragile nature of digital evidence.

A copy however can be examined and, if something goes wrong, discarded and the process started over.

A good forensic process will prove that the copy is identical to the original at the start and at the end of the examination.

Anonymous, 2010-06-21T03:54:02.051-04:00

If a copy is absolutely identical to the original, is it really a copy?

Anonymous, 2010-06-17T20:28:07.606-04:00

[He] advised the officers that he had 'purchas[ed] memberships to child pornography websites' and that child pornography was stored in 'his computer.' He told them where that computer was located in his house.

He should have just said: please, please lock me up for a very long, long time as I am an idiot.

Professor Don (https://www.blogger.com/profile/16267677947700230734), 2010-06-17T19:31:34.601-04:00

Actually most forensic software (Encase in particular) uses hash keys and other checks that verify the copy is identical to the original.

Good forensic software also insures that the original is not written to by anyone including the operating system. In fact, after making a forensic copy, the original should never be accessed again and should be secured as evidence.

If such protections are used, then there will be no difference between the copies and the original. There should be no problem with using copies as "best evidence" since it can be proven that there is no difference by any interested party.

Charles Jeter (http://www.securingourecity.org/blog/about/about-charles-jeter/), 2010-06-16T17:54:54.606-04:00

It was a really good attack on the chain of custody by the defense counsel... However, there may be enough digital rights legislation which has set precedent about digital media, such as mp3 and FLV files made of original content still holding intellectual property value.

In my layman's terms, it seems to be apples to apples for any jury to understand that if a copy of music or video is considered good enough to take kids to court over, a copy of restricted material would hold the same value, no matter what minor degradation may take place.

@ SeaDrive: The bit for bit copy is the standard set long ago - I've also heard it referred to as able to be validated through a 'binary comparison' to ensure the data is exactly the same as the original set. Variations of storage media, such as hard drive bad sectors may actually cause variation but I've not dived deeply enough into that to comment.

SeaDrive, 2010-06-16T10:28:47.840-04:00

The court said the copies were OK because Ms. Scott said the copies were OK. But if it was a matter of fraud, Ms. Scott was the person in a position to commit the fraud. It seems weak to me to rely on her assertions of good copies. I did not see that there was testimony that the final images were compared visually to images on the hard drive, and it should be easy enough to make the comparison.