Category Archives: Digital Forensic Law

RSA 2010 – Digital Forensic Analyst Notebook

Filed under Digital Forensic Law, Evidence Acquisition, Evidence Analysis, Incident Response, Malware Analysis, Memory Analysis, USB Device Analysis, eDiscovery

The RSA Security Conference was held this week in San Francisco. The conference is jam-packed with sessions, whiteboarding events, demonstrations, and more. Here are my observations and interview sound bites. I was covering RSA San Francisco 2010 as a forensic analyst and co-host of The CyberJungle, a weekly live news and talk program on security, privacy, and the law.

Digital forensics is still the non-sexy topic at RSA Security. There were no dedicated forensics tracks at this conference, but computer forensics was mentioned now and then in session talks, although often by the audience more than by the speakers.

Smart Grid Forensics
For example, there was an industry panel on electric smart grid security standards. The panelists in this session did not have forensics on their agenda, but a member of the audience did. Gerry Brown, an independent forensics consultant, took to the mic to question whether the industry is preparing properly for incident response and evidence gathering in the event of a smart-grid related electrical disruption. I caught up with him right after the session. You can listen to that audio interview here; it’s about 7 minutes long.

Christopher Brown gave a purely forensic talk on Thursday afternoon about the challenges of relying upon system time stamps for evidence collection. His talk was very informative, and he is a good speaker. Unfortunately, fewer than 30 people attended the session. The forensics industry might still have a long way to go in making this area of infosec “sexy.” Brown wrote a book on forensic evidence collection entitled “Computer Evidence: Collection & Preservation,” so he is someone who might shed some light on the issues that Gerry Brown brought up. After Chris’ talk, I caught up with him to get his take on the concern Gerry Brown raised in the smart grid session about the challenges in forensic evidence collection as it relates to smart grid incident response. You can listen to that audio interview here; it’s about 7 minutes long.

Mariposa Botnet and Related Forensics
During the RSA Conference there was a major arrest and takedown of a large EU-based botnet called “Mariposa.” Panda Security worked with Spanish law enforcement and researchers at Georgia Tech on incident response and on gathering the information that led to the arrests. The attackers used malware that is very difficult to detect. I interviewed Pedro Bustamante from Panda Security about the very stealthy nature of the malware used by the attackers. Pedro speculated that he might give an in-depth talk at a future conference about this botnet and the related attacks. You can listen to that audio interview here; it’s about 8 minutes long.

Cloud Computing Forensics
There was a dedicated legal session on Cloud Computing, and forensics and eDiscovery were among its topics. Too often executive decision-makers rush in to buy a Cloud Computing solution, focusing only on the monthly savings. The members of this panel strongly recommended that legal and forensics specialists be part of the pre-purchase process. One issue that is rarely raised until after the data has moved into the cloud is data de-duplication: when a cloud provider de-dupes, duplicate copies are collapsed into a single stored instance and the original per-copy metadata is wiped out. This could have a huge negative impact in the event of litigation. Many contracts have no provisions spelling out mutually agreed procedures for incident response for data in the cloud. Too often these items come up long after the contracts are signed, leaving the customer with much less leverage to get the vendor to change procedures.

Cryptome Spying guides as a Digital Forensic Resource

Filed under Computer Forensics, Digital Forensic Law, Evidence Acquisition, eDiscovery

Since December 2009, Cryptome.org has been publishing the legal spying guides of a variety of services and Service Providers. There was publicity this past week when the Microsoft Legal Spying Guide was posted and a DMCA takedown notice was served against the Cryptome domain and its owner, John Young. The DMCA restraint has since been lifted. This blog entry is not intended to defend or decry the DMCA notice. It is intended to provide digital forensic investigators with a resource for the contact information and request process contained in the published guides.

These documents were created to tell law enforcement and other appropriate investigators what a provider can supply and how to request it. The guides were generally considered confidential when distributed; it is not my intent to break the confidentiality of the source or creator, but to assist in digital forensic discovery. Many of these documents are strictly intended for law enforcement and not for corporate investigations. In my opinion, this should not deter the reader from using the contact information provided.

The published documents contain the appropriate process for requests and the detail available from the source. Some links listed are example documents or public-record examples of evidence gathered. The guides/handbooks were originally created and provided for informational purposes to law enforcement and to those making legal requests.

The following sources have been referenced and published from Cryptome.org:

Microsoft – http://cryptome.org//isp-spy/microsoft-spy.zip
Paypal – http://cryptome.org/isp-spy/paypal-spy.zip
MySpace – http://cryptome.org/isp-spy/myspace-spy.pdf
Facebook – http://cryptome.org/isp-spy/comcast-spy.pdf
AOL – http://cryptome.org/isp-spy/aol-spy.pdf
Skype – http://cryptome.org/isp-spy/skype-spy.pdf
Cox Communications – http://cryptome.org/isp-spy/cox-spy.pdf
Ning – http://cryptome.org/isp-spy/ning-spy.pdf
MyYearbook – http://cryptome.org/isp-spy/myyearbook-spy.pdf
Stickam – http://cryptome.org/isp-spy/stickam-spy.pdf
USPS Requests – http://cryptome.org/isp-spy/usps-spy.pdf / http://cryptome.org/isp-spy/usps-spy2.pdf
Cisco – http://cryptome.org/isp-spy/cisco-spy.pdf
3GPP – http://cryptome.org/3gpp/3gpp-spy.htm
ATT – http://cryptome.org/isp-spy/att-spy-doc-01.pdf / http://cryptome.org/isp-spy/att-spy-doc-02.zip
Verizon – http://cryptome.org/isp-spy/verizon-spy.pdf
Sprint CALEA Delivery – http://cryptome.org/isp-spy/sprint-spy2.pdf
Sprint – http://cryptome.org/isp-spy/sprint-spy.zip
Nextel – http://cryptome.org/isp-spy/nextel-spy.pdf
Voicestream – http://cryptome.org/isp-spy/voicestream-spy.zip
Yahoo – http://cryptome.org/isp-spy/yahoo-spy.pdf
SBC-Ameritech – http://cryptome.org/isp-spy/sbc-ameritech-spy.pdf
Ameritech – http://cryptome.org/isp-spy/ameritech-spy.pdf
SBC-LEA – http://cryptome.org/isp-spy/ameritech-spy.pdf
Cingular – http://cryptome.org/isp-spy/cingular-spy.pdf
Cricket – http://cryptome.org/isp-spy/cricket-spy.pdf
Pactel – http://cryptome.org/isp-spy/pactel-spy.pdf
GTE – http://cryptome.org/isp-spy/gte-spy.pdf

There are three key elements found in each guide that assist the investigator when conducting an authorized investigation:

  1. Contact address, phone number, email address and hours of access for the provider’s corporate security or legal compliance group.
  2. What detail can and cannot be delivered by the provider, including the retention period of the data available.
  3. A description of the process and requirements for making a request. What the provider can deliver depends upon the authority behind the request: a statutory or judicial request is handled differently from a law enforcement inquiry, as is a corporation’s legal request.

It should be understood that these requests do not come without cost. The cost to process a request may exceed $10,000 depending upon the request and its duration; some requests cost much less, and some providers do not appear to charge for the service at all.

Many of the guides also include a template or form to use when making a request. It is useful to know these details before an investigation needs them. The same logic of Time Based Security applies to evidence acquisition: the clock is ticking, and the longer the delay, the greater the potential for lost evidence, because the provider’s retention period runs regardless of how long the legal process takes. Knowing the contact and process in advance lets a preservation request go out as soon as the provider is identified, while the formal request is still being prepared.

Steven is the senior member of an IT Security team for a Bio-Pharma company. He has presented to a variety of audiences including SANS, the Midwest Consolidated Security Forum and various local chapters of HTCIA and ISACA. His current focus is Certificate Management, Encryption and Incident Response. With a science degree unrelated to IT, Steven has over 20 years in Information Technology, with the past 13 years in Security. Among various vendor certificates, he has earned his CISSP (#3700), CISA (#153869), GIAC G7799 (#151), GSNA (#2849) Silver and GCFA (#18) Gold certifications.

Public Communications Are Critical to Computer Security Incident Response

Filed under Digital Forensic Law, Incident Response, eDiscovery

Law, Forensics and Public Relations

Historically, IT security and incident response programs did not include much of a public communications component. Enterprises said little about attacks or breaches of security; they quietly focused on defense, investigation and remediation.

Law and politics have changed the game. Since 2003, laws such as California’s Senate Bill 1386 have required data holders to notify affected individuals, and sometimes government authorities, when private data have been compromised. For many private and government organizations, their data security posture has become a subject of keen public interest. Lawsuits and government investigations are becoming more common.

Today, when a security incident happens, public communications can be critical to an effective response.

A high-profile example is Google’s announcement that it was the target of an attack allegedly originating from China. Google views the incident as much more than a technical matter; it sees it in the context of a larger struggle over law, censorship and Internet freedom. On its official blog, the company . . .

Interview: Darrin Jones, Director of New Mexico RCFL

Filed under Computer Forensics, Digital Forensic Law

The Regional Computer Forensics Laboratory (RCFL) Program is a partnership between the FBI and local, state, and federal law enforcement agencies. The Program provides forensics resources and advanced techniques that can be brought to bear on cases being worked by participating agencies. The first RCFL was established in 1999 in San Diego, California. This successful partnership between the FBI and Southern California law enforcement led to fifteen more centers over the following ten years. One of the most recent is in Albuquerque, New Mexico.

Supervisory Special Agent Darrin Jones is the Laboratory Director of the New Mexico RCFL and was key to its establishment. I interviewed him recently to find out more about the Program.

Q:  When and why did you get involved with the RCFL Program?

A:  I’ve been in Albuquerque for about two years; prior to this assignment I worked at Quantico within the FBI’s Operational Technology Division (OTD). The national RCFL program is managed from within OTD, so I’ve been familiar with the program for many years and have always been incredibly impressed with how successful the RCFL program has been. I started trying to get an RCFL in New Mexico almost immediately when I arrived. It’s a long process, usually taking several years from start to finish.

Q:  What does it take to start up a new RCFL?

A: As you would expect, there are many requirements for starting an RCFL. The Director of the FBI makes the final selection from among submitted proposals. I will tell you, though, I believe one of the most important factors is the demonstration of commitment from the proposed partnering agencies. In short, are the partnering agencies, in addition to the executive management of the local FBI office, willing to support the RCFL by detailing their personnel on a full-time basis and through management of the RCFL by participation on the local executive board?

Q:  Do the RCFLs provide the same services, or do they have specialties?

A: All RCFLs are committed to providing examination of digital evidence at the highest possible standards.  Each RCFL handles the types of digital evidence you would expect; computers, cellular telephones, etc.  But, yes, some RCFL locations have developed centers of excellence for dealing with specific types of digital evidence.  For example, if we encounter a particularly complicated case dealing with a niche technology we have the option to exploit the expertise located in another RCFL by requesting their assistance or simply transferring the evidence to that facility for processing.

Q:  What sort of advanced techniques are used at the RCFLs?

A: We do employ sophisticated techniques at the RCFLs; in many cases we use tools that have been developed, tested and validated in-house for exclusive use by the FBI and within the RCFLs. However, I would suggest that what makes the RCFLs so successful is not super sophisticated technologies that may be used occasionally; instead it’s the rigorous adherence to the everyday processing of digital evidence. From the moment an item of evidence enters an RCFL facility it is processed according to strict protocols and requires extremely thorough documentation. Another reason I think the RCFLs have done so well over the years is the training ALL examiners must complete before becoming a certified examiner. This training includes hundreds of hours in both commercial and internal FBI classes at locations all over the United States. A typical RCFL examiner can expect to spend a minimum of 18 months in this training process, and that’s assuming some knowledge coming into the program.

Q:  How can digital forensic analysts get involved with their nearest RCFL?

A: Generally speaking, the RCFLs don’t “hire” anyone; there are exceptions, but normally a person must be detailed to an RCFL by their participating parent law enforcement agency. In New Mexico’s case, examiners will be detailed from the FBI, the Albuquerque Police Department, the Bernalillo County Sheriff’s Office, and the New Mexico State Police.

Q:  I’ve heard there are internships, what are the requirements for participation?

A: Most RCFL internships are managed via FBI Headquarters, for example, FBI Honors Interns (see fbijobs.gov for internship details) are selected via the national process then detailed to a specific RCFL.  However, RCFLs can create localized internship programs.  One of the most exciting things about the New Mexico RCFL is the fact that we are partnering with the University of New Mexico.  There is only one other RCFL in the country to have such a relationship and we anticipate the NMRCFL will be able to offer several different internships to UNM students.  We will be posting more details regarding these internships on the NMRCFL website, hopefully in the next several months.

Q:  Are there any well known cases where the RCFL involvement was key?

A: Yes, there are several readily recognized cases that have hinged on digital evidence processed at RCFLs.  The best thing to do is to take a look at the newsroom link on the national RCFL site, they post new cases there all the time.

References:

Introduction to RCFLs (Last Modified: 04/02/09), http://www.rcfl.gov/downloads/documents/intro_to_RCFLs.doc
National Program web site, http://www.rcfl.gov/
New Mexico RCFL web site, http://www.nmrcfl.org/

John Jarocki, GCFA Silver #2161, is an Information Security Analyst specializing in intrusion detection, forensics, and malware analysis. He also holds GCIA, GCIH, GCFW and GSEC certifications and is the Treasurer of NM InfraGard.

The Death of Computer Forensics (on Web2.0 Sites)

Filed under Digital Forensic Law, Evidence Acquisition

by Jack Bezalel


It is always about some geek wearing old-style clothes, a 3-day beard (for a gentleman) or undone hair (for a lady), glazed eyes, lots of half-eaten pizza remains around, empty beer cans scattered about, and a refrigerator that looks like a dump bucket.

And then a beautiful young client knocks on the door, asking for help in an X-Files type of investigation.

Our geek hero always knows how to get the critical data off the disks, camera phone, printer, remote server, whatever. Our hero knows how to break in, decrypt, analyze, summarize, save the client at the last moment from a crashing car, and drink some more beer (or wine).

Computer crime resolved. End of forensic case.

But these days information lives much more in a new set of locations: Facebook, LinkedIn, Twitter, web hosting sites, wordpress.com and a bunch of other social media sites and services.

“Well,” our hero says, as he swallows another slice of pizza, “it is all out there! All the information is there… anyone can look into Web 2.0 data… that’s the whole thing about Web 2.0…”

Well… I am not so sure about easy, and here is why:

  • People can have many identities
  • Each Web 2.0 service has a separate privacy policy
  • Each Web 2.0 service maintains or backs up data differently
  • It is easier to frame an innocent person using Web 2.0
  • Web 2.0 data changes, moves and morphs all the time
  • Web 2.0 data takes too much space to handle
  • There are traffic limitations when trying to extract data
  • Web 2.0 services are not stable in some cases
  • You are messing not only with the service provider… you could be messing with the community

And on top of all that, imagine how a public computer crime investigation across Web 2.0 properties would look to the Web 2.0 community and providers… they might see it as a major risk to their own well-being and existence…

Nevertheless, Web 2.0 computer forensics against computer crime is a field all of us should look into more carefully.

So what’s your take on this?

(based on my article on the IT Master Mind blog)

Jack Bezalel, GCFA #471, has roughly 25 years of successful experience running IT operations supporting product development, marketing, sales and operations groups. He specializes in the complete life cycle for hundreds of Unix systems (Linux – Red Hat/SuSE and more, Solaris, HP-UX, AIX and more), Windows platforms and Novell.

Is MSFT Serious About Its $250k Conficker Reward?

Filed under Digital Forensic Law, Evidence Acquisition, Incident Response, Malware Analysis, Windows IR

by Ira Victor

A few days ago, Microsoft made a big announcement about a $250,000 bounty to help catch the creators of the Conficker Worm. I covered that bounty story in Data Security Podcast Episode #40. The only problem: Microsoft apparently didn’t tell anyone WHO to contact if you are a successful bounty hunter and have quality information from your investigation or incident response process.

According to the Microsoft’s press release, “Microsoft Corp. announced a partnership with technology industry leaders and academia to implement a coordinated, global response to the Conficker (aka Downadup) worm… Microsoft also announced a $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code…”

And the press release goes on about how important it is for the security community to work together to fight these attacks. There are quotes from ICANN and a link to where one can get information about the Conficker worm. There is even a blurb about Microsoft’s past efforts in putting up bounties to catch bad guys. And the worldwide press has picked up this sexy story, since the bounty is payable to anyone, anywhere, due to international law and the global scope of this and similar attacks.

The press release even gives links that one can follow to get Microsoft’s suggestions for protection from Conficker and general “stay safe online” tips. There are even links to getting more information about the big software company based in Redmond, just in case you were wondering who this company Microsoft is.

But, here is the rub: There is no contact information provided for the would-be bounty hunter. Not a name, not an email address, not a web site, not even a name for the posse of supporters that have been assembled in the name of catching these malware writing varmints.

What part of customer service does Microsoft not understand?

I did a number of web searches, and read numerous press accounts of this bounty. But not one that I read gives any information on WHERE and HOW a bounty hunter collects his reward. Has journalism become so sloppy that the WHERE and the HOW is no longer asked by a reporter?

I invite any reader of this column to locate the information to help all those would-be bounty hunters. If you find it, let me know the information by posting it at DataSecurityPodcast.com, and the source of your research results.

Ira Victor, GCFA #2737, is an information security specialist, a sought-after expert on privacy and security, and Director of the Compliance Practice with Data Clone Labs, a Nevada-based information security and compliance firm.

Law Is Not A Science: Admissibility of Computer Evidence and MD5 Hashes

Filed under Computer Forensics, Digital Forensic Law, eDiscovery

Another day… another hashing discussion:

On the SANS GIAC Alumni list the other day, the question popped up from one of the individuals on the list:

“I’m assuming that this group has had the pleasure to consume the latest research focused on MD5 hash collisions. Discussions about hash collisions seem to carry the same energy as religion and politics. My question is regarding digital evidence and the use of MD5 hashes to establish digital evidence integrity. The use of hashes to ensure digital evidence integrity has legal precedent. However, as more research companies introduce concerns related to MD5 hashes, the courts will at some point no longer consider this a valid technology to ensure integrity.

Has anyone heard of a successful attempt to dismiss evidence due to concerns that MD5 is no longer considered tamper proof?”

This topic pops up from time to time in our Computer Forensics classes at SANS (er… pretty much every time…)

The answer:

First off, as of today, using the MD5 algorithm to hash digital evidence is completely acceptable for forensic work.

You can use additional hashing algorithms, but honestly, choose whichever you feel is best. As long as you hash the evidence you are fine, and your evidence will usually see its day in court. Recording a second digest such as SHA-256 alongside MD5 costs nothing at acquisition time and answers the collision argument before it is raised.

Why?

First off, admissibility guidelines do not differentiate between physical and electronic evidence. The Federal Rules of Evidence (FRE Rules 901 and 902) govern authentication of evidence for admissibility (http://federalevidence.com/advisory-committee-notes). Nowhere do they state that electronic evidence will be treated differently from physical evidence for authentication purposes.

  • Could you get electronic evidence admitted without hashing? Yep.
  • Will hashing help the admissibility of my evidence? Certainly, but it is not legally required.
  • What if someone brings up collisions in court? Again, this is usually an attempt to confuse the jury. But you can turn it around by pointing out that it is more likely that, before showing up for jury duty, all the jurors randomly picked the same 7 numbers in the Powerball lottery and won; that has a much greater chance of happening than a naturally occurring (accidental) collision between two pieces of evidence. (Thanks to Scott Moulton for that great analogy.) With folks being prosecuted on partial fingerprint matches or eyewitness testimony from a guy driving by in a car at 30 MPH, do we really think this is a show stopper for courts?
  • Interesting, Rob, but does anyone with legal credentials back up what you are telling us? Yes: Richard Salgado, our own author and senior instructor for Computer Forensics at SANS, wrote a wonderful paper on the topic several years ago for the Harvard Law Review Forum (http://www.harvardlawreview.org/forum/issues/119/dec05/salgado.pdf) that states “…there is more than reasonable assurance that two different inputs will not have the same hash value.” (see footnotes 7 & 8)
  • If hashing is not legally required to prove authenticity, why do we use hashing, chain of custody, and proper storage of evidence in case of pending litigation? Two point five reasons:

1.  Expert Witness:

Best practices are tested if you are deposed as an expert. Hashing (in any form) is considered a best practice for digital forensic practitioners. If you take yourself seriously in this line of work and do not perform any type of hashing, you open yourself up to a cross-examination as an expert that would not be fun to sit through. “The court is called upon to reject testimony that is based upon premises lacking any significant support and acceptance within the scientific community” (http://federalevidence.com/advisory-committee-notes#Rule702). If you would like your testimony to carry greater weight, HASH. ’Nuff said.

2.  Tampering.

Tampering can only be raised if opposing counsel has a strong argument that the evidence was deliberately modified. It cannot be raised simply because the evidence is digital and easily modified; the opposing side has to show that it happened. The burden is on the side claiming tampering, not the side entering the evidence (see http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm and search for “Authenticity and the Alteration of Computer Records“). With hashing (even with an algorithm such as MD5), you reduce the chance that someone will credibly claim the evidence was tampered with, because you can show that it has not changed over time. For that purpose a collision is not the issue at all: what matters is that you get the same hash every time you recalculate it against the evidence.

Why is MD5 still OK? From the cited website: “The existence of an air-tight security system [to prevent tampering] is not, however, a prerequisite to the admissibility of computer printouts. If such a prerequisite did exist, it would become virtually impossible to admit computer-generated records; the party opposing admission would have to show only that a better security system was feasible.”

One last thought from Eoghan Casey on this topic: “On May 24, 2006, the DFRWS posted a challenge asking for anyone to produce actual files (or evidence) that have produced a collision and nobody has succeeded yet!”
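To make points 1 and 2 concrete, here is an added example of the practice they describe; it is my illustration for this post, not code from the original discussion or from SANS. At acquisition, every item is hashed with more than one algorithm in a single pass and the digests are written into a manifest that travels with the chain-of-custody paperwork; at any later hand-off, the digests are recomputed and compared, so "it has not changed over time" becomes a repeatable check rather than an assertion. The item names and contents are constructed sample data, and the last function computes the birthday bound for an accidental collision among n distinct items, which is the "naturally occurring" collision the Powerball analogy is about.

```python
"""Evidence hashing manifest: record digests at acquisition, re-verify later.
Added example for this post; item names and contents below are constructed."""
from __future__ import annotations

import hashlib
import io
import json
import math
from typing import BinaryIO

# MD5 for continuity with existing tooling, SHA-256 alongside it, so a later
# challenge to MD5 never forces re-acquisition just to obtain a second digest.
ALGORITHMS = ("md5", "sha256")
CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-gigabyte images


def hash_stream(stream: BinaryIO, algorithms=ALGORITHMS) -> dict[str, str]:
    """Read the stream once and return {algorithm: hex digest} for each algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while chunk := stream.read(CHUNK):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes, algorithms=ALGORITHMS) -> dict[str, str]:
    """Convenience wrapper for in-memory data (tests and small artifacts)."""
    return hash_stream(io.BytesIO(data), algorithms)


def build_manifest(items: dict[str, bytes]) -> str:
    """Serialize {item name: digests} as JSON; this goes into the custody record."""
    manifest = {name: hash_bytes(data) for name, data in items.items()}
    return json.dumps(manifest, indent=2, sort_keys=True)


def verify_manifest(manifest_json: str, items: dict[str, bytes]) -> dict[str, bool]:
    """Recompute every recorded digest; an item passes only if all algorithms match.
    A missing item is reported as a failure rather than silently skipped."""
    recorded = json.loads(manifest_json)
    results: dict[str, bool] = {}
    for name, digests in recorded.items():
        if name not in items:
            results[name] = False
            continue
        current = hash_bytes(items[name], tuple(digests))
        results[name] = all(current[alg] == value for alg, value in digests.items())
    return results


def accidental_collision_probability(n_items: int, bits: int = 128) -> float:
    """Birthday bound: chance that any two of n_items distinct inputs share a
    digest by accident. This is the 'naturally occurring' collision; a
    deliberately constructed collision is a separate question."""
    return math.comb(n_items, 2) / 2 ** bits


if __name__ == "__main__":
    # Constructed stand-ins for acquired items; real use would open image files.
    evidence = {
        "laptop-sda.dd": b"\x00" * 4096 + b"NTFS    " + b"\xaa" * 2_000_000,
        "mail.pst": b"!BDN" + b"\x21" * 512,
    }
    manifest = build_manifest(evidence)
    print(manifest)
    print("verify unchanged:", verify_manifest(manifest, evidence))
    # Flip one byte of the image: both digests change and the item fails.
    tampered = dict(evidence)
    tampered["laptop-sda.dd"] = evidence["laptop-sda.dd"][:-1] + b"\xab"
    print("verify tampered:", verify_manifest(manifest, tampered))
    print("accidental 128-bit collision among 1e6 items:",
          accidental_collision_probability(1_000_000, 128))
```

Run verify_manifest each time the evidence changes hands and file the output with the custody log; a mismatch in either algorithm is the signal, and because both digests were captured at acquisition, a later attack on MD5 alone does not touch the SHA-256 record of the same bytes.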

2.5. Law Is Not A Science:

I tell students this regularly…  We (you and I) are technical.  We grew up loving math.  We feel that if we add 1+1 we will always get 2.  This is why it is a science.  1+1=2 Repeatable. 1+1=2 Satisfying.  Feels good doesn’t it? 1+1=2

Well, let’s take that same formula from our nice scientific world and put it in the legal world.

Court 1: 1+1=2

Court 2: 1+1=2

Court 3: 1+1=3

See what happened there? We ended up with some bizarre result. This drives us crazy. Well, in reality, this is not exactly what happens. What does happen? If you take the SAME evidence, the SAME analysis, the SAME conclusions and drop them into TEN separate courts, you will probably end up with the same verdict 9 times out of 10.

HOWEVER, (comma, space, pause for additional dramatic effect) there is always at least one jury/judge that will think differently and rule the other way given the SAME evidence, arguments, and testimony. We need to realize that we cannot force our mindset onto a system that is not a science, but rather an art. As a result, like the core question about MD5 hashing, we think we need to “fix” the courts or come up with a system that is fail-proof.

In the instances where MD5 is attacked in court and subsequently not used for authentication, we can point to a variety of reasons. In the several cases my peers and I have reviewed, it appeared that the prosecution failed to produce an expert to discuss hashing. Generally all the expert would need to do is discuss the true likelihood of a collision, which is far smaller than the chance of a false match with DNA evidence. The question isn’t whether the hashing standard has a fault, but whether it is GOOD enough… 1+1=3. DNA analysis, fingerprinting, and eyewitness testimony all have their faults, but are they good enough to convict? YEP. Have criminals been let off because the prosecution could not produce a DNA expert to discuss the likelihood of a false positive? Even worse, sometimes the judge/jury listens to the explanation and still rejects it. You don’t have to dig far to find cases where individuals are not convicted despite compelling scientific evidence to the contrary. 1+1=3

And here is the kicker… even though one or two courts rule against scientific facts such as DNA evidence (or countless others), it does not set a precedent that invalidates DNA evidence from here to the end of time.

So…  what do the lawyers think?

The best way to see why law and science do not mix well is to view it from a lawyer’s perspective. This is an excerpt from one of my favorite legal blogs, written by Ralph Losey, who also has a wonderful book called e-Discovery: Current Trends and Cases (worth a read if you deal with litigation and work in IT). It is a rather long blog entry, but read it if you have the time. It doesn’t directly discuss MD5 hashing, but you will see why a debate about whether MD5 hashing is admissible given collisions probably drives the lawyers crazy, just as it drives us crazy when we end up with 1+1=3 in their world.

From the blog: (http://ralphlosey.wordpress.com/2008/08/24/tech-v-law-a-plea-for-mutual-respect/)

…the practice of law is an art, not a science, and the human element can never be replaced by technology.

Unlike computer code, the rules of law are malleable and there are always exceptions. This in turn is one of the key reasons the two cultures of Law and IT have such a hard time understanding one another. It is also the reason a few inexperienced engineer types are delusionary and arrogant enough to think that e-discovery can be “fixed” with the right software algorithms. It cannot because law is not a science, it is far too complex and chaotic for that. Or if it is a science, it is more like Quantum Physics, where electrons are unpredictable and can be in two places at once, not the orderly world of Newtonian Science that most engineers live in.

Yes, there are many computer programs that can be used as effective tools in the pursuit of justice. We lawyers need to wake up to that fact. But so too do the technologists who think the right software alone will fix everything. The human element is key in Law which is one reason that training is so important.

Rob Lee – (rlee@sans.org)

Rob Lee is a Principal Consultant for MANDIANT, a leading provider of information security consulting services and software to Fortune 500 organizations and the U.S. Government. Rob has over 12 years of experience in computer forensics, vulnerability discovery, intrusion detection and incident response. Rob is the lead course author and faculty fellow for the computer forensic courses at the SANS Institute.