 
RE: Digital forensics of the physical memory

From: Harlan Carvey (keydet89yahoo.com)
Date: Sat Jun 18 2005 - 15:51:48 CDT


George and Ben,

> The original author does at one point use the term "image" to describe
> his evidence collection process. I think that use of this term was
> unfortunate because it invites comparison with classical approaches to
> evidence gathering and standards. It is not possible to "image" a
> reality that is constantly changing.

Could you suggest a suitable term to use?

> A "smear," on the other hand, is a pejorative term which assumes that a
> changing reality cannot therefore be measured accurately.

Perhaps you're correct about the use of the term
"smear"...but how would you go about accurately
measuring the changes that occur during the use of
dd.exe?

[snip]

> One of the things that concern me is that we have an emerging practice
> within the forensic and law enforcement community without any real
> reflection on its theoretical or hermeneutic underpinnings. The absence
> of free and open public reflection and debate on this matter is a
> serious obstacle to computer forensic aspirations of becoming a
> scientific discipline.

Agreed. However, what would you suggest as a remedy to
the situation?

> Conventional forensic doctrine places heavy emphasis on not altering
> evidence during the acquisition process. But it does not explain the
> relationship between this principle and the notion of evidentiary
> reliability as this is understood in forensic science. Aitken and
> Taroni define reliability in the following manner:
>
> "Reliability is the probability of observing strong misleading
> evidence. This is related to the amount of evidence one has. If one
> wishes to improve the reliability of one's evidence then the amount
> collected has to be increased. This is intuitively reasonable." Colin
> Aitken and Franco Taroni, Statistics and the Evaluation of Evidence for
> Forensic Scientists. Second Edition (Chichester 2004), 198.
>
> Reliable evidence is evidence for which the probability of observing
> strong misleading evidence is kept below a certain tolerable level. We
> do not approach this question in the abstract. Rather, we must compare
> the probability of observing strong misleading evidence with physical
> memory to the probability without this analysis. Increasingly the
> scale seems to be tipping in favor of considering this so-called "new"
> evidence.

How would you suggest that we go about this
comparison?

Harlan

------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------