Brett's Ramblings
“Forensically Sound”. One of those phrases that is commonly used, misused, unused, and abused.
Disclaimer: This is my opinion, which is not a legal opinion. I call it Brett's Opinion. But along with that, I have identified, seized, analyzed, requested analysis, checked-in/out, transferred/assumed custody, and had entered into court cases thousands of items of evidence from electronic data to brain matter.
This short post is to give my opinion on the use “forensically sound”. The reason I want to mention this is because I witnessed a DF expert state in public that capturing live (volatile) memory is not forensically sound because you can’t reproduce it or enter it as evidence. I think we must be careful about some things we say.
In the most basic sense, any “thing” that is accepted by a court as evidence is forensically sound, since the court accepted the process used and admitted the "thing" as evidence.
We get caught up when performing computer science work in digital forensics and tend to forget that every situation is a bit different from the next situation, in either minor or major ways. The general processes we use are similar for each situation, but of course we vary a little depending on what we come across. The situation we approach dictates how we proceed.
There was a time when pulling the plug on a computer to image the hard drive with a hardware write blocker was the only forensically sound method accepted. Doing it any other way meant you ruined the evidence. This belief persisted for years even after realizing volatile memory is also valuable evidence (sometimes even more valuable than data on the drive). Sure, sometimes you need to pull the plug and sometimes volatile memory has nothing to do with what a specific case may need. That goes to the point of every case being different. For the must-always-use-a-hardware-writeblocker crowd, I’m not sure what they do with the computers that the hard drive cannot be removed for a multitude of reasons. Situation dictates choices.
My point is that we all have best intentions and rely upon generally accepted processes; however, we need to also be aware of what evidence is and what evidence is not. If you can get a ‘thing’ admitted into court that can prove or disprove an allegation, then you have evidence. Forensically sound more aptly applies to the technical processes and methods, but does not really define whether or not a ‘thing’ is evidence or not or that a court will accept it or not.
Another holdover from days past is that of being able to exactly reproduce an analysis in order to be forensically sound. On a hard drive that was shut down when you approached it, imaged through a hardware write blocker, and verified using a software that everyone else uses – easy peasy. On anything else, good luck. Live memory changes as you capture it. Shutting down/pulling the plug on a computer changes the data. Waiting to decide whether or not to shutdown or pull the plug or image live changes the data (it changes as you watch and think about what to do!) A crime lab that tests the content of a drug destroys a portion of the drug that it tests. An autopsy on a body damages and changes the body (as does the passage of time with decomposition). A burning building destroys evidence of the cause of the fire, as does the efforts to put out the fire.
When teaching court admissibility of digital evidence, be careful if you are unsure of what is forensically sound, especially when talking about evidence. You’d be amazed at the types of evidence that can be admitted in a trial along with the evidence that doesn’t. Best answer: do your best with the evidence seizing situation you encounter, admit it as evidence, and let the court decide if it was forensically sound. Personally, I believe anyone working in a job where you look at data should be versed in 'evidence'. Cops have it easy. They deal with it every day until it becomes second nature. For everyone else, a short class in 'what is evidence' can make or break a case later.
Then there is the sliding scale of veracity…but that’s another story.
About the author
Comments
Posts List
Tag Cloud
Search Blog
Most popular posts
DFIR Training
Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.
Even better, support DFIR Training at Patreon and get access to multiple online courses in digital forensics with included ebooks!
More posts
-
The Five Stages of the DFIR Career Grief Cycle
I have been a fan of Craig Ball ever since I met him in a forensic course years ago. I was so impressed with Craig,…
Tuesday September 10
1505 hits / 0 comments
-
Our World is Going to Turn Upside Down with DeepFakes
The short story Any person and their voice, in practically any video (past, present, or future) can have their face and voice digitally replaced with…
Sunday September 01
1555 hits / 0 comments
-
If you are comfortable in DFIR, you might be doing it wrong
I took a 3-day basic forensic course and embarrassingly enough, the instructor (in front of the class), said that I probably know everything in the…
Thursday August 29
1679 hits / 0 comments
-
Everything I Needed to Know about Working in DFIR, I Learned in Boot Camp
You don’t need to experience military life to learn the valuable lessons that are drilled into military recruits. In fact, you can probably enjoy the…
Saturday August 17
2318 hits / 0 comments
-
Personality of a computer
From a recent discussion that I had with Harlan Carvey about the registry, this topic is something that I touched on lightly in Placing the…
Wednesday July 31
2346 hits / 0 comments
-
Add a Dab of Balance in your DFIR World
Jessica Hyde ’ s post of Giving Back in DFIR from 2018 is a great write up on contributing to the DFIR community, and I…
Monday June 24
13276 hits / 0 comments
-
The Easy Way to Learn DFIR
Summary There is no easy way to learn DFIR . You can stop reading from here if you want. Longer version Ok. Since you are…
Saturday June 08
11151 hits / 0 comments
-
Game of Thrones, DFIR Style
Short post and quick opinion. I came across some tweets today about how bad people are in the #infosec/#DFIR community and I dug a little…
Thursday April 25
23703 hits / 0 comments
-
Puking in DFIR
Admittedly, the title of this post is intentionally gross, because I am going to heave a few things at you, mainly about puking. As in,…
Wednesday April 17
4836 hits / 0 comments
-
The #1 Reason that DFIR practitioners don’t post opinions
Lesley Carhart tweeted today that a journalist used one of her tweets in an article that would have been rephrased in a less playful…
Tuesday April 09
4992 hits / 0 comments
-
If USB flash drives were shaped like spiders, we wouldn’t have these problems
I hate USB drives. My first experiences with the darn things was when I was a young patrol officer and the entire police department was…
Monday April 08
1182 hits / 0 comments
-
Working in DFIR is glamorous, but mostly only to those not working in DFIR...
Here is something about the DFIR career field: it is one of the most exciting, eventful, and jam-packed jobs that anyone can have. Running and…
Friday April 05
2540 hits / 0 comments
-
Overcommitted in DFIR
I have seen people be overcommitted, realize that they are overcommitted, yet continue forward in the most serious of situations. By overcommitted, I do not…
Friday March 22
12646 hits / 0 comments
-
'You're guilty unless you can prove it'
Swift on Security tweeted a great article. The article is not great as a well-written piece or containing earth shattering news piece, but more that…
Saturday March 09
16095 hits / 0 comments
-
“I've answered questions, responded to emails, and been on phone calls...when asked.” – Harlan Carvey
I feel obligated to respond to one of Harlan Carvey’s points in his recent blog post, Book Writing Misconceptions ( https://windowsir.blogspot.com/2019/03/book-writing-misconceptions.html ). I agree with…
Tuesday March 05
2431 hits / 0 comments
-
All you need is a tiny spark to solve your case.
During a recent workshop, one person in the class kept asking me for the magic bullet to work his case. By that, I mean that he…
Saturday March 02
2216 hits / 0 comments
-
Some CONS are good. Some cons are bad.
The bad cons are the criminals that victimize you. The good CONS are the conferences that you were glad to attend. CTIN is one of…
Thursday February 14
7574 hits / 0 comments
-
This is how I know someone will make it in DFIR (or in anything)
The #1 factor is not giving up . The #2 factor is talent . Actually, scratch #2. You can make it without talent if you…
Wednesday January 09
18297 hits / 0 comments
-
5 tips in how not to be outdone, outmaneuvered, or just outright embarrassed in DFIR.
Short version:
- Bring your A Game
- Don’t hold back
- Be prepared
- Know what you claim to know
- Fight complacency&...
Tuesday January 01
by Brett Shavers
7544 hits
/
2 comments
Only race cars should burnout.
Only race cars should burnout.
This week, @taosecurity ( Richard Bejtlich ) wrote an important blog post on managing burnout ( Managing Burnout ). As he mentions in the first…
Sunday December 23
by Brett Shavers
23609 hits
/
0 comments
{source}
© 2019 Brett Shavers