Friday, August 27, 2010

Court Approved?

I continue to hear this phrase mentioned by fellow forensicators in email lists and at conferences, so I thought I would, once again, help to dispel the myth.


Saying that one tool is court approved and another is not is like saying you can take crime scene photos with a Nikon, but not a Kodak. It's just silly, and it's a myth perpetuated by those who seek to benefit from the existence of such a rumor.

Now, there ARE tools that have been used in court cases, which may be more familiar to attorneys and/or judges. This does NOT make them court approved; it simply means that they have been used before...nothing more. Pay careful attention to what I am writing here...simply using a tool...any tool...DOES NOT make your findings any more relevant, valid, or indisputable than if you had used any other tool to come to the same conclusions. The data is simply the data.

Your job as a forensic investigator is to produce forensically sound results. This too is a term that is often used incorrectly or as a buzz word. Forensically sound means that if given the same set of data, any other investigator, using any other tool, would come to the same conclusion.

Now really think about what this means. Let's say you have been asked to identify a date range for files in a specific directory. Given the same image, 10 different people, using 10 different tools, should come to the exact same results...EnCase, FTK, TSK, MFL, Perl scripts, Python, whatever...the conclusion should be the same because the means by which you would extract that data is the same.

The implications of a conclusion being forensically sound invalidate the entire premise of something being court approved. How can one tool that comes to the same conclusion as another tool be approved while the other is not? They DO the same THING. Whether the GUI changes, the vendor changes, the code is open source or proprietary, or the platform is Linux or something else, it doesn't matter. The data is the data.

Thursday, August 5, 2010


In case you haven't noticed, I have not posted anything in a while. That is due to the fact that last week, during Black Hat, DEF CON, BSIDES week, my wife ended up in the Emergency Room and in surgery.

She is OK now, and at home recovering, but obviously my focus had to shift from forensics to my family. Once she is back on her feet and feeling better, I will be back to my usual forensic-y goodness.

I also want to give a HUGE thanks to all of you from BSIDES and SANS for sending me your thoughts and prayers. I also want to issue a public apology to the folks at The Next HOPE conference and DEF CON for having to miss my speaking engagements. You have my most sincere apologies, and I hope you realize that my absence was due to a significant medical issue.

Thanks again!