RE: Computer Forensics

From: Jason Coombs <jasonc(at)science.org>
Date: Tue May 06 2003 - 04:28:17 EDT

Remember that "forensics" is defined through the use of forensics.

Establishmentarians like to build big walls around the subject and ensure there is a high barrier to entry with requirements for certifications, formal education and training, and so forth... But the fact is, and always will remain, that forensics is expert rhetoric meant to convince others of a particular viewpoint. Any forensic expert who believes with absolute certainty that their methods and procedures cannot be fooled is a danger to everyone in society because they are delusional.

Sometimes the rhetoric is backed up by empirical evidence, so we can write and read books about how to gather and analyze this evidence empirically so as not to contaminate it or misinterpret it, but in the end you cannot escape the fact that any person and any method that proves to be more convincing becomes the standard of practice in forensics. Thus any claim of the "right" way to do something is valid only until somebody else comes up with a different way to do something and a convincing explanation as to why it too is "right" or perhaps even "better".

Remember also that many, many established forensic experts reject the very existence of "computer forensics"; pointing out (accurately) that this is nothing more than a sub-specialty area within the catch-all "forensic engineering" field, where engineers (rather than scientists) who ply a trade with expert technical knowledge of methods and procedures can offer valuable testimony in a court setting without being scientists or being bothered to adhere to lofty principles like the scientific method, the pursuit of truth and justice, and simple ethics.

Sincerely,

Jason Coombs
jasonc@science.org

-----Original Message-----
From: Kruse, Warren G, II (Warren) [mailto:wgkruse@lucent.com] Sent: Monday, May 05, 2003 8:23 AM
To: 'Matías Bevilacqua-Brechbühler Trabado'; 'Jonathan A. Zdziarski'; 'yannick'san'; 'William Cimo'; forensics@securityfocus.com Subject: RE: Computer Forensics

Very true, that plus the technology changes so fast. We fought that problem for two years when we were writing our computer forensics book. You don't want it to be outdated before it hits the shelves.

-wk

Warren G. Kruse II, CISSP, CFCE
Investigations Manager
Lucent Technologies
732-949-8713
wgkruse@lucent.com

-----Original Message-----
From: Matías Bevilacqua-Brechbühler Trabado [mailto:mbevilacqua@cybex.info] Sent: Sunday, May 04, 2003 2:45 PM
To: 'Jonathan A. Zdziarski'; 'yannick'san'; 'William Cimo'; forensics@securityfocus.com
Subject: RE: Computer Forensics

> > Will it be only technical procedures or will it integrate

This is because Computer Forensics depends so much on methodology and procedures. Both are critical for a successful Forensic process. I will be taking this into consideration when creating the survey I talked about, let's see what the rest of the community thinks about it.

Regards,
Matías Bevilacqua Trabado
CYBEX

---

PGP-ID: 0x40A4869F
PGP Fingerprint: 2052 98A0 F0F0 2914 D7FA 4E7C 0488 7E8C 40A4 869F

---

CYBEX
Grupo Intelligence Bureau
Rambla de Catalunya, 32 4º-2ª
08007 Barcelona-SPAIN
Tel. 93 215 53 23
Fax. 93 215 50 72
http://www.cybex.info

---

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Tue May 6 09:01:51 2003