SANS Digital Forensics and Incident Response Blog

Guidance Software and Access Data are NOT "court validated"

by Rob Lee

It is about time someone did a post on this, but for many years Guidance Software has been claiming their tools are the only "court validated" tools on the market. The argument came to a head over the past couple of weeks when Access Data made a major "News" release also claiming their tool was validated by highlighting a bunch of case chaff.

This topic, when brought up, created a constant "eye-roller" moment for most of us who do work in forensics community for years. This was pure marketing spin. It would be a similar strategy if McDonald's began claiming that because they sell more hamburgers worldwide, that their hamburger is the Official Hamburger of the World.

Like living in a Dilbert nightmare, the competition's marketing team strategy sessions have concluded that this must be a genius strategy that has resulted in more sales for their competitor. They decided to mimic their competition by copying the faulty strategy and attempting to create counter-FUD. And with that action, the straw broke the camel's back.

Craig Ball, who is one of the panelists at the 2009 Forensic Summit for "Forensic Challenges from the Court Room", has written an excellent post that will hopefully drive the point home. Neither Access Data or Guidance Software are "court validated." Read his post on the EDDUPDATE blog at Law.com here. Thank you Craig for the article that has been needed.

Vendor Marketing Teams take note:

Tell us why your product is better. Tell us that your product creates value. But please stop the legal navel gazing.

We need good forensics software:

I use Access Data's products. I also use Guidance software's products. They have greatly sped up my investigative capabilities. Are they perfect? No. But they are slicker than anything else I have worked with. As vendors should do, they keep inventing new things to add. I want them to employ smart developers and build a competitive product so I squeeze out the most value.

As a software vendor, they also have to supply patches. Not only for security problems, but for analysis problems as well. It is natural to want to limit the attacks of possible cross examination of an investigator's analysis, but any attack on your product will only make you better. Without technnical scrutiny, what would force either company to try and make a better product?

Why would evidence NOT be accepted in court?

For a judge to not accept evidence based on a tool would be interesting as tool validity is hard to fit in Federal Rules of Evidence 901 and 902 for relevancy and authenticity. Generally the weight could be affected, but generally what is attacked is the interpretation of the evidence and what it shows as possibly unreliable. While not directly related, take a look back at this blog article I wrote to potentially help with some additional links for evidence here.

https://blogs.sans.org/computer-forensics/2009/01/07/law-is-not-a-science-admissibility-of-computer-evidence-and-md5-hashes/

Best,

Rob Lee

_________________________________________________________________________________________________________________________________________

Rob Lee is a Principal Consultant for MANDIANT, a leading provider of information security consulting services and software to Fortune 500 organizations and the U.S. Government. Rob has over 13 years experience in computer forensics, vulnerability discovery, intrusion detection and incident response. Rob is the lead course author and faculty fellow for the computer forensic courses at the SANS Institute.

Sign up for the NEW class SEC408 Computer Forensic and E-Discovery Essentials debuting at SANSFIRE 2009. Receive a Tableau T35e Read-Only Write-Blocker forensic kit as a part of the new class.

2 Comments

Posted April 16, 2009 at 7:19 AM | Permalink | Reply

johnmccash

Hey Rob,
Did you know that Guidance even puts a version of this FUD as a question on one version of their EnCE exam? I don't remember the exact wording, but it was a true or false on whether commercial or open-source software was better in the courtroom. It irritated me immensely to be forced to answer true because that was the expected answer.
John

Posted April 16, 2009 at 7:53 AM | Permalink | Reply

robtlee

John, you are right. That statement for a test question is misleading.
To back up your thoughts: http://www.digital-evidence.org/papers/opensrc_legal.pdf
Are there ways to challenge test questions like the do for the GIAC exams?
''"Rob