SANS Digital Forensics and Incident Response Blog: Category - eDiscovery

Law Is Not A Science: Admissibility of Computer Evidence and MD5 Hashes

Another day... another hashing discussion:

On the SANS GIAC Alumni list the other day, the question popped up from one of the individuals on the list:

"I'm assuming that this group has had the pleasure to consume the latest research focused on MD5 hash collisions. Discussions about hash collisions seem to carry the same energy as religion and politics. My question is regarding digital evidence and the use of MD5 hashes to establish digital evidence integrity. The use of hashes to ensure digital evidence integrity has legal precedence. However, as more research companies introduce concerns related to MD5 hashes, the courts will at some point no longer consider this as a valid technology to ensure integrity.

Digital Forensics Professionals: Texas PI Legislation Interpreted

Automated Traffic Enforcement Opinion: Relevant to Electronic Discovery Work?

A Texas state government agency has published a formal opinion interpreting controversial new legislation on the licensing of computer forensics experts as private investigators. The Texas Private Security Bureau says it "generally" feels the private administrators of traffic enforcement cameras need not be licensed as PIs. The ruling may help us construe this new law in other contexts, such as e-discovery performed by computer forensics professionals.

The agency's reasoning is that the companies running traffic cameras are engaged in only "ministerial" activities at the direction of public servants (i.e. city employees). But the Bureau says its opinion applies only "generally" to traffic camera operators because some operators might be


Destruction of adverse documents

In most western (at least common law) jurisdictions it is an offence to destroy any document that is, or may be, used as evidence in an ongoing or potential judicial proceeding. An organization must not destroy documents on the grounds that the evidence is unfavorable. Destroying documents that are suspected to be subject to litigation may result in a charge of obstruction of justice. This makes identifying material that was deleted after a litigation hold was in place a key goal of the forensic investigator.

Adverse inferences are often upheld in litigation if a party cannot produce the required documents. There is also the hazard of reputational damage. In British American Tobacco Australia Services Limited v Roxanne Joy Cowell for the estate of Rolah Ann McCabe [2002] VSCA 197, the judge at first instance seriously denounced BAT for the methodical destruction of a large number of records. Documents that may hold


PTK: Evidence adding and Indexing

At the moment, three output formats dominate media duplication in computer forensics:

- dd (RAW image): the simplest and most widely used format
- EnCase format (EWF): a closed format, now widely supported by computer forensics products
- AFFLIB format (AFF): very complete, but still evolving

PTK can recognize all of the formats listed above. A media copy is usually stored either as a single file or as a set of split files. PTK recognizes the split-image case and, given the first chunk, automatically imports the remaining files. No log files or other types of data are allowed inside the evidence directory (i.e. file.e01, file.e02, file.log is not permitted). Through TSK, PTK automatically recognizes every partition


More command line forensics fu

Recently, I was asked if I could recover all images from a hard disk drive that could be linked to a specific digital camera. In this case, the EXIF data contained the make, model and serial number of the camera in question. Using some simple command line fu, I was able to quickly recover all of the images. I could have used GUI tools, but I believe in keeping my command line skills polished, so I try to use them as much as I can.

Here's how I did it. For the sake of demonstration, I'm using the ipcase_ntfs.img from SANS Security 508: Computer Forensics, Investigation and Response, but the concepts are the same for any hard drive image.

To begin with, extract the strings from the image as follows:

strings --radix=d image_file > image_strings.txt

Using --radix=d causes the strings command to include the byte offset, in decimal, at which the given string