What is "forensically sound"?


Re: What is "forensically sound"?

Post Posted: Oct 20, 05 00:48



Re: What is "forensically sound"?

Post Posted: Oct 22, 05 01:21

My comments relate to the UK and in particular the ACPO guidelines.

My personal view is that many people get far too hung up about what is and is not a forensically sound process.

The ultimate aim of the process is to recover evidence from any computer and demonstrate to a court that the evidence is both accurate and reliable.

Under normal circumstances with static computer data, this will mean that the process of imaging the computer is documented, and should someone else do exactly the same at a later time, the result will be exactly the same.

However, should some situation occur in which the result is not the same, document the reasons for this, and explain what the effect is on the reliability of the evidence.

A good example is a laptop I dealt with. There was no way to remove the battery without lifting the screen and removing the keyboard, at which point the hard drive booted up. The result being a few files were accessed before I could shut the machine down and remove the battery.

So what is the effect of this? I have documented that it happened, and importantly why it happened. Other than smashing open the bottom of the laptop, there was no other way to get into it (except I couldn't boot from CD or floppy etc.).

Next issue is, what is the effect? I can explain and show exactly what happened and why and what the result was (which files had MAC times changed etc.). Also I explain what the result of these changes was on the 200 pictures relevant to the case.

The reality is that I dealt with the laptop in a manner that I considered best. If someone wished to challenge that, then they could explain to a court how they would have done it better and most importantly what effect the 'better way' would have had on the evidence. In my 4 1/2 years of computer forensic experience (17 years as a Police Officer in total), the courts would be very unlikely to make my evidence inadmissible.

So to briefly equate this to a live server situation, we recover the evidence in a way that is most accurate and reliable based upon the capabilities of the industry at this time (best tools and techniques available), but if that means some evidence is potentially lost or altered in some small way, document and explain why, and the consequences.

'Forensically sound' to me is creating the most accurate and reliable copy and analysis of computer data based upon the individual circumstances of the case. This will differ greatly between an unpowered stand-alone computer and a running server in a corporate environment.


Re: What is "forensically sound"?

Post Posted: Dec 02, 05 20:52

Dear All,

To introduce myself to you, I am from India and an advocate by profession and a member of the Supreme Court of India Bar Association.

The discussions here are very interesting and with good technical support. I appreciate the forum members & the administrator.

I feel that forensic science is applicable irrespective of nationality; however, the interpretation may need a different approach.

As far as computer forensics is concerned, as per Indian law, foreign judgements and law can be considered as a basis for interpreting the case.

Thanks & Regards

Kamal Dave
Advocate & Legal Advisor
kamal_dave_advocate @ yahoo.com

Re: What is "forensically sound"?

Post Posted: Dec 03, 05 00:19

With the default encryption and security methods proposed for the Microsoft Longhorn system, which will no doubt be with us shortly, it is a good question to put, as it would appear that if, like now, we "pull the plug" on a running system, the data it contains will most likely be unretrievable. It would seem likely that these will have to be examined in a running state.

Personally, "forensically sound" to me is an assessment of the situation, the reaching of reasonable and justifiable conclusions in respect of that situation, and the carrying out of whatever processes are necessary to retrieve the data in the best possible way.

All of the above must be fully recorded with the reasoning behind them and hopefully at the end of the day you do what you think is best for all the right reasons and the courts and other side agree with you.


Re: What is "forensically sound"?

Post Posted: Dec 03, 05 19:08

Hi guys.

Here goes with my two-pence-worth:

I would utilise my current toolkit to conduct a live collect on the network against the MAC or IP address of the target system in order to ascertain whether the "stolen" data is traversing the network, either originating from or going to the suspect system. The collect will also identify whether the web server has been compromised, as malware will be identified during this process. If the collect generates sufficient reasonable grounds to suspect the individual(s) using the suspect system are committing a breach of security, then it would mandate a system-level interrogation that I would employ either EE against or, preferably, I would use something like Helix to access the system that cannot be taken down and Netcat off the image to a remote storage device for later examination.

This whole process relates to having a forensic toolkit rather than reliance on one piece of software and is fundamentally underpinned by the ACPO Guidelines, against which all work is undertaken.

As for what tool to use to do the initial network collect - I use an award winning network forensics tool from an A List company though it is not EE.

Hope this goes some way to explaining an approach,
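The "Netcat off the image to a remote storage device" step described in the post above, paired with the hash record that earlier posts in the thread ask for so the copy can be shown to a court to be accurate and reproducible. This is an added example and not part of any post; host names, ports and device paths are placeholders.

```shell
# Added example (not from the thread): stream an image to storage and keep a
# SHA-256 of exactly the bytes sent, then re-check the stored copy later.
set -u

# Copy SRC (a device or file) to DEST and print the SHA-256 of the stream.
# conv=noerror,sync zero-pads unreadable blocks so offsets stay stable, which
# also pads a source shorter than a multiple of BS up to the block size.
image_and_hash() {
    src=$1; dest=$2; bs=${3:-4096}
    dd if="$src" bs="$bs" conv=noerror,sync 2>/dev/null \
        | tee "$dest" \
        | sha256sum | cut -d' ' -f1
}

# Over the network the same stream goes through netcat instead (bash syntax,
# placeholders for host and port):
#   receiver:  nc -l -p 9000 | tee evidence.dd | sha256sum > receiver.sha256
#   live host: dd if=/dev/sda bs=4M conv=noerror,sync \
#                | tee >(sha256sum > source.sha256) | nc STORAGE_HOST 9000
# Matching source.sha256 and receiver.sha256 documents that the copy is exact.

# Re-hash a stored image against the hash recorded at acquisition time.
# Prints "ok" and returns 0 on a match, "MISMATCH ..." and 1 otherwise.
verify_image() {
    image=$1; recorded=$2
    actual=$(sha256sum "$image" | cut -d' ' -f1)
    if [ "$actual" = "$recorded" ]; then echo ok; return 0; fi
    echo "MISMATCH recorded=$recorded actual=$actual"; return 1
}

# Self-contained run on a constructed 8 KiB "device": the untouched image must
# verify, and a single-byte change to the image must be detected.
demo_run() {
    work=$(mktemp -d)
    head -c 8192 /dev/urandom > "$work/source.bin"          # constructed sample
    h=$(image_and_hash "$work/source.bin" "$work/image.dd" 4096)
    echo "acquired sha256=$h"
    verify_image "$work/image.dd" "$h" || return 1
    printf 'x' | dd of="$work/image.dd" bs=1 seek=100 conv=notrunc 2>/dev/null
    verify_image "$work/image.dd" "$h" && return 1
    rm -rf "$work"
    return 0
}
```

Run `demo_run` to see the recorded hash, one successful verification and one detected mismatch.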

