Security Incidents mailing list archives
RE: Digital forensics of the physical memory
From: Harlan Carvey <keydet89 () yahoo com>
Date: Sat, 18 Jun 2005 13:51:48 -0700 (PDT)
George and Ben,
> The original author does at one point use the term "image" to describe his evidence collection process. I think that use of this term was unfortunate because it invites comparison with classical approaches to evidence gathering and standards. It is not possible to "image" a reality that is constantly changing.

Could you suggest a suitable term to use?

> A "smear," on the other hand, is a pejorative term which assumes that a changing reality cannot therefore be measured accurately.

Perhaps you're correct about the use of the term "smear"...but how would you go about accurately measuring the changes that occur during the use of dd.exe?

[snip]

> One of the things that concerns me is that we have an emerging practice within the forensic and law enforcement community without any real reflection on its theoretical or hermeneutic underpinnings. The absence of free and open public reflection and debate on this matter is a serious obstacle to computer forensic aspirations of becoming a scientific discipline.

Agreed. However, what would you suggest as a remedy to the situation?

> Conventional forensic doctrine places heavy emphasis on not altering evidence during the acquisition process. But it does not explain the relationship between this principle and the notion of evidentiary reliability as this is understood in forensic science. Aitken and Taroni define reliability in the following manner: "Reliability is the probability of observing strong misleading evidence. This is related to the amount of evidence one has. If one wishes to improve the reliability of one's evidence then the amount collected has to be increased. This is intuitively reasonable." Colin Aitken and Franco Taroni, Statistics and the Evaluation of Evidence for Forensic Scientists, Second Edition (Chichester 2004), 198. Reliable evidence is evidence for which the probability of observing strong misleading evidence is kept below a certain tolerable level. We do not approach this question in the abstract. Rather, we must compare the probability of observing strong misleading evidence with physical memory to the probability without this analysis. Increasingly the scale seems to be tipping in favor of considering this so-called "new" evidence.

How would you suggest that we go about this comparison?

Harlan

------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
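The question raised in the message above, how one would actually measure the changes that occur while a tool such as dd.exe reads physical memory, can be approached empirically. The script below is an added example and is not code posted by anyone in this thread: it takes two raw dumps of the same physical range acquired back to back, hashes them page by page, and reports how many pages differ and whether the differences are clustered or scattered. The 4 KiB page size and the in-memory sample images are assumptions constructed here so the example runs offline; on a real case you would point `load_image` at two consecutive acquisitions instead.

```python
"""Quantify 'smear' between two acquisitions of the same physical memory.

Added example, not code from the mailing-list thread. Assumes two raw dumps of
the same physical address range (for instance two consecutive dd.exe runs) and
compares them page by page. The sample images are constructed below; they are
not real memory.
"""
import hashlib

PAGE_SIZE = 4096  # assumption: 4 KiB pages, the usual x86 page size


def load_image(path: str) -> bytes:
    """Read a raw dump from disk (use on real acquisitions)."""
    with open(path, "rb") as fh:
        return fh.read()


def page_hashes(image: bytes, page_size: int = PAGE_SIZE) -> list:
    """One SHA-256 digest per page; a short trailing page is hashed as-is."""
    return [hashlib.sha256(image[off:off + page_size]).digest()
            for off in range(0, len(image), page_size)]


def compare_images(a: bytes, b: bytes, page_size: int = PAGE_SIZE) -> dict:
    """Compare two acquisitions page by page.

    Returns the page count, the number and indices of pages whose content
    differs between the two passes, and the fraction changed, which is a
    coarse but concrete measure of how far the 'reality' moved between them.
    """
    if len(a) != len(b):
        raise ValueError("images must cover the same physical range")
    ha, hb = page_hashes(a, page_size), page_hashes(b, page_size)
    changed = [i for i, (x, y) in enumerate(zip(ha, hb)) if x != y]
    total = len(ha)
    return {
        "pages": total,
        "changed": len(changed),
        "changed_indices": changed,
        "fraction_changed": (len(changed) / total) if total else 0.0,
    }


def changed_runs(changed_indices: list) -> list:
    """Collapse changed page indices into (first_page, run_length) tuples.

    A few long runs suggest localized activity (e.g. one busy pool region);
    many single-page runs suggest changes scattered across the address space.
    """
    runs = []
    for idx in changed_indices:
        if runs and idx == runs[-1][0] + runs[-1][1]:
            runs[-1] = (runs[-1][0], runs[-1][1] + 1)
        else:
            runs.append((idx, 1))
    return runs


def make_sample_images(pages: int = 64):
    """Constructed sample: a baseline dump and a second pass in which pages
    3, 4, 5 and 40 changed between acquisitions (simulated smear)."""
    base = b"".join(bytes([i % 256]) * PAGE_SIZE for i in range(pages))
    second = bytearray(base)
    for p in (3, 4, 5, 40):
        off = p * PAGE_SIZE
        second[off:off + 8] = b"CHANGED!"  # overwrite the first 8 bytes
    return base, bytes(second)


def report(a: bytes, b: bytes) -> str:
    """Human-readable summary of the comparison."""
    r = compare_images(a, b)
    runs = changed_runs(r["changed_indices"])
    lines = [
        f"pages compared : {r['pages']}",
        f"pages changed  : {r['changed']} ({r['fraction_changed']:.2%})",
        f"runs of change : {len(runs)}",
    ]
    lines += [f"  page {start:>6} x{length}" for start, length in runs]
    return "\n".join(lines)


if __name__ == "__main__":
    first, second = make_sample_images()
    print(report(first, second))
```

Two caveats a practitioner would want: comparing two full passes measures drift over roughly one acquisition interval, not the inconsistency inside a single pass (each pass is itself non-atomic, so pages near the end of a dump are newer than pages near the start); and a page hash only says that a page changed, not how much, so pages that merely had a counter incremented and pages that were entirely repurposed count the same.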
Current thread:
- Digital forensics of the physical memory Mariusz Burdach (Jun 15)
- Re: Digital forensics of the physical memory Ben Hawkes (Jun 17)
- Re: Digital forensics of the physical memory Mariusz Burdach (Jun 17)
- Re: Digital forensics of the physical memory Harlan Carvey (Jun 17)
- RE: Digital forensics of the physical memory George M. Garner Jr. (Jun 18)
- RE: Digital forensics of the physical memory Harlan Carvey (Jun 20)
- Re: Digital forensics of the physical memory David Pick (Jun 20)
- Moderator's note: Re: Digital forensics of the physical memory Daniel Hanson (Jun 20)
- part deux, was -> RE: Digital forensics of the physical memory Harlan Carvey (Jun 20)
- Re: part deux, was -> RE: Digital forensics of the physical memory Ben Hawkes (Jun 20)
- Re: Digital forensics of the physical memory Ben Hawkes (Jun 17)