I have a number of prepared presentations that I can deliver to conferences or user group meetings. One is on presenting technical evidence in court. I was asked to deliver this at a conference in Illinois one time. I met a group, obviously of law enforcement types, just before I was to give this presentation. We chatted, and I told them that I would undoubtedly be calling on one of their number, and so they should choose who was the best in the computer forensics area, which, despite the name, is now generally understood to be limited to the recovery of data from hard disks and other storage devices.
I always ask the same question when I give this presentation. I suppose that I will have to change the question, now that I'm telling all of you this, but I have always presented it as a scenario for a situation in court. (Then again, with the increasing use of solid-state "drives," it may become redundant.) I am the defending lawyer, and I ask one of the audience to be the expert witness, in terms of computer forensics, for the prosecution. I ask whether, when they imaged the drive in question, they did a complete bit image copy. They generally reply that they did. I ask what commercial software they used to make that copy. They usually answer with one that is well known. I ask if they ensured that they recovered both the physical and the logical slack space. They generally answer in the affirmative.
At this point, I have proved that they don't know their stuff. This is really all you need to do in court. You do not need to prove that the expert witness is wrong, you just make him look like a fool. And by saying that they used a commercial product, and that it recovered all the slack space, including both the physical and the logical slack space, they have lied. There is no commercial product that will recover physical slack space.
I ask this question because even specialists in recovery of data very seldom understand the difference between physical and logical slack space. There is always logical slack space on any storage disk: unused space, and also any space from deleted files that has been made available for storing additional files. It is fairly random data, and may contain bits and pieces of numerous previously deleted files. It seldom includes an entire deleted file. But it's valuable data, nonetheless, and can be used to at least partially recover a number of files that have been deleted.
Physical slack space is very different. It is the margin of error that disk manufacturers leave themselves. When they produce a disk, it is much more important that any data you write to the disk is recoverable than that the entire space on the disk is utilized. The physical disk is an analog object. It is used to store data, but storing data on it relies on the creation of tracks of data, and on timing that indicates how much data should be put into the sectors of those tracks, while leaving a margin of time, and space, unused at the end of the sectors. Thus, there is an awful lot of space on any disk in the unused space at the end of a sector, or in the spaces between, or beyond, where tracks are marked on the disk, which, if you are a good programmer, you can access for storage. This additional storage is completely unknown to the operating system. And commercial products only understand the tracks and sectors that are known to the operating system.
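To make the logical side of this concrete, here is an added example, not code from the original post: a toy sector-level disk model in Python. Deleting a file only clears the allocation table, so the old bytes stay in sectors the operating system now regards as free (unallocated space), and in the unused tail of the last sector of whatever file reuses them (file slack). Walking the filesystem the way a logical copy does finds none of that; only a bit image of every sector does. The 512-byte sector size, the file names and the file contents are all constructed for the example. Physical slack, the gaps outside the sector layout that the post describes, does not exist in this model at all, which is exactly the point: anything that reads through the sector map cannot see it.

```python
"""Toy sector-level disk model (constructed example, not a real filesystem).

Shows where logical slack space comes from: bytes of a deleted file survive
in sectors the allocation table marks free, and in the tail of the last
sector of a newer, smaller file that reuses them."""

SECTOR = 512  # constructed: sector size of the toy disk


def sectors_needed(length: int) -> int:
    """Ceiling division: how many whole sectors a file of `length` bytes uses."""
    return -(-length // SECTOR)


class ToyDisk:
    """Flat array of sectors plus the minimal metadata an OS would keep."""

    def __init__(self, sectors: int):
        self.raw = bytearray(SECTOR * sectors)   # what a bit image copies
        self.allocated = [False] * sectors       # what the OS thinks is in use
        self.directory = {}                      # name -> (first_sector, length)

    def _find_free_run(self, n: int) -> int:
        run = 0
        for i, used in enumerate(self.allocated):
            run = 0 if used else run + 1
            if run == n:
                return i - n + 1
        raise RuntimeError("disk full")

    def write_file(self, name: str, data: bytes) -> None:
        needed = sectors_needed(len(data))
        start = self._find_free_run(needed)
        # Only the file's own bytes are written; the tail of its last sector
        # keeps whatever was there before. That tail is the file slack.
        self.raw[start * SECTOR:start * SECTOR + len(data)] = data
        for s in range(start, start + needed):
            self.allocated[s] = True
        self.directory[name] = (start, len(data))

    def delete_file(self, name: str) -> None:
        # Deletion clears metadata only; no sector is wiped.
        start, length = self.directory.pop(name)
        for s in range(start, start + sectors_needed(length)):
            self.allocated[s] = False

    def logical_view(self) -> dict:
        """What a filesystem-aware (logical) copy sees: live files only."""
        return {name: bytes(self.raw[s * SECTOR:s * SECTOR + ln])
                for name, (s, ln) in self.directory.items()}

    def unallocated_bytes(self) -> bytes:
        """Free sectors as a bit image would capture them, old data included."""
        return b"".join(bytes(self.raw[i * SECTOR:(i + 1) * SECTOR])
                        for i, used in enumerate(self.allocated) if not used)

    def file_slack(self, name: str) -> bytes:
        """Bytes between a live file's end and the end of its last sector."""
        start, length = self.directory[name]
        end = (start + sectors_needed(length)) * SECTOR
        return bytes(self.raw[start * SECTOR + length:end])


def carve(blob: bytes, marker: bytes) -> list:
    """Crude carver: every run starting with `marker` up to the next NUL byte."""
    found, i = [], blob.find(marker)
    while i != -1:
        end = blob.find(b"\x00", i)
        found.append(blob[i:end if end != -1 else len(blob)])
        i = blob.find(marker, i + 1)
    return found


def demo() -> dict:
    """Write a two-sector file, delete it, reuse its first sector, then compare
    what a logical copy and a bit image of the free space each contain."""
    disk = ToyDisk(8)
    secret = b"PART1:" + b"a" * 506 + b"PART2:" + b"b" * 100   # 618 bytes
    disk.write_file("secret.txt", secret)
    disk.delete_file("secret.txt")               # OS forgets it; bytes remain
    disk.write_file("note.txt", b"hello world")  # overwrites 11 bytes of sector 0
    live = disk.logical_view()
    return {
        "visible_files": sorted(live),
        "fragments_in_live_files": [f for d in live.values() for f in carve(d, b"PART")],
        "fragments_in_unallocated": carve(disk.unallocated_bytes(), b"PART"),
        "note_slack": disk.file_slack("note.txt"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value if not isinstance(value, bytes) else f"{len(value)} bytes")
```

The logical copy reports a single file, note.txt, and carving its contents yields nothing. The free sectors still hold the whole second half of the deleted file, and the 501-byte slack behind note.txt is the leftover first half. A complete bit image preserves both; a copy that walks the directory preserves neither.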
So, I got to the point in my presentation where I needed to make the point that you do not have to prove the opposition wrong; you only have to prove that the opposition is an idiot. I am making this point not for any of the lawyers in the audience who may wish to attack forensic technicians, but to warn forensic technicians that they need to be very careful about what they answer, and that they completely understand the question that is being asked.
The crew of law enforcement people that I had identified just before the session were all seated together towards the back of the seminar room. I asked if they had chosen their champion. They all pointed at one guy. So I started asking my questions. He gave the predictable answers. I then explained to the seminar why I had just proved that he was a fool.
I saw him after the seminar. I asked if he was offended at being chosen for that particular demonstration, and he, very graciously, said no. He gave me his card. He was, in fact, the Director of the FBI's computer crime lab for the midwestern states.
Previous: https://fibrecookery.blogspot.com/2024/11/mgg-549-hwyd-dc-snow.html
Introduction and ToC: https://fibrecookery.blogspot.com/2023/10/mgg-introduction.html
Next: https://fibrecookery.blogspot.com/2024/12/mgg-551-hwyd-patent-trolls.html