.

Working for the dark side

<<

jimbob

Post Tue Nov 18, 2008 6:48 am

Working for the dark side

Hi,
I've noticed a significant prejudice against computer forensic professionals who work for the defense. Some professional bodies will deny you admission if you have ever worked for a defendant and you may find a lot of other doors closed to you if you do this. Certain tools for example are only available to law enforcement.

I believe computer forensics to be an extension of forensic science. I also believe that justice cannot be served by making the forensic process a closed system not open to scrutiny. In science peer review is important to ensure the validity of the scientific process and it's conclusions.

Does this attitude exist, and if so does it hold back the progress of computer forensics?

Jimbob
<<

Artful Dodger

Newbie
Newbie

Posts: 43

Joined: Tue Apr 29, 2008 8:58 am

Post Tue Nov 18, 2008 9:25 am

Re: Working for the dark side

I havent found this to be so.  There may be personal issues out there were someone has a problem with you working for the defense.  But Industry wide I havent run into anythin gremotley close to this.

A big part to remember is forensics is forensics.  Just like testing DNA...it is or isnt.  If you gain a reputation for being professional and honest, you should have no problems.  Plus, everyone knows that the defense is not always guilty.  Now if you turn into a scum bag that gets a CP person off under false pretense or technicality...you should probably punch yourself in the face.  but that is just a personal view:)
CISSP, C|HFI, Security+, Network+, XYZ...blah.
<<

pseud0

User avatar

Recruiters
Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Tue Nov 18, 2008 1:43 pm

Re: Working for the dark side

Actually, I have seen this.  There are at least two very well know groups (that I will refrain from naming) that will not accept you into the group, or remove you from the group, if they find out you worked as an expert witness for the defense in a criminal matter.  If you talk to the group members the prevailing opinion is that when you work for the defense, almost 100% of the time you are helping them make their case by challenging the methods or ability of another forensics analyst.  If you are attacking their methods (tools, the science behind data forensics, standard approaches, etc), then you are actually attacking the entire practice of forensics which is bad for the community.  If you attack the ability of the other analyst, then this is often viewed as a personal attack against someone that was trying to catch a crook.  I don't necessarily agree with these arguments, but I hear them a lot.  With that being said, if someone screwed up the case, then they screwed up the case.  Period.  Also, if you do your own analysis and can present evidence that is valid and relevant to the case (ex. you find out that someone's system was actually hacked into and the illegal activities might not have been performed by the system owner but by the intruder) then that should absolutely be presented in court.  However, whatever your motivation might be, as soon as you sit on the other side of the isle there are just going to be repercussions.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER
<<

jimbob

Post Tue Nov 18, 2008 2:51 pm

Re: Working for the dark side

Thanks pseud0, I think you pretty much summed up the feeling behind this attitude to defense expert witnesses. What leaves a sour taste in my mouth is the notion that those who put forensic practice under scrutiny are at fault. That's not how I understand justice to work.

Jimbob
<<

Artful Dodger

Newbie
Newbie

Posts: 43

Joined: Tue Apr 29, 2008 8:58 am

Post Wed Nov 19, 2008 4:34 pm

Re: Working for the dark side

I agree with that first part.  I guess there should have been a disclaimer.  If you are providing valid data, you are a good guy regardless of who you represent.  If you are picking apart another forensic expert you can be frowned on.  But really I think it all has to do with the situation.  If you argue on the defense about a specific practice that the other party used to prove a child porn case...punch yourself (unless it is absolutley legit and not a goofy technicality in a growing and erratic feild).  But if you work for the defense and show that it was indeed from a virus or different user...that is a different case.
CISSP, C|HFI, Security+, Network+, XYZ...blah.
<<

LSOChris

Post Thu Nov 20, 2008 11:57 am

Re: Working for the dark side

what if you did a forensics exam and found something contrary to what the other guy found?

havent there been cases where the defense forensics guy did find the possibility that the 1st analyst missed potential compromises or other issues?
<<

pseud0

User avatar

Recruiters
Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Thu Nov 20, 2008 7:40 pm

Re: Working for the dark side

There are always going to be cases where one side or the other missed something, but more often than not the defense is going to push for any shred of reasonable doubt based on concepts rather than facts.  It's become very common for the defense to latch onto any shred of malware as possible "proof" that their client did not download that 4GB of child pr0n.  I don't care how security conscious you are, you are almost guaranteed to have some artifact of malware on your system.  There were a couple of high profile cases where the defense argument was based around files that were left behind when the system anti-virus identified a malware and disabled/removed most of the affected files.  Of course it missed some which were left behind but not functional.  The defense argued that it proved the system had been compromised at some time in the past, and it created reasonable doubt because a "hacker" could have used the machine to download the pics.  None of the timestamps lined up, but of course that's because the "hacker" changed them all.  He also arranged all of the pictures into a nice, organized set of folders.  Anyway, in this case the forensics analysts produced the same data (what was on the system) but the defense was based on their version of what that data was saying.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER

Return to Forensics

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software