
[Full-disclosure] Re: Guidance



It is not just defects in EnCase features that cause computer forensic 
examiners who use Guidance Software's products and training to produce 
incorrect and misleading expert testimony or fact evidence.

Guidance Software simply doesn't understand, and doesn't care to understand, 
information security.

It would be bad for sales of EnCase if Guidance admitted that they have no way 
to know whether anything discovered on a hard drive by EnCase is reliable 
circumstantial evidence.

The result of Guidance's software and their training is a severely 
dysfunctional industry built around making profits by looking at tea leaves and 
telling fortunes.

Data on hard drives simply is not evidence of anything. Even when it helps to 
prompt or guide investigations, the people who practice computer forensics must 
disqualify themselves and their reports from the status of 'expert' testimony 
or 'fact' evidence, yet they are taught by Guidance techniques to amplify the 
appearance of reliability and expertise instead of properly and competently 
explaining the inherent uncertainty in any computer forensic investigation.

Computer hard drive analysis is not expert testimony, and the result of such 
analysis is routinely misrepresented by people who use Guidance products, 
people who are trained by Guidance, and people who think the way that Guidance 
thinks.

The break-in to the Guidance computer network, and Guidance's typical botched 
corporate incident response, inadequate reporting, and failure to even try 
proactively to protect people who Guidance puts at risk, is just one point of 
proof that Guidance Software's failure to properly address the impact that 
intrusions and information security vulnerabilities have on the condition of 
data stored on hard drives is causing severe harm to the public safety 
worldwide.

Regards,

Jason Coombs
jasonc@xxxxxxxxxxx

-----Original Message-----
From: Alex Eckelberry <AlexE@xxxxxxxxxxxxxxxxxxxx>
Date: Tue, 20 Dec 2005 10:21:37 
To: computerforensics@xxxxxxxxxxxxxxxxx
Subject: RE: Guidance

Yup, Brian got it.  Very good work on his part.  I was late on the
story.  Thanks for the pointer. 

The other issue with version 4 is worrisome.  If people went to jail
because of incorrect information, that would be disturbing.  However, it
seems it's all relative to the circumstances and the skill of the
forensics expert. 

Thanks again!


Alex
 

-----Original Message-----
From: Paul Alexander [mailto:paul@xxxxxxxxxxx] 
Sent: Monday, December 19, 2005 8:22 PM
To: computerforensics@xxxxxxxxxxxxxxxxx
Subject: Re: Guidance

Alex Eckelberry wrote:
> Hello,
>  
> I'm working on a short article on computer forensics and am doing 
> research on rumoured problems with Guidance software, particularly
>  
> a) the fact that their database was (allegedly) recently hacked
>  
> and
>  
> b) problems with version 4.0 providing incorrect information, 
> particularly showing incorrect files in the recycle bin vs. version 5 
> showing a correct number of files.
>  
>  
> If anyone can point me to some links or more info, I would appreciate
> it.
>  
> TIA,
>  
>  
> Alex Eckelberry

Try this for the hacked database story -
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/19/AR2005121900928.html

Regards, Paul Alexander.
www.linuxfx.com



Forensic Focus (http://www.forensicfocus.com) email list addresses:

Post message: computerforensics@xxxxxxxxxxxxxxxxx
Help address: computerforensics-help@xxxxxxxxxxxxxxxxx
Unsubscription address: computerforensics-unsubscribe@xxxxxxxxxxxxxxxxx

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/