
[Full-disclosure] Fw: [IACIS-L] Statement by Defense Expert



Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: "Jason Coombs" <jasonc@xxxxxxxxxxx>

Date: Wed, 6 Jun 2007 04:13:33 
To: dave@xxxxxxxxxxxxxxx
Cc: iacis-l@xxxxxxxx, az_core@xxxxxxxxxxx
Subject: RE: [IACIS-L] Statement by Defense Expert


Dave_on_the_run <dave@xxxxxxxxxxxxxxx> wrote:
> Is your D expert by any chance Jason Coombs?
> That is a typical statement by him.
> I have an entire public dialogue from
> him on various security lists where
> he makes many outrageous claims
> similar to that.


Dear Dave,

Are you aware that your comment, above, has been reproduced by the Maricopa 
County Attorney in a 92-page document that details the completely absurd 
statements that were made by Tami Loehrs in the Matt Bandy case? See

http://www.maricopacountyattorney.org/Press/PDF/bandy_case_20070107.pdf

Your statement has been used as part of this publication in an effort to 
discredit Ms. Loehrs, and to respond formally to the deceptive and manipulative 
tactics of the Bandy family as they waged a political war to 'defend' their 
son, Matt, so that he would not be required to register as a sex offender.

As you may know, the television program 20/20 did a story about the Bandy case, 
and it reportedly failed to present the prosecution side of the story. I have 
not seen it, personally.

I would be glad to discuss in detail anything at all that I have written or 
spoken that you or others deem to be outrageous.

My experience with criminal computer forensics goes back almost as far as yours 
does, and my experience with expert witness testimony in civil court most 
likely predates the start of your forensics career.

It may be outrageous from your perspective, but there is no doubt in my mind 
that computer forensic examiners are not expert witnesses.

There is no such thing as 'computer forensics' as a field of forensics. It is a 
misnomer to refer to it as 'forensics' in the same way that it is improper to 
refer to a sworn law enforcement officer as an expert in the field of law.

LEOs possess neither academic background nor work experience in principles or 
practices of law, as a distinct field of skilled human endeavor.

Attorneys, judges and others who are likely to possess true expertise in law 
are the ones that we rely on for expert testimony on the subject of the law, 
including interpretation thereof, whether that testimony is given before 
congress, for instance, or in court, or on our own behalf when we need legal 
advice. Anyone who takes legal advice from a cop is probably an idiot.

LEOs may possess many hours of work experience in a field of work related to 
the law, but they are not legal experts and the nature of their skilled work 
cannot ever result in the sort of expertise that would properly qualify a 
person to render expert opinions or give well-informed interpretations or 
advice in complex legal matters.

The skill that a LEO has with law is the sort of job-oriented skill that a 
trained computer forensic examiner possesses with respect to computers. Knowing 
how to do what you're told and learning from your mistakes so that you advance 
in your career is fine if you're an honest cop, but that does not qualify a LEO 
to program computers or prepare them to educate a jury or a judge in the truly 
intricate and technically-complex subject of computer science.

Experience recovering data from all manner of data storage devices does not 
qualify anyone as a computer expert. Ability to operate software that was 
programmed by somebody else is not expertise as anything other than a computer 
operator.

What is outrageous is that we are giving forensic certifications to trained 
computer operators. Every time a certified forensic examiner or an EnCase- or 
FTK-certified examiner performs an examination, authors a report, and renders 
flawed opinions it is an outrage and an affront to justice and common decency.

Until and unless a person has worked for years as a software engineer, and has 
studied technical details of information security including the creation and 
exploitation of software bugs to force software to do things that it was never 
designed to do, there is no way that a person can imagine the precise technical 
implications of the sort of scenarios that we encounter in the real world when 
law enforcement computer examiners and prosecutors collaborate to transform a 
particular bit of data into forensic evidence of guilt to be used against a 
person who stands accused of a crime.

In 1997 I was offered the opportunity to author the book Foundations of 
Computer Forensic Science which would have been published by John Wiley & Sons.

I refused, on the grounds that such a work required far more expertise to write 
than I possessed as a result of my mere ten years of programming experience.

In the ten years since 1997, I have acquired enough additional experience and 
skill that authoring such a book today would at least not do more harm than 
good, but still I refuse to author it.

The reason now is that I do not believe there will ever be such a thing as 
computer forensic science, and anyone who claims otherwise is an idiot.

My excuse for continuing to use the term 'computer forensics' in certain 
marketing literature and conversation, or even when giving expert testimony, is 
that this phrase has a non-technical meaning to laypersons (including to judges 
and attorneys) and it is possible to possess expertise enough to know what 
people who claim to be computer forensic examiners are actually doing.

Just because I have no other way to communicate the fact that I have experience 
with 'computer forensics', and just because I do work in 'computer forensics', 
does not mean that I am advocating its existence as a legitimate field of 
forensic science by using the term out of necessity. It is clearly neither 
forensic nor science.

Frankly, I would prefer that the industry pick a different name for itself. My 
suggestion, some years ago, was 'computer investigations' rather than 'computer 
forensics' and I wanted all of you to be referred to as 'computer 
investigators' -- go get your private investigators' licenses if you intend to 
do this sort of work. Be a hi-tech sleuth if that makes you happy. It would 
make me happy for you.

But what are the chances that everyone will listen to my ideas on the subject, 
now that I have willingly passed up the opportunity to be considered one of the 
founders of 'computer forensics' by having written the first Foundations Of 
book on the subject?

I would like to invite you, and anyone else on this law enforcement-only 
mailing list, to review the Maricopa County Attorney's 92-page forensic report 
on the Matt Bandy case and tell me how anyone who knows anything about 
so-called 'computer forensics' can ever write the following statements:

'The viruses relate to spyware and adaware. They are not back door Trojans.' 
(bandy_case_20070107.pdf page 10)

or,

'The virus "instsrv.exe" is the "bargain buddy" adware program which is not 
capable of remotely controlling a computer.' (bandy_case_20070107.pdf page 11)

At this very moment I am in control of thousands of other people's computers 
via software that is not considered to be a 'back door Trojan' -- how many 
certified computer forensic examiners have this sort of real-world experience?

Nobody who understands how software is written and disseminated would ever say 
such things as the excerpts above from the Bandy forensic report, at least not 
if they are making any attempt to be precise, scientific, and objective.

Instead of explaining exactly how it might have been possible in the past for 
an intruder to have taken control of Matt Bandy's computer, even by way of the 
adware that was found to have persistently infected it, the law enforcement 
computer forensic examiner in the Bandy case did as every such examiner always 
does: they ignored all of the real-world possibility as though they truly 
believed that it was impossible for anyone other than Matt Bandy to have 
controlled Bandy's Windows computer.

The proper computer scientific explanation of how such remote control would 
have been accomplished, together with demonstrations showing how it could be 
accomplished similarly today, would in no way have diminished the fact that it 
was very unlikely that anyone other than Matt Bandy was responsible for the 
contraband in question.

However, instead of telling the whole truth and nothing but the truth, Maricopa 
County insists on doing what every other jurisdiction across the country is 
doing: perpetrate an outrageous fraud by positioning certified 'forensic 
experts' (who are frequently also sworn LEOs) to tell lies about how computers 
work in order to convince the jury that there is no doubt that the person who 
stands accused is guilty as charged.

Computer forensics, in practice today, is a lot like DNA fingerprinting 
technology and DNA forensics would be if its trained criminologists and lab 
technicians were to ignore all possible exculpatory explanations for genetic 
material to be present at a crime scene so they could focus only on pointing 
the finger at the accused just because a gel electrophoresis assay showed 
assay-labeled DNA fragments in the right places to match up with the suspect. 
Such behavior would obviously be against common sense, and forensic experts 
would be tarred-and-feathered by angry mobs if they started getting on the 
witness stand and proclaiming 'this DNA evidence is the hand of God pointing 
the finger at the defendant' in cases where the defendant's DNA is found to 
have been located in some mundane place such as on their very own toothbrush.

Unfortunately, computer forensics is able to deceive just about everyone 
because only the minority of computer programmers truly understand how software 
is written and how it executes on a microprocessor, along with comprehending 
the real-world chaos that has resulted from decades of programming effort by 
people of varying skill levels, most of whom never needed to understand 
computers in depth in order to write software and have a productive and 
economic career.

It is for this reason, the scale of the resulting decades of programming chaos 
created under the influence of the free market drive for profits, that software 
bugs and information security vulnerabilities are rampant in every computing 
platform and every software product, including EnCase and FTK or any other 
software used in computer forensics.

Computer forensics testimony from law enforcement always contains the sort of 
outrageously absurd mistakes seen in the Bandy excerpts above. This fact alone 
makes computer forensics worse than unreliable; it makes the whole computer 
forensics industry nothing short of a continuing criminal enterprise. Though 
one does wonder whether it is very organized.

Computer forensics professionals should be prosecuted to the fullest extent 
possible under law for the outrageous and damaging things they are doing to 
other people's lives by their act of pretending to be capable of discovering 
proof of things they clearly do not comprehend in the first place.

Computer forensics must be removed from court. Use it for investigations, and 
when the limits of usefulness of computer forensics are reached, go do some 
electronic intercepts and conventional investigations to fill in the missing 
pieces of the case against the suspect.

To do anything else is uncivilized.

(Please forward my email to the IACIS mailing list, as I am not a subscriber)

Sincerely,

Jason Coombs
jasonc@xxxxxxxxxxx

P.S. No, I had nothing at all to do with the Matt Bandy case. Observant 
investigators may note that my dad wrote a silly manifesto about child 
pornography and computer forensics that the Bandy supporters reproduced on 
Justice4Matt.com -- let me just say that my dad is a better artist than he is a 
computer forensic examiner, but he does have a lot of professional experience 
and his clients value him for the same reasons your clients, or your government 
employers, value you: he works hard, knows how to operate a computer, and he 
produces something. That's all I have to say about that.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/