Monday, August 18, 2008

litsupport summary for the week ending on 08/17/08

A lot of important and useful information is posted to litsupport each week. The following is a distilled summary, in the form of questions and answers.

Q. Can one use disposed (such as sold on eBay) hard drives for forensics training?
  1. Great for "free range" data to play with;
  2. This is a routine practice with many CCE examiners;
  3. Software licenses are not a problem - do not use the software on the driver, and private data is not a problem - study it for technical reasons but do not use it;
  4. The ethical responsibility is to do good work for the client;
  5. The person who sells the drive has lost his right to data privacy;
  6. There is no case law against this practice;
  7. This is no different from Google reading your gmail and automatically showing you the relevant ads.
  1. You can not post recovered files, because they are not in the public domain;
  2. This is legally questionable, possibly as conversion or identity theft, and ethically bankrupt, because lawyers are held to higher ethical standard, and because it makes a vendor look dirty;
  3. You own the drive but not the data, and you may have a stolen drive;
  4. Used drives do not work well, and one should not sell them anyway, but destroy them instead, and this is the advice to give to clients;
  5. "Nobody knows" is not an excuse, instead, spend the money and prepare legal data sets;
  6. The person who sold the drive did not realize that she was giving away her data, so it is stealing, and most people don't know that formatting their hard drive doesn't protect their data;
  7. Testing the tools on unknown data sources does not validate the tools anyway.
Q. How to track an internet site poster given the poster's IP?
  1. From the IP you can find out the provider detail using software such as PtWhoIs, then you subpoena the provider (sometimes through a John Doe lawsuit) to help you determine the physical address where that IP address was issued. A forensic exam of the computer at the physical address may turn up the remnants you are looking for to ultimately prove what computer was used to make the post;
  2. Road bumps above may include dynamic IP lost after 30 days, wireless router which was used by someone else driving by, spoofing or hacking the IP, or anonymous IP using any anonimizer service;
  3. An article on this and RIAA practices;
  4. New research deals with data preserved in computer memory for a long time (forensics side) and with author probabilistic identification based on comparison to corpus of known email from the user;
  5. In one practical case the combination of ISP information with linguistic analysis led to admission, and no forensics exam was required;
  6. Voluntary disclosure of information on a public website falls outside of any privacy protections one would want to later claim. It is one of the few exceptions to the Stored Communications Act (if you post the information, you cannot be protected from privacy of who you are.)

This summary from the Litsupport Group postings created by the wonderful and talented members of the group has been culled by Mark Kerzner ( and edited by Aline Bernstein (

No comments: