Channel: Forensic Focus Forums - Recent Topics

General Discussion: Bootable Imaging distros

thefuf wrote:
> And if another consultant successfully demonstrates design flaws in your tool that result in missing / corrupted evidence?

It could be, but as I said it depends on how you weigh the risks. To me the chance of trouble for using less-known tools is even more likely. Also WinFE certainly wouldn't be perfect either, e.g. I remember all the trouble I had with the wrong versions of VIA and nForce chipset drivers. In the end it all depends on how you weigh the risks; the risk of the adverse party/judge naming a consultant that knows nothing about WinFE, therefore putting doubt on the methodology, doesn't seem that remote to me, since I still haven't met a single consultant that ever mentioned it.

thefuf wrote:
> These risks depend on how tricky the opposite consultant is. He may tell the court that your tool is inadmissible because:
> - it was designed and produced in another country,
> - it's not certified (by no matter who, just the word "certified" sounds great),
> - the methodology you used is not described in the appropriate literature, etc.
>
> There are tons of similar tricks, you can't be prepared for all of them. I don't think that serious decisions should be made based on a possibility of future groundless complaints. If <tool #1> is used more widely than <tool #2> and <tool #1> alters more bytes than <tool #2>, I choose <tool #2>. I don't think that the "court-verified" argument should be used here.

From an absolute POV, choosing the tool with the lowest chance of messing up the data is certainly the right choice. But consider that CAINE/DEFT are made here in Italy, were used in lots of cases and are well (not perfectly, of course) documented; those are still pretty good reasons to me to give them priority, even simply against other distros. Of course, all this is case by case: if I know it's going to mess with some data that'll likely be important, I'd leave them last.

Another consultant may point out the flaws in the distros, but you could just as easily find another consultant or even the authors refuting, circumscribing or giving better context to the issues. I'd have very bad luck finding somebody to do that regarding WinFE, with an even higher chance of another consultant mud-slinging over the fact that it's Windows, homemade, etc. Maybe WinFE is more popular in Russia, but here I'd really not want to take the risks. And that's coming from somebody who still makes his own custom XP discs.
