In my prior company (life) we developed intellectual property for operating system primitives in Windows, and network security protocols such as IPSec (Internet Protocol Security), e.g. VPN. We had “bake-offs” sponsored by the IETF (Internet Engineering Task Force), which blesses all of the standards that make up the Internet, to prove the worthiness of the security protocols in a way that was open to the most sophisticated cryptologists and hackers in the world.
Similarly, the legal argument for open source eForensics is a good one in that it provides transparency, allowing these experts to examine the soundness of the algorithms, operating system primitives, network protocols, and crypto libraries used to produce digital evidence.
This type of scrutiny will never be obtained in a closed and proprietary system.
This paper from Brian Carrier of Purdue University lays out the legal argument for the use of open source tools in the field of eDiscovery and eForensics by applying the “Daubert” guidelines.
In Mr. Carrier’s paper, he discusses the major concepts in eForensics as they apply to eDiscovery: acquisition, analysis, and presentation.
The analysis phase includes:
- Inculpatory Evidence: That which supports a given theory (e.g., empirical log files that show the Volume Serial IDs of each hard drive, complete discovery of the file system, and the disposition of each file extracted/copied)
- Exculpatory Evidence: That which contradicts a given theory (e.g., shows that data acquisition was not properly performed)
- Evidence of Tampering: That which cannot be related to any theory, but shows that the system was tampered with to avoid identification (e.g., spoliation)
In terms of admissibility of evidence, the Daubert process identifies four general categories that are used as guidelines when assessing a procedure:
- Testing: Can and has the procedure been tested?
- Error Rate: Is there a known error rate of the procedure?
- Publication: Has the procedure been published and subject to peer review?
- Acceptance: Is the procedure generally accepted in the relevant scientific
Just as a “Chain of Custody” produces log files at the point of origin that record every item of data captured, its disposition, and its subsequent verification and encryption, a similar analysis is needed to show which operating system primitives are called to produce that chain of custody.
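To make the chain-of-custody record concrete, here is an added example (not code from the original post or from eDiscoverySquad) of the log described above: each acquired file is copied, hashed with SHA-256, and entered into a manifest with its size, capture time and disposition, and a later verification pass re-hashes the copies so that any alteration after capture shows up as a mismatch. The file names, directory layout and manifest fields are constructed for illustration; a real tool would also record the device identifiers the post mentions.

```python
"""Added example: a minimal chain-of-custody manifest for a file acquisition.
Not code from the original post or from eDiscoverySquad; file names and the
manifest layout are constructed for illustration."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16


def sha256_file(path):
    """Stream a file through SHA-256 so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(src_dir, dst_dir):
    """Copy every file under src_dir into dst_dir and return a manifest that
    records, per file, what was captured, its hash and its disposition."""
    entries = []
    for root, _dirs, files in os.walk(src_dir):
        for name in sorted(files):
            src = os.path.join(root, name)
            rel = os.path.relpath(src, src_dir)
            dst = os.path.join(dst_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            src_hash = sha256_file(src)
            dst_hash = sha256_file(dst)  # verify the copy at the point of origin
            entries.append({
                "path": rel,
                "size": os.path.getsize(src),
                "sha256": src_hash,
                "captured_at": datetime.now(timezone.utc).isoformat(),
                "disposition": "copied" if src_hash == dst_hash else "copy-mismatch",
            })
    return {"source": src_dir, "destination": dst_dir, "files": entries}


def verify(manifest):
    """Re-hash every acquired copy and list the entries that no longer match.
    An empty list means the evidence set is unchanged since acquisition."""
    failures = []
    for entry in manifest["files"]:
        dst = os.path.join(manifest["destination"], entry["path"])
        if not os.path.exists(dst):
            failures.append((entry["path"], "missing"))
        elif sha256_file(dst) != entry["sha256"]:
            failures.append((entry["path"], "hash-mismatch"))
    return failures


def demo():
    """Constructed run: acquire two files, verify, then alter one copy and verify again."""
    work = tempfile.mkdtemp()
    src, dst = os.path.join(work, "source"), os.path.join(work, "evidence")
    os.makedirs(os.path.join(src, "mail"))
    with open(os.path.join(src, "mail", "inbox.txt"), "w") as f:
        f.write("constructed sample message\n")
    with open(os.path.join(src, "notes.txt"), "w") as f:
        f.write("constructed sample notes\n")
    manifest = acquire(src, dst)
    clean = verify(manifest)
    # Simulate alteration of one copy after acquisition (spoliation scenario).
    with open(os.path.join(dst, "notes.txt"), "a") as f:
        f.write("altered after capture\n")
    tampered = verify(manifest)
    manifest_json = json.dumps(manifest, indent=2)
    shutil.rmtree(work)
    return manifest, clean, tampered, manifest_json


if __name__ == "__main__":
    manifest, clean, tampered, manifest_json = demo()
    print(manifest_json)
    print("verification failures right after acquisition:", clean)
    print("verification failures after alteration:", tampered)
```

The manifest is plain JSON so that an opposing expert can reproduce the hashes with any independent SHA-256 implementation, which is the transparency argument of the post applied to the log itself; signing or encrypting the manifest, as the chain-of-custody description above calls for, would be a separate step on top of this record.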
These points of reference lay the groundwork for defensible eForensic tools not only for data acquisition, but also for eDiscovery processing, searching, culling, and file transformations for productions to opposing counsel.
We welcome your input on this discussion.
Founder, eDiscoverySquad, LLC