Did I Get This Right?


by Karl Denninger, Market Ticker:

The FBI “lost” tens of thousands of text messages.

Then they “un-lost” them.

Remember, this is the “agency” that is charged with never losing anything, and having legally-defensible forensic evidence to prosecute crimes.

I’ve done plenty of computer forensics and know exactly what the process looks like and why.  It’s obvious if you think about it for more than about 30 seconds and have a brain in your head that the first and foremost duty is to be able to prove, under oath, that what you are presenting is what was actually there.

This means you never work from originals, always and only from copies.  The originals are never written to and whatever is necessary to be done to prevent that is done.  In the “somewhat older” days this was done with a literal physical write-gate being disabled (you did your copying with the write-enable line physically cut on the cable, for example) and today it’s done via similar “offline” and “nearline” means.

Why?  Because the veracity of what you have will be challenged.  That’s the defense’s job — to show that maybe it was tampered with.  It’s called reasonable doubt and in a criminal case if the other side gets you on that the bad guy walks.

But it’s not just in criminal work that this matters.

Just a couple of weeks ago an associate of mine had a problem with a system he was charged with maintaining and asked me how I would proceed to try to fix it.  There were no backups.  I explained that first and foremost a direct, byte-by-byte image copy of the damaged device had to be made to the extent it was possible.

This added a couple of hours to the attempted recovery, and he balked at the time but did it under pressure.

Four hours later a minor mistake was made during the attempted recovery and the entire contents of the device were lost to any but sector-level recovery.

That image copy made this a nuisance instead of an all-out disaster and ultimately virtually all of the data was recovered.

The FBI knows all of this and in fact it’s their procedure and policy.  They didn’t just have one copy and they certainly did not fail to verify that their imaging, backups and integrity checks work.  To do so would be to render all of their cyber-based prosecutions worthless as they’d never get another conviction — ever.
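What that imaging discipline looks like in practice, as an added example that is not code from the post or its author: the source is opened read-only and never written to, copied byte for byte, hashed as it is read and then hashed again from the finished image on disk so the two can be compared, the master image is locked read-only, and any recovery attempt is made on a separate working copy, so that the "minor mistake" that wrecks the working copy leaves a master that still verifies against its acquisition record. The file names, block size and sample "device" contents are constructed for the example; a real acquisition would point the same logic at a write-blocked device node.

```python
"""Forensic-style acquisition: read-only source, byte-for-byte image,
independent hash verification, locked master image, work on a copy.

Added example, not from the original post. Assumes a POSIX host and uses a
constructed sample file in place of a real write-blocked device.
"""
import hashlib
import os
import shutil
import tempfile

BLOCK_SIZE = 1024 * 1024  # 1 MiB read chunks; a constructed choice


def sha256_of(path):
    """Stream a file through SHA-256 without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image_path):
    """Copy `source` byte-for-byte into `image_path` and verify the result.

    The source is opened read-only; nothing here opens it for writing. The
    bytes are hashed as they are read, then the finished image is re-read
    from disk and hashed independently: a match shows the image on disk is
    what was read from the source. The image is then made read-only so later
    recovery work cannot silently alter the master copy. The returned dict is
    what an acquisition log entry would record.
    """
    read_hash = hashlib.sha256()
    bytes_copied = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            read_hash.update(chunk)
            dst.write(chunk)
            bytes_copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    image_hash = sha256_of(image_path)
    os.chmod(image_path, 0o444)  # master image: read-only from now on
    return {
        "source": source,
        "image": image_path,
        "bytes": bytes_copied,
        "source_sha256": read_hash.hexdigest(),
        "image_sha256": image_hash,
        "verified": read_hash.hexdigest() == image_hash,
    }


def make_working_copy(image_path, work_path):
    """Recovery is attempted on a copy of the image, never on the master."""
    shutil.copyfile(image_path, work_path)  # contents only; copy stays writable
    return sha256_of(work_path) == sha256_of(image_path)


def master_intact(record):
    """Re-hash the master image; True if it still matches the acquisition record."""
    return sha256_of(record["image"]) == record["image_sha256"]


def demo():
    """Run the whole flow on a constructed sample 'device' in a temp directory."""
    workdir = tempfile.mkdtemp()
    try:
        device = os.path.join(workdir, "damaged-device.bin")  # constructed stand-in
        with open(device, "wb") as f:
            f.write(os.urandom(3 * BLOCK_SIZE + 12345))  # odd size: last chunk is short
        record = acquire_image(device, os.path.join(workdir, "master.img"))
        work = os.path.join(workdir, "working.img")
        copy_ok = make_working_copy(record["image"], work)
        # Simulate the "minor mistake" during recovery: the working copy is
        # clobbered. The master image is untouched and still verifies.
        with open(work, "r+b") as f:
            f.write(b"\x00" * BLOCK_SIZE)
        return record["verified"], copy_ok, master_intact(record)
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The two independent hashes are the point: the hash computed from the read stream says what left the source, the hash of the file on disk says what was actually stored, and only their agreement, recorded alongside the byte count, lets someone later re-hash the master and state that it is what was acquired.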

So no, they didn’t “lose” anything.

Read More @ Market-Ticker.org