Reply to an email I received:

Is it possible to use Linux live CDs (or open source software) without trouble in court?

The answer is yes, certainly.

First, there is precedent in North America and Europe. See this relatively old article from Italy [http://nannibassetti.com/digitalforensicsreport2007.pdf].

For a full discussion about open source tools in court, I highly recommend the following paper: http://www.digital-evidence.org/papers/opensrc_legal.pdf

Very basically, to have evidence obtained using open source tools / Linux live CDs accepted in court, you need to prove that the tools give 'correct' results and do not modify potential evidence. Check local court rules for any additional standards that need to be met. If you need any help with tool testing, please contact me.

For example, if your courts already accept EnCase and you want to compare acquisition and hashing, you can do the following:
1) acquire the data with EnCase and create a hash of the data
2) acquire the data with an open source tool and create a hash of the data
3) compare the hashes of the suspect data (should be the same)
4) repeat with 5+ different exhibits to show that the same result is always found

If your courts accept EnCase, and you can demonstrate that an open source tool produces the same result, then the open source tool must also be accepted.
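The comparison in steps 1 to 4 can be scripted so the result is repeatable and recorded. The following is an added example, not code from the original post or from any tool vendor: it hashes each image written by the open source tool and checks it against the hash recorded from the EnCase acquisition. The function names, the SHA-256 default and the constructed sample files are assumptions; use whichever algorithm your reference tool reports.

```python
import hashlib
import os
import tempfile

MIN_EXHIBITS = 5  # the post asks for 5+ different exhibits

def hash_image(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash an image in chunks so large images never sit fully in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as image:
        for chunk in iter(lambda: image.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def compare_acquisitions(exhibits, algorithm="sha256"):
    """exhibits maps exhibit id -> (hash recorded from reference tool, image path).
    Passes only with MIN_EXHIBITS or more exhibits and every hash matching."""
    rows = []
    for exhibit_id, (reference, path) in sorted(exhibits.items()):
        computed = hash_image(path, algorithm)
        rows.append((exhibit_id, reference, computed, computed == reference.strip().lower()))
    passed = len(rows) >= MIN_EXHIBITS and all(row[3] for row in rows)
    return passed, rows

def make_sample_exhibits(directory, count, corrupt_index=None):
    """Constructed test data: small random files stand in for acquired images."""
    exhibits = {}
    for i in range(count):
        data = os.urandom(4096)
        # Stands in for the hash the reference tool (e.g. EnCase) reported.
        reference = hashlib.sha256(data).hexdigest()
        if i == corrupt_index:
            data = bytes([data[0] ^ 0xFF]) + data[1:]  # simulate a differing acquisition
        name = f"exhibit-{i + 1:02d}"
        path = os.path.join(directory, name + ".dd")
        with open(path, "wb") as image:
            image.write(data)
        exhibits[name] = (reference, path)
    return exhibits

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        passed, rows = compare_acquisitions(make_sample_exhibits(workdir, 5))
        for exhibit_id, reference, computed, match in rows:
            print(exhibit_id, "MATCH" if match else "MISMATCH", computed)
        print("tool test passed" if passed else "tool test FAILED")
```

In real use, replace `make_sample_exhibits` with the exhibit ids, recorded reference hashes and image paths from your own test acquisitions, and keep the printed report with your tool-testing records.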

A procedure for tool testing should be created in your unit, if it does not already exist.

You might also be interested in the Open Source Digital Forensics Conference in the U.S.: http://www.osdfcon.org/

Please let me know if you need any help with testing, or if you have any further questions.