Thanks to Bruce Schneier for pointing me toward a story on weaknesses in MD5 killing a case involving speed cameras. Excerpts from this story provide some details:
"Sydney [Australia] magistrate Lawrence Lawson threw out a speeding case after the RTA [Roads and Traffic Authority] said it had no evidence that an image from a camera had not been doctored.
Mr Lawson had adjourned the case in June, giving the RTA eight weeks to produce an expert to prove pictures from a speed camera on Carlingford Rd, Epping, had not been altered after they were taken.
But RTA lawyers yesterday told Hornsby Local Court they could not find an expert and the case was thrown out...
The case revolved around the integrity of a mathematical MD5 algorithm published on each picture and used as a security measure to prove pictures have not been doctored after they have been taken.
Mr Miralis argued that the RTA had to prove the algorithm it used was accurate and could not be tampered with."
Good grief. The prosecution in the case appears to have lost because they framed the issues incorrectly. If the battleground was the lack of collisions in MD5, of course the RTA would lose. Determining what is required to tamper with speeding camera images is a completely different subject.
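To make the distinction in the paragraph above concrete, here is an added Python example (my own illustration, not code from the story or from the RTA's camera system). It uses a constructed byte string as a stand-in for a camera image, checks it against an unkeyed MD5 of the kind the story says is printed on each picture, and then shows that an editor who controls both the image and the published hash simply recomputes the hash: no MD5 collision is needed, so MD5's collision weakness is not what decides whether the record can be tampered with. The keyed-tag variant at the end is a hypothetical design of my own to show where the integrity question actually moves (custody of a key and of the record), not a description of what the RTA deployed.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the camera's JPEG; a real system would hash the
# actual image bytes and print the digest in the frame margin.
ORIGINAL_IMAGE = b"JPEG-PLACEHOLDER plate=ABC123 speed=87 limit=60"
ALTERED_IMAGE = b"JPEG-PLACEHOLDER plate=ABC123 speed=58 limit=60"  # speed field edited


def md5_hex(data: bytes) -> str:
    """Unkeyed MD5 digest, as published on each picture in the story."""
    return hashlib.md5(data).hexdigest()


def verify_unkeyed(image: bytes, published_hash: str) -> bool:
    """Integrity check exactly as an unkeyed published-hash scheme defines it."""
    return hmac.compare_digest(md5_hex(image), published_hash)


def keyed_tag(image: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag over the image; hypothetical design where only the
    camera operator holds the key (an assumption, not the RTA's scheme)."""
    return hmac.new(key, image, hashlib.sha256).hexdigest()


def verify_keyed(image: bytes, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(keyed_tag(image, key), tag)


def demo() -> dict:
    """Run the three scenarios and return a name -> bool map (True = behaved as described)."""
    results = {}

    # 1. The published hash does detect an edit, provided the hash itself is
    #    trusted (recorded somewhere the editor cannot reach).
    published = md5_hex(ORIGINAL_IMAGE)
    results["original_verifies"] = verify_unkeyed(ORIGINAL_IMAGE, published)
    results["edit_caught_by_trusted_hash"] = not verify_unkeyed(ALTERED_IMAGE, published)

    # 2. If the hash lives only on the record, whoever can rewrite the record
    #    rewrites the hash too. No collision is involved; any hash function,
    #    MD5 or otherwise, is defeated the same way.
    republished = md5_hex(ALTERED_IMAGE)
    results["edit_hidden_by_recomputing_hash"] = verify_unkeyed(ALTERED_IMAGE, republished)

    # 3. A keyed tag moves the question to custody of the key: an editor
    #    without it cannot produce a valid tag for the altered bytes.
    operator_key = secrets.token_bytes(32)  # constructed; kept off the evidence record
    tag = keyed_tag(ORIGINAL_IMAGE, operator_key)
    results["keyed_original_verifies"] = verify_keyed(ORIGINAL_IMAGE, tag, operator_key)
    forged_tag = keyed_tag(ALTERED_IMAGE, b"guessed-key")  # editor lacks the real key
    results["keyed_edit_rejected"] = not verify_keyed(ALTERED_IMAGE, forged_tag, operator_key)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point for an expert witness is in scenario 2: proving MD5 is collision-resistant would not have answered the court's question, because the realistic way to alter a record with an unkeyed hash on it is to recompute the hash, and the defence against that is a chain of custody (or a key) that the editor does not control.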
This case exemplifies the difference between capturing packets and performing network forensics. Most people do the former, which opens their methodology and network-based "evidence" to questioning should it be scrutinized by a clueful defense attorney. One of the reasons I have introduced new material on network forensics in my latest book and training is to elevate the network forensics practice to the point where we have a chance of surviving a clueful defense attorney.
Speaking of forensics, those of you who like your forensics of the Windows host-based variety should check out a new post by Harlan Carvey on his Forensic Server Project.
Those of you who argue with me on the meanings of security terms will enjoy this post at Gunnar Peterson's blog. His Sherlock Holmes post was intriguing as well.
Update: A forensics expert who wishes to remain anonymous sent me a link to the following:
Computer Records and the Federal Rules of Evidence
"Computer records can be altered easily, and opposing parties often allege that computer records lack authenticity because they have been tampered with or changed after they were created...
The courts have responded with considerable skepticism to such unsupported claims that computer records have been altered. Absent specific evidence that tampering occurred, the mere possibility of tampering does not affect the authenticity of a computer record."