On Fri, 30 Nov 2007, David Newman wrote:
I'd heard about a kiddie porn case getting tossed because the defense successfully argued law enforcement's tap may have dropped frames. I didn't believe it until I measured this myself with a packet blaster.
I would like to see a citation for this case. Evidence from network taps would be very rare in a child exploitation case, and extremely unusual for it to be the sole evidence in such a case. Despite the "CSI effect," the existence of perfect data is more suspicious than glitchy data in a criminal case. Sounds a bit like the story of a case being dismissed because a computer banner said "Welcome" (no such case has ever been found). If you had said it was a narcotics case, I would be less skeptical.
Endicott-Popovsky, B.E., Chee, B. and Frincke, D. Role of Calibration as Part of Establishing Foundation for Expert Testimony, in Proceedings 3rd Annual IFIP WG 11.9 Conference January 29-31, 2007, Orlando, FL.
Thanks for the citation. Using an aggregation tap for a criminal investigation is not a good idea, but I guess it wouldn't surprise me if someone did. Investigators should understand the limitations of their equipment and, as suggested, check its calibration with known data.