±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36464
New Yesterday: 0 Visitors: 340

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

One forensic question

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2  Next 
  

kavithc
Newbie
 

One forensic question

Post Posted: May 31, 15 02:15

Dear All,

I would love to hear your views with regards to a question I stumbled upon. The question is

"What will you do, as a forensic examiner, if you visit a client who has requested your service where you had to take a forensic image of his personal laptop? He is allowing you to take only selected folders and not his personal folders".

I have no real life experience in forensics however I am curious to know what professionals would do in this case. Can you please guide?  
 
  

TDowney2394
Newbie
 

Re: One forensic question

Post Posted: May 31, 15 02:33

I would have thought if it's just for a singe client and not for any criminal case you can only take the folders specified. As investigators we have a duty to report anything iffy we find so if you find anything in these folders that gives you a cause for concern you could contact authorities and take it further. Otherwise you can only access what's specified. Whilst it may seem odd at first you can only take certain files don't forget these personal folders will probably have things like personal bank account info, passwords etc. as people do still store things like this.  
 
  

jaclaz
Senior Member
 

Re: One forensic question

Post Posted: May 31, 15 19:23

- kavithc
"What will you do, as a forensic examiner, if you visit a client who has requested your service where you had to take a forensic image of his personal laptop? He is allowing you to take only selected folders and not his personal folders".

That kind of "forensic image" is called in jargon NFPB (NON Forensic Partial Backup), you can print all of it and make it into rolls (I won't specify the further possible use of those rolls Very Happy ).

So you politely tell the client that the result of the operation carried along those client's rules will NOT be a forensic image, that in this case there is no need for a qualified forensic examiner as anyone with more than two neurons in the IT field will be able to do the same and that he might want to rephrase the question, or agree to pay a hefty sum of money to produce something that has not any forensic relevance whatsoever.

The only thing that can come out from that procedure is an affidavit in which you certify that on date/time you copied to device xy the files and directories as in the "attached DIR listing" from the hard disk model yz serial xyxyxyxx, as mounted into laptop model wx, serial wzwzwz, and that you verified the hashes of the single files to verify that the copy was an exact one.

The only actual use of such an affidavit that I can think of is to create a "verified date of existence" of something, possibly useful in a case where Authorship or Copyright is involved. Confused

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

kavithc
Newbie
 

Re: One forensic question

Post Posted: May 31, 15 21:51

Thanks for your answers!  
 
  

AshishSingh
Member
 

Re: One forensic question

Post Posted: Jun 01, 15 17:40

- jaclaz

The only actual use of such an affidavit that I can think of is to create a "verified date of existence" of something, possibly useful in a case where Authorship or Copyright is involved. Confused

jaclaz


Hi Sir,

Will this be admissible in court if required?

Regards  
 
  

pbobby
Senior Member
 

Re: One forensic question

Post Posted: Jun 01, 15 18:39

- kavithc

"What will you do, as a forensic examiner, if you visit a client who has requested your service where you had to take a forensic image of his personal laptop? He is allowing you to take only selected folders and not his personal folders".


Capture just the selected folders.
_________________
Don't get baited. 
 
  

jaclaz
Senior Member
 

Re: One forensic question

Post Posted: Jun 01, 15 22:55

- AshishSingh

Hi Sir,

Will this be admissible in court if required?

Regards

Why should it not be? Confused
Of course the Law of each country (and also depending if the case is civil or criminal) may evaluate it differently, and the document in itself, or more generically any written sworn statement, may be self-standing or be only an aid for the witness that is heard in Court.

To prove copyright or paternity of an idea it is (or was) not uncommon to send to self an envelope containing the related papers through the official mail, and then keep the envelope unopened in order to prove the possession of the contents at a given date:
en.wikipedia.org/wiki/..._copyright

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 

Page 1 of 2
Page 1, 2  Next