When do best practices "kick in"?

Posted: Fri May 18, 2018 3:57 am

Interesting case in at the moment where a private insolvency practitioner had first access to the office computers and just had a good old rummage around the computer system of the firm (knowing there were strong allegations of fraud) before then handing the computers over to law enforcement. I know these practitioners are not law enforcement themselves but it does raise the question of professional standards and training when you are handling data that you know is going to be handed over to law enforcement.  

pbeardmore
Senior Member

Re: When do best practices "kick in"?

Posted: Fri May 18, 2018 4:12 am

- pbeardmore
Interesting case in at the moment where a private insolvency practitioner had first access to the office computers and just had a good old rummage around the computer system of the firm (knowing there were strong allegations of fraud) before then handing the computers over to law enforcement. I know these practitioners are not law enforcement themselves but it does raise the question of professional standards and training when you are handling data that you know is going to be handed over to law enforcement.


Maybe I am understanding the premise wrongly, but I don't see (much of) a problem.

Let's say the firm operated normally until midnight of the 15th June 2018.
In the morning of the 16th the "private insolvency practitioner" accessed the PCs and (knowingly or unknowingly) modified some data.
The LEOs intervened on the 17th.

Let's compare with this alternate timetable:
The firm operated normally until midnight of the 15th June 2018.
In the morning of the 16th an employee of the firm accessed the PCs and (knowingly or unknowingly) modified some data.
The LEOs intervened on the 17th.

Assuming that both the "private insolvency practitioner" and the "hypothetical firm employee" would not wipe the disks or shred important info, but either checked some pre-existing data or did something among the "normal" activities of the PC, what would be the "issue"?

Certainly, it would have been much better IF the LEOs got the PCs on the 16th at 00:01, but this is far from a perfect world...

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member

Re: When do best practices "kick in"?

Posted: Fri May 18, 2018 4:26 am

Fair points, but the practitioner and their staff are now in the firing line via a good defence barrister who will question exactly what data they accessed, how they did it, etc. etc. We also have the issue of the network being live, so did the ex-directors or other members of staff have remote access?

With no notes being taken at the time and a junior member of staff involved, an experienced barrister will relish the opportunity of "muddying the waters" and putting a question mark over the process. It also places an additional burden on the forensic examiner (we have all had this) re filtering the file access dates/times to identify activity etc.

Also, your example assumes a day of activity. Where does one draw a line: a few days, a week? It's interesting, as the practitioner has to balance their own job of quickly tracing assets, establishing the financial situation, etc. with the other role of working with law enforcement (when required).

Tough call.

pbeardmore
Senior Member

Re: When do best practices "kick in"?

Posted: Fri May 18, 2018 7:13 am

This could be a costly mistake on the part of your client. When I have cases like this, I take the opportunity to educate my client in a diplomatic fashion. I encourage them to develop company-wide policies and procedures for handling former employees' digital devices, emails, files on any shared drives, and when to contact a forensic expert/law enforcement.

They may lose this time, but the next time hopefully they will get a win.

In regards to the defense barrister, even if the company and you did everything right, it is his/her job to muddy the waters on behalf of the client. But your client has not done himself or you any favors by messing with the computer.  

kastajamah
Member

Re: When do best practices "kick in"?

Posted: Fri May 18, 2018 8:09 am

- pbeardmore
We also have the issue of the network being live so did the ex-directors or other members of staff have remote access?


Sure, and you also have a chain of custody issue regarding the interval between when the practitioner left the PCs and office unattended and the exact time/day the LEOs took charge of the matter.

What happened in that time lapse?

Did the ex-directors or other members of staff have access to the premises and computers?

Did a homeless hacker use the office for the night and while there change a few files to keep him/herself busy?

How can you prove it didn't happen?

Has the building been inspected to exclude the presence of a secret passage through which an ex-director may have entered the office?

Some will also advise you that best practice is to cut off the electricity of the office (or of the whole building or of the whole block, it depends on who is giving advice) and put a guard before all entrances (of the office, of the building or of the block) to be on the safe side before even entering the premises, and video record the whole of the activities performed during the access, using additionally a keylogger to record each and every key the practitioner pushed on any keyboard.

And if you do the above, someone else will come out telling you that by cutting off electricity you effectively prevented imaging RAM contents of the PC's that were on at that time, thus potentially losing a whole lot of "volatile" data, and that having pushed any key on the existing keyboards before fingerprints were taken may have altered evidence of other unauthorized people using them[1].

jaclaz

[1]and you cannot bring your own keyboard, because disconnecting and reconnecting a PS/2 keyboard to a switched on system may fry the motherboard (it never happened, but it is one of the warnings given at the time they were more common) and if you use a USB one, of course the plug 'n play manager will do a lot of writes to the Registry.
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
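The two practical problems raised in this thread, the examiner having to filter file access dates/times to isolate the practitioner's activity, and the unexplained interval between the practitioner leaving and the LEOs taking custody, both come down to bracketing a timeline against known cut-over moments. The script below is an added example and is not code from the thread or from any Forensic Focus member. It assumes a timeline already exported from a forensic tool and normalised to UTC; every timestamp, path and account name in it is constructed for illustration, following jaclaz's hypothetical 15th/16th/17th June timetable, and the function and variable names are the author's own.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Event:
    """One timeline entry as a forensic tool would export it."""
    when: datetime   # UTC
    path: str
    kind: str        # "accessed", "modified", "created", "logon"
    actor: str       # account recorded for the event, "?" if unknown


def ts(text: str) -> datetime:
    """Parse an ISO-8601 timestamp and mark it as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Cut-over moments from the thread's hypothetical timetable (constructed values).
FIRM_STOPPED = ts("2018-06-16T00:00:00")      # firm operated normally until midnight of the 15th
PRACTITIONER_IN = ts("2018-06-16T08:30:00")   # practitioner starts looking at the PCs
PRACTITIONER_OUT = ts("2018-06-16T17:00:00")  # practitioner leaves the office unattended
SEIZED = ts("2018-06-17T09:00:00")            # LEOs take custody

# Phases in chronological order; each tuple is (name, exclusive upper bound).
PHASES = [
    ("firm_operating", FIRM_STOPPED),
    ("before_practitioner", PRACTITIONER_IN),
    ("practitioner_access", PRACTITIONER_OUT),
    ("unattended_gap", SEIZED),
]
FINAL_PHASE = "post_seizure"

# Constructed sample timeline; not data from any real case.
SAMPLE_EVENTS = [
    Event(ts("2018-06-15T16:45:00"), "/finance/ledger.xlsx", "modified", "acct01"),
    Event(ts("2018-06-16T09:10:00"), "/finance/ledger.xlsx", "accessed", "ip_temp"),
    Event(ts("2018-06-16T10:05:00"), "/finance/invoices/", "accessed", "ip_temp"),
    Event(ts("2018-06-16T14:00:00"), "/finance/payroll.xlsx", "modified", "?"),
    Event(ts("2018-06-16T22:38:00"), "RDP session", "logon", "director2"),
    Event(ts("2018-06-16T22:40:00"), "/finance/ledger.xlsx", "modified", "director2"),
]


def phase_of(when: datetime) -> str:
    """Name the phase an event falls in, using the cut-over moments above."""
    for name, upper in PHASES:
        if when < upper:
            return name
    return FINAL_PHASE


def bracket(events: list[Event]) -> dict[str, list[Event]]:
    """Group events by phase so each interval can be reviewed on its own."""
    groups: dict[str, list[Event]] = {name for name, _ in PHASES} and {
        name: [] for name, _ in PHASES
    }
    groups[FINAL_PHASE] = []
    for ev in sorted(events, key=lambda e: e.when):
        groups[phase_of(ev.when)].append(ev)
    return groups


def unexplained(events: list[Event], practitioner_accounts: set[str]) -> list[Event]:
    """Events nobody has accounted for: anything while the office was
    unattended, plus activity in the practitioner's window under an account
    that is not on the practitioner's list (the "no notes taken" problem).
    Note that many systems disable last-access updates by default, so an
    access-only view can miss activity; keep modified/created/logon events in."""
    flagged = []
    for ev in sorted(events, key=lambda e: e.when):
        phase = phase_of(ev.when)
        if phase in ("before_practitioner", "unattended_gap"):
            flagged.append(ev)
        elif phase == "practitioner_access" and ev.actor not in practitioner_accounts:
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for name, evs in bracket(SAMPLE_EVENTS).items():
        print(f"{name}: {len(evs)} event(s)")
    for ev in unexplained(SAMPLE_EVENTS, {"ip_temp"}):
        print(f"NEEDS EXPLANATION {ev.when.isoformat()} {ev.kind:8} {ev.actor:10} {ev.path}")
```

The point of the phase table is that the bracket boundaries are evidence in their own right: they should come from the practitioner's contemporaneous notes, building access records or logon events rather than being guessed, because every event that lands in the unattended gap or under an unlisted account is exactly what a defence barrister will ask about.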