Taking intro to computer forensics class

(@bphillips41)
New Member
Joined: 16 years ago
Posts: 3
Topic starter  

I'm taking an intro to computer forensics class and we learned that investigators are not supposed to take computers out of a business if it will do harm to the business and not allow them to run their business. Can someone help me out with the case which started this trend?

Thanks
Brandon

(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

I don't know of the particular case that started the trend, but it is why we try to image systems on site, and why we often image live servers. We're trying to strike a balance between conducting the investigation and allowing the business to continue functioning normally.

Many forensics companies prefer to image on site as it reduces the amount of customer equipment in the lab, along with the associated logistics. If you need to image 20 laptops, getting them all back to the lab, imaged, and returned to the client can be quite time consuming. It is generally easier to take them in as you have resources to image them, do the imaging on site, and return them to the owner soon after you're done. A rack-mounted 4U server would be quite difficult to take to the office as well.

There is also a greater liability exposure if you remove all the equipment from the site.

-David

(@ronanmagee)
Estimable Member
Joined: 20 years ago
Posts: 145
 

David is correct in that it's important to strike a balance. Also think about what could happen if you take a business down because of some alleged and then the business goes bust. Upon investigation you did not detect any signs of wrongdoing.

I'm pretty sure the 'bust' company would be filing a claim for loss of business and damages.

Obviously this isn't always the case. Sometimes it's not safe to image onsite and you must move the or in the case where law enforcement are giving directions to ensure evidence is not tampered with.

(@bjgleas)
Estimable Member
Joined: 21 years ago
Posts: 114
 

"investigators are not supposed to take computers out of a business if it will do harm to the business and not allow them to run their business. Can someone help me out with the case which started this trend?"

In terms of computers, one of the big cases was Steve Jackson Games vs. US Secret Service in 1993. In 1990, the USSS raided SJG and took just about everything, almost putting them out of business. SJG sued the USSS and won. See http://www.sjgames.com/SS/ for the background.

The SJG case is mentioned in the "Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations" manual by the United States Department of Justice, July 2002, http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm

The quote: "Notably, exceptions exist when agents will not want to seize computer hardware even when the hardware is used as an instrumentality, evidence, contraband, or a fruit of crime. When the 'computer' involved is not a stand-alone PC but rather part of a complicated network, the collateral damage and practical headaches that can arise from seizing the entire network often counsel against a wholesale seizure. For example, if a system administrator of a computer network stores stolen proprietary information somewhere in the network, the network becomes an instrumentality of the system administrator's crime. Technically, agents could perhaps obtain a warrant to seize the entire network. However, carting off the entire network might cripple a legitimate, functioning business and disrupt the lives of hundreds of people, as well as subject the government to civil suits under the Privacy Protection Act, 42 U.S.C. § 2000aa and the Electronic Communications Privacy Act, 18 U.S.C. §§ 2701-2712. See generally Steve Jackson Games, Inc. v. Secret Service, 816 F. Supp. 432, 440, 443 (W.D. Tex. 1993) (discussed infra). In such circumstances, agents will want to take a more nuanced approach to obtain the evidence they need. On the other hand, where a network is owned and operated by a criminal enterprise, it may be appropriate to seize the network to stop ongoing criminal activity and prevent further, substantial loss to victims."

bj

p.s. crap, I hope I didn't just do someone's homework for them :roll:

(@bjgleas)
Estimable Member
Joined: 21 years ago
Posts: 114
 

A nice source for search and seizure information is the Federal Judicial Center, http://www.fjc.gov

More specifically, their page on Materials on Electronic Discovery: Search and Seizure of Computers and Data in Criminal Cases, http://www.fjc.gov/public/home.nsf/autoframe?openform&url_l=/public/home.nsf/inavgeneral?openpage&url_r=/public/home.nsf/pages/334

They have a document entitled "Comprehensive set of definitions and procedures for the seizure of computers and data, conducting off-site searches of computers and data, and searching computers of an ongoing business enterprise", http://www.fjc.gov/public/pdf.nsf/lookup/ElecDi31.rtf/$file/ElecDi31.rtf, with a section entitled "PROCEDURE FOR SEARCHING COMPUTERS AND ELECTRONIC DEVICES OF AN ONGOING OR FUNCTIONING, OSTENSIBLY NON-CRIMINAL BUSINESS", that states: "Notwithstanding that a final return of the property and information seized pursuant to the warrant has not been made to the court (Fed. R. Crim. P. 41(f)), the owner of, or person who runs, the business aggrieved by the deprivation of the property may seek court supervision of the continuing search in order to protect the business's ability to conduct its legitimate operations and to protect innocent third-party customers. Such person shall first identify to the United States Attorney the items seized which are critical for the business to operate and attempt to work out a plan that meets both parties' needs."

(@bphillips41)
New Member
Joined: 16 years ago
Posts: 3
Topic starter  

Thanks for all the replies. No, you didn't do my homework for me :) I was just curious why that trend started; my forensics teacher works in Oklahoma, and is always talking about his mobile forensics unit. I definitely understand that if the allegations are false and you've just ruined a business, that would suck. I didn't realize that it is a more common practice to do the images onsite in any situation if possible; it definitely makes sense.

Thanks
Brandon

(@bphillips41)
New Member
Joined: 16 years ago
Posts: 3
Topic starter  

Does anyone know of another case involving a shoe company that had its computers seized and then later sued the government and won?

(@gtorgersen)
Trusted Member
Joined: 17 years ago
Posts: 70
 

It seems almost common sense to us to minimize a company's downtime and business interruption.

Just think about an e-commerce company that was being sued and you needed to collect their SQL server. What do you tell them? "Shut down your whole business while I copy your 10TB system back at my office. It should only take like a week or so."

I joke but one of the most important things we do as investigators is to minimize the loss to our client by conducting ourselves in the most efficient way possible while still maintaining the requirements of the business.
