Hello!
I work for a private forensics firm that handles a great number of cases brought to us by defense attorneys.
After investigating the circumstances of how the police seized the computer, nearly every time we find out they screwed up in some way. Whether it’s booting up the computer at the station or leafing through the contents at the scene, they simply don't know how to take these devices into custody without screwing up. These cases are then thrown out by the courts because the integrity of the evidence has not been preserved.
Now before everyone thinks I'm bashing the police, we have found that the regional computer investigations units do a good job (Federal government, state police, and some specialized computer crime units).
What I'm just curious about is if you guys out there have seen the same trend as I have… that local law enforcement/first responders simply does not know what they're doing when it comes to computers. Hopefully I'm wrong!
Thanks!
Being a local law enforcement officer, I see these kinds of problems all too frequently. Our problems usually occur when a patrol officer encounters something at a scene and tries to look at it himself/herself. I do all of the exams for my agency and I assist other agencies and I learned early on to determine whether or not the evidence was tainted by the officer seizing the equipment. Most of the time I try to do the system take downs, but I can't always be there so bad things have happened. State and Federal agencies are not immune to this problem either, but you are right, they tend to be better educated about how to handle digital evidence. Problems with local agencies are more pronounced because there are many, many more of us than state or federal officers. I have tried to educate our patrol officers, but mistakes are still made.
Education is the key to preventing these kinds of problems, but until the administrators understand the importance of digital evidence and that understanding trickles down to the line level officers, we will continue to face this issue.
PS: I have more problems with our narcotics officers doing this kind of thing more so than any other group of officers. It seems like every narcotics unit has its own "computer expert" who fires up the computer to look through emails and when they find something, they want a complete exam done. Then they get upset when I tell them that I won't do the exam because they have ruined the evidentiary value of the computer.
Matt
Hi Suomi, I see you only place your location as Earth so I am presuming you are talking about the US, (which is massive compared to European countries). I imagine there are lots of different jurisdictions, laws, police forces, including both state, federal and local. I’ve heard that shopping malls, department stores, schools and universities have their own police forces, something completely alien to the UK, where I work. We have ‘security guards’ – but that’s a different kettle of fish and nothing to do with ‘the police’, i.e. no police powers. Therefore I imagine getting all these different law enforcement agencies to follow the same procedures is a difficult task.
In the UK police forces (and most of the private sector) adhere to the ACPO (Association of Chief Police Officers) guidelines for digital evidence. This is a document produced by a collaboration of high ranking police staff from various areas of the country, advised by leading lights in the Forensic Computing community.
Andy
I'm reminded of a couple of chapters in Neal Barrett's "Traces of Guilt" where he was surprised at the level of care (with respect to evidential integrity) taken by members of the Flying Squad but disappointed by that taken by a professional forensics company in another case. Sometimes the coppers do get it right!
As mentioned previously education is certainly the key but I also hope that as new generations of police officers rise through the ranks their greater familiarity with computing devices (in a non-forensic setting) will help to alleviate some of the problems associated with officers who have little everyday knowledge of the issues involved. It's not often I'm optimistic(!) but I sense that, in the UK at least, great strides have been taken by those promoting computer evidence handling techniques over the past five years or so.
Cheers,
Jamie
Nearly forgot. Suomi, could I kindly ask you to update your profile to reflect your country location please, thank you.
Jamie
Hi Suomi
Do you have any case cites of the cases you mentioned where the cases were thrown out?
Thanks
Darren
Thanks to everyone who posted replies… this is a topic that I find very interesting.
As for individual cases, I can't think of one off of the top of my head. Usually once we show the prosecution what their first responders have done, they drop charges or plea out. I know of one specific case, the name of which escapes me at the moment, in which the judge threw out the case immediately after he learned that the computer had been booted and had WinHex installed on it for examination purposes by the police 'expert'. That is probably one of the grossest errors that I have come across, but the most common are police booting the computer at the station and leafing through the contents. A co-worker of mine went to pick up the computer from the police department and the officers were playing one of the suspect's games on it!!! He told them to go ahead and keep it.
Anyway, I agree with a lot of what you guys said… education of the first responders is key! But hey, in the end I guess I really don't mind when the police screw up because it makes my job that much easier!
No doubt some of what you're saying could and probably does happen. I think, based on my own observation, that it's in the vast minority of cases. I am an examiner for a local law enforcement agency, and I also do private consulting. I've done examinations for federal agencies as well. So I have a background from which to speak.
Some of what you're saying just doesn't add up. Particularly your last post where you state that a co-worker went to a local agency to "pick up" a computer and then told them to just keep it. I can't imagine a case where a defense examiner would be allowed to remove any item of evidence.
I have worked closely with some Canadian examiners and in my experience they are excellent at what they do. I think you bring up some serious accusations that you should be able to back up with verifiable proof. This is a public forum after all.
While I agree with what you are saying, Greg, he didn't name any names, and I am also skeptical about the claim of just dropping the case or a plea bargain.
I would have to say that it is on the very, very rare side that if the defense shows evidence tampering on the prosecution's expert's part then there would be a plea. From my experiences the defense continues with that evidence and goes for acquittal or dismissal, but why a plea? That is why in my post I asked for a citing so I could see the ruling and heck I would even order a transcript.
Some of what you're saying just doesn't add up. Particularly your last post where you state that a co-worker went to a local agency to "pick up" a computer and then told them to just keep it. I can't imagine a case where a defense examiner would be allowed to remove any item of evidence.
Just to respond to this question…
The local law enforcement was told to keep it by the person who went to pick it up simply because he knew that what he viewed at the station was enough to throw out the computer.
Sorry guys! I just can't offer any specifics at the moment because of the fact a civil action is in the works.