Amateur (IT Department) Investigators

13 Posts
8 Users
0 Reactions
2,030 Views
PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

The other question to ask is which in-house counsel thought it was a good idea to let the IT department do that sort of triage? Another could be similar, which CIO thought that was a good idea?

I am sure that this was a bit tongue in cheek, but while it might be nice to know this, it is usually not our concern.

On the cases I have worked where IT have been in and had a play first I have found it useful to still keep them 'on-side'. The last thing you want to do is p**s someone off or have them overly worried about their mistake, particularly if genuine.

You want them to help by describing to the best of their recollection (they're unlikely to have any notes) what it is they did and why. You do not want them trying to hide things from you…

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

All in all it seems to me (when talking of PCs) most of the (irreversible) issues come from a not-fully-compliant method to image the original disk or failure to image it.

So to solve a large part of the possible issues it would be enough to:
1) Let the IT guys know that they MUST always make a proper forensic image of the disk
2) provide them with a suitable program/way

For #1 all that is needed is to repeat this message over and over; sooner or later it will become "common knowledge" (though I suspect that it already is, at least for a large part of the IT community).

For #2 the task is to find a suitable, simple tool and validate it, through support from the Forensics community, *like* Osfclone, which was discussed in the past but whose validation was not finalized:
http://www.osforensics.com/tools/create-disk-images.html

(if I remember correctly, last time Thefuf found a possible issue with it but it wasn't corrected and re-verified, still if I recall correctly?)

Or fully validate one of the WinFe builds and related Windows tools …

With tablets, smartphones, etc., i.e. every device where it is not possible (or doable for non-specialists) to image the storage, the issues seem to me much bigger, as it seems to me that even the forensic specialized tools and methods (due also to the ever-changing devices) are far from being fully validated 😯.

jaclaz

BraindeadVirtually
(@braindeadvirtually)
Estimable Member
Joined: 17 years ago
Posts: 115
 

I spent the earlier part of my career doing IT techy dogsbody stuff, working my way up. I remember a situation where we needed a director's laptop looking at as we were aware that there was pornography on there in some quantity and HR wanted all the facts, particularly if any IIOC was present, before turning it over to LE if necessary. I knew enough and had enough clout by then to stop anybody taking it upon themselves to 'have a quick look', but it took some doing. I then fabricated an issue with the laptop so I could take it into my custody (no CoC done though) and then locked it in our backup tape safe until a properly qualified consultant came on site - he wasn't allowed to take the laptop offsite as it was a defence company.

I persuaded the IT director that putting the consultant into a meeting room for the week that everybody walked past was a bad idea and instead found him an empty out-of-the-way office with a lockable door that he could work from. He was nice enough to show me a few things that he was doing as I had a bit of interest in CF by that point, and I can credit that experience with putting the idea in my head that it was a really interesting field that I might want to specialise in one day, though it took another 6 or 7 years before I started my first job as a Forensic Analyst. And sure enough the director was pretty smutty and was travelling to the Far East to do very bad things but nothing that required LE involvement, to HR's immense relief, and the director was strongly advised to keep that stuff on his home computer. I then got a member of staff to flash a clean image onto his laptop.

I was working for a different IT company a few years later when I decided to take the plunge and go back to uni to learn about Digital Forensics. I will always remember sitting down with the owner of the company and explaining how grateful I was for everything but I had taken the decision to follow a long-held dream and train in Digital Forensics. He evidently took personal offence at this as his manner immediately changed and he coldly informed me that he didn't think I was technically experienced enough to be any good at it, would probably fail my degree, and that there was no demand for those skills anyway as he would just get his cleverest engineers to 'do the forensics' if it was ever needed. I smiled and said thanks again and walked away.

In the years since I have encountered similar attitudes when I have been trying to work with IT 'leaders' who don't understand why specialists are needed, and had to patiently explain that their engineers could find themselves in the box trying to explain the unexplainable with no notes, or even worse, could find themselves inadvertently committing criminal/regulatory offences and so on. Most 3rd line engineers don't need that additional stress in their lives…