A general question I am getting conflicting answers on. If investigating a case, which for argument's sake we will say is a divorce or fraud case, when examining the evidence you find credentials for a web site or web email box.
Do you feel you are authorized to access this resource? Keep in mind you are not aware if this contains case evidence, but the credentials and web address were found while examining evidence that IS part of your case.
Thoughts?
It depends upon the instructions or contract for the case. If you're not specifically authorized to access the site you found, the information itself may be evidence, but you can potentially be in a lot of trouble if you use those credentials to access the site.
I know how most folks are about giving away too much specific information about a case, but to be honest, sometimes the best answer is to go back and review the case documentation.
H. Carvey
"Windows Forensics and Incident Recovery"
http://windowsir.blogspot.com
Also depends if you are LE or not. If you are, speak to your legal advisor about the issue. If you are not LE, be much more careful about the scope you have been set by your client. In the past, though not for some time, I have done some divorce work and I would often get asked by one side or other to 'access' email of the spouse. The law is clear on privacy issues here in the UK and I would always take legal advice before making such a decision.
As an example I may be asked to examine a PC owned by a company who believe the user is up to no good. If I find evidence of a hotmail account not owned by the company I DO NOT have the right to access it even though it may contain useful material.
There are legal channels that can be taken by the company to petition a judge to allow me access. However, if I just wade in I dare not use it as evidence anyway, otherwise I'm in trouble.
Nick
I think if you access a hotmail account for instance, and review email, that is in transit so to speak, then you are treading on what could be considered a wiretap. A crime without a title 3 order. Obviously a law enforcement examiner would have to be very careful about doing that. I simply don't. I don't know that it has ever been prosecuted, but I don't want to be the first.
As email is a communication it is a little different than if I find a login to the guy's online banking. It may still not be a prudent course of action, but I don't think the consequences are so dire.
That being said the basic rule of thumb is to go after the information properly. You'll sleep better and all it takes is a little more effort.
Greg,
That being said, how would you handle an instance where you found a username and password in the evidence you are searching through on a suspect's PC?
Do you feel this is acceptable to log into and see what it entails?
I don't think it's at all acceptable. Whatever authority you have to access the system certainly wouldn't extend to a user's private data residing on a server someplace. I would never get so involved in an examination/investigation to risk my personal freedom, money, or integrity in seeking a particular outcome.
This is a forensic science. We can only report on what is there. If a fiber analyst can't find the smoking gun on a particular piece of evidence they wouldn't go to the suspect's house looking for more (CSI notwithstanding). The investigating agency may however seek another search warrant to get the same. There are ways to access this information legally if it is important to a case. Generally by order of a judge. This is the only way to get the information properly.
Greg,
That was the answer I was looking for. I could not agree with you any better.
Thanks for your input :-)