I have an HDD which is placed in an outer case with a USB port; however, the HDD does not seem to be working when you connect it through the case's power connector. So, in case there is a problem with the case, I have to open it and remove the hard drive; however, the case does not seem to have any proper way of opening: no screws, no sliding, etc. So, the outer case may break apart while I remove the HDD.
My question is: should I go on and open the case even if it may break, or should I stop here, considering the suspect may sue me for damaging his property?
What would you do in such cases where you may have to physically damage the outer box of a media for making a forensic examination?
It doesn't work? How can the suspect sue you for damaging something that is already broken?
If it is a real concern you can always buy a new enclosure.
This is an interesting question. Even more interesting is the appropriate answer.
The first questions to ask:
1. Do you have legal necessity and authority to retrieve the data on the device?
2. What are your company's/organization's policies?
3. In reference to the first question, does the device potentially contain data important to the case?
Since the answer to the last question is really an unknown, we, as forensic examiners, must presume the device contains data relevant to the investigation or you wouldn't be looking at it in your lab. So the answer to #1 should be yes as well, and the answer to question 2 should follow along the industry standard for collecting this type of evidence.
You must get the evidence, but you must also do it in a way where the device can be returned to its owner in the same condition in which it was seized.
That said, every agency or organization may have its own rules. If your organization is willing to be responsible for any damage incurred, then go for it. Other entities may take a hands-off approach.
Best advice would be to research the device and manufacturer as much as possible on the internet before attempting to disassemble it. If you find absolutely nothing, contact the manufacturer yourself. I'm sure someone will be able to assist you with the process. Most enclosures can open up even if they appear not to. If you get no help there, you're back to your quagmire and cowboy approach.
I used to work under a system where the warrant gave us permission to open anything, even destructively, whilst searching for evidence. That covered us if we had to force open something like this in the lab.
Let me guess… It's an external Maxtor USB drive with that pretty gray case, venting all around?
If so, I used a metal expansion slot cover from a desktop computer case. Hammered it out, and cut it with snippers to get it to work.
You have to push two metal latches on each side, but they are obstructed by the plastic casing. The slot cover has to be cut into a J piece…
For jhup's question, it is actually a Western Digital 1 TB placed in a black box, not a Maxtor.
And for all other members who replied, I really appreciate your contributions. Thank you.
As a rule of thumb, I always crack the case. You will not only image the drive better, but you also eliminate the possibility that a very small OS on the board could change all the last access dates on your device. You have to be especially careful when you try and acquire a unit which looks like a NAS box; I have had cases before where this seemingly innocent box has its own BIOS and Linux OS!
Hope this helps
Steve
As an additional note, you never know how safe a caddy is, consider this…
Duff caddy, large power surge… dead hard drive
I've had more than one shock up my arm from dodgy laptop power supplies in the past, which has made me very cautious of this :D
My whole lab, and even my field acquisitions are done on a UPS. I had a power drop on-site a long time back and it took an extra hour to get the job done. That's why I got one for my field kit.
Not as good as the acquisition I did before, where one of the company's employees decided to start rummaging around in a cupboard and took a direct blow from one of my brand new 1TB hard drives to the head. Forensic Investigator beware: confused staff do not see your cables and will ruin your new hard drive and 2 hours of now wasted acquisition lol