Hello I need some opinions,
I have done a forensic examination on a computer for my department. The defense wants to re-examine the hard drive. Instead of having someone who is trained in forensic examination, they are simply having a person familiar with computers look at the data. They are requesting a copy of the suspect hard drive. I have suggested sending them an image of the hard drive, but they are insisting on a copy. I am not afraid of them questioning my findings, but I am hesitant to go the copy route.
What are your feelings on a copy versus the image? If you say the copy is ok, what program would you suggest to make the copy?
Thanks for the replies.
Greetings,
If I had to make a copy, I'd either a) create it from the image I used in my examination or b) clone it with one of the hardware imaging solutions. In either case, make sure all your matches line up.
Either way, you're giving them the same material since the image you were using is identical to the original disk and will be identical to the copy/clone you make for the other side.
-David
I typically create a working copy of all originals and an image of all originals. I then compare the hash of my working copy to my original and my image. This is useful because it complies with a condition of my validation protocols and is a demonstration of repeatability. FTK Imager allows you to copy to multiple destinations - I volunteer this as one example - several suites allow Examiners to perform a one-to-many operation.
I believe the strength of evidence is relative to the hash, however. The hash, be it MD5 or SHA1, is an expression of how unique the data is. As a calibration exercise I often zero out a drive and verify the hash for that drive is expressed as a string of all zeroes. Conversely you could write out 1s to the drive and verify the hash is expressed as a string of all 1s. So long as the hashes of your original and whatever form of duplicate you opt to create are identical you shouldn't worry overmuch about the perceived validity of the media.
I'm not sure I'd be entirely comfortable providing evidence to a non-expert who has some computer familiarity without certain caveats. A person who is familiar with how to operate a computer isn't necessarily going to understand how file systems or even the operating system saves and manipulates data. The presence of a file or directory, alone, does not constitute wrongdoing - the context of that file or directory and understanding how it came to reside on the media is really what your investigation should focus on. Although I'm beginning to drift off-topic I suggest you compose a layman's report outlining what was found, how it was found, how it was validated, and why it is believed it came to reside on the media.
Depending on the arena in which this information has to be presented you may also want to describe how you conducted your examination so that a third party can be used to validate your results.
Not an expert on the subject, but my view after reading the post is, firstly, the defense has the right to examine the files however and with whoever they wish (correct???). It is better for you if it is someone who has limited experience with computer forensics, since it will make it easier for you to make your point.
My guess is that if they don't want the image files, they may just be hooking up the drive not write protected to view/open the files, which again is good for you.
Again, not an expert on how computer forensics is handled in criminal cases (all my experience coming from the corporate world), but I would just give the defense what they are asking for and hope they screw it all up and make you look like the smartest guy in the world on the stand.
Thank you for the replies so far. I also have a problem with who's doing the examination.
Another question that I have regarding providing a copy is the fact that the defense provided different make, model, and size hard drive for the copy. How much of an "exact" copy will this be?
Greetings,
It usually isn't our place to decide who is doing the examination for the opposing side. I'm not even sure I'd risk raising that point in most circumstances.
If you clone the original disk or convert your image back to its original form, the hash values should match even if the drive provided is different than the original. As fdd_dkerr pointed out, it is all in the hash.
-David
Another question that I have regarding providing a copy is the fact that the defense provided different make, model, and size hard drive for the copy. How much of an "exact" copy will this be?
It will be 'exact' for some given value of 'exact'. And it's the defense that gives you that value.
Even an identical hard drive model would not be 'exact' – the S.M.A.R.T. attributes would be all wrong (the 'number of power cycles', for example), and the remapped block lists also. You usually can't do anything about those – though you can document them.
But as far as 'user contents' is concerned it would be exact sector by sector. (Make doubly sure you zero out any extra sectors on the copy.) If the drive has some other C/H/S structure there might perhaps be inconsistencies where those attributes are concerned, say in partition structure, but again, that falls within the particular selection of 'exact'.
And that makes me wonder … but I ask that in another thread.
You didn't say what they meant by "copy". A logical copy? A forensic copy or a restore from a forensic image? (I am not sure that they know).
Assuming the latter, I would make sure that you document that the hashes for the original and copy match, which means that you'd want to make the copy using forensically sound software or hardware that has the capability of creating an audit log; even better (though not necessary) if it captured the drive serial number as well. If their "expert" doesn't understand how the copy was made and verified, it may open the door to a challenge later.
I suspect that they don't want the image because they are either not sure what it is or how to use it. That doesn't bode well for their ability to analyze the evidence but, as others have stated, that's their problem.
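The verification the last two posts describe (hash the original and the copy, confirm that the surplus sectors of a larger destination drive are zero-filled, and write each check to an audit log), as an added example that is not code from any poster. The in-memory "drives", `SECTOR`, and `verify_clone` are constructed for illustration; a real run would hash the physical device and the destination instead.

```python
import hashlib
from datetime import datetime, timezone

SECTOR = 512  # bytes per sector assumed for the constructed drives


def hash_bytes(data):
    """MD5 and SHA1 hex digests, the two algorithms named in the thread."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def verify_clone(original, clone, log, label="clone"):
    """Confirm `clone` reproduces `original` sector for sector and that any
    surplus sectors on a larger destination are zero-filled. Every check is
    appended to `log` as an audit line; returns True only if all checks pass."""
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    if len(clone) < len(original):
        log.append(f"{ts} {label}: FAIL destination ({len(clone)} B) smaller "
                   f"than source ({len(original)} B)")
        return False
    src, dst = hash_bytes(original), hash_bytes(clone[:len(original)])
    hashes_ok = src == dst
    for alg in ("md5", "sha1"):
        log.append(f"{ts} {label}: {alg} source={src[alg]} copy={dst[alg]} "
                   f"{'MATCH' if src[alg] == dst[alg] else 'MISMATCH'}")
    surplus = clone[len(original):]
    surplus_ok = not any(surplus)  # True only when every surplus byte is 0x00
    log.append(f"{ts} {label}: {len(surplus) // SECTOR} surplus sectors "
               f"{'zero-filled' if surplus_ok else 'NOT zero-filled'}")
    return hashes_ok and surplus_ok


# Constructed sample drives (not real evidence): a 4-sector source and
# three candidate copies made onto a larger 6-sector destination.
ORIGINAL = bytes(range(256)) * 2 * 4                  # 4 sectors, 2048 B
GOOD_CLONE = ORIGINAL + b"\x00" * (2 * SECTOR)        # surplus wiped
DIRTY_CLONE = ORIGINAL + b"\xff" * (2 * SECTOR)       # surplus left unwiped
ALTERED_CLONE = (ORIGINAL[:100] + b"\x00" + ORIGINAL[101:]
                 + b"\x00" * (2 * SECTOR))            # one byte changed

if __name__ == "__main__":
    audit = []
    for name, copy in [("good", GOOD_CLONE), ("dirty", DIRTY_CLONE),
                       ("altered", ALTERED_CLONE)]:
        print(name, "->", verify_clone(ORIGINAL, copy, audit, label=name))
    print("\n".join(audit))
```

Only the first copy passes; the unwiped surplus and the single altered byte are each caught and recorded in the audit lines.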
Our agency will provide a copy in each form if/when requested. The 'copy' will always be from the image as by this point we have most certainly placed the original media in sealed evidence bags. If they ask for a copy of the image we ask them to specify the form they want it in (dd, ewf, etc.). That way we get some notion of how competent their side is.
We don't concern ourselves too much with the opposing 'analyst'. That's our lawyer's problem on cross-examination - with our input of course )
We do get requests for 'paper' copies of the files and will do that as well.
In all cases we give the defence a copy of the full blown forensic report that went to the Crown Prosecutors office.
Call me a cynical old goat but just maybe, it's a defence attempt to receive evidence from you where the hashes don't match or at least that the method of producing the copy/image did not follow forensic best practice (or whatever), thus providing them with a chink to undermine you….
I would give them what they have requested, covering your bases by both (i) undertaking the suggestions already made by other posters and (ii) by providing an accompanying letter confirming your recommendation that an image of the physical device is worked upon, your rationale and a statement that your recommendation was dismissed.
And the choice of defence expert is the defence's business.