Copy vs Image for defense

22 Posts
15 Users
0 Reactions
2,106 Views
neddy
(@neddy)
Estimable Member
Joined: 21 years ago
Posts: 182

I would think the best option is to supply a copy of the forensic image and let them make whatever type of copy they wish from that.
The defence have a right to request whatever format they wish but supplying them with a forensic image does not deny them this, rather it ensures they have the best evidence and best opportunity to perform a proper examination.
If they have a problem working with a forensic image then that should be made clear as it would suggest they are not qualified to provide a proper defence. Their client has a right to a proper defence.


   
balzanto
(@balzanto)
Trusted Member
Joined: 19 years ago
Posts: 57

Give the defense what they ask for. The judge may not like it if you appear to be making things difficult for the defense. Some attorneys want to look at the data themselves and don't know shinola about image files. If they want a clone, give them a clone and document everything in your report. I use the Hard Copy 3 for cloning.


   
(@larrydaniel)
Reputable Member
Joined: 17 years ago
Posts: 229

Hello I need some opinions,

I have done a forensic examination on a computer for my department. The defense wants to reexamine the hard drive. Instead of having someone who is trained in a forensic examination they are simply having a person familiar with computers look at the data. They are requesting a copy of the suspect hard drive. I have suggested sending them an image of the hard drive but they are insisting on a copy. I am not afraid of them questioning my findings but I am hesitant to go the copy route.

What are your feelings on a copy versus the image? If you say the copy is ok, what program would you suggest to make the copy?

Thanks for the replies.

Most of the time, when there is a question regarding this type of thing, the LEO will make a "clone" of the original hard drive to a defense supplied hard drive so it can be read using Windows if it is hooked up as a secondary drive. To them, this would be a "copy" of the hard drive that they can browse through and look at the data.

Chances are, and I cannot predict this of course, they will not write protect their copy and if they are using someone who is "familiar" with computers to look at the drive, who knows what that means. It could be their local computer guy rather than a forensic examiner.

To begin with, the defense should be requesting forensic copies of all the digital evidence your department seized, whether you examined them or not.

I always request copies in Encase format since I use Encase for the majority of my work. However, I will take the forensic copy in any format I can get and then just deal with it.

Since they are not requesting a forensic copy, I seriously doubt they will be checking the hash value of the acquisition, etc.

Also, if you recovered information that is not available using standard "computer technician" tools, chances are they won't be able to verify your findings, much less question them.

There are so many red flags raised by the bold part of your post from a defense standpoint it is just sad.


   
(@armresl)
Noble Member
Joined: 21 years ago
Posts: 1011

"I always request copies in Encase format since I use Encase for the majority of my work. However, I will take the forensic copy in any format I can get and then just deal with it."

My practice is to request to image the machine myself, from the original. Why take anyone's word, with someone's life and/or livelihood at stake, that the images they provide you are good images?

If you take their images, you are accepting the methods and protocol they used to make those images, and the same claims of tampering with drives that LE often makes, you can make: that things were played around with and THEN an image was made.


   
Beetle
(@beetle)
Reputable Member
Joined: 17 years ago
Posts: 318

"I always request copies in Encase format since I use Encase for the majority of my work. However, I will take the forensic copy in any format I can get and then just deal with it."

My practice is to request to image the machine myself, from the original. Why take anyone's word, with someone's life and/or livelihood at stake, that the images they provide you are good images?

If you take their images, you are accepting the methods and protocol they used to make those images, and the same claims of tampering with drives that LE often makes, you can make: that things were played around with and THEN an image was made.

It would depend on the venue of the case and the legislation involved. Here in Canada we would never allow access to the original media as the Criminal Code prohibits access except pursuant to a court order per 490(15), and then we would make sure that the order would direct us to do the hookup of the writeblockers and supervise the defence imaging or examination. That way we can exhibit continuity of possession. We also do this in respect of CP cases (offence to distribute, access or allow access to CP under the Criminal Code) and solicitor-client privilege issues.

Typically, we prepare a clone immediately after seizure and before we make and upload the forensic working images on our servers in our lab(s).
The clone is given to the party from whom the media was seized before we make our return to the issuing justice (application for detention of things seized). In effect we turn over the clone before we have even begun our analysis.


   
(@armresl)
Noble Member
Joined: 21 years ago
Posts: 1011

If you make a copy with Encase and I come to your office with the same software and writeblockers you have, then it would be hard to claim that I would mess something up.

Here in the US, I can't think of one time unless it was a CP case where the court denied me the ability to make an image from the original computer.
There have been several cases where I know the other side's intentions were noble, but the only training they had was from the NCMEC and it consisted of a few classes, each a few hours in length, that only discussed habits of predators online, nothing about imaging etc.

So when someone else requests to make an image they are up in arms because we don't make the image the same way they did, but they didn't use a WB, and actually were clicking on data in the house before the suspect's arrest.

Obviously YMMV


   
Beetle
(@beetle)
Reputable Member
Joined: 17 years ago
Posts: 318

If you make a copy with Encase and I come to your office with the same software and writeblockers you have, then it would be hard to claim that I would mess something up.

Here in the US, I can't think of one time unless it was a CP case where the court denied me the ability to make an image from the original computer.
There have been several cases where I know the other side's intentions were noble, but the only training they had was from the NCMEC and it consisted of a few classes, each a few hours in length, that only discussed habits of predators online, nothing about imaging etc.

So when someone else requests to make an image they are up in arms because we don't make the image the same way they did, but they didn't use a WB, and actually were clicking on data in the house before the suspect's arrest.

Obviously YMMV

I know what you are saying, but for me it is a straight legal rather than a technical issue. We don't allow unsupervised access to anything whether digital or physical items like paper. It is the custodian's responsibility to hold the evidence safe for the court. In fact our detention orders here actually have that spelled out in them.

Another issue is that on some write blockers you can set the dip switches on, say, a Tableau, and be able to write to the drive. So how do we know the write blocker that was used by the applicant wasn't altered? How can we testify that something didn't happen unless we rehash the media after you are there, and then it could be too late? The evidence would have been out of our actual control so we can't demonstrate continuity of possession.

I would take the position that I don't care how or with what you make your image as long as I can testify it was safely done and the only way I can do that is by using a known properly functioning write blocker. If evidence is tainted it reflects on the custodian (LE) and the admissibility of the evidence, not the defence. I am sure that we would be criticized by the court during a voir dire if we can't testify that we were satisfied that the copy was made in a safe fashion. Sometimes, it isn't that some modification of the data actually occurred, but that it could have occurred.

We (and other LE here) don't even allow other LE agencies to make court authorized copies of data unless we supply the write blockers.


   
(@douglasbrush)
Prominent Member
Joined: 17 years ago
Posts: 812

Who is paying for your time to do this?

Tell them you will give them an EnCase image, as well as a SMART and/or SafeBack image on different drives (even offer to encrypt). Hash the drive and all the files and provide documentation.

Then tell them you will expand one of the images to another drive with FTK Imager and hash all the files from the root and provide the .CSV file with all the hashes with it so they can plug and play and re-hash check themselves against all your images and their own intake.

If they don't know what they are doing then it is not your responsibility to cover their butts. Give them a bunch of options, hash and document, let them figure it all out and bill THEM for your work.


   
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650

I have a slight issue with agencies that dictate that you use their equipment. As a general principle, the examiner is responsible for validating their equipment prior to use, so if I was required to use a write blocker which was not my own, I'd have to take the time to validate it before conducting an exam. I had this issue once previously where an agency required me to use their write blocker, and I only accepted it because in that particular case, I was not tasked to conduct an examination, but only to review what the other side was providing.

The way I have dealt with the issue of giving the opposing side access in the past is to hash the drive prior to giving access (confirming that it matched our existing hashes) and then hashing the drive afterward. If the drive was altered by the opposition examiner, then that's something you bring up at the trial, and potentially use to discredit them. And since I have at least 2 forensic images of the unaltered drive, I don't have to worry about lost evidence.

Going back to the original question, it's no more of an overhead to provide a forensic copy (or a restored drive if you are working from images) to the defense than it is to provide E01 or any other image format. You're still copying the same amount of data. The only increased overhead is zeroing out the drive before copy, and I'd be doing that anyway. It's also good professional courtesy and less hassle just to give them what they ask for and let them bear the burden if the opposition examiner is not skilled properly.


   
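The two practical procedures in this thread, the per-file hash list in a .CSV that the receiving side can re-check on its own intake (douglasbrush's post) and hashing the drive before handing over access and again afterwards so any alteration is provable at trial (patrick4n6's post), can be scripted. What follows is an added example written for this page, not code from any poster or from the tools they name (EnCase, FTK Imager). It uses only the Python standard library, builds its own small "restored drive" directory and image file as constructed sample data, and records a chunked SHA-256 digest of the image plus a per-file manifest; the simulated post-access re-check then reports exactly which files were modified, added or removed and whether the image digest still matches. Function names and the sample paths are my own and are not from the page.

```python
"""Hash-and-verify helpers for handing a drive copy to the other side.
Added example, not code from the thread: records a digest of the image or
restored drive before access, a per-file SHA-256 manifest in CSV form, and
re-checks both afterwards so any change can be shown rather than argued.
"""
import csv
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads: a multi-hundred-GB image never has to fit in RAM


def hash_stream(fileobj, algo="sha256"):
    """Digest a readable binary stream in fixed-size chunks."""
    h = hashlib.new(algo)
    for block in iter(lambda: fileobj.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def hash_bytes(data, algo="sha256"):
    """Digest an in-memory byte string (handy for spot checks and tests)."""
    return hashlib.new(algo, data).hexdigest()


def hash_path(path, algo="sha256"):
    """Digest one file, or a raw device node opened read-only, on disk."""
    with open(path, "rb") as f:
        return hash_stream(f, algo)


def build_manifest(root, algo="sha256"):
    """Map every regular file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_path(p, algo)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def write_manifest_csv(manifest, out_path, algo="sha256"):
    """Two-column CSV (path, digest) the receiving side can re-check itself."""
    with open(out_path, "w", newline="") as f:
        w = csv.writer(f)
        w.writerow(["path", algo])
        for rel, digest in sorted(manifest.items()):
            w.writerow([rel, digest])


def read_manifest_csv(csv_path):
    with open(csv_path, newline="") as f:
        rows = csv.reader(f)
        next(rows)  # skip the header row
        return {path: digest for path, digest in rows}


def verify_manifest(manifest, root, algo="sha256"):
    """Compare a stored manifest with the tree as it is now.
    All three lists empty means nothing was modified, removed or added."""
    now = build_manifest(root, algo)
    return {
        "mismatched": sorted(p for p in manifest if p in now and now[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in now),
        "extra": sorted(p for p in now if p not in manifest),
    }


def custody_check(recorded_digest, path, algo="sha256"):
    """Re-hash the drive or image after third-party access; True if unchanged."""
    return hash_path(path, algo) == recorded_digest


def demo():
    """Constructed walk-through: build a tiny 'restored drive' and image file,
    record hashes, simulate access without a write blocker, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        root = tmp / "restored"  # constructed stand-in for the restored drive
        (root / "Users" / "alice").mkdir(parents=True)
        (root / "Users" / "alice" / "notes.txt").write_bytes(b"constructed sample file\n")
        (root / "boot.ini").write_bytes(b"[boot loader]\n")
        image = tmp / "drive.img"  # constructed stand-in for the image file
        image.write_bytes(b"\x00" * 4096 + b"constructed image payload")

        manifest = build_manifest(root)
        write_manifest_csv(manifest, tmp / "manifest.csv")
        image_digest = hash_path(image)
        clean = verify_manifest(read_manifest_csv(tmp / "manifest.csv"), root)
        untouched = custody_check(image_digest, image)

        # Simulated unblocked access: one file edited, one added, one byte appended.
        (root / "boot.ini").write_bytes(b"[boot loader]\ntimeout=30\n")
        (root / "Users" / "alice" / "new.txt").write_bytes(b"x")
        with open(image, "ab") as f:
            f.write(b"\x01")

        return {
            "clean_before": clean,
            "image_unchanged_before": untouched,
            "report_after": verify_manifest(read_manifest_csv(tmp / "manifest.csv"), root),
            "image_unchanged_after": custody_check(image_digest, image),
        }


if __name__ == "__main__":
    print(demo())
```

Run it with `python3 hashcheck.py`; the printed dictionary shows a clean result before the simulated access and, afterwards, `boot.ini` under "mismatched", `Users/alice/new.txt` under "extra", and the image digest no longer matching. For a real hand-over, point `hash_path` at the image file (or a read-only device node behind a write blocker) and `build_manifest` at the root of the restored drive, keep the manifest and the recorded digest with the exhibit notes, and re-run `verify_manifest` and `custody_check` when the drive comes back.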
Beetle
(@beetle)
Reputable Member
Joined: 17 years ago
Posts: 318

The way I have dealt with the issue of giving the opposing side access in the past is to hash the drive prior to giving access (confirming that it matched our existing hashes) and then hashing the drive afterward. If the drive was altered by the opposition examiner, then that's something you bring up at the trial, and potentially use to discredit them. And since I have at least 2 forensic images of the unaltered drive, I don't have to worry about lost evidence.

One of the issues we are trying to deal with in our procedure is that in 99% of our cases we are required to tender the original media as the evidence. This goes back to an old case in the UK called Oxford v. Moss that deals with the legal status of information (you can't seize or steal it because it is an intangible without right to title) and some cases here regarding the theft of information (and in other jurisdictions) that essentially say that the physical device is the actual thing seized, not the data (information). We actually have a section in the Criminal Code dealing with making copies on site and seizing the copies instead of the original media that is used mostly for mainframes or servers we don't want to take for various reasons.


   
Page 2 / 3