How long will Computer Forensic Standards Last?

PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

Out and about so can't do lengthy answer (iPad's up to it, my missus's patience is not). I think we also need to bear in mind that the vast majority of digital media will have no evidence of any crime on it and if it is turned on the consequences are zilch. Again didn't see this program so my comments are general, but every laptop in every car that is stopped might have evidential value but that does not mean that every laptop should be bagged and tagged.

The common sense issue is whether the laptop is seen as a potential source of evidence in relation to why the suspect was stopped (not that the techniques of an examination are common sense). If it is simply a matter of "is this yours?" then sending it to a forensic unit is surely overkill and booting it to see if the registered user is Leroy or Lucy seems much more appropriate and proportionate.


   
(@ravalert)
Eminent Member
Joined: 20 years ago
Posts: 21
 

This discussion has generated differing views as to how people view computer forensics. So thanks for the replies guys.

RavAlert, I can see where you are coming from. I see the point being made by Braveheart about dead-man's trap. I also see Harry's viewpoint. Given the 'patrol stop' led to the Officer dealing with a potential drugs issue was fine; the Officer handled the matter very well. But the laptop could have been connected with drugs, too. The Officer didn't really know. OK, today it is all hurry hurry hurry as people want results and find the quickest way to achieve it and it all looks very pragmatic to do this sort of thing.

However, as equally pragmatic, putting a laptop in an evidence bag is not asking the Officer to work to the nth degree. If the Officer had picked up a knife from the suspect's car, would the Officer then ask the suspect to put the knife in his hand, thus putting the suspect's fingerprints on the knife? No. The Officer would have put the knife in an evidence bag straightaway and to link up ownership later. Putting the laptop in an evidence bag without the Officer switching it ON is not difficult, it is not rocket science. But as I said I do not think the Officer is at fault here. Most have seen the programme and it clearly looks like the Officer was unaware of good practice. I don't mean to labour the point, but if the evidence bag was unnecessarily restrictive on the Officer doing his job, could he not have been taught to radio to the Nick indicating he had got a laptop and any advice before switching it ON as he, the Officer, had probable cause to establish ownership?

If it's the case that in the forensics arena we must refine our thinking and approach to good practice, then so be it. But it has been well over a decade now for computer forensics and it is the case no one has thought about varying scenarios that can occur during seizure and to have properly recorded them? And, if it has been thought about and recorded, why has that NOT been clearly set out in ACPO Guidelines previously?

The world won't come to an end because of this matter, but for us to remain silent or not openly challenge bad practices it could be that that style of conduct may be seen by others as tacitly agreeing with bad practice being used. That leads to dilution in, and maybe dissolution of, standards.

"If the Officer had picked up a knife from the suspect's car, would the Officer then ask the suspect to put the knife in his hand, thus putting the suspect's fingerprints on the knife? No. The Officer would have put the knife in an evidence bag straightaway and to link up ownership later."

Embarrassing for me here, for I totally forgot about physical forensics. Things will be more direct with fingerprints of the suspect found on the laptop itself. Thanks for bringing that up. :)


   
(@rupert)
Active Member
Joined: 18 years ago
Posts: 11
 

I think we have to think outside the box here. This was the culture change that ACPO forensic triage was trying to address. Sealing up the laptop and taking it to the HTCU in those circumstances. Well it would not get through South Wales Police when I was there. I am pretty sure that it would not get through now. That is the whole issue of massive backlogs. Just in case, risk aversion. In the above example that officer should be commended. At least he was not handing over the problem. As for the legalities, the ACPO guidelines are not law. No matter what ACPO think of themselves, they are not part of the legislature, executive or judiciary. If the above matter went to court, then it is up to the Judge to decide admissibility. I look at the ACPO guidelines as a plaything for either the prosecution or defence.
Oh and another thing. Forces have a duty to manage resources. Almost every crime scene has digital media. The police in the UK have to move away from the preciousness of computer crime. Medical staff will always remove a dead body from a scene (unless decapitated or RM set in) even though obviously dead. So the scene is ruined. The "last accessed" dates will be changed. But the murder will not be inadmissible!!


   
(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
 

Just playing devil's advocate, but what if the police officer had taken the laptop back to his local station and then looked at it himself? The same if he had found a couple of mobile phones? Before you know it, he becomes the informal expert within his local station and becomes the local point of contact for instant, non-forensic investigations of digital devices.
It's a fine line between encouraging initiative at a local level and a breakdown in quality procedures within the whole organisation.


   
PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

Just playing devil's advocate, but what if the police officer had taken the laptop back to his local station and then looked at it himself? The same if he had found a couple of mobile phones? Before you know it, he becomes the informal expert within his local station and becomes the local point of contact for instant, non-forensic investigations of digital devices.
It's a fine line between encouraging initiative at a local level and a breakdown in quality procedures within the whole organisation.

I think you are putting 2 + 2 together and getting 5 here - you can do that sort of "what if" scenario for ever.


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Topic starter  

It has been interesting reading how digital evidence could be treated or the exposure of treatment applied to the device/exhibit depending upon the circumstances and environment in which the seizure took place.

There have been no contradictions as far as I read about ACPO GPG omitting reference to all these extra treatments that can occur in the field and that there is no guidance for examiners on what to do or the necessary/appropriate declarations to be made.

Moreover, the invitation to the suspect to touch the exhibit is another matter where there are no contradictions. I assume that is because preservation of evidence and fingerprints and DNA are also mentioned in ACPO GPG.

Apparently, a third element in the equation for this happening may be down to yet another matter and that is the use of the Major Incident Manual (MIM) that also deals with digital evidence that may be referred to and ACPO GPG is either not known or may not be referred to at all.

As previously mentioned throughout I do not cast any doubt on the Officer in this matter. Frankly how could he know what was going to be best when there is so much conflicting advice in the background. I do not believe there is any judgment being made against Police either, but comments made in this discussion thread suggest the type of treatment of exhibits being discussed has been going on and it is expected to happen, which appears to defeat the argument that the discussion in this thread is alleged to be a "what if" one-off event or a "storm in a teacup".


   
binarybod
(@binarybod)
Reputable Member
Joined: 17 years ago
Posts: 272
 

Just playing devil's advocate, but what if the police officer had taken the laptop back to his local station and then looked at it himself? The same if he had found a couple of mobile phones? Before you know it, he becomes the informal expert within his local station and becomes the local point of contact for instant, non-forensic investigations of digital devices.

The Judge rules the evidence inadmissible and the officer (and probably any supervisor that allows this to occur) gets either a serious amount of egg on their face or even gets investigated for a disciplinary offence (or both).

The exercise of discretion is a powerful tool but it is well recognised that it is open to abuse and that is why there are (in the UK at least) checks and balances to prevent blatant abuse like the scenario you have outlined.

Paul


   
(@gmarshall139)
Reputable Member
Joined: 21 years ago
Posts: 378
 

I didn't see the program so I'll first qualify my response with that. From what I can glean the officer was trying to establish whether or not the laptop was stolen.

Assuming his search was reasonable to that point I can't find fault in his actions. Playing the "what if" game suppose he did immediately see evidence of a crime involving the computer itself. So what? His actions were reasonable and the login would be no different than every other time the computer was turned on.

Turning on the computer and having the owner login will not create that evidence. The changes made to the operating system are minor, and predictable.

If we cannot as examiners explain this then we have failed the officer, not the other way around. If the defense examiner uses this and somehow convinces a jury that it nullifies the evidence then they have committed a fraud.


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Topic starter  

Thanks for all the responses so far, it has made this discussion a very interesting read.

Hi gmarshall139, that wasn't the purpose of why the patrol car officer stopped the car. It related to drugs when the officer asked the driver of the car to get out of the car and the officer could smell a strong odour of drugs coming from the car. The officer then went on to search the car on suspicion of drugs and see if drugs supply was evident and then went to see what was in the boot of the car where the laptop was found.

The "what if" game is not being played, because if it was the same may be said of "what if" when you provide the observation "If we cannot as examiners explain this then we have failed the officer…" that too could be construed as a "what if" scenario.

It is the omission about the pragmatic point that if there is an acceptance that examination of digital devices on scene takes place why has that not been recorded in good practice guidelines? Why have ACPO Guidelines saying one thing and promoting the principles for use to others to get others to follow the principles, then have another guide saying something else on the same subject and then have a third set of procedures for device examination at site of seizure which is based upon discretion.

The objective of the discussion seems to have turned to do we need to refine forensic principles to "openly" accept that procedures in the lab cannot or will not be practiced on site and for the Guidelines to be clear and transparent about that activity and the impact on evidence.

I am working on the assumption that you know ACPO Guidelines are updated and that there have been different versions published over the years. I am also assuming you know that ACPO Guidelines overtly state not to switch ON at a crime scene.


   
(@gmarshall139)
Reputable Member
Joined: 21 years ago
Posts: 378
 

Hi gmarshall139, that wasn't the purpose of why the patrol car officer stopped the car. It related to drugs when the officer asked the driver of the car to get out of the car and the officer could smell a strong odour of drugs coming from the car. The officer then went on to search the car on suspicion of drugs and see if drugs supply was evident and then went to see what was in the boot of the car where the laptop was found.

I'm just not sure the computer is likely to be evidence, even in the presence of narcotics. The officer would need a warrant to seize it, and if those were his intentions then certainly he's violating any reasonable practice by turning it on.

I've formerly worked interdiction and I'd be thinking that since this guy has drugs in his car and valuable property in the trunk; good chance it's stolen.

I am working on the assumption that you know ACPO Guidelines are updated and that there have been different versions published over the years. I am also assuming you know that ACPO Guidelines overtly state not to switch ON at a crime scene.

Agreed, and understood. I just think that we're going a little overboard if we consider any computer at any crime scene evidence. That's bound to be the challenge of the future. Every device will be a computer. We will need to train first responders better in determining what to seize.


   