Internet History Reports

16 Posts
8 Users
KungFuAction
(@kungfuaction)
Estimable Member
Joined: 13 years ago
Posts: 109
 

To explain the quoted bold you were asking about: it is not forensically sound due to having to install it directly on the custodian's device. Traditionally speaking, this is not forensically sound, and an attorney may have a field day trying to discredit you in court. It is viewed as compromising your evidence.

FYI this is not a jab at anyone's procedures, just trying to explain from a traditional standpoint.

Remotely accessing a computer automatically introduces spoliation. If there is any chance of criminal or civil litigation, remote access (and certainly software installation) should not be performed.


   
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

Remotely accessing a computer automatically introduces spoliation. If there is any chance of criminal or civil litigation, remote access (and certainly software installation) should not be performed.

How does remotely accessing a computer automatically introduce spoliation?

Can you clarify why you believe remote access and "certain software installation" should not be performed when there is a chance of civil or criminal litigation?


   
KungFuAction
(@kungfuaction)
Estimable Member
Joined: 13 years ago
Posts: 109
 

How does remotely accessing a computer automatically introduce spoliation?

Can you clarify why you believe remote access and "certain software installation" should not be performed when there is a chance of civil or criminal litigation?

Remote access grants control of the computer to another person. While documenting this process allows this method to be legally defensible, opposing counsel could still have a field day. OC could question how what was found during evidence collection was not introduced, accidentally or intentionally, during the collection process. Logs have changed, MAC values are modified, RAM evidence has been invalidated, etc.

The word I used was certainly - as in definitely.


   
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

Remote access grants control of the computer to another person.

I think control is not really an appropriate term. For example F-Response allows remote access to a remote target in read-only mode.

While documenting this process allows this method to be legally defensible, opposing counsel could still have a field day. OC could question how what was found during evidence collection was not introduced, accidentally or intentionally, during the collection process. Logs have changed, MAC values are modified, RAM evidence has been invalidated, etc.

The word I used was certainly - as in definitely.

Opposing counsel can claim a lot of things and they often do, however that does not invalidate the process.

Saying that you should never access a computer remotely, or to stretch it further, to say you should never work on a live box because logs, RAM, etc. would change, is just not a feasible position to take anymore. There are far too many instances where an examiner needs to gain access to remote computers (yes, even on the LE side) and/or work on live systems. The days of being able to go into (typically) a business and just pull the plug and seize everything are a thing of the past. Even in a residential environment there are media servers and other devices that can only be accessed remotely. Are we as examiners just supposed to ignore those devices because we cannot kill the box and pull the drive?

What about evidence on the "cloud"? How are you going to access that data if not by remote access?

At some point you will have to install a piece of software or run a piece of code to perform an imaging function or some other forensic/exploitation process; you just have to know and document what the software does. And that process does stand up in court.


   
KungFuAction
(@kungfuaction)
Estimable Member
Joined: 13 years ago
Posts: 109
 

Saying that you should never access a computer remotely, or to stretch it further, to say you should never work on a live box because logs, RAM, etc. would change, is just not a feasible position to take anymore. There are far too many instances where an examiner needs to gain access to remote computers (yes, even on the LE side) and/or work on live systems. The days of being able to go into (typically) a business and just pull the plug and seize everything are a thing of the past. Even in a residential environment there are media servers and other devices that can only be accessed remotely. Are we as examiners just supposed to ignore those devices because we cannot kill the box and pull the drive?

What about evidence on the "cloud"? How are you going to access that data if not by remote access?

At some point you will have to install a piece of software or run a piece of code to perform an imaging function or some other forensic/exploitation process; you just have to know and document what the software does. And that process does stand up in court.

I've been in law enforcement and there are circumstances where you just go for a live acquisition, such as a missing persons case. But I'm adamant that a dead acquisition is far more defensible forensically than a live acquisition. And yes, I've been part of going into a business and just seizing everything - that was the policy when I left a year ago.

Cloud evidence is usually obtained by court-ordered subpoenas, unless a live acquisition is possible. And live acquisitions can be obtained by runtime command line tools. They do change some logs, but that part is certainly defensible if properly documented. Installing and running programs that modify the registry does not sit well with me.

Different jurisdictions have different policies for digital evidence collection in LE, so it's not so much a forensic issue as a policy issue at that level. From an e-discovery point of view, I think we all go with what the attorney we are working for at the time feels he/she can defend. Someone on the CCE list today mentioned a code of ethics by which we are bound. Here is one point which I think is relevant:

"[Shall not] Exceed authorization in conducting examinations."

When we go in, we are working for a party. It is our job to inform that party of what we believe is forensically relevant and obtainable, but in the end, the party that employs us is the one authorizing what we can do.


   
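The post above argues that the changes a live acquisition makes are defensible only if they are properly documented. The script below is an added illustration of what that documentation can look like; it is not code from this thread or from any tool named in it. It snapshots size, MAC timestamps, mode and SHA-256 of every file under a directory before and after a live-collection step, classifies what differs, and emits a chain-of-custody style log record so the examiner can show exactly which artefacts the collection itself touched. The directory path, step name and examiner name are assumptions passed in by the caller.

```python
"""Record what a live-collection step changed on a host.

Added example, not from the forum thread: take a metadata/hash snapshot
before and after running a live-acquisition tool and log the difference.
"""
import hashlib
import json
import os
import sys
import time
from pathlib import Path

# Keys used to decide whether a file "changed". atime is recorded but not
# compared: merely reading a file to hash it updates atime on most
# filesystems, so the examiner's own snapshot would otherwise show up as
# a change (the exact concern raised in the thread).
COMPARE_KEYS = ("size", "mode", "mtime", "ctime", "sha256")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256; hashing reads but never writes the file."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Record size, mode, MAC timestamps and SHA-256 for each regular file under root."""
    state = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()  # stat first, so recorded atime predates our own read
        state[str(p.relative_to(root))] = {
            "size": st.st_size,
            "mode": st.st_mode,
            "mtime": st.st_mtime,  # content last modified
            "atime": st.st_atime,  # last accessed (informational only)
            "ctime": st.st_ctime,  # inode/metadata last changed (POSIX meaning)
            "sha256": sha256_of(p),
        }
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify each path as added, removed, content-changed or metadata-only."""
    report = {"added": [], "removed": [], "content_changed": [], "metadata_only": []}
    for path in sorted(set(before) | set(after)):
        if path not in before:
            report["added"].append(path)
        elif path not in after:
            report["removed"].append(path)
        elif before[path]["sha256"] != after[path]["sha256"]:
            report["content_changed"].append(path)
        elif any(before[path][k] != after[path][k] for k in COMPARE_KEYS):
            report["metadata_only"].append(path)
    return report


def audit_entry(step: str, report: dict, examiner: str) -> dict:
    """Build one log record describing what the named step changed."""
    return {
        "utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "examiner": examiner,
        "step": step,
        "changes": report,
        "touched_count": sum(len(v) for v in report.values()),
    }


if __name__ == "__main__":
    # Usage: python live_audit.py <dir> <examiner>  (hypothetical file name)
    # Take a snapshot, pause for the examiner to run the collection tool,
    # snapshot again and print the log record as JSON.
    root, who = Path(sys.argv[1]), sys.argv[2]
    first = snapshot(root)
    input("Run the live-collection step now, then press Enter... ")
    second = snapshot(root)
    print(json.dumps(audit_entry("live collection", diff_snapshots(first, second), who), indent=2))
```

Run the snapshot from read-only media where possible and store the JSON record alongside the acquisition hashes; the record itself is the evidence that the examiner knew, and can show, what the live step modified.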
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

While I appreciate your reply, I am still interested in your post:

Remotely accessing a computer automatically introduces spoliation. If there is any chance of criminal or civil litigation, remote access (and certainly software installation) should not be performed.

I maintain that there is a growing list of circumstances where remote access (and software installation) is a necessity, and asserting that those actions should not be performed if there is any chance of criminal or civil litigation is a policy that needs to be reassessed. If people (examiners, attorneys, etc.) continue to beat the "dead box forensics is the only forensics" drum, with the changes in technology we are going to find ourselves with precious little admissible evidence to examine. Live forensics is no more or less defensible than dead forensics. There are plenty of examples of examiners botching and skillfully examining both.

As for spoliation, remotely accessing a computer may or may not introduce spoliation. While it is true that logs and the content of memory will change, that does not automatically lead to the willful destruction of evidence or the failure to preserve potential evidence for another's use in pending or future litigation. It may lead to spoliation, however leaving a system running, shutting a system off or just pulling the plug can also lead to spoliation. Every instance is unique and must be evaluated.

Digital forensics is different from physical forensics. Ours is a rapidly changing field that is different from, say, fingerprint examinations. While there may be new methods for finding prints, examiners are still dealing with the same ridges, lakes, deltas, etc. that they have been for years. Unless technology suddenly stagnates where there are no new media types for storing data, no new operating systems, no new -insert name of cool new tech phenomenon- on the Internet, examiners, attorneys and the courts and everyone else involved in the process will have to accept that digital evidence and the processes for capturing, processing and presenting it are and will continue to evolve.


   