
Original device no longer working

wotsits
(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

Recently the issue came up, what if years after a device was seized and examined that original device was no longer working, then how admissible would any evidence recovered from that device be?

Many investigations can go on for many years. Some SSDs for example can only hold the data on them for a finite period of a few years without being powered on before the data is lost.

Let's say at the beginning of the investigation you imaged said SSD and investigators recovered various pieces of evidence. Years later the matter went to trial but the original SSD no longer holds the original data.

Would the evidence recovered from it still be admissible? Or would the inability of the defense to be able to examine the original device render it effectively useless?

 
Posted : 12/05/2020 3:19 am
Rich2005
(@rich2005)
Posts: 534
Honorable Member
 

Going to be up to the court.
In many ways this is nothing new - in the sense that there are a variety of "live"/"volatile" things that might be captured but are "gone" immediately or shortly afterwards.
There's little difference between that and an image you've captured of an SSD that subsequently degrades.
Let's face it, in reality, in most scenarios, someone forensically examining a disk has raw access to it, prior to the image being taken. In almost every single case, the defence could argue that data has been wiped or placed on there, prior to imaging. So arguably every single case trusts the examiner to a significant degree.
Of course it's possible to imagine a particularly persuasive/forceful defence counsel persuading a judge that the evidence isn't admissible; however, a well prepared prosecution team should be able to explain the practical reasons why this happened, and isn't an indication of something untoward.
You've arguably got the same problem with garbage collection on SSDs anyway without waiting years (and therefore the recovery of data from unallocated areas).

 
Posted : 12/05/2020 8:22 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Going to be up to the court.
In many ways this is nothing new - in the sense that there are a variety of "live"/"volatile" things that might be captured but are "gone" immediately or shortly afterwards.

Yep, but with SSD's the point might pivot on "did the person actually responsible for the storage/repository do everything he/she could to keep the evidence in good condition?", think of "wet" forensics where some samples may need to be kept in refrigerator or however in controlled temperature/humidity/etc conditions.

Or - if you prefer - "shouldn't SSD's be connected to a power source from time to time?" (as part of "best practice").

Due to the peculiar nature of data persistence on unpowered SSD's the issue is different from that of the occasional hard disk that after a couple years in storage won't spin up anymore, we do know that data on SSD's is going to deteriorate after a given period of time if kept non powered. (how much exactly this period is is highly debatable and it is dependent on the SSD technology and possibly also on make/models).

Still having stored SSD's connected to a DC power supply with a timer that switches it on for - say - 5 minutes every 3 months or so would probably be not that bad an idea. ?

jaclaz

 
Posted : 12/05/2020 12:54 pm
wotsits
(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

Still having stored SSD's connected to a DC power supply with a timer that switches it on for - say - 5 minutes every 3 months or so would probably be not that bad an idea. ?

jaclaz

I'll take this with a big hint of sarcasm…

 
Posted : 13/05/2020 12:34 am
dega
(@dega)
Posts: 252
Reputable Member
 

Recently the issue came up, what if years after a device was seized and examined that original device was no longer working, then how admissible would any evidence recovered from that device be?

Many investigations can go on for many years. Some SSDs for example can only hold the data on them for a finite period of a few years without being powered on before the data is lost.

Let's say at the beginning of the investigation you imaged said SSD and investigators recovered various pieces of evidence. Years later the matter went to trial but the original SSD no longer holds the original data.

Would the evidence recovered from it still be admissible? Or would the inability of the defense to be able to examine the original device render it effectively useless?

It depends on the law. Last week a policeman and I made forensic copies of a few phones and a few hard disks, including an SSD.
I was there to represent the suspect. At the end of the job, we signed that the job had been done correctly, and the Prosecutor can return the things to my client.
I don't know how many years it will last. But the basic task has been done.

 
Posted : 13/05/2020 1:21 am
wotsits
(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

Recently the issue came up, what if years after a device was seized and examined that original device was no longer working, then how admissible would any evidence recovered from that device be?

Many investigations can go on for many years. Some SSDs for example can only hold the data on them for a finite period of a few years without being powered on before the data is lost.

Let's say at the beginning of the investigation you imaged said SSD and investigators recovered various pieces of evidence. Years later the matter went to trial but the original SSD no longer holds the original data.

Would the evidence recovered from it still be admissible? Or would the inability of the defense to be able to examine the original device render it effectively useless?

It depends on the law. Last week a policeman and I made forensic copies of a few phones and a few hard disks, including an SSD.
I was there to represent the suspect. At the end of the job, we signed that the job had been done correctly, and the Prosecutor can return the things to my client.
I don't know how many years it will last. But the basic task has been done.

That is clearly a different scenario to what most of us experience. In your example both defense and prosecution were there to verify the devices were copied at that time. I've never known this to happen and certainly where we are property remains seized until the matter is fully concluded.

 
Posted : 13/05/2020 4:42 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Still having stored SSD's connected to a DC power supply with a timer that switches it on for - say - 5 minutes every 3 months or so would probably be not that bad an idea. ?

jaclaz

I'll take this with a big hint of sarcasm…

You shouldn't.

https://blog.korelogic.com/blog/2015/03/24#ssds-evidence-storage-issues

Mind you, I am not saying that it will happen or that it will happen commonly, I am saying that it can happen and the position of someone that is legally responsible for the keeping of evidence might become a "tight" one.

So I wouldn't be too surprised if the good people that forced ISO 17025 down the throat of UK forensics examiners would come out with some definite, stringent, set of requirements for the preservation and storage of digital evidence, after all it remains part of "quality assurance".

jaclaz

 
Posted : 13/05/2020 10:02 am
minime2k9
(@minime2k9)
Posts: 474
Honorable Member
 

So I wouldn't be too surprised if the good people that forced ISO 17025 down the throat of UK forensics examiners would come out with some definite, stringent, set of requirements for the preservation and storage of digital evidence, after all it remains part of "quality assurance".

jaclaz

You get around it by stating that you retain the image files of the evidence.
You just use 17025 logic throughout the process
We validated (in some sense) imaging of these devices.
We back up these and can show they are the same when we get them back.

If they ask what happens if something went wrong during imaging, you can say it's an ISO 17025 process and therefore infallible lol

Edit
It should be noted that 17025 has many attributes of a religion and, like most religions, it covers up its own flaws and inconsistencies well.

 
Posted : 13/05/2020 10:47 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Edit
It should be noted that 17025 has many attributes of a religion and, like most religions, it covers up its own flaws and inconsistencies well.

Yep, and religions tend to have commandments (or similar "good practice advice" that is mandatory), even if usually religions have fewer commandments and they are more clear and easy to apply.

Now, the prophets of the ISO religion applied arbitrarily to digital forensics the ISO 17025 commandment.

Why not also apply - say - the ISO 13485 or the ISO 11930 to digital forensics?

jaclaz

 
Posted : 13/05/2020 11:33 am
wotsits
(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

Still having stored SSD's connected to a DC power supply with a timer that switches it on for - say - 5 minutes every 3 months or so would probably be not that bad an idea. ?

jaclaz

I'll take this with a big hint of sarcasm…

You shouldn't.

https://blog.korelogic.com/blog/2015/03/24#ssds-evidence-storage-issues

Mind you, I am not saying that it will happen or that it will happen commonly, I am saying that it can happen and the position of someone that is legally responsible for the keeping of evidence might become a "tight" one.

So I wouldn't be too surprised if the good people that forced ISO 17025 down the throat of UK forensics examiners would come out with some definite, stringent, set of requirements for the preservation and storage of digital evidence, after all it remains part of "quality assurance".

jaclaz

How in the world would you imagine that being implemented?

By way of example the last LEA I worked for seized some 15,000 computers, phones and HDs in one year. That's ONE LEA, in ONE year, several years ago. The number is probably at least double now given the increase in cyber enabled crime and the ever increasing numbers of digital devices.

To cope with this let's say they rent some huge aircraft hangar sized warehouse with all these rows of power outlets and all these thousands of devices connected with these little timers. Some technician watches over this cache and then whenever they flash on every few months he makes a note on the register to say said device is still working for another 3 months. All those power outlets and electric current in one place would make it a huge fire risk, so you'd also need 24 hour security and fire safety otherwise all those cases are going to be lost, not to mention facing a huge compensation claim under the Police Property Act for all the lost property!

How much would all that cost? With the public budgets these days, do you have any idea how difficult it is just to get a simple equipment request approved!

 
Posted : 14/05/2020 2:12 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

To cope with this let's say they rent some huge aircraft hangar sized warehouse with all these rows of power outlets and all these thousands of devices connected with these little timers. Some technician watches over this cache and then whenever they flash on every few months he makes a note on the register to say said device is still working for another 3 months. All those power outlets and electric current in one place would make it a huge fire risk, so you'd also need 24 hour security and fire safety otherwise all those cases are going to be lost, not to mention facing a huge compensation claim under the Police Property Act for all the lost property!

How much would all that cost? With the public budgets these days, do you have any idea how difficult it is just to get a simple equipment request approved!

It doesn't work like that.

You don't need to check every three months that the device is actually working and you don't need to power the 15,000 devices all together during the SAME 5 minutes every three months.

The (hypothetical) directive says that you need to power each SSD device for at least five minutes no less than three months apart.

That means that you can do that with a single power supply that can have (365 days, 24 h/day, 11 cycles per hour [1]) 11*24*365=96360 cycles per year or - in a more common working year (220 days, 8 h/day, 11 cycles per hour) 11*8*220=19360.

In other words you can respect the directive for 15,000 devices (and of course you need anyway the space to store them when you store them unpowered) with the electrical power that a single power supply uses or with 15,000 power supplies (and 15,000 switches/timers).

In practice, it would make more sense to group devices in clusters of - say - 50 or 100 devices, which would bring down the need for switches, 3,000 or 1,500 of them (which can be simple relays) and raise the instant consumption to that of 50 or 100 devices, let's say 100*2 A @ 5 V or 10 W, something in the order of magnitude of 1 kW, let us double that for losses and whatever and you have 2 kW which is less than the minimal contract you can have with the electricity supplier.

If we go back to the directives commonly in use for keeping products that need refrigeration (like food or medicines besides "wet forensics" samples/evidence) the requirements are "simple"
1) the goods must be kept at a temperature of no more than - say - 4° C
2) the refrigerator, if powered off should be able to keep a temperature between 4 C° and 0 C° for at least n hours
3) at least once a day (or even more frequently depending on the specific) the temperature of the refrigerator needs to be checked and its value annotated in a registry [2]

Also, since these goods are moved, there is the so-called Cold chain
https://en.wikipedia.org/wiki/Cold_chain
Every time you eat a steak, you should appreciate that *someone* noted down the temperature of the various refrigerated containers in which it has been at least once for each container and at least once daily since it was still part of the living cow.

Yet, the slaughterhouses, transporters, butchers, restaurant chefs, etc. do not make any fuss about that.

jaclaz

[1] not 12, to account for switching times.
[2] with ISO 17025 you would need additionally to have a set of thermometers and periodically exchange them so that, once or twice a year you can have them calibrated and re-certified in an authorized laboratory

 
Posted : 14/05/2020 10:37 am
Rich2005
(@rich2005)
Posts: 534
Honorable Member
 

I was curious about this SSD deterioration thing and it doesn't sound quite as simple as made out in the article cited.

I'm still reading, trying to find better articles, but there seems to have been a lot of misunderstanding about the data retention ability, based on a JEDEC presentation about drives that are at their end of their life rather than new.

It seems like 1 year is the standard for consumer drives at 30c and 3 months at 40c for enterprise without power (the lower the temperature the increasingly lower the degradation and the higher the past usage the worse the retention it seems).

I can see an SSD manufacturer citing in their documentation
"Data Retention 10 Years @ Life Begin; 1 Year @ Life End".

From what I've read so far, I suspect that, assuming that evidence is kept in a nice cold store (rather than a warm boiler room), or you've got a particularly knackered SSD, that you probably won't run into a data retention problem.

 
Posted : 14/05/2020 1:01 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

From what I've read so far, I suspect that, assuming that evidence is kept in a nice cold store (rather than a warm boiler room), or you've got a particularly knackered SSD, that you probably won't run into a data retention problem.

Sure it likely won't, the exercise is more about whether it can happen (and after what amount of time, if all trials would be concluded within 1/2 year or less it is a non-problem, if they take several years it may become one, and no, in this case "averages" don't count, we need to have ALL trials be concluded - at least up to the point when the technical debate is carried on - within the minimum expected lifetime, to be on the safe side).

jaclaz

 
Posted : 14/05/2020 7:33 pm
Rich2005
(@rich2005)
Posts: 534
Honorable Member
 

Sure it likely won't, the exercise is more about whether it can happen (and after what amount of time, if all trials would be concluded within 1/2 year or less it is a non-problem, if they take several years it may become one, and no, in this case "averages" don't count, we need to have ALL trials be concluded - at least up to the point when the technical debate is carried on - within the minimum expected lifetime, to be on the safe side).

jaclaz

I understand why you're considering/discussing it (rightly so - hence interested enough to search further).

Unless there's going to be an astronomic rise in the funding of the legal system, and police/high-tech crime, then expecting trials to be concluded (or even started) within a year is a complete non-starter (especially if you're talking start to finish). Some might be….but definitely not all. Over here anyway.

The further past the end of life/higher the usage of the SSD it appears the weaker the retention will be. I'm not sure you could put a sensible date on it to guarantee complete data extraction. I don't think manufacturers even guarantee that. I think it's just one of those situations which would require sensible guidelines for most cases (store in a cold room and then attempt to extract within a year ideally - for example). Once you have a forensic image, you've then got more protection, in that, to have a big problem, the argument would have to be the forensic image isn't valid/complete AND ALSO that there has been irrecoverable storage degradation material to the case.

This is the sort of thing that would really benefit from proper guidance from a panel of people who are experts in the real low-level physics/electronics of SSDs (perhaps via JEDEC) perhaps with the aid of some statisticians if necessary. Assuming they'll say 100% guaranteed recovery is something that doesn't exist - then it's probably in the realms of trying to consider all the factors involved - to achieve a very high probability of recovery in most cases (to give as a recommendation - rather than requirement). With perhaps a supplementary short document, with some further guidance on what happens in other scenarios, in plain English, that could be relied upon by judges to inform them, when considering the merit of arguments about data reliability/recovery.

 
Posted : 15/05/2020 9:49 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

This is the sort of thing that would really benefit from proper guidance from a panel of people who are experts in the real low-level physics/electronics of SSDs (perhaps via JEDEC) perhaps with the aid of some statisticians if necessary. Assuming they'll say 100% guaranteed recovery is something that doesn't exist - then it's probably in the realms of trying to consider all the factors involved - to achieve a very high probability of recovery in most cases (to give as a recommendation - rather than requirement). With perhaps a supplementary short document, with some further guidance on what happens in other scenarios, in plain English, that could be relied upon by judges to inform them, when considering the merit of arguments about data reliability/recovery.

Yep, and of course that depends on local laws and specific procedures needed or used, giandega made a reference

It depends on the law. Last week a policeman and I made forensic copies of a few phones and a few hard disks, including an SSD.
I was there to represent the suspect. At the end of the job, we signed that the job had been done correctly, and the Prosecutor can return the things to my client.
I don't know how many years it will last. But the basic task has been done.

to a procedure - I believe - that is called "incidente probatorio" in Italy, which is (or can be) done any time there are reasons why a given test cannot be repeated.

In the case giandega related the reason is that the device(s) have to be returned to the suspect, but it is very common in "wet forensics" where - example - the amount of found DNA is enough for only one test.

Italian Wikipedia (not too bad via Google Translate), though classroom is of course courtroom
https://it.wikipedia.org/wiki/Incidente_probatorio

https://translate.google.it/translate?hl=en&tab=wT&sl=it&tl=en&u=https%3A%2F%2Fit.wikipedia.org%2Fwiki%2FIncidente_probatorio

Normally, Italian procedural law provides that all the elements collected during the preliminary investigation phase in the preliminary investigation phase supervised by the investigating judge may not be used later in the classroom debates. Instead with the evidentiary incident the public prosecutor (also at the request of the offended person) and the defense of the suspect may request the early assumption of the means of proof in the phases preceding the hearing. In addition to the magistrate, this is an investigation session in which legal representatives and consultants from various parties participate, and which, unlike normal investigative documents, has evidence that can be used directly in a possible process as if it were a hearing procedural, and is therefore by its nature, a "crystallized" and non-repeatable test.

In simpler words, with the evidentiary incident it is required to acquire a proof ("form" a proof) already during the preliminary investigation phase (or in the preliminary hearing) before these are concluded and the trial phase opens; evidence that subsequently, and possibly, it will be brought before the judge or the GUP.

This procedure is chosen when there are potential time limitations related to the formation of the test and therefore you do not want to postpone it for a future trial, as you want to avoid the risk that, with the passage of time, the source of evidence will be compromised or the authenticity of the test itself is lost. This procedure takes place more rarely than normal investigative measures, or in any case in an extraordinary way, and for this reason it is called "accident".

etc.

jaclaz

 
Posted : 15/05/2020 11:33 am