
Original device no longer working

(@wotsits)
Reputable Member
Joined: 10 years ago
Posts: 253
Topic starter  

Recently the issue came up, what if years after a device was seized and examined that original device was no longer working, then how admissible would any evidence recovered from that device be?

Many investigations can go on for many years. Some SSDs for example can only hold the data on them for a finite period of a few years without being powered on before the data is lost.

Let's say at the beginning of the investigation you imaged said SSD and investigators recovered various pieces of evidence. Years later the matter went to trial but the original SSD no longer holds the original data.

Would the evidence recovered from it still be admissible? Or would the inability of the defense to be able to examine the original device render it effectively useless?


   
(@rich2005)
Honorable Member
Joined: 18 years ago
Posts: 541
 

Going to be up to the court.
In many ways this is nothing new - in the sense that there are a variety of "live"/"volatile" things that might be captured but are "gone" immediately or shortly afterwards.
There's little difference between that and an image you've captured of an SSD that subsequently degrades.
Let's face it, in reality, in most scenarios, someone forensically examining a disk has raw access to it, prior to the image being taken. In almost every single case, the defence could argue that data has been wiped or placed on there, prior to imaging. So arguably every single case trusts the examiner to a significant degree.
Of course it's possible to imagine a particularly persuasive/forceful defence counsel persuading a judge that the evidence isn't admissible however a well prepared prosecution team should be able to explain the practical reasons why this happened, and isn't an indication of something untoward.
You've arguably got the same problem with garbage collection on SSDs anyway without waiting years (and therefore the recovery of data from unallocated areas).


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 17 years ago
Posts: 5133
 

> Going to be up to the court.
> In many ways this is nothing new - in the sense that there are a variety of "live"/"volatile" things that might be captured but are "gone" immediately or shortly afterwards.

Yep, but with SSD's the point might pivot on "did the person actually responsible for the storage/repository do everything he/she could to keep the evidence in good condition?"; think of "wet" forensics where some samples may need to be kept in a refrigerator or in any case in controlled temperature/humidity/etc. conditions.

Or - if you prefer - "shouldn't SSD's be connected to a power source from time to time?" (as part of "best practice").

Due to the peculiar nature of data persistence on unpowered SSD's the issue is different from that of the occasional hard disk that after a couple years in storage won't spin up anymore, we do know that data on SSD's is going to deteriorate after a given period of time if kept non powered. (how much exactly this period is is highly debatable and it is dependent on the SSD technology and possibly also on make/models).

Still having stored SSD's connected to a DC power supply with a timer that switches it on for - say - 5 minutes every 3 months or so would probably be not that bad an idea.

jaclaz


   
(@wotsits)
Reputable Member
Joined: 10 years ago
Posts: 253
Topic starter  

> Still having stored SSD's connected to a DC power supply with a timer that switches it on for - say - 5 minutes every 3 months or so would probably be not that bad an idea.
>
> jaclaz

I'll take this with a big hint of sarcasm…


   
 dega
(@dega)
Reputable Member
Joined: 10 years ago
Posts: 265
 

> Recently the issue came up, what if years after a device was seized and examined that original device was no longer working, then how admissible would any evidence recovered from that device be?
>
> Many investigations can go on for many years. Some SSDs for example can only hold the data on them for a finite period of a few years without being powered on before the data is lost.
>
> Let's say at the beginning of the investigation you imaged said SSD and investigators recovered various pieces of evidence. Years later the matter went to trial but the original SSD no longer holds the original data.
>
> Would the evidence recovered from it still be admissible? Or would the inability of the defense to be able to examine the original device render it effectively useless?

It depends on the law. Last week a policeman and I made forensic copies of a few phones and a few hard disks, including an SSD.
I was there to represent the suspect. At the end of the job, we signed that the job had been done correctly, and the Prosecutor can return the things to my client.
I don't know how many years it will last. But the basic task has been done.


   
(@wotsits)
Reputable Member
Joined: 10 years ago
Posts: 253
Topic starter  

> > Recently the issue came up, what if years after a device was seized and examined that original device was no longer working, then how admissible would any evidence recovered from that device be?
> >
> > Many investigations can go on for many years. Some SSDs for example can only hold the data on them for a finite period of a few years without being powered on before the data is lost.
> >
> > Let's say at the beginning of the investigation you imaged said SSD and investigators recovered various pieces of evidence. Years later the matter went to trial but the original SSD no longer holds the original data.
> >
> > Would the evidence recovered from it still be admissible? Or would the inability of the defense to be able to examine the original device render it effectively useless?
>
> It depends on the law. Last week a policeman and I made forensic copies of a few phones and a few hard disks, including an SSD.
> I was there to represent the suspect. At the end of the job, we signed that the job had been done correctly, and the Prosecutor can return the things to my client.
> I don't know how many years it will last. But the basic task has been done.

That is clearly a different scenario to what most of us experience. In your example both defense and prosecution were there to verify the devices were copied at that time. I've never known this to happen and certainly where we are property remains seized until the matter is fully concluded.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 17 years ago
Posts: 5133
 

> > Still having stored SSD's connected to a DC power supply with a timer that switches it on for - say - 5 minutes every 3 months or so would probably be not that bad an idea.
> >
> > jaclaz
>
> I'll take this with a big hint of sarcasm…

You shouldn't.

https://blog.korelogic.com/blog/2015/03/24#ssds-evidence-storage-issues

Mind you, I am not saying that it will happen or that it will happen commonly, I am saying that it can happen and the position of someone that is legally responsible for the keeping of evidence might become a "tight" one.

So I wouldn't be too surprised if the good people that forced ISO 17025 down the throat of UK forensics examiners would come out with some definite, stringent, set of requirements for the preservation and storage of digital evidence, after all it remains part of "quality assurance".

jaclaz


   
minime2k9
(@minime2k9)
Honorable Member
Joined: 14 years ago
Posts: 481
 

> So I wouldn't be too surprised if the good people that forced ISO 17025 down the throat of UK forensics examiners would come out with some definite, stringent, set of requirements for the preservation and storage of digital evidence, after all it remains part of "quality assurance".
>
> jaclaz

You get around it by stating that you retain the image files of the evidence.
You just use 17025 logic throughout the process.
We validated (in some sense) imaging of these devices.
We back up these and can show they are the same when we get them back.

If they ask what happens if something went wrong during imaging, you can say it's an ISO 17025 process and therefore infallible lol

Edit
It should be noted that 17025 has many attributes of a religion and, like most religions, it covers up its own flaws and inconsistencies well.


   
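The "can show they are the same when we get them back" step in the post above is normally demonstrated by hash comparison; the following is an added example, not part of any poster's message or any lab's actual procedure. It records a whole-image SHA-256 plus per-segment hashes at acquisition, then re-verifies a retrieved copy and reports which segments changed or are missing. The segment size, function names and sample bytes are constructed for illustration.

```python
import hashlib
import io

SEGMENT_SIZE = 4096  # assumed demo value; real images would use far larger segments


def acquisition_record(stream, segment_size=SEGMENT_SIZE):
    """Hash the whole image and each fixed-size segment in one pass."""
    whole = hashlib.sha256()
    segments = []
    while True:
        block = stream.read(segment_size)
        if not block:
            break
        whole.update(block)
        segments.append(hashlib.sha256(block).hexdigest())
    return {"segment_size": segment_size,
            "sha256": whole.hexdigest(),
            "segments": segments}


def verify_copy(stream, record):
    """Return (whole_image_matches, indexes of segments that differ or are missing)."""
    now = acquisition_record(stream, record["segment_size"])
    old_segs, new_segs = record["segments"], now["segments"]
    damaged = [i for i, (a, b) in enumerate(zip(old_segs, new_segs)) if a != b]
    # A truncated or extended copy: every unpaired segment counts as damaged.
    shorter, longer = sorted((len(old_segs), len(new_segs)))
    damaged.extend(range(shorter, longer))
    return now["sha256"] == record["sha256"], damaged


# Constructed sample data standing in for an evidence image (16 KiB, 4 segments).
IMAGE = bytes(range(256)) * 64
RECORD = acquisition_record(io.BytesIO(IMAGE))

# Constructed failure cases: one flipped byte, and a truncated backup.
DEGRADED = bytearray(IMAGE)
DEGRADED[9000] ^= 0x01
TRUNCATED = IMAGE[:10000]

if __name__ == "__main__":
    for name, data in [("intact", IMAGE), ("degraded", bytes(DEGRADED)), ("truncated", TRUNCATED)]:
        ok, damaged = verify_copy(io.BytesIO(data), RECORD)
        print(f"{name}: whole-image match={ok}, damaged segments={damaged}")
```

Per-segment hashes matter here because a single whole-image mismatch says nothing about how much of a degraded backup is still usable; the segment list bounds the damage.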
jaclaz
(@jaclaz)
Illustrious Member
Joined: 17 years ago
Posts: 5133
 

> Edit
> It should be noted that 17025 has many attributes of a religion and, like most religions, it covers up its own flaws and inconsistencies well.

Yep, and religions tend to have commandments (or similar "good practice advice" that is mandatory), even if usually religions have fewer commandments and they are more clear and easy to apply.

Now, the prophets of the ISO religion applied arbitrarily to digital forensics the ISO 17025 commandment.

Why not also apply - say - the ISO 13485 or the ISO 11930 to digital forensics?

jaclaz


   
(@wotsits)
Reputable Member
Joined: 10 years ago
Posts: 253
Topic starter  

> > > Still having stored SSD's connected to a DC power supply with a timer that switches it on for - say - 5 minutes every 3 months or so would probably be not that bad an idea.
> > >
> > > jaclaz
> >
> > I'll take this with a big hint of sarcasm…
>
> You shouldn't.
>
> https://blog.korelogic.com/blog/2015/03/24#ssds-evidence-storage-issues
>
> Mind you, I am not saying that it will happen or that it will happen commonly, I am saying that it can happen and the position of someone that is legally responsible for the keeping of evidence might become a "tight" one.
>
> So I wouldn't be too surprised if the good people that forced ISO 17025 down the throat of UK forensics examiners would come out with some definite, stringent, set of requirements for the preservation and storage of digital evidence, after all it remains part of "quality assurance".
>
> jaclaz

How in the world would you imagine that being implemented?

By way of example the last LEA I worked for seized some 15,000 computers, phones and HDs in one year. That's ONE LEA, in ONE year, several years ago. The number is probably at least double now given the increase in cyber enabled crime and the ever increasing numbers of digital devices.

To cope with this let's say they rent some huge aircraft hangar sized warehouse with all these rows of power outlets and all these thousands of devices connected with these little timers. Some technician watches over this cache and then whenever they flash on every few months he makes a note on the register to say said device is still working for another 3 months. All those power outlets and electric current in one place would make it a huge fire risk, so you'd also need 24 hour security and fire safety otherwise all those cases are going to be lost, not to mention facing a huge compensation claim under the Police Property Act for all the lost property!

How much would all that cost? With the public budgets these days, do you have any idea how difficult it is just to get a simple equipment request approved!


   