
Please, help to resolve this.

(@trewmte)
Posts: 1877
Noble Member
 

Mick can you confirm exactly which

(I) Legislation has been breached relevant to your country by reference to the Law title/Clause etc.?
(II) Regulation/s that have been breached by the officer's conduct?
(III) Law Enforcement Procedures that have been breached by the officer's conduct?

 
Posted : 03/07/2017 1:01 am
(@mickarneke)
Posts: 53
Trusted Member
Topic starter
 

Legally? Where? In Africa? Maybe…

An (admittedly very) old N.Y. (United States of America) case, JFYI
https://www.cnet.com/news/electronic-evidence-anchors-porn-case/

jaclaz

You want proofs of tampering - they exist - but they are indirect analysis, i.e. Windows registry values with no Windows in existence mentioned, nor its version, etc., and many others…

But you are unable to go further in your forensic examination, because of lack of hash values, and inability to obtain copies of the images.

You accept that the lack of hash on acquisition + lack of complete [and methodologically correct] hashes from the lab are permissible in court today?

Your proposition for further forensic examination of the tampering, without the digital copies in presence?

 
Posted : 03/07/2017 1:05 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

You accept that the lack of hash on acquisition + lack of complete [and methodologically correct] hashes from the lab are permissible in court today?

I don't "accept" anything (nor am I in a position to "accept" even if I wanted to), you just showed us an example where this actually happened, and I showed you a not-so-different case that also actually happened.
Maybe a similar case never happened in your country (or in mine) but seemingly they can happen and not only - as you hinted - in a third world country.

The methods and procedures (that in some countries may well be strictly dictated by Law) that you use daily may not be the "only" way all over the world or they may be in other countries mere recommendations, "best practices" or academic (or industry) de facto standards, while still not being mandatory.

I am trying to help you free yourself of your current (as said understandable) indignation to (hopefully) see the case with some detachment.

You seem to be focused on the malpractices in the handling of the evidence, which in some cases may be only formal or however tolerated by the local Law (or - possibly lower - standards), what I was proposing you was to try treating the case assuming - temporarily - that such malpractices didn't actually invalidate the evidence or didn't substantially alter it, and look instead for what actually can be found on the devices, and whether what is found has been "planted".

It is extremely difficult AFAICT to "plant" evidence without leaving some traces.

Your proposition for further forensic examination of the tampering, without the digital copies in presence?

Ah well, if there is nothing to examine it will be hard to examine (further) anything, but if such images existed and were available, a scientific way to examine them would be to find any evidence that can be gathered from them including (but not limited to) evidence of tampering with their contents.

jaclaz

 
Posted : 03/07/2017 1:37 am
(@mickarneke)
Posts: 53
Trusted Member
Topic starter
 

Mick can you confirm exactly which

(I) Legislation has been breached relevant to your country by reference to the Law title/Clause etc.?
(II) Regulation/s that have been breached by the officer's conduct?
(III) Law Enforcement Procedures that have been breached by the officer's conduct?

I will not do this. You know why I'm unable to do this. )
Just ask yourself where, in a civilized court, a judge will accept a forensic EnCase evidence file without matching hashes. If this acceptance without hashes is valid for the UK, then ask yourself:

* How is the genuineness of the evidence supported by missing hashes? How else must this genuineness be proved - by a declaration of good faith?
* What image copies will the defense be able to obtain, without proof that the data is digitally the same data from the day of its acquisition? Remember that the right to obtain copies is a basic right of the defense, and not satisfying this is a breach of the European Convention on Human Rights, Article 6.
* The defense is not obliged to prove - the prosecution is obliged to prove its accusations - what kind of proof may exist without clear forensic evidence of the genuineness of the digital data? Without valid digital data, what case exists at all?

Actually, I do not think that any competent forensic specialist exists today who ignores the correct hash procedure in his work.

P.S. How many forensic specialists, testifying in court, do you know who

* accept before a judge, openly and vocally, that they worked on the defendant's computer, without a blocker, with a USB storage device attached, consistently opening files on the target computer, for 4 hours
* accept before a judge, openly and vocally, that they were working on the defendant's computer, opening files and changing file attributes, while also vocally and openly declaring that the file date/time stamps they changed are an "irrelevant thing", of no matter whatsoever
* accept that hash on acquisition is not an important thing - more important is to put the defendant in jail immediately

and are NOT eaten to the bone immediately by the defense lawyers? You need penal code articles for why they will be eaten?

We know all these details - we asked people there. Do not think that if you live in a [in some way] modern country, the rest do too. They do not.

 
Posted : 03/07/2017 5:51 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

Just make a decision. The facts in raw are clear.

 
Posted : 03/07/2017 9:32 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

Do you need further help?

 
Posted : 04/07/2017 8:54 pm
(@mickarneke)
Posts: 53
Trusted Member
Topic starter
 

Do you need further help?

I am just patiently re-reading all the opinions here, waiting for more. And thinking.
Actually, the situation today for me [and for us, as a lab] has become absolutely clear. We are in the process of making important decisions. The frame takes shape today.
No bad feelings towards me at all. My job is secure.

From a third person we hear that the national ombudsman's human rights team will immediately sue the two officers and their lab in court [defendant's country]. I do not know for sure whether it is true or not.

Thank you for your interest.

 
Posted : 04/07/2017 9:17 pm
(@mickarneke)
Posts: 53
Trusted Member
Topic starter
 

I reread some things here, and wish to comment on some points:

jaclaz wrote, p.3, here

“…2) the disk can only be accessed through a write blocker for imaging it.
This is a common (and correct and smart) procedure, but it is not necessarily "vital" for the integrity of the image (as an example a read only OS or a software write blocker may be used) and even if the integrity of the image cannot be guaranteed, that doesn't mean that - say - changing a disk signature in the MBR (or changing a key in the Registry) creates out of nowhere tens or hundreds of compromising e-mails, images, logs, etc., some (usually minor) modifications to the file system may compromise finding some files, but it won't create them.”

IT IS totally untrue! Details:

- Here, we speak about putting someone’s USB key in the defendant's computer, without a blocker. We are not talking about making an image without using a blocker [which also is not OK at all]! And working with this USB key in, for 4 hours! Even by the standards of 2014, USB capacities are huge. Based on the case frame here, there is no need to transfer e-mails or to make extensive modifications or sophisticated tampering - it is enough to transfer 20 files, put 1000-2000 in the unallocated space + put logs, or whole directories from 3 or 4 software packages, to put one man in jail for knowledgeable “possession”. Moreover, by implanting one p2p search-terms file and adding one “known.met” and “shareddir.dat” file from someone else's computer, the “intention of possession” clause is already ready for court presentation.

“And if you think a bit about it, the whole chain of custody (perfectly and continuously maintained) is only as reliable as the officer in charge of it is reliable, for a given time frame in the chain the device is in the hands of someone (or of someone else), and there is a presumption that this someone (or someone else) is honest, capable and properly trained and would never (intentionally or by accident) contaminate or tamper with a piece of evidence.
But the point remains whether there is proof of contamination (or tampering) or there is not.”

NOT TRUE at all!

First - in this case, there is a mass of evidence of tampering, existing in each and every one of the defendant’s confiscated HDDs. Second, like I wrote, the protocol of confiscation has 3 HDDs that are invalid for various reasons - i.e. one of them has an invalid serial and model number - i.e. it does not exist in reality - and there is a forensic exam result from this HDD!! At least in my country, there is no evidence HDD “forgotten” in someone’s car, especially not sealed, and especially in the back seat of the car, with one of the officers' notebook to the right of them, and traveling with this open and unsealed bag [with the HDD evidence in it] for 4-5 hours. Moreover, I personally do not know from my practice of an officer admitting in court that he, AND AFTER the acquisition ended, made more “investigations” of the confiscated HDDs [they must, presumably, already be sealed].
A confiscated HDD here, in my country, is a sealed forensic package - nobody forgets it in his car, even for a minute - they do not travel to the sea for sunbathing with their forensic material waiting in the car.

 
Posted : 11/07/2017 9:25 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I reread some things here, …

No, you haven't (or you did not fully understand the meaning of my notes), I was NOT at all commenting on your specific case.

In your country, like in every other country, you rely mainly on the integrity of the forensic investigators and examiners, the "sealed" bag that you are so proud of is periodically unsealed and resealed by the investigator or by the examiner, all handling is done by either the investigator or the examiner, the imaging is done by the examiner, etc., and the procedures are generally very UNLIKE those used for - say - launching a nuclear missile or "two man rule"
https://en.wikipedia.org/wiki/Two-man_rule

and rest assured that in your country, like in every other country, a determined "crook" (examiner or investigator) can alter evidence every which way you can imagine (and also a few that you cannot even imagine), the difference being that in these (hopefully rare) cases it is done "professionally", leaving no traces, and surely without telling about it in Court.

jaclaz

 
Posted : 11/07/2017 9:59 pm
(@mickarneke)
Posts: 53
Trusted Member
Topic starter
 

I'm not able to believe this - they go to another lab, same story. But the second lab cut them short in a heartbeat.
Most important - the second lab will sue all of them by name, and will make a statement to various European agencies.

More details come through the second lab - we talk to them. They are contacted now by a businessman (not an official person now) who wants to help two of his police relatives… but the same story. By the way - the money they proposed to the second lab was much, much more.

And more technical details surface - actually, a third person, not a member of the acquisition team, takes the HDDs with him, and for some hours there is a gap, where these disks go…

And more, more forensics details too.

@jaclaz, pls no more generalities ) and mentoring tone. )

 
Posted : 27/07/2017 7:55 am
Page 3 / 9