Previewing or Imaging

(@amicus)
Trusted Member
Joined: 18 years ago
Posts: 32
Topic starter  

Recently I have conducted a number of examinations where the law enforcement agency has completed their entire examination using EnCase in preview mode. They justify their examination method saying that due to the increasing size of hard drives, it is now becoming impractical to image them.

I am a bit concerned from an evidential point of view that if, for some reason, the drive becomes corrupted/unusable while they are examining it, either physically or electronically, then the drive cannot be further examined to prove or disprove what has been asserted.

I am interested in what people's opinions are with regard to the above practice, and whether the current international standards (ACPO and NIJ) are still that which should be adhered to.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Recently I have conducted a number of examinations where the law enforcement agency has completed their entire examination using EnCase in preview mode. They justify their examination method saying that due to the increasing size of hard drives, it is now becoming impractical to image them.

Okay. This has been an issue for a while.

I am a bit concerned from an evidential point of view that if, for some reason, the drive becomes corrupted/unusable while they are examining it, either physically or electronically, then the drive cannot be further examined to prove or disprove what has been asserted.

It's unlikely (albeit possible) that the drive will become physically damaged during the preview process. Electronic failures of the drive can be fixed.

I am interested in what people's opinions are with regard to the above practice, and whether the current international standards (ACPO and NIJ) are still that which should be adhered to.

Too often, LE or federal "standards" lag. There are those of us in IR who have been doing this for some time.

But keep in mind, it really depends on what you're doing. If you're looking for an artifact of some kind…keyword, specific file, or some other "tool mark" that indicates that the system being previewed is "of interest", then this is a very useful technique. Say there's an infrastructure with 300 workstations and some servers; by the time you get done imaging all 300 workstations, you're days/weeks into the process and still haven't provided answers to the customer/victim.

This is no different from what happens in the real world…if a residence gets broken into, other nearby homes may be checked for similar signs. If none are found, there's no reason to establish or expand the crime scene.


   
(@angrybadger)
Estimable Member
Joined: 18 years ago
Posts: 164
 

From the current ACPO guidelines (version 4):

In order to comply with the principles of computer-based electronic evidence, wherever practicable, an image should be made of the entire target device. Partial or selective file copying may be considered as an alternative in certain circumstances e.g. when the amount of data to be imaged makes this impracticable. However, investigators should be careful to ensure that all relevant evidence is captured if this approach is adopted.

I get the impression that there is an increase in the amount of previewing being used mainly as a triage process.
However I'd hope that if anything interesting is found then the whole drive is imaged and given the full going over.


   
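The ACPO wording quoted above allows selective copying but insists that investigators be able to show all relevant evidence was captured. A worked example of what that looks like in practice, added here and not taken from any post in this thread or from the guidelines themselves: a small Python logical-acquisition routine that inventories every file on the source (so the record shows what was present but not exported), copies only the selected files, re-hashes each copy against its source, and writes a manifest.json alongside the export. The examiner identifier and the sample files are constructed placeholders.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large exports are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire_selected(source_dir, dest_dir, selector, examiner="EXAMINER-ID-PLACEHOLDER"):
    """Selective (logical) acquisition with a contemporaneous record.

    Every file under source_dir is inventoried (path, size, mtime, SHA-256)
    whether or not it is exported, so the manifest documents what else was
    present. Files for which selector(relative_path) is True are copied to
    dest_dir and the copy is re-hashed to prove it matches the source.
    `examiner` is a placeholder field a real workflow would fill in.
    """
    inventory, exported = [], []
    started = datetime.now(timezone.utc).isoformat()
    for root, _dirs, files in os.walk(source_dir):
        for name in sorted(files):
            src = os.path.join(root, name)
            rel = os.path.relpath(src, source_dir).replace(os.sep, "/")
            st = os.stat(src)
            entry = {
                "path": rel,
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(src),
            }
            inventory.append(entry)
            if selector(rel):
                dst = os.path.join(dest_dir, rel)
                os.makedirs(os.path.dirname(dst), exist_ok=True)
                shutil.copy2(src, dst)  # copy2 preserves timestamps on the copy
                copy_hash = sha256_file(dst)
                exported.append({**entry, "copy_sha256": copy_hash,
                                 "verified": copy_hash == entry["sha256"]})
    manifest = {
        "examiner": examiner,
        "source": os.path.abspath(source_dir),
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "files_present": len(inventory),
        "files_exported": len(exported),
        "inventory": inventory,
        "exported": exported,
    }
    with open(os.path.join(dest_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def demo():
    """Run the acquisition against a constructed source tree (not real evidence)."""
    work = tempfile.mkdtemp()
    src, dst = os.path.join(work, "source"), os.path.join(work, "export")
    os.makedirs(os.path.join(src, "cctv"))
    os.makedirs(dst)
    samples = {  # constructed sample content standing in for a surveillance export
        "cctv/cam1_0900.avi": b"\x00" * 4096,
        "cctv/cam2_0905.avi": b"\x01" * 2048,
        "notes.txt": b"unrelated text file\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(src, rel), "wb") as f:
            f.write(data)
    try:
        # export only the surveillance files, but inventory everything
        return acquire_selected(src, dst, lambda rel: rel.startswith("cctv/"))
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    m = demo()
    print(f"{m['files_exported']} of {m['files_present']} files exported; "
          f"all verified: {all(e['verified'] for e in m['exported'])}")
```

The point of the full inventory is the "no notes were kept" problem raised later in this thread: a manifest that lists every file present, not just those exported, lets an examiner later say what was and was not taken, and the per-file copy hashes let the other side check the export without the original drive.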
(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
 

We use the Preview only as a triage. We have had some LE clients who have tried to haggle with us so that we produce files exported during a preview as primary evidence. We have refused this on the basis that imaging first is standard/best practice. I think there was the thought that we were just doing this to justify a higher fee but it's just not worth the risk. It would concern me that any lab (LE or private) would use data from previews as a standard procedure.


   
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

We use the Preview only as a triage.

We do, as well. Commonly for the purpose of verifying user activity, date and time information, whether there has been any suspicious activity (what software recently installed, what programs recently run, what devices recently attached), etc.

We have had some LE clients who have tried to haggle with us so that we produce files exported during a preview as primary evidence.

I don't have much problem doing this, especially if this is a rush case and the hope is to limit further damage by producing the data quickly. I do this with FTK Imager regularly. An EnCase acquisition isn't particularly fast on a large device (neither is FTK for that matter), and oftentimes all I need is sufficient information to warrant a preservation order, subpoena, or to stave off one of these.

I wouldn't, however, agree to this if this was the "one bite of the apple".


   
4n6art
(@4n6art)
Reputable Member
Joined: 18 years ago
Posts: 208
 

I agree - with the size of drives now and the number of drives that are generally brought into labs for analysis - it is not inconceivable to triage them based on user, location the drive was found, etc., as it pertains to your case, as long as proper methods are in place to protect the integrity of the data and the drive itself.

Exporting certain files for quick review or for sending out subpoenas or PLs is fine. One can even export all the images and have a case officer quickly review them to see if there is anything of importance before a more in-depth analysis is undertaken on that drive itself.

I still feel that should anything of relevance be found, it is in the best interest of all for the Examiner to image that drive - it will mitigate any spoliation or contamination challenges in the future.

-=ART=-


   
neddy
(@neddy)
Estimable Member
Joined: 21 years ago
Posts: 182
 

We use the Preview only as a triage. We have had some LE clients who have tried to haggle with us so that we produce files exported during a preview as primary evidence. We have refused this on the basis that imaging first is standard/best practice. I think there was the thought that we were just doing this to justify a higher fee but it's just not worth the risk. It would concern me that any lab (LE or private) would use data from previews as a standard procedure.

And you are correct to stick to your guns in such a scenario.

Imaging first does not have to be standard practice, but the production of evidence will require that a full forensic image is acquired in order that a proper defence can be carried out.

Preview examinations are performed when there is little or no intel to suggest the exhibit can be considered a priority. In this scenario, preview exams help identify exhibits of relevance and can help exclude those of less or no importance. This helps the investigating officer to develop intel, where little or none existed, quickly and with less expense. LE agencies get a raw deal when contractors insist on standard/best practice protocols being applied carte blanche. The times are changing and a little more intuition needs to be applied to all digital media investigations.


   
(@amicus)
Trusted Member
Joined: 18 years ago
Posts: 32
Topic starter  

Thanks for all the great feedback. I am sorry if I gave the impression that imaging first was the only acceptable standard. My big concern is when the entire examination, which includes the extraction of files, recovery of images and any other work etc, is done entirely in preview mode. No imaging of the drive(s) has been undertaken.

I have had a recent instance where the LE agency copied data from a drive and burnt it to DVD. This was supplied to the defence as the complete set of files that had been found on the drive. It was of particular relevance as these files were from a surveillance system.

When the computer was returned to the subject, the drive was found to be faulty and a computer shop replaced it, not knowing that it was going to be needed for a future hearing. The lawyer and suspect thought the agency had fully examined the drive for evidence and did not know it had not been imaged.

When asked for the image of the subject drive, the defence were informed that the drive was never imaged and the files on the DVD were the only ones available.

Of course then the question arose of selective copying by the LE agency, but I won't go into that. No notes were kept by the examining officer and they could not say if these were the only files of interest on the drive.

This is not the first instance that I am aware of where an entire examination has been conducted in preview mode and the drive has failed for some reason after the examination.

I am of the opinion that if a drive is examined in preview mode for triage purposes etc and data is located that is of interest and will possibly be used in a court case, then the drive should be immediately imaged.

One case in particular that is before the court, is where 80 laptops and computers have been seized and evidence is being relied on, that has been recovered from the drives, as direct evidence in court. None of the drives have been imaged.

Thanks once again for all your input.


   
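The failed-drive case above is the argument for imaging as soon as material of interest turns up, and for an image whose integrity can be demonstrated later. An added example, not code from any poster here and not the behaviour of EnCase or FTK Imager: a Python acquisition routine that copies a seekable source (a regular file here; a block device in real use) chunk by chunk, hashes exactly the bytes written, re-reads the finished image to verify it, and writes a JSON acquisition log. Because the thread is about drives that fail, a read error does not abort the run: the unreadable chunk is zero-filled and its offset recorded, the same approach as dd's conv=noerror,sync. The FlakySource class is a constructed stand-in for a drive with one bad region; the sample data and paths are constructed too.

```python
import hashlib
import io
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB per read


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def image_stream(src, dst, chunk=CHUNK):
    """Copy src to dst from offset 0 to the end, hashing exactly the bytes written.

    A read that raises OSError is replaced by zeros of the same length and its
    offset is recorded, so one bad area neither aborts the acquisition nor
    silently shifts the data. src must be seekable (file, block device, BytesIO).
    """
    total = src.seek(0, os.SEEK_END)
    sha = hashlib.sha256()
    unreadable, offset = [], 0
    while offset < total:
        n = min(chunk, total - offset)
        src.seek(offset)
        try:
            data = src.read(n)
        except OSError:
            data = b"\x00" * n  # keep the image the same size; document the gap
            unreadable.append(offset)
        dst.write(data)
        sha.update(data)
        offset += n
    return {"bytes": total, "sha256": sha.hexdigest(), "unreadable_offsets": unreadable}


def hash_file(path, chunk=CHUNK):
    """Re-read a finished image from disk and hash it (the verification pass)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source_path, image_path, log_path, chunk=CHUNK):
    """Image source_path to image_path, verify the result and write a JSON log."""
    started = datetime.now(timezone.utc).isoformat()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        result = image_stream(src, dst, chunk)
    result["image_sha256"] = hash_file(image_path, chunk)
    result["verified"] = result["image_sha256"] == result["sha256"]
    record = {"source": source_path, "image": image_path, "started_utc": started,
              "finished_utc": datetime.now(timezone.utc).isoformat(), **result}
    with open(log_path, "w") as f:
        json.dump(record, f, indent=2)
    return record


class FlakySource(io.BytesIO):
    """Constructed stand-in for a drive with one unreadable region (demo only)."""

    def __init__(self, data, bad_offset):
        super().__init__(data)
        self.bad_offset = bad_offset

    def read(self, n=-1):
        if self.tell() == self.bad_offset:
            raise OSError("simulated unreadable sector")
        return super().read(n)


def demo_healthy_drive():
    """Image a constructed 16 KiB 'drive' file end to end; returns the log record."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "constructed_drive.bin")
    with open(source, "wb") as f:
        f.write(bytes(range(256)) * 64)
    try:
        return acquire(source, os.path.join(work, "evidence.dd"),
                       os.path.join(work, "acquisition.json"), chunk=4096)
    finally:
        shutil.rmtree(work)


def demo_bad_sector():
    """Image a constructed 10 KiB source whose second 4 KiB chunk is unreadable."""
    src = FlakySource(bytes(range(256)) * 40, bad_offset=4096)
    dst = io.BytesIO()
    return image_stream(src, dst, chunk=4096), dst.getvalue()
```

Running demo_healthy_drive() produces a verified image and a log with an empty unreadable_offsets list; demo_bad_sector() shows the other path, where the log records that offset 4096 could not be read. The log with the zero-filled offsets is what lets an examiner state later exactly which regions of the image are real data and which are padding, instead of discovering after the drive has been swapped out that nothing was preserved.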
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

I always try to image, no matter what.

I can pick up a 1TB SATA drive for less than $100. I spend that much in a Manhattan evening.

Which… leads me to another question… in another thread…


   
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

I am of the opinion that if a drive is examined in preview mode for triage purposes etc and data is located that is of interest and will possibly be used in a court case, then the drive should be immediately imaged.

In criminal cases, I can see no reason why LE would not want to preserve the evidence in its entirety in order not to risk the possibility of spoliation or destruction of evidence.

But, in my experience in both civil and criminal cases, the Courts have not always granted a party access to a forensic copy of the media in the absence of evidence to arguments as to why this is necessary. Triage can be an important part of building the case for a full forensic exam.

This having been said, I think that the producing party (whether it be LE or civil), is making a mistake by not taking steps to protect the evidence via a forensic image. It is one thing to argue that you shouldn't need to turn it over, but another to say that you couldn't even if you wanted to.


   
Page 1 / 3