In my forensic lab, there are a few cases (3-5 years old) that have since been completed per the client's request (full analysis and forensic report). Each of these cases may have an accompanying hard drive with evidence pertaining to an imaged PC or mobile device.
If I wanted to forensically wipe these hard drives and reuse them for whatever reason, what would be the proper procedure for doing so? Contacting the client and giving them a verbal notification would be the first step I believe…should they sign something as well that authorizes me to wipe the evidence? And if they should, can someone point me to a good template for that document/wiping agreement?
Also, if anyone is wondering, I would want to wipe the hard drives to make room for new forensic cases and their accompanying hard drives. Please also let me know your thoughts if you feel that 3-5 years is not long enough to wait before forensically wiping evidence from storage media.
Answering your last question first, how long is reasonable is determined by 2 things:
1. Whether you're a govt organisation or otherwise subject to legislated or regulated requirements for data retention; or
2. If you're in private practice, the terms of your contract for services with the client.
So on point 2, if you're asking these questions, I'm guessing this wasn't in your contract. This therefore is something you need to work out with your client, and may need to consult your lawyer about if you and your client can't come to an agreement. As a general principle though, always get a consent in writing, because a verbal agreement is worth the paper it's (not) written on.
(Not a lawyer, not legal advice.)
I am not from the US so US law may be different and you don't say what 'side' of the fence you are working on and if it is criminal or civil etc.
However, I would say it would depend on the type of case. If you had a murder case then 3-5 years for the Prosecution to retain the evidence I would not deem to be adequate. If it was defence, then 3-5 years may be acceptable since the Prosecution already have a retained copy.
If it's a civil IP theft issue involving a value of $20 then you would perhaps treat this differently to something that was $20,000,000, since the chances of 'come back' are far greater.
I would perhaps consider placing something in your original contract with the client/solicitor (assuming civil or corporate) regarding the data retention requirements, including billing them for the secure retention as well as giving an expectation for how long it would be retained. In some cases they may not wish you to retain it, or grant permission for you to retain it, beyond the case conclusion, so if you don't contact them they may never know you still have a copy.
Kind regards
Sorry Tony. It looks like our posts crossed!
If I wanted to forensically wipe these hard drives and reuse them for whatever reason, what would be the proper procedure for doing so? Contacting the client and giving them a verbal notification…
Well, you didn't say but, legally, to whom do the drives belong? The fact that they have been in your possession, even for this long, does not, necessarily, entitle you to dispose of them. Make sure to check the terms of your agreements with the clients and if there has not been an explicit transfer of ownership, make sure that you get it, or a release, in writing.
Is there any reason you cannot send them to the client with a bill and buy new ones?
Thanks for the helpful responses!
Our company is part of the business sector and NOT associated with any government organization. We charge X amount of dollars for a complete forensic imaging, analysis, and report. The cost of the evidence hard drives (these store the image of the client's PC, of course) are included in this X amount of dollars.
Our forensic agreement does not state that the client owns the evidence hard drives. It also does not state how long evidence hard drives will be stored after the forensic report is given to the client.
What is the industry standard on archive retention periods concerning evidence hard drives? In the 3rd post of this thread, Samr implies that the retention period varies on a case-by-case basis. Do I understand this correctly?
We first contact the client as to whether the data needs to still be preserved. If not, we send along a document requesting signatures authorizing us to delete the data. Once that is signed, we wipe the data accordingly.
As Gregg said, you should be doing some form of internal audit trail and CoC on the evidence container media. On page 4 of our long-form CoC we have a final disposal action that requires a sign-off by the client.
Retention periods should be discussed and met with compliance and/or litigation concerns. Sometimes the data might be required to be maintained for up to ten years. If the forensic recovery is the only thing left of data that is compliance regulated, talk to the client about retention plans.
Another thing you should ascertain from the client is their internal records retention policy for paper documents for business continuity and for docs that get involved in litigation. Try to have the electronic record retention be in order with paper document retention (see Zubulake v. UBS Warburg).
Data storage is a cost-of-doing-business expense, so you have to balance your internal policy with client needs and all associated costs. Don't feel bad about telling the client that they have to pony up for storage outside of the case workflow, particularly in cases that go on for years.
So don't look at it as the industry standard for time - there is none. It is an agreed-upon time frame that you make with the client, balancing your costs, their costs, compliance regulation, litigation time frame, and the client's retention policy.
And, compression is your friend. FTK Imager rocks for this for archiving multiple disk images onto preservation drives.
Our forensic agreement does not state that the client owns the evidence hard drives. It also does not state how long evidence hard drives will be stored after the forensic report is given to the client.
Well, assuming that you follow a standard procedure in which the drives that you retain are the originals, legally they remain the property of the original owners, and I, for one, would not destroy their contents without written authorization from the owner, a court of appropriate jurisdiction, or an authorized agent of the owner.
If they are your drives, then ownership is not the issue but there may be other concerns as well. In particular, if you were not a party to the action you may not be aware of the terms under which the actual parties are operating and what actions/agreements may be binding upon you as custodian of their data.
What is the industry standard on archive retention periods concerning evidence hard drives? In the 3rd post of this thread, Samr implies that the retention period varies on a case-by-case basis. Do I understand this correctly?
Yes, you do. The problem with "retention" is that there may be legal, regulatory or statutory requirements based upon the data contained on the drives. There also may be statute of limitations concerns.
Bottom line, unless you have a written agreement with the drive owner to the contrary, you are on shaky ground in deleting or destroying what may still be evidence.
Is it that hard to write them a letter asking if you are free to delete their information? In most cases, my clients or their attorneys are quick to respond to such a request.