The victim files a complaint that the suspect recorded her private moments secretly and put them on online web sites. So, after a forensic examination of the suspect's computer, we found the video files and provided them to the court.
Now, the prosecutor requests us to make a copy of those files and wipe the ones on the suspect's hard drive; however, it does not sound like a request we should be doing in a forensic lab. So, I think I should get your contributions, as you might have already got such a request.
How would you act in such a situation where the prosecutor asks you to delete some files on the suspect's hard drive?
Would you do it?
How would you act in such a situation where the prosecutor asks you to delete some files on the suspect's hard drive?
Would you do it?
I don't get it.
Who actually pays you?
Is the prosecutor the one?
If yes, and if he writes this order down, what would the problem be?
You might anyway want to tell the prosecutor that deleting a file is not enough, and that you will also need to wipe ANY unused sector on the suspect HD, if the scope of the order is that the suspect should never access those videos again.
jaclaz
How would you act in such a situation where the prosecutor asks you to delete some files on the suspect's hard drive?
Would you do it?
A similar thread has been discussed before. The problem arises because, unless you are empowered to do signature analysis, expansion and searching of compound files, discovery of encrypted volumes/files, etc., there is practically no way that you can verify that the materials have been truly erased from the system.
A common practice that we have employed is to get a clean disk and a fresh install of the OS on the subject's machine, then ask the subject to identify which files from the original he/she wants to retain. Examine those to determine that they do not contain the offending content and then copy them to the new drive.
There are simply too many ways to hide data on the original drive and, as another asked, who is going to pay you to look for these? In addition, if you are asked to "certify" that these files do not exist/cannot be recovered, you should be able to propose a methodology which is acceptable to you.
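As an added illustration of the screening step in the clean-disk practice above (not code from any poster in this thread), the following sketch checks files the subject wants to retain using a hash comparison, signature analysis, and expansion of ZIP-based compound files. The function names, the signature subset, and the sample files are assumptions constructed for the example; the hash set is assumed to come from the files the lab already holds.

```python
import hashlib, io, os, pathlib, tempfile, zipfile

# (offset, magic) pairs for common video containers: ISO-BMFF (MP4/MOV), AVI, Matroska/WebM.
MAGIC = [(4, b"ftyp"), (8, b"AVI "), (0, b"\x1a\x45\xdf\xa3")]
MEDIA_EXT = {".mp4", ".mov", ".m4v", ".avi", ".mkv", ".webm"}

def has_media_signature(data):
    return any(data[off:off + len(sig)] == sig for off, sig in MAGIC)

def screen_bytes(name, data, known_hashes, depth=0):
    """Screen one file (or archive member) and return a list of (name, reason) findings."""
    findings = []
    if hashlib.sha256(data).hexdigest() in known_hashes:
        findings.append((name, "hash matches known offending file"))
    # Signature analysis: content type is judged by magic bytes, not by the file name.
    if has_media_signature(data) and os.path.splitext(name)[1].lower() not in MEDIA_EXT:
        findings.append((name, "media signature under non-media extension"))
    # Compound files: expand ZIP-based containers (zip, docx, xlsx, ...) and recurse.
    if depth < 5 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{name}!{info.filename}"
                if info.flag_bits & 0x1:  # encrypted: cannot be cleared automatically
                    findings.append((member, "encrypted member, not examined"))
                else:
                    findings += screen_bytes(member, zf.read(info), known_hashes, depth + 1)
    return findings

def screen_tree(root, known_hashes):
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                findings += screen_bytes(os.path.relpath(path, root), fh.read(), known_hashes)
    return findings

def demo():
    """Constructed sample: one clean file, one renamed video, one altered copy inside a .docx."""
    video = b"\x00\x00\x00\x18ftypisom" + b"constructed sample payload"
    known = {hashlib.sha256(video).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("notes.txt", b"shopping list"), ("report.dat", video)):
            pathlib.Path(root, name).write_bytes(data)
        with zipfile.ZipFile(os.path.join(root, "backup.docx"), "w") as zf:
            zf.writestr("media/clip.bin", video + b"\x00")  # altered copy: hash no longer matches
        return screen_tree(root, known)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The altered copy inside `backup.docx` is caught only by the signature check, which is why a hash comparison alone cannot clear a file; encrypted members and other container formats still need manual examination.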