As with all newcomers in the field, we're taught that the most important thing in computer forensics is to preserve the evidence. Ensure chain of custody, compute MD5/SHA1 hashes and verify nothing's changed from acquisition to analysis, etc. That's all good in instances where you've legally seized the evidence and no one can access it without authority. But what about, for example, in the private sector? In the corporate environment a client suspects one of their employees of stealing and selling confidential data but has no proof, and wishes to have us investigate the suspect's PC without them having knowledge of what's transpiring, by leaving the PC there. Thus I enter in the middle of the night, acquiring a forensically sound image, verify the exact copy with a SHA1 hash, and find the damning evidence a week later.
Obviously in that time the drive data would have changed due to it being used. Would this still be admissible? How would this pan out in the legal system (especially in the U.K., as I've just relocated here; I'm also interested in how it would work in different countries)? Also assume the client had adequate AUPs in place for the company that permitted auditing of company PCs.
As most of you can guess, I'm still a bit wet behind the ears in this field.
Bluepup,
There are many considerations around your question and what would be the best thing to do. Certainly with a number of forensic tools you could image the original disk (in the middle of the night) and then restore that image to a fresh disk which you substitute into the original computer. Seal the original drive in the company's own safe, or take it off site sealed away, and you have your original intact. It is unlikely the suspect would ever realise they are using a cloned drive.
Certainly anything you have in your image is evidence you can rely upon. If at that stage you have enough for the member of staff to be suspended, you go back in and image the drive again; this second image is a clone of the original plus whatever he has done in the last week(s) or month(s). If he had still been acting illegally/inappropriately, he certainly couldn't say he'd stopped a while ago if there was new evidence in this second image.
Steve
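The two-image workflow Steve describes (hash the covert image at acquisition, keep the original sealed, image again after the suspension, then look at what is new) is easy to show with a small script. The following is an added example written for this thread, not code from either poster. It uses Python's `hashlib` for the SHA1 verification mentioned in the question and a constructed eight-sector "disk" in place of a real device; in practice the bytes would come from the drive through a write blocker and an imaging tool, and the sector size (512 here) would be whatever the device reports.

```python
import hashlib

SECTOR = 512  # assumed sector size for the block-level comparison


def sha1_hex(data: bytes) -> str:
    """Hex SHA1 of a byte string (the hash the question verifies the copy with)."""
    return hashlib.sha1(data).hexdigest()


def acquire(source: bytes) -> tuple[bytes, str]:
    """Take a bit-for-bit copy of the source and record its hash at acquisition time.

    On a real case the bytes come off the drive via a write blocker and an imaging
    tool; here the 'drive' is a byte string so the example runs offline.
    """
    image = bytes(source)
    return image, sha1_hex(image)


def verify(image: bytes, acquisition_hash: str) -> bool:
    """True if the image still matches the hash recorded when it was acquired."""
    return sha1_hex(image) == acquisition_hash


def changed_sectors(first: bytes, second: bytes, sector: int = SECTOR) -> list[int]:
    """Indices of sectors that differ between two images of the same drive.

    Images of different sizes are not images of the same device, so the
    comparison is refused rather than silently truncated.
    """
    if len(first) != len(second):
        raise ValueError("images are different sizes; not the same device")
    return [
        i // sector
        for i in range(0, len(first), sector)
        if first[i:i + sector] != second[i:i + sector]
    ]


def sector_text(image: bytes, index: int, sector: int = SECTOR) -> bytes:
    """Content of one sector with the zero padding stripped, for reporting."""
    return image[index * sector:(index + 1) * sector].rstrip(b"\x00")


# --- constructed sample data: an eight-sector 'disk', not a real acquisition ---
ORIGINAL_DISK = b"".join(
    f"sector {i:02d} original content".encode().ljust(SECTOR, b"\x00")
    for i in range(8)
)

# First, covert acquisition (the middle-of-the-night image in the question).
FIRST_IMAGE, FIRST_HASH = acquire(ORIGINAL_DISK)


def simulate_later_use(disk: bytes) -> bytes:
    """Stand-in for a week of the suspect using the machine: two sectors rewritten."""
    buf = bytearray(disk)
    buf[3 * SECTOR:4 * SECTOR] = b"customer_list.xlsx copied to usb".ljust(SECTOR, b"\x00")
    buf[6 * SECTOR:7 * SECTOR] = b"mail to competitor drafted".ljust(SECTOR, b"\x00")
    return bytes(buf)


# Second acquisition, taken after the member of staff has been suspended.
SECOND_IMAGE, SECOND_HASH = acquire(simulate_later_use(ORIGINAL_DISK))


def report() -> dict:
    """Summarise what the two images establish."""
    return {
        "first_image_intact": verify(FIRST_IMAGE, FIRST_HASH),
        "second_image_intact": verify(SECOND_IMAGE, SECOND_HASH),
        "drive_unchanged_since_first_image": verify(SECOND_IMAGE, FIRST_HASH),
        "new_activity_in_sectors": changed_sectors(FIRST_IMAGE, SECOND_IMAGE),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
    for idx in changed_sectors(FIRST_IMAGE, SECOND_IMAGE):
        print(f"sector {idx}: {sector_text(SECOND_IMAGE, idx)!r}")
```

The hash recorded at the first acquisition proves that the sealed copy has not changed since that night, which is what makes the findings in it reliable even though the live drive has moved on; the second image naturally fails that hash, and the sector-level comparison isolates exactly which blocks carry post-acquisition activity. A hash only establishes the integrity of the copy, so the question of admissibility still rests on the authority under which the image was taken, as the thread discusses.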