In some cases, a suspect asks for his drive to be given back to him after the forensic guys have acquired it, saying that he needs the hard drive for his business. However, there may be incriminating files on the HDD, such as child pornography, and you do not know that for sure until you complete the examination.
So, if you give the hard drive back, he will continue to commit the crime (storing child pornography files) even further, as he will have his incriminating files back; and if you do not give the HDD back, he will lose his business.
How do you act in such situations? Do you give the HDD back, or keep it until the whole examination and investigation is completed?
I think that it would depend upon your local laws. In the US, if you have a reasonable suspicion of illegal content, you are required to report that to law enforcement. Typically, they or the Justice Department determine what is done with the evidence including, possibly, your forensic image.
Also, as a practical matter, if the user requires that a drive be returned, independent of whether there was illegal content, we typically give them a clone of the drive and preserve the original as long as there is a possibility of criminal or civil action.
Why?
Consider that if you return the drive, any drive activity will change the drive hash which means that you'll no longer be able to document that your image is forensically identical to the original. If you preserve the original, that shouldn't be a problem.
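As an added illustration of the hash point made above (and of the "verify the image before you return the original" advice later in the thread), here is a small shell walk-through. It is not from any post in this thread: it uses a constructed 1 MiB file as a stand-in for the seized drive, assumes `dd` and `sha256sum` (or `shasum`) are on the host, and simulates "the owner used the drive" by overwriting one 512-byte sector. On a real drive the original would be read through a write blocker, not a plain file.

```shell
#!/bin/sh
# Added example, not from any post in this thread: image a constructed
# stand-in for the original drive, record the acquisition hash, verify the
# image against it, then show that a single sector written to the returned
# original breaks the match while the preserved image still verifies.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# SHA-256 of a file, using whichever tool the host provides.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Constructed stand-in for the seized drive: 1 MiB of random bytes.
make_original() {
  dd if=/dev/urandom of="$WORK/original.dd" bs=1024 count=1024 2>/dev/null
}

# Acquisition: bit-for-bit copy, then record the hash of the ORIGINAL as it
# was at acquisition time. (noerror,sync keeps reading past bad sectors on a
# real device and pads them, so the image stays offset-aligned.)
acquire() {
  dd if="$WORK/original.dd" of="$WORK/image.dd" bs=4096 conv=noerror,sync 2>/dev/null
  hash_file "$WORK/original.dd" > "$WORK/acquisition.sha256"
}

# Verification: does the given file still hash to the acquisition value?
# Prints MATCH or MISMATCH; exit status 0 or 1 accordingly.
verify() {
  expected="$(cat "$WORK/acquisition.sha256")"
  actual="$(hash_file "$1")"
  if [ "$expected" = "$actual" ]; then
    echo MATCH
  else
    echo MISMATCH
    return 1
  fi
}

# What happens once the original goes back to the owner: one 512-byte sector
# at offset 512 is overwritten with zeros. Any mount, log write or file save
# on a real drive touches far more than this.
simulate_return_and_use() {
  dd if=/dev/zero of="$WORK/original.dd" bs=512 seek=1 count=1 conv=notrunc 2>/dev/null
}

demo() {
  make_original
  acquire
  echo "image vs acquisition hash:         $(verify "$WORK/image.dd")"
  echo "original vs acquisition hash:      $(verify "$WORK/original.dd")"
  simulate_return_and_use
  echo "returned original after one write: $(verify "$WORK/original.dd" || true)"
  echo "preserved image:                   $(verify "$WORK/image.dd")"
}

demo
```

The acquisition hash is recorded from the original, not the image, so a later MATCH on the image proves the copy is bit-identical to what was seized. Once the original has been written to, nobody can recompute that hash from it, which is exactly why the poster keeps the original and hands the owner a clone.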
Ask him which files he needs and copy those to a new hard disk or any other medium he supplies. Check these files for, e.g., child pornography and hand out the data. Do not give him the original media until the examination is finished.
It happens so often that the suspect "urgently" needs his data, but as soon as you ask him what exactly he needs, it suddenly isn't that important anymore.
When I started working criminal cases, the suspect would provide a CD/DVD and a list of files or folders that (s)he wanted copied out.
However, once I started my fraud specialisation, I would offer to clone their drive to a new one for them so they could keep on doing business. When you work mostly corporate, business continuity is important.
Also, just because you return the original drive doesn't mean that your evidence is bad. It just means that you'll potentially spend a little time explaining your acquisition process, and how you verified your forensic image/copy before returning the original drive.
For an example of this, Rule 1003 of the Federal Rules of Evidence specifically covers the admissibility of duplicates.
Generally when you are returning an original drive, as a practical matter, you get the defendant / other party to sign an acknowledgment that your forensic copy is true and valid, just to CYA.
In the UK, if you have any suspicion that there are child abuse images on the computer and you then return it to the owner, you are potentially guilty of an offence relating to distribution of those images.
Simply, we do not return computers that have child abuse images on them.
I echo the comments of previous posters: if a suspect needs files off his computer which are vital to his, or one of his family members', well-being, then he can ask us to copy them to some media provided by him and, as long as he can provide us with clear, concise instructions, we will do our best to comply. It is surprising how many people find that there really isn't anything important once they are asked to list the file names and full paths.
We also strongly resist any request, whoever it comes from, to remove the HDD and return the machine to its owner. Our view is that the HDD is merely one constituent part of a whole. If you seized a car used in a robbery, would you take the engine out and return the rest to the owner? No, I didn't think so.
If anyone disputes our actions they are at liberty to go to court and challenge our decisions using the Police Property Act. Surprisingly, we don't get many of these!
Onwards and upwards,
Nigel
Also, just because you return the original drive doesn't mean that your evidence is bad. It just means that you'll potentially spend a little time explaining your acquisition process, and how you verified your forensic image/copy before returning the original drive.
For an example of this, Rule 1003 of the Federal Rules of Evidence specifically covers the admissibility of duplicates.
True, but time can be money. If the other side wants to do their own forensic imaging, and you no longer have the original, and they either get a different hash or damage the drive during the hashing process, they can argue that they did not have the opportunity to verify that the copy was a true copy. In fact, I had that very thing happen in a case that I worked on, and while the court dismissed the opposition's concerns since we were both using the same image for our analysis, the argument still cost many hours of expert and lawyer time (which translated into big bucks).
Bottom line is that drives are cheap. It is safer to give them a clone and keep the original. Also, I keep originals for as long as there may be any chance of legal action, which can be years. Law firms keep their records indefinitely.
Generally when you are returning an original drive, as a practical matter, you get the defendant / other party to sign an acknowledgment that your forensic copy is true and valid, just to CYA.
If you can get them to do it, great. But, as I said, unless they witnessed the imaging they may not want to accept your word. In the case that I mentioned, the opposition refused to acknowledge that the forensic copy that I provided them was a true copy, even though I documented the process by which I obtained it.
In the US you are not allowed to put him out of business by seizing his hard drive. If the suspect makes his living from the computer or server that you need to investigate, he has to submit a formal request to be allowed to keep it running. I don't know if this happens before or after the hard drive is seized by you, probably after, at which time, if his request to resume operations is approved, you would clone the drive and give back the original. You may not interfere with his lawful means of earning a living if he can prove the computer or server is part of his business operation.
Hi
From the UK standpoint I would not expect a Forensic Examiner to make this choice. Only to offer advice.
It would be for the organisation who has legal custody of the Computer to make the choice.
If a company asked for one of its computers to be examined a director acting for the company has legal control.
If a law enforcement organisation seized the PC they have legal control and would make the decision.
The person the PC was seized from would not know who the Forensic Examiner was in the initial stages of the investigation.
Hard disks are cheap compared to the cost of damages if no incriminating evidence is found on a PC which is vital for a business (e.g. stock control, accounts, etc.).
Our evidence store has a collection of PCs which, after trial and conviction, the courts have ordered to be confiscated.
After erasing the hard disk with DBAN they are offered to a charity or, if not wanted, scrapped.
regards
Mike Barnes
Mike, I could not agree more with you and this was the motivation for my original concern re the FAST project and the interpretation of the powers used by local TSOs during that project.
Not a chance, in my experience. If the suspected crime is that of illegal material, under no circumstances give that disk back until a full examination of that disk is complete. No exceptions.
However, offer the chance for them to request some critical data and provide that on a clean disk after you have verified that data is legit.
L