
Testing suspect system after reassembly

(@csteger)
Active Member
Joined: 14 years ago
Posts: 6
Topic starter  

Good day,

I just finished imaging and analyzing a Dell Inspiron N4010. As some of you already know, to access the hard drive the system has to be (basically) disassembled.

As this is the first system I have done which required a complete tear down, my question is: is it an acceptable practice to power on to P.O.S.T. to verify proper re-assembly and operation of such a system after being imaged and analyzed? Or is this something that should be done immediately prior to the system being released to its owner?

And yes, I do know once the system is powered on things begin to change on it.


   
(@infern0)
Trusted Member
Joined: 17 years ago
Posts: 54
 

I wouldn't do it until you are releasing it from evidence and naturally have already verified all of your acquired images.

If you were doing it to prove it was a bootable drive, etc., you could use one of your acquired images for this.


   
 isth
(@isth)
Trusted Member
Joined: 15 years ago
Posts: 65
 

I think booting the machine after making an image is a good idea and I often do this before releasing the machine back to the owner. If the machine is not in use and just going back into storage it's not as necessary.

Doing this will save yourself the headache of getting an angry call/email when the user tries to turn their machine on and is greeted with a black screen because a SATA cable was loose. You already have two copies of the image so no harm done. Of course, you will already have verified your images are working before doing so.


   
(@csteger)
Active Member
Joined: 14 years ago
Posts: 6
Topic starter  

Thanks for the responses. I am confident that I re-assembled the laptop correctly, but I want to make sure it works when/if it is ever released to the owner. I have yet to power it on to double check, but have added a note to the tag to remind me to do it prior to being released.

As for there being a standard practice, I guess this would fall into the case-by-case category.

And yes, there are two verified images of the drive.

Thanks again for the input.


   
4n6art
(@4n6art)
Reputable Member
Joined: 18 years ago
Posts: 208
 

IMHO I think it depends on the case.

There are times when I boot it after release only - like when it's taken from an opposing party.

However, if it is a voluntary consent and the machine was in use before and will be put to use right after I am done with it from a cooperating individual, then I will boot it to check and make sure it's working before it's dropped off.

If it is evidence and it's going to the evidence locker, I will seal the drive and keep it separate or put the drive back in and keep the cables unplugged if possible (to prevent inadvertent power on) and seal the power input areas.

Both Infern0 and isth make good points... it is on a case by case basis IMHO.


   
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

You generally start up the computer after imaging so you can pull the system config and check the clock operation from the BIOS anyway, so I don't see the problem. You can take steps to check the config without the hard drive attached if you're not certain of how to enter the BIOS and are worried about booting accidentally because you don't get into the BIOS in time. Obviously the objective here is to get into the BIOS without booting from the HDD.


   
(@csteger)
Active Member
Joined: 14 years ago
Posts: 6
Topic starter  

With desktops, and some laptops yes, I am able to check the BIOS with the drive removed. However in this case, the hard drive is on the bottom of the system board, which had to be removed just to get at it.

The first thing I did was make & verify two images. The system was then cobbled together sans HD to get the BIOS information; then (properly) assembled with the main battery tagged and set next to the laptop.

Right now it is sitting in evidence; but I feel it will be released at some point as there was nothing on it that was noteworthy.

I mainly want to avoid the problems that isth brought up with the complaint about the computer being broken after its return.

Thank you again for the input.


   
(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
 

We always look at the BIOS whilst the hard drive is removed.
Re booting the machine just before returning it, unless the item was confirmed as on and in full working order at the time of seizure (most of ours seem to be off at time of seizure) you don't have any evidence that the actual unit was working anyway.
We take photos etc. and say, if asked, that the unit is in identical condition compared to the time it was delivered and we do not boot up the machine.


   
PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

I once (a long time ago) did a job up near Manchester where I removed a drive, imaged it and replaced it. When the machine was booted (in front of the suspect (civil case)) the monitor displayed in green only. Suspect made a song and dance and both solicitors started to discuss compensation for me breaking the computer.

10 mins later the suspect's secretary came in and on noticing the green screen said something along the lines of "is that machine playing up again". Even though I had insisted that nothing I had done could have caused the problem I still heaved a sigh of relief.


   
(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
 

One other point to consider. By not booting the machine following rebuild, you are allowing the original owner/suspect the opportunity (if appropriate) to have the machine imaged and investigated by their own expert rather than then requesting a copy of your image.
Just a thought.


   