I am interested in the members' opinions regarding the matter of conducting forensic examinations without evidentially imaging the drive.
Recently here in New Zealand I have been finding that the forensic examinations have not been conducted using an evidential image. The examinations have been conducted in Preview Mode and the drives are only imaged when the image is requested by the defence.
Other instances have occurred where the computers have been seized, data extracted from the drives and supplied to the defence, without the drive being imaged. In one case the drive then failed, but the prosecution is still relying on the data extracted even though it can no longer be authenticated or checked.
The members' opinions would be appreciated, as well as what guidelines they use when examining drives.
Whenever possible, image, as soon as you receive the drive.
I'd have thought most people will say, as mscotgrove said, image the drive when you can. Unless there's a particularly good reason not to, such as business critical servers perhaps.
This gives you the benefit of being able to examine it further if needed at a later date (should new information come to light), and also allows the data to be verified at a later date by the defence.
The relevant guideline would be Principle 3 of the ACPO guidelines in the UK, which states that the processes you perform should be repeatable at a later date to achieve the same result by an independent 3rd party.
There are caveats within the document for when this isn't feasible, but that is the exception rather than the rule. So in short, image where possible would be a reasonable summary.
I personally would "strike" it a bit, as
ALWAYS image, unless there are exceptional, and exceptionally sound and documented reasons not to.
About the OP example, it's difficult to say.
I mean I don't think that a new forensic examination of the now dead drive could cause the finding of different data, only that it may deliver additional data.
Just as an example, if the first examination conducted by a qualified forensic expert has found in the hard drive a compromising e-mail, a new examination won't result in that particular e-mail not being there, but it may result in other e-mails that may be useful to the defense to explain the context in which the "found" e-mail has been sent or received.
jaclaz
I always work off an image. I have rarely processed off of an original evidence drive. When I did process the original evidence it was ALWAYS on hardware write blockers. I had one occasion (out of approx. 1000) where I processed the original drive, then it crashed, resulting in a lashing during cross examination.
Imaging is closely related to the issues involved with seizure, the search warrant specifics, etc. If the court does not permit physical seizure of the entire evidence drive, for instance, a drive image might not be permissible either. In such a case, if only identifiably relevant evidence can be seized, a copy of an incriminating email, obtained in a forensically sound fashion (e.g. from a write-blocked drive using appropriate tools) DOES probably constitute the "image" that the warrant permits. A forensically-sound image need not include the entire drive or even a partition of a drive. You can hash a single file and pull it off the drive and it will be perfectly sound from a forensic standpoint. A warrant may thus permit you to search a drive, but restrict seizure (forensic copy/image) only to evidence that is relevant to the warrant. Quite a few warrants are issued that are closely constrained as to just what can be seized, certain courts being more restrictive than others.
The observations provided by the OP do not address any of the seizure issues, making it impossible to say why drives might not be imaged. However, one assumes that if the failure to image the entire drive were forensically unsound practice within the constraints of permissible seizure in a given case, defense attorneys would, by virtue of having evidence excluded or rendered useless at trial, quickly put an end to that practice. Prosecutors don't like to lose cases due to avoidable exclusion of evidence and would set the forensic examiners straight, I'm sure. In other words, I assume that your justice system itself will drive any corrective actions needed (if any) "naturally", in the course of events.
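As an added illustration of the point above that a single extracted file can be hashed at seizure time and independently re-verified later (example code written for this thread, not from the poster), the following records a size/SHA-256 manifest for selectively copied files and reports anything later found missing or changed. File names and contents are constructed samples.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root, relpaths):
    """At acquisition time, record size and SHA-256 for each extracted file."""
    manifest = {}
    for rel in relpaths:
        full = os.path.join(root, rel)
        manifest[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return manifest


def verify_manifest(root, manifest):
    """Later (e.g. for the defence), re-hash every file; report missing or changed copies."""
    problems = {}
    for rel, rec in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            problems[rel] = "missing"
        elif os.path.getsize(full) != rec["size"] or sha256_file(full) != rec["sha256"]:
            problems[rel] = "changed"
    return problems


def demo():
    """Constructed sample: two files standing in for an extracted e-mail and a log."""
    root = tempfile.mkdtemp()
    files = {"mail/found.eml": b"From: a@example.test\nSubject: hello\n",
             "logs/system.log": b"2024-01-01 shutdown\n"}
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    manifest = build_manifest(root, list(files))
    clean = verify_manifest(root, manifest)  # untouched copies verify: {}
    # Simulate the situation without a verifiable record: one copy altered, one lost.
    with open(os.path.join(root, "mail/found.eml"), "ab") as fh:
        fh.write(b"X")
    os.remove(os.path.join(root, "logs/system.log"))
    return clean, verify_manifest(root, manifest)
```

Without the manifest (or a full image) taken at acquisition, neither the alteration nor the loss could be demonstrated afterwards.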
Greetings,
The latest episode of the Cyberspeak podcast alluded to defense attorneys trying to limit the examination of hard drives to specific areas of the drive or volume. The major argument in support of this seems to be protection of privacy, i.e., examiners/analysts should not be able to look through the entire image because they might come across private information that isn't relevant to the case.
It'd be interesting to see any articles about this practice.
-David
i.e., examiners/analysts should not be able to look through the entire image because they might come across private information that isn't relevant to the case.
It strangely reminds me of Schroedinger's Cat
I would also be interested to know more about this approach.
jaclaz
Thanks everyone for your responses.
Here in New Zealand we are not restricted as to what we can do once a drive/computer has been seized under a search warrant. Once a drive has been seized you can look at everything and anything on the drive, and if you find anything on the drive that does not relate to your warrant then you can look at it and if necessary charge the person(s). It's a bit different from other countries.
I am examining this drive as an independent examiner and have grave concerns as to the data removed from the drive. Other files such as thumbnails are telling a different story and also files in the wrong folders and certain log files missing.
This now becomes an issue where we cannot check and corroborate what has been copied from the drive. We know that the computer was running at the time it was seized, so there should be files up till the date/time the warrant was executed and when the computer was shut down, but none of the data provided has files for the shutdown date. The files relate to a CCTV system, which was recording at the time.
Anyway, thanks to everyone who has replied.
There is also another possibility.
It would not be the first (nor the last) CCTV system with a completely UNLIKE exact Date/Time set.
From the (VERY little) I have seen of those, I could make a statistic like this:
Systems UNmanaged 30%
Systems "managed" by elderly ladies 60%
Systems managed by a knowledgeable technician 10%
Systems with wrong date/time set 15%+30%=45%.
I am assuming that by sheer luck half the UNmanaged systems somehow kept the right date, and that half of the elderly ladies are very exact in following the manual.
jaclaz