To image or not to image a drive  

Amicus
(@amicus)
Junior Member

I am interested in the members opinions regarding the matter of conducting forensic examinations without evidentially imaging the drive.

Recently here in New Zealand I have been finding that the forensic examinations have not been conducted using an evidential image. The examinations have been conducted in Preview Mode and the drives are only imaged when the image is requested by the defence.

Other instances have occurred where the computers have been seized, data extracted from the drives and supplied to the defence, without the drive being imaged. In one case the drive then failed, but the prosecution is still relying on the data extracted even though it can no longer be authenticated or checked.

The opinions of the members would be appreciated and what guidelines they use when examining drives.

Posted : 16/12/2009 1:41 pm
mscotgrove
(@mscotgrove)
Senior Member

Whenever possible, image, as soon as you receive the drive.

Posted : 16/12/2009 2:38 pm
Rich2005
(@rich2005)
Senior Member

I'd have thought most people will say, as mscotgrove said, image the drive when you can. Unless there's a particularly good reason not to, such as business critical servers perhaps.
This gives you the benefit of being able to examine it further if needed at a later date (should new information come to light), and also allows the data to be verified at a later date by the defence.
The relevant guideline would be Principle 3 of the ACPO guidelines in the UK, which states that the processes you perform should be repeatable at a later date to achieve the same result by an independent 3rd party.
There are caveats within the document for when this isn't feasible, but that is the exception rather than the rule. So in short, image where possible would be a reasonable summary.

Posted : 16/12/2009 3:31 pm
jaclaz
(@jaclaz)
Community Legend

I personally would "strike" it a bit, as
ALWAYS image, unless there are exceptional, and exceptionally sound and documented reasons not to.

About the OP example, it's difficult to say.
I mean I don't think that a new forensic examination of the now dead drive could cause the finding of different data, only that it may deliver additional data.

Just as an example, if the first examination conducted by a qualified forensic expert has found in the hard drive a compromising e-mail, a new examination won't result in that particular e-mail not being there, but it may result in other e-mails that may be useful to the defense to explain the context in which the "found" e-mail has been sent or received.

jaclaz

Posted : 16/12/2009 5:05 pm
Boggs30
(@boggs30)
New Member

I always work off an image. I have rarely processed off of an original evidence drive. When I did process the original evidence it was ALWAYS on hardware write blockers. I had one occasion (out of approx. 1000) where I processed the original drive, then it crashed, resulting in a lashing during cross examination.

Posted : 16/12/2009 6:42 pm
BattleSpeed
(@battlespeed)
Junior Member

Imaging is closely related to the issues involved with seizure, the search warrant specifics, etc. If the court does not permit physical seizure of the entire evidence drive, for instance, a drive image might not be permissible either. In such a case, if only identifiably relevant evidence can be seized, a copy of an incriminating email, obtained in a forensically sound fashion (e.g. from a write-blocked drive using appropriate tools) DOES probably constitute the "image" that the warrant permits. A forensically-sound image need not include the entire drive or even a partition of a drive. You can hash a single file and pull it off the drive and it will be perfectly sound from a forensic standpoint. A warrant may thus permit you to search a drive, but restrict seizure (forensic copy/image) only to evidence that is relevant to the warrant. Quite a few warrants are issued that are closely constrained as to just what can be seized, certain courts being more restrictive than others.

The observations provided by the OP do not address any of the seizure issues, making it impossible to say why drives might not be imaged. However, one assumes that if the failure to image the entire drive were forensically unsound practice within the constraints of permissible seizure in a given case, defense attorneys would, by virtue of having evidence excluded or rendered useless at trial, quickly put an end to that practice. Prosecutors don't like to lose cases due to avoidable exclusion of evidence and would set the forensic examiners straight, I'm sure. In other words, I assume that your justice system itself will drive any corrective actions needed (if any) "naturally", in the course of events.

Posted : 16/12/2009 6:49 pm
kovar
(@kovar)
Senior Member

Greetings,

The latest episode of the Cyberspeak podcast alluded to defense attorneys trying to limit the examination of hard drives to specific areas of the drive or volume. The major argument in support of this seems to be protection of privacy, ie, examiners/analysts should not be able to look through the entire image because they might come across private information that isn't relevant to the case.

It'd be interesting to see any articles about this practice.

-David

Posted : 16/12/2009 9:01 pm
jaclaz
(@jaclaz)
Community Legend

ie, examiners/analysts should not be able to look through the entire image because they might come across private information that isn't relevant to the case.

It strangely reminds me of Schroedinger's Cat
http://en.wikipedia.org/wiki/Schrödinger's_cat

I would also be interested to know more about this approach.

jaclaz

Posted : 17/12/2009 1:29 am
Amicus
(@amicus)
Junior Member

Thanks everyone for your responses.

Here in New Zealand we are not restricted as to what we can do once a drive/computer has been seized under a search warrant. Once a drive has been seized you can look at everything and anything on the drive, and if you find anything on the drive that does not relate to your warrant then you can look at it and if necessary charge the person(s). It's a bit different from other countries.

I am examining this drive as an independent examiner and have grave concerns as to the data removed from the drive. Other files such as thumbnails are telling a different story and also files in the wrong folders and certain log files missing.

This now becomes an issue where we cannot check and corroborate what has been copied from the drive. We know that the computer was running at the time it was seized, so there should be files up till the date/time the warrant was executed and the computer was shut down, but none of the data provided has files for the shutdown date. The files relate to a CCTV system, which was recording at the time.

Anyway, thanks to everyone who has replied.

Posted : 17/12/2009 2:07 am
jaclaz
(@jaclaz)
Community Legend

There is also another possibility.

It would not be the first (nor the last) CCTV system with a completely UNLIKE exact Date/Time set.

From the (VERY little) I have seen of those, I could make a statistic like this:
Systems UNmanaged 30%
Systems "managed" by elderly ladies 60%
Systems managed by a knowledgeable technician 10%

Systems with wrong date/time set 15%+30%=45%.

I am assuming that by sheer luck half the UNmanaged systems somehow kept the right date, and that half of the elderly ladies are very exact in following the manual.

jaclaz

Posted : 17/12/2009 7:21 pm
seanmcl
(@seanmcl)
Senior Member

The latest episode of the Cyberspeak podcast alluded to defense attorneys trying to limit the examination of hard drives to specific areas of the drive or volume. The major argument in support of this seems to be protection of privacy, ie, examiners/analysts should not be able to look through the entire image because they might come across private information that isn't relevant to the case.

It'd be interesting to see any articles about this practice.

You can look at the Recommendations of the Sedona Conference Working Groups. Made up mostly of jurists, their recommended best practices often are short of what most forensics examiners would consider a complete and thorough examination. And while I have an interest in the issue of privacy, it is hard to reconcile that against the possible ways that relevant data can be "hidden" from view especially if that view is restricted to a particular area of storage.

These instances where the legal community attempts to apply non-technical precedent to technical issues are most significantly embodied in the RAM copy doctrine, which is, in my humble opinion, one of the worst reasoned examples of the misapplication of law to technology that I have encountered.

Also, the 2006 revisions to the FRCP (US) pretty much give parties to discovery one drink from the well. Thus, the forensic expert needs to be involved before the pre-discovery conference in order to ensure that his/her client is not deprived of whatever is necessary to perform a thorough examination.

In my experience, the privacy issues can be dealt with by agreeing that the independent examiner can only disclose to his/her client those findings which are pertinent to the case at hand (and, anyway, only those findings would be admissible as evidence). If I am being asked to look at a device for evidence of kickbacks, what business is it of mine that the user is cheating on his spouse?

On the other hand, sometimes seemingly irrelevant findings can, ultimately, be linked back to the case at hand.

For example, in one case looking at some questionable practices on the part of an employee of a company we found that the married employee was being extorted by another employee with whom he was having an affair (the similarities to Fatal Attraction were uncanny). Had we been limited in our investigation, we may well have missed this crucial piece of the puzzle.

Another solution sometimes employed is to use a court-appointed or party-appointed special master to serve as a gateway. I am seeing more of the latter, i.e., both parties retain an independent investigator to act as a special master, because this process still allows each party to retain a separate expert to advocate for their client.

Posted : 17/12/2009 7:57 pm
BattleSpeed
(@battlespeed)
Junior Member

…I am assuming that by sheer luck half the UNmanaged systems somehow kept the right date, and that half of the elderly ladies are very exact in following the manual.

jaclaz

Very true. This might be (roughly) verified if there is an event recorded for which the approximate time and date are known with certainty, checking the timestamp of the recording of that event against the actual time and date. If so, you might be able to come up with a reasonable (logically defensible) "error offset" that could be applied to other recorded events - or at least those that are fairly proximal to the known event.

Posted : 17/12/2009 8:02 pm
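The "error offset" approach BattleSpeed describes, as an added worked example that is not part of the thread: derive the recorder's clock error from one clip whose real time is known, apply it to the other clips, and flag clips that are far from the anchor, where drift makes a single offset hard to defend. All clip identifiers, timestamps and the two-day window are constructed values, not data from the case.

```python
from datetime import datetime, timedelta

# Constructed sample (not from the thread): the date/time the CCTV recorder
# stamped on each clip, keyed by a hypothetical clip identifier.
RECORDED = {
    "clip_0417": datetime(2009, 12, 10, 9, 12, 0),
    "clip_0418": datetime(2009, 12, 10, 9, 47, 30),
    "clip_0522": datetime(2009, 12, 11, 14, 3, 0),
    "clip_0901": datetime(2009, 12, 16, 8, 30, 0),
}

# Anchor event: clip_0418 is assumed to show a moment whose real date/time is
# known with certainty (e.g. from an independently timed record). Hypothetical.
ANCHOR_CLIP = "clip_0418"
ANCHOR_ACTUAL = datetime(2009, 12, 10, 11, 2, 30)


def clock_offset(recorded: datetime, actual: datetime) -> timedelta:
    """Offset to add to a recorder timestamp to obtain real time.

    Positive means the recorder's clock was running behind real time.
    """
    return actual - recorded


def correct_timestamps(recorded, anchor_clip, anchor_actual,
                       max_distance=timedelta(days=2)):
    """Apply the anchor-derived offset to every clip.

    Returns {clip: (corrected_time, reliable)}. 'reliable' is False for clips
    whose recorder timestamp is more than max_distance from the anchor clip:
    a single offset only accounts for a fixed clock error, not for drift, so
    it is defensible only for events reasonably proximal to the known event.
    """
    anchor_stamp = recorded[anchor_clip]
    offset = clock_offset(anchor_stamp, anchor_actual)
    corrected = {}
    for clip, stamp in recorded.items():
        distance = abs(stamp - anchor_stamp)
        corrected[clip] = (stamp + offset, distance <= max_distance)
    return corrected


if __name__ == "__main__":
    off = clock_offset(RECORDED[ANCHOR_CLIP], ANCHOR_ACTUAL)
    print(f"recorder clock error: {off} (recorder behind real time)")
    for clip, (when, ok) in correct_timestamps(RECORDED, ANCHOR_CLIP, ANCHOR_ACTUAL).items():
        print(f"{clip}: {when.isoformat()} {'ok' if ok else 'outside window'}")
```

The window size is a judgement call per recorder; the proper check is a second known event, which would also reveal whether the error is constant or drifting.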
BattleSpeed
(@battlespeed)
Junior Member

On the other hand, sometimes seemingly irrelevant findings can, ultimately, be linked back to the case at hand.

For example, in one case looking at some questionable practices on the part of an employee of a company we found that the married employee was being extorted by another employee with whom he was having an affair (the similarities to Fatal Attraction were uncanny). Had we been limited in our investigation, we may well have missed this crucial piece of the puzzle.

Of course, here the extortion is not irrelevant and hence would not come within this context. What we're conflating here are limitations on the permissible scope of the search versus limitations on what may be seized, and whether the court views imaging as a "search" function or a "seizure". In part, this can depend on the circumstances and whether the system is to be examined live/on-site or postmortem. I've heard of at least one jurisdiction, for instance, in which examiners have to get a search warrant for the on-scene activities and then get another to examine any images that they bring back to the forensics lab, which are treated as separate seizures by some weird legal logic that I can't personally fathom.

Posted : 17/12/2009 8:18 pm