The latest episode of the Cyberspeak podcast alluded to defense attorneys trying to limit the examination of hard drives to specific areas of the drive or volume. The major argument in support of this seems to be protection of privacy, i.e., examiners/analysts should not be able to look through the entire image because they might come across private information that isn't relevant to the case.
It'd be interesting to see any articles about this practice.
You can look at the Recommendations of the Sedona Conference Working Groups. Made up mostly of jurists, their recommended best practices often are short of what most forensics examiners would consider a complete and thorough examination. And while I have an interest in the issue of privacy, it is hard to reconcile that against the possible ways that relevant data can be "hidden" from view especially if that view is restricted to a particular area of storage.
These instances where the legal community attempts to apply non-technical precedent to technical issues are most significantly embodied in the RAM copy doctrine which is, in my humble opinion, one of the worst reasoned examples of the misapplication of law to technology that I have encountered.
Also, the 2006 revisions to the FRCP (US) pretty much give parties to discovery one drink from the well. Thus, the forensic expert needs to be involved before the pre-discovery conference in order to ensure that his/her client is not deprived of whatever is necessary to perform a thorough examination.
In my experience, the privacy issues can be dealt with by agreeing that the independent examiner can only disclose to his/her client those findings which are pertinent to the case at hand (and, anyway, only those findings would be admissible as evidence). If I am being asked to look at a device for evidence of kickbacks, what business is it of mine that the user is cheating on his spouse?
On the other hand, sometimes seemingly irrelevant findings can, ultimately, be linked back to the case at hand.
For example, in one case looking at some questionable practices on the part of an employee of a company we found that the married employee was being extorted by another employee with whom he was having an affair (the similarities to Fatal Attraction were uncanny). Had we been limited in our investigation, we may well have missed this crucial piece of the puzzle.
Another solution sometimes employed is to use a court-appointed or party-appointed special master to serve as a gateway. I am seeing more of the latter, i.e., both parties retain an independent investigator to act as a special master, because this process still allows each party to retain a separate expert to advocate for their client.
…I am assuming that by sheer luck half the UNmanaged systems somehow kept the right date, and that half of the elderly ladies are very exact in following the manual. wink
jaclaz
Very true. This might be (roughly) verified if there is an event recorded for which the approximate time and date are known with certainty, checking the timestamp of the recording of that event against the actual time and date. If so, you might be able to come up with a reasonable (logically defensible) "error offset" that could be applied to other recorded events - or at least those that are fairly proximal to the known event.
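The "error offset" approach described in the reply above, worked through as an added example (this is not code from the thread or from any of the posters): a device timestamp for an event whose true time is independently known gives the offset, that offset is applied to the other recorded events, and each corrected time is flagged by how close the original record was to the anchor event, since the correction is only logically defensible for fairly proximal events. The anchor (a device-logged call versus a carrier record), the sample events and the seven-day window are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def clock_offset(recorded: datetime, actual: datetime) -> timedelta:
    """Error offset of a device clock: add this to a recorded time to get true time.

    `recorded` is the timestamp the device wrote for an event; `actual` is the
    time that event really happened, known with certainty from an independent
    source (here, hypothetically, a carrier call record).
    """
    return actual - recorded


def correct_events(events, offset, anchor_recorded, window=timedelta(days=7)):
    """Apply the offset to every event and rate how defensible each result is.

    Each event is (label, recorded_datetime). A single anchor only proves the
    clock error at one instant; the clock may have drifted or been reset
    further away, so events recorded outside `window` of the anchor are marked
    'low' confidence rather than silently corrected.
    """
    corrected = []
    for label, recorded in events:
        distance = abs(recorded - anchor_recorded)
        confidence = "high" if distance <= window else "low"
        corrected.append((label, recorded + offset, confidence))
    return corrected


# Constructed anchor: the device logged a phone call at 14:02:00 UTC, but the
# independent carrier record puts the call at 14:37:30 UTC, so the device
# clock was running 35 minutes 30 seconds slow at that moment.
ANCHOR_RECORDED = datetime(2009, 3, 10, 14, 2, 0, tzinfo=UTC)
ANCHOR_ACTUAL = datetime(2009, 3, 10, 14, 37, 30, tzinfo=UTC)
OFFSET = clock_offset(ANCHOR_RECORDED, ANCHOR_ACTUAL)

# Constructed device timestamps to be corrected. The first two are within a
# day of the anchor; the third is months earlier.
SAMPLE_EVENTS = [
    ("document_created", datetime(2009, 3, 9, 9, 0, 0, tzinfo=UTC)),
    ("usb_inserted", datetime(2009, 3, 10, 13, 50, 0, tzinfo=UTC)),
    ("account_created", datetime(2008, 12, 1, 8, 0, 0, tzinfo=UTC)),
]


def run_example():
    """Correct the constructed sample events against the constructed anchor."""
    return correct_events(SAMPLE_EVENTS, OFFSET, ANCHOR_RECORDED)


if __name__ == "__main__":
    print(f"clock offset: {OFFSET} (device clock was slow)")
    for label, when, confidence in run_example():
        print(f"{label:18} {when.isoformat()}  confidence={confidence}")
```

The confidence flag is the point worth keeping in a report: the corrected time for the account created three months earlier rests on the assumption that the clock error was constant over that whole period, which a single anchor cannot establish, whereas a second known event from that period would either confirm the offset or expose drift.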
On the other hand, sometimes seemingly irrelevant findings can, ultimately, be linked back to the case at hand.
For example, in one case looking at some questionable practices on the part of an employee of a company we found that the married employee was being extorted by another employee with whom he was having an affair (the similarities to Fatal Attraction were uncanny). Had we been limited in our investigation, we may well have missed this crucial piece of the puzzle.
Of course, here the extortion is not irrelevant and hence would not come within this context. What we're conflating here are limitations on the permissible scope of the search versus limitations on what may be seized, and whether the court views imaging as a "search" function or a "seizure". In part, this can depend on the circumstances and whether the system is to be examined live/on-site or postmortem. I've heard of at least one jurisdiction, for instance, in which examiners have to get a search warrant for the on-scene activities and then get another to examine any images that they bring back to the forensics lab, which are treated as separate seizures by some weird legal logic that I can't personally fathom.