The prosecutor sends 7 hard drives and 200 CDs (seized from the suspect's house) to our state laboratory and tells us to image all hard drives and CDs and give one copy to the suspect's lawyer.
According to law, the imaging should have been done during seizure, and one copy of the images must be given to the suspect if he wants one. However, the seizing officers did not do it, saying to the prosecutor that they did not have the technical equipment and knowledge. So, the prosecutor now wants our lab to do the imaging of all hard drives and CDs and give one copy of everything to the lawyer. However, according to the regulations, our lab only does the examinations and so it is not our duty to make image copies for the suspect, and it goes beyond our personnel and resources as there are only four examiners who are already overworked with piles of hard drives waiting to be examined.
So, what would you do in such a situation?
a) Would you do what the prosecutor tells you to do even if it is not your duty?
b) Would you refuse to do it and say to the prosecutor that you can't do all the imaging as it is not the lab's duty and that it should have been done during the seizure?
Thanks in advance
A few questions.
Was proper chain of custody maintained?
Are you an independent lab or government owned?
How fast do they want the images?
Are you responsible for maintaining a preservation copy in house?
Hi douglesbrush,
1. Yes, we can say chain of custody was maintained. I mean, they have written down the brand and serial number etc. of what they have seized, but they did not have the hash values as they were not able to make acquisitions of the hard drives and CDs.
2. We are a government owned lab, it is actually a crime lab and we do not have spare hard drives to make and put images on and give it to suspects because we only work inside lab and we have a storage for our own work.
3. The prosecutor wants the image as soon as possible however he does not set a time limit for it.
4. No, we are not responsible for maintaining a preservation copy. Actually there is nothing in the law about that. The law says "if the suspect asks for a copy of data, it shall be given to him during the seizure". So, this is all the law says. It does not say the copies should be preserved in this or that place nor for how long they should be preserved, so anyone can make different interpretations.
So, what do you think we should do?
Thanks in advance
From the details you provide, it's not clear if your lab reports functionally to the prosecutor.
If you don't report to the prosecutor in any way, you could explain that the charter or the mission of the lab is not in line with his/her request. Just be cognizant that the relationship may be damaged, but if you don't care, so be it.
If you somehow report to the prosecutor, you may need to comply and fulfill that request. In that case, I would put together a plan that includes resource requirements and estimated level of effort to complete. Resources would be the # of hard drives and media you need to make the image request (I would imagine the prosecutor will fund the drives and media); level of effort would be the length of time you think it will take you to complete the entire request. Then prioritize this request with the backlog of hard drives waiting to be examined. Who approves the prioritization of those cases? The prosecutor?
If you report to another body (police?), then someone else higher up should negotiate that request with the prosecutor.
I work in a similar situation, although in the US.
Please take anything I say as my opinion and should be considered within the bounds of your lab SOPs and Agreements with legal authority you report to.
A few things you can do: ask the Prosecutor or the Defense lawyer to pay for the hard drives and perhaps the overtime to complete this order.
Another thing to think about in the lab is to minimize the amount of data you are looking at. For instance, the CDs: you could set up a review station and ask the Prosecutor to have the police investigators go through the CDs before you image them to pick which ones have evidence to be used in the case. Then return those they aren't using. This could take weight off your lab.
Good luck. It is difficult to work with so few people and so many cases. You need to be proactive in figuring out how to minimize the amount of exams you do to maximize your impact to your cases, minimize your avg case length and your backlog. This includes methods similar to above, and also training the seizing officers to think and not simply take every piece of digital media they find.
The way I look at it is this: if you do spend time on a forensic exam and it is not used in the prosecution, then that time was wasted. The exam was not needed. The hard part is figuring out what does not need to be examined without missing evidence.
Good Luck
Thanks markg43 and CFEx. I appreciate your contributions.
Just like you said, our lab manager called the prosecutor and explained how resource-consuming and time-consuming it would be to image all those materials along with the current examination requests we have.
The prosecutor agreed and did not want imaging anymore, and he asked us to start examining and complete it soon.
Thanks.
Glad to hear a discussion is all it took to convince the prosecutor.