
When does computer data become computer evidence?

13 Posts
6 Users
0 Reactions
1,515 Views
(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
Topic starter  

I had some very interesting conversations with a couple of colleagues recently about the concept of inspecting computer data on a routine basis and at what point forensic procedures need to be applied. I am speaking from a UK perspective (can't comment in other countries), but there are many examples where law enforcement officers have the powers to make routine checks. My own gut reaction (it serves me well most of the time), is that data only becomes evidence at the point where the officer has reasonable grounds for thinking that an offence may have been committed. Up to that point, it is data and, therefore, it can be looked at in the same way that any other user would examine the data. To handle information in a forensic manner on the basis that it could, in future become evidence, to me opens up a whole can of legal and practical worms.
Any comments?


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

I guess everyone has his own guts. wink

Basically you are saying that in the UK (possibly untrained) police officers can access (personal) data in a "non-forensic sound" manner BEFORE having "reasonable grounds" for suspecting that the owner of the data may have committed a crime?

I would be curious, if you care, to know which are some

examples where law enforcement officers have the powers to make routine checks

and what actually is a "routine check".

I had the idea, possibly wrong, that at least a hint of a suspect is needed to allow accessing (private) data.

jaclaz


   
(@csericks)
Trusted Member
Joined: 18 years ago
Posts: 99
 

…many examples where law enforcement officers have the powers to make routine checks.

Are these specific "court-ordered" cases, or do officers have discretionary access in the UK?

Please, keep in mind, I am not an attorney…and the following is based on my observations/experience.

It is my understanding that, in the U.S., there must exist probable cause, owner consent, or legal search authority for searches of property to which an owner has a "reasonable expectation of privacy." If it is "plain view" or "abandoned" property, no search authority is required.

Some regulatory requirements specify periodic or routine searches. For example, physicians ("quacks" to UK folk? ) ) consent to certain oversight when they receive license to distribute controlled substances. Regular audits and order stream monitoring are expected and conducted under the licensing rules. Even still, out-of-cycle audits need at least an administrative warrant.

Anyhow, to answer your overall question, I understand that property/items become evidence when seized by an authorized agency.


   
(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
Topic starter  

http://www.prosecurityzone.com/Customisation/News/IT_Security/Software_Asset_Management_and_Compliance/Second_phase_of_compliance_raids_conducted_in_Wales.asp


   
(@zbrojovka)
Eminent Member
Joined: 17 years ago
Posts: 20
 

Remind me to leave my computer at home if I ever travel to the UK. I'm anxious to see the examples of discretionary review myself.

For the U.S. csericks' comments are pretty much on par. However, most organizations will take that a little farther. When we talk about plain view, searches incident to arrest, or even an inventory post arrest there are strict guidelines in place to protect the offender. If I walk by an unattended car and see a gun or drugs lying in the front seat am I going to break the window and retrieve that evidence? The answer to most should be no. The proper action is to secure the vehicle and start the appropriate procedure for gaining legal access to retrieve the evidence. Even if the owner of the contraband was never identified, we know that following the correct legal procedure ensured the evidence was collected appropriately.

If I walk down the hall of my office and I see child porn on someone's screen that is in plain view I don't immediately start looking around for more evidence. I now have what I need to secure that evidence and obtain a warrant to extend my search beyond what was witnessed. This would even include removable media in the adjacent vicinity of the crime.

Now to take this a step further into your scenario: If I am at my place of work and I have knowledge that my work computer is being monitored and that any and all electronic communications are solely the property of my employer, I am forewarned. Subsequent to this an audit is performed of my data. The auditor may find evidence of me deviating from what is considered appropriate activity at work or may even find evidence of illegal activity. Regardless of whether the activity is civil or criminal, the observation of the data was legally performed. Now the question must be asked on how to continue.

The forensically appropriate answer? Stop what you're doing. If the intent is to take action on the discovered data whether it be civil or criminal there is a responsibility to maintain the integrity of the initial observation and any future discoveries. At this point the auditor should contact the appropriate personnel to first safeguard any potential evidence and secondly start the procedure to obtain the evidence in a forensically sound manner.

If you have moderately trained people reviewing data they have a legal right to review that is fine, but as soon as they observe an infraction of even the slightest binary bit of data they must stop and do everything possible to preserve the evidence in its observed state. Even if the person reviewing the data indiscriminately was a forensic examiner they would need to stop and begin a forensic approach.

This is really no different than a street cop who patrols every day. Is he not looking for and responding to incidents of crime? As soon as a crime is reported or witnessed the appropriate measures are activated to safeguard the crime scene and specialists are brought in to collect the evidence. It comes down to the original legal authority which brought you to the observation of the infraction and the steps taken afterward to protect the evidence.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

http://www.prosecurityzone.com/Customisation/News/IT_Security/Software_Asset_Management_and_Compliance/Second_phase_of_compliance_raids_conducted_in_Wales.asp

It seems to me like there was a presumption of breaking the Law with regards to using counterfeited or pirated software in that one.

This kind of "review", at least in Italy, is performed as well, but all the enforcement officers do in these cases is to check which programs are installed, and if a corresponding proof of ownership of appropriate licenses exists.

AFAIK they are NOT allowed to open documents, read mails, ANYTHING but checking which apps are installed/present on the Hard Disks without a Warranty or a legitimate suspicion that something else is going on, in which case they can seize the actual device/PC, that will be examined by trained personnel with a "forensic approach", as there have been several cases where inappropriate handling of the "proofs" led to their nullity.

jaclaz


   
(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
Topic starter  

That's very interesting concerning the situation in Italy. Regarding the checks to see what software titles are installed, are these checks done within a forensically sound environment?


   
(@csericks)
Trusted Member
Joined: 18 years ago
Posts: 99
 

Thank you for the article, pbeardmore.

It certainly gives me pause about carrying a system to the UK…not in fear of a license compliance violation, but concern over the degree of invasion of privacy that seems to exist as compared to the US. I wonder what specific methods are used by entities such as FAST to examine systems. Are forensic drive images (physical or logical) created? What tools are used to evaluate software compliance? Or do they just show up unannounced and browse at will with Explorer? If images are created, how are they stored and used for future reference?

Privacy sure is a can of worms…

Thanks to zbrojovka for expounding on the evidence issue–provides a good deal of clarity.


   
(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
Topic starter  

FAST go in together with Law Enforcement and use this system:

http://www.evidencetalks.com/spektor-forensic-intelligence.html


   
(@csericks)
Trusted Member
Joined: 18 years ago
Posts: 99
 

Thanks. I visited the site and don't see much more than marketing content, as below. I wonder about FAST data selection criteria and methods that preclude "other than license compliance" information.

Using a combination of unique portable hardware and software, SPEKTOR delivers the ability to interrogate computers and removable storage devices for the presence of relevant material quickly, accurately and within a forensically and legally acceptable framework.

How SPEKTOR works

Using an intuitive touch screen interface on the powerful SPEKTOR Control POD, users configure re-usable "SPEKTOR Collector Devices" from a list of predefined configurations for different investigation scenarios.

Once configured, the collector device is plugged into the target computer where it immediately starts to gather relevant data.

Optimised for speed, SPEKTOR Collector devices can scan an average laptop faster than other triage solutions.


   