Write-Protection Removal

(@froyoyo)
New Member
Joined: 7 years ago
Posts: 2
Topic starter  

A local in-house police forensic unit recently examined my PC due to a concern with a tenant in a shared property's access to the internet. The PC was eventually returned to me but it appears that all drives are still write protected. The folders in each of the drives are visible, but I am not able to access/open them.

I have raised an issue with this to the relevant police department but they refuse to accept responsibility, claiming that it is not procedure to write-protect or change anything about the drive. But from what I have found, this is exactly what they do to prevent any changes to the drive or accusations of evidence tampering.

The question being, is there any way I can possibly remove this protection myself? I have been told there is no way they will consider rectifying the issue other than for me to take them to court to force their hand, producing proof that they have write-locked all the drives.

Or is there a way I can gain a report from the HDD to show the status it has been left in?


   
Quote
watcher
(@watcher)
Estimable Member
Joined: 19 years ago
Posts: 125
 

Assuming they followed standard forensic procedures, write protection is external to the file system being examined and no alteration is made to your disk or file system.

If what you say is accurate, then their procedures are defective.

In any case, you need to look at the file and directory permissions/ownership. If you have admin authority you can seize ownership back.

No matter what, directory permissions should give you a strong clue as to what happened. You don't say what OS you're using so I'm guessing Windows 10?

Right click a folder, select Properties, select Security

Typically you'll see "Group or user names" for SYSTEM, yourself, administrators, and perhaps others.

Select yourself and look at the permissions below.

Also your account should have a parenthetical identifier something like "(DESKTOP-50K0DVG\you)". Now open a command window and type whoami /user

Does the username match?

The SID is a security ID. You can Google for details. It's possible that rather than change the files, they changed your account. Another possibility is that rather than image your drive with a write blocker, they directly mounted it and inadvertently altered all the ownerships with their examination.

This is all speculation on almost no information. Let us know the result.

————— edit ————-

It just occurred to me. Are these NETWORK folders? If so, it may be that the network admin disabled access while your machine was taken, in which case you should contact your network admin.


   
ReplyQuote
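The checks suggested in the reply above (folder ownership, the SID from whoami /user, and whether the disk itself is flagged read-only) can be collected into one report. This is an added example, not part of any post in the thread; it only reads state and changes nothing. The drive letter D:\ is a placeholder for wherever the returned disk is mounted.

```powershell
# Added example: read-only report of disk write-protect flags and folder ownership.
# Run from an elevated PowerShell prompt. Nothing on the drives is modified.
param([string[]]$Roots = @('D:\'))   # placeholder: roots of the returned drives

$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
$sidT   = [System.Security.Principal.SecurityIdentifier]

"Current account: $($me.Name)  SID: $($me.User.Value)"

# 1. Disk-level flags: a software write-protect shows up as IsReadOnly = True.
Get-Disk |
    Select-Object Number, FriendlyName, IsReadOnly, IsOffline, HealthStatus |
    Format-Table -AutoSize

# 2. Folder-level view: who owns each top-level folder, and does any Allow
#    rule name the SID of the current account or one of its groups?
$report = foreach ($root in $Roots) {
    $dirs = Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue
    foreach ($dir in $dirs) {
        try {
            $acl      = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
            $ownerSid = $acl.GetOwner($sidT).Value
            $allowed  = $acl.GetAccessRules($true, $true, $sidT) | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $mySids -contains $_.IdentityReference.Value
            }
            [pscustomobject]@{
                Folder     = $dir.FullName
                Owner      = $acl.Owner   # raw SID if the account is unknown on this machine
                OwnerSid   = $ownerSid
                OwnerIsMe  = ($ownerSid -eq $me.User.Value)
                AllowForMe = [bool]$allowed
                Error      = $null
            }
        } catch {
            # The ACL itself could not be read (access denied, damaged file system).
            [pscustomobject]@{
                Folder = $dir.FullName; Owner = $null; OwnerSid = $null
                OwnerIsMe = $false; AllowForMe = $false
                Error = $_.Exception.Message
            }
        }
    }
}
$report | Format-Table -AutoSize
```

An owner shown as a raw SID with OwnerIsMe false means the folder belongs to an account this Windows installation does not know, which is what you would expect when a disk is read on a different machine or under a different account from the one that created the files.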
(@froyoyo)
New Member
Joined: 7 years ago
Posts: 2
Topic starter  

Thanks for your reply, I shall try as you said with one of the drives on Windows 10 and get back.

All I know is that they removed all drives from the tower and tested them one by one rather than through the OS. I'm really not sure of their procedure, but they have done this in-house rather than using a professional service. When the PC left me all drives were working 100% correctly, and basically they were drives in a W10 media PC, so no special set-up.

The first drive I connected to an external dock when I received the PC back, to check that all was fine, reported through Windows 10 a severe hardware failure, and I had to format the drive to save it, losing everything on it, so I was hesitant to continue with the other drives. But when I went through each one, all that happened is the Explorer window opened when loaded through the dock and all in appearance looked fine, but the actual folders were not able to be opened, and when I looked at the properties it showed zero data. I've never come across anything like this before, and like I say it only occurred after they had returned the PC, so it was something that happened while with them, and I am assuming they had left them locked or something.


   
ReplyQuote
Bunnysniper
(@bunnysniper)
Reputable Member
Joined: 13 years ago
Posts: 259
 

I would reinstall Windows 10 and keep all personal data, so do not format the hard drive. After that, copy all your important files to an external drive. Then reinstall Windows 10 again, but this time with formatting the hard drive, to delete all possible trojans or surveillance software that was installed by the police.

That would be my approach. The way "Watcher" described is another solution, too.

regards,
Robin


   
ReplyQuote
watcher
(@watcher)
Estimable Member
Joined: 19 years ago
Posts: 125
 

You said two things in different posts that taken together confuse me.

"…The PC was eventually returned to me …"

This implies they took the entire machine and returned the entire machine.

"… The first drive I connected to an external dock … with the other drives but when I went through each one …"

Did they not give you back an intact system as taken?

Did you connect the drives of the taken machine to a different machine, as opposed to using the original returned machine?


   
ReplyQuote
Share: