Your opinion on leaving a pc

(@forensicakb)
Reputable Member
Joined: 16 years ago
Posts: 316
Topic starter  

John Doe, a FORENSIC PRACTITIONER, takes his exam machine into a location. Once John Doe is on location, the person at the location presents him with a hard drive to index. John Doe hooks up the drive to be indexed to his exam PC and starts the indexing process. Because the process will take a long time, John Doe leaves the location and his PC stays at the location while it indexes a hard drive which is not his, but it is his CLIENT's hard drive. Upon John Doe leaving, the person at the location decides to poke around on John Doe's exam computer while it is indexing John Doe's client's hard drive.

BTW for experimental purposes it has been stated what can be shown as to files accessed through MRU and access dates.

If the examiner's machine is ordered to be indexed, therefore implying it will be searched (otherwise, why index it?), then there would have to be one or more reasons for it.

You have to trust your government or if you don't trust the government with your potentially personal, or private, or confidential, or embarrassing, or business data, you don't have any choice in the matter anyway but hope for the best with whomever is handling your data.

If by chance you could show that inappropriate actions were taken, then civil recourse along with a formal complaint to the agency sounds like your potential remedy. But as it's been said before, some things cannot be remedied, as once the arrow is flown, nothing will bring it back and make everything right again.

I'd say an attorney would be able to give you advice on what to do if you suspect that to have happened.


   
bshavers
(@bshavers)
Estimable Member
Joined: 20 years ago
Posts: 211
 

Sometimes it takes me a few times to get it….(my wife says all men are confused due to our genetic makeup, at times like this, I tend to believe her).

In that case, you can examine your PC for anything that may have happened so you know what happened, particularly if you may be testifying as to the collection of evidence for chain of custody. LNK files, Prefetch, event logs, new USB device connections, anything that looks like someone played around with the PC. Then I guess a discussion with the client through an attorney would be in order.


   
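A first-pass check along the lines of the post above, as an added example that is not part of the original thread: it lists LNK and Prefetch files whose filesystem timestamps fall inside the window when the workstation was unattended. The function names, directory layout, file names and times are constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Artifact types named in the post that exist on disk as individual files.
ARTIFACT_SUFFIXES = {".lnk": "shortcut (LNK)", ".pf": "Prefetch"}


def artifacts_in_window(roots, left_at, returned_at):
    """Return (path, kind, timestamp_name, utc_time) for every LNK/Prefetch
    file under `roots` with a filesystem timestamp inside the window
    during which the workstation was unattended."""
    start, end = left_at.timestamp(), returned_at.timestamp()
    hits = []
    for root in roots:
        for path in sorted(Path(root).rglob("*")):
            kind = ARTIFACT_SUFFIXES.get(path.suffix.lower())
            if kind is None or not path.is_file():
                continue
            st = path.stat()
            for name, value in (("modified", st.st_mtime), ("accessed", st.st_atime)):
                if start <= value <= end:
                    when = datetime.fromtimestamp(value, tz=timezone.utc)
                    hits.append((str(path), kind, name, when))
    return sorted(hits, key=lambda h: h[3])


def demo():
    """Build a constructed directory with three fake artifacts and scan it."""
    left = datetime(2010, 3, 1, 17, 0, tzinfo=timezone.utc)  # examiner leaves
    back = datetime(2010, 3, 2, 8, 0, tzinfo=timezone.utc)   # examiner returns
    samples = {  # constructed file names and timestamps, not real evidence
        "Recent/report.doc.lnk": datetime(2010, 3, 1, 21, 15, tzinfo=timezone.utc),
        "Prefetch/EXPLORER.EXE-0A1B2C3D.pf": datetime(2010, 3, 1, 9, 0, tzinfo=timezone.utc),
        "Prefetch/NOTEPAD.EXE-11223344.pf": datetime(2010, 3, 1, 21, 16, tzinfo=timezone.utc),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, when in samples.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"")
            os.utime(p, (when.timestamp(), when.timestamp()))
        hits = artifacts_in_window([tmp], left, back)
        return [(Path(h[0]).name, h[1], h[2]) for h in hits]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Run it against a read-only mount of an image of the workstation rather than the live system, so the scan itself does not touch the timestamps. Filesystem times only narrow the search: last-access updates are often disabled on NTFS, and the run times recorded inside Prefetch and LNK files need a dedicated parser.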
(@gmarshall139)
Reputable Member
Joined: 21 years ago
Posts: 378
 

I believe you are missing the thread. I don't want to edit the thread to include every possible thing that could happen. Just say having a sterile machine is not possible.

But it is possible. In fact it's the best possible thing to do under the circumstances. Why are you taking the best option off the table? It seems that people in our line of work should be well aware of the danger of leaving our computers sitting around unattended.

Do you have data on there that is protected by NDA's? Then I would suggest that you are foolish, even negligent, in leaving them accessible to others while the computer is outside your control.

As far as your original question, what do I think of the police taking the occasion to look through your personal files? Well I think it's uncool. Probably not a criminal act, but one that would certainly be a violation of most agencies' codes of conduct.


   
(@forensicakb)
Reputable Member
Joined: 16 years ago
Posts: 316
Topic starter  

Thank you for the replies.

This is a hypothetical. I take options off the table to not have to try and answer well all the possible scenarios people can think of.

For the sake of this argument say that there are no NDA's in place.

Do you take your information to the court, do you file a report with a police agency, do you talk to the person in charge of the location, is this action noted in your report to the client?

Years ago I'd worked on several cases where various divisions either weren't trained or didn't care (I'm guessing more of the first) and poked around on a PC and then imaged the PC. This is a sort of different take on that type of a scene but now I'm saying it's your computer which is the victim of being sifted through.


   
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

I'm going to presume that you're dealing with an Adam Walsh Act restriction here since it mandates that contraband material must remain in the possession of the govt/LEA/court.

First up, I can't see a circumstance where I'd be doing this and not password protecting my computer, and given that circumstance, I can't see how them rummaging through your live system would be an issue. I'd probably go further and use tamper evident tape over the system and/or drives to indicate if they did touch them physically. If for some reason they insist that you can't password protect it, then I'd be having your client (the attorney) work it out with them in advance. In fact, I'd have my client work out in advance all the issues of access so it's clear who has access to what, and at what time.

You can comply with the requirements to keep the contraband in the govt possession by burning any results you need to keep to a CD/DVD, presenting that for inspection by them to verify no contraband, then blowing away all your drives, both OS/Apps and working drives and allowing them to verify that your drives are wiped before you leave. That said, you still have the issue that you're not working in a forensically sound environment because you can't control access, but the password and the tamper evident protection can deal with much of that.

If you find out after taking all the reasonable precautions you can that they touched your computer, then I'd be informing my client and having him lawyer it out with them.

I blogged on this issue twice last April.

http://www.memphis-computer-forensics.com/blog/2009/04/adam-walsh-act-tennessee-and-questionable-expert-witnesses/

http://www.memphis-computer-forensics.com/blog/2009/04/adam-walsh-act-part-2/


   
(@forensicakb)
Reputable Member
Joined: 16 years ago
Posts: 316
Topic starter  

Goal here is to generate discussion on a topic that I haven't seen covered.

Thanks to all who reply.


   
(@adamd)
Eminent Member
Joined: 19 years ago
Posts: 46
 

I'm actually pretty paranoid by nature, so there's no way I'd leave a PC at any site that had anything but a clean build and the tools I need on it and if I did I'd lock it with a screen saver.

If it did happen to me though, I'd be pretty angered. I would definitely inform counsel.


   
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

Nor would I. I cannot see any legal reason to provide any access to my machine unattended. If they demanded such, as Tony said, I would get the lawyer who hired me involved, and refuse.

Furthermore bshavers is correct. There is nothing on the forensic machine, other than tools, so the only reason someone would dig in there is potentially to steal software.

It was not clear for me, even till this second page that you are talking about a forensic workstation being mucked with versus evidence.


   
(@forensicakb)
Reputable Member
Joined: 16 years ago
Posts: 316
Topic starter  

"Furthermore bshavers is correct. There is nothing on the forensic machine, other than tools, so the only reason someone would dig in there is potentially to steal software."

The only reason someone would dig in there is to steal software? Most good forensic software requires dongles, most other software isn't a simple right click of an .exe. To say the only reason is not allowing for much thinking. A good reason for people to look around on a computer is just that "to look around" they don't know what they will find, much like you don't know what you will find when you look around on a computer.


   
(@forensicakb)
Reputable Member
Joined: 16 years ago
Posts: 316
Topic starter  

Thanks adamd for posting what you would do in this instance.


   