I admit, I had to reread the original posting again to finally get it (at least what I think is the point). You leave your forensic machine onsite while it works on a client hard drive (for whatever reason). The issue is the security of the forensic machine and what to do if someone messes with it.
1) Is it in a locked room, such as the evidence room where all entries into the room are logged or is it in a room accessible to anyone in the building?
2) What safety procedures are put on the forensic machine (locked screen, keylogger running, webcam capture of activity in the room, alarm in the room, etc…)?
3) Do you have a sign that says, "EVIDENCE - DON'T TOUCH"?
Leading to what to do if someone bypasses the above security and pokes around your computer. At a minimum, given anyone touching the computer, whether personal/private/business data exists or not, a formal complaint to be filed would be appropriate. But even at that, if you don't have physical control of the computer, expect that someone else will, and that means they own it. Kinda like the law of land warfare.
Thank you bshavers for your post.
This thread has gotten quite a few hits today.
Given your original post and the following assumptions:
1. The PC is located in a room that is at least secure enough for proper storage and/or processing of evidence.
2. The ONLY people with access to that room are authorized to be there AND they are required to log in and out. (I'm not in law enforcement so I'm not sure how common this procedure is.)
3. You have absolute proof that someone other than you "looked around" on your PC while it was processing evidence and you were not around.
I would file a complaint with the authorities where this occurred. I would also let the judge, your lawyer and the other side's lawyer know what happened.
I would also be prepared for the opposing lawyer and the judge to come down on you. Could you be in violation of the court order or the accepted common practices for protecting and preserving evidence?
You've potentially made one mistake leaving the PC and evidence. Don't make another mistake by failing to disclose.
TonyC
I'd say the reason they had a dig around was to see what you were using and how the system was set up (it's always interesting to see how others work).
I'm pretty careful with a system once it starts indexing due to the fact it could crash depending on a number of factors (like the software used), especially on a Windows machine.
If I really wanted to be difficult and cause a fuss over it, I could point out that the machine was being accessed whilst it was performing a very complex and CPU-intensive task and raise the question of whether any problems may have occurred whilst it was being accessed. Did any dialog boxes come up? Are you really satisfied that the indexing completed without a problem? etc. (Of course, you should check the logs of the indexing software and system logs for any problems.)
There is also the question of the chain of evidence if an unauthorised user has accessed the system with an evidence drive attached. Did they copy anything off? etc.
That's all being pretty picky though, and going back out and doing it again is just going to cost your client more money.
Personally, if it was me, I'd inform Counsel of what happened in detail (and make a file note of course, including the access dates etc.) and let them decide a course of action, which would likely be a note of complaint to the other side just so that it's on record. That way your a**e is covered and someone else's is likely to get kicked.
TonyC's point about you breaching accepted practice is a good one and something to think about.
We're lucky in NSW in that the police often provide you with a clean workstation on site with various up-to-date tools installed on it which they wipe after every preview. You just have to bring your own dongles and any specialist tools you use yourself.
"You've potentially made one mistake leaving the PC and evidence. Don't make another mistake by failing to disclose."
I didn't think of it like this, that is an interesting point.
TonyC,
Not sure about the "You've" unless it's meant in the general sense.
Also
"You've potentially made one mistake leaving the PC and evidence. Don't make another mistake by failing to disclose."
What is the mistake leaving the PC and evidence?
For the sake of the discussion let's say the drive is a big drive and sitting around waiting for it is not an option, as the area you are in is a 9-5 type place and you will be coming in the next day or afternoon to start reviewing the evidence. Even if you could sit there from 9-5, you know the indexing will take longer than the posted hours and the tampering would have occurred after the normal hours by someone with a key.
Hopefully this thread gives people thought into drives and leaving them wherever. While to most this is old hat, there are new people here all the time and some of the things presented here may not have crossed the mind of people or possibly not all the ideas presented may have.
As far as your original question, what do I think of the police taking the occasion to look through your personal files? Well I think it's uncool.
Nicely put, Greg lol
forensicakb,
Yes, I meant "You've" in the general sense. To restate… "John Doe potentially made one mistake…"
Leaving an image processing in my office/lab under lock and key is one thing. Leaving it at a location outside of my direct control is another. I didn't want to make too many assumptions outside of what your original post stated.
But, if John Doe did the right thing and took a sterile system and the only evidence that is on the machine is what the others in the room have access to, then perhaps no harm was done by the snooping. On the other hand, if the system has evidence from other cases he is working on, those cases could be at risk. I think I would still err on the side of caution and notify the judge and lawyers.
Regardless of what was on the PC, what the police did shows a complete lack of ethics. The machine does not belong to them and they had no jurisdiction nor right to look at it. If they would snoop, maybe they would also leak what they saw to news media, judges, lawyers, whoever may be interested in what was found (if anything was found).
No one has even speculated on the officers involved. Would it make a difference if they were forensic investigators? What if they were the officers tending to the evidence room, would that make a difference?
Great post by the way. The discussion has been very thought provoking.
TonyC
Assuming you (general sense) are working for your client via defense counsel, is the information on your computer (specifically with regard to the current case) protected by client/counsel relationship? Or is that a stretch? If so, there are some interesting arguments to be made regarding a violation of that protection by the govt.