Well if the court orders you to leave the examination machine there, they can't fault you for it from that aspect (if something happens).
I think if there's any evidence of someone going through the machine, you'd have to take it back to the court and tell them what happened. Then let the attorneys fight it out (or whomever).
I think there are a couple of realities that would come from this scenario:
1) Odds are (as most people have stated), you would try to set up an environment where the examination machine is "clean" (or at least free from any old/other case data).
2) If you're working in this scenario, most likely someone (the client) would want to make sure that the room that the machine is in is secured (if LE is on the other end the client is probably not going to trust them).
3) Murphy being the law, whoever looked at the machine would probably just try to sign into their Facebook account and when it didn't work they would leave. (ok I had to throw that one in there)
I agree it's a good topic to think about, but there are so many variables with it that it's hard to say what anyone would do.
The only reason someone would dig in there is to steal software? Most good forensic software requires dongles, most other software isn't a simple right click of an .exe.
I am sure you will find quite a few of us who use "good forensic software" which do not require dongles.
I did not say they would steal it, but they reason that they potentially may. Not knowing they cannot extract license keys, does not preclude them from attempting.
I presumed Linux box, versus a Windows machine.
To say the only reason is not allowing for much thinking. A good reason for people to look around on a computer is just that "to look around" they don't know what they will find, much like you don't know what you will find when you look around on a computer.
I value a "you are an idiot" placed so eloquently.
I believe you narrowed the scope of the theoretical scenario. It was not just "people". This, in its nature allows within the confines of your scenario. Allowing only for "little" thinking.
We are talking about professionals here, correct? Law enforcement officers, who grasp the consequence of tainting or ruining evidence, potentially losing a case, getting fired and brought up on legal charges? These are the same guys who can force you to leave your forensic machine (or not allow evidence into your possessions)?
These are the ones that just want to look around, correct?
There are plenty of reasons to have an issue with the restrictions that are imposed by this statute, but inventing a scenario where you are so incompetent as to let your computer be completely unsecured, and the police are so stupid as to walk all over it is totally unrealistic.
Having worked extensively on the LEA side, but also on the defense side, I can't think of a possible reason why a police officer would try to use a computer in a controlled space with a password lock, evidence tape and a sign saying "do not touch" unless he was mentally deficient or abjectly corrupt. Tampering with evidence is a career ending event.
At some point at the completion of an Adam Walsh act defense examination, you are going to present your drives and evidence for the LEO to check that you're not walking out the door with contraband, which is why you blow away all your drives before leaving, and only put any logs, non-contraband files or forensic reports on an R/O media for inspection prior to departing. If you walk in to conduct said examination without the lawyer who hired you threshing out the boundaries before-hand, then you're foolish or incompetent. Those boundaries should include a clear demarcation of the point at which the police get to touch your stuff, which shouldn't be until you are finished and have blown your stuff away.
The agency I used to work for did a similar offer for defense examiners to what Adamd said, but that's perhaps because they were also an Australian agency. However I do have serious issues with using anyone else's equipment to conduct an examination because in doing so, you have even less control than if it's your own equipment, and you're at a disadvantage as far as controlling your forensic environment goes to start with. If you haven't set up and/or tested the forensic system yourself, it's hard to speak as to the reliability of the evidence it produced.
I have done a review of the other side's evidence using their equipment, but I clearly delineated that as a review, and not a forensic exam.
I would at least try playing a prank on those guys.
Like placing something on it that when an access is attempted produces this visual effect:
http//
then triggers this screensaver:
http//
http//
And would add a key cover on the Esc key:
http//
Just to stir around the waters a bit.
jaclaz
It's been alluded to but never really stated out loud:
What would happen to any evidence that has been obtained during the indexing process? I personally would suggest that it is discarded and the process started again - as, whatever you _think_ might have happened, you run the risk of just having the whole damn lot rendered inadmissible through a technicality. I would also go down the route of (a) lodging an official complaint (b) kicking myself hard for being such an idiot.
However, in some respects it's not an entirely stupid scenario if you lift it up a level - assume that the machine is left as described, but has been locked, to what extent does someone coming in and waggling the mouse (as we all do when we see an unattended machine - at least in the security world - to find out if it _is_ locked) influence the evidence? In "meatspace" forensics this kind of action (coming in and poking the DNA extractor) would likely cause significant problems for the admissibility of the evidence.
Interesting discussion, at least once I'd read the thread and understood the question!
I just ran into this post and thought I would join in…albeit, several months later.
I had a similar situation happen about a year ago and here is how we handled it.
1.) I brought my system into the law enforcement agency and set it up in a witness interview room.
2.) During the entire time my equipment was there, either attended or unattended, the video recording system was running. The law enforcement officers were not allowed in the locked witness interview room without me being there.
3.) When the case was over, I received a copy of the video and the law enforcement office retained one for their records.
This seemed to work quite well and is how I would do it again if the need arises.
That's a good idea.
Most of the replies to this thread were, I would have never put myself in that situation, you didn't do this right if the attorney didn't intervene, etc. Easy arm-chairing.
Few really addressed what actually happened and what to do from there.
While others said that it's "totally unrealistic", orders do exist which state that no screen saver may be used, nothing may impede a person's view of the monitor at any time, no additional items may be connected to the computer other than the mouse, dongle, and the external hard drive.
There was a post which stated:
"If you walk in to conduct said examination without the lawyer who hired you threshing out the boundaries before-hand, then you're foolish or incompetent. Those boundaries should include a clear demarcation of the point at which the police get to touch your stuff, which shouldn't be until you are finished and have blown your stuff away."
I guess I am foolish and incompetent… I've yet to see a situation where you can go to a police facility, RCFL, or any Govt facility and dictate to them how things will run, especially in the Federal system. You are told where you can go, what you can bring, even the hours you can stay. Furthermore, you can also have restrictions placed like mentioned above on the machine itself.
Having done enough adverse environment examinations (civil and criminal) I have to agree with forensicakb - sometimes you get what you get in Govt facilities. Usually the lawyers have their own agenda and case strategy so you are only one piece of the case to them - although it is everything to you. Rarely do you get to dictate the conditions but are asked, "given the situation can you do X, Y and Z." If you can but it takes some creative thinking or QT on your part then that's what is needed to get the job done. Certainly put in writing and back up verbally all your concerns (a.k.a c.y.a.) so if asked you can say you did your due diligence.
By indexing the subject hard drive do you mean creating image files with FTK Imager or the like? Are you being prevented from showing up with a Logicube and cloning the drive? For instance the presence of CP? If that is the case and you are not imaging what is the indexing process you refer to? Perhaps hashing all the graphic files? I would show up with a laptop with only the tools that I need to accomplish the task. As long as they didn't interfere with the process at hand I wouldn't care if the LEO had a look see. There is a good chance you already know the forensic team at the local PD and are even friends with them. Interesting discussion though.