Many (all) of the cases that we have been involved in have centered on the aquisition and analysis of machines that were not siezed and locked away at the time of the imaging. In other words, every machine was used by the client or suspect after the image was taken.
We were recently faced with the possibility of appearing to testify in one of the cases. My question is this. Given that the orginal is useless as proof that there was no alteration of the evidence, what if anything can we do to protect ourselves (beyond testifying to the use of proper procedures, writeblockers …)
The best evidence is always the original. The purpose of imaging a machine is to ensure that the 'doctrine of documentary evidence' is adhered to. This is basically that the evidence is no more and no less than when it was originally taken into possession.
If you have fully documented the process and explained why the machines could not be preserved for court, then I cannot foresee any problem.
I'll ditto Andy's comments in large part as they relate to the US court system. Generally I testify that the image was verified as a true and complete copy of the original and then follow with a short explanation of hash analysis if necessary. If there were any errors (bad sectors) encountered during acquisition I'll point out which sectors those were and state that nothing of evidentiary value resided on the clusters in which those sectors were located.
I agree with the comments made , my concern, especially with respect to the hash values, is not that the we have the hash but that we have nothing to compare the hash to since the orginal has changed.
Given that , what is my answer to opposing council that accuses us of adding the evidence after the fact.
In my mind the possible solution to this is to make a second copy of the image and store those somewhere else. At least you can make the argument that the work you did can be recreated by a third party if necessary.
You didn't get a hash of the original media at the time it was acquired?
yes but what value is it. I can not recreate it since the original drive has been used since the aquisition. I can state that this is the hash value but what is my proof that it is accurate.
At some point when you go to court the judge/jury has to trust you, that's why you take the oath. You may need to explain why the computer had to be used after your acquisition, but in the end it's going to come down to who the judge or jury believes. The reason it matters that you have the acquisition and verification hashes, and that they match, is that you did the right thing. You followed proper procedure and you can testify to that honestly.
Thats pretty much the conclusion that we have come to. Thanks for the imput.
"The best evidence is always the original"
What if the original is not able to be aquired?
what if we take 2 images of original evidence..restore first image and hand over restored image to concerned party..Keep original evidence in safe custody of prosecution.Analyse the second image for reporting the findings…Once the case is finilized in the court of law, return the original evidence to party after disposal of case..this way the all the parties will be in win win situation..
is this ok?