In consultation with Indian LE we have arrived at the following process.
- first make 2 bitstream images from the source.
- make a ghost copy of the source (to give suspect - only in cases where required)
- Sieze & Seal original in the presence of 2 independent witness with MD5 hash values etc.
- Send 1 bitstream to a Government forensic lab for analysis and official report
- Use 2nd Bitstream for purposes of furthering investigation in the shortest possible time (basically identify and pursue further leads)
Some variation of this might be the way to go for you as well.
HTH
Samir Datt
I would suggest getting a stipulation agreement prior to releasing the computers. It would basically say that the forensic image was serve was the best evidence and the other party agrees to make not objection of these grounds.
David
I am curious as to why the obvious solution was never mentioned in this thread. Ergo
We try to convince the clients that the replacement of the hard drive is the best policy. We then store original in our evidence room to be returned to the client at the conclusion of the case. The price of IDE hard drives is so cheap in today's market that the expense is not a problem. We simply restore a copy of the acquired image to the new hard drive and plug it in. There can be no question as to preservation of evidence at that point.
We are not always successful, but in most cases where it is properly explained, the client will do it.