Quick Question about Seizing a hard drive

 
Oriska
Newbie
Joined: Oct 02, 2010
Posts: 20

Posted: Thu Jan 27, 2011 11:38 am    Post subject: Quick Question about Seizing a hard drive

When going to acquire a suspect's hard drive, is it okay just to make an image copy of the hard drive and leave the original hard drive with the suspect? What if you took a video recording of what you did, showing that you did everything as procedure is supposed to go?

Thanks

cybercop
Newbie
Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

Posted: Thu Jan 27, 2011 1:12 pm

Absolutely not. The original IS the evidence. There are very limited circumstances that you wouldn't take the computer. VERY limited.

PreferredUser
Newbie
Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Thu Jan 27, 2011 4:10 pm

When you write "suspect" I think LE. If you are LE you would never leave the suspect with contraband.

If you are discussing this in terms of a larger scope of "subjects of interest" then in the ediscovery world you are very likely to image drives and leave with only the image of the drive(s).

michalwrp
Newbie
Joined: Jan 10, 2011
Posts: 3
Location: Europe

Posted: Thu Jan 27, 2011 7:14 pm

Actually, the main reason you acquire a drive “on-site” is that you have to give the suspect back their original hard drive. Otherwise it is better to make the acquisition in a laboratory.

The decision to give back or to take the original hard drive after making a copy should be made by the authority which ordered the investigation (depending on the legal system or country it can be e.g. a prosecutor, a court…).

In the majority of legal systems, not the device but the information stored on it is evidence.

gawlerj
Newbie
Joined: Jan 07, 2011
Posts: 6

Posted: Sat Jan 29, 2011 3:44 am

I agree with the others here, leaving the original drive with the suspect is not a good practice. If (and when) your image goes bad on you, you've lost everything, since the data will have changed on the original drive by then.

Also the defence may not want your image to examine, they may want to create their own image from the original.

Additionally, if there is evidence on there that you may need to prevent the suspect from getting back (CP, etc) letting them have the drive gives them the ability to make copies.

The only reason I can think of allowing a suspect to retain the drive would be if the target drives were part of a business, say a server, which the business could not operate without. But if it's a single laptop or desktop from someone's home, it's very likely going to sit in evidence until the case is adjudicated.

Oriska
Newbie
Joined: Oct 02, 2010
Posts: 20

Posted: Sun Feb 06, 2011 4:55 am    Post subject: Thanks

Thank you. The reason I asked this question was because what if the suspect needed the computer for work. For example, what if he was a game designer working from home.

Maybe a solution to this is if we give the suspect an imaged copy of his hard drive with spyware on it. So we know what he is doing at all times.

I know sometimes innocent suspects are involved in cf investigations and I would prefer to examine the real suspect's hard drive and not interfere with another innocent person's life.

gawlerj
Newbie
Joined: Jan 07, 2011
Posts: 6

Posted: Sun Feb 06, 2011 7:22 am

If you have a search warrant to seize the drive I, again, would think it would simply be seized and any work the owner has on it will have to wait. If his lawyer convinces a judge to give him back his drive so he can continue to work (there may be an intellectual property issue there) then so be it. But I wouldn't offer to do this without a judge's order.

As for installing spyware, not without a warrant.

True, someone who may have nothing to do with an alleged crime may have their computer taken for an investigation, and that could set them back months and years depending on the case. Hopefully people in a business in which they rely on data have some offsite backup in place. Not so much to get around the law, but for fires, theft, etc. And it would come in handy if the cops seized your system too.

cybercop
Newbie
Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

Posted: Sun Feb 06, 2011 9:51 am

If you had probable cause, you had probable cause. It doesn't matter if his entire business is run from the computer. As I originally stated, the original IS the evidence. Your image is nothing more than something for you to analyze. How are you going to prove to the court that his original drive IS the drive you created the image from, if you don't have the original? All it would take is leaving the drive there and the suspect booting the computer one time to make the checksum change and now they have reasonable doubt. As I said before, there are very few cases where you would leave the drive, and an individual in a criminal case is never one of them.

michalwrp
Newbie
Joined: Jan 10, 2011
Posts: 3
Location: Europe

Posted: Sun Feb 06, 2011 11:50 pm

In the legal system in my country, the hard drive is not evidence; the information stored on it is evidence.

A forensic copy has the same legal value as the original hard drive.

That is why in most cases HDs are imaged on site and the original drives are left with the suspects. If there is no possibility to image it on-site (there is no time, specialists, forensic tools available), the hard drive is seized and taken away.

It doesn’t matter if it is a civil, business or criminal investigation. Not the device but the information stored on it is evidence…

It is important to say which country's legal system we are talking about...

Oriska
Newbie
Joined: Oct 02, 2010
Posts: 20

Posted: Mon Feb 07, 2011 1:10 am

Thank you all VERY VERY VERY MUCH!

Thank you for contributing great information for the community.

garofski
Newbie
Joined: Jun 04, 2010
Posts: 1

Posted: Mon Apr 04, 2011 5:31 am

Ok so you take a copy. One of the principles of computer forensics is to preserve the evidence; it doesn't matter whether the drive or the information on the drive is the evidence, by leaving it with the suspect then they are able to change the data! When it comes to court how can you prove that the information on the image is the same as the one on his drive!!!

They could have destroyed it and purchased a new one, there goes your evidence.

Only just starting out so would like clarity on this!

All times are GMT + 10 Hours