Computer Forensics World :: View topic - Digital Evidence Chain of Custody
Digital Evidence Chain of Custody

Forum: Computer Forensics World Forum Index -> Legal Issues

Innocent (Newbie; Joined: Nov 23, 2012; Posts: 6)
Posted: Sat Nov 24, 2012 5:57 pm    Post subject: Digital Evidence Chain of Custody

Dear Everyone,

Scenario: An employee is accused of having committed a crime using a company provided computer. Police come in to investigate. The police request to seize computer. Company gives consent, computer is seized - only identified by serial number of computer. All this happens in employee's absence.

The police go and do digital imaging and hashing at their offices on their own.

The accused contends that he should have been present at Seizure, Imaging and Hashing (MD5) and given a hash key. The accused also contends that he should have been given a digital copy.

Did the police break the chain of custody? Are the expectations of the accused employee legitimate? Is such evidence admissible in court?... Considering that MAC times are easily manipulated.
cybercop (Newbie; Joined: Nov 01, 2005; Posts: 551; Location: Marion, Indiana, USA)
Posted: Sat Nov 24, 2012 8:57 pm

Accused employee does not need to be there during seizure. Employee's lawyer can have their forensics examiner image and hash the evidence drive. There will be plenty on the computer to identify it as a computer used by the employee.

From the description, the chain of custody has not been broken as long as they maintained a chain of custody from the time it was seized.

Times are not as easily manipulated as you seem to think. If the police find evidence on there, then they found evidence. They will use other information on the system to assist in proving whether the suspect is the one that was on the computer at the time.

I can say that there are times when the examination actually proves the suspect is not the guilty party.

From the sounds of it, you need to get a lawyer though.
Innocent (Newbie; Joined: Nov 23, 2012; Posts: 6)
Posted: Sat Nov 24, 2012 10:59 pm    Post subject: Digital Evidence Chain of Custody

Cybercop,

Many thanks for your comment. Just to add some clarity to the scenario:

The employee's lawyer was not present when the hashing was being done at Police HQ. Not even a company representative was available at Police HQ during the hashing and imaging process. Basically, the police got custody of the computer... and went back... and did everything else on their own.

The nature of the digital evidence is a computer program. The police seized the computer 90 days after the program was last used.

Will appreciate further comments from you.
cybercop (Newbie; Joined: Nov 01, 2005; Posts: 551; Location: Marion, Indiana, USA)
Posted: Sun Nov 25, 2012 3:30 am

They do not have to be there during any part of the examination. Again, the suspect's lawyer can have a forensics examiner image the drive and verify the hash that the police made. The suspect's examiner can then examine that image in any way they want.
Any evidence the police find, whether pointing towards the suspect's guilt or innocence, will be given to the prosecutor AND turned over to the defense through the evidence discovery process.
Innocent (Newbie; Joined: Nov 23, 2012; Posts: 6)
Posted: Sun Nov 25, 2012 5:57 am

The concern for the defense is as follows:

What guarantee do they (defense) have that the program was not modified (tampered with) to meet police / prosecution requirements BEFORE the hashing and imaging was done? The defense are not saying they should have been available during examination, but rather during that important stage of hashing and imaging.

How do you interpret the following information in relation to the above requirement:

1.
http://www.attorneygeneral.gov.uk/Publications/Documents/Guidelines%20on%20digitally%20stored%20material%20July%202011.doc.pdf

Read Page 5. “…17. An image (a forensically sound copy) of the digital material may be taken at the location of the search. Where the investigator makes an image of the digital material at the location, the original need not be seized. Alternatively, when originals are taken, investigators must be prepared to copy or image the material for the owners when practicable in accordance with PACE 1984 Code B 7.17….”.

2.
http://www.mttlr.org/voleight/Brenner.pdf

Go to Page 79. “...When a court issues a seizure and off-site search authorization, it should also require that the officers create at least one back-up copy of the information on the seized equipment and give this back-up copy to the owner of that equipment……”.

Go to Page 106. “...When officers take the original files, they usually provide the owner of that property with a copy of those files, though the owner may have to wait a few days to receive the copy….”


Look at this as well...

http://www.slideshare.net/Eacademy4u/preserving-and-recovering-digital-evidence

18. Computer Image Verification
• At least two copies are taken of the evidential computer.
• One of these is sealed in the presence of the computer owner and then placed in secure storage.
• This is the master copy and it will only be opened for examination under instruction from the Court in the event of a challenge to the evidence presented after forensic analysis on the second copy.

Moderator Note: Direct links are not allowed
cybercop (Newbie; Joined: Nov 01, 2005; Posts: 551; Location: Marion, Indiana, USA)
Posted: Sun Nov 25, 2012 6:31 am

Assuming this is an investigation based in the US, a guide from the UK's AG (1st link) has no power here.

As I said, the defense WILL be given an opportunity to review the evidence.

What it sounds like to me is that 1. You are the suspect. 2. You know there is evidence proving you are guilty. 3. You are grasping at straws attempting to find technicalities to try to disqualify the evidence.

If the above is true, you need to look elsewhere for the technicalities because it sounds like the police have followed procedure from the beginning based on your description.

I want to add this also. What would make you think the police would give the suspect back a copy of the drive at the time of seizure? Let's say I have a case regarding child pornography. By your requirements, I should image the drive on site, then give the suspect a copy of that image (which is suspected to contain child pornography) so they now still have their copies to look at. NOT going to happen.
PreferredUser (Newbie; Joined: Jan 01, 2007; Posts: 1130; Location: USA)
Posted: Sun Nov 25, 2012 1:27 pm

Innocent wrote:
    The concern for the defense is as follows:

    What guarantee do they (defense) have that the program was not modified (tampered with) to meet police / prosecution requirements BEFORE the hashing and imaging was done? The defense are not saying they should have been available during examination, but rather during that important stage of hashing and imaging.

I see these posts where people are concerned about the police tampering with or manufacturing evidence and just have to laugh.

In the same vein as the answer from Cybercop, I have to ask, what motivation does law enforcement have to tamper with evidence?

Do you really believe that law enforcement picked the defendant out of all the people in the area, decided that the defendant needed to be guilty of some crime, devised a plan to manufacture probable cause, got a Judge/Magistrate to sign a warrant based on the manufactured evidence, seized the computer and without touching any other parts of the evidence injected the manufactured evidence into the computer in all the spots necessary so that the evidence looks real, and then with all those people involved did not have any leaks to a friend or the press or someone? Seriously?

Also in regards to giving the subject a copy of the drive at the time of the seizure there are many factors, as Cybercop posted if there is contraband then law enforcement is not going to leave a copy of the evidence. The other factor is the size of the drive or drives being seized. With the large drives being encountered it is becoming almost impossible to image drives on scene anymore.
Innocent (Newbie; Joined: Nov 23, 2012; Posts: 6)
Posted: Sun Nov 25, 2012 2:42 pm

Many thanks to both Cybercop and PreferredUser for your valuable comments.

I'm actually not the accused. I am a police officer, but not related to the case. The accused is a brother in marriage. I'm just trying to find out how I can help the guy. I am from a country where these types of cases are not common. It could be the first of its type. Our laws are quite silent on these matters. Looks like the courts may have to rely on Commonwealth laws and precedents, including what is prevailing in the US.

You may wish to know that the accused was actually approached by his employers (perhaps on instructions from the police) so that they resolve the matter outside court. They promised to pay the accused off, separate him from the company and withdraw the case. But they wanted him to admit wrongdoing... His lawyers refused the offer. The company further said they had brought into the country an IT expert from outside the country to investigate the accused's laptop.... but the expert didn't find anything - presumably in plain view. They claim they only found something upon doing a data recovery (using EnCase) and then doing reverse engineering of the executable that was OVERWRITTEN or DELETED. The accused's computer was only seized over 90 days after the alleged crime.

This information is suggesting something is not OK. Officers attached to the case say there is no evidence.... but say the early publicity given to the case has made the police push ahead with the case - wrong or right.

From an IT perspective, overwritten data is dead for good. Deleted data MAY not survive 90 days on a used computer...

Your comments again.
Innocent (Newbie; Joined: Nov 23, 2012; Posts: 6)
Posted: Sun Nov 25, 2012 3:51 pm

Cybercop....

This is a very interesting topic... I wish we could meet and discuss it over a 'beer summit'.

I understand why porn would not be left behind with the accused. But should there be legitimate need, the defense counsel can be given access. However, this is not a porn issue. It is about a Visual Basic program that was used in a competition to randomly select winners. Police claim the developer used it to predetermine a winner... then shared the cash with the winner.

Looks like the police are working in reverse direction. They think they have proof that the money was shared between the winner, the program developer and others. Now they want to prove that actually the winner was predetermined.

So, hashing/imaging and leaving a copy with the accused and his defense counsel should not be a far-fetched expectation. The computer hard disk is about 250GB.... but obviously the program itself should have been less than 50MB.

In the absence of hashing/imaging having been done in the presence of the defense counsel, the scenario is easy to modify.
cybercop (Newbie; Joined: Nov 01, 2005; Posts: 551; Location: Marion, Indiana, USA)
Posted: Sun Nov 25, 2012 11:50 pm

Not being a case based in the US, I would have no idea of any of the laws that may or may not exist. If there aren't any laws regarding digital evidence, then maybe this case will set precedent.

Good luck.

I might add that if they recovered the file, it wasn't overwritten. As far as deleted, deleted doesn't mean gone. It just tells the OS that the area it occupies on the storage device is available to store other data. If the OS never writes anything to that area, the file is just as intact as it was before it was "deleted" and recovery is extremely simple.

You keep alluding to intentional manipulation by the police. If you are a police officer like you said, then you should know that the police have no reason to do that. If you think otherwise, I am glad that I am not in your jurisdiction.
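The post above describes deletion as a bookkeeping change rather than data destruction. The following toy block-device model is an added illustration, not code from this thread or from any forensic tool: it has an allocation bitmap and a directory, "deletes" a file by clearing the bitmap bits, carves the file back out of unallocated space by signature, and then shows what is left once ordinary use reallocates one of its blocks. The block size, file names and the "MZ"-headed program bytes are all constructed for the example.

```python
"""Added example (not from the thread): a toy block device showing why a
"deleted" file stays recoverable until its blocks are reused, and why an
overwritten region is not."""

BLOCK_SIZE = 16   # bytes per block; constructed small so the layout is visible
NUM_BLOCKS = 8

# Constructed stand-in for the program executable; "MZ" is the real DOS/PE magic.
PROGRAM = b"MZ\x90\x00" + b"select_winner(seed)=42 ".ljust(36, b".")


class ToyDisk:
    """A flat array of blocks plus an allocation bitmap and a directory."""

    def __init__(self):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(NUM_BLOCKS)]
        self.allocated = [False] * NUM_BLOCKS
        self.directory = {}   # file name -> list of block indexes

    def write_file(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        free = [i for i, used in enumerate(self.allocated) if not used]
        if len(free) < len(chunks):
            raise OSError("disk full")
        owned = free[:len(chunks)]
        for i, chunk in zip(owned, chunks):
            self.blocks[i][:] = chunk.ljust(BLOCK_SIZE, b"\x00")
            self.allocated[i] = True
        self.directory[name] = owned

    def delete_file(self, name):
        # "Delete" only removes the directory entry and clears the bitmap bits;
        # the block contents are left exactly as they were.
        for i in self.directory.pop(name):
            self.allocated[i] = False

    def unallocated_space(self):
        """Concatenate every block the bitmap says is free, in disk order."""
        return b"".join(bytes(self.blocks[i])
                        for i in range(NUM_BLOCKS) if not self.allocated[i])


def carve(disk, signature, length):
    """File carving: look for a byte signature in unallocated space and return
    `length` bytes starting at it, or None if the signature is gone."""
    blob = disk.unallocated_space()
    pos = blob.find(signature)
    return None if pos < 0 else blob[pos:pos + length]


def deletion_demo():
    disk = ToyDisk()
    disk.write_file("draw.exe", PROGRAM)        # occupies blocks 0, 1, 2
    disk.delete_file("draw.exe")

    # Nothing has reused the blocks yet: the whole file carves back intact.
    after_delete = carve(disk, b"MZ", len(PROGRAM))

    # Ordinary use of the machine: a new file lands on the first free block,
    # which is block 0, overwriting the executable's header.
    disk.write_file("notes.txt", b"meeting minutes")
    after_overwrite = carve(disk, b"MZ", len(PROGRAM))

    # What survives is a header-less fragment in the remaining free blocks.
    fragment = carve(disk, b"r(seed)", 8)

    return {
        "recovered_intact": after_delete == PROGRAM,
        "recovered_after_overwrite": after_overwrite,   # None: header is gone
        "surviving_fragment": fragment,
    }


if __name__ == "__main__":
    print(deletion_demo())
```

The model is deliberately minimal: real file systems add metadata journals, fragmentation and wear levelling, but the two outcomes it shows hold generally. Directly after deletion the carver gets the whole file back; once a block is reallocated, the bytes that were in it are gone and only the fragments in still-free blocks remain, which is why the age of a deletion and the amount of use since matter for recovery.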
Innocent (Newbie; Joined: Nov 23, 2012; Posts: 6)
Posted: Mon Nov 26, 2012 2:29 am

It is because of the precedent it will set that a lot of us are either directly or indirectly following the case so that we can pick up some lessons for the future.

The prosecution forensic expert told the Court that EnCase can recover 100% Overwritten and Deleted data. Obviously, from the technical point of view, recovering Overwritten data is impossible... at least this is what I know. Even Guidance Software says it is not possible to recover overwritten data. This is an attempt to mislead the Court. Recovery of Deleted data is possible... but with over 90 days having elapsed from date of deletion to date of alleged recovery... chances of finding the data intact are slim... especially on a heavily used computer.

Further, the prosecution say they used De-Compilation. This means they recovered a Deleted program executable....then they de-compiled it. Now, I refuse to believe that the entire program executable was left untouched for over 90 days.... If a part of it was overwritten such that only a portion was recovered in the File Slack, what guarantee is there that this portion can fully be De-Compiled? Hence the doubts Cybercop...

In a situation like this, it is easy to manipulate and recover a 'deleted' executable. MAC times are changeable...

It is for this reason that the defense team feel digital evidence chain of custody should have been followed to the very last letter to prevent such possibilities... There are two primary reasons why Imaging and Hashing are done: 1. Prevent spoliation AND 2. Prevent tampering.

In this case, Spoliation may already have happened considering the fact that the computer was in use for over 90 days before the computer was seized. The next issue to have been taken care of is Tampering... which the police / prosecution cannot convince anyone that they adequately followed procedure to convince any mind that there was absolutely NO tampering.... Look at the document... Authenticating Digital Evidence - Identify and Avoid the Weak Links in Your Chain of Custody... - criminallawlibraryblog.com/Authenticated_DigitalEvidence_2-20-09.pdf - Page 2.... Clearly an example of hashing being done on site. That is the only way of convincing doubting Thomases...
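The posts above keep returning to what imaging and hashing actually buy the parties: a digest recorded at acquisition that anyone holding a copy, including the defence examiner mentioned earlier in the thread, can recompute and compare, plus a custody record that itself cannot be quietly edited afterwards. The script below is an added example written for this page, not code from the thread or from any vendor tool. It hashes a constructed stand-in image with MD5 and SHA-256 in one pass, re-verifies a copy, shows that a single flipped byte changes every digest, and keeps a custody log whose entries are chained by hash so that altering an earlier entry breaks the later ones. The examiner names, timestamps and image bytes are all constructed.

```python
"""Added example (not from the thread): digests recorded at acquisition, an
independent re-verification, and a custody log whose entries are chained by
hash so later edits to the log are detectable.  All data is constructed."""
import hashlib
import json

# Constructed stand-in for a forensic image (16 KiB of deterministic bytes).
SAMPLE_IMAGE = bytes(range(256)) * 64
CHUNK = 4096


def hash_image(data, algorithms=("md5", "sha256")):
    """Hash the image in chunks with every algorithm at once (one pass over the data)."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for i in range(0, len(data), CHUNK):
        for h in hashers.values():
            h.update(data[i:i + CHUNK])
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(record, data):
    """Return the algorithms whose recorded digest no longer matches `data`.
    An empty list means the image is bit-for-bit what was hashed at acquisition."""
    current = hash_image(data, tuple(record["hashes"]))
    return [name for name, digest in record["hashes"].items() if current[name] != digest]


def _entry_digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def append_custody(log, **fields):
    """Append an event whose 'prev' field is the SHA-256 of the previous entry,
    so editing or dropping any earlier entry breaks every later link."""
    prev = _entry_digest(log[-1]) if log else "0" * 64
    log.append({"prev": prev, **fields})
    return log


def verify_custody_log(log):
    """Walk the chain from the genesis value and confirm every link still holds."""
    expected = "0" * 64
    for entry in log:
        if entry["prev"] != expected:
            return False
        expected = _entry_digest(entry)
    return True


def custody_demo():
    # Acquisition: examiner and an independent witness both receive the digests.
    log = append_custody([], event="acquisition", examiner="Examiner A",
                         witness="Defence examiner B", time="2012-11-24T17:57Z",
                         size=len(SAMPLE_IMAGE), hashes=hash_image(SAMPLE_IMAGE))
    append_custody(log, event="transfer", from_="Examiner A", to="Evidence store",
                   time="2012-11-24T19:00Z")
    append_custody(log, event="copy_for_defence", examiner="Defence examiner B",
                   time="2012-11-26T10:00Z", hashes=hash_image(SAMPLE_IMAGE))

    # A copy the defence re-hashes independently verifies against the record.
    intact = verify_image(log[0], bytes(SAMPLE_IMAGE))

    # One flipped byte anywhere in the image changes every recorded digest.
    altered = bytearray(SAMPLE_IMAGE)
    altered[7000] ^= 0x01
    tampered = verify_image(log[0], bytes(altered))

    # Rewriting a past log entry is caught by the hash chain.
    edited_log = json.loads(json.dumps(log))
    edited_log[1]["to"] = "Unknown"
    return {
        "image_intact": intact,
        "image_tampered": tampered,
        "log_ok": verify_custody_log(log),
        "edited_log_ok": verify_custody_log(edited_log),
    }


if __name__ == "__main__":
    print(json.dumps(custody_demo(), indent=2))
```

Two design points are worth noting. Recording SHA-256 next to the MD5 the thread mentions is my choice here: a second, stronger digest costs one extra update per chunk and means a later dispute does not hinge on MD5 alone. And the digests only prove that a copy matches whatever was hashed at acquisition time, which is exactly why the earlier posts argue about who was present at that moment: a hash cannot say anything about changes made before it was taken, so the witnessed, logged acquisition is the step that anchors everything after it.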