Thursday, October 9, 2008

Please don't tamper with the evidence!

From time to time on cases I am working on, original evidence will be given to the attorney or the client first. Usually this is a complete working computer or a media card from a camera or a USB drive, or even a working digital camera or cell phone.

I cannot stress strongly enough that you must resist the temptation to take a quick look. That is a violation of the first and most important rule in forensics: Do not modify original evidence. Poking around in the computer or loading up the media card, etc., is going to put the original evidence at risk.

And since I have to prepare a report of the evidence handling, sometimes in an affidavit, I like to be able to say that no one tampered with the evidence, especially not the attorney. Jeepers.

And don't let the family or the local computer guy touch it either. The bane of forensic computer experts is the local computer guy or the corporate IT consultant. They know not what they are doing when they mess with the computer!

They do not have a clue how to protect the evidence and they REALLY do not know how to make a complete copy of a hard drive or any other piece of electronic data.

And if you let them play sleuth, you are going to put your entire case at risk.

Operating a computer for any reason changes and destroys evidence if it is not handled forensically.

You wouldn't let the local high school lab work with the DNA evidence before you send it to a real DNA lab would you? I hope not.

It is the same thing. Computers are like a huge chunk of DNA and are just as easy to contaminate by mishandling.

Case in point: I am working on a capital murder case where the family got the computer before anyone had a chance to forensically image it. What did they do?

They took it to the local computer guy to get a copy of the hard drive.

But another attorney picked it up and said he would handle the copying.

Lo and behold when the computer gets back to the original owner, the drive is blank.

What does he do? He downloads some Linux rescue CD or something and tries to recover the data on the drive on his own.

Now I step in as the retained expert and will have to deal with this.

Does it make my job impossible? No. Does it jeopardize the evidence in the case? Tremendously. Will it be a lot more expensive for me to get my work done now? Yes.

Please don't be penny wise and pound foolish. Get the evidence to a computer forensic expert first. It will cost you a lot less in the long run than if you have to retain one later and he or she has to undo all the work someone else did, not to mention the missing evidence that was destroyed and the new evidence that was added because of operating the computer.

And the cost to forensically copy the evidence will be the same anyway.

A computer is like a digital crime scene all by itself. It can contain a vast amount of information. Stomping around in the crime scene is a bad idea. That's why they don't like it when people stomp around in a physical crime scene. It destroys evidence and adds evidence. Never a good situation when trying to collect and analyse evidence.


  1. Larry,

    Great post! I can't tell you the number of times I've gone on-site and during the triage process had the IT admins tell me repeatedly that they "didn't do anything", only to find anomalies in my analysis. A closer look often reveals that someone using the Administrator account logged in, ran AV, installed some tools, etc.

    I've seen for a long time now how state and federal legislation (think CA SB-1386) and regulatory requirements (PCI, HIPAA) are driving incident response. IT admins are now faced with questions that they are not able to answer; namely, was there "sensitive data" on the system, and if so, was it exfiltrated from the system? The typical IT admin's "wipe it and get it back in service" approach does not account for that. Once legal/compliance finds out about the incident, questions come up...and the IT admin's response exposes their company to greater risk than the incident itself.

    I say this because some of the regulatory requirements state that if the system did have sensitive data on the system, and it was compromised, and you cannot explicitly state what occurred, you have to assume that ALL of the sensitive data was exfiltrated, meaning that you then have to notify and in some cases, pay fines.

  2. Hi,

    Larry's post is a description of a real world scenario, and I agree.


    I have never seen IT admins use the "wipe it and get it back in service" approach without informing management. Often it is management that is worried about corporate reputation after an incident and chooses to apply that approach.

  3. Snip,

    I've seen both. I've seen admins do so prior to telling mgmt, b/c that's how they've always done it, and I've seen IT admins tell mgmt that it's the ONLY way to be sure...


I have moderated my comments due to spam.