Thursday, October 9, 2008

Please don't tamper with the evidence!

From time to time on cases I am working on, original evidence will be given to the attorney or the client first. Usually this is a complete working computer or a media card from a camera or a USB drive, or even a working digital camera or cell phone.

I cannot stress strongly enough that you must resist the temptation to take a quick look. That is a violation of the first and most important rule in forensics: Do not modify original evidence. Poking around in the computer, loading up the media card, etc. is going to put the original evidence at risk.

And since I have to prepare a report of the evidence handling, sometimes in an affidavit, I like to be able to say that no one tampered with the evidence, especially not the attorney. Jeepers.

And don't let the family or the local computer guy touch it either. The bane of forensic computer experts is the local computer guy or the corporate IT consultant. They know not what they are doing when they mess with the computer!

They do not have a clue how to protect the evidence and they REALLY do not know how to make a complete copy of a hard drive or any other piece of electronic data.

And if you let them play sleuth, you are going to put your entire case at risk.

Operating a computer for any reason changes and destroys evidence if it is not handled forensically.

You wouldn't let the local high school lab work with the DNA evidence before you send it to a real DNA lab, would you? I hope not.

It is the same thing. Computers are like a huge chunk of DNA and are just as easy to contaminate by mishandling.

Case in point: I am working on a capital murder case where the family got the computer before anyone had a chance to forensically image it. What did they do?

They took it to the local computer guy to get a copy of the hard drive.

But another attorney picked it up and said he would handle the copying.

Lo and behold, when the computer gets back to the original owner, the drive is blank.

What does he do? He downloads some Linux rescue CD or something and tries to recover the data on the drive on his own.

Now I step in as the retained expert and will have to deal with this.

Does it make my job impossible? No. Does it jeopardize the evidence in the case? Tremendously. Will it be a lot more expensive for me to get my work done now? Yes.

Please don't be penny wise and pound foolish. Get the evidence to a computer forensic expert first. It will cost you a lot less in the long run than if you have to retain one later and he or she has to undo all the work someone else did, not to mention the missing evidence that was destroyed and the new evidence that was added because of operating the computer.

And the cost to forensically copy the evidence will be the same anyway.

A computer is like a digital crime scene all by itself. It can contain a vast amount of information. Stomping around in the crime scene is a bad idea. That's why they don't like it when people stomp around in a physical crime scene. It destroys evidence and adds evidence. Never a good situation when trying to collect and analyse evidence.
