±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35896
New Yesterday: 1 Visitors: 122

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Procedure for CP evidence?

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page Previous  1, 2, 3 ... , 10, 11, 12  Next 
  

Bulldawg
Senior Member
 

Re: Procedure for CP evidence?

Post Posted: May 16, 12 20:36

This thread is getting a little long in the tooth. At the time it was started, there was a new law here in the USA, and there was a lot of discussion about how it could be interpreted to mean that even the investigator may end up in jail.

Does anyone have a resource for current laws or cases involving investigators who stumble on CP during an investigation? How has this new law worked in practice? I assume no one has gone to jail for reporting finding CP or there would be some screaming going on in this thread.

I'm new in the field, and I realize I have to be prepared to respond appropriately if I ever do find CP on a computer. I think it's better to have a procedure in place already so the heat of the moment (moment of discovering the images) doesn't cause me to do something stupid.

Stop, drop, and roll seems like good advice, and that's a good start for my policy, but I need to flesh that out a little more.  
 
  

bshavers
Senior Member
 

Re: Procedure for CP evidence?

Post Posted: May 18, 12 02:12

Rule #1 : If you come across it, get it off your hands (call 9-1-1 so they can take it). Don't ship it, transport, copy it, mail it, view it, show it, delete it, wipe it, modify it, or give it to anyone, including your client. 9-1-1 (PD, SO, etc...) can come and pick it up from you.

Rule #2: If you need to examine it or the media it exists on, get approval

Approval means a court authorized protection order or signed letter of non-prosecution by both the Federal and local prosecution authorities. I prefer a judge's order personally.

"Getting rid" of it does not mean deletion or otherwise destroying it (that would be destroying evidence)
Be prepared your machine may be co-mingled with criminal evidence (cache, etc...) and will need to be cleaned or could be seized, depending on circumstances. With that, forensic machines should always be 'forensic machines', not personal or business use machines (email, client files, personal files, etc...), because you never know if it becomes part of a case due to co-mingled evidence from CP.

Let clients know in advance that if CP is found, all bets are off. LE has to take custody of the affected data and media.

In short, "stop, drop, and roll".

You can ask your local prosecutor how to handle it as well. Don't ask your local PD for help unless you speak with the forensic examiner directly.  
 
  

miket065
Senior Member
 

Re: Procedure for CP evidence?

Post Posted: May 18, 12 04:59

I don't work non-LEO cases but, I always thought that if I were doing a private engagement, I would try to do my examination (depending on what the matter was) so that images and videos were the last thing I reviewed. That way, I would may could get the evidence I needed (and the billable hours) before I found any CP.
_________________
Some things you just can't "unsee". 
 
  

danielng0811
Newbie
 

Re: Procedure for CP evidence?

Post Posted: Nov 01, 13 10:00

As a former computer forensics examiner in police force, I suggest reporting it to the local law enforcement. Even only one CP exists on the hard drive, it is a very serious crime. We have treaty amongst different countries to join force to combat the CP offence.

Thinking about the victims, if you have conscience you need to report it!  
 
  

trewmte
Senior Member
 

Re: Procedure for CP evidence?

Post Posted: Nov 01, 13 23:53

It should also be a company policy, best practice and moral conscious to report any CP found on mobile tablets/smart phones interconnecting and accessing/receiving data from company networks; thus should NOT be outside the focus of company continuous focus.

This is potentially another reason to be cautious with BYOD as it has the potential to emerge as a major problem if CP is allowed to infect company data systems; particularly as companies are not fully in control of BYOD products communicating with company systems.
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 
 
  

CFA_dave
Newbie
 

Re: Procedure for CP evidence?

Post Posted: Dec 04, 13 08:39

The only new point to the conversation I would like to add. If YOU, reading this thread are NOT the company owner, then get your own attorney. Remember the company attorney advises the owner and really doesn't care of the individaul  
 
  

pmurton
Member
 

Re: Procedure for CP evidence?

Post Posted: Jan 16, 14 18:55

Is there a documented guideline for handling CP in the UK?

I work in a corporate environment providing a number of security services to large UK company. As part of this I provide some forensic services. As part of a recent investigation, I identified what I believed to be CP. At this point, the investigation was halted, the client informed, and law enforcement engaged.

No problem with any of this.

I've subsequently been asked by the company's HR/legal team for some information on the evidence found. I have responded to say that I have nothing I can provide them as little analysis was done, because in line with accepted guidelines, I ceased the investigation immediately on finding CP.

I'm now being asked to provide them with information on where these guidelines are documented, and to date I have been unable to do so. I initially thought it would be under the ACPO guidelines, but I have been unable to find it there.  
 

Page 11 of 12
Page Previous  1, 2, 3 ... , 10, 11, 12  Next