Independent Forensics Review in CP case


wQuant
Newbie
 

Independent Forensics Review in CP case

Post Posted: Jan 30, 19 00:12

In the US, in federal, how does an independent investigator for the defense go about reviewing the evidence in a CP case? For example when the image comes from a shared computer and the original forensics report did not collect all possible information/time stamps that could be used to determine the actual user/handler of the CP?

Does the defense get a court order from the judge permitting the forensic investigator to possess and handle the image? And will they get a chance to examine the original drive/device or only the forensic image and under what restrictions?

Thanks,  
 
  

tracedf
Senior Member
 

Re: Independent Forensics Review in CP case

Post Posted: Jan 30, 19 00:35

- wQuant
In the US, in federal, how does an independent investigator for the defense go about reviewing the evidence in a CP case? For example when the image comes from a shared computer and the original forensics report did not collect all possible information/time stamps that could be used to determine the actual user/handler of the CP?

Does the defense get a court order from the judge permitting the forensic investigator to possess and handle the image? And will they get a chance to examine the original drive/device or only the forensic image and under what restrictions?

Thanks,


The Adam Walsh Act prevents the copying/dissemination of the contraband material to the defense. Instead, the defense can view the materials at a law enforcement facility. You would view an image, not the original drive/device. I'm not sure what other restrictions might apply.

Disclaimer: I am not a lawyer and this is not legal advice.  
 
  

armresl
Senior Member
 

Re: Independent Forensics Review in CP case

Post Posted: Jan 30, 19 20:41

You can view all the same data the FBI or AUSA has.
The data you remove is just text based - a few .png, etc. which would exist by the software maker's report.

You can also pull any files which are non-graphical such as some .dat files.

I usually ask for privacy, sometimes if it is a jurisdiction I have not worked in before, they have someone sit in the room, but I would usually ask counsel to let me be alone to do my work.


- wQuant
In the US, in federal, how does an independent investigator for the defense go about reviewing the evidence in a CP case? For example when the image comes from a shared computer and the original forensics report did not collect all possible information/time stamps that could be used to determine the actual user/handler of the CP?

Does the defense get a court order from the judge permitting the forensic investigator to possess and handle the image? And will they get a chance to examine the original drive/device or only the forensic image and under what restrictions?

Thanks,

_________________
Why order a taco when you can ask it politely?

Alan B. "A man can live a good life, be honorable, give to charity, but in the end, the number of people who come to his funeral is generally dependent on the weather. " 
 
  

jaclaz
Senior Member
 

Re: Independent Forensics Review in CP case

Post Posted: Jan 30, 19 20:45

- wQuant
And will they get a chance to examine the original drive/device or only the forensic image ...


Is there a difference between the original drive and the forensic image?

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

armresl
Senior Member
 

Re: Independent Forensics Review in CP case

Post Posted: Jan 30, 19 21:09

I like to image the original myself as opposed to being handed an image.

- jaclaz
- wQuant
And will they get a chance to examine the original drive/device or only the forensic image ...


Is there a difference between the original drive and the forensic image?

jaclaz

_________________
Why order a taco when you can ask it politely?

Alan B. "A man can live a good life, be honorable, give to charity, but in the end, the number of people who come to his funeral is generally dependent on the weather. " 
 
  

jaclaz
Senior Member
 

Re: Independent Forensics Review in CP case

Post Posted: Jan 31, 19 09:37

- armresl
I like to image the original myself as opposed to being handed an image.


Sure :), and I prefer my coffee strong and black (two cups of sugar, please), still - by definition - there should be no difference between a disk drive and its forensic image, and I believe that - again by definition - what is actually examined is always the forensic image and never the original disk drive.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

pbobby
Senior Member
 

Re: Independent Forensics Review in CP case

Post Posted: Jan 31, 19 14:46

There can be a great many differences between the original SSD and an image due to wear levelling and garbage collection operations. You will want to examine the image so that your analysis can be compared to that of law enforcement.


An example I worked recently:

1. 250Gig SSD, user deletes approx 30Gig of data.
2. User powers down the computer following that operation.
3. I image the drive.
4. Much of the deleted data was part of that image because it takes actual time to clean up that much data.
5. 2 weeks later another analyst wanted to image the drive, no deleted content was available on the SSD because the garbage collection had finally completed (30gigs is a lot of garbage collection).
_________________
Don't get baited. 
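
Added example, not part of any poster's message: one way to quantify the situation pbobby describes is to compare an earlier and a later acquisition of the same SSD chunk by chunk and report the regions that held data in the first image but read back as zeros in the second. The function names, the 4096-byte chunk size and the in-memory sample images are constructed for illustration, and the sketch assumes the drive returns zeros for blocks it has garbage-collected, which not every SSD does.

```python
import hashlib
import io

CHUNK = 4096  # comparison granularity in bytes (assumed; choose per case)

def compare_images(early, late, chunk=CHUNK):
    """Compare two acquisitions of one drive, chunk by chunk.

    Returns (sha256_early, sha256_late, ranges); each range is
    [start, end, kind], kind 'zeroed', 'modified' or 'size-mismatch'.
    """
    h_early, h_late = hashlib.sha256(), hashlib.sha256()
    ranges, offset = [], 0
    while True:
        a, b = early.read(chunk), late.read(chunk)
        if not a and not b:
            break
        h_early.update(a)
        h_late.update(b)
        if a != b:
            if len(a) != len(b):
                kind = "size-mismatch"
            elif b.count(0) == len(b):
                kind = "zeroed"      # data earlier, only 0x00 later
            else:
                kind = "modified"
            end = offset + max(len(a), len(b))
            # Merge with the previous range when adjacent and of the same kind.
            if ranges and ranges[-1][1] == offset and ranges[-1][2] == kind:
                ranges[-1][1] = end
            else:
                ranges.append([offset, end, kind])
        offset += chunk
    return h_early.hexdigest(), h_late.hexdigest(), ranges

def build_sample():
    """Constructed stand-ins for two images of the same 8-chunk 'drive'."""
    live = b"A" * CHUNK       # allocated data, identical in both images
    deleted = b"D" * CHUNK    # deleted data not yet garbage-collected
    zero = bytes(CHUNK)       # what the later image reads after collection
    early = live * 2 + deleted * 3 + live * 3
    late = live * 2 + zero * 3 + live * 3
    return io.BytesIO(early), io.BytesIO(late)

if __name__ == "__main__":
    e, l = build_sample()
    h1, h2, ranges = compare_images(e, l)
    print("whole-image hashes match:", h1 == h2)
    for start, end, kind in ranges:
        print(f"{start:#x}-{end:#x} {kind}")
```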
 
