Civilian company doing LE forensics

10 Posts
3 Users
0 Likes
446 Views
(@lasvegascop)
Posts: 98
Trusted Member
Topic starter
 

Hi ladies and gentlemen,

After retiring from the Las Vegas Police Department in late 2012 I started my own company doing computer forensics in the private sector. Nevada Digital Forensics.

When I left the Computer Forensics Unit they were 100+ cases behind and are now even further behind.

I left in good standing and I still have contact with the supervisor (Sgt) who supports the idea, but unfortunately for me, it is not his decision to make.

Most of my work has been for attorneys and private investigators but I have had the opportunity to do a few exams for the local police departments.
One issue is that when doing the exams for the PDs I have to do the exam either at the evidence vault or at the detective bureau while a detective stands by and "watches". This is to preserve the chain of custody but as we all know, this can consume hours of a police officer's time.
These exams were cellphones so it was not too much of an issue.
I have had the FBI release computer cases to me to examine at my office.

I have a few ideas on how to present the idea to the local PDs of releasing evidence to me so that it can be examined at my office rather than wasting a police detective's expensive time but I would like to hear from civilian folks that are doing exams for local PDs or from officers that have civilians take evidence offsite for examination.

I am looking for contacts at PDs or Sheriff's offices, MOUs or policies or even ideas that I could plagiarize.

I plan on submitting a letter to the Sheriff real soon and if I could show that the idea of using outside civilian companies is a growing trend I think that it will make the decision easier.

Thanks, Larry

 
Posted : 12/08/2015 6:44 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I don't get it.

I mean, maybe the presence of an officer is "needed" for the time you hold in your hands the original evidence, but as soon as you make a physical copy/extraction, only security issues (the risk that the copy you made could be stolen or modified because you left it unsecured) should matter.

Otherwise there must be absolute trust in your actions.

Basically, you go to the Police station carrying with you any number of tools (write blockers, cables, disk drives, a laptop, other strange looking boxes with flashing LEDs and tiny switches, etc.) and - under the supposedly untrained eye of "a" detective you connect them to the original evidence, typing obscure commands in a command prompt (or similar).

I guess that IF you actually want to compromise the original evidence you could do so not one but several times without the "watching officer" ever being able to perceive you doing it. 😯

jaclaz

 
Posted : 12/08/2015 8:18 pm
(@lasvegascop)
Posts: 98
Trusted Member
Topic starter
 

The issue, at least in Vegas, is that as long as that evidence is checked out to the detective, they must stay with it.
They will not check out evidence to a civilian, yet…

So, if the case is a fraud case with 3 laptops @ 1TB each, seven thumb drives, and two external drives @ 2TBs each this could potentially be days of imaging. All the while a detective would have to stay with the evidence.

 
Posted : 12/08/2015 9:49 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> The issue, at least in Vegas, is that as long as that evidence is checked out to the detective, they must stay with it.
> They will not check out evidence to a civilian, yet…
>
> So, if the case is a fraud case with 3 laptops @ 1TB each, seven thumb drives, and two external drives @ 2TBs each this could potentially be days of imaging. All the while a detective would have to stay with the evidence.

Yes, I understand, I was trying to highlight how allowing someone to "touch" evidence, even under the surveillance of an officer makes very little difference from giving the evidence to that someone, when it comes to "integrity" of the evidence.

For all the detective knows you may well wipe the evidence disks, or "plant" on them or delete from them *anything*, heck with a little manual ability you could even replace a whole disk or device with another one.

As said, I can understand the possible security issues with "checking out" an item (risk of losing it or theft or damage during the moving to your location or in your location), but little more, i.e., as I see it, making in the Police station a "special room" to have external consultants image the devices may avoid the need for the presence of the officer, you go there, receive the evidence in the special room, you are then locked in 😯 alone with your devices and the evidence, but there is no real need that someone is constantly with you and watching your actions.

jaclaz

 
Posted : 13/08/2015 3:21 pm
(@lasvegascop)
Posts: 98
Trusted Member
Topic starter
 

That's true, I will use that as an example. Maybe they would allow me to start the acquisition then leave, and lock the room behind me. Then I could come back hours later and finish the acquisition and start the next device if there is one.
Otherwise, if I have to sit there for X# of hours, they have to pay for that time.

Although, I don't know if they have a secure room that would suffice in the Evidence Vault but,
I suppose that I could use a cubicle in their Computer Forensics Lab. It's secure. They may have space available for that.

Larry

 
Posted : 13/08/2015 10:13 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> That's true, I will use that as an example. Maybe they would allow me to start the acquisition then leave, and lock the room behind me. Then I could come back hours later and finish the acquisition and start the next device if there is one.
> Otherwise, if I have to sit there for X# of hours, they have to pay for that time.
>
> Although, I don't know if they have a secure room that would suffice in the Evidence Vault but,
> I suppose that I could use a cubicle in their Computer Forensics Lab. It's secure. They may have space available for that.
>
> Larry

At the very minimum a "wire mesh box" in a corner say 2 m by 2 m (or 7' by 7') with a desk, a chair and a couple electric outlets could be enough, something *like* this I mean
http://www.thebluebook.com/inc/img/qp/78404/wire-mesh-and-security-fencing.jpg
(which might also be seen as a Faraday cage 😉 protecting from some electrical/electronic interferences).

jaclaz

 
Posted : 14/08/2015 3:34 pm
(@lasvegascop)
Posts: 98
Trusted Member
Topic starter
 

I think a cubicle would be better... those jokers would throw a padlock on that with me in it..!

 
Posted : 14/08/2015 6:25 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> I think a cubicle would be better... those jokers would throw a padlock on that with me in it..!

Well, the idea was actually to lock you in, otherwise someone should be there looking to avoid that you exit with the evidence and everything would be back to square #1.

Of course if the cops in the room (or anyway someone in the building) cannot be trusted with opening the door at your request, then there is a problem.

jaclaz

 
Posted : 14/08/2015 8:13 pm
(@athulin)
Posts: 1156
Noble Member
 

> The issue, at least in Vegas, is that as long as that evidence is checked out to the detective, they must stay with it.
> They will not check out evidence to a civilian, yet…

But that's not what you want, is it?

I see no reason to check out original evidence for this … except for a) creating an image of the relevant physical storage media, and b) to settle any disputes about problems with such copies.

Best practice – as far as I understand it – requires that evidence remains as untouched as possible. So evidence storage media is imaged in at least one, sometimes two generations.

evidence –> master image –> working copy

Now, a copy from the master image should be enough to work on. It will probably have a CoC of its own, branching off the CoC of the master image, and start off with some hashing to verify the integrity of the master image as well as the new working copy.

I've seen a situation where no master image was created, but only a working copy. This caused *major* headaches when another interested party wanted to verify that the perp (a computer consultant, whose laptop had been taken in evidence) had not stolen business info from them. A master image would have made things so much easier.

But perhaps I'm looking in the wrong direction; yours may be a headache of a different colour.

 
Posted : 15/08/2015 9:50 pm
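
The evidence –> master image –> working copy workflow from the post above, as an added example that is not part of the thread or any poster's own code. It verifies the master image against its recorded hash before copying, verifies the copy, and branches a custody log entry off the master's; the use of SHA-256, the file names, the log field names and the sample image content are assumptions made for illustration.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so multi-terabyte images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def record(log, action, item, digest, parent=None, actor="examiner"):
    """Append a custody entry that commits to the previous entry by hash."""
    prev = hashlib.sha256(json.dumps(log[-1], sort_keys=True).encode()).hexdigest() if log else None
    log.append({"time": datetime.now(timezone.utc).isoformat(), "actor": actor,
                "action": action, "item": item, "sha256": digest,
                "parent": parent, "prev_entry": prev})

def make_working_copy(master, working, recorded_digest, log):
    """Verify the master image, copy it, verify the copy, and branch the log."""
    current = sha256_file(master)
    if current != recorded_digest:
        record(log, "master-verify-failed", master, current)
        raise ValueError("master image no longer matches its recorded hash")
    record(log, "master-verified", master, current)
    shutil.copyfile(master, working)
    copy_digest = sha256_file(working)
    if copy_digest != recorded_digest:
        record(log, "copy-verify-failed", working, copy_digest, parent=master)
        raise ValueError("working copy differs from master image")
    record(log, "working-copy-created", working, copy_digest, parent=master)
    return copy_digest

def demo():
    log, tampered = [], False
    with tempfile.TemporaryDirectory() as d:
        master, work = os.path.join(d, "master.img"), os.path.join(d, "work.img")
        with open(master, "wb") as f:               # constructed stand-in for an image
            f.write(b"constructed sample sector data!!" * 128)
        acquired = sha256_file(master)              # hash recorded at acquisition
        record(log, "master-image-acquired", master, acquired, parent="evidence item")
        copy_digest = make_working_copy(master, work, acquired, log)
        with open(master, "r+b") as f:              # simulate a later alteration
            f.write(b"X")
        try:
            make_working_copy(master, work, acquired, log)
        except ValueError:
            tampered = True                         # the changed master is refused
    return acquired, copy_digest, tampered, [e["action"] for e in log]
```
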
(@lasvegascop)
Posts: 98
Trusted Member
Topic starter
 

The situation that the PD is in right now is that they are hundreds of cases behind.
The digital evidence (computers, hard drives, etc) has been impounded by the detectives but never imaged.
That is what I am proposing to the PD. Have my company do the imaging and return the devices to the evidence vault. At that point we can get with the case agent or investigator and see what they need done from there.

Larry

 
Posted : 16/08/2015 8:25 am