
Independent Forensics Review in CP case

(@wquant)
Posts: 8
Active Member
Topic starter
 

In the US, in federal, how does an independent investigator for the defense go about reviewing the evidence in a CP case? For example when the image comes from a shared computer and the original forensics report did not collect all possible information/time stamps that could be used to determine the actual user/handler of the CP?

Does the defense get a court order from the judge permitting the forensic investigator to possess and handle the image? And will they get a chance to examine the original drive/device or only the forensic image and under what restrictions?

Thanks,

 
Posted : 29/01/2019 11:12 pm
tracedf
(@tracedf)
Posts: 169
Estimable Member
 

In the US, in federal, how does an independent investigator for the defense go about reviewing the evidence in a CP case? For example when the image comes from a shared computer and the original forensics report did not collect all possible information/time stamps that could be used to determine the actual user/handler of the CP?

Does the defense get a court order from the judge permitting the forensic investigator to possess and handle the image? And will they get a chance to examine the original drive/device or only the forensic image and under what restrictions?

Thanks,

The Adam Walsh Act prevents the copying/dissemination of the contraband material to the defense. Instead, the defense can view the materials at a law enforcement facility. You would view an image, not the original drive/device. I'm not sure what other restrictions might apply.

Disclaimer: I am not a lawyer and this is not legal advice.

 
Posted : 29/01/2019 11:35 pm
(@armresl)
Posts: 1011
Noble Member
 

You can view all the same data the FBI or AUSA has.
The data you remove is just text based - a few .png, etc. which would exist by the software maker's report.

You can also pull any files which are non graphical such as some .dat files.

I usually ask for privacy, sometimes if it is a jurisdiction I have not worked in before, they have someone sit in the room, but I would usually ask counsel to let me be alone to do my work.

In the US, in federal, how does an independent investigator for the defense go about reviewing the evidence in a CP case? For example when the image comes from a shared computer and the original forensics report did not collect all possible information/time stamps that could be used to determine the actual user/handler of the CP?

Does the defense get a court order from the judge permitting the forensic investigator to possess and handle the image? And will they get a chance to examine the original drive/device or only the forensic image and under what restrictions?

Thanks,

 
Posted : 30/01/2019 7:41 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

And will they get a chance to examine the original drive/device or only the forensic image …

Is there a difference between the original drive and the forensic image?

jaclaz

 
Posted : 30/01/2019 7:45 pm
(@armresl)
Posts: 1011
Noble Member
 

I like to image the original myself as opposed to being handed an image.

And will they get a chance to examine the original drive/device or only the forensic image …

Is there a difference between the original drive and the forensic image?

jaclaz

 
Posted : 30/01/2019 8:09 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I like to image the original myself as opposed to being handed an image.

Sure :), and I prefer my coffee strong and black (two cups of sugar, please), still - by definition - there should be no difference between a disk drive and its forensic image, and I believe that - again by definition - what is actually examined is always the forensic image and never the original disk drive.

jaclaz

 
Posted : 31/01/2019 8:37 am
pbobby
(@pbobby)
Posts: 239
Estimable Member
 

There can be a great many differences between the original SSD and an image due to wear levelling and garbage collection operations. You will want to examine the image so that your analysis can be compared to that of law enforcement.

An example I worked recently

1. 250Gig SSD, user deletes approx 30Gig of data.
2. User powers down the computer following that operation.
3. I image the drive.
4. Much of the deleted data was part of that image because it takes actual time to clean up that much data.
5. 2 weeks later another analyst wanted to image the drive, no deleted content was available on the SSD because the garbage collection had finally completed (30gigs is a lot of garbage collection).

 
Posted : 31/01/2019 1:46 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

An example I worked recently

1. 250Gig SSD, user deletes approx 30Gig of data.
2. User powers down the computer following that operation.
3. I image the drive.
4. Much of the deleted data was part of that image because it takes actual time to clean up that much data.
5. 2 weeks later another analyst wanted to image the drive, no deleted content was available on the SSD because the garbage collection had finally completed (30gigs is a lot of garbage collection).

Do you mean that in the two weeks between 4 and 5 the garbage collection completed? (presumably with the SSD not powered 😯 ) or that it happened during 5?
;)

jaclaz

 
Posted : 31/01/2019 2:49 pm