SQLite Forensics Book, now available on Amazon

More information here

 

Pauls blogs/ramblings

Police boot suspects computer.....

Rating: 2 votes, 5.00 average.
A post on one of the computer forensics forums in relation to computer forensics standards and specifically about a non computer forensics officer switching on a device that is currently switched off has got me thinking. First off I didn’t see the program (I understand it was in relation to the occupants of a car stopped in for questioning in respect to drug related matters) so can't comment specifically, but that aside, are we a little over paranoid about computer evidence and the affect that such “mis-handling” has on the end product, i.e. the evidence produced from the device, rather than the evidence that is the device itself? Would restricting “any and all” examinations of digital media to appropriately trained officers be counter-productive.


Until there is something found that makes the officer think of the laptop as a likely source of evidence, rather than something that deserves a little more of a look-see does it deserve evidential handling. Or put it another way - should the occupants of the car have been removed, the car cordoned off and then dusted for finger prints before being handed back to the owners (presumably innocent at this time) some hours/weeks/months later, this seems to be the equivalent to what is being proposed for the laptop.


As all things a little common sense needs to be applied and I believe that we need officers to look at computers, phones etc. when the suspect is questioned and not six months later. This does not mean that every computer should be treated in this way - if there is good evidence that something might be found on it (intelligence led IIoC investigation) then of course the computer should be left off and dealt with as evidence in the appropriate way. However if the investigation is an impromptu stop and search I don’t feel it would be appropriate to bag and tag the laptop and then make the owner wait for six months while the local force gets through its backlog.


The same applies to mobile phones, if the local law allows an officer to take a phone and look through the SMS messages at the side of the road then in certain circumstances this might be appropriate and sensible.


I have dealt with many hundreds of examinations over the 17 years I have been doing this job and in only a handful has the computer been switched on by an “over zealous” officer. What I can say is that in all of my cases in no way has the evidence been tainted by the acts of the officer, in that one set of evidence (the dates and times of event logs etc.) actually supports the actions of the officer while a different set of evidence (emails, P2P history) shows the acts of the defendant.


What we don’t want is a situation where a device is only allowed to be examined by a HTCU after being seized as evidence which prevents us doing real front line policing.

Submit "Police boot suspects computer....." to Facebook Submit "Police boot suspects computer....." to Twitter Submit "Police boot suspects computer....." to Digg Submit "Police boot suspects computer....." to del.icio.us Submit "Police boot suspects computer....." to StumbleUpon Submit "Police boot suspects computer....." to Google

Tags: None Add / Edit Tags
Categories
General Articles

Comments

  1. GlosSteveC's Avatar
    I have encountered this scenario on the very rare occasion and to be fair I have almost always been told by the shamefaced officer what they have done.
    I just build the information into the analysis and deal with it.
    It is exactly the same as if the OIC has touched an exhibit - that is why they take elimination fingerprints from policemen.
    The "war story" relates to a murder, although it was still a missing person enquiry at the time, and I had to unpick the honest and concerned police officer's actions - he thought if he could find the big clue he might save the victim. Sadly he was mistaken and I had a bit of a job doing the analysis afterwards - but my report was eventually produced as evidence and accepted with nothing more than a quizzical remark by the Judge who immediately accepted the that Officer's actions were honest and well meaning.