--- "J.A. Terranson" <measl@mfn.org> wrote:
> On Sat, 11 Dec 2004, Bill Stewart wrote:
> > The more serious problem is what this means for computer evidence search and seizure procedures - the US has some official rules about "copy the disk and return the computer" that came out of the Steve Jackson case, not that they're always followed;
>
> Actually (at least here in the Midwest), it's copy ("image") the machine and provide a copy of that image. The computer and original drive stay locked in the evidence locker till the case is over.

I can't say what the legal practice is in Canada. I imagine it depends on whether the legal proceedings are politically charged; whether the cops are out to discover evidence, or if they are looking to destroy evidence; or any of a number of motivating factors.

From a purely technical perspective, there is no possible reason why the police would ever need to keep the computers and all copies of data related to an investigation. It is possible to image everything on a hard disk in an afternoon, including the extra bits available through, say, the READ LONG(10) command in the SCSI protocol, which are normally used for ECC and CRC on each sector. Depending on the device, it may also be possible to access the spares tracks. In the rare event that a forensics firm is looking to scoop data that was overwritten, the police should be able to provide a copy of the original data back to the individual or business at a trivial cost in comparison to the costs of the forensic procedures.

Apart from data stored in flash memory, or similar less common places, there is no good reason why the actual computer hardware would need to be confiscated, except in the most exceptional circumstances where in-situ testing might need to be done with the original equipment. But in that case, the police should be required to acquire hardware that duplicates the original, so that they cannot be said to have tampered or damaged the originals. For correctness, the original computer equipment should be used once for the acquisition of a read-only copy of the data residing on it. However, it seems that the police will pretend that they are more incompetent than they actually are in order to use confiscation as extra-judicial punishment -- and that is just the common case where there are only legitimate legal proceedings at issue.

In some cases, the police (in Canada) are apparently willing to go to great lengths to destroy evidence and impose extra-judicial sanction on the subject of an `investigation', which may not exist at all in a legal sense, by way of employing clandestine tactics. In terms of my experience, the near total loss of my computers and other materials was carried out over a period of about three years, in an incremental fashion that did not have even the pretense of legitimacy, but which nevertheless accompanied a subtle PR campaign that sought to suggest that there was some sort of hush-hush investigation that, as a result of so-called exceptional circumstances, necessitated the particular methods that I observed. Total bullshit, actually, but we know that SpookWorld is exempt from the normal rules of civilised behaviour because of the special nature of its denizens.

Anyhow, my assessment of the needs of computer forensic procedures is probably quite accurate. The reality of conflicting and extra-legal agendas at work in some cases (such as the Steve Jackson incident) has apparently dictated a deliberately 'stupid' approach on the part of law enforcement personnel when it suits them.

Regards,

Steve
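
The single read-only acquisition pass described in the message above, sketched as an added example (not part of the original post): it reads the source once, writes an evidence image plus a second copy that can be handed back, and hashes the data so either copy can be checked later. It covers only the normally addressable sectors, not the ECC/CRC bytes or spare tracks mentioned above; the function names and block size are assumptions.

```python
import hashlib
import os
import sys

BLOCK = 1 << 20  # read size in bytes (assumption: a multiple of the sector size)

def acquire(source, evidence_image, return_copy):
    """Read `source` once, read-only, into two identical image files.

    Returns (sha256 hex of the imaged data, offsets of unreadable blocks).
    Unreadable blocks are zero-filled and recorded, not silently skipped.
    """
    digest, bad = hashlib.sha256(), []
    fd = os.open(source, os.O_RDONLY)  # the original is never opened for writing
    try:
        size = os.lseek(fd, 0, os.SEEK_END)  # works for files and block devices
        # "xb" refuses to overwrite an existing image
        with open(evidence_image, "xb") as ev, open(return_copy, "xb") as rc:
            offset = 0
            while offset < size:
                want = min(BLOCK, size - offset)
                try:
                    block = os.pread(fd, want, offset)  # POSIX positional read
                except OSError:
                    block = b"\0" * want
                    bad.append(offset)
                if not block:
                    break  # source ended earlier than its reported size
                digest.update(block)
                ev.write(block)
                rc.write(block)
                offset += len(block)
    finally:
        os.close(fd)
    return digest.hexdigest(), bad

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK), b""):
            h.update(block)
    return h.hexdigest()

def mismatched(acquisition_hash, *images):
    """Return the images whose current contents differ from the acquisition hash."""
    return [p for p in images if sha256_file(p) != acquisition_hash]

if __name__ == "__main__":  # usage: script SOURCE EVIDENCE_IMAGE RETURN_COPY
    h, bad = acquire(*sys.argv[1:4])
    print(h, bad, mismatched(h, *sys.argv[2:4]))
```

Recording the hash at acquisition time is what lets either party show later that the retained image and the returned copy still match what was read from the original.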