Blinky Rides Again: RCMP suspect al-Qaida messages

Steve Thompson steve49152 at yahoo.ca
Sat Dec 11 19:01:16 PST 2004


 --- "J.A. Terranson" <measl at mfn.org> wrote: 
> On Sat, 11 Dec 2004, Bill Stewart wrote:
> 
> > The more serious problem is what this means for computer evidence
> > search and seizure procedures - the US has some official rules about
> > "copy the disk and return the computer" that came out of the Steve
> > Jackson case, not that they're always followed;
> 
> Actually (at least here in the Midwest), it's copy ("image") the machine
> and provide a copy of that image.  The computer and original drive stay
> locked in the evidence locker till the case is over.

I can't say what the legal practice is in Canada.  I imagine it depends on
whether the legal proceedings are politically charged; whether the cops
are out to discover evidence, or if they are looking to destroy evidence;
or any of a number of motivating factors.

From a purely technical perspective, there is no possible reason why the
police would ever need to keep the computers and all copies of data
related to an investigation.  It is possible to image everything on a hard
disk in an afternoon, including the extra bits available through, say,
the READ LONG(10) command in the SCSI protocol, which are normally used
for ECC and CRC on each sector.  Depending on the device, it may also be
possible to access the spares tracks.  

In the rare event that a forensics firm is looking to scoop data that was
overwritten, the police should be able to provide a copy of the original
data back to the individual or business at a trivial cost in comparison to
the costs of the forensic procedures.  Apart from data stored in flash
memory, or similar less common places, there is no good reason why the
actual computer hardware would need to be confiscated, except in the most
exceptional circumstances where in-situ testing might need to be done with
the original equipment.  But in that case, the police should be required
to acquire hardware that duplicates the original, so that they cannot be
said to have tampered or damaged the originals.

For correctness, the original computer equipment should be used once for
the acquisition of a read-only copy of the data residing on it.

However, it seems that the police will pretend that they are more
incompetent than they actually are in order to use confiscation as
extra-judicial punishment -- and that is just the common case where there
are only legitimate legal proceedings at issue.

In some cases, the police (in Canada) are apparently willing to go to
great lengths to destroy evidence and impose extra-judicial sanction on
the subject of an `investigation', which may not exist at all in a legal
sense, by way of employing clandestine tactics.  In terms of my
experience, the near total loss of my computers and other materials was
carried out over a period of about three years, in an incremental fashion
that did not have even the pretense of legitimacy, but which nevertheless
accompanied a subtle PR campaign that sought to suggest that there was
some sort of hush-hush investigation that as a result of so-called
exceptional circumstances, necessitated the particular methods that I
observed.

Total bullshit, actually, but we know that SpookWorld is exempt from the
normal rules of civilised behaviour because of the special nature of its
denizens.

Anyhow, my assessment of the needs of computer forensic procedures is
probably quite accurate.  The reality of conflicting and extra-legal
agendas at work in some cases (such as the Steve Jackson incident) has
apparently dictated a deliberately 'stupid' approach on the part of law
enforcement personnel when it suits them.


Regards,

Steve

