|
date: Wed, 23 Jul 2008 11:00:20 +0100,
group: uk.legal.moderated
Plod Forensics (IT)
Plod confiscate a desktop PC in connection with a non-sexual non-fraud
based 'crime' (more a disorder than crime, but crime under the law
nevertheless). They are looking for browser and word processing
history.
Does anyone know;
1.) what checks they are likely to make?
2.) what software they use to scour the disk drive?
3.) do they go digging for anything else like pr0n, emails or keywords
like 'terrorist', etc?
with gratitude.
date: Wed, 23 Jul 2008 11:00:20 +0100
author: Mark
|
Re: Plod Forensics (IT)
"Mark" wrote in message
news:g66v6h$8nv$1@news.datemas.de...
> Plod confiscate a desktop PC in connection with a non-sexual non-fraud
> based 'crime' (more a disorder than crime, but crime under the law
> nevertheless). They are looking for browser and word processing
> history.
>
> Does anyone know;
> 1.) what checks they are likely to make?
> 2.) what software they use to scour the disk drive?
> 3.) do they go digging for anything else like pr0n, emails or keywords
> like 'terrorist', etc?
>
> with gratitude.
>
The first thing to be done is to electrically isolate the hard drive from the
computer and make a clone of it. Then a certified examiner will use
something like Encase to perform a detailed search of the hard drive using
various filters. Programs like Encase keep a detailed and certified record
of all the search results with hash values, times, dates, file extensions
and sizes. It also prepares reports from the findings to be used as
evidence.
date: Wed, 23 Jul 2008 14:05:04 +0100
author: Oscar Fister
|
Re: Plod Forensics (IT)
Mark wrote:
> Does anyone know;
> 1.) what checks they are likely to make?
Remove the hard drive(s) from the computer. If they have their heads
screwed on they may lift any latent prints from the internal drive, but
often they don't bother. Connect the hard drive(s) to one of their
computers and create a forensic image of the drive(s). This will be done
without mounting the hard drive and usually this is done using a rig
that will prevent data from being written to the drive under any
circumstances. The disk image made from the drive will be used to
generate a cryptographic hash value. The same will be done for the disk
itself and these hash values will be used as evidence that the drive and
disk image are identical.
Then the examiner will search the drive for anything incriminating. The
forensic software used will permit the examiner to search for particular
types of file and will show previews of the file contents. This will
work even if the file has been deleted and/or partially over written. It
will also work if the drive has been formatted.
> 2.) what software they use to scour the disk drive?
Most probably Encase, but if you are in Scotland it will be their own
homebrew forensic tools (which are arguably superior to Encase). If you
are outside the UK it could be a range of tools including Sleuthkit
and/or the standard Unix tools for examining disk drives and disk images,
including hex editors, dd, strings and various tools to open mailboxes.
> 3.) do they go digging for anything else like pr0n, emails or keywords
> like 'terrorist', etc?
They will look for whatever they can find. And they will look in all the
usual places that they know and the average computer user doesn't. So
they should be able to reconstruct browsing, email, IRC, downloads etc.
date: Wed, 23 Jul 2008 18:25:04 +0100
author: %steve%@malloc.co.uk (Steve Firth)
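As an added illustration of the imaging steps in this reply (not code from anyone in the thread): a software stand-in for the write blocker, an image made while hashing the source, an independent re-hash of both, and a signature carve that finds files by their header bytes rather than by directory entry or extension (which also answers Ken's later question). The "drive" and its two JPEGs are constructed in memory.

```python
# Added illustration (not from the thread): imaging a write-blocked drive,
# proving the image matches by hash, and finding files by content rather
# than by directory entry or extension. The "drive" is constructed in memory.
import hashlib
import io

# Header bytes that identify a file type regardless of the name it was given.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\x30\x26\xb2\x75": "asf/wmv",   # a WMV renamed to .avi still starts like this
}


class WriteBlocked:
    """Software stand-in for the hardware write blocker: reads pass through, writes fail."""

    def __init__(self, device):
        self._dev = device

    def seek(self, pos, whence=0):
        return self._dev.seek(pos, whence)

    def read(self, n=-1):
        return self._dev.read(n)

    def write(self, data):
        raise PermissionError("write blocked")


def hash_stream(stream, chunk=1 << 20):
    """SHA-256 of a whole stream, read from the start in fixed-size chunks."""
    h = hashlib.sha256()
    stream.seek(0)
    for buf in iter(lambda: stream.read(chunk), b""):
        h.update(buf)
    return h.hexdigest()


def image_device(device, image, chunk=1 << 20):
    """Copy every byte of the device into the image, hashing the source as it is read."""
    h = hashlib.sha256()
    total = 0
    device.seek(0)
    for buf in iter(lambda: device.read(chunk), b""):
        h.update(buf)
        image.write(buf)
        total += len(buf)
    return {"bytes": total, "sha256": h.hexdigest()}


def verify_image(device, image):
    """Re-hash device and image independently; matching digests are what goes on record."""
    src, dst = hash_stream(device), hash_stream(image)
    return src == dst, src, dst


def identify_by_content(data):
    """Classify a file by its leading bytes, ignoring whatever extension it carries."""
    for sig, kind in SIGNATURES.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def carve(image_bytes, head=b"\xff\xd8\xff", tail=b"\xff\xd9"):
    """Locate files by header/footer in the raw image. No directory entry is needed,
    so deleted files whose bytes survive in unallocated space are found as well."""
    found, pos = [], 0
    while True:
        start = image_bytes.find(head, pos)
        if start < 0:
            break
        end = image_bytes.find(tail, start + len(head))
        if end < 0:
            break
        found.append((start, image_bytes[start:end + len(tail)]))
        pos = end + len(tail)
    return found


def build_demo_drive():
    """Constructed drive: a directory naming one JPEG, that JPEG, and a second JPEG
    whose directory entry has been removed ('deleted') while its bytes remain."""
    jpeg1 = b"\xff\xd8\xff\xe0" + b"holiday photo 1 " * 4 + b"\xff\xd9"
    jpeg2 = b"\xff\xd8\xff\xe0" + b"deleted photo 2 " * 4 + b"\xff\xd9"
    directory = b"DIR:photo1.jpg\n".ljust(64, b"\0")  # photo2 is no longer listed
    return b"\0" * 512 + directory + jpeg1 + b"\0" * 256 + jpeg2 + b"\0" * 256


def demo():
    """Image the constructed drive, verify it, and carve it; returns the evidence record,
    the verification result and the offsets of the JPEGs found (listed or not)."""
    drive = build_demo_drive()
    image = io.BytesIO()
    record = image_device(WriteBlocked(io.BytesIO(drive)), image)
    ok, _src, _dst = verify_image(io.BytesIO(drive), image)
    return record, ok, [start for start, _ in carve(image.getvalue())]
```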
|
Re: Plod Forensics (IT)
In message <1ikjlv9.1ddkwpn5zs534N%%steve%@malloc.co.uk>, at 18:25:04 on
Wed, 23 Jul 2008, Steve Firth <%steve%@malloc.co.uk> remarked:
>Remove the hard drive(s) from the computer. If they have their heads
>screwed on they may lift any latent prints from the internal drive, but
>often they don't bother. Connect the hard drive(s) to one of their
>computers and create a forensic image of the drive(s). This will be done
>without mounting the hard drive and usually this is done using a rig
>that will prevent data from being written to the drive under any
>circumstances.
How does that work if the computer has a RAID controller (which my
desktop PC does)? I suppose they either need a different technique, or a
jig that glues together all the images.
--
Roland Perry
date: Wed, 23 Jul 2008 21:15:07 +0100
author: Roland Perry
|
Re: Plod Forensics (IT)
In article , Oscar Fister
writes
>
>"Mark" wrote in message
>news:g66v6h$8nv$1@news.datemas.de...
>> Plod confiscate a desktop PC in connection with a non-sexual non-fraud
>> based 'crime' (more a disorder than crime, but crime under the law
>> nevertheless). They are looking for browser and word processing
>> history.
>>
>> Does anyone know;
>> 1.) what checks they are likely to make?
>> 2.) what software they use to scour the disk drive?
>> 3.) do they go digging for anything else like pr0n, emails or keywords
>> like 'terrorist', etc?
>>
>> with gratitude.
>>
>
>The first thing to be done is to electrically isolate the hard drive from the
>computer and make a clone of it. Then a certified examiner will use
>something like Encase to perform a detailed search of the hard drive using
>various filters. Programs like Encase keep a detailed and certified record
>of all the search results with hash values, times, dates, file extensions
>and sizes.
The file extension as advertised, rather than the underlying file
format? On file sharing formats people routinely misstate file
extensions. Usually, WMV files given mpg, mpeg or avi extensions. I
don't understand why, as a person must know the file extension. I can
only assume it is to prevent the file from being previewed before the
download is complete.
Also, some fileshare networks show a file as being downloaded when in
fact it has been cancelled.
>It also prepares reports from the findings to be used as
>evidence.
>
>
>
--
Ken
date: Wed, 23 Jul 2008 15:35:08 +0100
author: Ken
|
Re: Plod Forensics (IT)
Ken wrote:
> The file extension as advertised, rather than the underlying file
> format?
No.
date: Wed, 23 Jul 2008 22:40:06 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
Roland Perry wrote:
> How does that work if the computer has a RAID controller (which my
> desktop PC does)? I suppose they either need a different technique, or a
> jig that glues together all the images.
Well, it's possible to image each drive independently to ensure that a
forensic copy has been made. Copies of the images can then be mounted as
a RAID using a loopback interface. I've seen reports that RAID 5 is
difficult to image.
Guidance Software claim that EnCase provides native support for NT
Striped RAIDs but the problem with EnCase is that it is closed,
proprietary software and no one can validate the claim.
date: Wed, 23 Jul 2008 22:40:11 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
In message <1ikjy0o.1okxud2mwkx6wN%%steve%@malloc.co.uk>, at 22:40:11 on
Wed, 23 Jul 2008, Steve Firth <%steve%@malloc.co.uk> remarked:
>Guidance Software claim that EnCase provides native support for NT
>Striped RAIDs but the problem with EnCase is that it is closed,
>proprietary software and no one can validate the claim.
My RAID has a hardware controller, and is independent of the OS; so it's
probably more difficult.
--
Roland Perry
date: Thu, 24 Jul 2008 08:45:05 +0100
author: Roland Perry
|
Re: Plod Forensics (IT)
On Thu, 24 Jul 2008 08:45:05 +0100, Roland Perry wrote:
> In message <1ikjy0o.1okxud2mwkx6wN%%steve%@malloc.co.uk>, at 22:40:11 on
> Wed, 23 Jul 2008, Steve Firth <%steve%@malloc.co.uk> remarked:
>>Guidance Software claim that EnCase provides native support for NT
>>Striped RAIDs but the problem with EnCase is that it is closed,
>>proprietary software and no one can validate the claim.
>
> My RAID has a hardware controller, and is independent of the OS; so it's
> probably more difficult.
I wouldn't have thought so - plug the discs (after initial imaging) into
a known clean identical hardware RAID controller and they can be read as
easily as a single disc.
Having a hardware raid controller limits the number of ways the data
could be striped onto the discs drastically.
date: Thu, 24 Jul 2008 19:50:10 +0100
author: PCPaul
|
Re: Plod Forensics (IT)
In message <e84ik.32329$E41.2593@text.news.virginmedia.com>, at 19:50:10
on Thu, 24 Jul 2008, PCPaul remarked:
>>>Guidance Software claim that EnCase provides native support for NT
>>>Striped RAIDs but the problem with EnCase is that it is closed,
>>>proprietary software and no one can validate the claim.
>>
>> My RAID has a hardware controller, and is independent of the OS; so it's
>> probably more difficult.
>
>I wouldn't have thought so - plug the discs (after initial imaging) into
>a known clean identical hardware RAID controller and they can be read as
>easily as a single disc.
If they have an example of that controller in their armoury.
>Having a hardware raid controller limits the number of ways the data
>could be striped onto the discs drastically.
Yes, that's true, although the controller still needs to be configured
with what partition and drive sizes, and what types of RAID, the group
of drives implements.
--
Roland Perry
date: Thu, 24 Jul 2008 20:30:09 +0100
author: Roland Perry
|
Re: Plod Forensics (IT)
Roland Perry wrote in
news:QGYVURrgdNiIFAIL@perry.co.uk:
>
> If they have an example of that controller in their armoury.
There is a place up in Cumbria that can courier you an example of almost
any hard-drive, floppy drive, zip drive, tape drive, controller etc ever
made. Phone them in the morning and the chances are you can have it mounted
by the end of the day.
--
Regards,
Periander
date: Thu, 24 Jul 2008 22:30:15 +0100
author: Periander
|
Re: Plod Forensics (IT)
PCPaul coughed up some electrons that declared:
> On Thu, 24 Jul 2008 08:45:05 +0100, Roland Perry wrote:
>
>> In message <1ikjy0o.1okxud2mwkx6wN%%steve%@malloc.co.uk>, at 22:40:11 on
>> Wed, 23 Jul 2008, Steve Firth <%steve%@malloc.co.uk> remarked:
>>>Guidance Software claim that EnCase provides native support for NT
>>>Striped RAIDs but the problem with EnCase is that it is closed,
>>>proprietary software and no one can validate the claim.
>>
>> My RAID has a hardware controller, and is independent of the OS; so it's
>> probably more difficult.
>
> I wouldn't have thought so - plug the discs (after initial imaging) into
> a known clean identical hardware RAID controller and they can be read as
> easily as a single disc.
>
> Having a hardware raid controller limits the number of ways the data
> could be striped onto the discs drastically.
It's not particularly hard, having done it myself when a controller went
phut and refused to online the volume. I cheated because I could use the
original controller, which recovered after a reset enough to build a new
test RAID volume on some spare disks, write simple patterned test data to
it and then analyse the test data patterns on individual discs.
What I found (Chapparall controller): Metadata block of fixed size from
sector 0 to X where X was in the MB range (I forget, it was years ago).
Then the rest of each disk was left-asymmetric parity (common) with a fairly
common block size (64k in this case). Not hard to write a quick and dirty C
program to read the disks and spit out the linearised data to a (very big)
file which could be loopback mounted and data recovered filewise on demand.
The point being: There are only a few common RAID block layout schemes that
manufacturers are *likely* to use. There'll probably be a blob of metadata
at the start or the end of each disk and it will probably be constant size
across all disks. Block (or chunk) sizes vary but 64k or 32k or 128k are
very good bets to start with. Decent raid controllers use hardware
accelerators. Hardware is fiddly to design or program (in the case of FPGA
type programmable hardware) so the designers are generally going to keep
their schemes as simple (standard) as possible.
Finally, if you can guess some of the data on the disk, eg it's an NTFS
filesystem then you have a fairly good chance of looking at the disks in a
hex/strings viewer for known data like the filesystem headers, bits of the
root directory, common files that are likely to be present, guessing the
metadata size (and thus ignoring it) and taking a fair stab at determining
the block/chunk size and the stripe layout.
If you are really paranoid, you need encryption with precautions about where
the keys are kept. If you are totally paranoid, and deal in small amounts
of incriminating data, you probably want steganography (hiding secrets
inside innocuous data, picture and audio files are a good place as no-one
generally notices a little bit of error introduced by bit hiding). This is
akin to hiding your diamonds in full view in a large glass chandelier.
But even some types of steganography are detectable by analytic tools.
If you are *really* paranoid, have a few dodgy files (but less so than your
incriminating files) slightly hidden. The accusers will possibly think
they've struck gold finding those but you won't take the full hit. Akin to
leaving your rubies in a cheap safe under the chandelier with the diamonds.
I've never had the reason to hide anything much, except all my financial
access data (banking, pins etc) which are heavily encrypted and on
removable media.
Personally, I don't trust any hardware encryption device I didn't build to
look after my valuables. I use open source utils because I can at least see
what's going on.
Cheers
Tim
date: Fri, 25 Jul 2008 00:30:12 +0100
author: Tim S
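An added illustration of the reconstruction Tim describes (not his C program): per-disk images with a fixed-size metadata block and a left-asymmetric RAID 5 layout are generated from patterned test data, the common chunk sizes and layouts are tried until the known pattern lands where it belongs, and the volume is linearised, including the case where one disk image is missing and has to be rebuilt from parity. The constant-size metadata block and the 32k/64k/128k candidates are the assumptions the post itself suggests.

```python
# Added illustration (not the poster's own program): un-striping a RAID 5
# set from per-disk images the way the post describes. The disk images are
# constructed here from patterned test data, so the whole thing runs offline.


def parity_disk(stripe, ndisks):
    """'Left' layouts put parity on the last disk for stripe 0, then walk backwards."""
    return (ndisks - 1) - (stripe % ndisks)


def data_order(stripe, ndisks, layout):
    """Disks holding this stripe's data chunks, in logical order."""
    p = parity_disk(stripe, ndisks)
    if layout == "left-asymmetric":      # data fills disks 0..n-1, skipping parity
        return [d for d in range(ndisks) if d != p]
    if layout == "left-symmetric":       # data starts on the disk after parity
        return [(p + 1 + i) % ndisks for i in range(ndisks - 1)]
    raise ValueError(layout)


def xor_blocks(blocks):
    """XOR equal-length byte blocks (RAID 5 parity)."""
    acc = 0
    for b in blocks:
        acc ^= int.from_bytes(b, "big")
    return acc.to_bytes(len(blocks[0]), "big")


def patterned_volume(nbytes):
    """Simple patterned test data: numbered 16-byte records, so any misplacement shows."""
    return b"".join(f"REC{i:08d}".encode().ljust(16, b".") for i in range(nbytes // 16))


def stripe_volume(volume, ndisks, chunk, meta, layout):
    """Write a logical volume onto ndisks images, each starting with `meta` bytes of
    controller metadata (constant size across disks, as in the post)."""
    per_stripe = (ndisks - 1) * chunk
    if len(volume) % per_stripe:
        volume += b"\0" * (per_stripe - len(volume) % per_stripe)
    disks = [bytearray(b"M" * meta) for _ in range(ndisks)]
    for s in range(len(volume) // per_stripe):
        row = volume[s * per_stripe:(s + 1) * per_stripe]
        chunks = [row[i * chunk:(i + 1) * chunk] for i in range(ndisks - 1)]
        placed = dict(zip(data_order(s, ndisks, layout), chunks))
        placed[parity_disk(s, ndisks)] = xor_blocks(chunks)
        for d in range(ndisks):
            disks[d] += placed[d]
    return [bytes(d) for d in disks]


def linearise(disks, chunk, meta, layout, missing=None):
    """Reassemble the logical volume from the per-disk images, skipping the metadata.
    If one image is unusable (index `missing`), its chunks are rebuilt from parity."""
    ndisks = len(disks)
    nstripes = (len(disks[0]) - meta) // chunk
    out = bytearray()
    for s in range(nstripes):
        off = meta + s * chunk
        row = [None if d == missing else disks[d][off:off + chunk] for d in range(ndisks)]
        if missing is not None:
            row[missing] = xor_blocks([c for c in row if c is not None])
        for d in data_order(s, ndisks, layout):
            out += row[d]
    return bytes(out)


def in_order_fraction(volume):
    """Score a candidate reassembly: fraction of records sitting where the pattern says."""
    n = len(volume) // 16
    hits = sum(1 for i in range(n) if volume[16 * i:16 * i + 11] == f"REC{i:08d}".encode())
    return hits / n if n else 0.0


def guess_geometry(disks, meta, candidates=(32 * 1024, 64 * 1024, 128 * 1024)):
    """Try the common chunk sizes and layouts; the one that puts known data where it
    belongs wins (with a real filesystem the known data would be its headers)."""
    best = None
    for chunk in candidates:
        for layout in ("left-asymmetric", "left-symmetric"):
            score = in_order_fraction(linearise(disks, chunk, meta, layout))
            if best is None or score > best[0]:
                best = (score, chunk, layout)
    return best
```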
|
Re: Plod Forensics (IT)
Tim S wrote:
> If you are totally paranoid, and deal in small amounts
> of incriminating data, you probably want steganography (hiding secrets
> inside innocuous data, picture and audio files are a good place as no-one
> generally notices a little bit of error introduced by bit hiding)
You'd think so, wouldn't you? But I managed, during the Forensic
Challenge sessions created by Venema, to discover data hidden within a
picture simply because adding one bit per pixel made the image look
wrong.
date: Fri, 25 Jul 2008 05:55:09 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
Steve Firth coughed up some electrons that declared:
> Tim S wrote:
>
>> If you are totally paranoid, and deal in small amounts
>> of incriminating data, you probably want steganography (hiding secrets
>> inside innocuous data, picture and audio files are a good place as
>> no-one generally notices a little bit of error introduced by bit hiding)
>
> You'd think so, wouldn't you? But I managed, during the Forensic
> Challenge sessions created by Venema, to discover data hidden within a
> picture simply because adding one bit per pixel made the image look
> wrong.
Hmm, the force is strong in this one...
;-D
date: Fri, 25 Jul 2008 07:50:09 +0100
author: Tim S
|
Re: Plod Forensics (IT)
Tim S wrote:
> Steve Firth coughed up some electrons that declared:
>
> > Tim S wrote:
> >
> >> If you are totally paranoid, and deal in small amounts
> >> of incriminating data, you probably want steganography (hiding secrets
> >> inside innocuous data, picture and audio files are a good place as
> >> no-one generally notices a little bit of error introduced by bit hiding)
> >
> > You'd think so, wouldn't you? But I managed, during the Forensic
> > Challenge sessions created by Venema, to discover data hidden within a
> > picture simply because adding one bit per pixel made the image look
> > wrong.
>
> Hmm, the force is strong in this one...
Nah, it was a bit obvious on a properly calibrated monitor. I suspect
that the original had been created on a PeeCee with the weird gamma
settings that Microsloth seem to like.
date: Fri, 25 Jul 2008 17:10:10 +0100
author: %steve%@malloc.co.uk (Steve Firth)
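Tim's remark that some steganography is detectable by analytic tools, and Steve's that the altered bit plane simply looked wrong, can both be shown on the examiner's side. Added illustration, not from the thread: a constructed cover image, a copy whose least-significant bits have been overwritten with random bits (what simple bit hiding leaves behind), the pairs-of-values chi-square test, and a neighbour-agreement measure on the LSB plane; image size and the texture rule are assumptions of the example.

```python
# Added illustration (not from the thread): two quick checks an examiner can run on
# the least-significant-bit plane of an image. The cover is constructed here; the
# "stego" copy has its LSBs overwritten with random bits.
import random

W = H = 128  # constructed image size


def cover_image():
    """Constructed cover: a smooth gradient whose LSBs carry faint but structured texture."""
    px = []
    for y in range(H):
        for x in range(W):
            base = (x + y) & 0xFC
            px.append(base | (1 if (x * y) % 11 == 0 else 0))
    return px


def overwrite_lsbs(pixels, seed=1):
    """Replace every LSB with a random bit, as LSB embedding of random-looking data does."""
    rng = random.Random(seed)
    return [(p & 0xFE) | rng.getrandbits(1) for p in pixels]


def chi_square_pairs(pixels):
    """Pairs-of-values test (Westfeld/Pfitzmann): LSB embedding pushes the counts of
    values 2k and 2k+1 towards equality, so chi-square per degree of freedom drops
    to about 1, while an untouched image scores far higher."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat, dof = 0.0, 0
    for k in range(128):
        n0, n1 = hist[2 * k], hist[2 * k + 1]
        expected = (n0 + n1) / 2
        if expected == 0:
            continue
        stat += (n0 - expected) ** 2 / expected + (n1 - expected) ** 2 / expected
        dof += 1
    return stat / max(dof - 1, 1)


def lsb_neighbour_agreement(pixels, width=W):
    """Fraction of horizontal neighbours with equal LSBs: structured in a natural image,
    about 0.5 once the LSB plane has been randomised (the 'looks wrong' check in numbers)."""
    same = total = 0
    for i in range(len(pixels) - 1):
        if (i + 1) % width == 0:      # do not pair the end of one row with the next
            continue
        total += 1
        same += (pixels[i] & 1) == (pixels[i + 1] & 1)
    return same / total


def lsb_plane_ascii(pixels, width=W, rows=8, cols=48):
    """Render the top-left corner of the LSB plane so a human can eyeball it."""
    return "\n".join(
        "".join("#" if pixels[y * width + x] & 1 else "." for x in range(cols))
        for y in range(rows)
    )
```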
|
Re: Plod Forensics (IT)
%steve%@malloc.co.uk (Steve Firth) wrote:
>Mark wrote:
>
>> Does anyone know;
>> 1.) what checks they are likely to make?
>
>Remove the hard drive(s) from the computer. If they have their heads
>screwed on they may lift any latent prints from the internal drive, but
>often they don't bother. Connect the hard drive(s) to one of their
>computers and create a forensic image of the drive(s). This will be done
>without mounting the hard drive and usually this is done using a rig
>that will prevent data from being written to the drive under any
>circumstances. The disk image made from the drive will be used to
>generate a cryptographic hash value. The same will be done for the disk
>itself and these hash values will be used as evidence that the drive and
>disk image are identical.
>
>Then the examiner will search the drive for anything incriminating. The
>forensic software used will permit the examiner to search for particular
>types of file and will show previews of the file contents. This will
>work even if the file has been deleted and/or partially over written. It
>will also work if the drive has been formatted.
Other replies suggest the police won't go on a mission to search for
things outside of the case material they are actually seeking. Do you
(or anyone) agree with this please?
Also, is there a 'routine' search for "xyz" when checking a HDD or
should they initially restrict their search to say just the
"keywords" if it is a text based enquiry?
>> 2.) what software they use to scour the disk drive?
>
>Most probably Encase, but if you are in Scotland it will be their own
>homebrew forensic tools (which are arguably superior to Encase). If you
>are outside the UK it could be a range of tools including Sleuthkit
>and/or the standard Unix tools for examining disk drives and disk images,
>including hex editors, dd, strings and various tools to open mailboxes.
England.
>> 3.) do they go digging for anything else like pr0n, emails or keywords
>> like 'terrorist', etc?
>
>They will look for whatever they can find. And they will look in all the
>usual places that they know and the average computer user doesn't. So
>they should be able to reconstruct browsing, email, IRC, downloads etc.
Will they search things like backup files or for example, Forte
Agent's data files containing posts like this one?
with gratitude.
date: Sun, 27 Jul 2008 11:15:14 +0100
author: Mark
|
Re: Plod Forensics (IT)
Mark wrote:
[snip]
> Other replies suggest the police won't go on a mission to search for
> things outside of the case material they are actually seeking. Do you
> (or anyone) agree with this please?
They won't go out of their way to look exhaustively for evidence but
they will report all the evidence they find. As mentioned before EnCase
provides thumbnail views of all images on the disk, whether they are
deleted or not. Standard practice is to look through these thumbnails
since a text search will not find them or classify their content.
> Also, is there a 'routine' search for "xyz" when checking a HDD or
> should they initially restrict their search to say just the
> "keywords" if it is a text based enquiry?
Why would the search be restricted? If a computer is seized for (say) a
blackmail case and there is evidence of a terrorist or paedophile
offence why should the examiner be instructed not to look for that
evidence?
date: Sun, 27 Jul 2008 15:10:05 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
Steve Firth <%steve%@malloc.co.uk> posted
>
>Why would the search be restricted? If a computer is seized for (say) a
>blackmail case and there is evidence of a terrorist or paedophile
>offence why should the examiner be instructed not to look for that
>evidence?
There are two answers, a legal one and a moral/political one.
The legal one is that the equipment was seized under a PACE warrant that
authorises the police to look only for evidence regarding the offence
specified in the warrant. But maybe this isn't true any more. It may
have been superseded by section 867(b)(i) of the 2008 Police Powers
Against Terrorism, Serious Crime and Paedophilia Act, as amended by
Schedule 24, part 9 of Statutory Instrument no 40,895, paragraph no
2,567,984.
The moral/political objection is that, if the authorities can switch
investigations at the drop of a hat from one "suspected" crime to
another, then it becomes incredibly easy for the police to persecute
individuals for their own reasons. Hey, this guy is a troublemaker, he
blogs some nasty stuff about the Iraq war, he might be a terrorist, so
let's seize his computer. Oh shit, we couldn't find any terrorism stuff
on it - never mind, let's look for some child porn ... damn, none of
that, well maybe he's a money launderer ... nope, no joy there! What
about drug dealing, let's go through his email records - hmm, couldn't
see anything there either ... So is he file sharing some copyright pop
songs? Rats! Still nothing ... I know, let's check out his Usenet posts!
Here's one where he admits to having stolen a shilling from his mum's
purse when he was fourteen! Got him!
--
Les
"God will save her, fear you not, be you the men you've been.
Get you the sons your fathers got and God will save the Queen."
date: Sun, 27 Jul 2008 23:55:16 +0100
author: Big Les Wade
|
Re: Plod Forensics (IT)
%steve%@malloc.co.uk (Steve Firth) wrote:
>Mark wrote:
>
>[snip]
>
>> Other replies suggest the police won't go on a mission to search for
>> things outside of the case material they are actually seeking. Do you
>> (or anyone) agree with this please?
>
>They won't go out of their way to look exhaustively for evidence but
>they will report all the evidence they find. As mentioned before EnCase
>provides thumbnail views of all images on the disk, whether they are
>deleted or not. Standard practice is to look through these thumbnails
>since a text search will not find them or classify their content.
In my case they are looking for text only, word processing, email and
web browser cache. They have absolutely no reason within the
circumstances of this issue to show any interest in images of any kind
whatsoever.
>> Also, is there a 'routine' search for "xyz" when checking a HDD or
>> should they initially restrict their search to say just the
>> "keywords" if it is a text based enquiry?
>
>Why would the search be restricted? If a computer is seized for (say) a
>blackmail case and there is evidence of a terrorist or paedophile
>offence why should the examiner be instructed not to look for that
>evidence?
Instead of "restricted" I should have perhaps said "focused". If they
just do a quick sweep of all images there will likely be thousands if
not millions. Noticing say "2" questionable ones within that lot would
be very un/lucky indeed.
I guess it is in the lap of the gods, how much time they have when my
drive is being examined, the mood/curiosity of the examiner, etc.
date: Mon, 28 Jul 2008 00:25:04 +0100
author: Mark
|
Re: Plod Forensics (IT)
Big Les Wade wrote:
> Steve Firth <%steve%@malloc.co.uk> posted
> >
> >Why would the search be restricted? If a computer is seized for (say) a
> >blackmail case and there is evidence of a terrorist or paedophile
> >offence why should the examiner be instructed not to look for that
> >evidence?
>
> There are two answers, a legal one and a moral/political one.
>
> The legal one is that the equipment was seized under a PACE warrant that
> authorises the police to look only for evidence regarding the offence
> specified in the warrant. But maybe this isn't true any more.
I don't think it ever was true. Section 7 of PACE code B makes it clear
that a warrant is not always required for seizure of documents or
equipment and Criminal Justice and Police Act 2001, Part 2 allows an
officer to seize equipment for examination somewhere other than the
premises on which the equipment was found. The officer only has to have
reasonable grounds for believing that the item seized is evidence of an
offence (not a specified offence) and there is no limitation preventing
prosecution or reporting of evidence of crimes other than the one for
which a warrant was raised or which was suspected at the time of
seizure.
> It may
> have been superseded by section 867(b)(i) of the 2008 Police Powers
> Against Terrorism, Serious Crime and Paedophilia Act, as amended by
> Schedule 24, part 9 of Statutory Instrument no 40,895, paragraph no
> 2,567,984.
It seems irrelevant since the ability to seize evidence was never
limited in the way you seem to think it was or is. Take for example the
case of Martyn Gilleard whose premises were searched for evidence of
paedophile activity using a PACE warrant. During the search evidence of
terrorist activity was discovered, the police were not restricted by the
warrant from charging Gilleard for both offences, and he was
subsequently convicted on both charges.
http://news.bbc.co.uk/1/hi/uk/7469180.stm
> The moral/political objection is that, if the authorities can switch
> investigations at the drop of a hat from one "suspected" crime to
> another, then it becomes incredibly easy for the police to persecute
> individuals for their own reasons. Hey, this guy is a troublemaker, he
> blogs some nasty stuff about the Iraq war, he might be a terrorist, so
> let's seize his computer. Oh shit, we couldn't find any terrorism stuff
> on it - never mind, let's look for some child porn ... damn, none of
> that, well maybe he's a money launderer ... nope, no joy there! What
> about drug dealing, let's go through his email records - hmm, couldn't
> see anything there either ... So is he file sharing some copyright pop
> songs? Rats! Still nothing ... I know, let's check out his Usenet posts!
> Here's one where he admits to having stolen a shilling from his mum's
> purse when he was fourteen! Got him!
And if we take the other side of the coin, you seem to be advocating
that if a search of premises is conducted under a PACE warrant for tax
evasion that if the search leads to evidence of murder that the suspect
should not be charged with murder.
date: Mon, 28 Jul 2008 02:35:06 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
Steve Firth <%steve%@malloc.co.uk> posted
>Big Les Wade wrote:
>
>> Steve Firth <%steve%@malloc.co.uk> posted
>> >
>> >Why would the search be restricted? If a computer is seized for (say) a
>> >blackmail case and there is evidence of a terrorist or paedophile
>> >offence why should the examiner be instructed not to look for that
>> >evidence?
>>
>> There are two answers, a legal one and a moral/political one.
>>
>> The legal one is that the equipment was seized under a PACE warrant that
>> authorises the police to look only for evidence regarding the offence
>> specified in the warrant. But maybe this isn't true any more.
>
>I don't think it ever was true. Section 7 of PACE code B makes it clear
>that a warrant is not always required for seizure of documents or
>equipment and Criminal Justice and Police Act 2001, Part 2 allows an
>officer to seize equipment for examination somewhere other than the
>premises on which the equipment was found. The officer only has to have
>reasonable grounds for believing that the item seized is evidence of an
>offence (not a specified offence) and there is no limitation preventing
>prosecution or reporting of evidence of crimes other than the one for
>which a warrant was raised or which was suspected at the time of
>seizure.
I knew you would say that. The difference is that in one situation the
examiner *happens* upon evidence of one crime while searching for
evidence of another. Whereas you appear to be recommending that the
examiner should be permitted to *search* for evidence of a crime that
was not specified in the warrant.
--
Les
"God will save her, fear you not, be you the men you've been.
Get you the sons your fathers got and God will save the Queen."
date: Mon, 28 Jul 2008 09:10:11 +0100
author: Big Les Wade
|
Re: Plod Forensics (IT)
Big Les Wade wrote:
[snip]
> I knew you would say that. The difference is that in one situation the
> examiner *happens* upon evidence of one crime while searching for
> evidence of another. Whereas you appear to be recommending that the
> examiner should be permitted to *search* for evidence of a crime that
> was not specified in the warrant.
Short answer, no I'm not.
date: Mon, 28 Jul 2008 15:35:06 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
On Thu, 24 Jul 2008 20:30:09 +0100, Roland Perry
wrote:
>>> My RAID has a hardware controller, and is independent of the OS; so it's
>>> probably more difficult.
>>I wouldn't have thought so - plug the discs (after initial imaging) into
>>a known clean identical hardware RAID controller and they can be read as
>>easily as a single disc.
>If they have an example of that controller in their armoury.
Which they obviously will have, having confiscated it from the suspect
along with everything else.
--
Cynic
date: Mon, 28 Jul 2008 20:00:12 +0100
author: Cynic
|
Re: Plod Forensics (IT)
On Mon, 28 Jul 2008 09:10:11 +0100, Big Les Wade
wrote:
>I knew you would say that. The difference is that in one situation the
>examiner *happens* upon evidence of one crime while searching for
>evidence of another. Whereas you appear to be recommending that the
>examiner should be permitted to *search* for evidence of a crime that
>was not specified in the warrant.
Searching for evidence of the suspected crime involves running a
search with a standard forensic tool which will end up listing all
sorts of things and making thumbnails of all images on the HDD.
Looking through the results may well uncover a completely different
crime that the police could honestly say they just happened to come
across while looking for evidence of the suspected crime.
--
Cynic
date: Mon, 28 Jul 2008 20:05:04 +0100
author: Cynic
|
Re: Plod Forensics (IT)
Cynic wrote:
> On Mon, 28 Jul 2008 09:10:11 +0100, Big Les Wade
> wrote:
>
> >I knew you would say that. The difference is that in one situation the
> >examiner *happens* upon evidence of one crime while searching for
> >evidence of another. Whereas you appear to be recommending that the
> >examiner should be permitted to *search* for evidence of a crime that
> >was not specified in the warrant.
>
> Searching for evidence of the suspected crime involves running a
> search with a standard forensic tool which will end up listing all
> sorts of things and making thumbnails of all images on the HDD.
>
> Looking through the results may well uncover a completely different
> crime that the police could honestly say they just happened to come
> across while looking for evidence of the suspected crime.
And given the way EnCase and other forensic tools work, it's impossible
to examine image files without actually looking at thumbnails of the
images. There's no text or automated search facility for images.
The OP's belief that the police are somehow prevented from browsing
through image files looking for evidence because he thinks they should
only look at text files is umm bizarre. Obviously anything on the disk
could be evidence of the crime which gave rise to a warrant to seize and
search the HD. Each item has to be examined to see if it has a relevance
to the crime or not. If the examination shows that an item is evidence
of a different crime then that has to be reported.
date: Mon, 28 Jul 2008 21:55:05 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
%steve%@malloc.co.uk (Steve Firth) wrote in
news:1ikt3xt.412j4n18p16emN%%steve%@malloc.co.uk:
> Cynic wrote:
>
>> On Mon, 28 Jul 2008 09:10:11 +0100, Big Les Wade
>> wrote:
>>
>> >I knew you would say that. The difference is that in one situation
>> >the examiner *happens* upon evidence of one crime while searching
>> >for evidence of another. Whereas you appear to be recommending that
>> >the examiner should be permitted to *search* for evidence of a crime
>> >that was not specified in the warrant.
>>
>> Searching for evidence of the suspected crime involves running a
>> search with a standard forensic tool which will end up listing all
>> sorts of things and making thumbnails of all images on the HDD.
>>
>> Looking through the results may well uncover a completely different
>> crime that the police could honestly say they just happened to come
>> across while looking for evidence of the suspected crime..
>
> And given the way EnCase and other forensic tools work, it's
> impossible to examine image files without actually looking at
> thumbnails of the images. There's no text or automated search facility
> for images.
>
> The OP's belief that the police are somehow prevented from browsing
> through image files looking for evidence because he thinks they should
> only look at text files is umm bizarre. Obviously anything on the disk
> could be evidence of the crime which gave rise to a warrant to seize
> and search the HD. Each item has to be examined to see if it has a
> relevance to the crime or not. If the examination shows that an item
> is evidence of a different crime then that has to be reported.
(Devils advocate mode) Surely though you'll still get your lab form 1s
or MGFSS as they are now that will say (words to the effect of) ...
"Recover all instant message logs and text" or
"Search all text documents for the following keywords"
Especially now that the MGFSS is "Question based" (and a right royal
pain in the arse that is)
The point being that on some occasions there will be no need to even
look at/for image files.
--
Regards,
Periander
date: Mon, 28 Jul 2008 23:10:06 +0100
author: Periander
|
Re: Plod Forensics (IT)
Periander wrote:
> The point being that on some occassions there will be no need to even
> look at/for image files.
Yes, but EnCase indexes and presents them all anyway. I suppose if one
chose to wear a blindfold...
date: Tue, 29 Jul 2008 00:00:13 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
%steve%@malloc.co.uk (Steve Firth) wrote in news:1iktb4v.19xbyqds131b6N%%
steve%@malloc.co.uk:
> Periander wrote:
>
>> The point being that on some occassions there will be no need to even
>> look at/for image files.
>
> Yes, but EnCase indexes and presents them all anyway. I suppose if one
> chose to wear a blindfold...
Sledgehammer to crack a nut? FTK or any one of several tools would do the
job just as well - if not quicker in a case of "mere" text retrieval.
--
Regards,
Periander
date: Tue, 29 Jul 2008 00:10:09 +0100
author: Periander
|
Re: Plod Forensics (IT)
In message , at 20:00:12 on
Mon, 28 Jul 2008, Cynic remarked:
>>>I wouldn't have thought so - plug the discs (after initial imaging) into
>>>a known clean identical hardware RAID controller and they can be read as
>>>easily as a single disc.
>
>>If they have an example of that controller in their armoury.
>
>Which they obviously will have, having confiscated it from the suspect
>along with everything else.
So you think the police have the right to cannibalise evidential
computers in order to send parts off to the forensic lab?
--
Roland Perry
date: Tue, 29 Jul 2008 10:00:19 +0100
author: Roland Perry
|
Re: Plod Forensics (IT)
Roland Perry wrote:
> In message , at 20:00:12 on
> Mon, 28 Jul 2008, Cynic remarked:
> >>>I wouldn't have thought so - plug the discs (after initial imaging) into
> >>>a known clean identical hardware RAID controller and they can be read as
> >>>easily as a single disc.
> >
> >>If they have an example of that controller in their armoury.
> >
> >Which they obviously will have, having confiscated it from the suspect
> >along with everything else.
>
> So you think the police have the right to cannibalise evidential
> computers in order to send parts off to the forensic lab?
They have the "right" to seize whatever they wish in terms of a search
warrant or whatever they have reasonable cause to believe is evidence of
a crime. When it comes to seizing computer equipment they are (or should
be) trained to seize the equipment in such a way that evidence is
preserved. In general this requires them to seize all of the equipment
rather than to dismantle it. Which means that the forensic examiner will
have access to the RAID controller.
However when it comes to examining RAID drives it is more likely that
imaged copies of the drives will be used in the FE's own rig or that
drive images will be accessed using a software loopback interface and
software RAID controller. One is not looking for performance when
examining a suspect device, one is looking for thorough, reproducible
techniques and can afford to spend some time about it.
date: Tue, 29 Jul 2008 11:20:10 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
In message <1iku68w.1ypzzyo7m7s1hN%%steve%@malloc.co.uk>, at 11:20:10 on
Tue, 29 Jul 2008, Steve Firth <%steve%@malloc.co.uk> remarked:
>> >>>I wouldn't have thought so - plug the discs (after initial imaging) into
>> >>>a known clean identical hardware RAID controller and they can be read as
>> >>>easily as a single disc.
>> >
>> >>If they have an example of that controller in their armoury.
>> >
>> >Which they obviously will have, having confiscated it from the suspect
>> >along with everything else.
>>
>> So you think the police have the right to cannibalise evidential
>> computers in order to send parts off to the forensic lab?
>
>They have the "right" to seize whatever they wish in terms of a search
>warrant or whatever they have reasonable cause to believe is evidence of
>a crime. When it comes to seizing computer equipment they are (or should
>be) trained to seize the equipment in such a way that evidence is
>preserved. In general this requires them to seize all of the equipment
>rather than to dismantle it. Which means that the forensic examiner will
>have access to the RAID controller.
Although the controller is inside the evidential computer, not the
forensic examiner's one.
To use it inside the latter it will have to be removed, and quite likely
reconfigured (to be able to co-exist with the original controllers in
that rig).
>However when it comes to examining RAID drives it is more likely that
>imaged copies of the drives will be used in the FE's own rig or that
>drive images will be accessed using a software loopback interface and
>software RAID controller.
Dear Liza, dear Liza. This is where we were several days ago in the
thread.
--
Roland Perry
date: Tue, 29 Jul 2008 12:05:08 +0100
author: Roland Perry
|
Re: Plod Forensics (IT)
Roland Perry wrote:
> >They have the "right" to seize whatever they wish in terms of a search
> >warrant or whatever they have reasonable cause to believe is evidence of
> >a crime. When it comes to seizing computer equipment they are (or should
> >be) trained to seize the equipment in such a way that evidence is
> >preserved. In general this requires them to seize all of the equipment
> >rather than to dismantle it. Which means that the forensic examiner will
> >have access to the RAID controller.
>
> Although the controller is inside the evidential computer, not the
> forensic examiner's one.
>
> To use it inside the latter it will have to be removed, and quite likely
> reconfigured (to be able to co-exist with the original controllers in
> that rig).
The computer to be examined will be dismantled in the forensic lab
anyway. The suspect's computer is never used in the investigation; the
drives are removed and imaged before the investigation proceeds.
It is preferable that the controllers used would also be supplied by the
forensic lab and labs keep hardware libraries including obsolete
equipment just in case it is needed for an examination. So it's likely
that whatever controller you are using that the examiner will have
access to the same equipment.
However if, as you seem to think, your equipment is so rare and special
that no one else will have one available then there's still no problem.
Either a software technique can be used or your controller can be used
with a RAID of brand new disks which have forensically verified copies
of your disks loaded onto them.
The rig gets configured afresh for every analysis so the need to
reconfigure the card doesn't exist.
> >However when it comes to examining RAID drives it is more likely that
> >imaged copies of the drives will be used in the FE's own rig or that
> >drive images will be accessed using a software loopback interface and
> >software RAID controller.
>
> Dear liza, dear Liza. This is where we were several days ago in the
> thread.
You seem to have forgotten and therefore I was reminding you. The
objections that you are raising are all complete non-starters; there's a
way around each of them. Your belief that the seized computer will
not be dismantled is odd; it just won't be dismantled by whom you think
would do the job (the police), it will be dismantled by a forensic
professional.
date: Tue, 29 Jul 2008 12:50:07 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
Periander wrote:
> %steve%@malloc.co.uk (Steve Firth) wrote in news:1iktb4v.19xbyqds131b6N%%
> steve%@malloc.co.uk:
>
> > Periander wrote:
> >
> >> The point being that on some occassions there will be no need to even
> >> look at/for image files.
> >
> > Yes, but EnCase indexes and presents them all anyway. I suppose if one
> > chose to wear a blindfold...
>
> Sledgehammer to crack a nut?
One tool fits all uses. The licensing per seat for EnCase is "quite a
bit" and, having invested in it, it gets used for everything. I don't
think this is a good thing myself and have talked up open source tools
and promoted the CTOSE approaches to generation of a truly open source
forensic application. However that doesn't sort any wrangles about
interface and in most jurisdictions around the world "show me what
you've got" seems to be the preferred way of examining disks.
> FTK or anyone of several tools would do the job just as well - of not
> quicker in a case of "mere" text retrival.
True, but FTK/Sleuthkit has its own pluses and minuses. TBH I can do
text searches fairly rapidly using dd and strings/grep with MD5/SHA1 for
disk image verification but then explaining what has been done takes a
lot more effort.
The last time I used dd to image a disk there were problems with EnCase
and dd being inconsistent in the creation of a disk image and different
MD5 strings for the same image. It turned out both were at fault. EnCase
couldn't image the last sector on the disk and dd couldn't image the
last few bytes. That really takes some explaining.
One headache with a text-only search is that one misses information held
in picture file formats such as Fax tiff or the drag and drop .PNG
images used by some ISPs to provide temporary username/password
combinations. TheCloud and BT OpenReach do this and the information can
be important if it is suspected that a laptop was used to connect to a
WLAN outside the home. Doing a visual browse through all of the pictures
on a disk to see if any of those files exist is reasonable.
date: Tue, 29 Jul 2008 10:55:06 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
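An added example, not code from the thread, of the image verification the post above describes. It hashes a raw image with both MD5 and SHA1, compares the image length against the sector count the source device reported (which is what catches a tool leaving off the last sector or the last few bytes: two imagers that disagree simply produce two different hashes, and neither hash says which one is short), and does a strings/grep-style keyword search that reports byte offsets a report can cite. The sample "device" images, the 512-byte sector size and the planted keyword are constructed for the example.

```python
# Added example, not code from the thread: check a raw (dd-style) image
# against the source device's sector count, hash it, and keyword-search it.
import hashlib
import os
import re
import tempfile

SECTOR = 512  # logical sector size assumed for the example


def hash_image(path, chunk_size=1 << 20):
    """MD5 and SHA1 hex digests of an image, read in chunks so a multi-GB
    image is never loaded into memory at once."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def check_image_size(path, device_sectors):
    """Compare the image length with the sector count the source device
    reports (what `blockdev --getsz` prints on Linux). An image shorter
    than the device is exactly the 'last sector / last few bytes not
    imaged' failure, and a hash comparison alone will not reveal it."""
    expected = device_sectors * SECTOR
    actual = os.path.getsize(path)
    missing = max(expected - actual, 0)
    return {
        "expected_bytes": expected,
        "actual_bytes": actual,
        "missing_bytes": missing,
        "missing_sectors": (missing + SECTOR - 1) // SECTOR,
        "complete": actual == expected,
    }


def find_keyword(path, keyword, chunk_size=1 << 20):
    """Byte offsets of every occurrence of `keyword` in the raw image,
    like strings|grep but with offsets. The tail of each chunk is carried
    over so a hit straddling a chunk boundary is found exactly once."""
    pattern = re.compile(re.escape(keyword))
    hits, carry, base = [], b"", 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            window = carry + block            # starts at base - len(carry)
            for m in pattern.finditer(window):
                hits.append(base - len(carry) + m.start())
            carry = window[-(len(keyword) - 1):] if len(keyword) > 1 else b""
            base += len(block)
    return hits


def build_sample_images(sectors=64):
    """Constructed sample: a 'device' of `sectors` sectors with the keyword
    planted twice (one copy straddling a 1000-byte chunk boundary), plus
    two deliberately short images: one missing a whole sector and one
    missing only the last 16 bytes."""
    tmp = tempfile.mkdtemp(prefix="dd_images_")
    img = bytearray(sectors * SECTOR)
    for s in range(sectors):                       # sector number as header
        img[s * SECTOR:s * SECTOR + 4] = s.to_bytes(4, "little")
    for off in (2995, 20 * SECTOR + 100):
        img[off:off + 9] = b"terrorist"
    paths = {}
    for name, cut in (("full", 0), ("short_sector", SECTOR), ("short_tail", 16)):
        paths[name] = os.path.join(tmp, name + ".img")
        with open(paths[name], "wb") as fh:
            fh.write(bytes(img[:len(img) - cut]))
    return paths, sectors


if __name__ == "__main__":
    paths, sectors = build_sample_images()
    for name, path in paths.items():
        print(name, check_image_size(path, sectors), hash_image(path)[1][:12])
    print("keyword offsets:", find_keyword(paths["full"], b"terrorist"))
```

The size check is the one that settles a dispute between two imagers: record the device's sector count at acquisition time alongside the hashes, and an image that hashes consistently but is one sector short is still a short image.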
Re: Plod Forensics (IT)
On Tue, 29 Jul 2008 10:00:19 +0100, Roland Perry
wrote:
>>>If they have an example of that controller in their armoury.
>>Which they obviously will have, having confiscated it from the suspect
>>along with everything else.
>So you think the police have the right to cannibalise evidential
>computers in order to send parts off to the forensic lab?
Yes, most certainly they do.
The usual way is to first remove all the HDDs and clone them. The
original HDDs are then bagged and kept safe as evidence. Boot the PC
from a forensic boot disk and take a copy of the CMOS settings,
including the RTC.
Next make a second set of cloned HDDs on different HDDs which are
installed into the suspect's PC. That PC can then be booted up
without the risk of destroying evidence - it doesn't matter what
happens to the HDD clones. The exact behaviour and contents of the PC
as it was at the time it was seized can then be examined at length.
--
Cynic
date: Tue, 29 Jul 2008 13:20:16 +0100
author: Cynic
|
Re: Plod Forensics (IT)
In message , at 13:20:16 on
Tue, 29 Jul 2008, Cynic remarked:
>On Tue, 29 Jul 2008 10:00:19 +0100, Roland Perry
>wrote:
>
>>>>If they have an example of that controller in their armoury.
>
>>>Which they obviously will have, having confiscated it from the suspect
>>>along with everything else.
>
>>So you think the police have the right to cannibalise evidential
>>computers in order to send parts off to the forensic lab?
>
>Yes, most certainly they do.
>
>The usual way is to first remove all the HDDs and clone them. The
>original HDDs are then bagged and kept safe as evidence. Boot the PC
>from a forensic boot disk
That's where the fun starts, because the PC boots off the RAID drive and
therefore the boot discs need to be readable by the RAID controller.
Although it may be easier to boot off a CD-ROM.
>and take a copy of the CMOS settings, including the RTC.
--
Roland Perry
date: Tue, 29 Jul 2008 13:55:09 +0100
author: Roland Perry
|
Re: Plod Forensics (IT)
In message <1ikua8e.8vyxhn5zroqgN%%steve%@malloc.co.uk>, at 12:50:07 on
Tue, 29 Jul 2008, Steve Firth <%steve%@malloc.co.uk> remarked:
>> >They have the "right" to seize whatever they wish in terms of a search
>> >warrant or whatever they have reasonable cause to believe is evidence of
>> >a crime. When it comes to seizing computer equipment they are (or should
>> >be) trained to seize the equipment in such a way that evidence is
>> >preserved. In general this requires them to seize all of the equipment
>> >rather than to dismantle it. Which means that the forensic examiner will
>> >have access to the RAID controller.
>>
>> Although the controller is inside the evidential computer, not the
>> forensic examiner's one.
>>
>> To use it inside the latter it will have to be removed, and quite likely
>> reconfigured (to be able to co-exist with the original controllers in
>> that rig).
>
>The computer to be examined will be dismantled in the forensic lab.
>anyway. The suspect's computer is never used in the investigation the
>drives are removed and imaged before the investigation proceeds.
So it sounds like you are agreeing with me that the lab won't be using
the suspect's cannibalised disk controller.
That's all I wanted to know.
>The objections that you are raising are all complete non-starters
>there's a way around each of them. Your belief that the seized computer
>will not be dismantled is odd; it just won't be dismantled by whom you
>think would do the job (the police), it will be dismantled by a forensic
>professional.
But it won't be dismantled in order to supply the lab with a suitable
controller.
>However if, as you seem to think, your equipment is so rare and special
Just obsolete. But if they can simulate it in software then I'm duly
impressed.
>that no one else will have one available then there's still no problem.
>Either a software technique can be used or your controller can be used
Oops, or maybe they will cannibalise it after all.
>with a RAID of brand new disks which have forensically verified copies
>of your disks loaded onto them.
That's as expected.
--
Roland Perry
date: Tue, 29 Jul 2008 13:55:03 +0100
author: Roland Perry
|
Re: Plod Forensics (IT)
Roland Perry wrote:
[snip]
> So it sounds like you are agreeing with me that the lab won't be using
> the suspect's cannibalised disk controller.
No I'm not. I'm pointing out what the process of investigation involves.
There is nothing to preclude a raid controller from the suspect's
computer being used if nothing else is available. I even took care to
spell this out in the following paragraph.
> That's all I wanted to know.
Since I haven't stated what you seem to think I have stated, I have not
confirmed your view.
> >The objections that you are raising are all complete non-starters
> >there's a way around each of them. Your belief that the seized computer
> >will not be dismantled is odd; it just won't be dismantled by whom you
> >think would do the job (the police), it will be dismantled by a forensic
> >professional.
>
> But it won't be dismantled in order to supply the lab with a suitable
> controller.
Really? Why not?
> >However if, as you seem to think, your equipment is so rare and special
>
> Just obsolete. But if they can simulate it in software then I'm duly
> impressed.
If it can't be simulated in software then there are other options, as I
pointed out.
> >that no one else will have one available then there's still no problem.
> >Either a software technique can be used or your controller can be used
>
> Oops, or maybe they will cannibalise it after all.
>
> >with a RAID of brand new disks which have forensically verified copies
> >of your disks loaded onto them.
>
> That's as expected.
Maybe it might be better to get to the end of the post that is being
replied to before formulating a reply.
date: Tue, 29 Jul 2008 14:20:09 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
Roland Perry wrote:
> >The usual way is to first remove all the HDDs and clone them. The
> >original HDDs are then bagged and kept safe as evidence. Boot the PC
> >from a forensic boot disk
>
> That's where the fun starts, because the PC boots off the RAID drive and
> therefore the boot discs need to be readable by the RAID controller.
> Although it may be easier to boot off a CD-ROM.
The suspect PC will not be booted up, other than possibly with disks
disconnected in order to record BIOS/CMOS settings.
There's no need to boot into your OS at all, so the fact that your PC
boots from the RAID has no relevance.
date: Tue, 29 Jul 2008 14:20:17 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
On Tue, 29 Jul 2008 13:55:09 +0100, Roland Perry
wrote:
>>The usual way is to first remove all the HDDs and clone them. The
>>original HDDs are then bagged and kept safe as evidence. Boot the PC
>>from a forensic boot disk
>That's where the fun starts, because the PC boots off the RAID drive and
>therefore the boot discs need to be readable by the RAID controller.
>Although it may be easier to boot off a CD-ROM.
It will be booted from a forensic floppy or CD with *no* HDDs in the
PC. The only purpose is to take a snapshot of the hardware
configuration and the CMOS and RTC settings. If the PC does not have
a CD drive or floppy drive, one will be installed for the purpose
(albeit a minimal change to the CMOS may in that case be required).
With that information the suspect PC can be restored at any time to
the exact state it was in at the time it was seized. Install freshly
cloned HDDs and load the CMOS and RTC, and Bob's your uncle.
--
Cynic
date: Tue, 29 Jul 2008 14:30:10 +0100
author: Cynic
|
Re: Plod Forensics (IT)
In message <1ikuf59.1l9qn0j1fg4lkmN%%steve%@malloc.co.uk>, at 14:20:09
on Tue, 29 Jul 2008, Steve Firth <%steve%@malloc.co.uk> remarked:
>Roland Perry wrote:
>[snip]
>
>> So it sounds like you are agreeing with me that the lab won't be using
>> the suspect's cannibalised disk controller.
>
>No I'm not. I'm pointing out what the process of investigation involves.
>There is nothing to preclude a raid controller from the suspect's
>computer being used if nothing else is available. I even took care to
>spell this out in the following paragraph.
Using an interesting technique of saying one load of stuff ...
"The suspect's computer is never used in the investigation"
... to start with, then contradicting yourself at the end!
Which I did notice, as you saw.
--
Roland Perry
date: Tue, 29 Jul 2008 15:10:05 +0100
author: Roland Perry
|
Re: Plod Forensics (IT)
In message , at 14:30:10 on
Tue, 29 Jul 2008, Cynic remarked:
>The only purpose is to take a snapshot of the hardware
>configuration and the CMOS and RTC settings.
>With that information the suspect PC can be restored at any time to
>the exact state it was in at the time it was seized. Install freshly
>cloned HDDs and load the CMOS and RTC, and Bob's your uncle.
I wonder if they ever incorporated the extra security feature I put in
(early) Amstrad PCs so that it told you when booting what time/date the
computer was last used. That date was incremented by the BIOS and it
would be quite difficult to reset it afterwards to the same condition it
was when the powered-off PC was seized, so that *next* time it was
switched on the exact correct information was displayed.
A trivial example, but it's often much more difficult than you think to
put a machine back to a "known" state.
--
Roland Perry
date: Tue, 29 Jul 2008 15:15:04 +0100
author: Roland Perry
|
Re: Plod Forensics (IT)
In message <1ikufez.1msnbf71tkxtxcN%%steve%@malloc.co.uk>, at 14:20:17
on Tue, 29 Jul 2008, Steve Firth <%steve%@malloc.co.uk> remarked:
>Roland Perry wrote:
>
>> >The usual way is to first remove all the HDDs and clone them. The
>> >original HDDs are then bagged and kept safe as evidence. Boot the PC
>> >from a forensic boot disk
>>
>> That's where the fun starts, because the PC boots off the RAID drive and
>> therefore the boot discs need to be readable by the RAID controller.
>> Although it may be easier to boot off a CD-ROM.
>
>The suspect PC will not be booted up,
So what PC are you referring to when you say above:
"Boot the PC from a forensic boot disc"?
> other than possibly with disks
>disconnected in order to record BIOS/CMOS settings.
Ah, there's that U-turn again.
>There's no need to boot into your OS at all, so the fact that your PC
>boots from the RAID has no relevance.
Which just leaves the question of what you are using to boot the PC (to
record the BIOS settings). [I guess it's a CD].
I think we may be generally in agreement, but you are making very heavy
weather of your explanations.
--
Roland Perry
date: Tue, 29 Jul 2008 15:15:16 +0100
author: Roland Perry
|
Re: Plod Forensics (IT)
Roland Perry wrote:
> In message <1ikufez.1msnbf71tkxtxcN%%steve%@malloc.co.uk>, at 14:20:17
> on Tue, 29 Jul 2008, Steve Firth <%steve%@malloc.co.uk> remarked:
> >Roland Perry wrote:
[snip]
> So what PC are you referring to when you say above:
>
> "Boot the PC from a forensic boot disc"?
I didn't make that reference, someone else did.
> > other than possibly with disks
> >disconnected in order to record BIOS/CMOS settings.
>
> Ah, there's that U-turn again.
It's not a U-turn, it's an explanation. If the PC were to be booted it
would be booted from a forensic boot disk as someone else explained.
This is not the same as booting from the suspect HDs which will *never*
be done.
> >There's no need to boot into your OS at all, so the fact that your PC
> >boots from the RAID has no relevance.
>
> Which just leaves the question of what you are using to boot the PC (to
> record the BIOS settings). [I guess it's a CD].
You guess wrong.
> I think we may be generally in agreement, but you are making very heavy
> weather of your explanations.
The explanations are clear, it's the interpretation which is in error.
date: Tue, 29 Jul 2008 15:35:05 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
Roland Perry wrote:
> In message <1ikuf59.1l9qn0j1fg4lkmN%%steve%@malloc.co.uk>, at 14:20:09
> on Tue, 29 Jul 2008, Steve Firth <%steve%@malloc.co.uk> remarked:
> >Roland Perry wrote:
> >[snip]
> >
> >> So it sounds like you are agreeing with me that the lab won't be using
> >> the suspect's cannibalised disk controller.
> >
> >No I'm not. I'm pointing out what the process of investigation involves.
> >There is nothing to preclude a raid controller from the suspect's
> >computer being used if nothing else is available. I even took care to
> >spell this out in the following paragraph.
>
> Using an interesting technique of saying one load of stuff ...
>
> "The suspect's computer is never used in the investigation"
Correct, the suspect's computer is not used as the platform for an
investigation. There's no need to do so. For just about any
investigation that you can think of with any equipment that you can
think of in just about any circumstances that you can think of, the
forensic examiner will have available all of the hardware that he needs
to examine any suspect computer.
> ... to start with, then contradicting yourself at the end!
No I didn't. You were positing a highly unlikely scenario in which
somehow or other there exists a controller card which cannot be
replicated in software and which the examiner has no access to. *If*
such a device exists then it is perfectly reasonable for the examiner to
attach that device to a RAID built from new disks (not the ones from the
suspect computer) and to use that controller to access the disks.
At no time is the suspect's computer being used in the examination.
> Which I did notice, as you saw.
You are attempting to make something out of nothing. Quite why I don't
know.
date: Tue, 29 Jul 2008 15:40:10 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
In message <1ikuiyc.usqdlo1eekgezN%%steve%@malloc.co.uk>, at 15:35:05 on
Tue, 29 Jul 2008, Steve Firth <%steve%@malloc.co.uk> remarked:
>> So what PC are you referring to when you say above:
>>
>> "Boot the PC from a forensic boot disc"?
>
>I didn't make that reference, someone else did.
OK, so your position is that the original hardware is never used?
>> Which just leaves the question of what you are using to boot the PC (to
>> record the BIOS settings). [I guess it's a CD].
>
>You guess wrong.
So what is used to boot it?
>> I think we may be generally in agreement, but you are making very heavy
>> weather of your explanations.
>
>The explanations are clear, it's the interpretation which is in error.
So explain it better.
--
Roland Perry
date: Tue, 29 Jul 2008 17:25:16 +0100
author: Roland Perry
|
Re: Plod Forensics (IT)
In message <1ikuiqg.lqt5dc15p2v8eN%%steve%@malloc.co.uk>, at 15:40:10 on
Tue, 29 Jul 2008, Steve Firth <%steve%@malloc.co.uk> remarked:
>> >[snip]
>> >
>> >> So it sounds like you are agreeing with me that the lab won't be using
>> >> the suspect's cannibalised disk controller.
>> >
>> >No I'm not. I'm pointing out what the process of investigation involves.
>> >There is nothing to preclude a raid controller from the suspect's
>> >computer being used if nothign else is available. I even took care to
>> >spell this out in the following paragraph.
>>
>> Using an interesting technique of saying one load of stuff ...
>>
>> "The suspect's computer is never used in the investigation"
>
>Correct, the suspect's computer is not used as the platform for an
>investigation.
Which contradicts other postings.
>You were positing a highly unlikely scenario in which somehow or other
>there exists a controller card which cannot be replicated in software
>and which the examiner has no access to.
Clearly, they could buy one on eBay (eventually), but I was wondering
how they might be able to proceed otherwise.
>At no time is the suspect's computer being used in the examination.
and..
>You are attempting to make something out of nothing. Quite why I don't
>know.
Because you've also described how the controller from the evidential
computer might be used/cannibalised as an enabler for the forensic
analysis.
You can't have it both ways.
--
Roland Perry
date: Tue, 29 Jul 2008 17:20:27 +0100
author: Roland Perry
|
Re: Plod Forensics (IT)
%steve%@malloc.co.uk (Steve Firth) wrote in
news:1iku3dw.qkmg1e16ey50wN%%steve%@malloc.co.uk:
>
> One tool fits all uses. The licensing per seat for EnCase is "quite a
> bit" and having invested in it it gets used for everything.
Yup, but it is (or can be) very slow; many is the time I have sat
staring at the machine willing it into life - and no I'm not EnCase
certified but when appropriate the relevant person will light the blue
touch paper so to speak and then leave me to it.
You then go on to say that it's not costing anything to be running away
on its own - whilst that may be true in a lab environment it is not true
when you have (say) only 2 or 3 machines running the damned thing and
the work is piling up.
Many is the time I have personally only needed chat logs, emails and the
like and to be frank finding images of child abuse would only overly
complicate a situation. But of course if you are a lab and need to keep
the money rolling in ... :-)
BTW you ... QQ or C4, I've been looking through a shed load of old
reports but didn't see your name. Not that you have to answer of course
ulm at domain are always read.
--
Regards,
Periander
date: Tue, 29 Jul 2008 17:40:13 +0100
author: Periander
|
Re: Plod Forensics (IT)
Roland Perry wrote:
> In message <1ikuiyc.usqdlo1eekgezN%%steve%@malloc.co.uk>, at 15:35:05 on
> Tue, 29 Jul 2008, Steve Firth <%steve%@malloc.co.uk> remarked:
>
> >> So what PC are you referring to when you say above:
> >>
> >> "Boot the PC from a forensic boot disc"?
> >
> >I didn't make that reference, someone else did.
>
> OK, so your position is that the original hardware is never used?
No, my position is that it is used as little as possible. The original
computer should never be started as it was configured in the hands of
the owner.
> >> Which just leaves the question of what you are using to boot the PC (to
> >> record the BIOS settings). [I guess it's a CD).
> >
> >You guess wrong.
>
> So what is used to boot it?
It depends. If it will boot from a USB key, from one of those. If it
will boot from a USB floppy then it may be booted using a USB key that
can emulate a floppy. Or from a floppy, or from an IDE HD or from a SATA
HD; how long is your piece of string?
> >> I think we may be generally in agreement, but you are making very heavy
> >> weather of your explanations.
> >
> >The explanations are clear, it's the interpretation which is in error.
>
> So explain it better.
It's pointless if someone is wilfully determined to misunderstand.
date: Tue, 29 Jul 2008 17:50:08 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
Periander wrote:
> It is wasted man hours when you have a limited number of machines and the
> work is piling up.
True, but machines are cheap, bodies aren't. Again it's the licensing
costs for the tools that's the most expensive thing. It's that, and the
superior performance that has made the Scots "roll their own" solutions.
date: Tue, 29 Jul 2008 18:05:06 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
Periander wrote:
> BTW you ... QQ or C4, I've been looking through a shed load of old
> reports but didn't see your name. Not that you have to answer of course
QQ but management and QA. You'll find my name on research papers and
presentations at seminars rather than on lab reports. I've been there
since the mid 90s but am about to swap to the HO.
date: Tue, 29 Jul 2008 18:05:18 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
Roland Perry wrote:
> In message <1ikuiqg.lqt5dc15p2v8eN%%steve%@malloc.co.uk>, at 15:40:10 on
> Tue, 29 Jul 2008, Steve Firth <%steve%@malloc.co.uk> remarked:
>
[snip]
> >Correct the suspect's computer is not used as the platform for an
> >investigation.
>
> Which contradicts other postings.
No it doesn't.
> >You were positing a highly unlikely scenario in which somehow or other
> >there exists a controller card which cannot be replicated in software
> >and which the examiner has no access to.
>
> Clearly, they could buy one on eBay (eventually), but I was wondering
> how they might be able to proceed otherwise.
I had already told you how they proceed.
> >At no time is the suspect's computer being used in the examination.
>
> and..
>
> >You are attempting to make something out of nothing. Quite why I don't
> >know.
>
> Because you've also described how the controller from the evidential
> computer might be used/cannibalised as an enabler for the forensic
> analysis.
>
> You can't have it both ways.
You seem to mistake the part for the whole. HTH.
date: Tue, 29 Jul 2008 17:50:08 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
Cynic wrote:
> On Tue, 29 Jul 2008 18:05:06 +0100, %steve%@malloc.co.uk (Steve Firth)
> wrote:
>
> >True, but machines are cheap bodies aren't. Again it's the licensing
> >costs for the tools that's the most expensive thing. It's that, and the
> >superior performance that has made the Scots "roll their own" solutions.
>
> How does enCase ensure that it is not used on more machines at the
> same time than it is licenced for?
AFAIK it doesn't. OTOH installing ripped off copies of software is an
extremely good way to end up hitting the pavement at velocity as
security escort the miscreant from the premises.
date: Tue, 29 Jul 2008 19:25:14 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
Periander wrote:
> very occasionally if the work required is very much
> out of the ordinary.
FX: <waves>
Our lot have a rep for getting data off seriously trashed hardware and
from very old hardware.
date: Tue, 29 Jul 2008 20:40:10 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
In message <1ikuos8.1mnmnb217tyk8N%%steve%@malloc.co.uk>, at 17:50:08 on
Tue, 29 Jul 2008, Steve Firth <%steve%@malloc.co.uk> remarked:
>> >Correct the suspect's computer is not used as the platform for an
>> >investigation.
>>
>> Which contradicts other postings.
>
>No it doesn't.
You have made contradictory postings about the extent to which the
suspect's computer (or more precisely its disc controller) can be used
as part of the forensic investigator's hardware.
--
Roland Perry
date: Tue, 29 Jul 2008 21:05:04 +0100
author: Roland Perry
|
Re: Plod Forensics (IT)
Roland Perry wrote:
> In message <1ikuos8.1mnmnb217tyk8N%%steve%@malloc.co.uk>, at 17:50:08 on
> Tue, 29 Jul 2008, Steve Firth <%steve%@malloc.co.uk> remarked:
>
> >> >Correct the suspect's computer is not used as the platform for an
> >> >investigation.
> >>
> >> Which contradicts other postings.
> >
> >No it doesn't.
>
> You have made contradictory postings about the extent to which the
> suspect's computer (or more precisely its disc controller) can be used
> as part of the forensic investigator's hardware.
No I haven't. You have stated that I have made contradictory statements
but I have not done so.
date: Tue, 29 Jul 2008 22:50:06 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
%steve%@malloc.co.uk (Steve Firth) wrote in news:1ikuwww.t7hgvb15sks00N%%
steve%@malloc.co.uk:
> Periander wrote:
>
>> very occasionally if the work required is very much
>> out of the ordinary.
>
> FX: <waves>
>
> Our lot have a rep for getting data off seriously trashed hardware and
> from very old hardware.
FX: <waves back>
So do many others ;-)
--
Regards,
Periander
date: Tue, 29 Jul 2008 21:15:08 +0100
author: Periander
|
Re: Plod Forensics (IT)
Periander wrote:
> FX: <waves back>
>
> So do many others ;-)
Wife and starving co-workers to support guv. Spare change?
date: Wed, 30 Jul 2008 10:35:06 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
In message <1ikv1u5.1omn05n1i9pnjaN%%steve%@malloc.co.uk>, at 22:50:06
on Tue, 29 Jul 2008, Steve Firth <%steve%@malloc.co.uk> remarked:
>You have stated that I have made contradictory statements
>but I have not done so.
....
In message <1ikuiqg.lqt5dc15p2v8eN%%steve%@malloc.co.uk>, at 15:40:10 on
Tue, 29 Jul 2008, Steve Firth <%steve%@malloc.co.uk> remarked:
>At no time is the suspect's computer being used in the examination.
[...]
>There is nothing to preclude a raid controller from the suspect's
>computer being used if nothing else is available.
Given that it was the "cannibalisation" scenario that started this
subthread, I don't understand why you didn't just say "yes, sometimes
the evidential computer may be cannibalised".
--
Roland Perry
date: Wed, 30 Jul 2008 10:50:10 +0100
author: Roland Perry
|
Re: Plod Forensics (IT)
Roland Perry wrote:
[snip]
> Given that it was the "cannibalisation" scenario that started this
> subthread, I don't understand why you didn't just say "yes, sometimes
> the evidential computer may be cannibalised".
Because you had that wrong as well. The computer is not dismantled by a
police officer at the scene of the crime as you seemed to think.
Again you seem to be trying to make something out of nothing.
date: Wed, 30 Jul 2008 14:40:15 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
In message <1ikwb79.l6arlappon7tN%%steve%@malloc.co.uk>, at 14:40:15 on
Wed, 30 Jul 2008, Steve Firth <%steve%@malloc.co.uk> remarked:
>> Given that it was the "cannibalisation" scenario that started this
>> subthread, I don't understand why you didn't just say "yes, sometimes
>> the evidential computer may be cannibalised".
>
>Because you had that wrong as well.
Please be specific about what you think is wrong.
>The computer is not dismantled by a police officer at the scene of the
>crime as you seemed to think.
I never suggested it would be dismantled at the scene. That's a very
curious representation.
--
Roland Perry
date: Wed, 30 Jul 2008 15:15:09 +0100
author: Roland Perry
|
Re: Plod Forensics (IT)
Roland Perry wrote:
> In message <1ikwb79.l6arlappon7tN%%steve%@malloc.co.uk>, at 14:40:15 on
> Wed, 30 Jul 2008, Steve Firth <%steve%@malloc.co.uk> remarked:
> >> Given that it was the "cannibalisation" scenario that started this
> >> subthread, I don't understand why you didn't just say "yes, sometimes
> >> the evidential computer may be cannibalised".
> >
> >Because you had that wrong as well.
>
> Please be specific about what you think is wrong.
Please read a little further before replying.
> >The computer is not dismantled by a police officer at the scene of the
> >crime as you seemed to think.
>
> I never suggested it would be dismantled at the scene. That's a very
> curious representation.
"So you think the police have the right to cannibalise evidential
computers in order to send parts off to the forensic lab?"
date: Wed, 30 Jul 2008 16:00:26 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
In message <1ikwejl.upzobe1r1io3zN%%steve%@malloc.co.uk>, at 16:00:26 on
Wed, 30 Jul 2008, Steve Firth <%steve%@malloc.co.uk> remarked:
>> >> Given that it was the "cannibalisation" scenario that started this
>> >> subthread, I don't understand why you didn't just say "yes, sometimes
>> >> the evidential computer may be cannibalised".
>> >
>> >Because you had that wrong as well.
>>
>> Please be specific about what you think is wrong.
>
>Please read a little further before replying.
>
>> >The computer is not dismantled by a police officer at the scene of the
>> >crime as you seemed to think.
>>
>> I never suggested it would be dismantled at the scene. That's a very
>> curious representation.
>
>"So you think the police have the right to cannibalise evidential
>computers in order to send parts off to the forensic lab?"
Is it your view that the police *do* have that right, to cannibalise an
evidential computer (which by then is stored at the police station) in
order to send a disk controller to the forensic lab so they can view
mirrors of the original HDDs?
--
Roland Perry
date: Wed, 30 Jul 2008 16:35:16 +0100
author: Roland Perry
|
Re: Plod Forensics (IT)
Roland Perry wrote:
[snip]
> Is it your view that the police *do* have that right, to cannibalise an
> evidential computer (which by then is stored at the police station) in
> order to send a disk controller to the forensic lab so they can view
> mirrors of the original HDDs?
They have the right to seize in evidence anything covered by a warrant
and anything revealed in a search may be evidence of a crime, subject to
PACE. They have the duty to retain items seized for the minimum period
that is reasonable, subject to the need to forensically examine the items
in question. Such an analysis may require partial or complete
disassembly of the seized property whether that be an aeroplane, car,
computer, playstation, lawnmower or whatever.
Your ideas about how this may be done and by whom and at what time appear
to be complete bunk.
date: Wed, 30 Jul 2008 17:15:08 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
In message <1ikwidk.17sx7af11n3z19N%%steve%@malloc.co.uk>, at 17:15:08
on Wed, 30 Jul 2008, Steve Firth <%steve%@malloc.co.uk> remarked:
>> Is it your view that the police *do* have that right, to cannibalise an
>> evidential computer (which by then is stored at the police station) in
>> order to send a disk controller to the forensic lab so they can view
>> mirrors of the original HDDs?
>
>They have the right to seize in evidence anything covered by a warrant
>and anything revealed in a search may be evidence of a crime, subject to
>PACE. They have the duty to retain items seized for the minimum period
>that is reasonable, subject to the need to forensically examine the items
>in question. Such an analysis may require partial or complete
>disassembly of the seized property whether that be an aeroplane, car,
>computer, playstation, lawnmower or whatever.
>
>Your ideas about how this may be done and by whom and at what time appear
>to be complete bunk.
I'm not denying they can seize and examine things, it's the using of
cannibalised parts that's my main concern (and one you seem now to be
avoiding).
Say they seized and examined my car, could they use the tyres on a
police car while the case was waiting to come to court?
--
Roland Perry
date: Wed, 30 Jul 2008 21:20:13 +0100
author: Roland Perry
|
Re: Plod Forensics (IT)
%steve%@malloc.co.uk (Steve Firth) wrote in news:1ikvzmn.1nmjzxh19q2wg2N%%
steve%@malloc.co.uk:
> Periander wrote:
>
>> FX: <waves back>
>>
>> So do many others ;-)
>
> Wife and starving co-workers to support guv. Spare change?
I have to say that I do prefer C4 (very helpful over the phone, flexible,
liaison throughout and I like the way they do their reports), your lot come
a close second so when I put stuff through CSL for dispatch/tasking I tell
them to send to either QQ or C4 (so I can't be accused of favouritism).
Other folks have their own fav labs but the reports from other folks can be
a PITA at times - for instance, they'll do their reports in RTF, not only
that (when it's images) they'll embed the relevant images in an RTF file
instead of simply extracting them and putting them in a directory - our
viewing machines don't have an RTF filter! So you get the text without
images. Or the communications can be poor, turn-around may be delayed etc.
Besides QQ have so much work on the go they're like the Borg of cyberworld
:-)
--
Regards,
Periander
date: Thu, 31 Jul 2008 16:10:06 +0100
author: Periander
|
Re: Plod Forensics (IT)
Periander wrote:
> Besides qq have so much work on the go they're like the borg of cyberworld
> :-)
Heh, as of today they have a bit less because I'm moving on. Someone has
made me an offer I can't ignore.
date: Thu, 31 Jul 2008 21:05:07 +0100
author: %steve%@malloc.co.uk (Steve Firth)
|
Re: Plod Forensics (IT)
%steve%@malloc.co.uk (Steve Firth) wrote in
news:1ikynje.1kj9fsu1h7tsw0N%%steve%@malloc.co.uk:
> Periander wrote:
>
>> Besides qq have so much work on the go they're like the borg of
>> cyberworld
>> :-)
>
> Heh, as of today they have a bit less because I'm moving on. Someone
> has made me an offer I can't ignore.
One hopes that you've escaped the clutches of the HO? It would have been
such a waste.
--
Regards,
Periander
date: Thu, 31 Jul 2008 23:30:08 +0100
author: Periander
|