Susan Brenner has an article on her CYB3RCRIM3 blog about the chilling effects of the Adam Walsh Act putting the fear of God into people, especially the defense when it comes to handling child exploitation material. (CEM is one of the nicer terms for child porn, and the one I generally use since it was in favour at QPol where I used to work.)
I have dealt with the restrictions of the Adam Walsh Act from the defense examiner side, and personally feel that some of the restrictions are onerous to say the least. You are basically requiring a forensic examiner to transplant part of his laboratory to a government facility to conduct the examination, which is forensically unsound, because one of the major issues with forensics is the “sterile environment” concept.
Part of the sterile environment is the examiner having control of all access to their evidence. In a government facility, you most certainly do NOT have control of your environment. I’ve never known a proper examination of a computer to take less than a few days, so you’re leaving your gear there overnight, unattended, in a room and building over which you have no control. And you can’t just take your equipment back to the office with you at the end of each day, because the examination process potentially creates copies of contraband material on your exam machine.
The government also has a habit of refusing to grant access to the original evidence. A properly trained examiner doesn’t want this access in order to manipulate the evidence on the original, but rather to make the forensic copy themselves, or to get a hash and validate the supplied copy.
But enough about the joys of the Adam Walsh Act. The case referred to in Ms Brenner’s blog is STATE OF TENNESSEE v. RE’LICKA DAJUAN ALLEN No. E2007-01018-CCA-R3-CD.
What really makes this case interesting is the absolutely wrong statements made by the defense “expert” witness. Now I’ve never heard of Mr Herbert Mack, and I can’t seem to find anything about him outside this case through a few Google searches. Seriously though, this guy shouldn’t have passed a Daubert challenge, and the prosecutor was weak for not challenging him.
Here commeth the whoppers:
He said that, given the large number of images allegedly contained on the computer, he would not be able to remember the specifics of the information without taking the computer hard drive from the sheriff’s department.
One of the golden rules of forensics is: document everything important. You should have a notepad recording every procedure, every search you conduct, and any pertinent results. Forensic software also lets you produce voluminous reports of files and metadata – none of which need contain contraband – if the quantity of material is too much for your notes. In fact, production of a file list of evidentiary files with metadata is a standard part of reporting every forensic examination.
Mack expressed concern about working from a “mirror image” rather than the hard drive itself, testifying that the computer programs in existence did not create true mirror images.
Here is a small, non-exhaustive list of computer programs which create mirror images:
In fact, FTK Imager is free (as in beer) and dd is free (both as in beer and as in speech, being open source) and is included in every version of Linux and BSD that I know of, along with a bunch of Linux-based forensic boot disks.
In order to be a “mirror image” or “forensic image”, the image must contain the complete disk, including system areas such as the boot sectors, partition tables, and any unallocated space. All forensic imaging software will do this.
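An added example, not code from the original post, covering both the “get a hash and validate the supplied copy” point made earlier and the requirement that an image carry every sector of the disk: a small sector-by-sector imager that behaves like `dd conv=noerror,sync` (an unreadable sector is zero-filled and logged so the image keeps the source geometry), hashes the copy as it is written, and a verifier that checks a supplied image against the acquisition hash. The source disk here is a constructed file with an MBR-style sector, a few “partition” sectors and trailing unallocated space, and the bad-sector behaviour is simulated by a wrapper class; both are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

SECTOR = 512   # logical sector size assumed for this example


def make_sample_source(path: str) -> None:
    """Constructed stand-in for a tiny disk, sector-aligned (8 sectors)."""
    mbr = b"\x00" * 510 + b"\x55\xaa"                      # boot signature
    partition = (b"hello evidence file\n" * 100)[:SECTOR * 4]
    partition = partition.ljust(SECTOR * 4, b"\x00")       # sectors 1-4
    unallocated = b"\x00" * (SECTOR * 3)                   # sectors 5-7
    with open(path, "wb") as f:
        f.write(mbr + partition + unallocated)


class SectorReader:
    """Reads one sector at a time; optionally simulates an unreadable sector."""

    def __init__(self, fh, bad_sector=None):
        self.fh = fh
        self.bad_sector = bad_sector

    def read_sector(self, n: int) -> bytes:
        if n == self.bad_sector:
            raise OSError("simulated read error at sector %d" % n)
        self.fh.seek(n * SECTOR)
        return self.fh.read(SECTOR)


def image_device(src_path: str, dst_path: str, bad_sector=None):
    """Copy every sector of src to dst, zero-filling unreadable ones.

    Returns (sha256 of the image as written, list of bad sector numbers).
    The hash is computed from the bytes actually written, which is what the
    acquisition log should record.
    """
    size = os.path.getsize(src_path)
    n_sectors = (size + SECTOR - 1) // SECTOR
    digest = hashlib.sha256()
    bad = []
    with open(src_path, "rb") as sf, open(dst_path, "wb") as df:
        reader = SectorReader(sf, bad_sector)
        for n in range(n_sectors):
            try:
                chunk = reader.read_sector(n)
            except OSError:
                bad.append(n)
                chunk = b"\x00" * SECTOR       # keep geometry, like conv=sync
            df.write(chunk)
            digest.update(chunk)
    return digest.hexdigest(), bad


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(image_path: str, expected_sha256: str) -> bool:
    """Validate a supplied copy against the hash recorded at acquisition."""
    return hmac.compare_digest(sha256_file(image_path), expected_sha256.lower())


def run_demo() -> dict:
    """Image the sample source cleanly and with one simulated bad sector."""
    work = tempfile.mkdtemp(prefix="img-")
    src = os.path.join(work, "source.bin")
    good = os.path.join(work, "good.dd")
    degraded = os.path.join(work, "degraded.dd")
    make_sample_source(src)
    good_hash, good_bad = image_device(src, good)
    degraded_hash, degraded_bad = image_device(src, degraded, bad_sector=2)
    return {
        "src": src, "good": good, "degraded": degraded,
        "good_hash": good_hash, "good_bad": good_bad,
        "degraded_hash": degraded_hash, "degraded_bad": degraded_bad,
        "good_matches_source": good_hash == sha256_file(src),
        "sizes_equal": os.path.getsize(src) == os.path.getsize(good)
                       == os.path.getsize(degraded),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Two things worth noticing: the image file is always the same size as the source, boot sector and unallocated space included, and a single unreadable sector changes the hash, which is why the bad-sector list belongs in the acquisition notes next to the hash.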
Mack conceded that his examination of the actual hard drive would entail reconnecting the original personal computer equipment, turning the computer on, and loading his software file-searching tools, and he agreed that in the process of booting up the Windows operating system the contents of the hard drive would be changed.
Booting Windows will change hundreds of files and settings. Installing his software will most likely alter the registry, and potentially overwrite evidence in deleted space. What he is proposing is the equivalent of walking all over a crime scene in muddy boots with no gloves. You’re destroying evidence, AND leaving your own fingerprints all over the place. This is horrible from a forensics viewpoint.
I have booted up a suspect’s computer before, but it was ALWAYS with a forensic copy of the hard drive. There is never a good reason to boot the original.
However, according to his testimony, booting the computer would not alter either the file creation date or last accessed date of the images in question.
OK, this is half right. You probably won’t change the MAC dates of the files at start-up, but as soon as you start looking at them on the live system you will. Open a file in Windows and, generally, the accessed date is updated.
Try this little exercise out: right-click on a picture file in Windows Explorer. Select Properties. Check the Accessed date. Windows will tell you that you last accessed the file “Today” and the Accessed time will be the time when you clicked on Properties. Note that later versions of Windows disable NTFS last-access updates by default, so the exercise may not behave this way on every system; that is a setting to check and record before drawing conclusions from an accessed date.
Mack stated that there was an increased risk of disclosing non-discoverable information because the State’s expert would be able to determine what tools had been run on Defendant’s computer hard drive and what information had been recovered before Defendant was obligated to disclose its expert report.
So now that he’s gone and dirtied up his evidence, he’s complaining that the prosecution will find his fingerprints on the evidence? This is why CSIs wear gloves, and forensic computer examiners don’t run live unprotected exams on the original evidence.
Remember, when hiring a computer forensic expert you are looking for training and experience. Training generally involves a certification. Any examiner worth their salt is going to have a CFCE, CCE, EnCE or ACE. Experience should be measured both in years of experience, and number of forensic examinations.