Police raids
Brian Beesley
BJ.Beesley at ulster.ac.uk
Mon, 3 Mar 2003 10:49:34 +0000
On Friday 28 February 2003 20:42, Kieran wrote:
> >
> > I can make copies of hard discs at customer's offices. I don't see
> > why the police cannot. Anyway, what is needed is an image of the
> > disc, which can be made on any media but is best made on a non-
> > volatile media. With such a media the police would find it difficult
> > to adjust the copy, as they can with a volatile media. People may
> > recall that the police have a habit of adjusting things in their
> > possession.
>
> The police also need to preserve the integrity of the evidence. This
> means that they cannot just copy the disk by booting: it might
> over-write evidence in swap space, and the copying process would
> change the last access time on the files.
Well - if I have physical access to the system, it has some means of booting
from some other medium (e.g. floppy or CD) and I have another disk drive with
the same physical & electrical interface and the same or greater capacity as
the drive to be copied, I can easily make a sector-by-sector copy of the
whole of the "target" disk, without changing a single bit on the original.
The copying process doesn't take very long.
I'm really dubious about inferring anything from "unused" sectors, but it
would in any case be possible to remove the original HDD from the suspect's
computer, leaving the copy in its place. The computer itself would be left
fully operational; even files in "trash" folders would be recoverable.
>
> Or at least I'd hope they need to do that. It's quite possible that
> the courts don't require the evidence to be preserved correctly.
I fear that the courts may simply not understand the very strict controls
required to ensure that data provided as evidence can be depended on as an
indication of the truth. For instance, is there any independent verification
of software used to enhance images taken by e.g. speed cameras, or any
reasonably robust check on the way in which it is used?
> Of course, that means that it would be relatively easy to plant
> evidence.
Or for a single relatively unimportant case to discredit a major
investigation, perhaps overturning a huge number of previous cases.
>
> Realistically, computer forensics ought to be able to image seized disks
> as a matter of routine. If the punter supplies them with an 80Gb disk,
> they should be able to copy in a couple of working days at the outside.
I'd give them one hour downtime per system.
> At roughly 100ukp for cheap ones, this is the least that should be done.
> In fact, they could probably negotiate a bulk discount :)
A standard 80 GByte disk is now _well_ under 100 pounds, at one-off retail
prices. At the very least the Home Office would be saving a substantial
amount by claiming back the VAT.
Brian Beesley
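The sector-by-sector copy described in the reply above, as an added example that is not part of the thread: a POSIX shell procedure that marks the source read-only, copies it block by block with `dd`, and adds a hash comparison (my addition, the post does not mention hashing) so the image can be shown to match the original bit for bit. It assumes `dd`, `sha256sum` and, for real devices, `blockdev` are available; the source can be a block device or, for an offline demo, a regular file.

```shell
#!/bin/sh
# Forensic-style sector copy with integrity check (added example, not from the thread).
# On a real acquisition SRC is a block device (e.g. /dev/sdb) behind a write
# blocker; for an offline demo it may be an ordinary file.

# Mark a block device read-only at the kernel level before touching it.
# No-op for regular files (used in the offline demo).
set_readonly() {
    src="$1"
    if [ -b "$src" ] && command -v blockdev >/dev/null 2>&1; then
        blockdev --setro "$src" || return 1
    fi
    return 0
}

# Sector-by-sector copy: 512-byte blocks, keep going past read errors and
# pad unreadable sectors with zeros so offsets in the image stay aligned.
# Caveat: with conv=sync a source whose size is not a multiple of 512 bytes
# is padded, so its hash will not match; real disks are whole sectors.
acquire_image() {
    src="$1"; dst="$2"
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null
}

# Hash source and image; print both, return 0 only if they are identical.
verify_image() {
    src="$1"; dst="$2"
    h_src=$(sha256sum "$src" | cut -d' ' -f1)
    h_dst=$(sha256sum "$dst" | cut -d' ' -f1)
    printf 'source %s\nimage  %s\n' "$h_src" "$h_dst"
    [ "$h_src" = "$h_dst" ]
}

# Whole procedure: read-only, copy, verify. Returns 0 on a verified image.
image_and_verify() {
    set_readonly "$1" || return 1
    acquire_image "$1" "$2" || return 1
    verify_image "$1" "$2"
}
```

Record the printed hashes alongside the image; any later change to either copy shows up as a mismatch on re-verification.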