Monday, November 17, 2008


Or is it? In real terms, remembering that this is US not UK law, it is just another formal step to take in the forensics process - i.e. get your warrant before you start your analysis. There is a much more detailed analysis of how this fits in with the 4th Amendment, 'zipless searches', sniffer dogs noses and 'reasonable expectation of privacy' at Arstechnica and a post on the Volokh Conspiracy which explains why anyone was looking at the computer in the first place. And you could always read the actual judgement which seems balanced and reasonable.

Hash table comparisons, both to exclude known material (NIST produce lists for standard operating system builds and application software installations) - leaving just items that may have been created or altered by the user, or to identify known bad files (malware as well as porn) are great tools for digging straight down into potentially relevant material. Couple this ability to rapidly identify potential evidence with the EnCase Gallery and Timeline views and you can often quickly include or exclude data sources from your case evidence.

The bit about platters seems to be a rather interesting aspect of an important element of US law - did the initial private citizen's viewing of a few images mean that a warrant was not required for a more comprehensive law enforcement search? (This, I suspect, is actually an administrative rather than substantive point for future investigation - would you be refused a warrant if you had a witness complaint of kiddie pr0n? I doubt it.) The contrast between the findings of the Runyan case - a search of a random selection from a collection of disks by a private individual was held to not permit a warrantless search of the whole collection - and this case where viewing some files on a disk does not permit the search of the whole disk is interesting. However, it seems to be based on a slight misunderstanding of technology - disks do not record sequentially on platters, which are an integral component of the overall disk rather than, as appears to have been believed, analogous to the individual CDs in a multichanger cartridge - the information will be scattered across them, therefore there is no reasonable belief that the initial private search did not view multiple platters. Having said that, that the EnCase search was "a search different in character from the one conducted by Hipple, and thus it cannot be defended on the grounds that it did not exceed the private party search" is obvious.

On the whole, it seems to be an excellent judgement, if of minor relevance to UK & European investigations. Anyway, it is back to the 1st rule of digital forensics - it is your evidential processes that will screw things up, not the (ab)use of technology!

No comments:

HTTP Error 403: You are not authorised to access the file "\real_name_and_address.html" on this server.

(c) 'Surreptitious Evil' 2006 - 2017.