As good forensicators, I hope that we’re all familiar with the ACPO ‘Good Practice Guide for Computer-Based Electronic Evidence’. For those outside the UK, this is the booklet produced by the Association of Chief Police Officers covering the dos and don’ts for the seizure, analysis and presentation of computery stuff by Law Enforcement in the UK. It’s got lots of advice and guidelines in it, and if you’re practising in the criminal field here then you should be at least passingly familiar with the Four Principles within it.
When the GPGFCBEE (pronounced ‘Gup-guff-sea-bee’) was updated a couple of years ago it drew a lot of ‘WTF’s in the LE world because of its heavy branding (heavy on a ‘black hole, sucking in gravity itself’ scale) by a well known forensics company. There was no problem with the content, it was just that ACPO seemed to have ignored the 43-odd HTCUs in England and Wales and all of the highly experienced LE practitioners in them who are the end-users of the Guide, and gone off to consult a commercial entity. To the best of my knowledge no explanation was ever given for this, and indeed ACPO seem to have handed the Guide over in its entirety to their partner – or at least that’s the impression one would get from the apparent lack of any mention of it on ACPO’s website. Maybe they were scared that we’d moan about backlogs and funding, maybe they didn’t like our dress sense or maybe they’d just forgotten about us. Who knows? Who cares? Caring about a perceived snub by a faceless body of chauffeured chiefs would be an egotistical act and, as we all know, destruction of the ego is the biggie on the path to enlightenment. Ho hum. <Monkey sits in the Lotus position for a while>
Aaaaaaaaaaanyhoo. I was reading the Guide the other day, and noticed that it’s been a while since it was updated. It’s also quite limited in its scope – it sticks to the straight route of HTCU work and never really leaves that path for a wander among the bluebells. I convened a meeting of the MCCF (Monkeytown Cabal of Chief Forensicators i.e. me sitting naked and bloodied in front of pieces of a broken mirror) and over a bottle of brandy and a bowl of peaches, we cobbled together the following:
MCCF Computer Forensicy and Related Stuff Least-Bad Practice Guide
Supported by Golden Apple Ltd, Manufacturers of Exquisite Pies, Pasties and Industrial Vodka
Least-Bad Practice Principles
- Don’t mess up the evidence.
- Never play cards for money with a guy named after a city.
- If you’ve got to mess up the evidence, make sure you can explain why and how.
- Never get locked up in a country that uses a different alphabet to yours.
- Write shit down.
- You provide all the evidence but the OiC owns the case: he gets the commendation for your work, but if it all goes wrong it’s his fault. On paper.
- Friday is hot dogs day!
Dealing with Volatile Data
Don’t bother. We didn’t bother with it in 2001, so there’s no reason we should start now. Trying to execute a warrant at a time when the suspect’s at the keyboard would only mess up breakfast arrangements, too. Mmmmm….breakfast.
Crime Scenes
Don’t wear your best trousers, wash your hands before eating.
Electronic evidence is everywhere. All over the bloody place. Could be in anything, really. In a computer? Yup. In a thumbdrive shaped like a duck? Sho nuff. In a 32GB microSD card that the suspect is busy necking while you’re waiting for him to answer the door? No diggity, no doubt. But don’t forget to look in the places that you might not immediately think of, too.
For example, there are devices on the market that use the mains power in a house as a data network – which is just plain weird to start with – but if you follow the implications of this to their logical conclusion, it means that if there is an empty light socket above your head in a house, it could be dripping contraband data all over you and your colleagues. To combat this, remember to pack a bucket in your search kit to put under any light sockets, to capture errant data.
Wear gloves if you’re going through someone’s dressing gown pockets. Srsly.
If you’re at a business premises, find a comfy chair at a desk with a good view of proceedings and make it your ‘Base of Operations’. Open a laptop and run a few sciencey-looking things, and wait for the admin chicks to come flocking. It’s not as if they’ll be doing any work, with you stealing all their computers.
Workplace Welfare
Staff in an HTCU are exposed to mountains of truly horrible shit, on a daily basis – only this week, I watched a man masturbate an alligator. To help them cope with this, they need to be allowed to behave exactly how they want. They should also be offered counselling, massages, aromatherapy, paid sabbaticals to go treasure hunting in ancient ruined cities, free bikes and pick of foxy ladies in the canteen queue. Venting spleen in a blog can work wonders, too.
Poor diet can also be a stressor, so why not relax with one of Golden Apple’s marvellous pies or pasties, washed down with some ice-cold vodka? A vodka a day keeps Occupational Health away!
Defence Access
Everyone’s got a right to a decent defence, and part of this involves allowing a defence forensicator access to the exhibit. This should be done under controlled circumstances, and the process should be monitored to ensure the safety of the original evidence. If the defence monkey is about to turn the machine on, the correct way to respond is to scream ‘For the love of God man, NOOOOOOOOOOOOOOOOOOOOOOOOO!’, before expelling him from the building and telling the solicitor to stop sending his feeble-minded relatives round under false pretences.
On the other hand, many defence monkeys are lovely and know their stuff – the best are even ex-Police – and these can be welcomed with open arms, as long as they bring biscuits or Golden Apple pies, pasties and vodka.
So that’s my tuppence worth. Maybe a guide like this is better crowdsourced so if you’ve got any suggestions, stick em in the comments.
WeaselHunter
May 27, 2011
I love the phrase, “A vodka a day helps keep Occupational Health away” ROFL ROFL LOL LOL
Neil
May 27, 2011
Under welfare of staff.
When in gallery view ‘ No scat pictures before breakfast!’
happyasamonkey
May 28, 2011
That’s definitely one for the list. Add bestiality on there, too – I truly, truly hate that stuff and it seems to be this year’s ‘in thing’. In fact its rise in popularity seems to have coincided with the new law against possessing it.
Fainting Chicken
May 27, 2011
Monkey,
Venting spleen in a blog – don’t know who you mean?
ACPO stopped caring several years ago – sold their souls to the commercials, who probably (allegedly) supplied nice “on expenses” lunches and even nicer golf club sets. Hi Tech units are one of the biggest draws on budgets these days – lots of geeky looking people who don’t dress properly, have weird senses of humour, and (used to) go on lots of courses. Damn it, most of them aren’t even proper detectives !! Would never have happened in Gene Hunt’s day.
An excellent comprehensive guide to doing forensication stuff – more corporate branding is needed I think – for example, like they do on Channel 5, “Computer Forensics in association with Greggs”
The Volatile Data stuff is so relevant – when sorting out a job recently where catching the suspect in the middle of his naughties seemed quite important to us, we were told that it would be a good old fashioned “7-o-clock knock” because it meant messing with shifts, and of course, might incur overtime (Our managers are currently looking at getting a superinjunction out to stop us using the word “Overtime”). But, as normal, nobody listens to the Hi-Tech…..until it’s too late !
As for suggestions for the new guide:
1. Don’t let managers buy kit without consultation !!
2. Don’t let corporate IT get involved in purchasing kit – they don’t understand what we do, and will fight tooth and nail to “keep it within the organisational purchasing guidelines”.
yougo2bekidin
June 13, 2011
Your Google Ads look like a spoof too -
Free ACPO Whitepaper
Ensure ACPO Compliance Standards With Our Free ACPO Whitepaper.
http://www.LogRhythm.com
!!!!!
happyasamonkey
June 13, 2011
Excellent
Couldn’t have planned it better myself!
Anonymous
July 26, 2011
Just one word – GENIUS. Many thanks Monkey!!
Speaking as someone who is in a commercial company (but not THAT one) I can say we were as bemused as anyone as to why ACPO had apparently put the Guide up for adoption.
happyasamonkey
July 26, 2011
Glad you enjoyed it! It would have been nice to get an explanation from them – and I bet it wasn’t cheap. In fact, there’s an FoI request in there…
GirlieGeek
September 10, 2011
Gah ! So you’ve uncovered my dastardly but hugely successful ploy for getting something resembling same-species acknowledgement out of LE oppos during Defence Monkey access – ATH (Always Take Hobnobs).
Actually, to be fair, they don’t always treat you like a close pal of the (almost inevitably) Paedo under investigation. Unless it’s the Met, for whom you rank more on the level of a close relative…
Funny piece but a tin of past sell-by Foie Gras to you for perpetrating the desperate old Canard that ex-LE are ‘the best’ Defence Monkeys.
Guess that’ll be the Prosecution minded ones, then, eh?
Anonymous
September 10, 2011
Don’t take it personally, Girlie! You know I’m just trolling
Good idea to take Hob Nobs – they mark you out as having class and not just going through the motions. As I’ve said before though, I think we at Monkeytown are very friendly and professional with defence monkeys. Even for the odd one who’s shown himself to be a dickhead.