As good forensicators, I hope that we’re all familiar with the ACPO ‘Good Practice Guide for Computer-Based Electronic Evidence’. For those outside the UK, this is the booklet produced by the Association of Chief Police Officers covering the dos and don’ts for the seizure, analysis and presentation of computery stuff by Law Enforcement in the UK. It’s got lots of advice and guidelines in it, and if you’re practising in the criminal field here then you should be at least passingly familiar with the Four Principles within it.
When the GPGFCBEE (pronounced ‘Gup-guff-sea-bee’) was updated a couple of years ago it drew a lot of ‘WTF’s in the LE world because of its heavy branding (heavy on a ‘black hole, sucking in gravity itself’ scale) by a well known forensics company. There was no problem with the content, it was just that ACPO seemed to have ignored the 43-odd HTCUs in England and Wales and all of the highly experienced LE practitioners in them who are the end-users of the Guide, and gone off to consult a commercial entity. To the best of my knowledge no explanation was ever given for this, and indeed ACPO seem to have handed the Guide over in its entirety to their partner – or at least that’s the impression one would get from the apparent lack of any mention of it on ACPO’s website. Maybe they were scared that we’d moan about backlogs and funding, maybe they didn’t like our dress sense or maybe they’d just forgotten about us. Who knows? Who cares? Caring about a perceived snub by a faceless body of chauffeured chiefs would be an egotistical act and, as we all know, destruction of the ego is the biggie on the path to enlightenment. Ho hum. <Monkey sits in the Lotus position for a while>
Aaaaaaaaaaanyhoo. I was reading the Guide the other day, and noticed that it’s been a while since it was updated. It’s also quite limited in its scope – it sticks to the straight route of HTCU work and never really leaves that path for a wander among the bluebells. I convened a meeting of the MCCF (Monkeytown Cabal of Chief Forensicators i.e. me sitting naked and bloodied in front of pieces of a broken mirror) and over a bottle of brandy and a bowl of peaches, we cobbled together the following:
MCCF Computer Forensicy and Related Stuff Least-Bad Practice Guide
Supported by Golden Apple Ltd, Manufacturers of Exquisite Pies, Pasties and Industrial Vodka
Least-Bad Practice Principles
- Don’t mess up the evidence.
- Never play cards for money with a guy named after a city.
- If you’ve got to mess up the evidence, make sure you can explain why and how.
- Never get locked up in a country that uses a different alphabet to yours.
- Write shit down.
- You provide all the evidence but the OiC owns the case: he gets the commendation for your work, but if it all goes wrong it’s his fault. On paper.
- Friday is hot dogs day!
Dealing with Volatile Data
Don’t bother. We didn’t bother with it in 2001, so there’s no reason we should start now. Trying to execute a warrant at a time when the suspect’s at the keyboard would only mess up breakfast arrangements, too. Mmmmm….breakfast.
Don’t wear your best trousers; wash your hands before eating.
Electronic evidence is everywhere. All over the bloody place. Could be in anything, really. In a computer? Yup. In a thumbdrive shaped like a duck? Sho nuff. In a 32GB microSD card that the suspect is busy necking while you’re waiting for him to answer the door? No diggity, no doubt. But don’t forget to look in the places that you might not immediately think of, too.
For example, there are devices on the market that use the mains power in a house as a data network – which is just plain weird to start with – but if you follow the implications of this to their logical conclusion, it means that if there is an empty light socket above your head in a house, it could be dripping contraband data all over you and your colleagues. To combat this, remember to pack a bucket in your search kit to put under any light sockets, to capture errant data.
Wear gloves if you’re going through someone’s dressing gown pockets. Srsly.
If you’re at a business premises, find a comfy chair at a desk with a good view of proceedings and make it your ‘Base of Operations’. Open a laptop and run a few sciencey-looking things, and wait for the admin chicks to come flocking. It’s not as if they’ll be doing any work, with you stealing all their computers.
Staff in an HTCU are exposed to mountains of truly horrible shit, on a daily basis – only this week, I watched a man masturbate an alligator. To help them cope with this, they need to be allowed to behave exactly how they want. They should also be offered counselling, massages, aromatherapy, paid sabbaticals to go treasure hunting in ancient ruined cities, free bikes and pick of foxy ladies in the canteen queue. Venting spleen in a blog can work wonders, too.
Poor diet can also be a stressor, so why not relax with one of Golden Apple’s marvellous pies or pasties, washed down with some ice-cold vodka? A vodka a day keeps Occupational Health away!
Everyone’s got a right to a decent defence, and part of this involves allowing a defence forensicator access to the exhibit. This should be done under controlled circumstances, and the process should be monitored to ensure the safety of the original evidence. If the defence monkey is about to turn the machine on, the correct way to respond is to scream ‘For the love of God man, NOOOOOOOOOOOOOOOOOOOOOOOOO!’, before expelling him from the building and telling the solicitor to stop sending his feeble-minded relatives round under false pretences.
On the other hand, many defence monkeys are lovely and know their stuff – the best are even ex-Police – and these can be welcomed with open arms, as long as they bring biscuits or Golden Apple pies, pasties and vodka.
So that’s my tuppence-worth. Maybe a guide like this is better crowdsourced, so if you’ve got any suggestions, stick ’em in the comments.