Friday, November 03, 2006

Real Life Imaging

Disk imaging is one of those details of our jobs we find it all too easy to take for granted. Imaging in the lab takes on the whole feeling of being a robot. Only the necessity of taking detailed notes in the case notebook keeps me from making those mistakes of familiarity.

But in the field it can be really different, as I found out AGAIN this week. It seemed a simple job: I had been contracted to go to a small town about 45 miles away, image 9 drives, and then perform analysis on them back in the shop.

After meeting with the attorney and going over the discoveries and interrogatories, we thought we had a good idea of what was involved. The age of the computers in the answers, and the fact they said nothing had been repaired or upgraded since 2003, gave us an indication of drives in the 40-80GB range. So I headed off with my field acquisition kit and a box full of 80GB HDs. As always, I threw in a couple of 160s "just in case".

Oh woe is me. The defendants didn't quite disclose the whole truth (maybe not any truth), and I found 12 computers with fairly new drives in the 100-160GB range. Not only that, but a couple of the cases were locked, and of course no one knew where the keys were.

To make things even better, on the first day, even though we had an order from a Federal Judge to enter and acquire evidence, the employees on site called the local cops and had us removed from the property. The attorney had to contact the Judge and get us back in the next day under court auspices.

In short, there is no such thing as a routine day in on-site imaging. In the next few days I will discuss how we overcame the lack of information and how we achieved the imaging goal.

Since this blog is going to be aimed at the practical side of forensics, I'm going to try and cover real-life scenarios and situations we face in the real world every day.