Working for a Private Investigator

labon210

Within the past weeks I've been contacted by a private investigator. I haven't worked for him yet but he wants me to search computers for possible use of child porn, or other incriminating evidence.

I can easily get into the hard drive via ophcrack or simply slaving the drive. What I want to know is what should I look out for and are there helpful programs that I should use?

I'm really excited about this and look forward to your insight.

Thanks
 
I can easily get into the hard drive via ophcrack or simply slaving the drive. What I want to know is what should I look out for and are there helpful programs that I should use?

This is the WORST thing you can do as a forensic investigator. The VERY FIRST THING that a forensic investigator will do is clone the drive using a hardware disk imager such as DeepSpar Disk Imager or Atola Insight and a hardware write blocker (or both in one). Booting the drive in the manner you say will alter drive information (it may overwrite sectors for example) and the 'bad person' could easily make a file that deletes all files if the computer isn't used in a specific way. If you did boot the drive your way, none of the evidence you collected would be reliable because you could've added it yourself.

The most renowned and respected forensics software is 'Encase', and is the main program that will stand up in court. Other popular software includes FTK (Forensic ToolKit) and X-Ways Forensic, but all these programs are very expensive. You'll also need data recovery software (eg, GetDataBack) and password cracking (word files/zip files, etc) such as Passware Forensic Edition. Even then you'll have to deal with things such as steganography or encrypted containers such as a TrueCrypt volume.

From the impression I've gotten, I'd say you're not ready to go into this type of forensic investigation. I'd recommend looking around www.myharddrivedied.com and watching Scott Moulton's videos.
 
This is solid info. Thanks for the heads up on what I may be getting into, and I'll check out Scott Moulton's videos.

iisjam07, can you explain how slaving the drive could alter the files/sectors on the hard drive?

(And yes the first thing I would do would be to clone the drive and work from the cloned drive.)
 
iisjam07, can you explain how slaving the drive could alter the files/sectors on the hard drive?

Windows creates Recycle Bin and System Volume Information folders on the devices. AVG creates a quarantine folder. There are plenty of things that automagically write themselves to drives when they shouldn't.
 
Well, turning on a machine is going to read and write to sectors on the hard disk, which could overwrite information that has previously been deleted. E.g., if the computer is halfway through a service pack update and you booted from the host drive, whilst the rest of that update is taking place it's going to replace and add new files which will write to sectors. As an investigator you will rarely, if ever, need to boot into the client's OS, and it's much safer not to do so.
 
What about Back Track 4 in forensics mode? That claims not to alter the state of any files or drive sectors, and also includes everything you might need to crack files and recover deleted files.
 
So iisjam07, what you're saying then is that it is impossible to view the files of a hard drive and save the integrity of the drive (other than the person who knows the username/password to start the OS). This cannot be correct. Or then I don't understand what you're saying.

One more question: Is the data unchanged (safe) when using a boot CD like Back Track 4 (thanks ScottM)?
 
Honestly, for it to stand up in court, you need to be a Certified Forensic Examiner, and you absolutely need to use a write blocker when working with the hard drive. Even then the first thing you would do is a bit-level image of the drive to two other drives, and lock the original and one of the copies up. Then you work with the other copy.

I took intro to computer forensics in college. My professor was a retired federal agent and an expert computer forensics witness; he also happened to have written the textbook for the class.
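The workflow described in this post and in iisjam07's earlier reply (image first, hash, work only on a copy) can be shown concretely. The following is an added example, not code from the thread or from any of the tools named in it: it builds a constructed 1 MiB stand-in for a suspect drive, acquires two bit-for-bit copies while hashing the bytes as they are read, verifies that both copies and the untouched original share one SHA-256, and then shows that a single byte written to the working copy (what booting it into an OS would do) is caught by re-hashing while the archived copy and original remain verifiable. File names and sizes are assumptions for the demo.

```python
import hashlib
import os
import tempfile

CHUNK = 4096  # sector-sized reads, like a block-level imager


def acquire_image(source_path, dest_path):
    """Bit-for-bit copy of source_path into dest_path.

    The SHA-256 is computed over the bytes as they are read, so the
    acquisition hash describes exactly what was written to the image.
    """
    h = hashlib.sha256()
    with open(source_path, "rb") as src, open(dest_path, "wb") as dst:
        while True:
            chunk = src.read(CHUNK)
            if not chunk:
                break
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()


def sha256_of(path):
    """Post-acquisition verification hash of any file on disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_copies(original_hash, *copy_paths):
    """True only if every copy still hashes to the original's hash."""
    return all(sha256_of(p) == original_hash for p in copy_paths)


def build_constructed_drive(path):
    """Constructed stand-in for a suspect drive: 1 MiB with a marker string."""
    data = bytearray(1024 * 1024)
    data[4096:4096 + 32] = b"constructed sample file contents".ljust(32)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    work = tempfile.mkdtemp()
    src = os.path.join(work, "suspect.img")  # assumed name for the "original"
    build_constructed_drive(src)

    # 1. Hash the original before anything else touches it.
    orig_hash = sha256_of(src)

    # 2. Two bit-level images: one to archive, one to work on.
    copy1 = os.path.join(work, "archive.dd")
    copy2 = os.path.join(work, "working.dd")
    h1 = acquire_image(src, copy1)
    h2 = acquire_image(src, copy2)
    acquisition_ok = (h1 == h2 == orig_hash) and verify_copies(orig_hash, copy1, copy2)

    # 3. Simulate the working copy being written to (as a booted OS would).
    with open(copy2, "r+b") as f:
        f.seek(8192)
        f.write(b"x")
    tamper_detected = not verify_copies(orig_hash, copy2)

    # 4. The locked-up original and archive copy must still verify.
    archived_copy_clean = verify_copies(orig_hash, copy1) and sha256_of(src) == orig_hash

    return {
        "acquisition_ok": acquisition_ok,
        "tamper_detected": tamper_detected,
        "archived_copy_clean": archived_copy_clean,
    }


if __name__ == "__main__":
    print(demo())
```

The point of hashing during acquisition rather than only afterwards is that the acquisition hash, the original's hash and each copy's later verification hash form a chain: if any of them ever disagree, you know which step altered the bytes, which is exactly the question a defense lawyer will ask.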
 
Why is a private investigator looking into child porn? That's something to be handled by the real police. I'd be suspicious of the situation.
 
Why is a private investigator looking into child porn? That's something to be handled by the real police. I'd be suspicious of the situation.

+1 This seems very sketchy. I wouldn't even consider doing the work. Recommend him to the local police if this is what he is looking for.
 
+1 This seems very sketchy. I wouldn't even consider doing the work. Recommend him to the local police if this is what he is looking for.

Bingo.

First off, I know you aren't implying that you want to see child porn...I am NOT accusing you of that. But I'd be careful saying that you are excited about the task. For me, there could be nothing worse than child porn that I could find on a computer. I hope my eyes never have to see it.

As a couple of others have said, this is weird. Child porn isn't something that a private investigator looks for. This is something the police look for. Also, if YOU find child porn, I believe you have the duty to go to the police ASAP, even if you are working for someone else who says they are going to handle it. You aren't dealing with the cops, you are dealing with a private individual.

I am not bashing you or anything of the sort. I'm just saying, be careful; this all sounds really weird.
 
Thank you for the warning Appleby, I need to speak with the PI to ask him about some concerns.

Maybe I made the job sound more devious than it may be. It may also be spouses checking up on each other. I really have no idea.

Thank you all for your insight.
 
If you were in Texas you would be fined the moment the investigator brought up your name.

Check with a lawyer about state laws and other requirements you may have to meet, and if nothing else ask him what the requirements are for evidence handling in your state, because that is what you are doing, and any chance of saying you mishandled it will be exploited by the defense to the fullest possible scenario, including dragging your company through the mud in a public forum.
 
If I remember correctly, I think there's a class you can take and get a certificate in computer forensics or something along those lines. I came across this a couple of years ago when I was working for a large county. A new investigator for the district attorney had asked one of the techs to recover some stuff off a computer that they had recently seized from one of the outstanding citizens in the county. Long story short, I caught wind of it and told him to stop and speak to our managers about it first. Turns out there would've been tons of legal B.S., and the data recovered probably wouldn't have been used in court because he had no official training in the matter.

just my .02
 