Questions are being raised in law enforcement and computer forensics circles about the manner in which the Australian Federal Police appeared to handle the Melbourne dawn raid that appeared on ABC's Four Corners program last week.
On Monday 17 August, the ABC's Four Corners show broadcast a pre-dawn raid on a Melbourne house in which several computers and other digital storage devices were seized, saying the raid had taken place five days beforehand. Police said the resident had been seeking credit card details and to purchase an illicit botnet online. However, last week the AFP said no arrests had yet been made. The raid was led by the AFP but included assistance from the Victoria Police.
The AFP officers who appeared in the raid wore rubber gloves, presumably to avoid leaving fingerprints. They appeared to access the suspect's computers and enter search queries, before carefully taping up the devices in envelopes and questioning the suspect.
During the episode, an officer was shown typing in the search term "password" on one of the laptops. The officer handling the computer said to another: "That's gold — opened up 'saved passwords'. I have got a huge list here."
But according to two computer forensics professionals, the evidence-collection practices portrayed in the episode were highly unusual. Allan Watts, head of e-forensics at Australian computer forensic services firm <e.law>, said typing search terms into a computer intended as evidence would certainly ruin its value.
"If you start a computer up or start typing and looking at files, you're actually corrupting that evidence," he told ZDNet.com.au. "It's no different to a homicide scene, walking through with muddy gumboots, seeing a knife, picking it up and leaving your fingerprints all over it. That's why we never start up a computer if it's off. That modifies about 400 files. Once that's done you have got the question: what did you do and what did they do? Also, you could have modified data before it was cloned."
If the officers were following textbook instructions on how to collect computer evidence, they would have removed the hard drives first. "You then install a write-protection device that prohibits the drive from being written to. Then, using EnCase or FTK Imager, you forensically clone the entire hard disk drive," said Watts.
Jason Plumridge, a risk services manager for Certitude Technology Risk Services and a former computer forensics officer within the NSW Police force, agreed with Watts but explained that how you approached the device would depend on whether the device was found in an "on" or "off" state.
"If it's turned off, leave it off. And then take the hard drive out and acquire the information in a forensically sound manner," said Plumridge. "If it's on, you should first record what's on the screen by way of video. But then you choose whether you shut it down because when you shut it down you could lose RAM. If it's an ongoing hacking, you might want to capture what's coming into the machine."
There are, however, situations where it may be better to tamper with an active device, according to Plumridge.
"I probably wouldn't choose to type anything on a PC unless you can see, for example, PGP [encryption] running in the background," he said. "And you know that when you turn off the machine, you lose the whole lot. In that instance I then would start running search terms, and copying files out knowing that I'm changing dates and times, but in that case you don't have any other option ... unless you had the encryption key."
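As an added illustration (not from the article, the AFP or either expert), the Python sketch below shows the write-block-then-image step Watts and Plumridge describe: the drive is read once, hashed as it is copied, and the image is re-hashed to prove it is a bit-for-bit copy, after which touching the original shows why the hash record is what makes any later question of "what did you do and what did they do?" answerable. It assumes a constructed sample file standing in for a write-blocked disk; the function and file names are mine.

```python
"""Forensic acquisition sketch (added example, not from the article): stream a
drive into an image file, hashing as we go, then re-hash the image to prove it
is a bit-for-bit copy. The source is a constructed sample file standing in for
a write-blocked disk; function and file names are assumptions."""
import hashlib
import os
import tempfile

BLOCK = 1 << 16  # read 64 KiB per call, like dd bs=64k


def acquire_image(source, image, block=BLOCK):
    """Copy source -> image; return byte count and hashes of the source stream.
    The source is opened read-only; on a real seizure a hardware write blocker
    sits between drive and workstation so nothing here can alter the original."""
    md5, sha, size = hashlib.md5(), hashlib.sha256(), 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(block), b""):
            md5.update(chunk)
            sha.update(chunk)
            dst.write(chunk)
            size += len(chunk)
    return {"bytes": size, "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def hash_file(path, block=BLOCK):
    """Independent SHA-256 of a file, used to verify the image after copying."""
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block), b""):
            sha.update(chunk)
    return sha.hexdigest()


def acquire_and_verify(source, image):
    """Image the source, re-hash the copy and record whether they match."""
    record = acquire_image(source, image)
    record["verified"] = hash_file(image) == record["sha256"]
    return record


def demo():
    """Constructed 1 MiB pseudo-drive: image it, then touch the original the way
    booting or typing search terms would, and show the hash no longer matches."""
    workdir = tempfile.mkdtemp()
    drive = os.path.join(workdir, "suspect_drive.bin")
    image = os.path.join(workdir, "suspect_drive.dd")
    with open(drive, "wb") as fh:
        fh.write(os.urandom(1 << 20))
    record = acquire_and_verify(drive, image)
    with open(drive, "r+b") as fh:
        fh.write(b"modified")  # the "muddy gumboots" moment
    return record["verified"], hash_file(drive) == record["sha256"]
```

Running `demo()` returns `(True, False)`: the image verifies against the acquisition record, while the original, once written to, no longer does.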
It remains unclear whether the AFP-supplied footage was of the actual raid and search or file footage of a previous raid. ZDNet.com.au is awaiting a response from the AFP media department over the footage.