Kember.net

Hollywood-style policing causes computer evidence blunder

Posted 29 August 2007, 13:56, by Andrew.

From the BBC: When a laptop computer was seized from a terror suspect, evidence was tampered with and possibly destroyed because the laptop was turned on. Nobody typed $ delete_evidence.sh, they just switched it on.

You see, when a computer is switched on, it likes to tidy up after itself, check things, update things, move things around. Just the sort of things that a forensic analyst would be interested in.
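As an added illustration (not code from the original post): the kind of baseline-and-diff record an examiner would have had if the disk had been hashed before anyone pressed the power button. The "disk" here is a constructed temporary directory, and the four boot-time actions (log append, temp-file cleanup, runtime file creation, timestamp refresh) are simulated by hand to show the distinct kinds of change each one leaves.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file under root (relative path) to (mtime_ns, sha256)."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        manifest[path.relative_to(root).as_posix()] = (path.stat().st_mtime_ns, digest)
    return manifest

def diff_snapshots(before, after):
    """Classify differences: added, removed, changed content, or same content
    with a changed timestamp (a metadata-only 'touch')."""
    report = {"added": sorted(set(after) - set(before)),
              "removed": sorted(set(before) - set(after)),
              "modified": [], "touched": []}
    for name in sorted(set(before) & set(after)):
        (mtime_b, hash_b), (mtime_a, hash_a) = before[name], after[name]
        if hash_b != hash_a:
            report["modified"].append(name)
        elif mtime_b != mtime_a:
            report["touched"].append(name)
    return report

def simulated_boot_demo():
    """Constructed scenario: baseline a fake disk, mimic the housekeeping a
    booting OS performs, and return what the baseline would have caught."""
    disk = Path(tempfile.mkdtemp(prefix="evidence_"))
    try:
        for sub in ("var/log", "home/suspect", "tmp"):
            (disk / sub).mkdir(parents=True)
        (disk / "var/log/syslog").write_text("old boot entry\n")
        (disk / "home/suspect/notes.txt").write_text("unchanged user data\n")
        (disk / "tmp/cache.bin").write_bytes(b"\x00" * 16)
        baseline = snapshot(disk)
        with open(disk / "var/log/syslog", "a") as log:
            log.write("new boot entry\n")          # log appended: content changed
        (disk / "tmp/cache.bin").unlink()          # temp file cleaned up: removed
        (disk / "var/run.pid").write_text("42\n")  # runtime file created: added
        later = baseline["home/suspect/notes.txt"][0] + 10**9  # one second later
        os.utime(disk / "home/suspect/notes.txt", ns=(later, later))  # touched only
        return diff_snapshots(baseline, snapshot(disk))
    finally:
        shutil.rmtree(disk)
```

In practice the baseline is taken from a write-blocked image rather than the live filesystem; the point of the demo is only that a few ordinary boot-time actions produce four different kinds of change, none of which can be distinguished from the suspect's own activity once they have happened.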

This is one of those slip-ups that I see all the time on Midsomer Murders. If I’m alone, I’ll shout at the telly, but mostly I keep quiet – my family and friends already know never to play with evidence, and they’re unlikely to be in a position to try.

That a real-life police officer thought booting the laptop for a quick look was a good idea means that he or she lacks training or discipline. There are many people who don’t have the technical nous to understand why a running computer is less useful evidence than an untouched one, but that’s not necessary if they follow the rules.

Send ‘em back to Police School.

[Updated 31-08-2007] Bruce Schneier has now picked up on this.
