
Re: [linux_forensics] Helix/Vista Advice

  • Bob Kardell
    Message 1 of 11 , Dec 1, 2006
      Stevens,

      I don't see anything that could be interpreted as exculpatory. What part of Stuart's statement is exculpatory?

      Bob

      ----- Original Message ----
      From: Stevens R. Miller <smiller@...>
      To: linux_forensics@yahoogroups.com
      Sent: Tuesday, November 28, 2006 12:08:51 PM
      Subject: RE: [linux_forensics] Helix/Vista Advice

      Stuart,

      I sincerely hope you capture and convict the guilty party. As a criminal defense attorney, though, I have to wonder if there is anything akin to the "Brady" rule in your jurisdiction. Here in the United States, your message to this group might constitute an exculpatory declaration which could be used to question the credibility of evidence obtained from the memory of the system you describe. The prosecutor would (under the decision in Brady) be obligated to volunteer your posting to the defense (that's right, "volunteer," as in, "without anyone asking for it"). Of course, this being a public group, they could conceivably have it anyway, but your message isn't specific as to who the defendant is; in a "Brady" production, the prosecutor would identify the case and defendant when the material was turned over, and would have to identify the source of the material (thus preventing any claim that it wasn't you who posted it, which--assuming it really was you--I know you wouldn't dispute anyway).

      Does anything like "Brady" apply where you are?

      Best,

      Stevens

      > -----Original Message-----
      > From: linux_forensics@yahoogroups.com
      > [mailto:linux_forensics@yahoogroups.com]On Behalf Of Stuart Bird
      > Sent: Thursday, November 16, 2006 2:48 PM
      > To: linux_forensics@yahoogroups.com; linux_forensics@yahoogroups.com
      > Subject: [linux_forensics] Helix/Vista Advice
      >
      > Hi All
      >
      > I have been tasked to examine a computer which was found to be running at the scene of an att murder.
      >
      > The machine is running Windows Vista RC1 beta and has a Windows Live Messenger chat window open on the screen. The file system is NTFS.
      >
      > The content of the chat session is very relevant to the enquiry as it contains what amounts to a confession by the main suspect, so we need to image the memory before we remove the machine for standard forensic work. (We have photographed the screen etc. already.)
      >
      > I have tried this with both Helix V1.6 and 1.7 and got the same results each time.
      >
      > Basically the CD fires up okay and I am presented with the live tools menu.
      >
      > I had a check of the system data, which displays okay; I then added a sterile thumb drive which Vista recognised and loaded correctly.
      >
      > I selected \\.\Physical Memory from the dropdown, set the path to E:\ (my thumb drive) and named the image file memory.dd.
      >
      > I then hit the start acquisition button and... nothing. The system just sat there and did not open the usual shell.
      >
      > I repeated this process several times with the same result on each occasion. The log shows repeated attempts to start acquisition with no activity thereafter.
      >
      > I took the Helix discs back to the lab and tried again on a Vista RC1 beta test machine; the same thing happened.
      >
      > I then tested both discs on an XP Pro machine, having recreated the open chat scenario, and the discs performed as expected. I was then able to recover the content of the chat session from the imaged memory.
      >
      > So, the problem seems to be with Vista. I have no idea where to go from here but do need to get an image first thing tomorrow. Can anyone suggest why this won't work with Vista, or a work around, or have I done the best I can by photographing the screen and chat session content?
      >
      > Any help appreciated.
      >
      > Stu
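Stu's quoted question ends with recovering the chat content from the XP memory image, and the rest of the thread turns on being able to show later that the image was not altered. The following is an added example, not Helix's code nor anything from the original posts, of the two steps an examiner performs on a raw image once it exists: record its SHA-256 before doing anything else, then carve printable ASCII and UTF-16LE runs and filter them by keyword (Windows GUI applications keep their text in UTF-16, which is why an ASCII-only `strings` pass misses messenger windows). The "image" here is a constructed byte string standing in for memory.dd, and the keyword list is assumed for the demonstration; it does nothing about the Vista acquisition failure itself.

```python
import hashlib
import re
from typing import Iterator, List, Tuple

Hit = Tuple[int, str, str]   # (byte offset, encoding, decoded text)


def build_sample_image() -> bytes:
    """Constructed stand-in for a raw memory image such as Helix's memory.dd.

    NOT a real capture: 2 KiB of non-text filler, an ASCII fragment,
    more filler, a UTF-16LE chat fragment, then filler again.
    """
    filler = bytes(range(256)) * 8
    ascii_frag = b"MSNMSGR session log v1.0\x00"
    utf16_frag = "alice says: it was me, I did it".encode("utf-16-le")
    return filler + ascii_frag + filler[:512] + utf16_frag + filler


def image_digest(image: bytes) -> str:
    """SHA-256 of the image, recorded before any analysis touches it so a
    later examiner can show the bytes searched are the bytes acquired."""
    return hashlib.sha256(image).hexdigest()


def carve_strings(image: bytes, minlen: int = 8) -> Iterator[Hit]:
    """Yield every printable run of at least `minlen` characters, first as
    ASCII and then as UTF-16LE: the same idea as `strings` / `strings -el`."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % minlen)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % minlen)
    for m in ascii_re.finditer(image):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_re.finditer(image):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_keyword_hits(image: bytes, keywords: List[str], minlen: int = 8) -> List[Hit]:
    """Return carved strings containing any keyword (case-insensitive),
    sorted by offset so each hit can be traced back to the raw bytes."""
    kws = [k.lower() for k in keywords]
    hits = [h for h in carve_strings(image, minlen)
            if any(k in h[2].lower() for k in kws)]
    return sorted(hits)


def examine(image: bytes, keywords: List[str]) -> dict:
    """Hash first, then search; the order is what the examiner's notes record."""
    digest = image_digest(image)
    hits = find_keyword_hits(image, keywords)
    return {"sha256": digest, "size": len(image), "hits": hits}


if __name__ == "__main__":
    img = build_sample_image()
    report = examine(img, ["MSNMSGR", "did it"])   # assumed keywords for the demo
    print(f"image size {report['size']} bytes, sha256 {report['sha256']}")
    for off, enc, text in report["hits"]:
        print(f"0x{off:08x} {enc:8} {text}")
```

Filler bytes also produce long printable runs (the contiguous 0x20..0x7e range), which is realistic: raw `strings` output over a memory dump is mostly noise, and the keyword filter plus the recorded offset is what makes a hit usable in a report.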
    • Brett Shavers
      Message 2 of 11 , Dec 1, 2006
        Mr. Miller may have a good point. Handwritten notes taken during the course
        of a police investigation can be demanded in discovery as evidence. I have
        found that when I worked for my local law enforcement agency, this wasn't an
        issue typically as notes (the little notepads in the pocket...) were
        destroyed after transcribing the information to a formal report as a normal
        course of duty. When working in federal task forces however, every scrap of
        paper was deemed discoverable and included in my cases.

        I believe the issue here is: if asked on the stand,
        "Officer/Detective/Agent, are there any notes you have made concerning this
        investigation that have not been turned over to the defense?", a problem may
        arise if there have been any postings to that effect. I wouldn't feel the
        credibility will be lost when asking for advice on a technical or procedural
        issue as that occurs in every single investigation for every single person.
        We all have to look up something, ask somebody, or read something to
        reassure what we know or should know.

        But as Stevens points out, I also feel that if a generic, technical question
        is posed online (in a list such as this), without disclosing a relationship
        to ANY case, then I don't believe that post would constitute 'notes' to an
        investigation. But then again, I'm not a lawyer.

        Brett Shavers

        On 12/1/06, Bob Kardell <bobkardell@...> wrote:
        >
        > Stevens,
        >
        > I don't see anything that could be interpreted as exculpatory. What part
        > of Stuart's statement is exculpatory?
        >
        > Bob
        >
      • liusiguang
        Message 3 of 11 , Dec 6, 2006
          The handling of written notes is usually a procedural issue with the
          specific department. If they routinely destroy written notes after
          the report is finished then state this when asked for written notes.
          However, make sure the procedure is in writing rather than anecdotal.

          As for asking case-relevant questions, while this may be
          jurisdictional, LEO's routinely do this on listservs - as long as the
          case data is 'sanitized' so that it would not be associated with an
          ongoing investigation.

          ...and never apologize for not being a lawyer...^__^

          LSG

          --- In linux_forensics@yahoogroups.com, "Brett Shavers"
          <bshavers@...> wrote:
          >
          > Mr. Miller may have a good point. Handwritten notes taken during the course of a police investigation can be demanded in discovery as evidence. I have found that when I worked for my local law enforcement agency, this wasn't an issue typically as notes (the little notepads in the pocket...) were destroyed after transcribing the information to a formal report as a normal course of duty. When working in federal task forces however, every scrap of paper was deemed discoverable and included in my cases.
          >
          > I believe the issue here is: if asked on the stand, "Officer/Detective/Agent, are there any notes you have made concerning this investigation that have not been turned over to the defense?", a problem may arise if there have been any postings to that effect. I wouldn't feel the credibility will be lost when asking for advice on a technical or procedural issue as that occurs in every single investigation for every single person. We all have to look up something, ask somebody, or read something to reassure what we know or should know.
          >
          > But as Stevens points out, I also feel that if a generic, technical question is posed online (in a list such as this), without disclosing a relationship to ANY case, then I don't believe that post would constitute 'notes' to an investigation. But then again, I'm not a lawyer.
          >
          > Brett Shavers
        • Stevens R. Miller
          Message 4 of 11 , Dec 6, 2006
            I'm a wee-bit reluctant to answer this question, because doing so might give
            the appearance that I am questioning Stu's skills, which I have no reason to
            do. However, with that disclaimer issued up front, I would suggest that the
            defense attorney could use this posting to force an admission that Helix did
            not operate as Stu expected, which means it behaved while running on the
            live evidence machine in a way that Stu cannot fully explain. This could
            force a further admission that Stu doesn't fully know what Helix did while
            running, and that it therefore may have altered the evidence machine's
            memory. It's one thing to say that a tool you've tested is known by you to
            leave the evidence machine unchanged when it runs normally, but it would be
            a valid reason to question the credibility of any evidence obtained from a
            computer if it were the case that a software product run on that machine had
            behaved abnormally. Sure, Stu and the prosecutor might be able to show
            rehabilitative evidence that would cope with such a question, but that does
            not relieve the state of its Brady obligation to reveal the basis for the
            question to the defense.

            Now, if _no_ evidence from the computer was ever going to be put in by
            either side, then there is nothing exculpatory in the fact that the tool
            used in an attempt to gather evidence from it behaved abnormally. But,
            consider this: suppose the defense is granted access to the computer. If
            their analyst finds nothing that the defense wants to use as evidence, it
            might still be exculpatory for the defense to be able to argue that the
            contents of the machine were in some jeopardy _after_ the crime is alleged
            to have taken place and _before_ the defense analyst was allowed to inspect
            it, because evidence favorable to the defense may have been damaged. The
            judge might require the defense to proffer something regarding what the
            favorable evidence would have been, but the defense could say almost
            anything viable (and in all good faith), since the lost evidence could,
            itself, have shown other alteration due to problems with the tool (or for
            other reasons).

            In other words, it is always exculpatory if the state cannot show compliance
            with its duty to hold evidence secure from material change, and it is not
            for the state (under Brady) to decide that a departure from best practices
            is not material; it is a question for the court, so the fact of the
            departure must be revealed.

            Personally, I think this is only fair. If a misstep or glitch is harmless,
            it should be possible to convince a jury that it is harmless, and so the
            state is not at a disadvantage. And if it _isn't_ harmless, then the jury
            should be allowed to decide how much harm it caused. Note that, even if the
            glitch isn't harmless, conviction is still possible. The state, like the
            rest of us, must simply admit it when it isn't perfect.

            HTH,
            Ss


            > -----Original Message-----
            > From: linux_forensics@yahoogroups.com
            > [mailto:linux_forensics@yahoogroups.com]On Behalf Of Bob Kardell
            > Sent: Friday, December 01, 2006 9:39 PM
            > To: linux_forensics@yahoogroups.com
            > Subject: Re: [linux_forensics] Helix/Vista Advice
            >
            >
            > Stevens,
            >
            > I don't see anything that could be interpreted as exculpatory.
            > What part of Stuart's statement is exculpatory?
            >
            > Bob
          • Stevens R. Miller
            Message 5 of 11 , Dec 6, 2006
              Brett raises a related point, though not quite the one I tried to address.
              He's talking about disclosure obligations, which vary from state to state.
              In New York, for example, I believe both sides must give all their notes to
              each other at some point before trial.

              The Brady rule only applies to evidence that could, however slightly, help
              win acquittal for the defendant. So, if a note said something like, "Found
              a video of the defendant committing the crime in his My Documents file,"
              that would not be exculpatory and Brady would not apply. Statutory
              disclosure law would apply, but only because it was a note, not because it
              was exculpatory (which it wasn't).

              Note that, if the prosecution simply becomes aware of exculpatory evidence,
              Brady requires that it be turned over to the defense, regardless of whether
              or not it's in the form of a document. For example, I recall a case some
              years ago in New York, where it had happened that the prosecutor had
              interviewed a number of witnesses from the scene of the crime. One was a
              mildly deranged man who initially said he had seen the whole event, but it
              turned out that he was just babbling. But, during his interview with the
              prosecutor, he also said that he, himself, had committed the crime. Well,
              with all the rest of his babbling, and with the benefit of some other
              investigation, the prosecutor decided that this "confession" was purely the
              result of derangement. But, she never told the defense about it.
              Eventually, the defense did find out about it and asked the judge to
              order a Brady hearing to determine if the prosecutor had failed to divulge
              exculpatory evidence. I was present for that hearing (only as a spectator,
              though) and can tell you that the judge was as close as I've ever seen to
              suggesting that a prosecutor be disbarred. The fact that another person had
              confessed to the crime charged to the defendant is inherently exculpatory,
              and she should have told (by phone, e-mail, letter, whatever) the defense
              about it. Failing to do so was an extreme breach of the duty, however
              ridiculous this poor man's confession might be.

              Anyway, the point of that story is only to differentiate the disclosure duty
              Brett mentions, which applies by statute (in the jurisdictions I know about)
              to notes, from Brady material, which is exculpatory evidence in any form
              whatsoever.

              Stevens


              > -----Original Message-----
              > From: linux_forensics@yahoogroups.com
              > [mailto:linux_forensics@yahoogroups.com]On Behalf Of Brett Shavers
              > Sent: Friday, December 01, 2006 10:59 PM
              > To: linux_forensics@yahoogroups.com
              > Subject: Re: [linux_forensics] Helix/Vista Advice
              >
              > Mr. Miller may have a good point. Handwritten notes taken during the course of a police investigation can be demanded in discovery as evidence. I have found that when I worked for my local law enforcement agency, this wasn't an issue typically as notes (the little notepads in the pocket...) were destroyed after transcribing the information to a formal report as a normal course of duty. When working in federal task forces however, every scrap of paper was deemed discoverable and included in my cases.
              >
              > I believe the issue here is: if asked on the stand, "Officer/Detective/Agent, are there any notes you have made concerning this investigation that have not been turned over to the defense?", a problem may arise if there have been any postings to that effect. I wouldn't feel the credibility will be lost when asking for advice on a technical or procedural issue as that occurs in every single investigation for every single person. We all have to look up something, ask somebody, or read something to reassure what we know or should know.
              >
              > But as Stevens points out, I also feel that if a generic, technical question is posed online (in a list such as this), without disclosing a relationship to ANY case, then I don't believe that post would constitute 'notes' to an investigation. But then again, I'm not a lawyer.
              >
              > Brett Shavers
              >
              > On 12/1/06, Bob Kardell <bobkardell@...> wrote:
              > >
              > > Stevens,
              > >
              > > I don't see anything that could be interpreted as exculpatory. What part
              > > of Stuart's statement is exculpatory?
              > >
              > > Bob
              > >
              > > ----- Original Message ----
              > > From: Stevens R. Miller <smiller@...>
              > > To: linux_forensics@yahoogroups.com
              > > Sent: Tuesday, November 28, 2006 12:08:51 PM
              > > Subject: RE: [linux_forensics] Helix/Vista Advice
              > >
              > > Stuart,
              > >
              > > I sincerely hope you capture and convict the guilty party. As a criminal
              > > defense attorney, though, I have to wonder if there is anything akin to the
              > > "Brady" rule in your jurisdiction. Here in the United States, your message
              > > to this group might constitute an exculpatory declaration which could be
              > > used to question the credibility of evidence obtained from the memory of the
              > > system you describe. The prosecutor would (under the decision in Brady) be
              > > obligated to volunteer your posting to the defense (that's right,
              > > "volunteer," as in, "without anyone asking for it"). Of course, this being
              > > a public group, they could conceivably have it anyway, but your message
              > > isn't specific as to who the defendant is; in a "Brady" production, the
              > > prosecutor would identify the case and defendant when the material was
              > > turned over, and would have to identify the source of the material (thus
              > > preventing any claim that it wasn't you who posted it, which--assuming it
              > > really was you--I know you wouldn't dispute anyway).
              > >
              > > Does anything like "Brady" apply where you are?
              > >
              > > Best,
              > >
              > > Stevens
              > >
              > > > -----Original Message-----
              > > > From: linux_forensics@yahoogroups.com
              > > > [mailto:linux_forensics@yahoogroups.com]On Behalf Of Stuart Bird
              > > > Sent: Thursday, November 16, 2006 2:48 PM
              > > > To: linux_forensics@yahoogroups.com; linux_forensics@yahoogroups.com
              > > > Subject: [linux_forensics] Helix/Vista Advice
              > >
              > > >
              > > > Hi All
              > > >
              > > > I have been tasked to examine a computer which was found to be running at
              > > > the scene of an att murder.
              > > >
              > > > The machine is running Windows Vista RC1 beta and has a Windows Live
              > > > Messenger chat window open on the screen. The file system is NTFS.
              > > >
              > > > The content of the chat session is very relevant to the enquiry as it
              > > > contains what amounts to a confession by the main suspect, so we need to
              > > > image the memory before we remove the machine for standard forensic work.
              > > > (we have photographed the screen etc already).
              > > >
              > > > I have tried this with both Helix V1.6 and 1.7 and got the same results
              > > > each time.
              > > >
              > > > Basically the CD fires up okay and I am presented with the live tools menu.
              > > >
              > > > I had a check of the system data which displays okay, I then added a
              > > > sterile thumb drive which Vista recognised and loaded correctly.
              > > >
              > > > I selected \\.\Physical Memory from the dropdown, set the path to E:\ (my
              > > > thumb drive) and named the image file memory.dd.
              > > >
              > > > I then hit the start acquisition button and... nothing. The system just
              > > > sat there and did not open the usual shell.
              > > >
              > > > I repeated this process several times with the same result on each
              > > > occasion. The log shows repeated attempts to start acquisition with no
              > > > activity thereafter.
              > > >
              > > > I took the Helix discs back to the lab and tried again on a Vista RC1 beta
              > > > test machine, same thing happened.
              > > >
              > > > I then tested both discs on an XP Pro machine, having recreated the open
              > > > chat scenario, and the discs performed as expected. I was able to then
              > > > recover the content of the chat session from the imaged memory.
              > > >
              > > > So, the problem seems to be with Vista. I have no idea where to go from
              > > > here but do need to get an image first thing tomorrow, can anyone suggest
              > > > why this won't work with Vista, or a work around, or have I done the best
              > > > I can by photographing the screen and chat session content?
              > > >
              > > > Any help appreciated.
              > > >
              > > > Stu
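
The Helix acquisition Stuart describes started and then produced nothing, and he only learned that from the log. As an added example, not code from the thread or from Helix, the Python below sanity-checks a raw image such as the memory.dd he named, so a run that wrote nothing usable is caught at the scene rather than back in the lab; the file path, the 4096-byte page size and the expected RAM size are assumptions supplied by the caller.

```python
"""Sanity-check a raw memory image such as the memory.dd Helix's dd writes.

Added example, not code from the thread or from Helix. It asks the question the
poster was left with: did "start acquisition" write anything usable? Missing,
empty, unaligned, undersized or near-all-zero images are flagged, and a SHA-256
is recorded for the chain of custody. Path and RAM size are caller assumptions.
"""
import hashlib
import io
import os

PAGE_SIZE = 4096   # x86 page size; a real image is a whole number of pages
CHUNK = 1 << 20    # stream 1 MiB at a time so multi-GB images fit in memory


def check_memory_stream(stream, size, expected_ram_bytes=None, max_zero_ratio=0.95):
    """Scan an open binary stream of `size` bytes; return findings as a dict."""
    problems = []
    if size == 0:
        problems.append("image is empty: acquisition started but wrote nothing")
    if size % PAGE_SIZE:
        problems.append("size %d is not a multiple of %d bytes" % (size, PAGE_SIZE))
    if expected_ram_bytes is not None and size < expected_ram_bytes:
        problems.append("image is smaller than physical RAM (%d < %d bytes)"
                        % (size, expected_ram_bytes))
    digest, zero_bytes = hashlib.sha256(), 0
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        digest.update(chunk)
        zero_bytes += chunk.count(0)
    zero_ratio = zero_bytes / size if size else 1.0
    if size and zero_ratio > max_zero_ratio:
        problems.append("%.0f%% of the image is zero bytes; probably not real memory"
                        % (zero_ratio * 100))
    return {"ok": not problems, "size": size, "sha256": digest.hexdigest(),
            "zero_ratio": zero_ratio, "problems": problems}


def check_memory_bytes(data, **kwargs):
    """Check constructed in-memory data (handy for tests and small captures)."""
    return check_memory_stream(io.BytesIO(data), len(data), **kwargs)


def check_memory_image(path, **kwargs):
    """Check an image file on disk, e.g. E:\\memory.dd from the thread."""
    if not os.path.isfile(path):
        return {"ok": False, "size": 0, "sha256": None, "zero_ratio": 1.0,
                "problems": ["image file %s does not exist" % path]}
    with open(path, "rb") as fh:
        return check_memory_stream(fh, os.path.getsize(path), **kwargs)
```

Call `check_memory_image("E:\\memory.dd", expected_ram_bytes=<installed RAM>)` straight after the acquisition and record the returned `sha256` in the contemporaneous notes; an empty `problems` list means the file at least looks like a complete image.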