Kaseya Community

Porn and Acronis

  • We came across some files on a computer that was infected pretty badly at a client's office. We picked up the computer and found pictures and videos that were labeled with child-pornography-like names. We took an image of the machine with Acronis and wiped it. We let the business owner know about the situation. We talked to our attorney and he said that we should be ok as long as we told the business owner about it.

    How have others handled this situation?

    Is an Acronis image actually enforceable by law?

    Legacy Forum Name: Porn and Acronis,
    Legacy Posted By Username: bkelleher
  • Unless you are doing a raw image it's not an "exact" image of the drive like using DD or EnCase

    Not a lawyer or have been involved in E-discovery before but I am pretty sure there is a process they have to follow to show the image hasn't been tampered with as well.

    I would probably have acted the same in that situation, would have contacted the owner first before wiping it though (not sure if you did) so they could hand it over to the authorities and have someone with more pertinent tools take care of it.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: jeremyj
  • Unless you viewed some of those pictures, you can't be sure and alerting the client to this is the best thing.

    HOWEVER, if you are pretty sure to definite, you really should contact the local authorities... what if this guy is a pedophile? Do you have young kids? Can you risk doing nothing??

    My opinion anyway.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: boudj
  • I think I would have pulled the current hard drive so that it could be turned over to the proper authorities to investigate it.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: crhis.duensing
  • crhis.duensing
    I think I would have pulled the current hard drive so that it could be turned over to the proper authorities to investigate it.


    In a similar situation we imaged (for those just in case times) the drive then pulled and replaced it and notified the proper people...

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: thirteentwenty
  • There has to be a "chain of custody" for the drive or images to be used as evidence... (This is true in the US, I believe). This probably means that as soon as you see that there has been illegal activity, the drive must be preserved intact. Best bet would probably be to notify the local authorities and let them take the hard drive...

    Child porn is one of the few examples of images / material where merely possessing a copy is illegal.

    I would definitely notify the business owner, but in some areas you may be required to notify the local police.

    JMO.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: SamBelcher
  • SamBelcher
    There has to be a "chain of custody" for the drive or images to be used as evidence... (This is true in the US, I believe). This probably means that as soon as you see that there has been illegal activity, the drive must be preserved intact. Best bet would probably be to notify the local authorities and let them take the hard drive...

    Child porn is one of the few examples of images / material where merely possessing a copy is illegal.

    I would definitely notify the business owner, but in some areas you may be required to notify the local police.

    JMO.


    I'm no lawyer but I agree here, the hard drive intact is by far the BEST way to deal with this. You've got to have another drive to put in this system temporarily, right? As soon as you imaged and wiped the drive, the 'scene' was contaminated. That's what Grissom told me at least...

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: jwhitford
  • jwhitford
    I'm no lawyer but I agree here, the hard drive intact is by far the BEST way to deal with this. You've got to have another drive to put in this system temporarily right?


    Ditto. Replace the drive, lock up the old one, and notify who you need to. I would be relatively certain that the image is not going to meet the standards for admission as evidence (it should certainly be enough to get the employee terminated, though). I'm not sure what the legal requirements are for notifying law enforcement... As an MSP you're in a tough situation. On the one side, if you're sure the offending material came from this employee, it seems like morally the right thing to do is report it to law enforcement. However, you don't own the data on that PC (and in a lot of cases you probably don't even own the PC). What right do you have to remove data from the customer's network and hand it over to a third party without being subpoenaed to do so?

    A tough spot, certainly. I think you've done the right thing in notifying the customer (although as stated above, I would have preserved the original drive).

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: arobar
  • I have dealt with this situation with my local police. You should not remove the drive at all or tamper with it; the whole machine has to be bagged and sealed for evidence. Also, in England the original power cable must be attached when bagged, some kind of technicality with the way the law is here.

    The guy I caught got off with 7 years on the paedophile sex list, as he admitted to a lesser charge, after failing to attend crown court with a so-called mental illness.

    Warning! Be very careful about taking an image. Report it as you see it; you have a duty of care.

    Hope this helps, as I was seriously affected by the images I saw.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: FrankieBoy
  • FrankieBoy
    I have dealt with this situation with my local police. You should not remove the drive at all or tamper with it; the whole machine has to be bagged and sealed for evidence. Also, in England the original power cable must be attached when bagged, some kind of technicality with the way the law is here.


    FrankieBoy is right. I've been through a CHFI course (ethical hacking and computer forensics) a few years back. If you do anything with the drive itself and do not know wholly what you are doing, your credibility will be called into question. An Acronis image is not upheld in court because it is not an exact sector-by-sector copy of the drive. There are programs that will do this and only a few of those are recognized by law enforcement as being a "forensically sound" image.

    Bottom line: Unplug the PC, put some sort of tamper sticker or tape across the case line and power socket (like masking tape with your initials), and give it to your client. Better if you print out a release to have your client sign releasing you from all responsibility.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: CCDave