--Judge Disallows Evidence Gathered From Laptop Six Months After SeizureThis is an interesting concept that I had not considered in the forensics arena. In the government space, the ACA that we work for has said that data we acquire is only valid for six months; after that, we would need to re-test a system up for accreditation. And I agree with that concept fully. Many times we will test a system, come back with data, analyze it, and write it up. We'll get questions up to a year later on what we wrote. And how valid are those questions? Many times, the system has changed so much that the initial report is almost invalid (sometimes it is - hopefully the system owners have made changes.)
(June 10 & 14, 2010)
A US federal judge has ruled that evidence gathered in June 2009 from a
laptop computer seized at a US border crossing in late January 2009 may
be suppressed. Andrew Hanson was randomly selected for secondary
baggage search in January 2009. Hanson is a US citizen who was
returning from South Korea to the US through San Francisco. An image
of child pornography justified seizure of his laptop; a subsequent scan
of the hard drive several weeks later turned up more evidence. However,
the laptop's contents were not viewed again until June 2009. The judge
allowed evidence discovered on the laptop in early February 2009 because
the search was conducted within a reasonable time frame. The judge
determined that evidence obtained during the June search, which was
conducted without a warrant, was inadmissible; a search so long after
the fact requires a warrant.
So, to see this in the forensics space is interesting. At what point does data become invalid. Certainly, an image of a system should be valid as a point-in-time snapshot for a long time; almost indefinitely.
Granted, given the circumstances around the original story, I think that there is more to it.