From Phoenix 31TT - "How is this different from downloading the information?... Creating a disk image is essentially a "pulling" of data with no data being "pushed"... Downloading logs from a computer should be different right?"
Sorry - wish I knew, I'm on shaky ground here as I am not an expert on computer forensics, I know enough to be dangerous - so I leave well alone.
OK, I am an expert when it comes to such things, or so I am told - have been diving so not monitoring this thread much.
Phil again has it exactly right (all of this is from a Canadian Legal perspective which is similar but not exactly the same as US law, and closer to Aus law I believe)
The expertise that I bring to court is that when I open up a computer I can testify that, to the best of my knowledge and expertise, the data from the moment I got the device until I extract the data has not changed. Or, if there is a chance that it has changed, that it has changed in the following manner - then I describe what has changed for that particular device and why, and how it has no impact on the evidence in question.
For a dive computer I would take the device and then do some research - probably end up calling the manufacturer, the person/company that actually made/designed the hardware and software, and have a conversation, possibly even get an identical device to test. That conversation and testing would allow me to know what exactly changes when the device is turned on, what changes happen as you move through menus, and what changes happen on a download. I would also want to know how the raw data was stored and what, if any, errors are being introduced by the software used to download and display the raw data. None of this would happen in this particular case, but if the stakes were high enough and the investigator thought there was relevant data on the device, someone like me would be brought in to answer those questions.
The reality is that I doubt very much that evidence would be lost/changed by turning the device on or downloading the data - but I don't know for sure so could not testify that it was unchanged, and without that testimony the courts will not accept data from a computer because they know how easy it is to falsify such data or get bad data.
For a regular computer, I don't turn it on. I have hardware that was designed to attach to a disk drive and is guaranteed not to write to (change) the drive - and that guarantee has been reviewed by several courts in different countries. Without such a device you have to rely on a computer not writing data to the drive when it is turned on. Not as simple as it sounds, it can be done but not for non-propeller heads and courts frown on these methods unless there is no alternative.
Once I have the drive attached I copy it at the bit level to create a drive image (and a hash code to verify the image does not get altered in the future) and then I create a working copy of the drive from the image (if someone else wants to look at the data - I don't need the working copy, as I can look at the image as if it was a drive). Then I seal the drive back up in the evidence bag, sign it and hand it back to the investigator. Then whoever wants to can look at the working copy for the evidence they are looking for. If they or I find something I can go back to the image to ensure we are dealing with unchanged data. This is the simple version; there are lots of gotchas and issues - running computers are an interesting issue - the normal shutdown procedure changes and destroys evidence. Pulling the plug does a different thing, and also destroys evidence. Leaving them running and getting a copy destroys evidence. Choose one. I get to testify re what got lost/changed.
Don't do this any more, but it was fun.
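The imaging workflow the post above describes (bit-level copy, a hash taken at acquisition, a working copy for examiners, and later re-verification of the master image), as an added Python example that is not from the original post or its author. It runs against an ordinary file standing in for a drive; the hardware write blocker the post relies on is outside what software alone can provide.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20  # 1 MiB blocks, so a full drive never has to fit in memory

def sha256_file(path):
    # Stream the whole file through SHA-256 and return the hex digest.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def image_device(device, image):
    # Bit-for-bit copy of the device into an image file. The source is opened
    # read-only; on real evidence a hardware write blocker still sits in front of it.
    h, total = hashlib.sha256(), 0
    with open(device, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
            total += len(block)
    # Re-read the image independently: the hash of what was read from the device and
    # the hash of the file on disk must agree before the drive is sealed back up.
    if sha256_file(image) != h.hexdigest():
        raise RuntimeError("image does not match what was read from the device")
    with open(image + ".sha256", "w") as f:  # acquisition hash recorded beside the image
        f.write(h.hexdigest() + "\n")
    return {"bytes": total, "sha256": h.hexdigest()}

def image_unchanged(image):
    # True if the image still matches the hash recorded at acquisition time.
    with open(image + ".sha256") as f:
        return sha256_file(image) == f.read().strip()

def demo():
    # Constructed walk-through on a fake "drive" of random bytes (not a real device).
    with tempfile.TemporaryDirectory() as d:
        dev, img, work = (os.path.join(d, n) for n in ("drive.bin", "drive.dd", "work.dd"))
        with open(dev, "wb") as f:
            f.write(os.urandom(2 * CHUNK + 4321))
        rec = image_device(dev, img)
        shutil.copyfile(img, work)  # examiners get a working copy, never the master image
        with open(work, "r+b") as f:  # an examiner's tool then alters that copy
            f.seek(64)
            f.write(b"\x00" * 8)
        return {"bytes": rec["bytes"], "image_unchanged": image_unchanged(img),
                "copy_still_matches": sha256_file(work) == rec["sha256"]}
```

`demo()` shows the point of the recorded hash: the altered working copy no longer matches, while the master image still verifies against the value taken at acquisition.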