I hadn’t been the lab chief in Stuttgart for very long and I was still learning about the team members who were now under my tutelage. One of the younger guys on the team really wanted to impress and was always looking for things to do and ways to show his skills. For this story let’s call him Stanley. (Definitely not his real name.)

We had gotten in a hard drive that needed to be investigated for malware and Stanley was eager to run a case from start to finish. I agreed to let him.  In hindsight, maybe I should have asked him a few more questions before turning him loose.

One of the very first things you do is make a forensic copy of the drive. Put the original in the safe and work on the copy. You do this with a device known as a write blocker, which sits between the evidence drive and the imaging workstation. Basically it is a one-way interface: you can read the original but can’t write to it in any way, thereby protecting the evidence on the drive.

The write blocker’s ports are marked Original and Copy. Not something I thought was a difficult concept. I was wrong.

Stanley connected the drives in reverse order and fired up the copy. What happened next was pretty bad in the world of forensics. He copied a totally blank drive on top of the original drive. Yep, he basically erased the evidence.

After putting the original drive in an evidence bag and placing that in the safe, he connected the copy to his workstation and started the search for malware. After a few minutes he eased over to one of the other analysts and whispered a request for help. He couldn’t find anything and things didn’t look right. The other analyst rolled over to his workstation and had a look, then told Stanley that he must have accidentally connected a blank drive, not realizing what had actually happened.

After a while longer Stanley finally came to me and asked for a second set of eyes. I went over and frankly scratched my head for a moment trying to divine what he had done. When all else fails, start over. So he and I got the original out of the safe and went through the process of making the forensic copy again. “Maybe the blocker broke.” So we used a different blocker.

When the program came up to make a copy, it noted that the original was blank. That is when you stop everything and triple check things to make sure you don’t have a much larger problem. I went back and checked the system logs, and there I found the warning message he had simply clicked through: “Are you sure you want to copy a blank drive?”
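The check that the imaging program was doing, and the verification step that should follow every copy, as an added example. This is not code from the original post or from any particular imaging tool; it uses a constructed in-memory byte string in place of a device opened read-only through a write blocker, refuses to proceed when the source looks blank, and hashes the source so the copy can be verified against it.

```python
"""Pre-imaging sanity check and post-copy verification for a forensic source.

Added example, not part of the original post or any real imaging tool.
The "drives" below are constructed io.BytesIO objects standing in for block
devices; in practice the source would be a device node exposed read-only by
the write blocker.
"""
import hashlib
import io

SECTOR = 512


def is_blank(source, sample_sectors=64, sector_size=SECTOR):
    """Return True if the first `sample_sectors` sectors are all zero bytes.

    An all-zero source is the signature of a wiped or wrong drive; stop and
    triple check the cabling before copying anything.
    """
    source.seek(0)
    data = source.read(sample_sectors * sector_size)
    if not data:
        return True  # zero-length source: nothing to image
    return data.count(0) == len(data)


def hash_source(source, chunk_size=1 << 20):
    """SHA-256 over the whole source, read sequentially in chunks."""
    h = hashlib.sha256()
    source.seek(0)
    for chunk in iter(lambda: source.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def preflight(source):
    """Checks an imaging tool should run before the copy starts.

    Returns (ok, source_hash); ok is False and the hash None if the source
    looks blank.
    """
    if is_blank(source):
        return False, None
    return True, hash_source(source)


def image(source, destination):
    """Copy source to destination after preflight, then verify by hash.

    Raises RuntimeError if the source looks blank or the copy's hash differs
    from the source's hash. Returns the verified hash.
    """
    ok, src_hash = preflight(source)
    if not ok:
        raise RuntimeError("source appears blank; check write-blocker orientation")
    source.seek(0)
    destination.seek(0)
    for chunk in iter(lambda: source.read(1 << 20), b""):
        destination.write(chunk)
    destination.flush()
    if hash_source(destination) != src_hash:
        raise RuntimeError("copy hash does not match source hash")
    return src_hash


# Constructed sample data (not real evidence): a blank drive, and a drive
# whose first sector looks like a boot sector ending in the 0x55AA signature.
BLANK_DRIVE = io.BytesIO(bytes(SECTOR * 128))
REAL_DRIVE = io.BytesIO(
    b"\xeb\x63\x90" + bytes(507) + b"\x55\xaa" + bytes(SECTOR * 127)
)

if __name__ == "__main__":
    print("blank drive blank?", is_blank(BLANK_DRIVE))
    print("real drive blank?", is_blank(REAL_DRIVE))
    copy = io.BytesIO()
    print("verified copy hash:", image(REAL_DRIVE, copy))
```

The blank check only samples the leading sectors, which is what catches a reversed write blocker quickly; the hash comparison after the copy is what proves the image is a faithful duplicate of the original, and it is the value you record in the case notes.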

As if he didn’t feel bad enough about all this once we figured it out, having to go tell the Sergeant who brought us the drive what happened, and that we would not be able to help, really put the cherry on top. I do think that Sergeants go through a special school for yelling and making a person feel about one inch tall.

Stanley didn’t offer to help with anything for a while and kind of kept to himself. I let him wallow in self-pity for a while and then pulled him out of it and started to teach him, which he really liked. He became a very good investigator over the next year, and as his skills grew so did his confidence. He is now a lead investigator for one of the big forensic labs in Virginia.

There is a great saying “Good decisions come from experience. Experience comes from making bad decisions.” ~ Mark Twain
