I mean there is a certain elegant logic to the best way to perfectly secure an operating computer on the internet to preserve the evidence in pristene form. Quite simply:
Kill the Surfer and Pull the Plug!
Anything short of that will not guarantee that you get the machine in the same condition it was just prior to shutdown. There is a chance you might lose some information in open documents when you pull the plug, but you still preserve the entire history of the mahine.
If you let the surfer shut it down, there may be programming to damage stored files and make data recovery more time consuming and expensive but definately not impossible.
At the time, a computer is taken as evidence, it should be identified and tagged in and no one allowed to turn it on. The only thing done to it should be to make a mirror image of the hard drive and then all examinations are done on the mirror hard drive. This way there is no chance that the drive will be altered or damaged by anyone in the evidence chain.
Certainly the dumbest thing to do would be to give it to an untrained amature detective at PC Paridise, have them connect to the internet and surf with Internet Explorer so that the weekly history file is created with a date when it was not in the owners possession. However, since the Techie using your machine is not outside the reasonable expectation of privacy, it doesn’t violate the Bush court rulings.
The actual technique used to shut down the machine was probably malware which effected the video driver over the weekend. If the owner had taken the machine in on Monday, the weekly index.dat file wouldn’t have jumped out as being an error. However, he took it to be fixed on Tuesday and the Techie never got around to it until late Wednesday afternoon, so the weekly index.dat file turned out to be a very obvious nine day week at a time the Techie was playing with it.
In terms of a chain of evidence this one is exceptionally week and I always thought more highly of FBI shutdown trechniques. In the case of the shutdown of Kevin Mitnick, it’s been alleged that he was given malware which forced his motherboard to overheat and they were waiting for him at the repair shop to connect him to the machine. Quite simply the techie couldn’t turn the machine on and surf the web therefore potentially corrupting the evidence because the machine was inoperable. Mitnick was a target of a specific investigation and this trick forced him to give up his machine to people who were waiting for him.
In the current case, Charles Stefano was one of millions of people with a machine infected with malware and under Operation Preditor, the Computer Repair shops had been asked to turn in everyone they saw. So they weren’t waiting for Stefano, they were waiting for any computerate illeterate person begging for help.
I still believe that the chain of evidence should have been far more secure to have indesputiable proof he did anything.