SANS Digital Forensics and Incident Response Blog

Did Las Vegas Police Fumble Critical Digital Forensics in High Profile Shooting Case?

While in a re-certification class at SANS Network Security, a local news story catches my attention. It's a coroner's inquest into the death of Erik Scott, who was shot here in July outside a Costco store by officers of the Las Vegas Metropolitan Police (LVMP) after a store employee spotted Scott's firearm, which he had a permit to carry.

There's limited time while we drink from the SANS fire hose to absorb the day's news events. But I picked up the following from an op-ed piece by Scott's father in the Las Vegas Sun. The dead man's family is harshly critical of the investigative process, and not without justification, if William Scott's account is accurate.

The elder Scott says the investigation has been entirely internal, conducted by LVMP. Scott is an aerospace journalist who notes that if an airline pilot has an accident that results in a fatality, the incident is not investigated by the airline involved. Instead, the National Transportation and Safety Board dispatches a team of experts to conduct a detailed examination.

What jumps out at a SANS-trained forensic analyst, of course, is Scott's description of how the store's surveillance video was handled. It was seized immediately after the shooting and viewed by "a few Metro officers," he writes, who "decided it was potentially 'unusable' because of a 'glitch', so the hard disks were rushed to a Los Angeles forensics lab."

Whatever was on the video, this treatment certainly begs a number of questions:

1. With high-profile cases (like, multiple LVMP officers shoot a citizen seven times at a big-box store), why is there not a procedure for digital evidence to be "bagged and tagged" and sent to the lab for analysis?

2. Who was the forensic expert that determined there was a glitch in the video, and how was the glitch determined outside of the lab?

3. What are the consequences in a civil proceeding if digital evidence is treated in a way that potentially spoils the information? There are potentially huge penalties for the party that spoils the information. Will the LVMP be held accountable for any damage to the data?

4. I talked to a source here in Las Vegas. This individual works in video surveillance for major Nevada Casinos. According to the source, 50% of Las Vegas casinos are running digital video recorders (DVR), rather than magnetic video tape. Does LVMP know that unlike tape, "playing" a DVR can alter or potentially spoil critical forensic data?

There is another story in The Las Vegas Sun about today's Clark County Coroner's Inquest on the shooting. There was testimony that Erik Scott may have been under the influence of prescription pain-killing medication, including "a high level of morphine and Hydrocodone." An eyewitness said Erik Smith appeared to be "dazed." This non-digital information may shed light on what happened the night of the shooting. But these issues do not lessen the importance of a review of the digital forensic procedures for law enforcement officers.

Final thoughts: While here at SANS Network Security in Las Vegas, I spoke with a retired law enforcement (LE) officer. He said he was a member of LE for nearly 20 years. He was shocked that LVMP did not "bag and tag" the evidence for a case with these circumstances. One of the instructors here at SANS made two comments. One, LE might not know that tape needs to be handled differently than DVR, due to digital forensic issues. And, two, at the very least, LE should change their procedures for handling digital forensic data to improve the public opinion of the department by the citizens of Southern Nevada.

Digital Forensics Case Leads for 20100415 was compiled by Ira Victor G7799 GCFA GPCI GSEC ISACA CGEIT. Ira Victor is an analyst with Data Clone Labs. He is also Co-Host of The CyberJungle, the nation's first live radio news talk show on security, privacy and the law, Saturdays 10a-12noon PT/ 1p-3p ET. Ira is President of Sierra-Nevada InfraGard, and a member of High Tech Crime International Association.

4 Comments

Posted October 17, 2010 at 1:14 AM

timbo

The only thing I can say is... DON'T BELIEVE WHAT YOU READ IN THE PAPER!!!
Their video system was broken and had not been in operation for 2 days before the police shooting.
AND another thing, we do have policies and procedures for handling this evidence and it is NOT based upon what citizens think, it is based upon industry standard and well established best practices.
Whoever wrote this should get their facts somewhere other than the newspaper.

Posted October 23, 2010 at 8:18 PM

timetofessupmetro

timbo-
We don't automatically believe what is in the paper. Intelligent minds can see a cover-up with their own eyes. Like watching the entire inquest... you know the one where Lierly testified that the cameras were out and he made the call on WEDNESDAY!!!! Just one of the many lies we caught. Though it may have been ruled as "justified" in the kangaroo court called an inquest, I believe both Costco and Metro will pay dearly in the civil trial. This is strictly based on what my own eyes caught in the inquest.
One other thought, handling the evidence... Does that include leaving it at the scene? Funny, that's not what the honest cops I know say should happen. Never Ever Ever!!!

Posted October 23, 2010 at 8:42 PM

timetofessupmetro

Timbo
"AND another thing, we do have policies and procedures for handling this evidence and it is NOT based upon what citizens think, it is based upon industry standard and well established best practices.
Whoever wrote this should get their facts somewhere other than the newspaper."
You are saying that industry standard for handling evidence is... leave the shit at the scene unguarded for two days, then have the lying SOB who caused a man's death, drive this evidence somewhere for repair? To me this should be investigated deeper, and not by Metro.
This in itself should be criminal. Ever hear of tampering with evidence?
A man's life was taken that day. I will never believe this was deserved. And between Metro and Costco, both of whom will pay dearly for Erik's life being taken, they have made sure that no one will ever see his final moments. Only thing is, with all the lies told in court, that can be proven were lies, they might have destroyed some evidence, but that won't save their ass in court!!

Posted October 24, 2010 at 4:53 AM

Big Mamma

@timbo Nice of you to expose another concern we all have with LVMP - none of you know what other police forces' policies and procedures are. You guys continually show how inept and untrained you are. You're telling me that, unlike every other agency in the country (including LAPD), that securing video evidence at the crime scene, especially when it's an officer involved shooting, is NOT normal procedure? Are you saying that you would leave evidence at the scene, unsecured, for two days... and that's normal? Wow, you give me a lot of confidence in LVMP.