As the poster on 4chan concludes, you may not want to speak to the police about such things. However, not doing so could potentially result in accusations of knowing but not reporting a crime, or worse - destruction of evidence. I suspect there's no winning here, sadly :(
What follows is my initial thoughts off the top of my head as to how I might attempt to mitigate any accusations. This is not legal advice.
Firstly, if it looks to have been deliberately concealed, contact your building's security and/or the police (non-emergency). Don't touch it yourself at all. I cannot stress this enough. When contacting the police, ask them for instructions on what you should do, and get a name. If you can't stay at the scene until someone arrives, just tell them as much. You should be given a reference number and can update them if you need to be relieved by someone.
Odds are, an unknown concealed item that is not likely to be an explosive or drugs is probably of little interest to your typical cop, and (sadly?) they will never get around to looking at it.
There might be some legitimate reasons to investigate further, for example with respect to an organisation's security. If you are in a large organisation, escalate the matter upwards and touch nothing, no matter how tempting. For many good reasons, security/fraud investigations often are on a strict need-to-know basis. Get the appropriate person to contact the police and take their guidance.
Let's assume for the purpose of this post that you are the right person, and there is no existing investigation which this may relate to. Your natural curiosity should be ignored, however, unless you have a genuine concern of data exfiltration or other potentially malicious activities.
But who am I kidding, of course you do, most organisations do! Now you need to make sure you can preserve as much evidence as possible, perform a detailed investigation, but all the time protect yourself from both legal and technical risks. What follows assumes high risk. Use your own judgement on the risks involved and if the steps below mitigate them adequately (they are probably over the top, this is not a bad thing). Assume that before and after each of these there is a "Listen to the police and/or your legal team".
1. Photograph in situ first, ideally with some means to date the photograph. If possible, get a second person involved. If the area is covered by CCTV, get the footage pulled for cross-referencing. Photographs are useful for the higher resolution details.
1a. Record everything on video.
2. Speaking of CCTV, you'll want to get someone to look at the tapes. This is left as an exercise for the reader, especially the bit about making it not soul-destroying manual observation. This point also covers all the non-technical but essential things like "who had access to this area", "do we stock that type of device", etc. Never forget that the old-fashioned non-technical questions can often give the best answers.
2. Use gloves and carefully remove the device. Take note of the environment it was in, with special interest for clues as to how long it has been there. Examine briefly for any markings. Place immediately into clear plastic bag, marking it with a description of the contents and ideally adding tamper seals. Clear plastic bag means you can verify the device hasn't changed. When not performing investigatory work, the bag should be locked in a dedicated place for evidential material.
3. Establish an air-gapped secure system to perform analysis on. Assume that malware will be present and that you will want to be able to detect and analyse it. Ideally have an investigations laboratory to add physical controls around the air-gap.
4. Establish a log book. Record the date, time, action taken, and tamper seal codes before and after. There will be more things you will wish to record, of course - this is only a rough guide.
5. Acquire a write-block device. These are utterly essential for any form of forensic investigation, and typically block at (what courts consider to be) hardware-level any modification to the device.
6. Attach the device to your air-gapped system using the write-blocker. At this point, the air-gapped system is dirty and will need to be forensically wiped/destroyed once you are finished.
7. Using EnCase, similar forensic tools, or failing that GNU dd_rescue, image the device. Never, ever, work off the original device. The police and/or auditors may want to take their own copy; this is normal.
8. With respect to the log book, treat this image like the original device. This log book is what you use to back up "I was performing a security investigation". This includes any automated testing or password cracking you attempt.
9. If your organisation handles classified information, it goes without saying that identifying if any is present is your top priority - no matter what the implications that then has.
10. Limit who gets to actually view the data on the device to an absolute minimum. You don't know what's there, it could be personal HR information or finances, or that hush-hush restructuring project. The fewer eyes the better. Ideally this should be someone trained in forensic examination and with a high enough clearance to view any potential contents.
11. Know when to give up. Seriously, you could spend years diving into the contents of a 64GB device, and never actually get anything useful.
12. Ask a legal person about how long to retain the device for once you've finished.
13. Assuming you have identified that the contents need further examination, look into eDiscovery tools like Symantec Clearwell, and visualisation tools like the excellent Gephi. Perform technical wizardry rather than wading through a hundred thousand files manually. You're reading hacker news, remember! ;)
14. Assuming that the police have been involved, update them. However if it really is an unknown item and there is otherwise little that is suspicious, they probably won't be that interested and/or will close the call silently.
Apparently I Am Not A Lawyer, And I Repeatedly Assert This Fact. I work in IT Security, and have been involved in quite a few investigations of varying types. Due to their nature, we knew the source of the data on most occasions, so many of the above steps were unnecessary. I'd rather suggest too many protective controls than too few - safer if I know I'm not a lawyer!
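The log book from steps 4 and 8, sketched as an added example that is not part of the original post: each entry records the date, time, action and tamper seal codes before and after, plus a hash of the image taken in step 7. The SHA-256 hashing, the hash chaining between entries, and all field and function names are assumptions of this example, not something the post specifies.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # constructed starting value for the hash chain

def sha256_file(path, chunk_size=1 << 20):
    # Hash the image in chunks so a multi-gigabyte file need not fit in memory.
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def entry_digest(entry):
    # Digest over every field except the digest itself, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_entry(log, item, action, seal_before, seal_after, image_sha256=None, when=None):
    # Append one log book line; it commits to the previous line via prev_hash.
    when = (when or datetime.now(timezone.utc)).astimezone(timezone.utc)
    entry = {
        "date": when.strftime("%Y-%m-%d"),
        "time": when.strftime("%H:%M:%SZ"),
        "item": item,
        "action": action,
        "seal_before": seal_before,
        "seal_after": seal_after,
        "image_sha256": image_sha256,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry

def verify_log(log):
    # Return the index of the first inconsistent entry, or None if intact.
    prev, last_seal = GENESIS, {}
    for i, e in enumerate(log):
        if e["prev_hash"] != prev or e["entry_hash"] != entry_digest(e):
            return i  # entry edited, removed or reordered after the fact
        if e["item"] in last_seal and last_seal[e["item"]] != e["seal_before"]:
            return i  # bag was found with a different seal than it was closed with
        prev, last_seal[e["item"]] = e["entry_hash"], e["seal_after"]
    return None
```

A paper log book signed by a second person serves the same purpose; the chained digests only make later edits to an electronic copy detectable.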