Can forensics tell of an FDE drive?

Discussion in 'privacy technology' started by Paranoid Eye, Aug 1, 2014.

Thread Status:
Not open for further replies.
  1. Randcal

    Randcal Registered Member

    May 29, 2014
While that's true according to the rules of logic, I would hope that at least people here would be aware that courts do not always operate under logic. As I said before, it's going to depend on the court.

    In the Fricosu case for example, that was one of the major defense arguments...the feds didn't even have file names or file references to go from. Virtually everything was speculation. They were investigating a case of alleged real estate fraud and seized her machines, on the chance that evidence pertaining to the case existed on the drives.

    That was all it took: She was a suspect in the case, they got a warrant to search a house, they took the computers thinking they'd get some incriminating evidence, at least one of the devices turned out to be encrypted with PGP Desktop, and the courts ruled Fricosu was to be compelled to decrypt them so that any evidence discovered could be used against her for prosecution.

The feds had absolutely zero proof that any data at all was on the device...let alone any sort of evidence pertaining to the case they had a warrant for.

    They couldn't even verifiably prove she owned the laptop nor that she could even access the data. The most they had was suspicion based on (at best) circumstantial evidence and a cryptic recorded jailhouse conversation between her and a co-defendant.

    None of that mattered.

    Yes, one would think the term "foregone conclusion" would refer to actual proof of what was on the drive (for example, in the Boucher case, the facts were stated that the laptop was already powered on during a border crossing stop and incriminating evidence was visible and indeed seen by border agents before the device was shut down and locked.) In that case, it's obvious that it was already known there was incriminating evidence on the device (they literally saw it), so decrypting it would not remove any presumption of innocence. That is obviously what a "foregone conclusion" is in the literal sense.

    But of course, in the "legal sense," it can mean whatever the court wants it to mean. That has been my point all along. They really can just go on a fishing expedition. Even in the US.

    I must admit I too am confused by your preoccupation with TrueCrypt. The software used is irrelevant...irrelevant in regard to the OP's question, and irrelevant in the view of (at least US) courts.

    It did not matter that the device in the Fricosu case was encrypted with PGP Desktop. It's not as if a court would say "Oh you didn't use TrueCrypt? Nevermind then."

    Perhaps some foreign court cares what software is used, and will for some reason let a defendant go if it can't be determined what software was used to produce encrypted volumes. That makes absolutely no sense, and sounds completely insane, but I do realize we're talking about the government/legal system, so there really is no such thing.

    The real determining factor in the 11th Circuit John Doe case was that they could not prove the devices were his or that he had the ability to decrypt them, and the court ruled that ordering him to do so would put him in exactly the kind of conundrum that the 5th Amendment was designed to prevent.

    The fact that they could not prove there was any data at all on the device (which the judge did bring up) was more secondary.

    And again, evidently, despite having a very similar situation/set of facts, the court in the Fricosu case ruled the opposite. The judge in that case even admitted they couldn't prove the device was hers. He literally said:

"it is more likely than not that the computer belonged to and was used by Ms. Fricosu. Accordingly, I find and conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer."

    So again, logic and proof are not a requirement in US courts.

    So I'll reiterate:
    If mere speculation is enough for a court to rule a suspect be compelled to decrypt a device, then all of the above arguments in this thread are largely moot. Speculation that the drive belongs to/was used by the suspect, speculation that the suspect can decrypt the device, and speculation that there is even any data on the device. That was all that was needed for the court to rule to force Ramona Fricosu to decrypt a laptop.

    So as I said, if they have file paths or references or fragments, or any of the other kind of information like what is cautioned against in the TC documentation, I'd say it would be that much easier to get such a ruling.

    Once again, plausible deniability (as in a decoy volume) is the only viable defense.
    Last edited: Aug 8, 2014
  2. Randcal

    Randcal Registered Member

    May 29, 2014
For further support of my point, the EFF concurs, and actually contradicts @justpeace's claim that "Under the foregone conclusion test, location and custody is also a requirement which must be proven apart from existence."

An act of production is not "testimonial" if the government can show with "reasonable particularity" that when it tried to obtain the requested material, it already knew what the material was and where it was on the computer.

    So the government does NOT require proof of "location and custody." Just a "reasonable particularity." In the legal world, that is a gap the size of a football field.

I'll also note that this piece also contradicts @S.B.'s claim that Fricosu was granted immunity from anything found on the decrypted device. In that other thread, our argument largely centered on the meaning and implications of immunity from the "act of production" of incriminating material.

    In the Fricosu case, the district attorney requested the judge grant Fricosu immunity from the "act of production" in decrypting the device, so that the prosecution might go forward in trying to get her compelled to decrypt it (so that they might use any contents of the drive as evidence against her in court.)

    S.B. claimed that immunity from the "act of production" equals (or at least includes) immunity from the contents of the drive:

    "Without her action of producing the drive, the govt would have no information as to what is on the drive. Hence the govt would have to use as a matter of necessity, her actions in producing the drive, to use evidence found on the drive in a criminal prosecution against her. So yes, I can assure you that it changes everything."

    But my point was that he is making a leap that the law does not. As the EFF says:

The issue in the decryption cases is not whether the decrypted contents of the computer (the files) are "testimonial" under the Fifth Amendment. The simple answer to that question is that they aren't, because despite whatever incriminating character the files may have, the creation of the documents were not "compelled" by the government. Instead, the issue in these cases is whether the act of decrypting the computer or producing a decrypted version of information on the computer is "testimonial" under the Fifth Amendment. And the answer to that question, as with many legal questions, is "it depends."
    (italics original)

    And further:

The government offered Doe "use immunity" that amounted to a promise by the government not to use the fact Doe decrypted the computer against him. But the government did not offer him "derivative use" immunity, which would have prohibited the government from using whatever it found on the decrypted computer (likely files) against him later. The 11th Circuit ruled that the government's offer of immunity was insufficient and that it had to offer both use and derivative use immunity to match the scope of Doe's Fifth Amendment privilege.

    This is precisely what I was saying in these three posts: [1], [2], [3]

    So here again we see that it is not the contents of the drive that matters in these cases, it is the circumstances surrounding how the government would have to go about determining what those contents are.

    Here's another article:

    ...the government may compel a defendant to provide access to a computer’s contents once it knows the defendant has the ability to access the computer. But it may not compel production of a password.

This may seem like a distinction without a difference, but there could be scenarios where information like the password is itself incriminating — for instance, if the password was “ImGuiltyScrewTheFeds.” Moreover, to the extent that people frequently reuse passwords, providing a password to the government could enable unsanctioned fishing expeditions across the Internet.

So as I keep saying, nothing is foolproof of course, but your best bet is plausible deniability.
    Last edited: Aug 8, 2014
  3. justpeace

    justpeace Registered Member

    Sep 21, 2012
    Not quite.
    The 11th Circuit considered Fricosu but found it distinguishable:

    So Fricosu let the cat out of the bag and admitted during a taped telephone call that the evidence sought by the government was on the computer, and that she wanted them to work hard to get at it.

As to the ownership of the computer, she also admitted to the fact during the conversation.

    Fricosu pretty much incriminated herself by admitting to every testimonial fact the government would have had a hard time proving.

    I had not before read the entire conversation, but it's incredible that her lawyer had given her advice and she nonetheless divulged everything over a tapped phoneline.

True, the District Court did not accept the objection that the government didn't know what was on the computer, but given Fricosu's staggering incompetence, basically admitting that she knew the password, and linking the computer to the evidence sought by the prosecution, the outcome is not in the least surprising.

    So your assertion that everything was speculation in the Fricosu case is not supported by the record.

    You wrote:

    My preoccupation with Truecrypt is due to the not insignificant fact that its antiforensic quality has successfully withstood law enforcement.

    The Doe suspect in the 11th circuit likely used Truecrypt full disk encryption, and was careful to wipe his traces and probably did not trust anyone who could rat him out.

    So he got out free as a bird, whereas Fricosu, Boucher and Gelfgatt did not fare so well.

    Had the encryption implementation been less solid, something could have leaked and the outcome could well have been a closer call.

Essentially the government was in the dark, since it could not prove the facts regarding the existence or location, possession, or authenticity of the subpoenaed materials.

Note that all these prongs are treated separately by the 11th circuit's ruling and that the government's evidence failed them all.

    What it had was merely a computer where Truecrypt was installed and a lot of random data which even the expert conceded could be blank:

    You wrote:

    No, what mattered in the Fricosu case was only that she admitted to every testimonial fact protecting her against being compelled to decrypt the computer and that the evidence was stored in a nondeniable system.

    If she had used Truecrypt or another deniable encryption scheme, she could reveal the outer volume and still not be compelled to answer if there was an inner volume, provided of course that she only admitted the existence of the outer volume.
    Last edited: Aug 8, 2014
  4. Randcal

    Randcal Registered Member

    May 29, 2014
Then that would beg the question as to why the judge simply said "it is more likely than not that the computer belonged to and was used by Ms. Fricosu" as opposed to outright stating it was hers and that she could access it.


The judge is actually being more honest and making fewer inferences than you are. You literally claim she admitted to ownership of the computer in question. The judge at least admits that it's just an assumption.

    Notice Fricosu never exactly clarifies what "it" is in that transcription. Is she referring to actual evidence? Or just the laptop? And is "her computer" the laptop that they actually did seize, or was it another one that they did not find?

    Notice she also didn't say anything confirming she had the ability to decrypt anything. All she said was "they will have to ask for my help"...that doesn't mean she'd actually be able to help them. (Which is why her own lawyer argued it's possible she forgot any necessary password.) She even stated in that call how she never admitted to knowing any password:

    "yeah cause they kept asking me for passwords and I said, ya know no I just didn't answer them"

    So she actually didn't "admit to every testimonial fact the government would have had a hard time proving" as you claim. Even if you could produce some court document that claims there wasn't speculation, the actual statements of fact do not reflect that. As I said before, the best they had was circumstantial evidence and inference.

    And that was enough for the court. Once again, that's my whole point.

    It would be one thing if she had said "Everything incriminating us is on my encrypted laptop that they seized, and I'm not going to give them my password." That would give credence to your claim that she gave away the farm. Of course I'm not saying she didn't screw herself by talking. Obviously she did. My point is simply that she didn't have to say anywhere near what you made it sound like was necessary for a court to compel decryption.

Once again, they didn't really prove anything. There is no proof that the laptop they found is the one she was talking about on the call. There is no proof that "it" even refers to a laptop at all. There is no definitive proof that the laptop they found is even hers or that she accessed it; they just made that assumption based on where it was found and the fact that the encryption screen identified the computer as "RS.WORKGROUP.Ramona". This is the very definition of circumstantial. Just because something is in your room doesn't mean you own it. Just because a computer has an account with your first name on it doesn't prove it's your computer.

    They were simply able to make the leap and infer all of that. They didn't have to prove anything. That's my whole point.

    And of course none of this does anything to negate my second post which points out that the government does NOT in fact require proof of "location and custody" to invoke the "foregone conclusion" allegation, as you claimed...the court claims it just needs a "reasonable particularity."

    Huh? They "didn't fare so well" because they talked (and eventually gave up passwords). That has absolutely nothing to do with the "antiforensic quality" of anything.

    And for that matter, how is the strength of the encryption even slightly relevant to what we're talking about? What does LEAs not being able to crack TC (or PGP Desktop, or any other encryption program used by these defendants) have to do with your focusing on whether or not an adversary can prove something is a TrueCrypt volume versus a volume encrypted with some other software?

    You're not making any sense at all.

    (And the defendant's name is "Gelfgatt." You keep spelling it wrong.)

    First of all, just because you use TrueCrypt to encrypt something DOES NOT mean you automatically have plausible deniability. You are talking as though it does. Second, simply having a scheme involving a hidden volume DOES NOT automatically mean you can deny encryption entirely (which is what it sounded like the OP was interested in.)
    Last edited: Aug 8, 2014
  5. justpeace

    justpeace Registered Member

    Sep 21, 2012
    More likely than not is a term of art used to state that the evidence for X is more likely than the evidence for Y i.e. 51 to 49.

    It's just another way to state that the claim satisfies a Preponderance of evidence burden which is frankly lower than proof beyond a reasonable doubt.

    But more likely than not does not, contrary to your belief, mean that the court will allow the government to subpoena a witness just on its own speculation.

    Note that even the 11th circuit which ruled for the Doe suspect relied on what Ramona Fricosu said during the taped telephone call and on that ground found Doe's situation distinguishable.

    Doe could claim the Fifth, because he had not admitted to the testimonial fact implicit in decrypting the contents of the computer and because the government's own expert couldn't prove it either from examination of the seized equipment.

    I'll hope that you understand that even the 11th circuit attributed great weight to what Fricosu admitted during the taped telephone conversation.

    It has been covered extensively in the tech media, and EFF's analysis of the differing outcome is not far from mine:

    I don't think that Fricosu should have lost, but she damaged her own case by admitting the ability to decrypt and the existence and location of the data during the taped telephone conversation.

    The admission of the ability to decrypt = knowing the password was very specific, but the admission of the existence and location of the sought data was on a high level of generality.

Note that not even the EFF disputes the correctness of the district court's finding -- that it was more likely than not that the computer belonged to and was used by Ms. Fricosu.

    The ability to decrypt is a fact with testimonial implications and almost everyone seems to agree that it's covered by the privilege against self incrimination.

Where the EFF disagrees with the outcome in Fricosu is regarding the court's application of the foregone conclusion test and the extent of the grant of immunity under 6002.

    For the district court in Fricosu, physical custody and the ability to decrypt is enough to satisfy the foregone conclusion exception.

    If you admit during a taped conversation that you own device xxx, and that you are able to decrypt it, you have basically conceded all the testimonial implications in entering or divulging the password.

    But if you don't admit anything the government can't compel you to confess it.

    For the 11th circuit, the government in order to satisfy the foregone conclusion must also with reasonable particularity know that certain files exist on an encrypted filesystem, a requirement the government could not meet because the only thing it had seized was a computer with Truecrypt and a partition which might or might not contain a filesystem.

    The application of what constitutes reasonable particularity under the foregone conclusion in the two cases is different, but for most cases it should not matter if the defendant stays silent.

    Yes, and that's also reasoning I find superficial, in that the court seems to interpret location very broadly.

    But they had already seized the laptop, and there was her username on the computer along with a PGP encrypted structure.

    The government only sought to compel Fricosu to decrypt the contents of the seized laptop not forcing her to divulge if she owned other computers stored at unknown locations or if there was steganographic encryption inside the PGP encrypted system.

    She might still plead the Fifth as to these questions, because these facts would not be known to the government and thus not covered by the foregone conclusion even in the way the district court broadly applied it.

    The takeaway on which I think we agree is that you should never admit anything or divulge any information, something I mentioned in another thread.

    But as I said in the other thread, invoking the self incrimination privilege remains a viable argument in encryption cases even for serious crimes, provided that the individual isn't stupid.

Her husband ended up giving the government the password, and the 10th circuit therefore did not have an opportunity to decide the issue.

    I don't like that outcome, but I have little doubt that Fricosu would not have been compelled to decrypt the contents of the computer if she had remained silent and not divulged anything.

    Her husband was imprisoned for another crime, and maybe the government was already pulling his strings promising him leniency in exchange for cooperating.
    That's a possibility, or both were just stupid.

I agree, and as I noted her lawyer had advised her of her right to remain silent, and she still talked when it was in her best interest to shut up.

    Her husband knew the password, strongly suggesting that the computer might have been shared or at least that she was not the sole user.

    Sure it does, if you have one outer volume encrypted with Truecrypt and an inner hidden volume and you admit that the outer volume exists or have it mounted while being watched by law enforcement.

    Of course, that aspect of plausible deniability should never be necessary, if they can't prove that you are able to decrypt the outer volume, but don't you think that Fricosu would have fared better if she had hidden her really incriminating stuff inside the second layer?

    The government could compel her to decrypt the outer volume, but apart from an admission that there was an inner volume, Fricosu could just decrypt the outer volume without giving the government any useful evidence against herself.

    Nothing, and I do not argue that the strength of the encryption is relevant to the government's ability to prove the existence of an encrypted filesystem.

Rather I argue that Truecrypt's ability to make the existence of even an FDE encrypted filesystem unprovable is important where the government can't even prove that the suspect is possessing something other than random data.
  6. Randcal

    Randcal Registered Member

    May 29, 2014
    That's a distinction without a difference. The point is "more likely than not" is not the same thing as "proof." On the contrary, by definition it implies speculation.

    I say again, depends on the court. I don't know what your experience with legal matters is, but it can't be much if you have no reservations making sweeping claims like that. Courts have allowed a lot more for less.

    Not exactly. But any weight they did attribute was "more than likely" just government tap dancing so as to at least try and make it sound as though they didn't have completely contradictory rulings.

    I'm the one who already linked to that article to prove you were mistaken in your assertion about government requiring proof of "location and custody."

    EFF's conclusion is quite different from yours. Read that second to last sentence again:

The district court's conclusion that the foregone conclusion was satisfied because the government "knows of the existence and location of the computer's files" even though "it does not know the specific content of any specific documents" is tenuous at best. And it doesn't square with the 11th Circuit's belief that while the law "does not demand that the Government identify exactly the documents it does require some specificity in its requests—categorical requests for documents the Government anticipates are likely to exist simply will not suffice."

You keep insisting that the rulings were different simply because the facts were slightly different. While EFF freely acknowledges that the courts assert a difference in facts, at least EFF admits the rulings are still ultimately in opposition in a fundamental way. You do not seem to recognize this.

    She did not admit the ability to decrypt. She did not admit the location of the data.

    I already went over this. It's almost as if you haven't read even half of what I already said.

    She didn't admit either one of those things.

    Too bad Fricosu didn't do that. Then your argument might be valid.

    I already said that it would be one thing if she had said "Everything incriminating us is on my encrypted laptop that they seized, and I'm not going to give them my password."

    But she admitted nothing of the kind. Again, the only things she said even remotely close to that in the phone call were "they will have to ask for my help" and "they kept asking me for passwords and I said, ya know no I just didn't answer them."

If you're really going to argue that that is an admission of ownership of the specific device in the Feds' possession, and the ability to decrypt it, then you're only further supporting my point that the court gives itself incredible leeway in inferring things.

    Again, something I already said.

    It's also kind of interesting that that is the exact same escape hatch S.B. used when he started to realize how wrong he was about Fricosu's immunity.

    Then what are we debating? If you agree with me that they didn't prove anything, and all they had was circumstantial evidence and inference, and the court decided that was enough...then why have you been trying to argue the opposite this whole time?

    Once again you are not making any sense.

    What? Now you're really not making any sense. You stated that your preoccupation with Truecrypt was due to its history of success in standing up to law enforcement. And to support that assertion you pointed to a TC user who avoided prosecution because he didn't talk and didn't give up a password, and to contrast you pointed to three other people who used some other software and DID give up their passwords.

    In other words, you're asserting TC is good software because people who don't use TC give up their passwords.

    It's like saying a certain brand of car is safer than all the others because you can provide a few cases in which people driving other brands of car drove drunk and crashed.

    Well, when I asked, that's the defense you gave.

    So basically, all along you were just answering questions that weren't asked. No wonder this has been confusing.
  7. justpeace

    justpeace Registered Member

    Sep 21, 2012
    No, it's not a distinction without a difference.
    Preponderance of evidence or more likely than not does not require 'proof' in the scientific or absolute sense or giving weight to one single dispositive factor.

    Courts have leeway in assessing the evidence, and the fact that the court may weigh the cumulative weight of multiple factors does not make an isolated fact dispositive.
    For instance, a computer with a username seized during a search would probably not in isolation establish that the person is the custodian of the data, but in conjunction with other factors known to the government, the cumulative weight may tip in the government's favor.

I recognize that the application of the foregone conclusion was different, and that the 11th circuit's ruling was probably better reasoned, but I don't think that Fricosu and Doe are necessarily in conflict.

    The 11th circuit was not bound by Fricosu, a district court ruling from another circuit and could have flatly declared that it was wrong, but it nonetheless elected to discuss it and found it distinguishable on its facts.
So I don't think that the outcomes in Fricosu and Doe are necessarily inconsistent with each other.

    Law professor Orin Kerr made the following remark on The Volokh Conspiracy after the 11th Circuit handed down its ruling:

    So claiming that the two rulings are in ultimate opposition is at least questionable, at least when Professor Kerr and three judges on the 11th circuit are able to find the situations distinguishable.

    A court may draw reasonable inferences from an oral statement depending on the context.
    It does not have to be an unambiguous confession that the person knows xxx, can access partition yyy and the encryption used is PGP or Truecrypt.

    I simply disagree with your blank assertion that Fricosu did not admit the facts, or rather that the court's treatment of the facts was in conflict with the 11th circuit's exposition of the foregone conclusion test.

There is at least reasonable disagreement, and if one reads the comments to Professor Kerr's post, several posters seem to find that the outcomes in the two cases are not necessarily in conflict.

    You can't accuse people of dishonesty for failing to follow your logic to the conclusion you believe is the proper one.

I have already stated in another thread that I think self incrimination should be a viable objection even if you slip up and admit you know the password to a computer, and that the government should with reasonable particularity have to prove what it is searching for.

    But even if the bar is so low, it's only a big deal if you admit something you shouldn't, also in a taped conversation with your partner.
    Last edited: Aug 9, 2014