Court Sets Rules for RIAA Hard Drive Inspection

Discussion in 'privacy general' started by Fontaine, May 7, 2009.

Thread Status:
Not open for further replies.
  1. Fontaine

    Fontaine Registered Member

    Joined:
    Jan 29, 2008
    Posts:
    245
    I can see how a forensics examiner can tell if a drive has been wiped, but how can they tell if individual files, or say, a directory of music files, has been erased using software like Eraser?
     
  2. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    Actually, the article was talking about "any evidence that the hard-drive has been wiped" in general. Problem is that if you wipe any data AFTER the litigation started, you can be accused of destroying evidence, and I belive you may be in big trouble if you face that kind of accusation.
     
  3. AKAJohnDoe

    AKAJohnDoe Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    989
    Location:
    127.0.0.1
    Unless you happen to be the NSA or CIA, of course.
     
  4. Fontaine

    Fontaine Registered Member

    Joined:
    Jan 29, 2008
    Posts:
    245
    Right, but can a forensics analyst tell if someone erased a few folders vice the whole hard drive? The hard drive would be pretty obvious, but overwriting folders with random data, is that even detectable?
     
  5. traxx75

    traxx75 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    106
    If you've never erased anything on the HDD before then it is possible for someone to determine that you may have erased something recently due to the presence of patches of random data [or maybe bit patterns].

    Thing is, if you've always been erasing data then they can't prove that you've erased anything they're interested in [as long as the filenames aren't still hanging about]. If you perform a full free-space wipe with random data every so often then that would make it even harder to prove.

    As far as I know, there's no "timestamp" associated with the data written to the drive during erasing so I'm not sure how they intend to prove you did so since initiation of litigation. Unless it's to cover people erasing an entire HDD that they know previously had an operating system on it :)
     
  6. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    There is an algorithm, and maybe somebody can remember who or what it was, that instead of leaving tell-tale signs of wiped data left what appears to be data complete with innocent file names and dates set to your specification. I've Googled and can't find it, but when I saw it I thought it might be worth grabbing and never did. Does anybody know what I'm talking about?
     
  7. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    I am interested in knowing what people think about how the expert would handle a TrueCrypt drive that has been whole disk encrypted.
     
  8. vizhip

    vizhip Registered Member

    Joined:
    May 2, 2009
    Posts:
    83
    The court would probably require the encryption key be provided to the expert or a charge of contempt could be levied...

    Regards -
    -Bob
     
  9. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    What about the 5th Amendment right's protection against self incrimination? I am aware of a recent case where the judge ruled that the forced disclosure of a key was not testimonial. Just wanted to raise the issue.

    I am interested in knowing what you think about the incorporation of a one-time password into this hypothetical. What if the defendant doesn't actually know the password and/or only knows part of it? Also, how does the plausible deniability of TrueCrypt's hidden partition feature play into all of this?

    Thanks for your thoughts.
     
  10. vizhip

    vizhip Registered Member

    Joined:
    May 2, 2009
    Posts:
    83
    Depends on whether the password were added after the discovery process had been launched or before... If after, then you hit tampering with evidence and other nice charges... but if before, then the question would be, why would the defendant only know part of a password to a file on his own computer o_O

    That being said, the person that knows the other part of the password could then be linked as an accessory to whatever is found behind the protection...

    These are grey areas which should really be defined by security experts outside the courts...

    The problem is, search warrants typically give the government the right to execute a search for the specifics stated within the warrant anywhere within the premises cited... ie... apartment is cited as the premises, a government team can enter the apartment and search everywhere inside the apartment for the item(s) declared within the warrant... If that includes items that may be hidden on the hard drive, then the search could include that as part of gathering evidence... and typically there is no recourse an individual has if the searchers destroyed anything during the process of recovering said evidence... other than filing a complaint with the government and trying to get restitution for the destruction of property... which really gets fun if no evidence is found and no arrest made...

    Bottom line... the inspection could have been carried out by the initial investigation team under the search warrant... unless they used a different method for building the case and just arrested the individuals... which means that they wouldn't need the evidence found on the hard drive to build the case... but anything gathered from it could only reinforce the case...

    But back to your question of plausible deniability...

    It really depends upon the circumstances surrounding the evidence...

    If the individual lives alone and it is their personal computer/laptop, then plausible deniability is almost impossible to establish... The statement of I must have been hacked would be hard to defend if there is any sort of technical knowledge shown by the defendant...

    If the individual lives with others or it is shown that others have access to the computer when the individual is not around, then the case of plausible deniability can enter the scene... it becomes a much harder case for the prosecution to try... Then time stamps on the files becomes important... to establish when the file was last modified and who might have had access during that time frame...

    As far as 15 years ago, the FBI had the capability to tap a phone line and when a modem signature was detected, a computer screen would display everything that was seen by the computer whose modem line was being tapped... When the bust was made, the computer time was noted before it was shutdown and gathered as evidence... along with scraps of paper and post-its found near the computer and in the trash... The times of detection were linked with the comings and goings of targeted individuals and the case was built from there...

    The RIAA case is interesting in that the expert will have to determine if the music/video files found on the computer originated from a copy protected source... Something that the various recording industries are going to have to fight, and will lose the way the laws are currently set up, is if the source was the air waves... and with all the broadcasters being forced to move to high definition, that is going to make cases like this even more difficult...

    Once the prosecutors establish that the individual is the one that was at the computer when the crime was detected, then discovery of anything on the hard drive has no plausible deniability...

    In the case of torrents that are password protected, the prosecutor would probably stay with intent if they couldn't get past the password... Example... the file name was StarTrek2009, even though the experts couldn't get past the encryption, they could probably surmise, based upon file size, that it was a copy of the movie and thus would prosecute for intent unless the defendant opened the file and proved it wasn't...

    Cases of this nature are going to be started with hard evidence outside what is found on the hard drive... because they cannot rely on the hard drive to make the case for them in case they couldn't find anything on it...

    What if the defendant downloaded stuff and then moved it to an online storage location... and erased the hard drive after each move... then there would be zero evidence left behind and it would be hard to prosecute the case where you depend on the hard drive as the key evidence...

    I have to like the phrasing of the court to ignore anything that didn't pertain to the case... It is exactly like issuing a search warrant on the premises saying you are looking for drugs... Anything else found is inadmissable... which is why search warrants are usually worded a little more ambiguous... to allow the discovery of things like money and guns associated with the drugs...

    I suspect that the evidence has already been gathered in advance to build this case and the discovery of anything on the hard drive is just icing on the cake...

    btw... the 5th admendment only refers to spoken testimony... if the government finds a piece of paper sealed in an envelope in a safe that they required you to open during the process of a search warrant, that paper can be used as evidence even though you were required to open the safe... I suspect that the evidence found on the hard drive protected by encryption will fall under this same rule...

    Please be aware that I am not in law enforcement nor am I an employee of any government entity... I just had a unique experience with this type of case several years ago... back when no one was willing to prosecute this in front of a jury selected from the public... and no, I wasn't the defendant either...

    Regards -
    -Bob
     
  11. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Bob,
    I appreciate your obvious intellect on this subject. Thank you for taking time to discuss this. You briefly mentioned online storage in your last posting. Have you heard of FreeNet? If not, you can learn about the project here:

    http://freenetproject.org/

    Basically, my understanding about the project is that people "donate" a portion of their hard drive (and bandwidth) to the project in exchange for the "privilege" of gaining access to others that have done the same. Once the donation is made, the donated section of the hard drive becomes filled with random noise that is encrypted data from others that use the service. In this case, the person (donor) actually cannot know what is on the donated section of the drive, nor does the donor have the necessary encryption keys needed to decrypt the data stored on the donated section of the drive. What the system claims to provide is an anonymous means of storing encrypted data.

    The goal of the project seems to be to promote free speech under the premise that speech can only truly be free when it is allowed to be completely anonymous (I don't necessarily believe the premise and I would like to avoid derailing this thread by debating this premise). This uninhibited free flow of information has its pros and cons. This system seems to prevent governments from interfering in any way with the flow of information; however, it also allows child porn (just a single example of many negative consequences) to be stored free from the reach of law enforcement.

    What are your thoughts on the ability of the Court's new rules to adequately deal with this system?

    Thanks again Bob for your insight.
     
    Last edited: May 9, 2009
  12. AKAJohnDoe

    AKAJohnDoe Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    989
    Location:
    127.0.0.1
    The courts need to smack the RIAA folks upside the head.

    Standard rules of evidence dictate that there must a reasonable cause, followed by a search warrent. The RIAA files charges, then insists the defendant provide the evidence. There is another word for it: extortion.
     
  13. vizhip

    vizhip Registered Member

    Joined:
    May 2, 2009
    Posts:
    83
    I have not heard of Freenet... but it is something to be wary of...

    If this is anything like the P2P networks, then you would have to expose a portion of your computer to parties unknown... and if your computer was used as part of a piracy scheme, the government could take your computer as evidence in a trial against someone else... which would deprive you of the use of your computer... even though you could prove you did nothing wrong...

    Of course... it would be very hard to prove that the evidence existed solely on your machine... or a set of machines... I am glad I didn't have that issue back in the day... it would have given me headaches... )))

    As for the comment AKAJohnDoe made...

    I need to go back and read up on this case... From what my knowledge in the past has been... the prosecution must present its case and evidence in order for a trial to go forward... and the contents of the hard drive would just add icing on the cake, not be the complete evidence in the matter...

    If it is just a lawsuit... then RIAA has to provide all evidence without the ability to force the defendant to even admit he has a computer... and from there, if they can prove that the defendant was probably guilty, they can ask that assets belonging to them be seized... but I was not aware of any capability to gain access to a defendants assets unless it was a criminal court... in which case a long list of evidence would have already been compiled before the arrest was made...

    Regards -
    -Bob
     
  14. Fontaine

    Fontaine Registered Member

    Joined:
    Jan 29, 2008
    Posts:
    245

    The Boucher case is often discussed. Guy tries to cross the border, agent loads his laptop and sees porn, arrests him, shuts laptop down, PGP encrypts drive, accused refuses to supply encryption key, judge rules he cannot be forced to reveal key, appeals judge overrules and says he must provide content on drive.
    Apologies for the crappy summary. Do a search on 'Boucher Encryption' and make sure you read articles dated March 2009 and forward as they have the most recent rulings.
    The problem with this case is that the border agent had seen the illegal pornography. The big question is: what if he had never seen it? What if he merely wants to look at the hard drive contents? Border patrol has the right to view your laptop, but if you refuse to decrypt, then what? Aside from refusing passage to/from the country, I don't think there are any other ramifications. Now, what if someone is accused of downloading illegal information? The only proof is your IP address tied to a site. They get a warrant to confiscate your hardware. You employ whole disk encryption. Then what? In the U.S. can you be forced to decrypt?
     
  15. vizhip

    vizhip Registered Member

    Joined:
    May 2, 2009
    Posts:
    83
    This quote from the Boucher case would apply here as well...

    "Where the existence and location of the documents are known to the government, no constitutional rights are touched," Judge Sessions wrote, citing a previous case.

    That particular copy/paste was taken from the Techworld.com article, but it appears in a couple articles...

    Thanks for the heads up Fontaine...

    Digging further into the RIAA cases... looks like all the monitoring was done without government intervention... and by a 3rd party that did not file the appropriate paperwork...

    In the old days the RIAA case would never had made it to court as the evidence obtained was obtained illegally and thus inadmissable in court, which explains why they are going for the hard drives... The hard drives contain the only evidence available to support the claims filed within the lawsuit...

    Also, RIAA was only targeting small individuals in hopes that they would gain money and not a lengthy court process, but agreed in December not to pursue this any further... but it looks like they ARE still pursuing it...

    In my opinion... RIAA is acting way out of line here... choosing to take the cheap route to gain money instead of the proper legal route...

    There is no doubt that they are being defrauded and copyrighted material is being passed freely throughout the internet... but RIAA needs to take a different stance and direction on this... and it looks like they are being sued as of March 1 of this year...

    I think this is going to become VERY interesting... in light of what the lawsuit claims... and I suspect that RIAA and the various record labels and Mediasentry are going to be working hard to cover their behavior...

    I apologize folks... I thought RIAA had worked with the process with the government for discovery and filed the appropriate motions and paperwork prior to the hard drive seizure... evidently they have not... and thus I am shocked that the judge granted any viewing of the drive at all...

    Regards -
    -Bob
     
  16. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    What if a person uses Rapidshare to download? Wouldn't that be safe? And if I have music and movies on my computer, how would anyone know that they were obtained illegally?
     
  17. AKAJohnDoe

    AKAJohnDoe Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    989
    Location:
    127.0.0.1
  18. Fontaine

    Fontaine Registered Member

    Joined:
    Jan 29, 2008
    Posts:
    245
    Yes and no. Yes, because downloaders are not widely targeted. Uploaders are. Rapidshare.de recently gave the details of one of their uploaders and he was raided by police. Not saying it's right or wrong, just reporting the facts. :rolleyes:
    http://www.rlslog.net/rapidshare-hands-over-uploaders-details-house-raided/


    In the case of p2p sharing, they would download the file from your drive (remember, they target uploaders, and you would be an uploader), take a snapshot of your ISP etc and take you to court. First they try to settle out of court by hoping you are scared enough to pay. If not, you go to trial and they have that evidence. If they somehow get a warrant to seize your drive, as they did in the case posted in the initial thread, I suppose they could check the MD5 checksum of the file to verify it's the same one that they originally downloaded from you. Someone else can speak much more intelligently about this (MD5 stuff) than me. :p
     
  19. vizhip

    vizhip Registered Member

    Joined:
    May 2, 2009
    Posts:
    83
    Well... according to RIAA, you have to prove that you obtained them legally... and it looks like one judge was following the same ruling...

    but... the little guys have started fighting back... and this could be a blow to RIAA and the private firm they hired, not to mention the recording industry companies that backed them... if they lose that is...

    As for how they can tell o_O

    Well... I can go back to my original thoughts on this subject and related a small portion of that...

    Let's say RIAA suspects that users of a specific network are stealing their recordings and sharing them around the world... They lodge a complaint with their local police department...

    Okies... we all know the local police department can't do anything about it, but the complaint MUST be filed... and they are the perfect place to start...

    When no progress is made after a few weeks, then you asked the FBI to get involved... but... you need to be able to document losses of over $50k or they will tell you to get lost... (at least it was $50k back in 1989... not sure if that value has changed or not)... Of course, you could also ask your state bureau to get involved, but since it is across state lines for much of the traffic, they will probably refer you to the FBI or even the Secret Service...

    Once a federal entity is involved... you will need to show proof that you have been stolen from and come up with proof for the dollar value you are placing upon the loss... and from there, the feds will ask if you suspect anyone... and at that point, you tell them about this particular network and that you suspect that they may have something to do with it...

    NOTE: You can use a private source to determine the network is involved, but you can't gather any evidence... that needs to be left to the feds... but you can use the private source to feed the feds with the basic information...

    The feds will then generate court orders for surveillance... and with the surveillance, they will be able to trace IP packets moving from one source to another... They will also be able to log in and set up a fake to be traced...

    Then it is just a matter of collecting all their evidence of who is transporting stolen goods (music and videos) across the wires from computer to computer... and once they have a full picture, they will begin the arrests...

    The feds typically involve the ISPs, the phone companies, all their records and the history of usage of different nodes on the network to help compile their case...

    RIAA got greedy and didn't want to wait for the time that due process would take... instead they opted to sue through litigation instead of criminal court... which means they went for the money instead of punishment for the crime...

    By all rights, they shouldn't be able to gain access to individual computers, but it seems that judges understand there has been theft here and are taking short-cuts that shouldn't be allowed in standard due process... or even standard litigation...

    Regards -
    -Bob
     
  20. vizhip

    vizhip Registered Member

    Joined:
    May 2, 2009
    Posts:
    83
    Yeah... I keep forgetting the upload piece... too used to what I saw happen with an information case back in the early 90s... It was all download and hacking...

    It is possible that Rapidshare.de had been targetted by the police and required by law to turn over their records or face the punishment themselves for the actions of the users...

    Regards -
    -Bob
     
  21. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I use Xerobank so I don't think they could sniff packets. And I don't see how they could ever have enough of a reason to invade my privacy. All they see is a connection to Xerobank.

    And I think my ISP is for the most part pretty cool about downloading. They offer a 20MB connection for $10 more a month. And they advertise how fast downloads are in their TV ad.

    But anyway I guess if they don't have any record of downloads then they would not have enough reason to spy.
     
  22. vizhip

    vizhip Registered Member

    Joined:
    May 2, 2009
    Posts:
    83
    Actually... they can see the packets... just probably cannot see what is inside them...

    Even with VPN, you have to have an address of origin and an address of destination as part of a surrounding IP packet... The data inside the packet may be totally encrypted, but somewhere along the way, a connection packet has to be established to indicate the link... and from there any additional packets have to have address information as well...

    Sure, you can spoof your MAC address and other various changes so it LOOKS like you are coming from somewhere else... but down in the heart of IP... there has to be an address of origin so that the information can get back to you... ie... the page display... or your bank information...

    You aren't hardwired directly to the bank with you being the sole connector...

    This is something that people keep forgetting when they go out and hook up with these online VPN sites and all the other trouble they go to in order to try and appear anonymous...

    It is just that most sites don't make the effort to try and translate everything from the IP packet header... and typically some of it is stripped off as it is routed from one destination to another in an effort to reach the final goal... but if they really put forth the effort, they could find all the address information in the packet how to reach back to your computer...

    Why do you think unique IP addresses on the web are so important o_O and since we are exceeding the addresses allowable by IPv4... we are moving toward the standard use of IPv6... and talk about a pain that will be... the DNS servers will basically have to reload every single host name and the new IP address that is associated with it... or we will be back to the time when you had to specify the IP address of the remote site to be able to read it...

    But I digress...

    Now days more and more sites are delivering beefier content because more and more people have high speed bandwidth... which means that the signature of standard surfing and business is growing... thus you start having to look for a slightly different signature type to classify you as being a downloader or uploader... and thus the feds will have to spend more time determining the networks that provide the capability for p2p... and then pounce on them in an effort to either shut them down for harboring illegal traffic or giving up addresses where the heavy files can be found for obtaining illegally...

    Means less work for the feds if they can bully them into it... but wonder what happens when they run into a network provider that is in a country that doesn't care what the USA feds have to say and thus will continue to protect their user base...

    Regards -
    -Bob
     
  23. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    What if the RIAA owns the p2p software or any of the servers that handle the transfer of the copyrighted material?
    Can they copy and catalog that info with your identifiable info for lawsuit?
     
  24. vizhip

    vizhip Registered Member

    Joined:
    May 2, 2009
    Posts:
    83
    Depending on the wording of the EULA, yes they could...

    Regards -
    -Bob
     
  25. Fontaine

    Fontaine Registered Member

    Joined:
    Jan 29, 2008
    Posts:
    245

    Kind of funny that they could. Wouldn't it be similar to the MPAA standing on the corner selling bootleg copies of their movies and then taking down your information for actually purchasing from them? Somehow they are granted police-like powers on the Internet. I suppose the gov't doesn't mind as it frees them up to focus on other things. What a shame.
     
Loading...
Thread Status:
Not open for further replies.