

Rethinking Police Searches of Computers - three14
http://www.freedom-to-tinker.com/blog/paul/gizmodo-warrant-searching-journalists-terabyte-age

======
ErrantX
_At the very least, the courts should forbid the police from looking at any
file timestamped before March 18, 2010_

As already pointed out, timestamps can often be a problem. Limiting searches to
a specific timeframe is difficult because of how the forensic tools work. It's
infeasible to tell the tool "only search files and data between these dates".
Indeed I wish that _was_ possible - it would make things much faster!

But more importantly we _are_ limited in what we can investigate. Not just for
legal reasons but for cost as well. As a forensic examiner I feel (and I know
most of my colleagues do as well) ethically obliged to stick to the
requirements of the case - as tempting (for personal interest) as it is to
poke into other corners of people's lives, it is entirely unethical and wrong.

------
epochwolf
> At the very least, the courts should forbid the police from looking at any
> file timestamped before March 18, 2010

Except that timestamps can be altered.

~~~
pyre
True, but if someone is ordered to turn over 'all documents pertaining to
topic X', they still might withhold documents. We don't allow the police to
search all documents, just in case.

{edit} It would get messy if he was on a computer that had a faulty CMOS
battery (i.e. randomly your system clock is reset to the Unix epoch). Trying
to figure out the true date of files with timestamps of December 31, 1969
would be difficult. ;-) (I know that's prior to the epoch, but I had a faulty
CMOS battery in an old PowerBook and that's what would happen)

~~~
blasdel
The timestamps are before the epoch because you live in the western
hemisphere, so your timezone is GMT-N.
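
A worked illustration of the two timestamp points made above: epochwolf's that timestamps can be altered, and blasdel's that a clock reset to Unix time 0 is displayed as 31 December 1969 anywhere west of Greenwich. This is an added example, not code from anyone in the thread. The temporary file is constructed, the fixed UTC offsets stand in for real zones so no tz database is needed, and the ctime heuristic assumes a POSIX filesystem (on Windows st_ctime is the creation time instead). It also assumes the forger used utime() rather than winding the system clock back first, which is one reason examiners photograph the machine's clock at seizure.

```python
# Added example, not code from the thread. It illustrates two points made
# above: a reset clock (Unix time 0) is displayed as 31 December 1969 in any
# zone west of Greenwich, and a file's modification time can be set to any
# value, while the inode change time (ctime) records when that was done.
import os
import tempfile
from datetime import datetime, timedelta, timezone


def local_date_of_epoch(seconds: int, utc_offset_hours: int) -> str:
    """Render a Unix timestamp as a local calendar date at a fixed UTC offset
    (fixed offsets are used so the example needs no tz database)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(seconds, tz=tz).strftime("%Y-%m-%d %H:%M")


def backdate_mtime(path: str, new_mtime: int) -> dict:
    """Set a file's atime and mtime to an arbitrary value, as a forger can,
    and return the resulting mtime and ctime. utime() cannot set ctime; on a
    POSIX filesystem the kernel stamps it with the current time."""
    os.utime(path, (new_mtime, new_mtime))
    st = os.stat(path)
    return {"mtime": int(st.st_mtime), "ctime": int(st.st_ctime)}


def mtime_suspiciously_old(path: str, slack_seconds: int = 2) -> bool:
    """Heuristic: a mtime older than ctime by more than a little slack means
    the content timestamp was rewritten after the inode last changed, which
    is what utime()-style backdating looks like on a POSIX filesystem."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > slack_seconds


def demo() -> dict:
    """Run both illustrations on a constructed temporary file."""
    results = {
        "epoch_in_gmt_minus_8": local_date_of_epoch(0, -8),  # 1969-12-31 16:00
        "epoch_in_gmt": local_date_of_epoch(0, 0),           # 1970-01-01 00:00
    }
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed sample file\n")  # constructed sample content
        path = f.name
    try:
        results["fresh_file_flagged"] = mtime_suspiciously_old(path)       # False
        results["after_backdate"] = backdate_mtime(path, 1_000_000_000)    # 2001-09-09
        results["backdated_file_flagged"] = mtime_suspiciously_old(path)   # True
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The date part shows why pyre's PowerBook files carried a 1969 date: the stored value was 0, and the display converted it to local time. The file part shows the check an examiner can actually run: mtime and atime are whatever the last writer chose, ctime is not.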

------
sophacles
If the police are going to confiscate, why would they confiscate the whole
computers, and not just the drives? Further, why not provide the option for
the guy being served to get some new drives and copy the data to them before
the police confiscate the original?

~~~
ErrantX
Usually the answer is that police, generally, have no clue about computers -
enough to seize machines but not to safely remove the drives. Clearly that's
not the case in this specific incident.

But there are other reasons. Firstly, when you remove drives from the machines
you have to open them up, photograph them in situ, remove the drives, image and
replace them. It's a reasonably time consuming job (and I doubt you'd want
police in your home for hours doing it :)). Secondly, there may be issues
imaging the drive; wrong connectors or just fickle drives. Usually in such a
case you can fire up the original machine with the drive attached and load a
forensic imager from CD to pull the data (in other words it's a fail-safe).
And finally you have to photograph the computer CMOS time next to an atomic
clock to help validate any timestamps on the hard drives.

~~~
sophacles
Awesome detailed answer, thanks! My questions come from a basic concern for
the suspect, and presumption of innocence before proven guilty. A confiscated
computer not only may require extra care in "plain sight" restrictions as
outlined in the article, but also extra care in "undue hardship". If I keep
all my records on a computer, and that computer is confiscated, I am now
without any way of doing basic stuff like paying bills. It would seem that
being able to retain a copy of the data is relatively trivial, so such an
option should be made available. Given that current practices seem to be
"never see your stuff again", is there any reason not to allow it? (Perhaps
not as it's taken, but shortly thereafter).

~~~
ErrantX
Yeah. You've touched on the inherent trade-off of my job. If you have critical
stuff on your computer then we will do our best to get a copy back to you ASAP
(of course I can only talk for us).

The problem is not retaining the data. We work from images anyway. The issue
is that if the drive contains evidence, returning the original would probably
kill the case in court. If a defence analyst questions the data - say accuses
us of faking it - how do you prove that if it goes back to the suspect?

~~~
sophacles
I totally understand that last part, about evidence custody stuff. I find it
vaguely totemic, in that the "one true datathingy" must be preserved. (not on
your part necessarily, on the whole court system in general). Good on you guys
for getting data back to the suspect. I presume that if it all comes from
images anyway, it would be trivial for me to bring in a couple TB of NAS and
say, "data please" and just get raw image dumps.

I think to clarify my above stuff: Rules of evidence should state that images
of the computer files in custody should be made available to suspects in some
short amount of time after they are processed, due to the easy copy aspect of
digital media, and the critical nature some data on the drives.

~~~
ErrantX
Yes I wish that happened more to be honest.

Currently the issue is that it is a logistical nightmare due to how large
police forces work. Unfortunately we are on the outside so our suggestions
mostly fall on deaf ears at management level :(

------
Buckley
I guess we're going to find out how good Jason Chen's backup strategy is. I
doubt he'll write anything for Gizmodo for a little while, but I wonder how
long it will take him to get back up and running with all of his systems
seized.

------
slantyyz
If I'm a paranoid tech journalist (I'm not), everything would be tucked away
in a hidden TrueCrypt volume masked as a swap file, and all my other files
would be in the cloud. Not sure seizures are even useful in such a case.

~~~
protomyth
I get the feeling that your "cloud" service provider will turn over your stuff
quickly and inform you later.

~~~
wizard_2
IANAL but I don't think they can compel you to give your truecrypt passwords
as they're in your head. There was an ongoing court case (involving child
pornography) about this topic.

~~~
slantyyz
Even then, I think TrueCrypt lets you create a second volume within the
initial volume, and leaves no trace that the second volume even exists.

~~~
pyre
The problem therein is programs that record your 'most recent documents.' If
they refer to documents that aren't anywhere in what they confiscated, and/or
on a volume that doesn't exist, they may suspect that you have a hidden volume.
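
An added example of the cross-check pyre describes, not code posted by anyone in the thread: recently-used document paths recovered from an image are compared against the volumes actually present in the seized media, and any path rooted on a volume nobody imaged is reported. The recent-document list and the set of imaged volumes are constructed sample data, and the volume rules (Windows drive letters, UNC shares, macOS /Volumes mounts, everything else under "/") are this example's own simplification.

```python
# Added example, not code posted in the thread: the cross-check pyre
# describes. Recently-used document paths recovered from an image are
# compared with the volumes actually present in the seized media; any path
# rooted on a volume nobody imaged is reported. Sample data is constructed,
# and the volume rules (drive letters, UNC shares, macOS /Volumes mounts,
# everything else under "/") are this example's own simplification.
import re
from typing import Dict, Iterable, List, Set

_DRIVE = re.compile(r"^([A-Za-z]):[\\/]")
_MAC_VOLUME = re.compile(r"^(/Volumes/[^/]+)")


def volume_of(path: str) -> str:
    """Name the volume a path lives on: 'E:' for a Windows drive letter,
    '\\\\server\\share' for a UNC path, '/Volumes/Name' for a mounted macOS
    volume, '/' for anything else under the POSIX root."""
    m = _DRIVE.match(path)
    if m:
        return m.group(1).upper() + ":"
    if path.startswith("\\\\"):
        parts = path.lstrip("\\").split("\\")
        return "\\\\" + "\\".join(parts[:2])
    m = _MAC_VOLUME.match(path)
    if m:
        return m.group(1)
    if path.startswith("/"):
        return "/"
    return "<relative>"


def orphaned_references(recent: Iterable[str], imaged: Set[str]) -> Dict[str, List[str]]:
    """Group recent-document paths by volume and keep only those whose
    volume is not among the imaged volumes. A non-empty result is the
    hint pyre describes: the user opened files on media the seizure missed."""
    out: Dict[str, List[str]] = {}
    for p in recent:
        vol = volume_of(p)
        if vol not in imaged:
            out.setdefault(vol, []).append(p)
    return out


# Constructed sample: what a recent-documents list might hold.
SAMPLE_RECENT = [
    r"C:\Users\jc\Documents\draft.docx",
    r"E:\notes\source-list.txt",
    "/Volumes/Scratch/leak.pdf",
    "/Users/jc/Desktop/photo.jpg",
]
# Constructed sample: volumes the examiner actually imaged.
SAMPLE_IMAGED = {"C:", "/"}

if __name__ == "__main__":
    for vol, paths in orphaned_references(SAMPLE_RECENT, SAMPLE_IMAGED).items():
        print(f"{vol}: referenced but not among imaged volumes -> {paths}")
```

With the sample data, E: and /Volumes/Scratch come back as referenced-but-unimaged. A mounted TrueCrypt container on Windows appears as exactly such a drive letter, which is why recent-file lists undermine the "no trace" property slantyyz is relying on.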

------
0wned
Forensic guys want to take images of the storage devices. They use tools such
as dcfldd or purpose-built devices (Tableau) to do this. They'll then analyze
the images and probably never touch the guy's hardware again. It will sit in an
evidence room for eons. They could return the hardware as soon as they've done
the imaging, but I've never seen that happen. Use whole disk encryption
everywhere :)
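
An added example that ties together ErrantX's point about working from images and having to prove they were not tampered with, and 0wned's mention of dcfldd: a minimal dcfldd-style acquisition that hashes the whole stream and each fixed-size window as it copies, then verifies a later working copy against that record. This is not code from the thread or from dcfldd itself; the "device" is a constructed byte string standing in for a raw disk, and the window size and record layout are this example's own choices.

```python
# Added example, not code from the thread or from dcfldd. A minimal
# dcfldd-style acquisition: copy a raw source block by block, hashing the
# whole stream plus each fixed-size window as it streams past (dcfldd's
# hashwindow idea), then verify a later working copy against that record.
# The "device" here is a constructed bytes object standing in for a disk.
import hashlib
import io
from typing import BinaryIO, Optional

BLOCK = 4096            # read size, like dd's bs=
WINDOW = 16 * BLOCK     # one digest per 64 KiB; must be a multiple of BLOCK


def _stream_digests(src: BinaryIO, dst: Optional[BinaryIO]) -> dict:
    """Stream src, optionally writing to dst, and return the record: byte
    count, SHA-256 of the whole stream, and one SHA-256 per WINDOW-sized
    slice (the last slice may be short)."""
    total = hashlib.sha256()
    win = hashlib.sha256()
    windows = []
    n = in_window = 0
    while True:
        chunk = src.read(BLOCK)
        if not chunk:
            break
        if dst is not None:
            dst.write(chunk)
        total.update(chunk)
        win.update(chunk)
        n += len(chunk)
        in_window += len(chunk)
        if in_window >= WINDOW:
            windows.append(win.hexdigest())
            win, in_window = hashlib.sha256(), 0
    if in_window:
        windows.append(win.hexdigest())
    return {"bytes": n, "sha256": total.hexdigest(), "windows": windows}


def acquire(src: BinaryIO, dst: BinaryIO) -> dict:
    """Image src into dst and return the acquisition record that is kept
    with the evidence; later copies are checked against it, not against
    the original drive."""
    return _stream_digests(src, dst)


def verify(copy: BinaryIO, record: dict) -> dict:
    """Re-hash a working copy and compare with the record. On mismatch,
    report the first differing window so a dispute can be narrowed to a
    64 KiB region instead of 'the whole image'."""
    now = _stream_digests(copy, None)
    pairs = zip(record["windows"], now["windows"])
    first_bad = next((i for i, (a, b) in enumerate(pairs) if a != b), None)
    if first_bad is None and len(now["windows"]) != len(record["windows"]):
        first_bad = min(len(now["windows"]), len(record["windows"]))  # truncated/extended
    ok = now["sha256"] == record["sha256"] and now["bytes"] == record["bytes"]
    return {"ok": ok, "first_bad_window": first_bad}


def constructed_device(size: int = 200 * 1024 + 123) -> bytes:
    """Deterministic stand-in for a raw disk (constructed; deliberately not
    a multiple of BLOCK so the short tail window is exercised)."""
    return bytes((i * 7919) % 256 for i in range(size))


def demo() -> dict:
    device = constructed_device()
    image = io.BytesIO()
    record = acquire(io.BytesIO(device), image)
    # A working copy identical to the image verifies.
    clean = verify(io.BytesIO(image.getvalue()), record)
    # A working copy with one byte flipped at offset 70000 fails, and the
    # mismatch is localised to window 1 (70000 // 65536).
    tampered = bytearray(image.getvalue())
    tampered[70000] ^= 0x01
    bad = verify(io.BytesIO(bytes(tampered)), record)
    return {
        "record": record,
        "direct_sha256": hashlib.sha256(device).hexdigest(),
        "clean": clean,
        "tampered": bad,
    }


if __name__ == "__main__":
    r = demo()
    print("acquired", r["record"]["bytes"], "bytes, sha256", r["record"]["sha256"])
    print("clean copy ok:", r["clean"]["ok"])
    print("tampered copy ok:", r["tampered"]["ok"],
          "first bad window:", r["tampered"]["first_bad_window"])
```

This is the mechanism behind ErrantX's answer to "how do you prove you didn't fake it": the hash recorded at acquisition, witnessed and kept with the exhibit, is what every later copy is measured against, and the original drive is retained so that record can be re-derived from it if challenged. Returning the original would leave the hash with nothing independent to anchor it to.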

