Police Return Seized Hardware to Victorious BitTorrent Admin, Trashed - rbanffy
http://torrentfreak.com/police-return-seized-hardware-to-victorious-bittorrent-admin-trashed-110313/

======
martincmartin
"It almost appears as if a frustrated FACT employee trashed the hardware on
purpose before it was sent back. How else could it turn into such a mess, and
why take the computers apart piece by piece in the first place? What were they
looking for? Warez?"

I suspect that the cops are worried that, if they boot up the computer, it'll
have a program which notices something is wrong and wipes the hard drive. So
I'd guess they take the hard drives out and inspect them separately. At that
point, they probably don't care about the rest of the computer, so don't care
how it's treated. What they did was horrible, but perhaps this explains it as
something other than malice.

What's the line about incompetence often being a more likely cause than
malice?

~~~
bradleyland
EDIT: I just realized that this case was in the UK. I don't know how much of
what I'm about to say applies to their judicial system, but I'm going to leave
it here anyway for those familiar with the UK to comment on.

I did computer forensic work for the US Trustee system. Chain of evidence and
the whole deal, because occasionally, our evidence would be handed over to law
enforcement and used in criminal cases. I can tell you that at no point during
the process should any component be treated with any level of disregard.
Something called the "chain of evidence" is required in order for anything you
find to hold up in court. Here's a brief list of the steps taken when a
computer is picked up and examined.

* Arrive at the scene, record the datetime, and fill out your pick-up forms. These forms include information about what is attached to the computer (displays, printers, external hard drives, any random devices, etc). Anything that stores data is taken with. You also catalog the general environment. What was around the computer? Did the place look trashed? Cleaned out? Just moved? Anything meaningful to the case is cataloged on the pick-up form.

* If the systems are turned on, record the datetime and shut them down.

* Unhook peripherals and pack the computers up in the van.

* As you're about to leave, record the datetime and fill out your vehicle mileage log.

* When you get back to the lab, check the computers in to lock-down. More forms including a complete inventory, and (you guessed it) more forms with the date and time on them.

* The computers are stored in a locked room with logged access until they are ready for examination.

* At exam time, you check out a computer or two (recording the datetime!) and head to a lab station. Here, before you do anything, you start to fill out your exam form, which requires that you document every alpha-numeric string you can find on the outside of the computer. We also took photos with a little point and shoot.

* Next it's time to extract the hard drives. You open the system up and pull one hard drive at a time, recording the manufacturer, model, serial number, size, sector count, etc. Anything on the label gets recorded and photographed. You also record where it was attached to (IDE channel and master/slave or SATA port number).

* Once you have the hard drives in hand, you attach them to the write-blocker (we used hardware) and hook them up to the forensic workstation (we used EnCase).

* I'm going to skip the forensic examination portion because it's not relevant to the physical condition of the returned hardware.

* After the examination, we would place the hard disks in protective plastic shells that we purchased and label the drive as evidence with (surprise!) the datetime, case number, and identifying information for the exam form (which linked the drive back to the computer).

* Rinse and repeat for each drive.

* At this point, you have a computer (sans-hard-drives) and a handful of hard disks that you check back in to the lock-up. Hard drives went in a HUGE data-safe fireproof cabinet. The PC case was screwed back on with minimal hardware and put back on a shelf.

* When a case was over, and assuming the debtor in question wasn't brought up on criminal charges and allowed to receive their hardware back, we returned the computers with the hard disks still in the plastic cases, but our labels clearly indicated the computer ID and SATA/IDE channels, so reinstallation was simple. Other times the equipment went to auction. If the equipment went to auction, we'd typically reinstall the drives to get best market value (heh, like that ever happened).

So the point I'm trying to make is this: at no point during the legitimate
forensic process should a computer be banged up, subjected to dirt, or
generally mistreated. Should this case have gone to court, every single one of
those factors could be used by the defense to show mistreatment of evidence.
What investigator would want to risk their case on something as simple as
maintaining the chain of evidence? This is the #1 thing they hammer into your
head during forensic training.

I don't have any statistics on hand, but cases are won and lost on the basis
of sound evidence. Whoever did this did it maliciously and intentionally.
There is zero question in my mind.
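
As an added example (not from the thread, and not the firm's own tooling): a minimal tamper-evident chain-of-custody log covering the pick-up, shutdown, check-in, check-out, drive-extraction and return steps listed above. Each entry is hash-linked to the one before it so an altered, removed or reordered entry is detectable, and the log can report any item not yet back in lock-up; examiner names, timestamps, item IDs and the case number are all constructed.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

GENESIS = "0" * 64  # link value for the first entry

@dataclass
class CustodyLog:
    case_number: str
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, action: str, actor: str, item: str, when: datetime, **details) -> dict:
        # Every step in the list above has the same shape: who did what to which item, when.
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "case": self.case_number, "action": action,
                "when": when.astimezone(timezone.utc).isoformat(), "actor": actor,
                "item": item, "details": details, "prev": prev}
        body["digest"] = self._digest(body)  # digest covers everything except itself
        self.entries.append(body)
        return body

    def verify(self) -> bool:
        """True only if no entry was altered, removed or reordered (truncation at the end is not covered)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "digest"}
            if e["seq"] != i or e["prev"] != prev or self._digest(body) != e["digest"]:
                return False
            prev = e["digest"]
        return True

    def still_checked_out(self) -> set:
        """Items whose last custody event is a check-out rather than a return to lock-up."""
        holder = {}
        for e in self.entries:
            if e["action"] == "check_out":
                holder[e["item"]] = e["actor"]
            elif e["action"] == "check_in":
                holder.pop(e["item"], None)
        return set(holder)

def example_case() -> CustodyLog:
    # Constructed walk-through of the steps: pick-up, shutdown, check-in, exam, drive pull, re-shelve.
    t = datetime(2011, 3, 14, 9, 0, tzinfo=timezone.utc)
    log = CustodyLog("CASE-0001")  # constructed case number
    log.record("pickup", "examiner-a", "PC-01", t, peripherals=["display", "usb-hdd"], powered_on=True)
    log.record("shutdown", "examiner-a", "PC-01", t.replace(minute=5))
    log.record("check_in", "examiner-a", "PC-01", t.replace(hour=13))
    log.record("check_out", "examiner-b", "PC-01", t.replace(day=15))
    log.record("drive_extracted", "examiner-b", "HDD-01", t.replace(day=15, hour=10),
               from_computer="PC-01", port="SATA0", serial="SN-EXAMPLE-1234")  # label ties drive to PC
    log.record("check_in", "examiner-b", "HDD-01", t.replace(day=15, hour=16))
    log.record("check_in", "examiner-b", "PC-01", t.replace(day=15, hour=16))
    return log
```

A complete log verifies and shows nothing outstanding; dropping the final check-in still verifies (chaining alone cannot detect truncation) but leaves PC-01 reported as checked out, which is why the lock-up inventory is kept separately.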

~~~
getsat
> * If the systems are turned on, record the datetime and shut them down.

Did this ever lock you out of any machines configured to use Whole Disk
Encryption or out of encrypted, mounted volumes? You could have dumped the
keys out of ram, etc.

> we used EnCase

Did you ever come across any _exotic_ filesystems that EnCase can't read, like
XFS?

~~~
bradleyland
> Did this ever lock you out of any machines configured to use Whole Disk
> Encryption or out of encrypted, mounted volumes? You could have dumped the
> keys out of ram, etc.

At the firm I worked for, preservation was priority #1 any time we were
walking into a case with high trial-risk. In order to discover that the
system was encrypted, I would have to use the computer. Using the computer
means changing it. Protocol was really straightforward: If it's running, shut
it down and get it to the lab.

Because we were working in the US Trustee system, we were dealing with
business owners who were either in bankruptcy where a trustee had been
appointed, or receiverships, which almost always involves a trustee (or like
appointee). This means we weren't chasing kiddie porn, we were looking for the
movement of money. Were we to encounter end-to-end encryption, the password is
just a "motion to compel" order away. Failure to comply means you sit in a
jail cell until you cough up the password.

Having said that, I don't recall ever having to go that far. Neither did we
encounter any seriously hardened systems. Anyone smart enough to encrypt a
system end-to-end at a company was usually on our side by the time we got
there. In large businesses where this type of encryption is common, there is
an IT person who can get past it. Bad business people have a tendency to make
enemies out of their employees, and the trustee knew who to take care of.

In instances where we didn't have access to employees with the required
knowledge to get into systems, we relied on industry tools. We were mostly
trying to crack into things like QuickBooks files, Outlook PSTs, and
protected documents, so not what you'd normally expect from a geek perspective
(john, l0pht, etc). A lot of the stuff was proprietary, and at the end of the
day, brute force and dictionary attacks were usually very effective.

We rarely encountered disk-level encryption on the systems we examined. App
and document level passwords were the norm. I used to run the disk images
through STRINGS(1) to extract every bit of text on the drive. Then, I'd break
whitespace to newlines and use that as my dictionary. When you have three or
four computers worth of strings, coupled with relatively unsophisticated
users, you don't often strike out. We had a 100% success rate using standard
crackers and the technique outlined above. It seems that users can't resist
typing their password in plain text at some point in the life of their
computer.

> Did you ever come across any exotic filesystems that EnCase can't read, like
> XFS?

I don't think I ever examined a computer that wasn't Windows XP. These were
strictly business cases, so anything that wasn't Windows was a server, and
that was a very rare case. Most of the time, we got approval to simply run the
server systems in question to get the data we needed. The rules of engagement
with servers were a little different. Servers involve a lot of multi-user
access, so the chain of evidence requirements were a little different. We had
to be the most careful with the personal workstations of the owners and
accountants. I'd find emails requesting off-shore accounts, shell companies,
etc. These had to be bulletproof in order to pin down the business owner.

I can't stress enough that I operated in a non-criminal, largely
unsophisticated environment. Our rules for preservation were mostly
precautionary. There was very little trial risk in our organization. It was
mostly a matter of trying to identify assets and dig up any evidence that the
owner was acting in a way that would put them in hot water. The trustee would
use these items to squeeze the debtor in an effort to repay lenders.

~~~
getsat
Thanks for the response. I'm not even in my 30s yet, but I feel old when I
hear about John the Ripper and l0phtcrack. :)

> Failure to comply means you sit in a jail cell until you cough up the
> password.

I don't think this has precedent in a US court. The closest I can find is the
following. He messed up by being initially cooperative:

<http://en.wikipedia.org/wiki/United_States_v._Boucher>

[http://en.wikipedia.org/wiki/Key_disclosure_law#United_State...](http://en.wikipedia.org/wiki/Key_disclosure_law#United_States)

This is also relevant for those interested in disk encryption:

[http://news.techworld.com/security/3228701/fbi-hackers-fail-...](http://news.techworld.com/security/3228701/fbi-hackers-fail-to-crack-truecrypt/)

~~~
bradleyland
That certainly didn't stop the trustee from threatening with motion to compel
orders in just about every case we worked. IANAL, so I have no idea what the
enforceability is. Every law enforcement/trustee's worst nightmare is a well-
informed suspect/debtor.

------
Sidnicious
I've read a few stories now about property being seized by the police and
returned damaged or not at all. What legal options does one have in that
situation?

EDIT: from the comments:

> _Yes he has recourse, if the police didn't find anything illegal in their
> search then ALL damages must be paid for._

Fair enough. What if they had found something?

~~~
solson
In the US if the authorities use civil forfeiture they can keep your property
even when you aren't even charged with a crime and there is little you can do
to get it back. <http://en.wikipedia.org/wiki/Asset_forfeiture>

It is generally used in organized crime and drug cases but has expanded
greatly in recent years. It is now routinely used to seize cars in DUI cases.
They can and do legally keep the property without even charging the driver
with DUI or any other crime. <http://www.slate.com/id/2243428/>

I don't know about the UK but I am surprised any property was returned.

~~~
tptacek
Alarmist. Civil asset forfeiture is not _carte blanche_ for local and state
governments to take property. There is an elaborate due process system
surrounding it. The often-cited statistics about how few forfeiture cases are
accompanied by criminal convictions are obviously and clearly biased: much
crime goes unpunished, and if you are in fact running drugs (the nexus of the
vast and overwhelming majority of forfeiture cases), you're probably not going
to go to court to get your Escalade back.

Details:

[http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_0...](http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00000983----000-.html)

In one sense (I'm not married to this argument), declaring all asset
forfeiture to be an unconstitutional tyrannical abhorrence --- call this the
"Radley Balko Line Of Attack" --- plays into the hands of those who would
abuse it. There is virtually no chance that the fundamental process of asset
forfeiture will be reworked. Both liberals and conservatives, both Republicans
and Democrats all support it. Unsurprisingly, because in most cases, you
really do want seized those things the government seizes.

A far better way to foil people who would abuse civil forfeiture would be to
educate people about the processes made available to people to recover
property. One simple point rarely brought up by Reason Magazine: a simple
written request filed within something like 90 days of the forfeiture is all
it takes to force the government to defend their seizure in court.

~~~
solson
It's only alarmist when it isn't happening to you or someone you love. It
happened to my nephew, several thousand dollars in cash seized from his
college dorm room (he was a bartender, but should it matter? it isn't illegal
to have cash is it?), no charges filed and it would have cost him more than
they seized to attempt to get it returned. Back in the 80s, when I was in high
school they seized a local family's home because someone said they bought acid
from a boy who lived there. It made big news back then, this stuff was new.
The family lost the legal battle, they couldn't prove they didn't know their
kid was selling acid. The authorities couldn't prove he was selling acid
either, but that doesn't matter in these cases. To have your property
returned, you must prove you are innocent or ignorant which are both almost
impossible things to prove.

~~~
tptacek
Why would it cost him significantly to have it returned? According to US code,
a single note is all it takes to force a court procedure where the prosecutor
has to demonstrate a nexus between the money and a crime. What would it cost
your brother to go to court by himself? What would he have to lose?

Look, I see the issue here. Clearly, if the government was _randomly_ taking
thousands of dollars from people and forcing them to go to court to keep it,
that would be a miscarriage of justice. But that's probably not what happens
in reality.

Under what auspices was your nephew's cash seized? What's the other side of
this story? Is there really not another side to this story?

~~~
solson
There is. A kid left the frat and drowned in a river (it was a frat room not a
dorm room). Drugs were suspected. I'm not sure why. They executed a warrant
and took the money. BTW the autopsy found no drugs in the dead student's
system.

Anyway, you make this sound so simple, just send a note and go to court. Most
people are extremely intimidated by this stuff and they just want it to end.
Especially when you've already been violated and had your reputation impugned.
The advice they were given was it wasn't worth it.

Asset forfeiture is a serious problem. [http://www.aclu.org/blog/racial-justice/easy-money-civil-ass...](http://www.aclu.org/blog/racial-justice/easy-money-civil-asset-forfeiture-abuse-police)

"In 80 percent of such cases, the owner is not charged. The standard of proof
to be met by the authorities is the minimal "probable cause" standard. If the
owner wishes to regain possession, he has the onus of proving in court that
the property is "innocent"; his standard of proof is higher: a preponderance
of the evidence. In some cases, property has been seized for acts someone
other than the owner performed." <http://www.cato.org/pubs/policy_report/pr-ma-hy.html>

edit: I doubt they are doing this randomly, but they seem to be opportunistic
and they do target certain types of people - youth, poor, minorities. The
right to seize valuable assets is corrupting in nature. I think you'd see it
drop dramatically if the government wasn't allowed to keep the assets as a
fund raising mechanism.

~~~
tptacek
Again: that 80% stat? I'm certain it's true, but it's meaningless. The stat
you want is, how often are challenges to seizures denied. Because --- and I'm
not saying this is what happened with your nephew --- it is very likely the
reason that 80% of those seizures don't match up with a conviction is that the
people whose assets are seized are in fact criminals.

Recognizing that doesn't mean I think civil asset forfeiture is problem-free
or that Radley Balko doesn't have an argument with his stories on this issue.
But you can't just cite that stat as if it opened and shut the case.

I agree that one sensible step to take would be to foreclose on the use of the
assets as local funding mechanisms. I agree entirely with that.

Finally: I think your nephew was given bad advice.

~~~
prodigal_erik
I don't think it matters much whether many challenges are successful. When it
takes years and costs more in unrecoverable legal fees (it's a civil court
case, not merely a request) than most seized property is actually worth, very
few victims are going to bother.

[http://www.csmonitor.com/USA/Justice/2009/1209/p02s06-usju.h...](http://www.csmonitor.com/USA/Justice/2009/1209/p02s06-usju.html)

~~~
tptacek
I don't know how bad it is at the state level, but according to the US Code,
at the federal level it shouldn't take years; there's a rigid statutory
timeline on hearings, measured in increments of 30 days.

------
maeon3
Folks we are losing our basic human rights a little bit at a time here. It's
like back thousands of years ago where if you wanted to convict someone of a
crime you sneak them away in the night, torture them, set their house on fire,
attempt to manufacture some evidence, then wreck their life then leave them
alone for a little while. Vigilante justice, get 12 men together, and what
they want is the law.

It seems like some government agencies are turning into old vigilante justice
squads. Going around, setting people's lives upside down, being judge, jury and
executioner, then the victim is left to pick up the pieces where the real
criminal escapes justice from the law because the other branches of government
don't care.

It's like the 1200's all over again. We made laws against this sort of thing
for a reason. If you want to challenge the legality of some entity or
transaction then you can't just go and set their house on fire and then go
hide when it turns out you were wrong.

~~~
nazgulnarsil
Populism based jurisprudence will sink to the level of rigor demanded by the
populace: not much. It will also be subject to fashionable morality. That is,
the courts will tend to favor the party that is more aligned with the
ideological winds regardless of the facts of the individual case.

This is devastating to the economy, as contract law relies on consistency. If
parties can't expect predictable/neutral arbitration this greatly raises the
costs/risks of investment.

This is devastating to personal justice, as minorities (ideologically,
culturally, ethnically, etc.) face an uphill battle instead of neutral
arbitration.