If the data has legitimate evidentiary value, the FBI should be taking images of the drives then returning the full servers to service... and not the other way around, where innocent companies only get disk images back.
What's more, with the right equipment and staff, this could have been done onsite at the colo facility, in the first 24-48 hours, turning machines back on as soon as the FBI had a forensic copy of their persistent storage.
I'll go ahead and play devil's advocate here for a moment and look at it from the FBI's point of view. I can imagine that they would rather keep the original equipment and make copies for the involved parties. What if they missed something during the copy or the machines were modified in some strange way? They don't really want to blow their case.
I agree that they should do it onsite, however, and not make them wait days or weeks to get it back. It's a lame excuse to seize that many machines just in case without the ability to assist the businesses to keep operating, especially in the current economic environment we're in.
Yes, I'm sure that's their reasoning. But we'd never accept it if, for example, they shut down an entire office building or mall because of a crime in just one tenant's space, or even a crime by the landlord... on the off chance a tiny bit of evidence might be in one of the corners of the building.
They get away with it here because the data center is out of view and the losses are abstract. But the costs they're imposing on third parties, just to save themselves a little trouble and risk of misidentifying evidence, are unreasonable.
Residences are protected against overly broad search and seizure through the procedure of getting a warrant. A warrant is for a specific address. The police can't go and cordon off the whole block just because they want to make sure they get one house.
There needs to be some sort of analogous procedure for datacenters.
This is a good example of the FBI's answer to the question "Is it better that guilty man go free than 1,000 innocent men be punished?" The FBI is doing their job to get the 1 or few guilty parties (allegedly - they're innocent until proven otherwise), but in the process hurting many others.
If anything I think that the FBI should have at least provided more aid to the innocent parties. Honestly, making them supply their own drives to recover their data? That's pretty low in my book.
If the FBI allowed them to have access to their data by copying the hard drives over, why not let them have the rest of the system back? After all, the original hard drive is the only part of the system that retains data/evidence.
Our servers actually have a full embedded ARM Linux installation to support IPMI[1]. It has a separate processor, power management, flash storage, et al, and operates independently of the installed OS. The onboard IPMI module runs as long as the machine is connected to a power source.
The card can be re-flashed from the running OS, and actually runs a number of open source network daemons with known vulnerabilities.
It can interact with the BIOS, provide network access to the console, access the network via the host's ethernet chipset, supply the OS with pseudo-disk devices (CD-ROM, floppy) ...
Yes, a lot of servers have this. My point was more along the idea that as long as the FBI has the drives, they don't need anything else - so they should return everything except the original drives.
Wouldn't the FBI need to secure any onboard storage, including an embedded computer running Linux? Can they (currently) guarantee that they've found all locations on which evidence could be stored?
IPMI servers and related devices like Sun's LOM and HP's iLO have little to no storage space, perhaps a few MB of flash.
You can set up a limited number of users, like 16, and cannot store or access random data (i.e. you cannot use it like a 1GB USB drive). Of course, you could image that data, as there are tools under Linux etc. that let you read the IPMI / LOM / iLO information.
The management modules are often considerably more powerful than what is necessarily exposed via IPMI -- A number of SuperMicro's IPMI modules have more than a few megabytes of flash, and do run an embedded version of Linux.
The module's capabilities are not all that different from OpenWRT; they run Linux, have a network connection, provide a web UI including a 'VNC' server for the VGA console, run (IIRC) net-snmp ...
If I wanted to obscure my intentions, I definitely would leverage such non-obvious embedded systems.
more reason to have at least a daily backup of your site on S3. Unless you are hosting trillions of TBs, its affordable enough as an offsite backup solution
Actually a canny data-center operator might be able to offer a limited free service to something like a hospital, allowing them to argue that a wholesale shutdown might threaten lives. Done just right, the hospital gets a free service and the data-center gets protection.
What's more, with the right equipment and staff, this could have been done onsite at the colo facility, in the first 24-48 hours, turning machines back on as soon as the FBI had a forensic copy of their persistent storage.