Judge: No cryptographic hash analysis without warrant

In a case that could have important implications for law enforcement investigations throughout the US, a federal judge has ruled that the cryptographic fingerprinting of suspects' hard drives constitutes a search for purposes of the Constitution. The decision by US District Judge Yvette Kane in the Middle District of …

COMMENTS

This topic is closed for new posts.
  1. MadonnaC
    Coat

    Pirates Ahoy

    All we need is partitioning software that will divide it physically......

    What do you mean it uses Logical Block addressing - does that mean we have a judge whose grasp of technology stops with paper tape?

    Mine's the one with the hard drive in the pocket

  2. Christopher Martin
    Unhappy

    "each platter constitute[s] its own separate container"???

    I thought this was a surprisingly sane ruling, until this came up at the last minute. Under what circumstance is a warrant ever going to be issued to search a particular platter of a hard drive, excluding others? Does she not realize that the construction of a magnetic disk has nothing to do with data organization?

  3. Paul
    Thumb Up

    I'll give her points for effort

    It doesn't sound like she really "groks" the whole computer thing, but she got the important part right. Clearly hashing on the files on a disk constitutes a search. And given the large amount, and variety, of information on a hard drive, it makes sense to treat it as more than a single container.

  4. Chris C

    Good and bad, right and wrong

    While I applaud the judge in acknowledging the existence of the fourth amendment and its intended purpose, I do feel she may have erred in this case. If the suspect truly did leave his computer behind when evicted, then he abandoned it. As such, it should no longer be protected by his fourth amendment right. Once he abandoned it (as opposed to accidentally leaving it behind or, more likely, not being allowed to retrieve it), it was no longer his possession, and as such, the person who did take possession of it had every right to turn it over to the police, who then had every right to examine it without a search warrant (since the new owner voluntarily, without being coerced or threatened, gave them permission).

    I also think she erred in considering each platter a separate container. Using that mindset, the police would need to get a separate search warrant for every platter, which is unfeasible (they would first need to get a search warrant for the drive itself, then record the model number and look up its specs to determine the number of platters, then get a warrant for each platter). Without examining the file allocation table, you don't even know what platters hold the file(s) you're interested in. And if the drive does not map logical sectors to physical sectors (for example, if they borrow that technology from new SSDs), then there is no way to determine which platters the data is on since the drive's controller board will likely only tell you the logical sector number. Simply put, the hard drive is one device, one container.

    With all that in mind, the prosecutor is an absolute idiot and/or liar for saying that taking a hash of the drive's contents does not constitute a search. That would be like saying "well, we examined every book and every paper in his filing cabinets, but we didn't conduct a search". And while the prosecution personnel themselves may not have looked at the files' data, their program most certainly did, as it needed to in order to create the hashes. Therefore, there can be no doubt that a search did, in fact, occur. This still leaves open the question of whether it was a legitimate search or not (whether or not they needed a warrant).

  5. This post has been deleted by its author

  6. Dave Bell

    Settling down with the popcorn and cola...

    This ruling is going to be appealed.

    Settle down for a long show, folks.

    Yeah, there's some strange stuff, but consider the instance of a RAID system. This is just the opening number.

    Good start, ain't it.

  7. James

    Platters

    "Without examining the file allocation table, you don't even know what platters hold the file(s) you're interested in."

    Worse than that - unless there are very, very few files on the disk, the file allocation table itself (or the Master File Table, for machines using NTFS) will be spread across all the platters anyway! The platter aspect seems ridiculous, since even the operating system itself has no idea which platter it's putting a block of data: it appears as a single set of blocks of data these days.

    I suspect she was confusing platters with disks, but even there I'd say she's stretching it a bit: a warrant specifying the computer as a whole should suffice. Does it really matter whether there's one disk, two or a whole big RAID array in the case?

  8. Anonymous Coward
    Black Helicopters

    I'm impressed

    OK, the technicalities weren't quite correct, but the judge is not an expert. The key thing is she got the right idea!

    OK, he shouldn't have had that stuff on his HDD, but the cops should have got a search warrant (must've been easy enough).

    "each compartment, disk, file, folder and bit,"

    How can they claim they hashed each _file_ without recording some actual information from the drive? At bare minimum, they'd need to read and interpret the file allocation table, more likely is that it was NTFS so they had to traverse the entire file structure, reading and interpreting as they go to determine where other files are.

  9. Jacqui

    chain of evidence

    Let me get this straight.

    Someone not in law enforcement plays with someone else's machine for an unknown time and then finds a heap of stuff and this is considered valid evidence?

    Changing timestamps of files (even down in raw NTFS blocks) is noddy stuff with a live linux distro and UNDETECTABLE ON A DISK IMAGE. The only way to detect such tampering is removing the platters and looking for residual images with a TEM (expensive).

    This is one reason why unless there is a chain of evidence (a list of handovers etc) AND you can prove that the item was authored by someone then tampering must be considered and the evidence be rejected.

    I could *easily* plant files into a NTFS disk undetectable in a disk image copy with one of the three main live linux security distros and a bit of C code - overwriting disk blocks is not exactly "rocket science".

    Jacqui

  10. Anonymous Coward

    Search without warrant in a civilized country, NO!

    So you need suspicion and a warrant to search people. Innocent people are protected by their right to privacy and a judge upheld this and refused the FBI reach-around.

    Nowhere in the civilized world would any politician be so stupid and think so little of the people that vote for them, that they would permit random searches without cause or judicial check.

    You'd have to be a f**king moron to create a random stop and search law. Some sort of fear ridden mentally ill person with a power complex would be needed.

    Thank god nobody is so stupid as to treat everyone as criminals and wonder why the people hate them. Yes nobody outside of tin pot dictatorships, with their censorship of words would be so hateful as to do that.

  11. Anonymous Coward
    Thumb Up

    Fourth Amendment

    Wow, a judge who knows what the Fourth Amendment is and is willing to smack the state around with it, good job.

  12. Steen Hive
    Thumb Down

    Eh?

    Maybe the stupid prosecutor should have applied to our tech-friendly judge and had a bloody search-warrant issued! Like, "We have an eye-witness account that this computer is packed with fiddled kiddies", maybe? Prat.

  13. Steven Knox

    Containers

    "I also think she erred in considering each platter a separate container. Using that mindset, the police would need to get a separate search warrant for every platter."

    No. Similar to a warrant allowing police to search your house and any containers found therein, they could get a warrant to search your computer and any containers therein. In this case, the police did not have a warrant to search the computer AT ALL. Their argument was that computer had already been "breached" by the acquaintance, as if it were a container of alcohol. However, the judge in this case rightly concluded that viewing a few files on a computer does not constitute exposing the entire filesystem to the public.

    The reference to the platters makes sense when you look at the method of search used in this case: the application hashed the drive sector-by-sector, not file-by-file. In that way, it was viewing the physical organization of the data, not the logical. If the police had browsed folder-by-folder, then a logical-based container argument would have made sense (and then the folders would be the separate containers.)

  14. I. Aproveofitspendingonspecificprojects
    Boffin

    One slight problem

    "Good and bad, right and wrong

    By Chris C Posted Saturday 15th November 2008 03:02 GMT

    While I applaud the judge in acknowledging the existence of the fourth amendment and its intended purpose, I do feel she may have erred in this case. If the suspect truly did leave his computer behind when evicted, then he abandoned it. As such, it should no longer be protected by his fourth amendment right. Once he abandoned it (as opposed to accidentally leaving it behind or, more likely, not being allowed to retrieve it), it was no longer his possession, and as such, the person who did take possession of it had every right to turn it over to the police, who then had every right to examine it without a search warrant (since the new owner voluntarily, without being coerced or threatened, gave them permission)."

    With all the time it took you to write all the above it never occurred to you that the machine, if not under the suspect's control, is itself suspect?

    I own a vehicle. Suppose it was used to commit a crime when it was not in my possession? I am not guilty am I? Suppose I used it as the sole user despite it being in the safe keeping of a third party? Still not necessarily guilty.

    So if the judge had found any different, the perp would still have a good reason for walking.

  15. Richard Porter

    And the moral of the story is

    Don't save your porn pics as received but do a bit of editing, resizing, format changing etc.

  16. Keith T
    Thumb Up

    She got the right result.

    She got the right result.

    Clearly to copy a disk drive you have to examine it. You have to access the disk, read what is on it, and make a copy.

    It is like going through someone's wallet or papers.

  17. Anonymous Coward

    a judge that understands technology

    I'm mega impressed, I can't honestly see any British Judge being able to understand computers to this level of depth!

  18. Dick Emery
    IT Angle

    Hash changes

    Hmm. I am surprised there is no program that automates the changing of a file's hash. For image MPEG/JPG etc this should be no real problem as the format is robust enough to withstand it and to the naked eye/ear is usually invisible/inaudible. Unlike files that need to stand exactly the same such as zip files and exe's.

  19. Kanhef

    @AC 14:49

    "Thank god nobody is so stupid as to treat everyone as criminals and wonder why the people hate them."

    Every company that uses DRM is treating their customers as criminals.

    Also, note that he was being evicted and someone "took possession of his computer." Since he was forced out, rather than leaving voluntarily, it's probably not considered abandoned property. Suppose you go on vacation for a month and someone steals your car on day 26. Does that make him the rightful owner of it, as it wasn't being used and is now in his possession? No. Something can be considered abandoned only if the current owner clearly and unambiguously has no intention of retrieving or making use of that item again.

  20. Anonymous Coward

    Biometric searches

    So legally, where does that put searches of biometric databases? Does that constitute an intrusive search?

  21. Chris Ovenden
    Alert

    Jacqui is right

    Laudable though the Judge's remarks are regarding the technicalities of the search, there seems also to be reasonable doubt whether the computer's owner was the one who put the files there.

    Obviously there are going to be many cases like this in the coming years; it's reassuring to see this one get off on such a good foot, technologically.

    One has to wonder how this software works that can hash files by inspecting individual sectors on a disk, when a file - especially a large one - is almost certain to be physically spread around.

  22. Ken Ryan

    @Chris C, et al.

    FYI, any modern disk drive (anywhere in the last 7-8 years or so) does logical block mapping all the time. It's not just SSDs.

    Getting capacities up has required tolerances to be so small in the magnetic domains and mechanical alignments that read errors crop up constantly. The drive starts out with thousands of spare sectors, and logically maps them in as read errors crop up.

    In addition, the notion of a fixed "sectors per track" is also outdated. Outer tracks are physically much longer than inner tracks, so many more sectors are written there (this became feasible once the read channel became much faster than the linear platter speed).

    The traditional cylinder/head/sector numbering is pure fiction nowadays, present only because of a certain OS and the BIOSes which support it.

  23. yeah, right.

    Almost...

    As others, I thought the ruling quite sane.. until I got to that last quote and realized that the judge just didn't quite understand what the hell she was on about.

    The rest of the ruling makes sense, but that last line could put the judgement in line for being overturned. Which is unfortunate.

  24. Dennis
    Black Helicopters

    planning for an appeal?

    I too was one who was nodding their head yes to the judge's decision, until the very end. The platter section was obviously strange.

    Maybe it was done on purpose, to provide an opening for later appeals?

    Black helicopter....just in case the judge was that smart?

  25. Dave
    Linux

    @Dick Emery

    Actually, there are plenty of tools like this already, though intended for almost exactly the opposite purpose: steganographic security hides data in the least significant bits of an image, in exactly the way that you describe. The purpose is to hide small amounts of text, but the effect is the same: the original image is altered imperceptibly.

    This is also the crux of why the Judge was correct: the intent of the hashing was to identify the files conclusively, regardless of how the file names had been changed. Regardless of how this was achieved, the entire purpose of the task was to match the files against stuff the government knew about. This could quite easily be extended to work at a lower level, identifying any files that contain the word 'terror' or ENRON or whatever.

  26. TeeCee Gold badge
    Stop

    Appeal? Don't blame the judge.

    The judge almost certainly thinks that "platters" are somehow related to a once-popular beat combo. Rightly so. Judges are not there to make their own evidence up, they're there to produce a judgement based on the evidence presented.

    You want the culprit? Blame the defence attorney who managed to get the judge to swallow his technologically-illiterate bullshit argument hook, line and sinker. If there's an appeal based on the risible nature of the justification for judgement, the defence will have brought it on themselves.

  27. Gordon Pryra

    whatever

    The system was played with by someone who then gave it to the police saying "look what I've found on here"

    The person giving it to the police was also the guy who was pissed off at the original owner for not paying his rent.

    I wonder how this "Evidence" would stand up to any decent lawyer? Legally obtained evidence or not, it's still been tampered by a non-neutral party with a grudge to grind.

    The police would do well to search HIS systems, 10 quid says he's hashed things up (hahaha)

    and left some of those files on his own computer when he copied them over

  28. Anonymous Coward
    Pirate

    @ @AC 14:49 By Kanhef

    He was evicted and someone took possession of his computer. If this seizure was legal then title passed and thus ownership has transferred, thus the new owner has every right to do what he wants with it - including passing it to the police...

  29. Tom

    Judge is all wet

    Since the drive was turned over to them by the landlord who was evicting a tenant for unpaid bills, no search warrant is necessary. Her technical analysis is even loonier. I will grant that if the hard drive had been seized directly from the defendant without a warrant that the search of the hashes would have constituted a search. However, as it was not taken directly from the defendant, it is not a warrantless search. This does allow for the defense to raise the possibility that someone else put the data on the hard drive, but the reasonableness of that claim is for the jury to determine. That's why we have juries here in The States.

  30. kain preacher

    Um a few things

    Since the drive was turned over to them by the landlord who was evicting a tenant for unpaid bills, no search warrant is necessary. Her technical analysis is even loonier.

    You said evicting, not evicted. If the person was still living there and had not been removed from the premises then the landlord had no right to use/ search his computer. Secondly the evidence would have had to have been in plain sight without a warrant.

  31. Graham Marsden

    @Tom

    > Someone (later defined as "the landlord's acquaintance") who took possession of his computer stumbled upon some of the forbidden files and reported them to police.

    Or maybe the landlord's acquaintance decided to access some kiddie porn himself and then reported it?

    And was it legal for that acquaintance to take possession of that computer anyway? I don't know how the US system works, but AIUI in the UK it is illegal for a landlord to take possession of a tenant's personal property, they must apply for a Court Order for Bailiffs to remove the tenant and/ or any property, not simply grab it themselves.

  32. James Butler
    Thumb Up

    Platters et al.

    I think the judge was correct in identifying the disk subsystems as separate elements, even if it is a bit premature. Consider:

    Search warrant is obtained to search "the house"

    -- Does not include searching within "the computer"

    Search warrant is obtained to include "the computer"

    -- Does not include searching within any "virtual drive" not included within "the computer" case

    A "virtual drive", such as storage provided by Google or another resource, is simply space allocated to the subscriber. That "space" may take up clusters on any number of physical hard drives. Does a search warrant encompass the entirety of all of those hard drives? No it doesn't ... it only encompasses that space being used by the defendant, exclusive of the space being used by other subscribers.

    Therefore a search warrant that only specifies "the computer" cannot be presumed to apply to all of the data accessible from that computer. There may not even be a hard drive in "the computer", for that matter.

    Therefore a search warrant must explicitly define the exact scope of the area to be searched, including any specific portions of any "virtual drives" so as not to infringe on innocent subscribers' "virtual drive" materials.

    Similarly it cannot be assumed that the entire physical hard drive within "the computer" contains only the defendant's materials: There may be other users of "the computer" whose rights would be infringed by a blanket search of the entire hard drive mechanism.

    Therefore the search warrant must specify exactly which parts of the hard drive(s) are subject to the warrant, in order to preserve the rights of innocent co-users.

    Therefore the platters come into play, along with the FAT and any other allocation mechanisms that would specify the location of the data segments being searched for.

    Speaking with defense attorneys, here in my office, it seems that they are doubtful any more of these challenges will succeed. I am strongly encouraging them to argue against the inclusion of evidence gathered pursuant to ANY search warrant that stops at the level of "the computer", because while that level of detail may have worked up until now, it can clearly be successfully challenged, and it needs to be, if the true nature of technology is to be recognized, going forward.

  33. Anonymous Coward
    Stop

    So there are multiple problems

    The first of which is proving that (1) evictee actually owned the computer and had control over it at all times. Second, that police did not obtain the computer in a direct line of acquisition from the alleged suspect in the case. There is, in fact, almost no way of conclusively proving that the original owner put the pr0n on the computer and that it wasn't in fact the landlord or his accomplice (erm, friend). Third, that upon obtaining control of the computer the police did not, in fact, apparently, acquire a legitimate search warrant based on the claims of the landlord's "friend".

    Fourth, that the computer was not infected with a virus or some other piece of malware which could have downloaded the pr0n onto the computer without the evictee's knowledge.

    Is this leaving a doubt yet? It ought to; you may find yourself in this circumstance some day and it's way better to be considered innocent until proven guilty than guilty until you can prove yourself innocent.

    I appreciate the judge ruling properly in this case on the unwarranted search. This blighter will still be battling uphill to "prove" his innocence as the cry of "kiddie pr0n" will have the witch burners out and he will be roundly condemned by 99.9% (and probably murdered by the other .1% if they get the chance).
