Police Return Seized Hardware to Victorious BitTorrent Admin, Trashed (torrentfreak.com)
170 points by rbanffy on March 13, 2011 | hide | past | favorite | 43 comments



"It almost appears as if a frustrated FACT employee trashed the hardware on purpose before it was sent back. How else could it turn into such a mess, and why take the computers apart piece by piece in the first place? What were they looking for? Warez?"

I suspect that the cops are worried that, if they boot up the computer, it'll have a program which notices something is wrong and wipes the hard drive. So I'd guess they take the hard drives out and inspect them separately. At that point, they probably don't care about the rest of the computer, so don't care how it's treated. What they did was horrible, but perhaps this explains it as something other than malice.

What's the line about incompetence often being a more likely cause than malice?


I'd more likely suspect malice disguised as incompetence. I wouldn't doubt FACT has an unwritten policy of this. They're an anti-piracy organization and they had the computers of a bit-torrent tracker, of course they have an incentive to trash the machines.


I'd have thought that the incentive would be not to trash the machines as doing so makes them look like extrajudicial thugs when they claim to be on the side of the law.


As an institution, law enforcement seldom worries about whether its actions might look thuggish to others. And antipiracy organizations are explicitly about pounding down David at the behest of Goliath (regardless of your political opinions, the pirates are unquestionably poorer and have less political might than most copyright litigators), so I doubt they'd be more concerned than the average.


EDIT: I just realized that this case was in the UK. I don't know how much of what I'm about to say applies to their judicial system, but I'm going to leave it here anyway for those familiar with the UK to comment on.

I did computer forensic work for the US Trustee system. Chain of evidence and the whole deal, because occasionally, our evidence would be handed over to law enforcement and used in criminal cases. I can tell you that at no point during the process should any component be treated with any level of disregard. Something called the "chain of evidence" is required in order for anything you find to hold up in court. Here's a brief list of the steps taken when a computer is picked up and examined.

* Arrive at the scene, record the datetime, and fill out your pick-up forms. These forms include information about what is attached to the computer (displays, printers, external hard drives, any random devices, etc). Anything that stores data is taken with. You also catalog the general environment. What was around the computer? Did the place look trashed? Cleaned out? Just moved? Anything meaningful to the case is cataloged on the pick-up form.

* If the systems are turned on, record the datetime and shut them down.

* Unhook peripherals and pack the computers up in the van.

* As you're about to leave, record the datetime and fill out your vehicle mileage log.

* When you get back to the lab, check the computers in to lock-down. More forms including a complete inventory, and (you guessed it) more forms with the date and time on them.

* The computers are stored in a locked room with logged access until they are ready for examination.

* At exam time, you check out a computer or two (recording the datetime!) and head to a lab station. Here, before you do anything, you start to fill out your exam form, which requires that you document every alpha-numeric string you can find on the outside of the computer. We also took photos with a little point and shoot.

* Next it's time to extract the hard drives. You open the system up and pull one hard drive at a time, recording the manufacturer, model, serial number, size, sector count, etc. Anything on the label gets recorded and photographed. You also record where it was attached to (IDE channel and master/slave or SATA port number).

* Once you have the hard drives in hand, you attach them to the write-blocker (we used hardware) and hook them up to the forensic workstation (we used EnCase).

* I'm going to skip the forensic examination portion because it's not relevant to the physical condition of the returned hardware.

* After the examination, we would place the hard disks in protective plastic shells that we purchased and label the drive as evidence with (surprise!) the datetime, case number, and identifying information for the exam form (which linked the drive back to the computer).

* Rinse and repeat for each drive.

* At this point, you have a computer (sans-hard-drives) and a handful of hard disks that you check back in to the lock-up. Hard drives went in a HUGE data-safe fireproof cabinet. The PC case was screwed back on with minimal hardware and put back on a shelf.

* When a case was over, and assuming the debtor in question wasn't brought up on criminal charges and allowed to receive their hardware back, we returned the computers with the hard disks still in the plastic cases, but our labels clearly indicated the computer ID and SATA/IDE channels, so reinstallation was simple. Other times the equipment went to auction. If the equipment went to auction, we'd typically reinstall the drives to get best market value (heh, like that ever happened).

So the point I'm trying to make is this: at no point during the legitimate forensic process should a computer be banged up, subjected to dirt, or generally mistreated. Should this case have gone to court, every single one of those factors could be used by the defense to show mistreatment of evidence. What investigator would want to risk their case on something as simple as maintaining the chain of evidence? This is the #1 thing they hammer in to your head during forensic training.

I don't have any statistics on hand, but cases are won and lost on the basis of sound evidence. Whoever did this did it maliciously and intentionally. There is zero question in my mind.
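As an added example (not code from the thread or from bradleyland), here is a small audit of the kind of custody ledger those dated forms amount to: every handling step is an event, and the chain is checked for backdated entries, out-of-order steps and drives that never made it back to lock-up. The state machine, the item ids and the SHA-256 of each drive image are my assumptions; the comment describes forms, labels and photos, not hashes.

```python
"""Chain-of-custody ledger audit (added example, not from the thread).

Each handling step above is a dated form entry: seizure, lock-up
check-in, check-out for exam, drive imaging, check-in, return. The
SHA-256 of each image is an assumption added here, not in the comment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional
import hashlib


@dataclass(frozen=True)
class CustodyEvent:
    when: datetime
    item_id: str                  # which drive and which port, e.g. "PC-1/SATA0"
    action: str                   # a key of TRANSITIONS
    handler: str                  # who signed the form
    sha256: Optional[str] = None  # recorded only on "imaged" events


# Allowed next action for each item state (None = not yet seized).
TRANSITIONS = {
    None:          {"seized"},
    "seized":      {"checked_in"},
    "checked_in":  {"checked_out", "returned"},
    "checked_out": {"imaged", "checked_in"},
    "imaged":      {"checked_in"},
    "returned":    set(),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_chain(events: Iterable[CustodyEvent]) -> List[str]:
    """Audit a ledger in recorded order; an empty list means the chain is intact."""
    problems: List[str] = []
    state, last_seen, image_hash = {}, {}, {}
    for ev in events:  # not sorted: a backdated form is itself a finding
        if ev.item_id in last_seen and ev.when < last_seen[ev.item_id]:
            problems.append(f"{ev.item_id}: {ev.action} dated before previous event")
        last_seen[ev.item_id] = ev.when
        cur = state.get(ev.item_id)
        if ev.action not in TRANSITIONS.get(cur, set()):
            problems.append(f"{ev.item_id}: {ev.action} not allowed after {cur}")
        state[ev.item_id] = ev.action
        if ev.action == "imaged":
            if not ev.sha256:
                problems.append(f"{ev.item_id}: imaged without recording a hash")
            elif image_hash.setdefault(ev.item_id, ev.sha256) != ev.sha256:
                problems.append(f"{ev.item_id}: image hash changed between exams")
    for item, cur in state.items():
        if cur in ("checked_out", "imaged"):
            problems.append(f"{item}: checked out but never returned to lock-up")
    return problems


def sample_ledger(scenario: str = "clean") -> List[CustodyEvent]:
    """Constructed sample ledger for one drive; scenarios: clean, backdated, tampered."""
    t0, drive = datetime(2011, 3, 1, 9, 0), "PC-1/SATA0"
    image = sha256_hex(b"constructed disk image bytes")
    checkin_at = t0 - timedelta(hours=1) if scenario == "backdated" else t0 + timedelta(hours=3)
    events = [
        CustodyEvent(t0, drive, "seized", "examiner A"),
        CustodyEvent(checkin_at, drive, "checked_in", "examiner A"),
        CustodyEvent(t0 + timedelta(days=1), drive, "checked_out", "examiner B"),
        CustodyEvent(t0 + timedelta(days=1, hours=2), drive, "imaged", "examiner B", image),
        CustodyEvent(t0 + timedelta(days=1, hours=5), drive, "checked_in", "examiner B"),
    ]
    if scenario == "tampered":
        # Second exam produces a different image, and the drive never goes back.
        events += [
            CustodyEvent(t0 + timedelta(days=2), drive, "checked_out", "examiner C"),
            CustodyEvent(t0 + timedelta(days=2, hours=1), drive, "imaged", "examiner C",
                         sha256_hex(b"constructed disk image bytes, altered")),
        ]
    else:
        events.append(CustodyEvent(t0 + timedelta(days=30), drive, "returned", "examiner A"))
    return events
```

Run `verify_chain(sample_ledger("tampered"))` to see both findings a defence lawyer would seize on: an image whose hash no longer matches and a drive with no check-in form.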


> * If the systems are turned on, record the datetime and shut them down.

Did this ever lock you out of any machines configured to use Whole Disk Encryption or out of encrypted, mounted volumes? You could have dumped the keys out of ram, etc.

> we used EnCase

Did you ever come across any exotic filesystems that EnCase can't read, like XFS?


I work on criminal cases, so have a slightly different perspective to bradleyland.

> Did you ever come across any exotic filesystems that EnCase can't read, like XFS?

I've come across something "obscure" only once or twice (in several hundred cases). The bottom line is that most computer crime isn't conducted by technically adept people, but by normal people. i.e. Windows is by far the most common system, with Mac a distant (though growing) second :)

> Did this ever lock you out of any machines configured to use Whole Disk Encryption or out of encrypted, mounted volumes? You could have dumped the keys out of ram, etc.

There are all sorts of ways (as bradleyland explained) to get around this issue. The problem is that most material is seized by a normal police officer - so there is simply no way you can let them do a live acquisition :D (or indeed no way they would know they had to).

But there are all manner of ways to figure out, or sometimes crack, the encryption key and away you go :)

The times I've come across WDE I've managed to get round it fairly quickly, mostly due to "user error".


Thanks for the response!

> mostly due to "user error"

Can you elaborate on this? I'm aware of taking advantage of idiotic Firewire/USB drivers to inject code into a running system and the "evil maid" attack, but that's where my knowledge of WDE attacks stops.


Nothing fancy. Often we get a few computers in such cases, and they reuse passwords. Or write it down somewhere (that's a common one).

Or you can "guess" it from likely combinations (names, dates etc.)


> Did this ever lock you out of any machines configured to use Whole Disk Encryption or out of encrypted, mounted volumes?

That read weird to me too. My file system is totally encrypted and the easiest way to get a copy of it is to not turn the machine off but make a copy of the mounted hard disks first. That's true for any encrypted file system, sounds like a pretty big faux pas in the procedure.


From a technical perspective, there are definitely better ways to go about acquisition. It can be very hard for technical people to work in computer forensics because many technically attractive strategies are off-limits to you due to constraints that are wholly non-technical.

Think of it like this. Police would probably find a lot more evidence if they were able to search your car/property without consent, but they don't because that would violate your civil rights. The acquisition situation is a little bit different, because it's not strictly a matter of civil rights. It's more subtle. We have the right to examine the computer, but the process has to:

1) Hold up in a court as irrefutable and demonstrate a process that is inherently resistant to tampering.

2) Discover the evidence required to execute the legal strategy.

All the evidence in the world won't convict someone if the defense can take the position that evidence was tampered with. Using the computer prior to examination is akin to taking a gun used in a murder to the gun range before checking it in as evidence. Simply testifying that you didn't tamper with it doesn't do the trick. It very quickly becomes a chicken and the egg problem.


> Did this ever lock you out of any machines configured to use Whole Disk Encryption or out of encrypted, mounted volumes? You could have dumped the keys out of ram, etc.

At the firm I worked for, preservation was priority #1 any time we were walking in to a case with high trial-risk. In order to discover that the system was encrypted, I would have to use the computer. Using the computer means changing it. Protocol was really straightforward: If it's running, shut it down and get it to the lab.

Because we were working in the US Trustee system, we were dealing with business owners who were either in bankruptcy where a trustee had been appointed, or receiverships, which almost always involves a trustee (or like appointee). This means we weren't chasing kiddie porn, we were looking for the movement of money. Were we to encounter end-to-end encryption, the password is just a "motion to compel" order away. Failure to comply means you sit in a jail cell until you cough up the password.

Having said that, I don't recall ever having to go that far. Neither did we encounter any seriously hardened systems. Anyone smart enough to encrypt a system end-to-end at a company was usually on our side by the time we got there. In large businesses where this type of encryption is common, there is an IT person who can get past it. Bad business people have a tendency to make enemies out of their employees, and the trustee knew who to take care of.

In instances where we didn't have access to employees with the required knowledge to get in to systems, we relied on industry tools. We were mostly trying to crack in to things like QuickBooks files, Outlook PSTs, and protected documents, so not what you'd normally expect from a geek perspective (john, l0pht, etc). A lot of the stuff was proprietary, and at the end of the day, brute force and dictionary attacks were usually very effective.

We rarely encountered disk-level encryption on the systems we examined. App and document level passwords were the norm. I used to run the disk images through STRINGS(1) to extract every bit of text on the drive. Then, I'd break whitespace to newlines and use that as my dictionary. When you have three or four computers worth of strings, coupled with relatively unsophisticated users, you don't often strike out. We had a 100% success rate using standard crackers and the technique outlined above. It seems that users can't resist typing their password in plain text at some point in the life of their computer.

> Did you ever come across any exotic filesystems that EnCase can't read, like XFS?

I don't think I ever examined a computer that wasn't Windows XP. These were strictly business cases, so anything that wasn't Windows was a server, and that was a very rare case. Most of the time, we got approval to simply run the server systems in question to get the data we needed. The rules of engagement with servers were a little different. Servers involve a lot of multi-user access, so the chain of evidence requirements were a little different. We had to be the most careful with the personal workstations of the owners and accountants. I'd find emails requesting off-shore accounts, shell companies, etc. These had to be bulletproof in order to pin down the business owner.

I can't stress enough that I operated in a non-criminal, largely unsophisticated environment. Our rules for preservation were mostly precautionary. There was very little trial risk in our organization. It was mostly a matter of trying to identify assets and dig up any evidence that the owner was acting in a way that would put them in hot water. The trustee would use these items to squeeze the debtor in an effort to repay lenders.


> Failure to comply means you sit in a jail cell until you cough up the password.

So, keyfiles on easily-destroyable thumbdrives, then? If they say the only copy of the key (that they're aware of) was destroyed, that's basically equivalent to saying they wiped the disk; you can't really hold them expecting them to magically recreate it, right?


"Tampering with evidence is the knowing and intentional physical manipulation, altering or destruction or falsification of evidence relevant to a criminal case or investigation. It is important to note that tampering is not the accidental destruction or modification of evidence, it is only if the individual had reason to believe the material or item was part of an investigation."

Evidence tampering often carries much harsher penalties than the crime in question -- if a company is in trusteeship, wiping the disk (or doing the equivalent) can quite possibly be the dumbest possible thing you can do.


That's only in the case where you can prove that someone knew there would be an investigation and destroyed the key as a result. The nice thing about thumbdrives: they're incredibly easy to lose. If it's only needed for startup, you can just say that you lost it a long time ago, but it wasn't a problem because you just left the machine running. To disprove that, they'd need to check the system logs, which are, of course, also on the encrypted disk. :)


Thanks for the response. I'm not even in my 30s yet, but I feel old when I hear about John the Tripper and l0phtcrack. :)

> Failure to comply means you sit in a jail cell until you cough up the password.

I don't think this has precedent in a US court. The closest I can find is the following. He messed up by being initially cooperative:

http://en.wikipedia.org/wiki/United_States_v._Boucher

http://en.wikipedia.org/wiki/Key_disclosure_law#United_State...

This is also relevant for those interested in disk encryption:

http://news.techworld.com/security/3228701/fbi-hackers-fail-...


That certainly didn't stop the trustee from threatening with motion to compel orders in just about every case we worked. IANAL, so I have no idea what the enforceability is. Every law enforcement/trustee's worst nightmare is a well-informed suspect/debtor.


Er, that should be John the RIPPER, not Tripper. Can't edit, sorry. :(


> I just realized that this case was in the UK. I don't know how much of what I'm about to say applies to their judicial system, but I'm going to leave it here anyway for those familiar with the UK to comment on.

Yep, the process is pretty much the same here.

The bottom line is that with the sheer amount of hardware going through you do end up with some small damages (scratched cases, a few dead disks), but nothing on this scale.

It makes me mad, actually, to see this, and if he wants a hand finding out who to blame I'd be very happy to help with that. It gives my profession a bad name to see someone showing so little respect to someone else's kit :(


"* If the systems are turned on, record the datetime and shut them down."

Strange, I thought the best way was to keep them running and extract the private key or password from memory using some DMA-interfaced buses. For more information: http://www.hermann-uwe.de/blog/physical-memory-attacks-via-f...


Basically the same system in the UK - except they then leave a copy of the data they found in a bar (if it's top secret) or in a cab (if it's financial)

They then show the evidence that they found child porn in court - and on appeal discover that the child porn came from a senior officer's machine.


> the cops are worried that, if they boot up the computer, it'll have a program which notices something is wrong and wipes the hard drive

That's why you take the drive out and image it and keep it powered down and analyze just the image. You don't boot the computer you seized as evidence.


I've read a few stories now about property being seized by the police and returned damaged or not at all. What legal options does one have in that situation?

EDIT: from the comments:

> Yes he has recourse, if the police didn't find anything illegal in their search then ALL damages must be paid for.

Fair enough. What if they had found something?


In the US if the authorities use civil forfeiture they can keep your property even when you aren't even charged with a crime and there is little you can do to get it back. http://en.wikipedia.org/wiki/Asset_forfeiture

It is generally used in organized crime and drug cases but has expanded greatly in recent years. It is now routinely used to seize cars in DUI cases. They can and do legally keep the property without even charging the driver with DUI or any other crime. http://www.slate.com/id/2243428/

I don't know about the UK but I am surprised any property was returned.


Alarmist. Civil asset forfeiture is not carte blanche for local and state governments to take property. There is an elaborate due process system surrounding it. The often-cited statistics about how few forfeiture cases are accompanied by criminal convictions are obviously and clearly biased: much crime goes unpunished, and if you are in fact running drugs (the nexus of the vast and overwhelming majority of forfeiture cases), you're probably not going to go to court to get your Escalade back.

Details:

http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_0...

In one sense (I'm not married to this argument), declaring all asset forfeiture to be an unconstitutional tyrannical abhorrence --- call this the "Radley Balko Line Of Attack" --- plays into the hands of those who would abuse it. There is virtually no chance that the fundamental process of asset forfeiture will be reworked. Both liberals and conservatives, both Republicans and Democrats all support it. Unsurprisingly, because in most cases, you really do want seized those things the government seizes.

A far better way to foil people who would abuse civil forfeiture would be to educate people about the processes made available to people to recover property. One simple point rarely brought up by Reason Magazine: a simple written request filed within something like 90 days of the forfeiture is all it takes to force the government to defend their seizure in court.


It's only alarmist when it isn't happening to you or someone you love. It happened to my nephew, several thousand dollars in cash seized from his college dorm room (he was a bartender, but should it matter? it isn't illegal to have cash is it?), no charges filed and it would have cost him more than they seized to attempt to get it returned. Back in the 80s, when I was in high school they seized a local family's home because someone said they bought acid from a boy who lived there. It made big news back then, this stuff was new. The family lost the legal battle, they couldn't prove they didn't know their kid was selling acid. The authorities couldn't prove he was selling acid either, but that doesn't matter in these cases. To have your property returned, you must prove you are innocent or ignorant which are both almost impossible things to prove.


Why would it cost him significantly to have it returned? According to US code, a single note is all it takes to force a court procedure where the prosecutor has to demonstrate a nexus between the money and a crime. What would it cost your brother to go to court by himself? What would he have to lose?

Look, I see the issue here. Clearly, if the government was randomly taking thousands of dollars from people and forcing them to go to court to keep it, that would be a miscarriage of justice. But that's probably not what happens in reality.

Under what auspices was your nephew's cash seized? What's the other side of this story? Is there really not another side to this story?


There is. A kid left the frat and drowned in a river (it was a frat room not a dorm room). Drugs were suspected. I'm not sure why. They executed a warrant and took the money. BTW the autopsy found no drugs in the dead student's system.

Anyway, you make this sound so simple, just send a note and go to court. Most people are extremely intimidated by this stuff and they just want it to end. Especially when you've already been violated and had your reputation impugned. The advice they were given was it wasn't worth it.

Asset forfeiture is a serious problem. http://www.aclu.org/blog/racial-justice/easy-money-civil-ass...

"In 80 percent of such cases, the owner is not charged. The standard of proof to be met by the authorities is the minimal "probable cause" standard. If the owner wishes to regain possession, he has the onus of proving in court that the property is "innocent"; his standard of proof is higher: a preponderance of the evidence. In some cases, property has been seized for acts someone other than the owner performed." http://www.cato.org/pubs/policy_report/pr-ma-hy.html

edit: I doubt they are doing this randomly, but they seem to be opportunistic and they do target certain types of people - youth, poor, minorities. The right to seize valuable assets is corrupting in nature. I think you'd see it drop dramatically if the government wasn't allowed to keep the assets as a fund raising mechanism.


Again: that 80% stat? I'm certain it's true, but it's meaningless. The stat you want is, how often are challenges to seizures denied. Because --- and I'm not saying this is what happened with your nephew --- it is very likely the reason that 80% of those seizures don't match up with a conviction is that the people whose assets are seized are in fact criminals.

Recognizing that doesn't mean I think civil asset forfeiture is problem-free or that Radley Balko doesn't have an argument with his stories on this issue. But you can't just cite that stat as if it opened and shut the case.

I agree that one sensible step to take would be to foreclose on the use of the assets as local funding mechanisms. I agree entirely with that.

Finally: I think your nephew was given bad advice.


I don't think it matters much whether many challenges are successful. When it takes years and costs more in unrecoverable legal fees (it's a civil court case, not merely a request) than most seized property is actually worth, very few victims are going to bother.

http://www.csmonitor.com/USA/Justice/2009/1209/p02s06-usju.h...


I don't know how bad it is at the state level, but according to the US Code, at the federal level it shouldn't take years; there's a rigid statutory timeline on hearings, measured in increments of 30 days.


> In some cases, property has been seized for acts someone other than the owner performed.

My first father in law (that sounds weird) had a SUV stolen. On the same afternoon, it was involved in two robberies - one supermarket, one bank - and one murder (one of the robbers was shot by his colleagues). It took him a while to get the car back.

Note: it happened in Brazil.


Seizing 80-year-olds' houses because their grandson was caught with weed, or seizing the home of a pair of doctors who were giving weed to cancer patients.

Then strangely not applying the same law when the mayor's/governor's kids are caught with a joint.


What's your point? How many cops get speeding tickets? Did you know that technically, it's just as illegal for them to casually run red lights in their squad cars as it is for you to? Shall we do away with red lights?

My point isn't that asset forfeiture is invariably defensible. It is obviously abused. My point is that it's being built up into a bogeyman. This perspective, perversely, robs people of their ability to defend themselves against it.


My point is that once local politics - remember it isn't cops that seize property, it's DAs - kicks in, then laws which are only for use against terrorists/major drug dealers/organised crime can be used against ordinary people.

And given the population sizes of terrorists/drug dealers/etc compared to ordinary people - they are almost always used against ordinary people.


Cite evidence for that last sentence. It is an extraordinary claim: that law enforcement is in fact a massive criminal conspiracy used to defraud ordinary people of their lawful property.


He didn't make that claim. He claimed that the asset forfeiture laws are almost always used against "ordinary people," whom he distinguishes from "drug dealers/terrorists/etc."


In the UK 'Regulatory Investigative Powers' RIP was introduced to catch terrorists and international drug dealers. It allows government to get pretty much unlimited snooping ability on phones, web visits, cell phone location etc.

Within a year the majority of RIP requests were from local city councils famously investigating cases of dog crap and people giving a false address to get kids into better schools.


That is certainly an interesting and uncited fact, but it hardly qualifies as evidence that forfeiture laws are almost always used against ordinary people.


> Fair enough. What if they had found something?

In most civilized countries being guilty does not give the police the right to destroy your property any more than is necessary to do their duties.


Indeed. He needs to very carefully document every bit of damage (photos of everything, paper evidence of the age of equipment if possible, etc), and claim in detail for everything, and his time and legal costs.


Folks we are losing our basic human rights a little bit at a time here. It's like back thousands of years ago where if you wanted to convict someone of a crime you sneak them away in the night, torture them, set their house on fire, attempt to manufacture some evidence, then wreck their life then leave them alone for a little while. Vigilante justice, get 12 men together, and what they want is the law.

It seems like some government agencies are turning into old vigilante justice squads. Going around, setting people's lives upside down, being judge jury and executioner, then the victim is left to pick up the pieces where the real criminal escapes justice from the law because the other branches of government don't care.

It's like the 1200's all over again. We made laws against this sort of thing for a reason. If you want to challenge the legality of some entity or transaction then you can't just go and set their house on fire and then go hide when it turns out you were wrong.


Populism based jurisprudence will sink to the level of rigor demanded by the populace: not much. It will also be subject to fashionable morality. That is, the courts will tend to favor the party that is more aligned with the ideological winds regardless of the facts of the individual case.

This is devastating to the economy, as contract law relies on consistency. If parties can't expect predictable/neutral arbitration this greatly raises the costs/risks of investment.

This is devastating to personal justice, as minorities (ideologically, culturally, ethnically, etc.) face an uphill battle instead of neutral arbitration.



