At the very least, the courts should forbid the police from looking at any file timestamped before March 18, 2010
As already pointed out, timestamps can often be a problem. Limiting searches to a specific timeframe is difficult because of how the forensic tools work. It's infeasible to tell the tool "only search files and data between these dates". Indeed I wish that was possible - it would make things much faster!
But more importantly we are limited in what we can investigate. Not just for legal reasons but for cost as well. As a forensic examiner I feel (and I know most of my colleagues do as well) ethically obliged to stick to the requirements of the case - as tempting (for personal interest) as it is to poke into other corners of people's lives, it is entirely unethical and wrong.
True, but if someone is ordered to turn over 'all documents pertaining to topic X', they still might withhold documents. We don't allow the police to search all documents, just in case.
{edit} It would get messy if he was on a computer that had a faulty cmos battery (i.e. randomly your system clock is reset to the unix epoch). Trying to figure out the true date of files with timestamps of December 31, 1969 would be difficult. ;-) (I know that's prior to the epoch, but I had a faulty cmos battery in an old PowerBook and that's what would happen)
And they do use such limitations in cases where it'd be difficult/unlikely for them to be altered, such as timestamps kept by a third party. For example, subpoenas demanding that Google turn over email from a Gmail account usually specify a date range (I think there's even precedent that they're normally required to).
If the police are going to confiscate, why would they confiscate the whole computers, and not just the drives? Further, why not provide the option for the guy being served to get some new drives and copy the data to them before the police confiscate the original?
Usually the answer is that police, generally, have no clue about computers - enough to seize machines but not to safely remove the drives. Clearly that's not the case in this specific incident.
But there are other reasons. Firstly, when you remove drives from the machines you have to open them up, photograph the drives in situ, remove them, image and replace them. It's a reasonably time-consuming job (and I doubt you'd want police in your home for hours doing it :)). Secondly there may be issues imaging the drive; wrong connectors or just fickle drives. Usually in such a case you can fire up the original machine with the drive attached and load a forensic imager from CD to pull the data (in other words it's a fail-safe). And finally you have to photograph the computer's CMOS time next to an atomic clock to help validate any timestamps on the hard drives.
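The two comments above (timestamps being unreliable, and the CMOS clock being checked against a reference at seizure) can be combined into a small scoping pass. This is an added illustration, not code from anyone in this thread: it takes a constructed file listing, corrects each timestamp by a measured clock offset, flags the faulty-CMOS epoch case and future-dated files as unreliable instead of silently excluding them, and only then applies a date window such as the March 18, 2010 cut-off mentioned above. The imaging time, clock offset and file paths are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample listing: (path, mtime in UTC). Not data from any real case.
SAMPLE_RECORDS = [
    ("/home/user/docs/draft.txt",     datetime(2010, 4, 19, 15, 30, tzinfo=timezone.utc)),
    ("/home/user/docs/taxes09.pdf",   datetime(2010, 1, 8, 9, 0, tzinfo=timezone.utc)),
    ("/home/user/cache/index.db",     datetime(1969, 12, 31, 23, 59, 59, tzinfo=timezone.utc)),
    ("/home/user/pictures/img1.jpg",  datetime(2010, 4, 25, 12, 0, tzinfo=timezone.utc)),
    ("/home/user/desktop/notes.txt",  datetime(2011, 2, 1, 0, 0, tzinfo=timezone.utc)),
]

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
EPOCH_SLOP = timedelta(days=1)   # within a day of the epoch: clock reset, not a real date

WARRANT_START = datetime(2010, 3, 18, tzinfo=timezone.utc)   # cut-off date from the thread
IMAGED_AT = datetime(2010, 4, 26, tzinfo=timezone.utc)       # constructed: when the disk was imaged
CLOCK_OFFSET = timedelta(minutes=10)   # constructed: suspect's CMOS clock was 10 min fast


def scope_records(records, start, end, clock_offset=timedelta(0), imaged_at=None):
    """Sort file records into in_scope / out_of_scope / unreliable buckets.

    clock_offset is (suspect machine clock - reference clock) as measured at
    seizure and is subtracted from every timestamp before comparison.
    A timestamp is unreliable if it sits at the Unix epoch (faulty CMOS
    battery) or is later than the imaging time (clock skew); such files are
    reported rather than dropped, because the window cannot be trusted there.
    """
    buckets = {"in_scope": [], "out_of_scope": [], "unreliable": []}
    for path, ts in records:
        corrected = ts - clock_offset
        if abs(corrected - EPOCH) <= EPOCH_SLOP:
            buckets["unreliable"].append((path, "epoch reset"))
        elif imaged_at is not None and corrected > imaged_at:
            buckets["unreliable"].append((path, "after imaging time"))
        elif start <= corrected <= end:
            buckets["in_scope"].append(path)
        else:
            buckets["out_of_scope"].append(path)
    return buckets


def demo():
    """Run the scoping pass over the constructed sample with the sample window."""
    return scope_records(SAMPLE_RECORDS, WARRANT_START, IMAGED_AT, CLOCK_OFFSET, IMAGED_AT)


if __name__ == "__main__":
    for bucket, items in demo().items():
        print(bucket, items)
```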
Awesome detailed answer, thanks! My questions come from a basic concern for the suspect, and presumption of innocence before proven guilty. A confiscated computer not only may require extra care in "plain sight" restrictions as outlined in the article, but also extra care in "undue hardship". If I keep all my records on a computer, and that computer is confiscated, I am now without any way of doing basic stuff like paying bills. It would seem that being able to retain a copy of the data is relatively trivial, so such an option should be made available. Given that current practices seem to be "never see your stuff again", is there any reason not to allow it? (Perhaps not as it's taken, but shortly thereafter.)
Yeh. You've touched on the inherent trade-off of my job. If you have critical stuff on your computer then we will do our best to get a copy back to you asap (of course I can only talk for us).
The problem is not retaining the data. We work from images anyway. The issue is that if the drive contains evidence, returning the original would probably kill the case in court. If a defence analyst questions the data - say accuses us of faking it - how do you prove that if it goes back to the suspect?
I totally understand that last part, about evidence custody stuff. I find it vaguely totemic, in that the "one true datathingy" must be preserved (not on your part necessarily, on the whole court system in general). Good on you guys for getting data back to the suspect. I presume that if it all comes from images anyway, it would be trivial for me to bring in a couple TB of NAS and say, "data please" and just get raw image dumps.
I think to clarify my above stuff: rules of evidence should state that images of the computer files in custody should be made available to suspects in some short amount of time after they are processed, due to the easy copy aspect of digital media, and the critical nature of some data on the drives.
Currently the issue is that it is a logistical nightmare due to how large police forces work. Unfortunately we are on the outside so our suggestions mostly fall on deaf ears at management level :(
I guess we're going to find out how good Jason Chen's backup strategy is. I doubt he'll write anything for Gizmodo for a little while, but I wonder how long it will take him to get back up and running with all of his systems seized.
If I'm a paranoid tech journalist (I'm not), everything would be tucked away in a hidden TrueCrypt volume masked as a swap file, and all my other files would be in the cloud. Not sure seizures are even useful in such a case.
This is assuming you keep unencrypted stuff on the cloud. If you're TrueCrypting your entire drive, you probably won't leave anything unencrypted elsewhere unless it's totally innocuous.
IANAL but I don't think they can compel you to give up your TrueCrypt passwords as they're in your head. There was an ongoing court case (involving child pornography) about this topic.
IIRC, in that case the guy unlocked his encrypted drive for a border agent, the border agent saw child porn, then the computer was turned off (disabling access to the encrypted drive). The guy already showed the authorities that he had incriminating evidence on his encrypted drive. It's not exactly the poster-child case for being compelled to turn over your encryption keys/passwords.
The problem therein is programs that record your 'most recent documents.' If they refer to documents that aren't anywhere in what they confiscated, and/or on a volume that doesn't exist they may suspect that you have a hidden volume.
That's still an uphill battle, especially if stuff ain't hosted in the country you live in.
Like I said, I'm not paranoid, so I don't have time to go to such lengths, but simply having physical access to a computer these days may not yield nearly as much evidence as it may have a decade ago.
It can yield a lot more useful evidence though. You can't get the guy for the iPhone thing - but you now have:
Every website he has visited (are all those boys/girls/sheep over 18?)
Every book/DVD/toy he has bought - did he declare state tax on all the stuff from Amazon?
All his tax and business records.
Everywhere he has been, everyone he has phoned, emailed, texted, tweeted.
The police could get all this from other sources - but imagine going to a judge and saying "we can't prove the phone was stolen - so can we check all tax records for 10 years in the hope of getting him for something else?"
But by getting a warrant for computers they have a fishing expedition for his whole life.
The only point I was trying to make, which may have been missed, is that it's much easier to keep what you're doing anonymous than it has been in the past, by:
1 - using encrypted volumes
2 - putting stuff in the cloud (encrypted where possible)
3 - using the anonymous browsing mode (which most popular browsers support)
Forensic guys want to take images of the storage devices. They use tools such as dcfldd or purpose-built devices (Tableau) to do this. They'll then analyze the images and probably never touch the guy's hardware again. It will sit in an evidence room for eons. They could return the hardware as soon as they've done the imaging, but I've never seen that happen. Use whole disk encryption everywhere :)