Showing posts with label encryption. Show all posts

Monday, April 21, 2014

Privacy, Hacking, and Information Security Tools: A Primer for Legal Professionals (Part I)

I thought it might be useful to describe some commonly used tools in the Information Security sphere that should be on every attorney's radar, for myriad reasons. Perhaps you are defending a client who has used such a tool; or, you wish to uphold your obligations under the Model Rules to truly make your attorney-client communications confidential.

This may become a multi-part post, given the plethora of tools out there (and further posts will, to some extent, depend on whether people find this post to be useful - so feedback would be great).

1.   To start, a tool used by hackers, privacy enthusiasts, and others is Tails, "The Amnesic Incognito Live System." It is a LiveCD/Bootable OS that comes packed with baked-in privacy tools; the most important feature being that the network configuration forces all traffic through the Tor Network. From the Tails page, the OS allows you to:
-use the Internet anonymously and circumvent censorship;
-all connections to the Internet are forced to go through the Tor network;
-leave no trace on the computer you are using unless you ask it explicitly;
-use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.
So, you can boot with the LiveCD, do all of your surfing anonymously in the Tails OS (modified Linux), and then restart back into your regular operating system without leaving forensic tidbits on the hard drive; the OS operates in running memory, so upon reboot the memory is wiped (RAM does not persist across a reboot, with some caveats). The "Warning" page gives a good synopsis of various gotchas that can limit your anonymity and/or complicate the goal of covering your tracks.

Some people, like yours truly, use Tails in a bootable VM image. There are some drawbacks to that approach (it makes it easier to leave forensic artifacts). Thankfully, I'm not doing anything illegal, so I really don't care. It's a good way to get on Tor and ensure all traffic does indeed travel through onion routing.

**Side note - most people are familiar, at least superficially, with Tor (given the press surrounding Silk Road). However, there are other closed/anonymous peer-to-peer networks out there, most notably, I2P. **

2. A lot of people are lulled into a false sense of security when they sign up for offshore or self-avowed "totally anonymous" VPN providers. HideMyAss, a popular VPN provider, didn't hide the ass of a LulzSec member, instead providing information to the FBI that assisted in his arrest. More nuanced yet is that even if you use a VPN provider that does not keep logs (an assertion I always take with a grain of salt), VPN users often misconfigure their VPN tunnel and accidentally send DNS requests via their regular ISP. So, your traffic is going over the VPN, but if your DNS queries are still going to your ISP outside the tunnel, it is possible to track, at the very least, what sites you are going to (but not, to be sure, the actual content of the traffic itself). Enter the next tool: DNSLeakTest. This tool will run a test against your configuration to show whether or not you are actually using the DNS servers you want to/need to/assumed were set up. For example - when I run the Extended Test using my home internet connection, I receive, inter alia, the following result:




What this image shows is that my DNS is being routed to Charter (my provider), in Wisconsin. To be expected when I am surfing without attempting anonymity. But, I would not want this to show up if I am trying to be anonymous. Using a common VPN provider, I receive the following results, showing my DNS queries are going through their servers:





The key here is that if you are arguing that you never visited (insert site with criminal ties here), and there is a DNS request around the time of the specific activity, you've got a credibility (and evidentiary) problem that is hard to refute. Granted, you are once again trusting the anonymity ("short memory") of the VPN provider's DNS records.
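A local way to look for the same misconfiguration, as an added example that is not part of the original post: it scans flow records for DNS queries that leave on the physical interface instead of the VPN tunnel. The record format, the interface names (`tun0`, `eth0`) and all addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: simplified "interface direction src > dst proto" flow
# records, loosely modelled on a packet-capture summary. Addresses come from
# private and documentation ranges; this is not output from any real tool.
SAMPLE_FLOWS = """\
tun0 out 10.8.0.6:41022 > 10.8.0.1:53 udp
tun0 out 10.8.0.6:50112 > 203.0.113.80:443 tcp
eth0 out 192.168.1.20:53311 > 198.51.100.53:53 udp
eth0 out 192.168.1.20:1194 > 192.0.2.10:1194 udp
eth0 out 192.168.1.20:53312 > 198.51.100.53:53 udp
eth0 in 198.51.100.53:53 > 192.168.1.20:53311 udp
"""

FLOW_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>udp|tcp)$"
)

# Plain DNS and DNS over TLS.
DNS_PORTS = {53, 853}


def parse_flows(text):
    """Turn the constructed flow lines into dicts; unparseable lines are skipped."""
    flows = []
    for line in text.splitlines():
        match = FLOW_RE.match(line.strip())
        if not match:
            continue
        flow = match.groupdict()
        flow["sport"] = int(flow["sport"])
        flow["dport"] = int(flow["dport"])
        flows.append(flow)
    return flows


def find_dns_leaks(flows, tunnel_ifaces=("tun0",)):
    """Count outbound DNS queries per resolver that bypass the tunnel interfaces.

    The VPN's own encrypted transport (port 1194 on eth0 in the sample) is
    expected on the physical interface and is not flagged; only DNS is.
    """
    leaks = Counter()
    for flow in flows:
        outbound_dns = flow["dir"] == "out" and flow["dport"] in DNS_PORTS
        if outbound_dns and flow["iface"] not in tunnel_ifaces:
            leaks[flow["dst"]] += 1
    return dict(leaks)


if __name__ == "__main__":
    for resolver, count in find_dns_leaks(parse_flows(SAMPLE_FLOWS)).items():
        print(f"DNS leak: {count} queries sent outside the tunnel to {resolver}")
```

A resolver reported here is one that can see the site names being looked up even though the rest of the traffic is inside the tunnel.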

3. When it comes to chatting, many users swear by Cryptocat. The app is described as follows:
Cryptocat is a fun, accessible app for having encrypted chat with your friends, right in your browser and mobile phone. Everything is encrypted before it leaves your computer. Even the Cryptocat network itself can't read your messages.
With the following caveats:
Cryptocat is not a magic bullet. Even though Cryptocat provides useful encryption, you should never trust any piece of software with your life, and Cryptocat is no exception.
Cryptocat does not anonymize you: While your communications are encrypted, your identity can still be traced since Cryptocat does not mask your IP address. For anonymization, we highly recommend using Tor. 
Cryptocat does not protect against key loggers: Your messages are encrypted as they go through the wire, but that doesn't mean that your keyboard is necessarily safe. Cryptocat does not protect against hardware or software key loggers which might be snooping on your keyboard strokes and sending them to an undesired third party. 
Cryptocat does not protect against untrustworthy people: Parties you're conversing with may still leak your messages without your knowledge. 
Cryptocat aims to make sure that only the parties you're talking to get your messages, but that doesn't mean these parties are necessarily trustworthy.
4. With respect to mobile messaging apps, it also should be noted there are various other apps advertising the same anonymity. See the following:
  • Confide - "Your Off-the-Record Messenger" -- From the website: "Spoken words disappear after they're heard. But what you say online remains forever. With confidential messages that self-destruct, Confide takes you off the record."
5. On the hacking side of things, there are a few popular LiveCDs that bundle common hacking tools into an easy to use interface. The following distros are worth taking a look at:
  • Kali Linux - "The most advanced penetration testing distribution, ever" -- (formerly Backtrack) -- Kali is a LiveCD used by penetration testers, hackers, and information security professionals to streamline various hacking/recon/exploitation tasks. It includes Metasploit, the most used exploitation tool out there. Metasploit is the tool of choice for "script kiddies," essentially allowing exploitation of systems with no coding; a hacker normally must only provide a few parameters and choose a payload before the ownage of systems can commence.
6. Finally, much has been made of social engineering as the easiest, most-effective, and hardest to defend method of enterprise infiltration. (In security, the weakest link is often the human element). Social engineering has been used to gain ownership of Twitter accounts (too many examples to note), the RSA breach, etc. See this article from Dark Reading for more evidence: Socially Engineered Behavior To Blame For Most Security Breaches.

The toolkit of choice for script kiddies, penetration testers, and various others is TrustedSec's Social-Engineer Toolkit (SET). TrustedSec's website notes:
The Social-Engineer Toolkit has over 2 million downloads and is aimed at leveraging advanced technological attacks in a social-engineering type environment. TrustedSec believes that social-engineering is one of the hardest attacks to protect against and now one of the most prevalent. 
The Toolkit makes it trivial to create webpages that are identical to real enterprise websites that require credentials (allowing login/password harvesting), and also allowing Man-in-the-Middle attacks where the engineered website is passed off as a legitimate portal while the SSL traffic is stripped in the middle (allowing the "hacker" to obtain unencrypted credentials without alerting the user). The toolkit also automates phishing and has various tools and tips to help trick enterprise users into giving up the keys to the kingdom.


Saturday, November 9, 2013

Case files (briefs + argument) for two key cases before Mass. Sup. Ct.: forced decryption (5th Amendment) and cell site location

The Massachusetts Supreme Judicial Court has two cases before it to keep an eye on. Summaries from the court, briefs, and links to oral argument are below.

SJC-11358
Commonwealth v. Gelfgatt
Criminal; Self-incrimination-- Whether the Commonwealth's request in a criminal case for a court order compelling the defendant to enter his encryption key to access information on a computer seized by the Commonwealth violates the defendant's rights against self-incrimination.

Appellant Commonwealth Brief
Appellee Gelfgatt Brief
Appellant Commonwealth Reply Brief
ACLU Foundation Brief
Amicus Criminal Defense Lawyers Brief
Amicus Criminal Defense Laywes Brief [sic] (In support and joined by NACDL)
Amicus FL Dept Of Law Enforcement Brief
Amicus Opderbeck Brief

Notable events:
11/05/2013 --- Oral argument held. (Ireland, C.J., Spina, J., Cordy, J., Botsford, J., Gants, J., Duffly, J., Lenk, J.).

Oral Argument Video

SJC-11482
Commonwealth v. Augustine
Search and Seizure-- In a murder prosecution, the Commonwealth is appealing a Superior Court judge's order allowing the defendant's motion to suppress historic cell site location information relating to the defendant's cellular phone number; the District Attorney's Office obtained the information in connection with a murder investigation without a search warrant by means of a judicial order pursuant to a federal statute.

Notable events:
10/10/2013 --- Oral argument held. (Ireland, C.J., Spina, J., Cordy, J., Botsford, J., Gants, J., Duffly, J., Lenk, J.).

Oral Argument Video

10/24/2013 --- #18 ORDER (By the Court): Before the court in this case is the Commonwealth's appeal pursuant to G. L. c. 278, § 28E, and Mass. R. Crim. P. 15(a)(2), from a decision of a Superior Court judge granting the defendant's motion to suppress evidence, including records that would show [the] defendant's location at a particular time, obtained pursuant to a warrantless search and seizure of cell phone records pertaining to a telephone number that, it appears, was used exclusively by the defendant. It is not disputed that some or all of the evidence in question referred to as cell site location information (CSLI) -- was obtained by the Commonwealth from Sprint Spectrum, an electronic communications service provider, pursuant to a Superior Court order issued pursuant to 18 U.S.C. § 2703(d)(§ 2703(d) order). The defendant has been provided with a copy of the CSLI that is at issue, but no copy was included in the motion record before the Superior Court and no copy has been included in the record on appeal. This case was argued before this court on October 10, 2013. The court is of the view that the CSLI obtained pursuant to the § 2703(d) order that is the subject of the defendant's motion to suppress may assist the court in its understanding and consideration of the issues raised in the Commonwealth's appeal. The court hereby directs the single justice to hold a hearing on the question whether the appellate record should be expanded to include the CSLI evidence, and if so, what conditions may be appropriate to adopt with respect to such an expansion. The single justice will provide the full court with a recommendation concerning what, if any, order should issue. Counsel is to confer with the Clerk of this court to schedule the hearing.

Thursday, November 7, 2013

EFF files amicus brief in Massachusetts forced decryption case

The Electronic Frontier Foundation recently filed an amicus brief in a Massachusetts case on appeal concerning whether a court can force a defendant to decrypt a computer.

Here's an excerpt from the press release:
Leon Gelfgatt was charged with forgery and the government, with a search warrant, seized a number of his electronic devices. Law enforcement couldn't break the encryption that protected the devices, so it went to court, asking a judge to order Gelfgatt to decrypt the devices for them. The Fifth Amendment protects a person from being forced to testify against themselves and so the government promised not to look at the encryption key—the "testimony" in their eyes—but nonetheless wanted the ability to use the unencrypted data against Gelfgatt. The judge denied the government's request, ruling that forcing Gelfgatt to decrypt the devices would violate the Fifth Amendment.
The government appealed that decision and the case is now before the Massachusetts Supreme Judicial Court, where we filed an amicus brief with the ACLU and the ACLU of Massachusetts.
Read the EFF's amicus brief for Commonwealth v. Gelfgatt here.

To read other Cybercrime Review posts on forced data decryption, view our encryption label.

Monday, August 19, 2013

Feds decrypt two hard drives in Wisconsin case, defendant arrested on CP charges

Over the past several months, I've written a few times about the ongoing Wisconsin encryption case. Here are the posts for background.
The feds had been unable to break the encryption on the defendant's hard drives, but a major breakthrough last week resulted in the defendant's arrest for child pornography.

According to the Journal Sentinel, the Assistant U.S. Attorney on the case announced that two of the nine hard drives had been decrypted. Those two drives contained "preteen children in images of sexual assault, bondage and bestiality."

The court has yet to decide whether the defendant will be ordered to decrypt the remaining hard drives.

The criminal complaint is available here.

Thursday, August 1, 2013

Defense suggests improprieties in Wisconsin encryption case

Several months ago I wrote about an encryption case in Wisconsin where the magistrate had ordered production of the decrypted data, and then the district court judge suspended the order. Since then, several interesting things have happened. First, the prosecution argued that the defendant could forget the password so he needed to provide it, and it could be kept by a third party.

Now, the defense is arguing that prosecutors may have "intentionally or recklessly mislead the court," according to an article published last week by the Journal Sentinel in Milwaukee.

The forced decryption issue is one that continues to develop across the country, and we have yet to see a clear pattern develop in the handful of courts to decide the issue. Visit our encryption label to read about related cases on encryption and compelled production.

Wednesday, May 29, 2013

Wisconsin federal magistrate reverses on forced production of decrypted data after government presents new evidence

Late last month, a federal magistrate judge denied the forced production of decrypted data from a defendant's hard drives. Last week, the judge changed his mind after the government presented new evidence.

In the initial order, the court made the "close call" to deny the production because the government did not have enough evidence concerning the defendant's access and control, nor did they actually know what was on the hard drives, though some file names indicated the presence of child pornography.

Since that time, the FBI was able to decrypt one of the drives which contained over 700,000 files including "numerous files which constitute child pornography." It also contained "detailed personal financial records and documents belonging to" the defendant and "dozens of personal photographs" of him.

The judge determined that this new evidence makes it a "foregone conclusion" that the defendant has "access to and control over the encrypted storage drives." As such, the defendant was ordered to "enter the appropriate password ... so as to decrypt those drives" or to otherwise make "available for [law enforcement's] examination a decrypted copy of the data."

Thursday, May 23, 2013

9th Circuit orders hard drive reformatting just in case hard drives contained encrypted files

The Ninth Circuit recently upheld an order allowing the government to reformat the hard drives on a computer before returning them because the drives might have contained encrypted files, and those encrypted files might have violated the defendant's supervised release. (United States v. Spink, No. 12-30068 (9th Cir. 2013)).

The defendant had been accused of violating the terms of his supervised release by using his computer to possess images of bestiality or zoophilia (he had previously owned at least 52 such websites). However, it appears as though the computers had either been erased, or the defendant had encrypted files on the computer. As no evidence was apparently found (from the few facts in the opinion), the computers had been ordered to be returned.

However, after the order, the government argued that they should be able to erase the hard drives in case there were files encrypted on the drive that would violate the defendant's release.
The government professed that it could not determine whether the computers' hard drives appeared to be blank because they had been erased or because they contained encrypted information that the government could not access.
The Ninth Circuit affirmed the decision to allow the hard drives to be erased, holding:
If the hard drives have been erased, there is no harm to Spink from the government wiping the hard drives again before it returns the computers. However, if there is encrypted data, Spink presumably has the ability to access those materials, and he has not offered to access the files in the presence of the Probation Office. Moreover, if the hard drives contain encrypted materials, those materials are likely to be the type of materials that Spink is prohibited from possessing under the conditions of his supervised release.
As I've argued many times before, I think the assumption that encryption is only used to do illegal or improper acts is erroneous and a very harmful idea for courts to consider. Does a locked door to your house imply that you are hiding illegal items in your home?

Tuesday, April 30, 2013

Featured Paper: Cloud Computing Security and Privacy

Cloud computing has been viewed by many as the next inevitable step towards a more efficient system for information management and storage. However, as our dependence on cloud computing continues to grow, many have started to examine the privacy, security, and legal ramifications that such a system creates. The Center for Applied Cybersecurity Research (CACR), located at Indiana University, has recently released a new white paper, Cloud Computing Security and Privacy, that examines the privacy and security risks associated with cloud dependence, as well as what should be done to create more secure and sustainable cloud-computing systems. The white paper was authored by Drew Simshaw, former information security fellow at CACR and current project manager and policy analyst with the Center for Law, Ethics, and Applied Research (CLEAR) in Health Information. I highly recommend taking a look at this white paper if you are at all involved in cloud computing. The abstract appears below:
As the world’s data increase at unfathomable rates, individuals and organizations are seeking more convenient and cost effective ways to store and manage it. Many are turning to the cloud, recognizing its benefits, but failing to understand how it actually works. To confirm that cloud computing is no longer a fringe IT issue, one need look no further than President Obama’s re-election campaign, which was successful thanks in no small part to its utilization of Amazon’s cloud platform for a massive voter database. As cloud computing use continues to increase, security and privacy issues, as evidenced by recent events, should be considered so individuals and organizations can decide how best to store and manage their data. Although these events shed some light on measures that can be taken to reduce risk, they also demonstrate that bigger thinking is needed when it comes to improving security and privacy in the cloud. Therefore, as opportunity in the cloud expands and the stakes continue to rise, individuals, organizations, and cloud service providers must bear in mind the following security and privacy issues:
  • Creating a Bigger Target for Hackers
  • Government Access to Data in the Cloud
  • Data Access and Control in the Cloud
  • Cloud Service Outages and Human Error
  • Authentication
  • Encryption

In addition to being a guest author at Cybercrime Review, Andrew Proia is a research assistant to Professor Fred Cate, Director of the Center for Applied Cybersecurity Research. Andrew is also set to become a CACR Post-Doctoral fellow in information security law & policy later this year. All opinions expressed by the author are solely in his individual capacity.

Thursday, April 25, 2013

Wisconsin federal court forbids forced production of decrypted data on Fifth Amendment grounds

The District Court for the Eastern District of Wisconsin held last week that compelled production of decrypted data violates the Fifth Amendment because it would require the suspect to admit to having access and control over the devices. In re The Decryption of a Seized Data Storage System, 13-M-449 (E.D. Wis. 2013).

The FBI seized 16 storage devices from the suspect, nine of which were encrypted. After four months of attempts to access the files, the government sought to force the suspect to "assist in the execution" of the search warrant by providing a decrypted copy of the files.

The predominant legal issue in such cases is the Fifth Amendment and whether or not the act of providing the decrypted files would be considered "testimonial." The issue has caused a split in district courts, but only the Eleventh Circuit has decided the issue at the appellate level, holding that forced production does violate the Fifth Amendment.

As distinguished from some other cases, the government here knew the encrypted drives contain files and had evidence to show that some of the filenames indicate they are images of child pornography. Further, the defendant has a computer science degree and works as a software developer, so he "may very well be capable of accessing the encrypted portions of the hard drives."

However, the deciding issue for the court was whether or not the suspect "has access to and control over the ... devices." Because he has not admitted to having access and control, he could not be compelled to provide the decrypted copy.

This is a close call, but I conclude that Feldman’s act of production, which would necessarily require his using a password of some type to decrypt the storage device, would be tantamount to telling the government something it does not already know with “reasonably particularity”—namely, that Feldman has personal access to and control over the encrypted storage devices. Accordingly, in my opinion, Fifth Amendment protection is available to Feldman. Stated another way, ordering Feldman to decrypt the storage devices would be in violation of his Fifth Amendment right against compelled self-incrimination.
Thus, the government's attempt to compel production of the files was denied. Visit our encryption label to read about related cases on encryption and compelled production.

Friday, December 28, 2012

$299 software allows decryption of volumes with FireWire attack or the computer's hibernation or memory dump file

Software developer Elcomsoft has released a $299 software package claiming to be able to decrypt BitLocker, PGP, and TrueCrypt volumes. The software is able to obtain encryption keys from the computer's hibernation file or memory dump file and can also perform a FireWire attack if the encrypted volume is mounted.

Here's their description of how the keys are obtained:
Generally, the choice of one of the three attacks depends on the running state of the PC being analyzed. It also depends on whether or not installation of a forensic tool is possible on a PC under investigation.
If the PC being investigated is turned off, the encryption keys can be retrieved from the hibernation file. The encrypted volume must be mounted before the computer went to sleep. If the volume is dismounted before hibernation, the encryption keys may not be derived from the hibernation file.
If the PC is turned on, a memory dump can be taken with any forensic tool if installation of such tool is permitted (e.g. the PC is unlocked and logged-in account has administrative privileges). The encrypted volume must be mounted at the time of memory dump acquisition....
Finally, if the PC being investigated is turned on but installing forensic tools is not possible (e.g. the PC is locked or logged-in account lacks administrative privileges), a remote attack via a FireWire port can be performed in order to obtain a memory dump.... Both the target PC and the computer used for acquisition must have FireWire (IEEE 1394) ports.
Once the original encryption keys are acquired, Elcomsoft Forensic Disk Decryptor stores the keys for future access, and offers an option to either decrypt the entire content of encrypted container or mount the protected disk as another drive letter for real-time access.
This is nothing new but is simply an easy way to hack a well-known flaw. In order to properly protect your encrypted system when you're away from it, you simply cannot use sleep or hibernate mode on your computer.

ElcomSoft, based in Moscow, "helps law enforcement, military, and intelligence agencies in criminal investigations with its wide range of computer forensics products."

Thursday, November 8, 2012

Hushmail provides unencrypted e-mails to feds; practice raises interesting legal questions

In a Second Circuit case (United States v. Gonzalez, 686 F.3d 122 (2d Cir. 2012)) released earlier this year, evidence was presented at trial that had been e-mailed through Hushmail, a secure e-mail service used by "millions of people and thousands of businesses." Hushmail's website claims that they "encrypt your message automatically before it is sent, and then restore it back to its original form when the recipient reads it."

The issue that immediately came to my mind was the fact that Hushmail provided not only the communications but they were able to unencrypt them first. Here's the court's description of the evidence:
The government also introduced into evidence numerous emails sent from the address "biotechresearch@hush.com" — which Gonzalez admitted was his — through "Hushmail," an encrypted email service provider that encoded email messages, permitting them to be accessed and read only by someone who had the encryption key. The emails introduced at trial by the government, decoded by Hushmail, included the following..."
This isn't the first time Hushmail has done this. In 2007, Threat Level explained the security issues and how Hushmail is able to provide an unencrypted copy of a user's e-mails.

In recent years, several courts have evaluated whether the government can force an individual to provide an encryption key for electronic files. Courts have ruled on both sides of this popular Fifth Amendment issue. Perhaps an interesting extension of that debate is whether a person's agent (that word choice may be a stretch) - their e-mail provider - can be forced to provide an unencrypted copy of e-mails or whether they may only provide the scrambled versions. Another interesting issue is how we would define communications required to be disclosed under provisions of the Stored Communications Act.

Hush Communications' CEO, Ben Cutler, responded to my inquiry about their disclosure policy:
Our policy is to only release user information if we receive an order enforceable in British Columbia Canada requiring that we do so. British Columbia, Canada is the jurisdiction where our servers and operations are located. The order must be for a specific user account. In the case where authorities in the US are seeking information on one of our users they would have to make an MLAT request to the Canadian Department of Justice, which if successful would result in an enforceable order being issued here in Canada.
As may be obvious, I don't really claim to have answers to these issues, but I feel they are interesting to think about. Please feel free to comment below with your thoughts.

Tuesday, September 4, 2012

Slides from our recent webinar on encryption

Thanks to those of you who participated in our recent webinar on encryption technology and legal issues. For those of you who were unable to attend, below is a link to a PDF of the slides from the presentation. Please feel free to contact Justin or me if you have any questions.

Click here for the PDF.

Wednesday, August 8, 2012

Cybercrime Review to conduct webinar on encryption technology and legal issues

Two weeks from today, Justin and I will conduct the first of what we hope to be many webinars on cybercrime related topics. In our initial presentation, Justin will cover encryption technology and software as well as forensics issues, and I will address the relevant case law on forced disclosure of passwords for encrypted files.

Date: Wednesday, August 22
Time: 1:00-1:30 Eastern

Click here to register. The webinar will be approximately thirty minutes in length, and we will stick around afterward for any questions you may have. Feel free to share this information as this webinar is open to anyone with an interest in the subject. CLE credit is not available for this webinar.

Tuesday, June 19, 2012

Massachusetts appellate court to rule on compelled password disclosure of encrypted drive

A Massachusetts trial court, dealing with an encrypted drive in a criminal case, has asked the Massachusetts Appeals Court how to act. The question presented to the appellate court is:
Can the defendant be compelled pursuant to the Commonwealth’s proposed protocol to provide his key to seized encrypted digital evidence, despite the rights and protections provided by the Fifth Amendment to the United States Constitution and Article Twelve of the Massachusetts Declaration of Rights?
The case is Commonwealth v. Gelfgatt, Suffolk Superior Court No. SUCR2010-10491. Read more here in an article by Tom Ralph, Chief of the Cybercrime Division of the Massachusetts Attorney General's Office, published in the Cybercrime Newsletter, a publication of the National Association of Attorneys General and the National Center for Justice and the Rule of Law.

Cybercrime Review has extensively covered encryption issues. Click here for our archive on the topic.

Wednesday, February 29, 2012

Fricosu's co-defendant provides law enforcement with encryption password

For those of you following the Fricosu drama, you'll be saddened to hear that it is now over. Fricosu's co-defendant recently provided law enforcement with the password for the encrypted drive, and Fricosu's attorney received a copy of the files from the drive today.

Here's a rundown of the history. A Colorado federal court ordered Fricosu to provide law enforcement with the password or an unencrypted copy of the files by February 29. Earlier this month, Fricosu's attorney suggested that she may have forgotten the password. She appealed to the Tenth Circuit, but they declined because there was no final judgment in the case. Last week, it was rumored that Fricosu's co-defendant (her ex-husband) had turned over the password.

Also last week, the Eleventh Circuit held that compelling disclosure of unencrypted files could violate a defendant's Fifth Amendment rights.

Sunday, February 26, 2012

Why can't investigators just hack encrypted drives? With unlimited resources and time, they can

I blogged yesterday about the Eleventh Circuit case finding that compelling a defendant to provide an unencrypted copy of files would violate the Fifth Amendment. The drives in that case were encrypted using TrueCrypt (which I've discussed here).

To show why law enforcement cannot simply "crack" the encryption, I want to explain the situation in more detail. It can certainly be done through what is called a "brute-force attack," which essentially generates a list of every possible password and tries each one. The longer and more complicated the password, the longer the attack takes. Thus, adding length, capital letters, numbers, and symbols greatly increases the complexity. The type of security used also affects the complexity. The attack will first try dictionary words, and the entire English language could be checked in a few minutes. Of course, there's the possibility that the password will be guessed early on, but there are no promises.

Suppose a drive was encrypted using a fairly average but secure password - 1 upper case letter, 6 lower case, 1 number, and 1 special character. A brute force attack could try the 2.5 trillion possibilities in about 3 days using only one computer.

If we upgrade the password to 3 upper case, 8 lower case, 2 numbers, and 1 special character, there are almost 12 quintillion combinations. Using one computer to crack it would take about 40,000 years (using modern-day computers), but if you could dedicate 100,000 computers to the task, it could be done in about 6 months.

Since TrueCrypt passwords can be up to 65 characters, these times could easily extend into millions of years.
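The arithmetic behind the two estimates above, as an added example that is not part of the original post: it counts the candidates for each password composition and derives the guess rate implied by "2.5 trillion possibilities in about 3 days." The 32-character symbol set and the fixed position of each character class are assumptions, chosen because they reproduce the post's totals.

```python
from math import factorial, prod

# Character-class sizes. The symbol count is an assumption (32 printable
# ASCII punctuation characters); the post does not say which set it used.
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 32}
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(composition, positions_known=True):
    """Count candidate passwords for a composition such as {"upper": 1, ...}.

    positions_known=True assumes the searcher knows which class sits at each
    position; False multiplies by the number of ways to arrange the classes.
    """
    total = prod(CLASS_SIZES[c] ** n for c, n in composition.items())
    if not positions_known:
        arrangements = factorial(sum(composition.values()))
        for n in composition.values():
            arrangements //= factorial(n)
        total *= arrangements
    return total


def seconds_to_exhaust(space, guesses_per_second, machines=1):
    """Worst-case time to try every candidate; the average is half of this."""
    return space / (guesses_per_second * machines)


def implied_rate(space, seconds):
    """Guess rate implied by a quoted 'N candidates in T seconds' figure."""
    return space / seconds


SHORT = {"upper": 1, "lower": 6, "digit": 1, "symbol": 1}
LONG = {"upper": 3, "lower": 8, "digit": 2, "symbol": 1}

if __name__ == "__main__":
    rate = implied_rate(keyspace(SHORT), 3 * SECONDS_PER_DAY)
    print(f"short: {keyspace(SHORT):.3e} candidates, implied {rate:.2e}/s")
    years = seconds_to_exhaust(keyspace(LONG), rate) / SECONDS_PER_YEAR
    print(f"long: {keyspace(LONG):.3e} candidates, {years:,.0f} years")
    pooled = seconds_to_exhaust(keyspace(LONG), rate, machines=100_000)
    print(f"long, 100,000 machines: {pooled / SECONDS_PER_DAY:,.0f} days")
    print(f"long, positions unknown: {keyspace(LONG, False):.3e} candidates")
```

Each added lowercase letter multiplies the total by 26, which is why five extra characters move the estimate from days to tens of thousands of years at the same guess rate.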

For a handy spreadsheet to calculate your password's security, click here for one from Mandylion Research Lab. I make no promises that the calculations are accurate because the math is much too complex for me!

UPDATE: Thanks to a reader comment, I've been directed to Gibson Research Corporation's calculator (by Steve Gibson). The page contains a lot of great information on password strength and some helpful and interesting links. Thanks for the tip!

Saturday, February 25, 2012

11th Cir. finds Fifth Amendment violation with compelled production of unencrypted files

The Eleventh Circuit held that compelled production of unencrypted files violates the Fifth Amendment as it would be testimonial, and the "foregone conclusion" doctrine does not apply. In Re Grand Jury Subpoena Duces Tecum Dated March 25, 2011, 671 F.3d 1335 (11th Cir. 2012).

The case began with a child pornography investigation after videos of underage girls were found on YouTube. Officers seized multiple external hard drives and determined that parts of them were encrypted using TrueCrypt (discussed here). A grand jury subpoena was issued to require production of an unencrypted copy, and the defendant refused to comply and was held in contempt.

Whether the production was testimonial was the key issue examined by the Eleventh Circuit. The government argued that "all it wanted Doe to do was merely to hand over pre-existing and voluntarily created files, not to testify." The court agreed, finding that the files alone are not testimonial. The act of production, on the other hand, "would sufficiently implicate the Fifth Amendment privilege."

The court reached this conclusion after finding that it would not be a physical act like providing a key for a safe, but "would require the use of the contents of Doe's mind." Also, the purported testimony was not a "foregone conclusion" because the government does not even know what is on the drive - it may be nothing. Neither do they know that Doe is capable of accessing the files.

Also, the court held that testimony could be compelled with sufficiently granted immunity, but that was not given to Doe. In order to compel the production, "use and derivative-use immunity" must be provided.

Certainly a key to this outcome is the way in which TrueCrypt works. When a volume is encrypted using this software, there is no way to tell whether the volume is full or empty without knowing (or breaking) the encryption key. Since breaking the key may take hundreds of years, it is likely impossible to know what, if any, files are on the drive through a forensics investigation. These drives could have contained millions of files, preventing the government from knowing with any specificity what was on it. Encryption for individual files (as opposed to an entire drive or partition), on the other hand, would likely not bring this same result.

This decision comes just days after the latest ruling in the related Fricosu case from the Tenth Circuit (read more here).

Thursday, February 23, 2012

10th Cir. denies interlocutory appeal on forced drive decryption in Fricosu

In previous posts (here and here), I have discussed the case of United States v. Fricosu where a federal judge has ordered the defendant to provide a decrypted copy of her hard drive to federal investigators. Just after the order, Fricosu claimed that she may have forgotten the encryption key. The deadline for providing the copy is later this month.

Meanwhile, she has appealed to the Tenth Circuit on the issue. The appellate court dismissed the appeal, finding they have no jurisdiction due to a lack of a final decision from the district court.

Monday, February 6, 2012

Woman ordered to decrypt drive has forgotten password

In a recent post, I discussed United States v. Fricosu, the case of a Colorado woman who was court-ordered to provide an unencrypted copy of her hard drive. Law enforcement had been unable to decrypt the drive, and Fricosu refused to turn over the password.

Well, as reported by Threat Level, Fricosu has forgotten the password. "It's very possible to forget passwords," said her attorney. All along, Fricosu has claimed that she was not the one who encrypted the drive, but the court found that not to be true.

Fricosu has until February 21 to turn over the files, so we do not yet know how the court will respond. Meanwhile, she is preparing an appeal to the Tenth Circuit.

Friday, January 27, 2012

Fifth Amendment held not violated by forced disclosure of unencrypted drive

The Colorado District Court is the latest to weigh in on the popular issue of whether a person can be forced to disclose a password or unencrypted files. In United States v. Fricosu, the court found that the defendant's Fifth Amendment right is not implicated by requiring production of an unencrypted version of the files. 2012 U.S. Dist. LEXIS 11083 (D. Colo. 2012).

After law enforcement seized six computers from the defendant's home, they were unable to break the encryption on one of the computers. The defendant refused to provide the password, arguing that such a requirement would violate her Fifth Amendment right against self-incrimination.

Two prior cases have dealt with this issue. In In re Grand Jury Subpoena to Boucher, 2007 WL 4246473 (D. Vt. 2007), the court required the defendant to provide either a password or an unencrypted copy of the specified files. However, as the EFF (Electronic Frontier Foundation) noted in their amicus brief to Fricosu, Boucher involved specific files identified as child pornography. Investigators could see the filenames but were unable to open the files. That is distinguishable in Fricosu because investigators only know of the types of files that will be on the computer. On that issue, the Fricosu court held, "The fact that [the government] does not know the specific content of any specific documents is not a barrier to production."

Also, in United States v. Kirschner, 2010 U.S. Dist. LEXIS 30603 (E.D. Mich. 2010), the court found that the defendant could not be compelled to disclose his password. The government argued in Fricosu that Kirschner does not apply because they are providing the alternative of allowing production of decrypted files instead of the password.

In Fricosu, the EFF had argued that forcing Fricosu to provide the password or unencrypted files “would be an admission that she had control over the computer and the data stored on it before it was seized from her residence—which are critical admissions” and would therefore violate her Fifth Amendment rights.

In a recent post, I discussed TrueCrypt, a popular open-source software package that allows users to create hidden, encrypted volumes.