Showing posts with label forensics.

Saturday, October 19, 2013

Featured Papers: iOS Anti-Forensics, Google Drive Forensics, and Cell Phone Searches

Here's a roundup of new papers on SSRN:

IOS Anti-Forensics: How Can We Securely Conceal, Delete and Insert Data?

Abstract:
With increasing popularity of smart mobile devices such as iOS devices, security and privacy concerns have emerged as a salient area of inquiry. A relatively under-studied area is anti-mobile forensics to prevent or inhibit forensic investigations. In this paper, we propose a "Concealment" technique to enhance the security of non-protected (Class D) data that is at rest on iOS devices, as well as a "Deletion" technique to reinforce data deletion from iOS devices. We also demonstrate how our "Insertion" technique can be used to insert data into iOS devices surreptitiously that would be hard to pick up in a forensic investigation.

Abstract:
Cloud storage is an emerging challenge to digital forensic examiners. The services are increasingly used by consumers, business, and government, and can potentially store large amounts of data. The retrieval of digital evidence from cloud storage services (particularly from offshore providers) can be a challenge in a digital forensic investigation, due to virtualisation, lack of knowledge on location of digital evidence, privacy issues, and legal or jurisdictional boundaries. Google Drive is a popular service, providing users a cost-effective, and in some cases free, ability to access, store, collaborate, and disseminate data. Using Google Drive as a case study, artefacts were identified that are likely to remain after the use of cloud storage, in the context of the experiments; on a computer hard drive and Apple iPhone3G, and the potential access point(s) for digital forensics examiners to secure evidence.

Cell Phone Searches in a Digital World: Blurred Lines, New Realities and Fourth Amendment Pluralism

Abstract:
State and federal courts are split over whether cell phone searches incident to a lawful arrest are permissible under the Fourth Amendment. The Supreme Court has the opportunity to create uniformity by accepting a certiorari petition in a cell phone search incident to arrest case, either United States v. Wurie or Riley v. California. The Court should do so to create an analysis that incorporates sensory enhancing technology, not avoids it, as it has done to date. 
The split in case law evidences a central contradiction. Fourth Amendment rules need to be predictable and based on clear guidelines for effective and safe crime interdiction. Technological advances cloud the application of the rules by introducing new facts into the calculus, facts that separate form from function and transform the analysis. In the past, as evidenced by search cases Katz and Jones, and exception cases for searches incident to lawful arrest, Chimel and Robinson, the Supreme Court analysis tended to be based on abstract and grand theory, which has led to a form of Gresham’s Law of constitutional application, where general principles often end up marginalizing specific provisions. Because of advancing technology, however, Fourth Amendment protection has been eroding, as predicted in Kyllo. Searches of cell phones incident to lawful arrests can provide a huge source of discretionary information for police, and searches of "smart" phones without cause can seem like a fishing expedition. Comparisons and analogues have not worked. Neutral narratives have been fractured and unsatisfying. 
This paper suggests using local structures accommodating post-digital technology instead of pre-digital comparisons like containers and walls and doors. Facts, and new realities, matter. In essence, analyses should incorporate the capabilities of the technology in question. The new doors and walls of the advancing technology era create new privacy encroachments, including nondiscoverable information without permission, but are still guided by the same textual and Framers’ intent considerations, such as invasiveness, duration and intent of the government conduct, as well as the nature and impact of the invasion. In light of this calculus, cell phone searches incident to a lawful arrest generally should require some sort of independent and legitimate reason to search the device, a search of which does not fit neatly into existing rationales of container, officer safety, or destruction of evidence. 

Monday, January 7, 2013

Computer forensic delays a growing problem?

It is hard not to notice the growing number of cases that revolve around, or at least discuss, the delays associated with processing computer forensic evidence. Is there a growing problem? The short answer is yes, but it is hard to determine the scope and depth of the problem merely by analyzing disparate court opinions and news stories. It does appear to be systemic, at the federal, state, and local levels. Here is some evidence:

Recent cases

(January 3rd, 2013) United States v. Montgomery, __ F.3d __ (10th Cir. 2013) - after obtaining documents through a FOIA request, the defendant alleged as part of his defense that "forensic analysis had not been done because the FBI's . . . CART . . . office in Oklahoma City was backlogged for over 6 months."

United States v. Lovvorn, 2012 WL 3743975 (M.D. Ala. April 24, 2012) - "Finally, Lovvorn argues that an unreasonable delay between the seizure and the subsequent search of his computer is a violation of the Fourth Amendment. . . . The property was taken to the Coffee County Police Station, and then turned over to the Alabama Bureau of Investigation ("ABI"). The ABI returned the results of their forensic investigation nineteen months after the seizure from Lovvorn's residence occurred. There was no evidence presented that Lovvorn sought to have his property returned or was prejudiced in any way, nor has there been any assertions against the chain of custody or the authenticity of the evidence. The ABI has only one location in the state. The court therefore finds it is reasonable to believe that the delay was caused by nothing more than a backlog of cases."

News Stories

General Dynamics Awarded $42 Million to Support FBI Computer Forensic Networks

Previous posts

Federal court holds that 15-month delay in reviewing electronic evidence was an unlawful seizure


In Paypal DDOS case, government reprimanded for failure to analyze and return data in a timely fashion - In that post, I wrote: "To me, it's hard not to wonder if there is a systemic problem going on with how the government is handling cybercrime cases and the plethora of evidence that they tend to produce - according to this transcript, there were at least 9 terabytes of data that had to be analyzed.  That is certainly a lot of data, but as the court in Metter stated, there has to be a line drawn somewhere when retention of data transforms from investigatory to a violation of the Fourth Amendment."

Comments

The underlying legal implications of such backlogs are numerous, but include: (1) the suppression of evidence (as seen in a few cases above) due to the delay, as a violation of the Fourth Amendment, (2) delay in prosecution of child pornography and similar child predator cases, which has the potential to provide time/opportunity to commit additional offenses, and (3) the likelihood that evidence in lesser cases will be skipped over for more high-profile cases, driving up the bar that must be reached to consider a case worthy of prosecution.

I'd appreciate any comments from practitioners in the field who have seen similar delays and can attest to them, or alternatively, stories indicating a trend in the opposite direction.

Wednesday, November 21, 2012

"Egregious spoliation conduct" of plaintiff, who used various pieces of software to scrub his computer, results in claim forfeiture

Update: I've placed a link to the case in the write-up

In Taylor v. Mitre Corp., 2012 U.S. Dist. LEXIS 162854 (E.D. Va. September 10, 2012), the plaintiff in an employment related suit (FMLA and ADA claims), through "egregious spoliation conduct" - use of CCleaner, Evidence Eliminator, and a sledge hammer - had his suit tossed out and forfeited his claims.

The action came before the court on a Motion for Sanctions, filed by the defendant, after Mitre Corp. discovered (through a court-ordered forensic examination of the plaintiff's computer) that the plaintiff had knowingly deleted large swaths of files on his new computer. The plaintiff had also been asked to produce an old HP laptop that he had used during his employment with Mitre and which held significant litigation-related information. The plaintiff, however, stated that he had tried to back up the laptop, recovering only 30-40% of the files, before taking a sledgehammer to it and taking it to the dump.

Aware of the plaintiff's new Dell computer, the court ordered a computer inspection of the Dell to discover any related evidence. The court described what happened next:
 E-mails between Plaintiff and his counsel illustrate Plaintiff's frustration with the Court's consideration of a mandatory computer inspection. For example, on May 30, 2012, in an e-mail to counsel, Plaintiff said, "As a computer expert very familiar with forensic examinations, I find this overly invasive and unwarranted" and that he and his wife would "not submit to a voluntary submission of [their] electronic devices without a court order."  Plaintiff goes on to say that if his counsel returned with a court order requiring inspection of his laptop he "will either not provide the devices or [he] will move all non-sensitive files to a CD and wipe the drive." . . . At the conclusion of the e-mail he jokes that "an electrical surge just fried my computer and a 50 pound anvil fell over and landed on it" and asks "what penalties [he would] suffer from a contempt of court citation."
The attorney-client e-mails above were discoverable under the crime-fraud exception to the privilege. After the court order was clarified to fall under FRCP 34, a forensics firm conducted a keyword search on the computer, but the plaintiff refused to allow it to be imaged.

The forensic company then ran various forensic tools on the computer and found ample evidence of the plaintiff's spoliation. The day the plaintiff heard about the court order for inspection, he bought Evidence Eliminator, which overwrites files so that they cannot be recovered on forensic examination. He made no attempt to remove the program after using it, however, so it was easy to confirm that he had run it. He had also run CCleaner (which, among other things, deletes temporary internet files) to destroy additional evidence, to the tune of approximately 16K files deleted. Finally, in another effort to avoid discovery, he used private browsing so that browsing history would be erased when the browser was closed.
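The sequence the examiners reconstructed here (inspection order, tool purchase, wiping run) is the kind of thing a timeline check catches mechanically. The script below is an added example, not code from the original post or from the case record: it takes constructed install records and a constructed file-system timeline, flags installs of known anti-forensic tools within a window after the date the party learned of the inspection, and looks for a deletion burst that follows such an install. The two tool names come from the opinion; every date, path and the notice time are assumptions made up for the example.

```python
"""Added example, not code from the original post or the case record: a
timeline check for anti-forensic activity after a party learns that its
computer will be inspected. All records below are constructed; the two tool
names come from Taylor v. Mitre, the dates and paths are illustrative."""
from collections import Counter
from datetime import datetime, timedelta

# Tool names to flag. CCleaner and Evidence Eliminator are the ones named in the
# opinion; anything else you add here is your own assumption.
ANTI_FORENSIC_TOOLS = {"ccleaner", "evidence eliminator"}


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Assumed: the moment the party learned of the court-ordered inspection.
NOTICE = ts("2012-06-01 09:00:00")

# Constructed install records (program name, install time), such as an analyst
# would pull from the registry Uninstall keys or a software inventory.
INSTALLS = [
    ("Microsoft Office", ts("2011-11-02 13:10:00")),
    ("Evidence Eliminator", ts("2012-06-01 18:42:00")),
    ("CCleaner", ts("2012-06-02 08:15:00")),
]

# Constructed file-system timeline entries (time, action, path): one unrelated
# earlier deletion, a 50-file deletion burst the morning after the tool installs,
# and an ordinary document edit.
TIMELINE = [(ts("2012-05-20 10:00:00"), "deleted", "C:/Users/t/Downloads/setup.tmp")]
TIMELINE += [
    (ts("2012-06-02 08:20:00") + timedelta(seconds=i), "deleted",
     f"C:/Users/t/AppData/Local/Temp/f{i}.tmp")
    for i in range(50)
]
TIMELINE.append((ts("2012-06-02 08:30:00"), "modified", "C:/Users/t/Documents/notes.docx"))


def find_spoliation_indicators(installs, timeline, notice, window_days=7):
    """Flag anti-forensic tool installs and deletion bursts in the window after notice.

    Returns the flagged installs, the deletion count in the window, the busiest
    minute of deletions, and whether a flagged tool was installed before that
    burst (the order of events that made the inference in Taylor easy)."""
    window_end = notice + timedelta(days=window_days)
    flagged = [(name, t) for name, t in installs
               if name.lower() in ANTI_FORENSIC_TOOLS and notice <= t <= window_end]
    deletions = [t for t, action, _ in timeline
                 if action == "deleted" and notice <= t <= window_end]
    per_minute = Counter(t.replace(second=0, microsecond=0) for t in deletions)
    burst_minute, burst_count = (max(per_minute.items(), key=lambda kv: kv[1])
                                 if per_minute else (None, 0))
    tool_precedes_burst = burst_minute is not None and any(t <= burst_minute for _, t in flagged)
    return {
        "tools_after_notice": flagged,
        "deletions_in_window": len(deletions),
        "burst": (burst_minute, burst_count),
        "tool_precedes_burst": tool_precedes_burst,
    }


if __name__ == "__main__":
    for key, value in find_spoliation_indicators(INSTALLS, TIMELINE, NOTICE).items():
        print(key, value)
```

The check is deliberately narrow: it reports ordering and volume, and leaves it to the examiner to tie the deletion burst to the tool (prefetch entries, the tool's own logs, or the overwritten-file signatures Evidence Eliminator leaves behind). A deletion burst alone is not spoliation; a burst minutes after installing a wiping tool, days after learning of an inspection order, is what the court in Taylor found decisive.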

The court was not pleased: it dismissed the case and ordered forfeiture of the plaintiff's claims, the harshest sanction available. The ruling rested on everything the plaintiff did to willfully destroy evidence: taking a sledgehammer to the old laptop, running CCleaner, using private browsing, and most of all, running Evidence Eliminator. With regard to the latter, the court stated:
This Court cannot, and will not, tolerate the use of such a program by a plaintiff in litigation—in the middle of the discovery—who had knowledge that his computer was about to be searched pursuant to a Court order. The undersigned Magistrate Judge concludes that downloading and running of Evidence Eliminator just days after finding out about the Court-ordered computer inspection constituted willful spoliation of evidence.
The court went on to say that the conduct noted above highly prejudiced the defendant, and to let the suit proceed after such willful conduct, would be to the detriment of the defendants.

My question is - how could a self-described computer expert not know he would get caught?




Tuesday, October 23, 2012

Fifth Circuit shows forensic acumen in CP case; defendant preserves important question for appeal

In United States v. Pelland, __ F.3d __ (5th Cir. 2012), the Fifth Circuit held that circumstantial evidence could be used to prove the interstate commerce element of the federal child pornography statute. The case is noteworthy for two reasons: (1) the court, in so holding, discussed the forensic details accurately and succinctly (which often does not happen), and (2) the defendant preserved an interesting statutory interpretation question, which the court punted on for good reason.

The facts are relatively run of the mill: the defendant was caught with child pornography on a desktop computer and a thumb drive, and convicted. On appeal, he argued that the government had failed to produce sufficient evidence to sustain the conviction because it had not proven, for each file, that the interstate commerce element was met.

In a thoughtful and technologically accurate opinion, the court held that circumstantial evidence of internet use, coupled with file creation dates and the defendant's own admissions, was sufficient to sustain the conviction. The opinion, which I encourage you to read, deals with IRC chat rooms, what file creation dates mean for downloaded versus copied files, and a few other technical issues. The analysis was spot on, an encouraging sign that the courts are becoming better equipped to handle these issues. Here is a small excerpt:
Pelland's child pornography files—both charged and uncharged—had creation dates ranging from May 2008 to March 31, 2009. As Cummings testified, a creation date can be the date a file was downloaded from the Internet or the date it was transferred from another device. Pelland contends that the creation dates reflect the dates on which he transferred pre-existing files onto the thumb drive and desktop, not the dates on which they were originally downloaded. The jury could have reasonably concluded, however, that Pelland would not have transferred the files in a piecemeal fashion on many separate dates, and that Internet downloading on separate dates was more plausible.
If, as Pelland urges, creation dates reflected the dates that pre-existing files were transferred (and not download dates), none of the files on the thumb drive or desktop could have had creation dates earlier than November 2008—the date Poisson gave these devices to Pelland, and thus the earliest date he could have transferred files onto them. Because some of the uncharged files have creation dates going back to May 2008, however, the jury could have reasonably inferred that the creation dates reflected download dates, not file transfer dates. 
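The court's inference turns on two properties of file timestamps that are worth stating precisely. A plain Windows Explorer copy gives the destination file a fresh creation time but keeps the source's last-modified time, so a copied file typically shows created later than modified; a freshly downloaded file shows the two roughly equal; and no plain copy onto a device can produce a creation time earlier than the date the device was in the user's hands. The following is an added example, not code from the original post or the opinion, that applies those rules to constructed file records; the device-receipt date, paths and timestamps are all assumptions. Two caveats a practitioner would add: some copy and backup utilities preserve creation timestamps, and NTFS file tunneling can hand an older creation time to a file recreated under the same name within seconds, so this is a heuristic to be corroborated with other artefacts (browser history, download records, the admissions the court also relied on), not proof on its own.

```python
"""Added example, not from the original post or the opinion: the creation vs
modification timestamp inference the Fifth Circuit relied on, applied to
constructed file records. Dates and paths are illustrative assumptions."""
from datetime import datetime


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Assumed: the date the storage device came into the user's possession.
DEVICE_RECEIVED = ts("2008-11-15 00:00")

# Constructed records (path, created, modified) as read from the file system.
FILES = [
    ("E:/img/a.jpg", ts("2008-05-03 21:14"), ts("2008-05-03 21:14")),  # before device
    ("E:/img/b.jpg", ts("2009-01-10 22:40"), ts("2009-01-10 22:40")),  # created == modified
    ("E:/img/c.jpg", ts("2009-02-02 19:05"), ts("2007-08-19 11:30")),  # modified predates
    ("E:/img/d.jpg", ts("2009-03-01 08:00"), ts("2009-03-20 17:45")),  # edited after creation
]


def classify(created, modified, device_received):
    """Classify how a file's creation/modification pair could have arisen.

    Under a plain Windows Explorer copy the destination gets a fresh creation
    time and keeps the source's modification time, so modified < created marks a
    copy. A download or other fresh write leaves created == modified. A creation
    time before the device was in the user's hands cannot have been set by a
    plain copy onto that device. These are heuristics; see the caveats above."""
    if created < device_received:
        return "created before device received: not a plain copy onto this device"
    if modified < created:
        return "modified predates creation: consistent with a copy preserving mtime"
    if modified > created:
        return "modified after creation: written here, then edited"
    return "created == modified: consistent with a download or fresh write"


def timeline_summary(files, device_received):
    """Return {path: label} plus the number of files whose creation predates the device."""
    labels = {p: classify(c, m, device_received) for p, c, m in files}
    predating = sum(1 for _, c, _ in files if c < device_received)
    return labels, predating


if __name__ == "__main__":
    labels, n = timeline_summary(FILES, DEVICE_RECEIVED)
    for path, label in labels.items():
        print(path, "->", label)
    print(n, "file(s) created before the device was received")
```

Run against the constructed records, the first file is the Pelland situation: a creation date months before the device existed in the user's possession, which the jury was entitled to read as a download date rather than a transfer date.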
The defendant also argued that, for one particular count, the court was relying on an erroneous decision, United States v. Dickson, 632 F.3d 186 (5th Cir. 2011), which allows the commerce element to be met by "producing" child pornography on a device that traveled in interstate commerce. The error, the defendant asserted, is that Dickson held that copying files from one device to another is "producing" child pornography, which is clearly wrong. Because the evidence tying the defendant to the internet was sufficient to sustain all counts, the court punted on the issue.

The statute in question is 18 U.S.C. § 2252A(a)(5)(B), which states in pertinent part:
Any person who . . . knowingly possesses, or knowingly accesses with intent to view, any . . . material that contains an image of child pornography . . . that was produced using materials that have been mailed, or shipped or transported in or affecting interstate or foreign commerce by any means . . . .
The Fourth, Seventh, Ninth, and Tenth Circuits have also held that a defendant who copies files from one medium to another has "produced" child pornography. The language in question from Dickson is as follows:
Dickson's arguments are as unpersuasive to us as similar arguments were to the Fourth, Seventh, Ninth, and Tenth Circuits. First, "producing" is broadly defined as "producing, directing, manufacturing, issuing, publishing, or advertising." 18 U.S.C. § 2256(3). Congress could have left "producing" undefined, thereby giving it its ordinary meaning. But by defining "producing" using the term itself plus other closely related terms, Congress intended the statute to cover a wider range of conduct than merely initial production. Excluding copying from our interpretation of "producing" would be too restrictive a reading.
The defendant in Pelland argued that Dickson was wrongly decided, because the statutory definition of "producing" was construed too broadly and copying was never meant to be within the statute's reach. The Fifth Circuit declined to address the issue:
Pelland's argument respecting the definition of "produced" is moot because, as we have discussed, the trial evidence was sufficient to prove the government's primary interstate commerce theory. . . . In any event, because Dickson has not been overruled or superseded by a decision of the Supreme Court or this court sitting en banc, we cannot overturn it. . . . Pelland recognizes that we must follow Dickson, and raises this argument only to preserve it for further review.
It is my hope that the defendant requests an en banc review, or if such review is denied, appeals to the Supreme Court. I have a hard time pulling "copying" from "producing." More fundamentally, I think it is tenuous to rest federal jurisdiction on copying to a device that came from interstate commerce - the previous activity of the device seems to be irrelevant for the current activities. In cases where the internet is used as the jurisdictional hook, at least data is contemporaneously being transferred between interstate elements (be it CP related or not). I think this is overstepping by Congress, compounded by judicial expansion of a statute beyond its plain meaning. Stay tuned.

Friday, August 10, 2012

In Paypal DDOS case, government reprimanded for failure to analyze and return data in a timely fashion

If you recall, I wrote earlier about the E.D.N.Y. holding that the government's failure to examine data after 15 months was a seizure under the Fourth Amendment; see Federal court holds that 15-month delay in reviewing electronic evidence was an unlawful seizure. Well, it appears the government continues to have issues in this regard.

In United States v. Collins, 2012 U.S. Dist. LEXIS 111583 (N.D. Cal. Aug. 8, 2012), the government's motion to reconsider an order to return evidence was denied. The evidence was data that "fell outside the scope of the 27 warrants by which over 100 of the defendants' computers and other digital devices (including storage media) were seized."

The defendant, Collins, is part of a large group of people that were rounded up last year after the DDOS attack on Paypal. The attack was allegedly perpetrated by Anonymous, and used the Low Orbit Ion Cannon to achieve its goal. You can see the DOJ announcement, here: Prosecution of Internet Hacktivist Group "Anonymous," and some of the proceedings of the case, here (including a description of what allegedly occurred, and the criminal charges).

The facts are somewhat similar to Metter (the case my earlier post discussed), in that the government failed for an extraordinary length of time to deal with seized data. In the court's words:
almost a year and a half after presenting the warrants, the government has yet to take any meaningful steps to isolate non-targeted from targeted data
The government's arguments for reconsideration of the March 16, 2012 order (nearly 5 months ago, and many months after the original seizure) were that:
(1) identifying non-targeted data might be difficult; (2) certain non-targeted data might be useful in understanding data that is clearly targeted; and (3) disaggregating non-targeted from targeted data might be unduly burdensome and expensive; (4) allowing only the defendants to keep a complete copy of the seized data might deprive the government the ability to challenge exculpatory non-targeted data and thus would be unfair.
The court was unconvinced by the government's justifications, and essentially chided the government for arguing a position that would allow it to keep data it was not authorized to seize (possibly indefinitely) and would nullify the government's pledge in search warrants to return such data. In the court's words:
If separating non-targeted data from targeted data and devices lawfully retained as criminal instrumentalities is too hard here, it presumably is too hard everywhere. In what case where a storage device is seized lawfully could a defendant or other subject of a search warrant ever secure return of data that the government had no right to take? Just about every storage device can be searched more easily with automated scripts than manually. Just about every storage device has non-targeted data that might prove useful to understanding the data that was targeted. Just about every storage device has deleted files in unallocated space. If the government's argument were accepted here, so that it need not return even one bit of data that is clearly outside the scope of the warrant, the court thus would render a nullity the government's pledge in just about every search warrant application it files in this district that it will return data that it simply has no right to seize. 
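The court's observation that a storage device "can be searched more easily with automated scripts than manually" is correct as far as a first pass goes. The script below is an added example, not code from the original post or from the Collins docket: given a warrant scope expressed as named paths, content keywords and a date window, it partitions a set of constructed file records into targeted and non-targeted, and attaches a SHA-256 to each entry so that a return manifest can be checked by both parties. The scope, paths and file contents are made-up assumptions (the keywords echo the LOIC and PayPal references in the case description); nothing here comes from the actual warrants.

```python
"""Added example, not code from the original post or the Collins docket: a
first-pass automated separation of targeted from non-targeted files under a
warrant's stated scope, with a hashed manifest of what falls outside it. The
scope and file contents are constructed assumptions."""
import hashlib
from datetime import datetime


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d")


# Assumed warrant scope: a date window, content keywords, and paths the warrant named.
SCOPE = {
    "start": ts("2010-12-01"),
    "end": ts("2010-12-31"),
    "keywords": ("loic", "paypal"),
    "paths": ("/home/u/irc/",),
}

# Constructed file records: (path, last-modified date, content bytes).
FILES = [
    ("/home/u/irc/anonops.log", ts("2010-12-08"), b"<u> loading LOIC, target paypal"),
    ("/home/u/Downloads/loic.zip", ts("2010-12-09"), b"PK\x03\x04..."),
    ("/home/u/Pictures/family.jpg", ts("2009-06-14"), b"\xff\xd8\xff\xe0 JFIF"),
    ("/home/u/Documents/taxes2010.pdf", ts("2011-03-02"), b"%PDF-1.4 return"),
    ("/home/u/notes.txt", ts("2010-12-20"), b"grocery list: milk, eggs"),
]


def in_scope(path, mtime, content, scope):
    """Return (True, reason) if the file meets any warrant criterion, else (False, '')."""
    if any(path.startswith(p) for p in scope["paths"]):
        return True, "path named in warrant"
    text = content.decode("utf-8", errors="ignore").lower()
    hits = [k for k in scope["keywords"] if k in text or k in path.lower()]
    if hits and scope["start"] <= mtime <= scope["end"]:
        return True, "keyword(s) %s within date window" % ",".join(hits)
    return False, ""


def partition(files, scope):
    """Split files into targeted and non-targeted lists.

    Each entry carries a SHA-256 of the content so the return manifest for the
    non-targeted set can be verified independently by both sides."""
    targeted, non_targeted = [], []
    for path, mtime, content in files:
        keep, reason = in_scope(path, mtime, content, scope)
        entry = {"path": path, "sha256": hashlib.sha256(content).hexdigest(), "reason": reason}
        (targeted if keep else non_targeted).append(entry)
    return targeted, non_targeted


if __name__ == "__main__":
    targeted, non_targeted = partition(FILES, SCOPE)
    print("targeted:")
    for e in targeted:
        print("  ", e["path"], "(", e["reason"], ")")
    print("non-targeted (return manifest):")
    for e in non_targeted:
        print("  ", e["sha256"][:16], e["path"])
```

A keyword-and-path filter like this is cheap, which is the court's point; it is not complete. Files it marks non-targeted still need examiner review before return (encoded or compressed content defeats a naive keyword match, and deleted material in unallocated space is not in the file list at all), and the targeted set is where the human effort belongs. What the government in Collins argued was effectively that the cheap step was too hard to take at all.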
To me, it's hard not to wonder if there is a systemic problem going on with how the government is handling cybercrime cases and the plethora of evidence that they tend to produce - according to this transcript, there were at least 9 terabytes of data that had to be analyzed.  That is certainly a lot of data, but as the court in Metter stated, there has to be a line drawn somewhere when retention of data transforms from investigatory to a violation of the Fourth Amendment.