Federal Judge decides 5th amendment protection does not apply to encrypted HD...

  • TheCotMan
    *****Retired *****
    • May 2004
    • 8857

    #31
    Re: Federal Judge decides 5th amendment protection does not apply to encrypted HD...

    About the case for which this thread is of topic:

    "Forcing Defendant to Decrypt Hard Drive Is Unconstitutional, Appeals Court Rules"
    By David Kravets, February 24, 2012 @ 3:40 pm
    URL1=http://www.wired.com/threatlevel/2012/02/laptop-decryption-unconstitutional


    Originally posted by URL1
    ... co-defendant, Scott Whatcott, has forwarded passwords to the authorities.

    Dubois said it was not immediately known whether those passwords would unlock the hard drive in the Toshiba laptop seized from Fricosu with valid warrants in 2010. If they do, then the 5th Amendment issue is off the table, Dubois said.

    If the passwords don’t work, Dubois said, Fricosu “will definitely make her best effort” to decrypt the laptop, although she may have forgotten the password.

    U.S. District Judge Robert Blackburn has ordered Fricosu to decrypt the laptop by month’s end.

    Dubois said that, on Monday, he would provide Judge Blackburn with the 11th Circuit’s opinion in the child pornography case as part of a last-ditch effort to halt the decryption order.

    That said, Blackburn is not bound by the 11th Circuit decision because his court is in the 10th Circuit.


    • TheCotMan
      *****Retired *****
      • May 2004
      • 8857

      #32
      Re: Federal Judge decides 5th amendment protection does not apply to encrypted HD...

      "Suspect Must Unlock Laptop's Files"
      By NATHAN KOPPEL, FEBRUARY 27, 2012
      URL1=http://online.wsj.com/article/SB10001424052970204778604577243621660569112.html

      Originally posted by URL1
      Denver federal judge Robert Blackburn last month ruled that Ms. Fricosu in effect already had been incriminated because the government already had solid evidence she was the sole or primary user of the laptop, and thus would not gain additional, incriminating evidence by compelling her to decrypt it.
      This is a new bit of information, but does not change my position. In this, there is a claim they have enough evidence to convict her. Even if we assume this to be true, it does not attack the reasons for finding such a request unconstitutional in the 11th circuit court of appeals:
      * There is no witness (LEO or otherwise) to seeing evidence on the encrypted laptop
      * The laptop's encrypted media may have nothing in it, and without witness to say otherwise, and they know of specific illegal content, such a demand becomes a fishing expedition.
      * Demanding the defendant decrypt the contents of the laptop establishes they had access to read and write contents to the encrypted media. (This is not the same as being the, "sole or primary user of the laptop." With drive-by-download, and infection by malware, and physical access of the laptop by other family members, and anywhere she may leave it out as she takes it with her to coffee shops, visitors visit her at her hours, or when taken to work... with all of these, there is opportunity for her husband or others to install files on her laptop without her knowledge. Is there an opportunity for a "Plan B"? The husband could have planted evidence on her laptop, especially if the passwords he provided authorities not only grant local login access to the laptop, but also access to the encrypted files. If their breakup was unhappy, he may have motive to implicate her, or frame her for something in which she may not have been involved.
      * Forcing the defendant to use information stored in their mind (such as to open a safe with a proper combination) has historically been found unconstitutional when 5th amendment protections are claimed, and this "combination to a safe" as a metaphor is a closer match than "a key to a lockbox" as argued by the state.


      It also does not address issues where the defendant may have forgotten the passphrase.


      If this stands, and she is forced to decrypt an encrypted volume, can this be abused to frame and implicate any target with a laptop? Consider the "fun" with leaving evidence that a laptop of your "enemy" was used to do illegal things, then leave encrypted files, or volumes on their laptop and drop clues (anonymously) to authorities until they are arrested. Now wait until they are held in contempt until they decrypt something they didn't even know they had. I predict super-fun times ahead for people with enemies willing and able to frame them for crimes they did not commit.
      Last edited by TheCotMan; February 27, 2012, 17:31.


      • Thorn
        Easy Bake Oven Iron Chef
        • Sep 2002
        • 1819

        #33
        Re: Federal Judge decides 5th amendment protection does not apply to encrypted HD...

        And some more write-ups, courtesy of the SANS Newsbites:

        Originally posted by SANS NewsBites Vol. 14 Num. 17
        --Appeals Court Rules Forced Decryption Violates Fifth Amendment Rights
        (February 24, 2012)
        Last week, a US federal appeals court in Atlanta has ruled that forcing an individual to decrypt a computer hard drive so the data on the device can be used by prosecutors violates the individual's Fifth Amendment rights. Just a day before the 11th Circuit Court of Appeals' ruling, the 10th Circuit Court of Appeals in Denver refused to hear the appeal of Ramona Fricosu, who has been ordered by a lower court to decrypt a laptop found in her possession because it is believed to contain information that could help the prosecution. The Denver court agreed with the DOJ's assertion that Fricosu must have a verdict against her before an appeal can be considered. A 2000 Supreme Court case ruled that only when government can describe the documents it seeks with "reasonable particularity" can it compel a suspect to produce those documents. In the Atlanta case, the John Doe defendant has spent months in jail for contempt charges for refusing to decrypt hard disks.
        http://arstechnica.com/tech-policy/n...ard-drives.ars
        http://www.wired.com/threatlevel/201...onstitutional/
        http://news.cnet.com/8301-1009_3-573...rize-password/
        http://www.h-online.com/security/new...e-1442424.html

        Originally posted by TheCotMan
        If this stands, and she is forced to decrypt an encrypted volume, can this be abused to frame and implicate any target with a laptop?
        Sure, this could replace 'swatting' as the newest form of technical revenge.

        Originally posted by TheCotMan
        I predict super-fun times ahead for people with enemies willing and able to frame them for crimes they did not commit.
        Chris: Guard your laptop when you're around Cot. I'm just sayin'.
        Thorn
        "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird


        • TheCotMan
          *****Retired *****
          • May 2004
          • 8857

          #34
          Re: Federal Judge decides 5th amendment protection does not apply to encrypted HD...

          "Constitutional Showdown Voided: Feds Decrypt Laptop Without Defendant’s Help"
          By David Kravets, February 29, 2012 | 5:17 pm
          URL1=http://www.wired.com/threatlevel/2012/02/decryption-flap-mooted/

          Originally posted by URL1
          Colorado federal authorities have decrypted a laptop seized from a bank-fraud defendant, mooting a judge’s order that the defendant unlock the hard drive so the government could use its contents as evidence against her.
          ...
          “They must have used or found successful one of the passwords the co-defendant provided them,” Fricosu’s attorney, Philip Dubois, said in a telephone interview Wednesday.
          ...
          If the co-defendant provided the passphrase to decrypt the contents, that established *he* had access to read/write contents, but does not explicitly provide a connection with his ex-wife, the one that claimed 5th amendment protection, had access to read and write contents to the encrypted volumes.

          There were the phone conversation, recorded, which might be used against her, which may be able to show she claims to have had access to the encrypted content.


          • Thorn
            Easy Bake Oven Iron Chef
            • Sep 2002
            • 1819

            #35
            Re: Federal Judge decides 5th amendment protection does not apply to encrypted HD...

            Originally posted by TheCotMan
            If the co-defendant provided the passphrase to decrypt the contents, that established *he* had access to read/write contents, but does not explicitly provide a connection with his ex-wife, the one that claimed 5th amendment protection, had access to read and write contents to the encrypted volumes.
            That's a good point. I know of at least one case (non-computer related) where one party in a marriage committed a fraud, and spouse was proved -via forensic accounting- not to have been involved.
            Originally posted by TheCotMan
            There were the phone conversation, recorded, which might be used against her, which may be able to show she claims to have had access to the encrypted content.
            Of course, there may also be some issue of cooperation and testimonial evidence that has not been reported as yet. That's not exactly unknown with ex-spouses who are also ex-partners in crime. That may in turn trigger issues of spousal privileged communications and spousal testimonial privilege, but those limits are already fairly well defined under both federal and state case law.
            Thorn
            "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird


            • Gigs
              Member
              • May 2010
              • 135

              #36
              Re: Federal Judge decides 5th amendment protection does not apply to encrypted HD...

              I want to know how chain of custody could possibly work under a system where you are required to decrypt the data, but not to give up the key. Giving the accused some private time with the keyboard would be giving them an opportunity to tamper with the evidence, even if slight. Everyone has "wipe incriminating data" mapped to ctrl-alt-shift-d right?


              • TheCotMan
                *****Retired *****
                • May 2004
                • 8857

                #37
                Re: Federal Judge decides 5th amendment protection does not apply to encrypted HD...

                Originally posted by Gigs
                I want to know how chain of custody could possibly work under a system where you are required to decrypt the data, but not to give up the key. Giving the accused some private time with the keyboard would be giving them an opportunity to tamper with the evidence, even if slight. Everyone has "wipe incriminating data" mapped to ctrl-alt-shift-d right?
                I would assume an image of the evidence would be taken before decryption, and threats of being prosecuted for destruction of evidence would provide incentive to not delete the data. Also, with an image of encrypted data and then access to decrypted data, "known plain-text attacks," could yield a key for use with copies of the encrypted content.


                • Thorn
                  Easy Bake Oven Iron Chef
                  • Sep 2002
                  • 1819

                  #38
                  Re: Federal Judge decides 5th amendment protection does not apply to encrypted HD...

                  Originally posted by Gigs
                  I want to know how chain of custody could possibly work under a system where you are required to decrypt the data, but not to give up the key. Giving the accused some private time with the keyboard would be giving them an opportunity to tamper with the evidence, even if slight. Everyone has "wipe incriminating data" mapped to ctrl-alt-shift-d right?
                  It could probably be worked out in one of several ways, but the easiest would be to have his attorney enter the key on a forensic image*. Defense attorneys usually play by the rules, and tend to avoid getting themselves in legal jeopardy. Also, since SOP is that you always work from the image (and NEVER on the original drive/PC**), and the first thing you do is generate hashes on the original and the image, any tampering would be pretty obvious.

                  *"Image" in this context means "a forensically correct duplicate of the digital media in question". "Image" is the standard word used in digital forensic circles, as opposed to "copy" or "mirror", due to prior case law.

                  **Despite what McGee and Abby do on TV...
                  Thorn
                  "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird


                  • hexjunkie
                    AKA Cuddles
                    • Jul 2009
                    • 307

                    #39
                    Re: Federal Judge decides 5th amendment protection does not apply to encrypted HD...

                    Originally posted by Thorn
                    It could probably be worked out in one of several ways, but the easiest would be to have his attorney enter the key on a forensic image*. Defense attorneys usually play by the rules, and tend to avoid getting themselves in legal jeopardy. Also, since SOP is that you always work from the image (and NEVER on the original drive/PC**), and the first thing you do is generate hashes on the original and the image, any tampering would be pretty obvious.

                    *"Image" in this context means "a forensically correct duplicate of the digital media in question". "Image" is the standard word used in digital forensic circles, as opposed to "copy" or "mirror", due to prior case law.

                    **Despite what McGee and Abby do on TV...
                    I just wanted to chime in here on the MD5 (hash) that you are referencing. Hash of encrypted volume =/= hash of unencrypted same volume.

                    The image you refer to is standard terminology; the Google term would be a "bit level image" or a "bit for bit copy".

                    You are correct that forensics is never done on the original system, for any reason, ever.. if it is the investigator should be fired on the spot. SOP in a lab environment (every lab) is to image the original (the original being behind a write blocker) then make a duplicate of the image. The duplicate is the "working copy" the image file is then locked into an evidence storage medium (evidence vault) and the original system is then either handed back to the person (only corporate environments), stored in a different evidence vault, or stored in the same evidence vault.

                    I also wanted to mention that it depends on the type of encryption as to whether an encrypted volume is even imaged. A dumb examiner with unlimited budgets will just image everything; a smart examiner knows about hardware vs software encryption. In the case of something like an iron key.. I'm not going to be able to image it because I can't get to the data partition until you unlock it.. so imaging the partition that I can get to is useless. What I'd have to do is decrypt it then do a logical acquisition.
                    Originally posted by Ellen
                    Do I wish we could all be like hexjunkie? Heck yes I do. :) That would rock.


                    • hexjunkie
                      AKA Cuddles
                      • Jul 2009
                      • 307

                      #40
                      Re: Federal Judge decides 5th amendment protection does not apply to encrypted HD...

                      Since we are on the topic of encryption and hiding data.. I just wanted to offer a simple idea.

                      If you were to write a bit of shell code that pulls files from a particular pointer, then encrypted a volume and put a file into unallocated space on the encrypted volume.... chances are that the file would be overlooked.

                      When imaging an encrypted volume you will most likely have to do a logical acquisition, which as the kids in school know isn't a bit level image. In fact what it is would be similar to running cp -p command (which doesn't copy file slack or unallocated space).

                      I hope people can follow my line of thinking here....
                      Originally posted by Ellen
                      Do I wish we could all be like hexjunkie? Heck yes I do. :) That would rock.


                      • Thorn
                        Easy Bake Oven Iron Chef
                        • Sep 2002
                        • 1819

                        #41
                        Re: Federal Judge decides 5th amendment protection does not apply to encrypted HD...

                        Originally posted by hexjunkie
                        I just wanted to chime in here on the MD5 (hash) that you are referencing. Hash of encrypted volume =/= hash of unencrypted same volume.
                        An excellent point, and one that slipped my mind.

                        In sticking with TheCotMan's "how would you do it" scenario though, I think you could still work it out with the defense attorney by having him do the decrypt in front of the examiner, doing a logical acquisition of the decrypted volume, re-encrypting the original volume (using the attorney to supply the password), and finally comparing the MD5 of the volume in the before and after encrypted states. Then the attorney keeps the key, the authorities get the data, and the chain of custody is preserved.

                        Originally posted by hexjunkie
                        Since we are on the topic of encryption and hiding data.. I just wanted to offer a simple idea.

                        If you were to write a bit of shell code that pulls files from a particular pointer, then encrypted a volume and put a file into unallocated space on the encrypted volume.... chances are that the file would be overlooked.

                        When imaging an encrypted volume you will most likely have to do a logical acquisition, which as the kids in school know isn't a bit level image. In fact what it is would be similar to running cp -p command (which doesn't copy file slack or unallocated space).

                        I hope people can follow my line of thinking here....
                        I follow you, and that's a very interesting idea. I'm going to have to put that to the test with some extra disks, and see what happens.
                        Thorn
                        "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird
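
Added example, not part of any post in this thread: a sketch of the hash-based chain of custody discussed in posts #38 to #41, showing that the image and working copy are verified against the acquisition hash, that the decrypted logical acquisition needs its own baseline hash, and that a one-bit change is detected. The file names, the constructed sample data and the `toy_crypt` keystream (a stand-in for real volume encryption) are assumptions, and SHA-256 is used in place of the MD5 mentioned in the thread.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024

def sha256_file(path):
    """Stream a file through SHA-256 so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(src, dst):
    """Bit-for-bit copy; returns the hash of exactly the bytes read from src."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            h.update(block)
            fout.write(block)
    return h.hexdigest()

def toy_crypt(data, key):
    """Constructed stand-in for volume encryption (XOR keystream, symmetric).
    Not real disk crypto; it only makes ciphertext differ from plaintext."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)

def run_demo():
    key = b"constructed-passphrase"                          # constructed
    plaintext = b"constructed ledger contents\n" * 4096      # constructed
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "original.dd")   # would sit behind a write blocker
        image = os.path.join(d, "evidence_image.dd")
        working = os.path.join(d, "working_copy.dd")
        logical = os.path.join(d, "logical_acquisition.bin")
        with open(original, "wb") as f:
            f.write(toy_crypt(plaintext, key))       # the "encrypted volume"

        # Custody record: one baseline hash per evidence item.
        custody = {"original": acquire(original, image)}
        custody["image"] = sha256_file(image)
        custody["working"] = acquire(image, working)

        # Decryption is done on the working copy only; the decrypted output is
        # a new evidence item with its own baseline, since its hash can never
        # match the hash of the encrypted image.
        with open(working, "rb") as f:
            decrypted = toy_crypt(f.read(), key)
        with open(logical, "wb") as f:
            f.write(decrypted)
        custody["logical"] = sha256_file(logical)

        results = {
            "image_matches_original": custody["image"] == custody["original"],
            "working_matches_image": sha256_file(working) == custody["image"],
            "decrypted_hash_differs": custody["logical"] != custody["image"],
            "logical_matches_plaintext":
                custody["logical"] == hashlib.sha256(plaintext).hexdigest(),
            "original_unchanged": sha256_file(original) == custody["original"],
        }

        # Simulated tampering: flip a single bit in the working copy.
        with open(working, "r+b") as f:
            f.seek(1000)
            byte = f.read(1)
            f.seek(1000)
            f.write(bytes([byte[0] ^ 0x01]))
        results["tamper_detected"] = sha256_file(working) != custody["image"]
        return results

if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {ok}")
```
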


                        • TheCotMan
                          *****Retired *****
                          • May 2004
                          • 8857

                          #42
                          Re: Federal Judge decides 5th amendment protection does not apply to encrypted HD...

                          Originally posted by hexjunkie
                          Since we are on the topic of encryption and hiding data.. I just wanted to offer a simple idea.

                          If you were to write a bit of shell code that pulls files from a particular pointer, then encrypted a volume and put a file into unallocated space on the encrypted volume.... chances are that the file would be overlooked.

                          When imaging an encrypted volume you will most likely have to do a logical acquisition, which as the kids in school know isn't a bit level image. In fact what it is would be similar to running cp -p command (which doesn't copy file slack or unallocated space).

                          I hope people can follow my line of thinking here....
                          Sounds similar to a deniable encryption filesystem like MaruTukku ( http://en.wikipedia.org/wiki/MaruTukku ). Such a method to hide data was brought up at Defcon, maybe Defcon 6? Schneier and others brought up another point of view as a disagreement on the results of using such a system. If authorities know you are using any deniable encryption filesystem, and they beat you for passwords/passphrases, they won't know when to stop beating you. Other people believe that a person is better off not revealing any passphrases, because once any passphrase is given up, it only encourages more beatings and torture until more passwords/passphrases are given up. This assumes that people have no breaking point. Everyone has a breaking point. If using a deniable encryption filesystem, be sure that "Eve" is not willing and able to do, "whatever it takes," to get the password/passphrase from you, if you want to use it. In the U.S., use of such a piece of software could lead to unlimited detention (up to the maximum penalty for a crime or maybe 10 years or so) if the court thinks you have not given up all of the passphrases/passwords to hidden content.

                          If just hiding a file without encryption, it would seem to be more like security by obscurity.

                          Stay safe. :-)
                          Last edited by TheCotMan; April 27, 2012, 07:28.


                          • TheCotMan
                            *****Retired *****
                            • May 2004
                            • 8857

                            #43
                            Re: Federal Judge decides 5th amendment protection does not apply to encrypted HD...

                            To continue discussion here, we have a new article:

                            URL1=http://www.wired.com/threatlevel/2013/07/decryption-flap/

                            Originally posted by URL1
                            It might not bode so well for Feldman if he eventually claims he forgot his passwords, as the government fears. While that issue has not been addressed in court as it relates to encryption, judges usually view forgetfulness as a “sham or subterfuge that purposely avoids giving responsive answers.”
                            This sounds like contempt of court is a likely outcome if the defendant claims they forgot the password. This is one of the more likely possibilities that we have discussed above. It would be good to see what happens when someone does claim that in such a case, and follows through with it, no matter what the consequences might be.


                            • astcell
                              Human Rights Issuer
                              • Oct 2001
                              • 7512

                              #44
                              Re: Federal Judge decides 5th amendment protection does not apply to encrypted HD...

                              1. Use absolutely huge passwords like 50 characters.
                              2. Keep the password on an encrypted USB device like an Ironkey.
                              3. Type the wrong password ten times, key destructs, password forever inaccessible.


                              • ButterSnatcher
                                Member
                                • Jan 2011
                                • 87

                                #45
                                Re: Federal Judge decides 5th amendment protection does not apply to encrypted HD...

                                Originally posted by astcell
                                1. Use absolutely huge passwords like 50 characters.
                                2. Keep the password on an encrypted USB device like an Ironkey.
                                3. Type the wrong password ten times, key destructs, password forever inaccessible.
                                Wouldn't they then be allowed to just prosecute on the assumption then there was incriminating evidence?
