Well, when I was prosecuting, and had the key situation come up, we usually gave the person a choice. Give up the key or the lock is getting cut off. In one case I remember well, it was give up the combination to the gun safe or they are going to force entry. He gave up the combination because he had a couple of nice shotguns inside he didn't want damaged (along with his homemade kiddie p0rn). You aren't forcing the defendant to do anything here but minimize damage to his/her property. With the password, it's clearly a situation where you are forcing a person to give a statement. If nothing else, it's a statement of ownership, because by giving the password, you are acknowledging everything protected by that password, as well as knowledge of the contents.
And RevDisc, you're right on several points. They do always replicate the hard drive and work on the copy. It's the only way to properly preserve the evidence on the machine. And, you're also right in that the law and technology aren't on the same page. Not by a long shot. A lot of courts in Ohio don't recognize filing by fax, much less by other electronic means.
Having established an ounce of credibility regarding IT forensics, let me make this statement. IT forensics is even more of a joke than normal forensics. Many kinds of normal forensics have a very long way to go before they can or should be considered science. DNA forensics is solid, if done correctly. Even bedrock solid "forensics" such as fingerprints is... less than optimal. By less than optimal, I mean any scientist trying to make such claims would be burned at the stake, deservingly so. Collaborative Testing Service ran a test (the FIRST test, in 1995!) of 156 professionals asked to identify four suspect cards with prints of all ten fingers against seven latents. 44% did so correctly.
k, so normal forensics is bad, but not horrifically bad. IT forensics... trust me, I could easily, trivially and casually frame a person on "IT evidence". With automated tools, that I could teach a 12 year old to operate. Leaving no marks that any IT forensics geek could possibly disprove. I know this, because I was bloody trained to do so by IT forensic geeks.
Only useful purpose for IT forensics is to hang morons, or for a superficially convincing reason to hang someone you really want to hang on but can't otherwise nail. Forensics is more alchemy than science. I don't know the proper analogy for IT forensics. Using a witch doctor analogy is providing way too much credibility.
I am not some "truth'er" or other nut job that thinks rainbows in a sprinkler is an NSA conspiracy. I've been a geek since I could walk. I know and have gotten drunk with the best computer forensics folks in the world (in Vegas, heh, some GREAT stories there). Heck, I could be one of the best computer forensics folks in the world if I had less integrity or ability to feel shame. I can provide proof and working examples of everything I mentioned.
And how do they do that? Assuming they disconnect it from the machine it's in, there are a few ways that a small circuit on (or inside) the drive could detect a disconnect without falsing on a simple power shutdown. (continuity between the various ground pins on an SATA or PATA connector, or ground pin and shell on USB for example - even if this isn't maintained at the controller, it would be trivial to short those pins together in the cable or at the controller-side connector) It doesn't take a lot of power to scramble a fair swath of data, and most of the desktop drives I've disassembled had room for a button cell battery, microcontroller to handle the processing, and the wiring to just start sending random bits to the write heads. Anyone determined to do Really Bad Things could set up a clean room to install the circuit in drives for their operatives, and now that I think about it, it sounds like a half decent product for various black markets. (Not working too closely together, so that any potential weakness isn't necessarily consistent among all designs.)
Block transfers. There are plenty of overpriced devices that you slap the original HD and a blank HD into, hit a button, and it will give you a bit accuracy copy of the original HD. It's standard practice. It doesn't load the OS, it goes straight to the lowest level. Oversimplified? HD reads a 0, it copies a 0. HD reads a 1, it copies a 1.
And yes, folks have tried to implement ways of detecting this and other forms of hardware hacking. Photovoltaic cells inside of chips, pressurized sections, etc. All of which can and have been bypassed. For PV cells, you simply don't allow any light. For pressurized sections, you do your work in a pressurized baggie with nitrogen to the right PSI. etc etc. For hard drives, it's even easier. You can take out the platters, and slap them into another enclosure. It's done on a regular basis for data recovery.
Which has nothing to do with encryption.
Which invalidates the concern over "damage" to contents of the drive.
If adjudicated "not guilty" the suspect party is getting all his original computer equipment back intact. No acetylene torches used to "brute force" and destroy contents of the drive, since the technicians will be working against copies of the data rather than original data.
I'm thinking that a doubled password is just the ticket... but give them NOTHING. If they happen to get lucky and find the "bad" password (if you had anything "bad"), you say "You're manufacturing information" and provide the "good" password in your defense that shows embarrassing, but not illegal, data. Then they have to prove that their forensic trail isn't suspect, and that the technique they used is even legitimate. 90% of the time I bet the whole debate then goes right over the top of the jury and they acquit out of frustration.
Ayep. Hence why folks go with the plausible deniability encryption. It works against "lead pipe cryptanalysis", the joking term for physical coercion. Trust me, crypto geeks have thought of every friggin possibility and developed countermeasures for the overwhelming majority. The overwhelming majority of folks don't care enough to do it right, and doing it even slightly wrong invalidates a lot of security.
Okay, in the key/combo situation, is there a contempt charge precedent in there if they don't choose to provide the key or combo?
Thanks for your inputs, I'm even more wary now...again, my worst fear is:
What if you manually scramble the data (specific, manually entered, bit-wise shuffles (or manually doing a block cypher, but each step executed on the system))--now the "key" is the order and specifics of a series of actions. Could they then force you to reveal your actions, as they constitute the encryption key? Seems like that's the same as holding someone until they tell you exactly what other actions they performed. Overall, this is a horrible precedent if it goes through.
Re key or combo, I'm not a judge, but for the most part, no. They call a locksmith, who usually just drills or torches the thing open. (Another rant, locksmiths, blah!)
Second part, ayep. They'd hit you with contempt charges until you fold like origami. Respectfully speaking, 99.999% of lawyers, judges and prosecutors know barely more than Microsoft Office. (Trust me, I worked for lawyers, they thanked the Gods for being given a geek.) TrueCrypt or homebrew crypto (always a bad idea) is a black box to them that they don't really understand, and don't really care to understand.
And yes, it is.