Slashdot Mirror

← Back to Stories (view on slashdot.org)

Safeguards For RIAA Hard Drive Inspection

Posted by kdawson on from the under-watchful-eyes dept.

NewYorkCountryLawyer writes "In SONY v. Arellanes, an RIAA case in Sherman, Texas, the Court entered a protective order (PDF) that spells out the following procedure for the RIAA's examination of the defendant's hard drive: (1) RIAA imaging specialist makes mirror image of hard drive; (2) mutually acceptable computer forensics expert makes make two verified bit images, and creates an MD5 or equivalent hash code; (3) one mirror image is held in escrow by the expert, the other given to defendant's lawyer for a 'privilege review'; (4) defendant's lawyer provides plaintiffs' lawyer with a 'privilege log' (list of privileged files); (5) after privilege questions are resolved, the escrowed image — with privileged files deleted — will be turned over to RIAA lawyers, to be held for 'lawyers' eyes only.' The order differs from the earlier order (PDF) entered in the case, in that it (a) permits the RIAA's own imaging person to make the initial mirror image and (b) spells out the details of the method for safeguarding privilege and privacy."

15 of 276 comments (clear)

  1. Initial image by agreed experts, not RIAA by nibblybits · · Score: 2, Informative

    it (a) permits the RIAA's own imaging person to make the initial mirror image IANAL, but having RTFA, I'd say that statement's a bit misleading. It actually states that an expert agreed upon by both parties will make two copies, make an MD5 hash of the copies, then the defendant has the opportunity to justify that some files are private and nothing to do with the case, and once that's settled:

    Plaintiffs shall have access to the Escrowed Image of the hard drive, minus the files as to which privilege has been asserted Seems pretty reasonable to me. Wouldn't make a lot of sense if they gave them access to the drive minus these files, if they had already initially had access to the whole thing.
    1. Re:Initial image by agreed experts, not RIAA by Kjella · · Score: 4, Informative

      I would strongly recommend against that, if you make the tiniest of mistakes such as timestamps which lets them show that you reinstalled your OS or swapped out your disk for a fake system after being subpoenaed, you could find yourself at the wrong end of some nasty criminal charges for destruction of evidence, obstruction of justice and so on. If you think psying a few thousand dollars is bad, you should see what a felony conviction does for your life...

      --
      Live today, because you never know what tomorrow brings
    2. Re:Initial image by agreed experts, not RIAA by Bob9113 · · Score: 3, Informative

      No, it said the earlier order specified that an RIAA's person was to make the image. The new order says agreed upon expert.

      Verbatim, from the new court order:
      1. Kimberly Arellanes ("Defendant") shall make her computer hard drive available for imaging by Plaintiffs on or before March 21, 2007 [emphasis mine]

      Clearly the court order says that Sony gets to do the initial imaging.

      Step 2 is, "an expert in computer forensics selected by the parties shall make two (2) verified bit-images". That's the second set of images. The initial image is done by Sony.

      --
      Stop-Prism.org: Opt Out of Surveillance
    3. Re:Initial image by agreed experts, not RIAA by Bob9113 · · Score: 2, Informative

      Correction - I'm wrong. Parts 1 and 2 of the document are actually contradictory. Part 1 alone makes it sound like Sony makes an image. Part 2 alone makes it sound like the expert makes two images. Reading both parts together makes it sound like the document is flawed.

      --
      Stop-Prism.org: Opt Out of Surveillance
    4. Re:Initial image by agreed experts, not RIAA by Architect_sasyr · · Score: 2, Informative

      IANAL and this is not legal advice, merely a recount of a story

      A friend of mine got pulled in by the big guns out here in Australia a little while ago. It was kept very quiet (for which he was grateful) because they stormed into his house to find him sitting at his table drinking a coffee, all his PC's turned off. His TrueCrypted hardisks were useless as he "forgot" the complex key in all the excitement of having his door kicked in by a task force. Probably not legal but can they prove it?

      Of course pleading the 5th would just make you look guilty as hell ;)

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
    5. Re:Initial image by agreed experts, not RIAA by Wavicle · · Score: 2, Informative

      Can you be required to divulge the decryption key? IANAL, but I assume that you can be held in contempt of court (or something) by refusing to offer it up, leading to criminal charges, fines, and/or jail time. In any case, I doubt you can just give the RIAA the bird and say "Nah nah, can't touch this" because your stuff is encrypted.

      IANAL either (so take this with a grain of appropriately sized salt)...

      You can refuse to give out your key, but since this is a civil proceeding, the 5th amendment does not apply. If you refuse to give out your key, the judge may hold you in contempt, or may just give the RIAA a default judgment.

      Do the smart thing:

      TrueCrypt has an option to store the "real" information in the apparently "unused" portion of your truecrypt volume (called 'hidden volume'). There is no way to tell if this unused portion is a hidden volume or unused space. Store the stuff that would get you in trouble there.

      --
      Education is a better safeguard of liberty than a standing army.
      Edward Everett (1794 - 1865)
  2. Re:Piracy just hurts the little guy. by AC5398 · · Score: 2, Informative

    Oops, article's at http://www.torontosun.com/News/Columnists/Bonokosk i_Mark/2007/04/20/4078973.html

  3. oops wrong Re:Why a broken hash? by daveb · · Score: 5, Informative
    After babbling mindlessly I thought I'd do a quick check.

    I'm wrong - in fact I get the feeling that it's now important that MD5 is NOT used. NIST (an authority when it comes to forensic investigations) do *not* recommend the use of MD5 checksums. The grandparent was perfectly correct. A decent summary (sorry PDF) is here

  4. Use TrueCrypt! by mwilliamson · · Score: 5, Informative

    Assuming you really do have something to hide, using an encrypted volume embedded within another encrypted volume could be very useful. TrueCrypt supports nested encrypted file systems and since TrueCrypt uses no headers to demarcate its volumes, it is not possible to determine if an additional volume is embedded within a TrueCrypt volume. In effect, it provides plausible deniability of the existence of a 2nd embedded volume if you're forced by court order to decrypt the main volume. (stick some Creative Commons licensed mp3 files in the main volume though, just to throw the RIAA the middle finger a little more.)

    Better yet, support non-RIAA artists at sites like Magnitune. The quality of music I've found there is proof positive that the RIAA no longer has a legitimate purpose in the music industry.

    My tips for installing TrueCrypt on Fedora Core 6.

    1. Re:Use TrueCrypt! by Johnno74 · · Score: 2, Informative

      Yes it works 100% with NTFS. It doesn't care in the slightest what filesystem the drive hosting the volume is using, or what the filesystem inside the encrypted volume is.

  5. Re:Some things I wonder about are....In One Case.. by Nom+du+Keyboard · · Score: 4, Informative
    Do they 'interview' neighbors and friends to see if there is a missing hard drive they are just 'holding'?

    Well, in one case they are demanding to image and search the hard drives and all MP3 players of the son of a defendant, who lives miles away, and claims to only have a desktop system at home that he uses for his job as a legal assistant (i.e. large amount of confidential files there). They're trying to do this because, having searched his mother's harddrive and found ABSOLUTELY NO EVIDENCE of illegal activity on it, and only assumed that they were given the wrong hard drive, and are now on the hunt for the correct one that they're sure exists.

    In the RIAA's twisted logic, he has either taken his desktop (not notebook/laptop computer) to his mother's house miles away to do illegal filesharing on her Internet broadband account, and then taken it home again, or REMOVED HIS HARDDRIVE and transported it over and back to infringe on record company copyrights. This theory, they feel, allows them to now search his hard drive -- or, I would expect, anyone within 4 degrees of separation from the defendant -- and all music players as they wish. While I believe this was finally ruled unreasonable and unlikely to produce admissible evidence, they now are fighting their best to avoid paying his legal bills that he entailed explaining this bit of common sense to them.

    So in answer to your question: Yes!

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  6. Re:Safeguards I use by swillden · · Score: 2, Informative

    Is there any law that says you have to tell the guy taking the computer away there is a bomb in the computer? Whatever, it makes life interesting.

    I think not telling him would be excellent grounds for a reckless endangerment charge even if he's not injured. If he's killed you could potentially be charged with manslaughter or even murder. A really aggressive DA might even be able to argue first-degree murder, saying that your decision not to tell him while leading him to the booby-trapped computer constituted premeditation.

    So, yeah, there's a law against it.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  7. Re:Um, drop it... by freedomlinux · · Score: 2, Informative

    I doubt that the amount of damage caused by such an incident would cause much damage.
    First, there is a much lower chance of corrupted data when the drive heads are parked, as they would be as you hand the bare drive to someone.
    Second, it would take several heard crashes to cause data loss, as there would have to be significant damage to the platters.
    Third, professional date recovery companies can recover much of data from non-working drive, up until the point where a large majority of the physical platters are destroyed.
    Hard drives are resilient units... my experience:
    1. Running notebook dropped 1.5m onto concrete. Result = no data loss
    2. 80gb SATA drive carried for two weeks in an external pocket of a messenger bag. Result = MD5 hash same as previous hash
    3. Hard drive recovered from structure fire. Result = successful professional data recovery.
    4. Running notebook with remote ignition trigger for Thermite. Result = 2204 degreeC fire, platters physically destroyed, no data recovered. (See it at The Broken

  8. Re:Some things I wonder about are....In One Case.. by NewYorkCountryLawyer · · Score: 4, Informative

    If anyone wants to look up that case it's UMG v. Lindor.

    --
    Ray Beckerman +5 Insightful
  9. Re:Digital Forensics - a tough issue by Beryllium+Sphere(tm) · · Score: 2, Informative

    Preferably with a live CD that always mounts things read-only. Helix from e-fense.com is a well known one.

    Be aware that some file systems have counts of how often they've been mounted that increment even when you mount read-only, which is all it takes to make a hash change. Hardware write blockers are not strictly necessary but are handy. Make sure the one you use has been through real testing, preferably your own.