Slashdot Mirror


Merely Cloaking Data May Be Incriminating?

n0g writes "In a recent submission to Bugtraq, Larry Gill of Guidance Software refutes some bug reports for the forensic analysis product EnCase Forensic Edition. The refutation is interesting, but one comment raises an important privacy issue. When talking about users creating loops in NTFS directories to hide data, Gill says, 'The purposeful hiding of data by the subject of an investigation is in itself important evidence and there are many scenarios where intentional data cloaking provides incriminating evidence, even if the perpetrator is successful in cloaking the data itself.' That begs the question: if one cloaks data by encrypting it, exactly what incriminating evidence does that provide? And how important is that evidence compared to the absence of anything else found that was incriminating? Are we no longer allowed to have any secrets, even on our own systems?"

4 of 418 comments

  1. Let me get this straight... by nonsequitor · Score: 5, Interesting

    If I encrypt my financial data, and am unable to unlock it for the FBI because I lost the smart card I used to encrypt it, does that make me guilty of . When asked why I didn't delete it, I could say I hoped to one day find the smart card. Does that mean they can ship me off to gitmo?

    Of course the difference between this scenario and one where someone merely claims to be unable to decrypt the data is irrelevant.

    I thought that we were innocent until proven guilty in this country, not vice versa.

  2. It's called a "warrant". by khasim · Score: 4, Interesting

    So I'm guessing innocent until proven guilty doesn't apply to a person's data, just a person.

    The cops go to a judge and get a warrant based upon whatever evidence they have that a law was broken.

    So if any information (data) hidden from government view is incriminating, then does that give "probable cause" to anything not already in plain sight?

    They'd have to have access to it already to see that it was encrypted. And that access should require a warrant.

    This would seem to be the death blow to the already suffering 4th Amendment: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

    Again, see the word "warrants" there?

    Encrypt EVERYTHING to protect yourself from regular criminals.

    But if you are accused of a crime, you have to decide whether the encrypted data will help your case or harm it. And if it will harm your case, will it do more or less harm than refusing to decrypt it?

    But there has to be a warrant. Focus your complaints on situations where there aren't any warrants.

  3. Re:Why even ask? by irtza · Score: 4, Interesting

    What's significant here is that you are suggesting that there is a reason and that you are treating all data the same in which case it can be said that the data is not really hidden. You merely have a ton of encrypted data. What would be significant and incriminating is selected encryption and "hiding" of data. For example, if all customer information is encrypted, but a select set of customer files for whom you illegally handled funds are kept separately with their own password and login then there is knowledge gained. What is learned is that you took the time and effort to separate those select files from the rest and went to the trouble to make them more difficult to access. It can then be inferred that you had cause independent of all factors other than that these files had evidence of illegal action.

    --
    When all else fails, try.

  4. Can't prove hidden partition doesn't/does exist by KWTm · Score: 4, Interesting

    It could be presumed that you chose that software specifically for the well-known "hidden partition" option (police departments hire geeks too, you know). As such, prove that the incriminating evidence ISN'T locked away in the hidden partition and that you're not refusing to comply with the warrant.

    The point of a hidden partition is that you can't prove it either way, unless you actually unlock it with the key. So, without the key, I could say, "Yes, there's a hidden partition within this conventional TrueCrypt partition, but I'm not giving you the key!" or I could say, "No, there's no hidden partition," and you wouldn't be able to tell either way.

    So, then, you *could* presume that there is a hidden partition -- but then that would be on the same order as just presuming that I have something to hide just because I'm using TrueCrypt in the first place. If I don't actually have a hidden partition, and you go looking for one, you're going to spend a pretty long time looking. There's nothing more frustrating than looking for something to prove that it doesn't exist (bug-checking programming sessions, anyone?).

    As a matter of course, I do set up TrueCrypt volumes at standard sizes that happen to be much bigger than I need -- my usual is 680MB so I can burn the whole thing to a CD. I think all my financial files add up to about 100MB within the 680MB TrueCrypt volume. If you want to go looking in the remaining 580MB for some incriminating evidence -- hey, knock yourself out.
    --
    404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
    [GPG key in journal]