Court Sets Rules For RIAA Hard Drive Inspection

NewYorkCountryLawyer writes "In a Boston RIAA case, SONY BMG Music Entertainment v. Tenenbaum, the Court has issued a detailed protective order establishing strict protocols for the RIAA's requested inspection of the defendant's hard drive, in order to protect the defendant's privacy. The order (PDF) provides that the hard drive will be turned over to a computer forensics expert of the RIAA's choosing, for mirror imaging, but that only the forensics expert — and not the plaintiffs or their attorneys — will be able to examine the mirror image. The forensics expert will then issue a report which will describe (a) any music files found on the drive, (b) any file-sharing information associated with each file, and any other records of file-sharing activity, and (c) any evidence that the hard-drive has been 'wiped' or erased since the initiation of the litigation. The expert will be precluded from examining 'any non-relevant files or data, including ... emails, word-processing documents, PDF documents, spreadsheet documents, image files, video files, or stored web-pages.'"

Re:Question

[JoshuaZ]

There have been contradictory rulings about this. Many courts have ruled that at least in criminal cases people can be forced to decrypt their hard drives. See for example http://arstechnica.com/tech-policy/news/2009/03/court-self-incrimination-privilege-stops-with-passwords.ars

Re:Wiping the Hard Drive After Litigation

[vertinox]

Theoretically, couldn't a person just set the BIOS clock to a date and time prior to the legislation, do multiple shreds and formats on the HDD, reinstall the OS with the BIOS clock still 'in the past', and have it seem as though nothing changed since the initiation of the litigation?

You could, assuming that the computer was still in your possession which I doubt at this point.

Re:You're wrong

[AKAImBatman]

Letting the RIAA pick the "forensics expert" does absolutely nothing to ensure that a fair and impartial expert is chose

I don't think that's the point. The point is that a trusted expert in the industry is the only one with access to the private information. He can then represents the findings on behalf of the RIAA. The defense needs to find its own expert witness to counter any arguments made by the RIAA's expert witness.

At least, that's my understanding of how the proceedings would work. (IANAL)

Re:Wiping the Hard Drive After Litigation

Posting anonymously because, well, you'll see.

I have personally nailed people for trying such a thing. One guy had to pay my fees and the fees of the attorney, another I believe spent a month in jail (the destruction was just the straw that broke the camel's back). In civil matters, destroying evidence means that whatever was there was far worse and far more damaging than anything currently residing on the drive. Lawyers can get away with that because they can say whatever they like and you have no way of proving them wrong.

As for your question, a wiped drive is fairly obvious, unless you set your bios clock 100's of times and do stuff incrementally, create a range of files with chronological creation/modification/access times, populate the event logs with a smooth span of times, and not leave any smoking guns (windows xp pro on a dell?), you're probably gonna get nailed if the forensics expert is worth his paycheck. By the way, when you copy a file across a file system, from one drive to another, it gets a new creation time, so if all the files were "created" on a single day, that was when they were migrated over.

The forensics expert is allowed to look at file system data and registry data as long as he can justify that its to detect just the kind of scenario you've stated, and its within the domain of his orders. Hell, he theoretically can click through every picture, document, and file on the drive if he creates a new forensic case aside from the official one and doesn't tell anybody about it. (thats bad, don't do that).

By the way, if I was ever faced with such a situation, I'd plug my hard drive is as an external, scrub the offending files, blow away the registry, destroy the file system, and take a soldering iron to the circuit board so that they have to do a clean room recovery which will result in a partial image for analysis. I'd present that drive along with a new drive, repaired and what not to the court and say my hard drive crashed and that they can have at it if they like.

Re:New defense tactic...

[TinBromide]

The expert can run an md5 hash list containing the signatures of all the copyrighted music that the RIAA has collected over the years and compare the results against the contents of the hard drive. You can name a file anything you want and its content based md5 will stay the same. Also, you can rename a jpeg to a .doc and the first 4 bits of the file will still reveal it as a jpeg. Every piece of modern forensics software is capable of doing the above, and most do them automatically.

If you take an MP3 file and rename it personal.doc, it will still show up in the media bucket and be declared as an audio file in the forensic software I am professionally experienced with.

if it works for bush

[circletimessquare]

http://en.wikipedia.org/wiki/Bush_White_House_e-mail_controversy

why can't it work for you?

of course, wiping your disk after start of litigation opens you up to destruction of evidence

so all you have to is structure your attitude towards the courts, and the nature of how you wipe according the RNC playbook, and you can should be able to give yourself enough plausible deniability to let yourself off the hook. "whoops! how'd that happen?"

pirates should learn from the best crooks, the past administration, when it comes to the destruction of electronic evidence

or i suppose there exists some sort of double standard between the elites and the commoners in a country supposedly standing for western liberal ideals about fair play and equality? naahhhh...