Court Sets Rules For RIAA Hard Drive Inspection

NewYorkCountryLawyer writes "In a Boston RIAA case, SONY BMG Music Entertainment v. Tenenbaum, the Court has issued a detailed protective order establishing strict protocols for the RIAA's requested inspection of the defendant's hard drive, in order to protect the defendant's privacy. The order (PDF) provides that the hard drive will be turned over to a computer forensics expert of the RIAA's choosing, for mirror imaging, but that only the forensics expert — and not the plaintiffs or their attorneys — will be able to examine the mirror image. The forensics expert will then issue a report which will describe (a) any music files found on the drive, (b) any file-sharing information associated with each file, and any other records of file-sharing activity, and (c) any evidence that the hard-drive has been 'wiped' or erased since the initiation of the litigation. The expert will be precluded from examining 'any non-relevant files or data, including ... emails, word-processing documents, PDF documents, spreadsheet documents, image files, video files, or stored web-pages.'"

Question

If the entire hard drive was secured with something like TrueCrypt, could you be compelled to turn over the password?

Anyway, does stuff like this matter much anymore? I thought more and more convictions were based on ISP logs instead of hard drive searches these days...

Re:Question

[interkin3tic]

I thought more and more convictions were based on ISP logs instead of hard drive searches these days...

I'd bet the RIAA wants to be as invasive and punitive as possible. I'm suprised they haven't asked for daily body cavity searches of all defendants.

Re:Question

[JoshuaZ]

There have been contradictory rulings about this. Many courts have ruled that at least in criminal cases people can be forced to decrypt their hard drives. See for example http://arstechnica.com/tech-policy/news/2009/03/court-self-incrimination-privilege-stops-with-passwords.ars

Re:Question

[vertinox]

I thought more and more convictions were based on ISP logs instead of hard drive searches these days...

Which would be more logical because how else can you tell the difference between a pirated MP3 and one I downloaded from Amazon.com or ripped from a CD?

Re:Question

[Aranykai]

Because its in a directory named "Miley Cyrus - Breakout [2008][CD+SkidVid_XviD+Cov]320Kbps"

Obviously.

Re:Question

[PIBM]

What if you liked to keep a lot of information handy about what you've been ripping/scanning ?

Re:Question

[earlymon]

I thought more and more convictions were based on ISP logs instead of hard drive searches these days...

Perhaps more and more civil cases, but not more and more convictions.

Re:Question

[commodore64_love]

That's nice. "To consider the judges as the ultimate arbiters of all constitutional questions [is] a very dangerous doctrine indeed, and one which would place us under the despotism of an oligarchy. Our judges are as honest as other men and not more so. They have with others the same passions for party, for power, and the privilege of their corps. Their maxim is good justice is broad jurisdiction, and their power the more dangerous as they are in office for life and not responsible, as the other functionaries are, to the elective control. The Constitution has erected no such single tribunal, knowing that to whatever hands confided, with the corruptions of time and party, its members would become despots. It has more wisely made all the departments co-equal and co-sovereign within themselves." - Thomas Jefferson, founder of the Democratic Party

Correct Mr. Jefferson. *I* have determined that the Constitution forbids the government(s) from forcing me to testify against myself ("nor shall be compelled in any criminal case to be a witness against himself"), so I will remain silent about my password on the ground it may or may not incriminate me. If the jackbooted police want to see what's on my drive, let them hack their way in. And if they cannot, then they must free me for lack of ability to find guilt.

Re:Question

[Hatta]

They can detect that you have truecrypt partitions, they cannot detect how many. The "hidden volume" feature is still safe.

Re:Question

[hipifreq]

While the article you link too was quite informative on the court issues surrounding encrypted drives, the matter is not anywhere near closed in that case. I suspect that one may go all the way to the SCOTUS, although even if they do say the court can compel testimony, then it appears to contain some specific issues such that it doesn't clearly say that courts can compel a defendant to provide a password just because the drive is encrypted.

If you read the reasoning from judge Sessions, who said the court has the right to compel the defendant to decrypt the drive, the court has that right only because the police had foreknowledge of some of the contents of the drive.

The distinction here is fairly subtle, but the crucial legal point appears to be the interpretation of the "reasonable particularity" requirement that applies when government demands the "testimonial" production of evidence. Crudely put, the government can demand that you produce that bloody knife the police saw you run into the woods with, but they can't insist that you turn over any objects you may have around the house that would prove you guilty of a crime. In one case, they're just insisting that you provide the thing they intend to show the jury; in the other, you're supplying the information that helps them convict you.

Too me, as a non-lawyer, the police already saw the "bloody knife" at the border check so can compel the defendant to produce it to show the jury. If they just see an encrypted hard drive they don't have any foreknowledge of evidence that may or may not exist on that drive, so cannot compel the defendant to produce a password.

Re:Question

[blueg3]

The order doesn't require them to identify music and other file types by extension. It is probably well within the limitations to use automated software to detect the file content.

Of course, if you were so foolish as to use an obviously-invented file extension and make a login/logout script, they would have two good reasons to investigate those files specifically, and additionally may report that you were attempting to conceal the files from a search.

Re:Question

[sjames]

Dang! I KNOW that's the right password, I can't imagine why it's not working! (as the crypto software begins silently corrupting the data)

Unless we as a society are prepared to make poor memory a crime, that's about the end of that road.

On the biometric front, some fingerprint scanners claim to be able to detect duress. Since an unwilling person would necessarily be under duress, no court order could overcome that however compliant the defendant might be.

Re:Question

[Thinboy00]

And if/when the RIAA can't find anything, they'll just claim he did exactly this and demand a more thorough (read: privacy-violating) search.

Re:Question

[jwildstr]

*YOU* may have determined that the Constitution doesn't force you to reveal your password, but if the Judicial Branch doesn't hold with that interpretation, you can probably be held (indefinitely?) in contempt of court. I don't know what the current rules are, nor if a case has made it to the SCotUS, but unfortunately, an individual's interpretation of the Constitution isn't going to hold water all on its own.

Re:Question

[Aczlan]

thus the reason for the bit for bit copy of the harddrive before doing anything else.

Aaron Z

This can't be true...

[stephanruby]

This makes way too much sense.

New defense tactic...

[Volante3192]

Just because my PDFs play in winamp doesn't mean they're music files!

Re:New defense tactic...

[Rockoon]

rename *.mp3 *.doc

Re:New defense tactic...

[rodrigoandrade]

Good point. Will the forensic expert just look at file extensions to determine what is copyrighted material, and what is personal/private info?? If so, your trick should work.

Re:New defense tactic...

[TinBromide]

The expert can run an md5 hash list containing the signatures of all the copyrighted music that the RIAA has collected over the years and compare the results against the contents of the hard drive. You can name a file anything you want and its content based md5 will stay the same. Also, you can rename a jpeg to a .doc and the first 4 bits of the file will still reveal it as a jpeg. Every piece of modern forensics software is capable of doing the above, and most do them automatically.

If you take an MP3 file and rename it personal.doc, it will still show up in the media bucket and be declared as an audio file in the forensic software I am professionally experienced with.

Re:New defense tactic...

[TheBig1]

So flip the last bit on all your MP3s, and the hashes will all be off. Or flip a random bit in the middle, at most you will hear a bit of hiss or something at one point in the song.

Re:New defense tactic...

[Bandman]

Coming soon...WinAmp plugins to XOR your MP3 collection

Re:New defense tactic...

[EvilBudMan]

--You can name a file anything you want and its content based md5 will stay the same.--

What if you were to re-sample them? People do that all the time to make sure the volume level is the same for all *.mp3's in their collection?

I guess there is always a hex editor to remove such things if need be. Real pirates are not going to be slowed down. They are just stopping mom and pop. Why? I don't get it. It can only be about controlling not just the distribution of old Led Zeppelin files but controlling future do it your self-ers. They are wanting to get enough control over the Net to stop people that want to publish there own material by their selves.

Re:New defense tactic...

[Firehed]

Well, let's assume that someone rips tracks from some CD at 256k MP3 and puts them in a torrent for all to download. Let's assume that I've purchased that same CD and ripped a copy to my machine using the same encoder and settings. Shouldn't both the pirated and my own legal copy be identical? You're taking two identical files, running them both through the same algorithm (despite being an algorithm that results in lossy compression) and getting an output. How would they then be able to show that the file was pirated?

I haven't tested this, but if f(x) = y isn't always true, then I'd assume something went wrong (unless of course f(x) is designed to give random outputs, which I'd think isn't the case for audio compression algorithms).

Re:New defense tactic...

[TinBromide]

The tags are in the file, so it would change the content. The forensic software doesn't read those tags, so changing them would only change the md5 and sha1 hashes, not the fact that they're MP3 files. IIRC, Itunes stores a lot of stuff in a central database, but it will populate the internal metadata for ripped cd's (changing the hashes).

I doubt that they'd use the fuzzy hashing, all they'd do would be to produce all MP3 files for the defense to mark as privileged or not. The privilage processes is a fun one, the forensics expert would send all music files, file sharing data, and relevant raw data culled from the hard drives to the defense attorneys. They would then feed the files into review software and determine what is privileged or not and return the manifest of files back. The expert would produce another manifest and set of files for approval which they would then provide to the RIAA lawyers. If the defense lawyers try to mark everything as privileged, they could face sanctions or lose privilege for abusing it.

Keep in mind that having mp3 files is not illegal, downloading mp3 files is not illegal, but sharing them is. The number of MP3 files that were not purchased or ripped from cd's (it would be up to the defendant to account for as many songs as possible) only adds to circumstantial evidence. However, what they are being charged with is uploading files, and that's all in the file sharing and registry. Remember the sharing ratio in bittorrent? That'd be just as important as music being there. Also, the location of the music is just as important as it being there. If its in a shared folder or a file sharing folder, they can assert that the defendant "made available" and we all know how well that works...

I guess my big point is that the md5 method is for lazy forensics experts, but they will also probably run a key term search that will identify plain text in mp3 files (mostly in the tags) and there are tons of ways to perform the analysis of the drives in a way that would reveal as much music as possible. For every forensic method there is a way of defeating it, and there's a way of defeating that, and so on.

Re:Hard Drive Inspection

[DirtyCanuck]

SONY BMG Music Entertainment v. Tenenbaum

Ya last time I checked Sony did this with illegal DRM being installed without telling the consumer.

We should be checking THEIR hard drives for malicious code.

*Head Spins Off* Who are the laws meant to protect again?

Wiping the Hard Drive After Litigation

[Anonymous+Drunkard]

(c) any evidence that the hard-drive has been 'wiped' or erased since the initiation of the litigation.

Just curious: Let's say someone wanted to do just that - wipe or erase the hard drive since the initiation of the litigation.

Theoretically, couldn't a person just set the BIOS clock to a date and time prior to the legislation, do multiple shreds and formats on the HDD, reinstall the OS with the BIOS clock still 'in the past', and have it seem as though nothing changed since the initiation of the litigation?

It would seem to me that if the BIOS clock was set to a prior point, that everything else on the HDD would follow. The BIOS clock has no intuitive knowledge of time, it only knows what it's told.

All theoretical, of course. No one would actually do such a thing, of course...

Re:Wiping the Hard Drive After Litigation

[t00le]

The simplest thing to do is to have a second disk in your computer, one for bad things and the second as a legal spare. Some truck drivers keep multiple log books, so something like that would be easier.

That way you could show use on the second boot disk. If you get sued simply remove the illegal disk and bury it somewhere, like a neighbors yard. start using your legal hdd as you would minus the piracy piece.

Re:Wiping the Hard Drive After Litigation

[vertinox]

Theoretically, couldn't a person just set the BIOS clock to a date and time prior to the legislation, do multiple shreds and formats on the HDD, reinstall the OS with the BIOS clock still 'in the past', and have it seem as though nothing changed since the initiation of the litigation?

You could, assuming that the computer was still in your possession which I doubt at this point.

Re:Wiping the Hard Drive After Litigation

[Todd+Knarr]

They could, but it's easy to get tripped up. For instance, one of the default settings in Windows XP is to synchronize time to a network time server belonging to Microsoft. If you weren't careful to keep the machine isolated during the install and all patching, you'd end up with a big discrepancy in timestamps as the clock jumped forward to the correct time during the last part of the install process. It'd also show up in the timestamps on patches, they might show as having been installed before they were issued or they'd be all lumped together at the very end when they should've been installed in a steady stream starting at the claimed install date and getting progressively more recent as patches were applied automatically. It might be hard to prove exactly when the drive was wiped, but it'd be easy to show that the fingerprint of the timestamps doesn't match what it'd be if the drive was as old as it claimed to be and had aged at 1 second per second since then.

Re:Wiping the Hard Drive After Litigation

Posting anonymously because, well, you'll see.

I have personally nailed people for trying such a thing. One guy had to pay my fees and the fees of the attorney, another I believe spent a month in jail (the destruction was just the straw that broke the camel's back). In civil matters, destroying evidence means that whatever was there was far worse and far more damaging than anything currently residing on the drive. Lawyers can get away with that because they can say whatever they like and you have no way of proving them wrong.

As for your question, a wiped drive is fairly obvious, unless you set your bios clock 100's of times and do stuff incrementally, create a range of files with chronological creation/modification/access times, populate the event logs with a smooth span of times, and not leave any smoking guns (windows xp pro on a dell?), you're probably gonna get nailed if the forensics expert is worth his paycheck. By the way, when you copy a file across a file system, from one drive to another, it gets a new creation time, so if all the files were "created" on a single day, that was when they were migrated over.

The forensics expert is allowed to look at file system data and registry data as long as he can justify that its to detect just the kind of scenario you've stated, and its within the domain of his orders. Hell, he theoretically can click through every picture, document, and file on the drive if he creates a new forensic case aside from the official one and doesn't tell anybody about it. (thats bad, don't do that).

By the way, if I was ever faced with such a situation, I'd plug my hard drive is as an external, scrub the offending files, blow away the registry, destroy the file system, and take a soldering iron to the circuit board so that they have to do a clean room recovery which will result in a partial image for analysis. I'd present that drive along with a new drive, repaired and what not to the court and say my hard drive crashed and that they can have at it if they like.

Re:Wiping the Hard Drive After Litigation

[Qzukk]

Even then, it'd show an awful lot of work having been done on the computer in 1998, then absolutely no new files or system log entries until 2009, which would be quite remarkable.

Re:Wiping the Hard Drive After Litigation

[Ucklak]

Use a USB drive for `personal` stuff. Let them take the OS drive and mirror it to hearts content.

Re:Wiping the Hard Drive After Litigation

[vux984]

Theoretically, couldn't a person just set the BIOS clock to a date and time prior to the legislation, do multiple shreds and formats on the HDD, reinstall the OS with the BIOS clock still 'in the past', and have it seem as though nothing changed since the initiation of the litigation?

Yes, theoretically it can be done.

So, right out of the gate, there would be evidence that the drive had been formated and shredded just prior to the litigation. That's not 'criminal', but its suspicious enough to maybe look into it, and try and determine if it was in fact done before or after. And in practice most people, especially regular people, will make mistakes.

Ok... so the OS and installation logs etc proudly proclaim they were all insalled before such and such a date. But hmmm... what's this strange 4 month gap in the time stamps in the event log, starting 2 days after the OS was reinstalled.... or maybe our genius thought of that, but then why was the machine booted up and down each 'day' yet did nothing else...and it did this for 4 straight months... that looks a LOT more like someone rebooting, advancing the bios date, rebooting, advancing the bios date...etc than actually using it.

And then on top of that, why does the java auto update log show that the latest Java Update was installed 2 months before it was released... and this folder here... it contains mp3s with file creation dates before they were even recorded.

So they might come back and say, clearly someone was messing around with the clock and doing strange things with the PC. Couple that with the evidence the PC was wiped and shredded... we, of course, can't PROVE, the defendant tampered with the drive to destroy evidence... there are other possible explanations. But this is evidence of tampering, we think the jury will agree that the drive was tampered with, as opposed to being conveniently afflicted by a bizarre set of circumstances that make it merely look like it was tampered with.

Like anything digital, yes, your perfect crime is theoretically possible, but its probably much harder than you think.

Re:Wiping the Hard Drive After Litigation

[eth1]

The problem with this is that there will be lots of logs, registry bits, and other cruft on the "legal" system drive that point to the existence of the one you removed.

Don't underestimate modern forensic software.

Re:Wiping the Hard Drive After Litigation

[The+Master+Control+P]

Unless you had a long, long time to plan such a move in advance it is extremely unlikely that you can do this well enough to beat a forensic investigator.

You have two basic paths open to you: Either a surgical strike against the incriminating files or emulating a normal usage history sans music from scratch. You can't just wipe and reinstall because it's an obviously unnatural usage pattern.

Unless you're paranoid like me, you're probably not using ext2fs; Those spiffy new journaling filesystems also mean that there's no gaurantee that 'shred' overwriting britney.mp3 50 times will result in the drive head physically setting the same locations to garbage 50 times. This practically gaurantees that a surgical strike will fail. To make it worse, modern OSes and programs of all flavors leave metadata, logdata and temp files floating around all over the place. Unless you pay overwhelming attention to detail, you're going to miss some .playlist or incriminating log entry somewhere. In addition, as others have pointed out, all filesystems (including my beloved ext2) maintain low-level metadata - ctime, atime, etc - which would require extremely careful manipulation at the lowest levels to remove the proof that you changed and/or deleted key log files.

It's not impossible in principle, but it would be incredibly difficult to do successfully - the odds of you finding and sterilizing absolutely every file your media player and p2p have ever touched in even the most tangential way are not good. The only standard is perfection and if your ploy is anything less the courts will crucify you for destruction of evidence.

A small additional line of defence might be gained by spreading a great deal of legal music (e.g. Rhyme Torrents) around everywhere where the illegal stuff was, with the intention of perhaps adding just enough noise to obscure a signal that you missed.

The alternative is to fabricate a normal use history from whole cloth; This will likely be even more difficult, as the surgical strike leaves the other 99% of the drive and its normal, not-suspicious usage history untouched. Even if you import your documents back from a backup using something like --preserve-ctime, you will have to recreate the metadata and temp stuff left by the apps which use and create them or what you did will be obvious. Trying to recreate the metadata from scratch is straight out; An AI capable of doing that for you would most likely pass the Turing Test. That leaves copying the old metadata over while scrubbing it of incriminating data, in which case you might as well have just gone with option #1 anyway.

What can they do if you simply happen to have a large and very powerful degaussing loop in your bedroom doorframe that most unfortunately wipes the drive (and everyone's wallet) as they walk out with it?

Re:Wiping the Hard Drive After Litigation

[JoeMerchant]

The simplest thing to do is to have a second disk in your computer, one for bad things and the second as a legal spare. Some truck drivers keep multiple log books, so something like that would be easier.

That way you could show use on the second boot disk. If you get sued simply remove the illegal disk and bury it somewhere, like a neighbors yard. start using your legal hdd as you would minus the piracy piece.

Don't they sell these as NAS drives? You could even operate it underground in your neighbors' back yard and just pull the wires when feeling paranoid.

Re:Wiping the Hard Drive After Litigation

[thejynxed]

Fun - fun - fun with disabling access time stamps (and other filesystem "time" settings) in Windows XP.

That's what always gets me about these forensic folks. What do they do if the individual they are investigating is technically literate, instead of Joe Job Number 10?

I know on my system at least, I have access timestamps disabled, and I have all file creation/modification times set to the original contained within the installers or .rar files.

Outside of .txt log files, Guildwars files, Firefox stuff, and MUSHClient configuration files, essentially everything on this system will probably look awfully strange to a forensics expert. Even the Microsoft patches after installation, only show the original timestamps from Microsoft.

Torrent clients? If it isn't a "portable" version, I don't use it. All data files, etc, kept on external and NAS drives. All OS system and installer log files are deleted once a week. Registry is cleaned out once a week. "Most Recently Used", etc is permanently disabled via the registry. System is defragged once per week as well. All deleted material is cleaned using DoD standards, and freespace is scrubbed and overwritten.

Take note: I do not sync my system clock with any outside server either.

How does a forensic expert deal with a system like mine?

Re:Wiping the Hard Drive After Litigation

[earlymon]

It might be hard to prove exactly when the drive was wiped, but it'd be easy to show that the fingerprint of the timestamps doesn't match what it'd be if the drive was as old as it claimed to be and had aged at 1 second per second since then.

emphasis mine

Easy to show to you and me or easy to show to a jury? I'm naive enough to skip my own forensics experts at that point, take the stand with pre-arranged questions from my lawyer, and then testify as follows:

Geez, I don't know, I'm not a forenics computer guy. I do not have clue one about the inner working of timestamps and the idea of time having a fingerprint frankly sounds like something out of Star Trek to me. I don't even know why my fate is being decided this way. Evidently, their experts say that my own computer says I am liar. I don't know, but I thought from watching TV that using lie detectors against a person is against the law. Are you telling me now - let me get this straight - that a Windows computer that makes me and everyone I know crazy with all its crazy Windows frustrations of losing my files when I'm typing them and crashing on me and stuff - are you telling me that that is now a lie detector? And that my very own Windows-computer-lie-detector is their point in accusing me guilty?

Like I admitted, I'm naive, but I'd bet if someone said that while I was on a jury, I could not in any way under the sun find him guilty of anything whatsoever.

This makes my blood boil

[Smidge207]

While I admire people fighting the good fight, this is EXACTLY what makes court so dicey. If you get some judge with his head up the RIAA's ass and you are going to lose no matter how good your case is. The PROPER thing to do in a case like this is to have both parties agree on who examines the drive. One more thing, five days doesn't seem like a lot of time to examine a tech report for improprieties.

=Smidge=

Re:This makes my blood boil

[evanbd]

I was of the impression that it was fairly common to let the party doing the discovery select their own expert examiner. If the defense believe the examiner is for some reason inappropriate, for example overly biased or unqualified, they can object -- but requiring the two parties to a lawsuit to agree on *anything* is doomed to failure.

This actually seems quite sane to me.

(IANAL, of course.)

Re:This makes my blood boil

[Golddess]

requiring the two parties to a lawsuit to agree on *anything* is doomed to failure.

In a trial by jury, both sides must accept a juror in order for them to be on the jury.

(cue jokes about jury failure or something)

Re:This makes my blood boil

[evanbd]

requiring the two parties to a lawsuit to agree on *anything* is doomed to failure.

In a trial by jury, both sides must accept a juror in order for them to be on the jury. (cue jokes about jury failure or something)

First, jurors are quite explicitly not the same as expert witnesses in law. And second, there are very well-defined limits imposed -- it's not as simple as they both have to agree. Usually, either side can reject a juror if there is some cause for the rejection that they can get the other side or the judge to agree to, and each side has a very limited number of peremptory challenges that do not require a cause.

"of the RIAA's choosing"

[elrous0]

The "forensics expert of the RIAA's choosing" pretty much negates all other protections in this order. That's like telling me "You can't peak into my email" then saying "But you can have any one of your best friends peak, with no supervision."

Re:"of the RIAA's choosing"

[TubeSteak]

The "forensics expert of the RIAA's choosing" pretty much negates all other protections in this order.

The expert can secretly (an in contempt of court) tell the RIAA whatever it wants, but if the RIAA tries to use anything outside the scope of the report, the both of them will be in a boatload of trouble with the Judge.

Beyond the contempt of court and violations of professional ethics, there's undoubtedly at least one federal or state privacy law that would be violated.

You're wrong

[Zontar_Thing_From_Ve]

This makes way too much sense.

Nope. Letting the RIAA pick the "forensics expert" does absolutely nothing to ensure that a fair and impartial expert is chosen. I'd think all that would do is make it very easy for the RIAA to set up a forensics lab of their own that could potentially plant evidence on the mirror copy. Then what do you do? They could always claim that your copy, which is minus the planted evidence, was "tampered with". I see no good out of this, but if NewYorkCountyLawyer disagrees, I would welcome an opportunity to be educated out of my error here.

Re:You're wrong

[AKAImBatman]

Letting the RIAA pick the "forensics expert" does absolutely nothing to ensure that a fair and impartial expert is chose

I don't think that's the point. The point is that a trusted expert in the industry is the only one with access to the private information. He can then represents the findings on behalf of the RIAA. The defense needs to find its own expert witness to counter any arguments made by the RIAA's expert witness.

At least, that's my understanding of how the proceedings would work. (IANAL)

Re:You're wrong

[NewYorkCountryLawyer]

This makes way too much sense.

Nope. Letting the RIAA pick the "forensics expert" does absolutely nothing to ensure that a fair and impartial expert is chosen. I'd think all that would do is make it very easy for the RIAA to set up a forensics lab of their own that could potentially plant evidence on the mirror copy. Then what do you do? They could always claim that your copy, which is minus the planted evidence, was "tampered with". I see no good out of this, but if NewYorkCountyLawyer disagrees, I would welcome an opportunity to be educated out of my error here.

No, while I think the order otherwise "makes sense", I happen to agree with you 100% on your point that the RIAA should not be able to unilaterally pick the forensic examiner. I think that is a mistake on the judge's part. As I pointed out in TFA:

Unlike the protective order (pdf) in SONY BMG Music Entertainment v. Arellanes, this protective order permits the RIAA to unilaterally select whatever expert it chooses, rather than an independent, mutually agreeable, expert.

I think that is unfortunate. I'm hoping the judge comes to recognize that oversight.

Re:You're wrong

[NewYorkCountryLawyer]

They will do everything they can to bend the laws until they crack, but they won't plant evidence. NYCL can correct me....

You must be new here.

You're asking ME to back you up on your claim that the RIAA would not pick a forensics expert who would stoop to such a thing? The same RIAA which has employed MediaSentry to send out millions and millions of slightly corrupted mp3 files, and then sued tens of thousands of people for having those files on their computers?

You must have me confused with someone else.

Every time I think I've found a level to which even the RIAA would not stoop, I wind up being proved wrong.

Re:You're wrong

[NewYorkCountryLawyer]

I am curious how the court responded to Defendant's Opposition to Plaintiffs' Motion to Dismiss Counterclaims

I believe that is scheduled for oral argument on June 5th.

Re:You're wrong

[NewYorkCountryLawyer]

Does the order preclude the defense from picking their own forensic examiner, and leaving it up to the court (jury?) to decide which one to believe?

No it does not. It relates solely to the methodology of the hard drive mirror image inspection.

Re:You're wrong

[c0d3g33k]

Disclaimer: I fully support NYCL's efforts to bring some balance to the tug-of-war between content producers who want maximal control of how people can acquire and use said content and the content recipients who want to be more than just a goose that lays golden eggs for the benefit of the former. Consider this post a devil's advocate response.

How exactly is seeding the internet with slightly corrupted mp3 files wrong, if (according to current laws) acquiring content without paying for it is considered illegal and those files are not available through "legal" channels? This particular example doesn't seem to be that different from marking money in a vault as a means of catching bank robbers.

I suppose if the police arrested everyone in possession of a marked bill this would be wrong (given that changing hands is the very essence of the utility of money), but otherwise this seems reasonable. One could argue entrapment, I suppose.

I'll give you the benefit of the doubt and assume you would have provided a better example of stooping low given time.

Re:You're wrong

[NewYorkCountryLawyer]

I usually take "you can correct me" to mean "if my claim is wrong, please debunk it". I don't think GP was asking you to prove his point so much as he was inviting you to enlighten/overrule him if he was wrong.

I was just kidding around with him; he's been a Slashdot friend for a long time. But seriously, if you imply that NYCL will correct you if you're wrong, that kind of carries with it an implication that if I don't correct him I thought he was right. And I certainly didn't think he was right on that. I usually don't give advice here, but let me give a word of advice: don't ever bet on there being anything even an RIAA lawyer wouldn't do.

Semantics aside, I agree with your suspicion.

Well I'm not saying they would plant evidence; I'm just saying I wouldn't put it past them. I don't know how low they would go. I just know that they make false statements frequently, they act immorally and contrary to law, and the depths of their behavior seems to know no bounds.

And let me take the opportunity to say, I've always enjoyed reading your submissions to Slashdot and your comments as well.

Thank you very much. I've always felt at home at Slashdot, since the first day I discovered this nutty place.

Re:You're wrong

[NewYorkCountryLawyer]

I'll give you the benefit of the doubt and assume you would have provided a better example of stooping low given time.

Hundreds. The reason I selected that example is that it's the closest to 'planting evidence'.

I can't discuss the legality of the 'entrapment' concept you are discussing because I haven't litigated the issue yet, and I never like to give the RIAA lawyers a free look at my strategic thinking. But I think I can say that the RIAA knows that many, usually most, of the files in their exhibit B 'screenshot' are files which they themselves furnished, so that the numbers of alleged files are padded. If someone bent on infringing the copyright of a sound recording by making an unauthorized download has to obtain 4 copies to find 1 working copy, that means if he has 400 unuathorized downloaded files on his computer he probably only would have had 100, but for the RIAA's own conduct. MediaSentry's president himself testified in the Canadian case, BMG v. Doe, that you would need to play the song files to know if they are infringing song files. The RIAA however will claim that every file on the computer is an infringing file, even though it can't back that up, and knows that it's not in fact true.

Re:You're wrong

[NewYorkCountryLawyer]

I have no love for the **AA, but

I can't help but smile each time I see that

it's dangerous to let one's hatred of their philosophy and tactics cloud one's thinking.

Well it would be dangerous for someone like me to allow my hatred for them to 'cloud my thinking', since it is part of my professional life to fight this enemy. But I can't see why everyone else can't just kick back, relax, and hate the RIAA as much as it deserves to be hated.

If they believe people are illegally a[c]quiring/reproducing/distributing their content in violation of the law, then producing 'marked' versions of their *own* content to better detect those violations seems justified...

What basis do you have for suggesting that their motivation for flooding the internet with their own mp3's in slightly corrupted format is "to better detect ... violations"?

A virtual environment then.

[AgTiger]

> (c) any evidence that the hard-drive has been 'wiped' or erased since the initiation
> of the litigation.

So as long as you wipe or erase the hard drive before litigation begins, or before you become subpoena'ed (aware of the litigation), you're protected if you destroyed any evidence of your activities?

Perhaps a VMWare or other virtual operating system is in order then. Download, burn to optical, revert the guest image.

Perhaps NewYorkCountyLawyer could confirm the viability of this method?

Something about not being forced to testify against yourself. No sense in leaving your equipment capable of testifying against yourself either.

Although it sounds plausible

[joeflies]

I would guess the penalties for the destruction of evidence and the manufacturing of new evidence would land you in significantly more trouble, no?

Our laws are not even wrong

[earlymon]

Court orders to search hard drives aren't right - they're not even wrong.

If you get a warrant to search my house, you search my house.

No court believes that it would issue a single warrant to search part of my home, part of my business and parts of my friends' and family's homes.

But a warrant to search my hard drive is exactly that.

Restricting this search to the forensics expert of the MAFIAA's choosing but not allowing irrelevant info to pass on to them is exactly offensive and ridiculous. I'm frustrated my own following hyperbole, but I am so angry, this is the only metaphor that I can find - the beat cop gets to exercise the right to search everyplace you've been with a single warrant, but don't worry, he'll only tell the detectives about the stuff he found that's relevant.

The fucking MAFIAA's cases isn't one of governmental high crimes or misdemeanors, neither is it one involving a criminal case - it's a fucking civil case. How dare any court in the land grant such a mind-numbingly offensive violation of one's constitutional protection of privacy in a fucking civil case?

Re:Our laws are not even wrong

[earlymon]

Fuck me, I'm not done. Even Judge Judy knows better than this.

Plantiff: "You honor, she stole my CDs when she moved out. A friend saw her carrying out boxes plus who else would have done it?"
Judge Judy: "Ms. X, did you take his CDs?"
Defendant: "No, judge. I did not."
Judge Judy: "I'm sorry, Mr. Z, but you have no proof. Under the law, there's nothing that I can do."
Plaintiff: "Your honor, please - how about a warrant to search her home, business and all of her friends' and family's home - then I'll have proof."
Judge Judy looks at Bert, narrows her eyes, admonishes the idiot to get a life because he's clueless and the law doesn't exist for him to conduct witch hunts and we fade to commercial.

Tell me how my point isn't any simpler than that. How in the fuck did we come to this as a people? Why in the fuck are any of us laying down for this?

My anger may be getting the better of me, but maybe that anger helps fuel my weak brain. How did we condone Gitmo? How did we let the Patriot Act and Warrantless Wiretapping go on?

How does the fucking camel get into the tent? He sticks his nose in first. Civil warrants to search hard drives have existed for more years than I can recall. That could very well be the camel's fucking nose.

Now - how in fuck do we fix this?

It's funny...

[smooth+wombat]

As I read various comments, people are suggesting ways to thwart the attempt of a forensics expert to determine if certain files are present on a person's drive.

Which is amusing because numerous posters make the claim that they are doing nothing wrong when they get a piece of music for nothing.

So, if they're doing nothing wrong, why all the suggestions on ways to hide what you're doing?

Re:It's funny...

[Myji+Humoz]

So, if they're doing nothing wrong, why all the suggestions on ways to hide what you're doing?

Moral != legal
Immoral != illegal
Hiding possibly illegal activities != Hiding possibly immoral activties
Hint: People of both the innocent and guilty variety dislike going to jail.

Re:It's funny...

[earlymon]

So, if they're doing nothing wrong, why all the suggestions on ways to hide what you're doing?

Because the law has not caught up with electronic media?

It's 1950. You have a copyright-infringement claim, claiming that I made an illegal copy of a portrait. You may have the right to have me bring in my artwork under a court order (I do not know, IANAL, and I'm still trying to understand the discovery process).

You do NOT have the right to have me also bring in just about everything else I possess in my house.

It's 2009. You have a copyright-infringement claim, claiming that I made an illegal copy of some music using computer media. Evidently, you now have the right to have me bring in, under court order, all of my computer media - music, video, software, email exchanges and confidential business documents. In fact, today it's supposed to be evidently a victory to have someone go through all of that personal stuff to just get to the music files. Gee, I don't know, but in 1950, I don't think anyone was allowed to enter and rifle your home as part of the discovery process to ensure that all artwork was brought in.

Life, liberty and the pursuit of happiness - perhaps you've heard these words.

My liberty is seriously curtailed whenever my privacy is invaded. I am not a constitutional scholar, and so I don't know, but I suspect that just maybe the constitutional rights protecting privacy itself - while giving the state due process to violate that privacy under certain specific and limited conditions and circumstances - is a class of rights derived from the unalienable right to liberty, with all protections thereto.

So, your argument - that if you're doing nothing wrong, then why are you hiding? - whether in a civil or criminal context - is quite frankly disgusting.

As I write this, some mods have found your post to be either funny or interesting. I find your thinking to be neither. The idea that only the guilty want to hide things is dangerous and contrary to everything our country was founded on. And I repeat, disgusting.

Personally, I never want to hide anything or prevent anyone from seeing anything of mine - until someone wants to see, for any reason - and then I very much want to hide and not disclose; and that is just out of general principle. I was brought up free.

Re:It's funny...

[misexistentialist]

Q: If you're doing nothing wrong, why are you hiding that Jew in your attic? A: Jews want to be free!

Re:It's funny...

[firewrought]

If they're doing nothing wrong, why all the suggestions on ways to hide what you're doing?

Because this is a technical site and the means by which computer forensics can be carried out or thwarted is of intrinsic technical interest?

Two Words.

[DarthVain]

Thurr and Mite! :)

simple solution

[FudRucker]

get some thermite, glue it to the top of your harddrive with a fuse connected to the cover on your PC case, if not opened properly the harddrive melts...

Re:simple solution

This still leaves you with the situation of having live thermite on a hair trigger sitting a few (inches? feet?) away from your knees.

Maybe the courts are starting to get it

[bzzfzz]

I see this as good news.

The best news here is that this shows that the court system and the judges understand what computers are and how they are used and are at least making an effort to deal with the case in a balanced way. Sure, computer forensic evidence has become routine in the last few years but there have still been plenty of RIAA cases where the handling of the defendant's property is remarkably cavalier.

The RIAA, despite their myriad flaws, are entitled to their day in court. If procedures are balanced and remedies are fair, then I believe that the RIAA's corporate sponsors will quickly decide that the game isn't worth the candle.

The copyright statutes and the discovery procedures are the law of the land whether we like them or not. The injustice and unfairness early in the RIAA campaign came from the lack of due process, the flimsy evidence and weak cases, and the threats of draconian penalties. It's getting better, and every positive step brings us that much closer to closing this dark era in the history of the legal system.

Re:Maybe the courts are starting to get it

[russotto]

The RIAA, despite their myriad flaws, are entitled to their day in court. If procedures are balanced and remedies are fair, then I believe that the RIAA's corporate sponsors will quickly decide that the game isn't worth the candle.

When it's Juggernaut (RIAA) vs. Pipsqueak (average Joe), nothing is EVER balanced or fair, except in the Fox News sense. It can't be.

1) Juggernaut's expenses to run its offense are insignificant compared to its size. Pipsqueak's legal costs are significant, perhaps even crushing, to him.
2) Juggernaut has nothing at risk. Pipsqueak is at the risk of bankruptcy if he loses.
3) Juggernaut has played this game before and knows all the moves. It's probably Pipsqueak's first experience with the system
4) This is Juggernaut's job. Pipsqueak is forced to divert time and effort from his life and work to deal with it.

And that's before any cheating by Juggernaut.

Re:Maybe the courts are starting to get it

[bzzfzz]

Welcome to the courts. It's the same way with a DUI prosecution or an eviction proceeding or Walmart throwing the book at some store clerk for theft by conversion of a 99-cent tube of Chap Stick. In the RIAA cases as in every other there are ample opportunities for the defendant to do and say stupid things that create trouble for them later. That's why people need attorneys. Yes, it's expensive. Tough. And so it has always been, read through Moll Flanders (public domain edition available for free at Project Gutenberg) to get the idea.

With the RIAA cases, the other side of the coin is that, as long as the cases are handled fairly, they are too expensive for the plaintiffs to pursue. Last time I checked, the pockets of the corporate sponsors behind the RIAA not exactly of limitless depth. Absent the ability to bully people into $5000 out-of-court settlements with an hours' work by a nickel-ante paralegal and a penny-ante "investigator," a fair case with the court costs and attorney's fees will far exceed any civil penalties that the RIAA is likely, on the average, to collect. And absent the threat of an unwinnable case with six-figure damages, the PR battle moves from Pyrrhic to simply pointless.

Re:Maybe the courts are starting to get it

[NewYorkCountryLawyer]

With the RIAA cases, the other side of the coin is that, as long as the cases are handled fairly, they are too expensive for the plaintiffs to pursue. Last time I checked, the pockets of the corporate sponsors behind the RIAA not exactly of limitless depth. Absent the ability to bully people into $5000 out-of-court settlements with an hours' work by a nickel-ante paralegal and a penny-ante "investigator," a fair case with the court costs and attorney's fees will far exceed any civil penalties that the RIAA is likely, on the average, to collect. And absent the threat of an unwinnable case with six-figure damages, the PR battle moves from Pyrrhic to simply pointless.

Excellent post, bzzfzz. Wish I could write like that. I hope you get modded to "+5".

You are exactly right; if proper safeguards had been put in place, and were the Courts vigilant to ensure that the letter of the law was followed by the RIAA lawyers, these cases would have stopped 6 years ago.

if it works for bush

[circletimessquare]

http://en.wikipedia.org/wiki/Bush_White_House_e-mail_controversy

why can't it work for you?

of course, wiping your disk after start of litigation opens you up to destruction of evidence

so all you have to is structure your attitude towards the courts, and the nature of how you wipe according the RNC playbook, and you can should be able to give yourself enough plausible deniability to let yourself off the hook. "whoops! how'd that happen?"

pirates should learn from the best crooks, the past administration, when it comes to the destruction of electronic evidence

or i suppose there exists some sort of double standard between the elites and the commoners in a country supposedly standing for western liberal ideals about fair play and equality? naahhhh...

I call bull on the above statement!

[Mycroft_514]

"By the way, when you copy a file across a file system, from one drive to another, it gets a new creation time, so if all the files were "created" on a single day, that was when they were migrated over."

Not on a Windows system it doesn't. The only time you get a new date on it is when you download from an external system, or you manually change the date/time stamp.

Now me? All my music files (all legal, btw) are already on a USB portable drive anyway, because it takes 15GB off the active drive I need the space on. And my wife's machine? Re-loaded with WIN XP PRO over the top of WIN XP Home about a month ago. Memory chip went bad, and garbled part of the registry - right after I got a full backup of the files.....

So, how are we going to certify Forensics experts? Obviously the Anonymous Coward above wants to be one, but certainly doesn't qualify, if he makes such a basic mistake. (And to double check, I tried it just before I posted this message. Copied a file to another dirve and it retains the 2008 creation date).

Re:I call bull on the above statement!

[HandleMyBidness]

"By the way, when you copy a file across a file system, from one drive to another, it gets a new creation time, so if all the files were "created" on a single day, that was when they were migrated over."

Not on a Windows system it doesn't. The only time you get a new date on it is when you download from an external system, or you manually change the date/time stamp.

You are looking at date_mod, not date_create there smart guy. I hire forensic experts and the AC seems to have a pretty solid grip.

Re:I call bull on the above statement!

[serialband]

"By the way, when you copy a file across a file system, from one drive to another, it gets a new creation time, so if all the files were "created" on a single day, that was when they were migrated over."

Not on a Windows system it doesn't. The only time you get a new date on it is when you download from an external system, or you manually change the date/time stamp.

You obviously don't know much about filesystems. On Windows, unix and linux filesystems, there are 3 timestamps, access, creation, and modification. They've existed for as long as I remember them back to first IBM PC. You normally only see the modification timestamp when you look at files. The other 2 are "hidden," and you'll be screwed if you think that the modification time is the only timestamp on your system.

Timestamp are not 100% proof since they can be manipulated. You don't need to set the bios date to change timestamps. The access timestamp is changed everytime the file is accessed or even listed and is only usefull if you made the disk read only before any access, otherwise, it is pretty worthless.

A single timestamp is worthless. Multiple timestamps across the system to prove correlation is necessary to prove guilt. Unless you're good enough to write a script to manipulate numerous timestamps to make deletions and modifications look like normal access, changing timestamps, either through bios or software is pretty useless. Guilt only needs to be proven Beyond a Reasonable Doubt. Reasonable Doubt is actually quite a low bar and very different than a Shadow of a Doubt.

Illegal MP3s

[Nekomusume]

How would the forensics expert know any given MP3 he finds is illegal? Between online music stores and CD-Ripping, he could very well find 1000 MP3s, and every last one of them be legal.

Obligatory xkcd referral

[jggimi]

"Security"

http://xkcd.com/538/

Clearing Out Unallocated File Space

[Nom+du+Keyboard]

What's a good, free cleaner for Windows to wipe all current unallocated file space - and preferably deleted files names as well? The court may have said you can't inspect any .doc files, but when you look through that unallocated space there is no longer a file type associated with it, allowing that slimy RIAA to read all the .tmp versions of your .doc, .pdf, .eml, and every other prohibited file type. Cleaning unallocated file space should be part of everyone's general housekeeping.