Slashdot Mirror


FBI Agent: Decrypting Data 'Fundamentally Alters' Evidence (vice.com)

Joseph Cox, reporting for Motherboard: An FBI agent has brought up an interesting question about the nature of digital evidence: Does decrypting encrypted data "fundamentally alter" it, therefore contaminating it as forensic evidence? According to a hearing transcript filed last week, FBI Special Agent Daniel Alfin suggested just that. The hearing was related to the agency's investigation into dark web child pornography site Playpen. In February 2015, the FBI briefly assumed control of Playpen and delivered its users a network investigative technique (NIT) -- or a piece of malware -- in an attempt to identify the site's visitors. [...] According to experts called by the defense in the affected case, the fact that the data was unencrypted means there is a chance that sensitive, identifying information of people who had not been convicted of a crime was being sent over the internet, and could have been manipulated. (Alfin paints this scenario as unlikely, saying that an attacker would have to know the IP address the FBI was using, have some sort of physical access to the suspect's computer to learn his MAC address, and other variables.)

9 of 89 comments

  1. Re:Encryption != Integrity by Anonymous Coward · · Score: 5, Funny

    Hillary Clinton has no encryption.

  2. "Special" Agent needs remedial forensics training by thoromyr · · Score: 4, Insightful

    “[Had that data been encrypted,] It would still be valid, it still would have been accurate data; however, it would not have been as forensically sound as being able to turn over exactly what the government collected,” Alfin said.

    Which is such utter BS it's hard to credit. I figured the summary was just the usual flame bait, but unless the article is misquoting the agent that is pretty damning.

    Hint: if the hash of the data before and after it is sent remains the same then that satisfies one of the requirements to being forensically sound (specifically, the data will be "accurate" -- unchanged since collection). Does the "special" agent think running it through an SSH tunnel would have altered the data? How about over a VPN connection? Does he not realize that the data was *shock* modified during transit (encapsulation at the very least, quite possibly encoded depending on the nature of the physical links along the way)? What a moron.

    By his reasoning all digital data is forensically unsound because spinning platters *encode* the data (hint, it isn't the bits and bytes you might think, longer story has to do with run length synchronization issues). And *encryption* is a particular means of *encoding*. So if encryption is "the bad" because it transforms data then all encodings are bad because they all inherently transform data.

  3. There is a point to be made here by LichtSpektren · · Score: 3, Interesting

    Suppose the FBI* wanted to present evidence against me in court, which allegedly I transmitted over HTTP, telnet, SSL, or some other insecure protocol. Could I not validly say that the message was forged by a man-in-the-middle? After all, it's the digital equivalent of a postcard or billboard posting that's very easily tampered with and forged.

    It seems as though the FBI should be cheering for encrypted transmission by default; it means the evidence they collect is (more provably, at least) genuine.


    * Let's assume they have a valid and proper warrant here, which usually isn't the case, but let's keep this simple.

    1. Re:There is a point to be made here by medv4380 · · Score: 3, Insightful

      Yes, but said evidence results in a warrant to search your computer physically. If you then possess the Child Porn then either you've been set up by a master, in which case you're screwed, or you're probably guilty, in which case you're also screwed.

  4. Re: THIS case? by Anonymous Coward · · Score: 4, Insightful

    You can't pick them like that - you have to use the case that raises the question most directly. And it's always the degenerate undesirables that are used to expand police powers to the detriment of civil society.

  5. Re:"Special" Agent needs remedial forensics traini by Solandri · · Score: 5, Informative

    Hint: if the hash of the data before and after it is sent remains the same then that satisfies one of the requirements to being forensically sound

    If the data is sent as cleartext, it becomes much, much easier for an attacker to alter the cleartext into a different form which contains a plausible message yet generates the same hash. There's an entire branch of cryptography dedicated to these types of attacks.

    If it's transmitted while encrypted, the attacker (assuming he can't break the encryption) has no way to verify that his altered ciphertext which generates the same hash still decrypts into a cleartext message which makes any sense in the context of the original cleartext, much less has been altered to his liking.

    While it's not required that this sort of data be encrypted before transmission, it is prudent to do so whenever possible. It drops the chances that the data has been forensically compromised from very small to vanishingly small (it is easier for the attacker to break your encryption).

  6. Re:No by PCM2 · · Score: 3, Informative

    On a semi-related note, during the "Zip wars" in the early 90s there was a fake file compression program circulating called NaBoB that claimed to use some sort of quantum compression techniques (all compression algorithms named after quarks) to cause your files to hit "the singularity," where every archive would be reduced to a single byte in size.

    Naturally, all it really did was rename your files, hide them, and write a one-byte "archive file" in their places. When you "decompressed" the archive, the full-size files would be restored. Miraculous!

    --
    Breakfast served all day!

  7. Re:"Special" Agent needs remedial forensics traini by thoromyr · · Score: 3, Informative

    Sorry, I didn't read your whole post so my answer is incomplete. While collisions can be generated, for even semi-modern hashes they involve more than just data changes (e.g., the size of the data is changed as well). A digital chain of custody will record both the hash and the size in bytes. And that does not alter the fact that the burden of proof lies with the defense when making allegations of alteration. That is, the allegations must be specific -- not just a general hand waving that "something could have happened". There is a presumption that evidence has not been tampered with. Breaks in chain of custody are not uncommon and normally have no impact on proceedings other than some additional testimony.

    Furthermore, hash collisions are not considered to be an issue by the courts. Fingerprints have a far far greater risk of collision (or simply misidentification) than say md5 and law enforcement has done an effective job of convincing the courts that *fingerprints* are unassailable evidence and now with hashing being vastly better it is considered completely irrefutable.

    Again, the purpose of encryption is to protect confidentiality, not provide integrity. While it may have some impact in that regard it is a side effect. Integrity measures (such as documenting the chain of custody, hashing evidence on collection, etc.) are what provide that.
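The point argued in the comments above (an unchanged hash before and after transfer shows the data is accurate; encryption provides confidentiality, while the custody record provides integrity), as an added example that is not part of any commenter's post: a collection-time record of SHA-256 and size in bytes is checked after an encrypted transfer. The stream cipher is a toy stand-in built from SHA-256, and the sample record and key are constructed.

```python
import hashlib
import hmac  # used only for constant-time digest comparison

def custody_record(data: bytes) -> dict:
    """Record taken at collection: digest plus size in bytes."""
    return {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}

def verify(data: bytes, record: dict) -> bool:
    """True only if the received bytes match the collection-time record."""
    digest = hashlib.sha256(data).hexdigest()
    return len(data) == record["size"] and hmac.compare_digest(digest, record["sha256"])

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for real
    transport encryption. XOR is its own inverse, so the same call encrypts
    and decrypts. Confidentiality only: there is no integrity tag."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

def transfer(evidence: bytes, key: bytes, corrupt_at=None):
    """Encrypt, optionally change one ciphertext byte in transit, decrypt.
    Returns (received_bytes, verified_against_custody_record)."""
    record = custody_record(evidence)            # hashed on collection
    ciphertext = bytearray(keystream_xor(key, evidence))
    if corrupt_at is not None:
        ciphertext[corrupt_at] ^= 0x01           # constructed in-transit change
    received = keystream_xor(key, bytes(ciphertext))
    return received, verify(received, record)

# Constructed sample input and key, not data from the case.
SAMPLE = b"2020-01-01T00:00:00Z host=example-host mac=00:00:5e:00:53:01\n"
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    clean, ok = transfer(SAMPLE, KEY)
    print("round trip identical:", clean == SAMPLE, "verified:", ok)
    altered, ok = transfer(SAMPLE, KEY, corrupt_at=5)
    print("altered in transit:", altered != SAMPLE, "verified:", ok)
```

Decryption succeeds in both runs; only the comparison against the recorded hash and size distinguishes the unaltered transfer from the altered one.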

  8. Re: THIS case? by dwillden · · Score: 4, Informative

    And it's the same degenerate undesirables who fight back on their convictions who establish what protections we do have. Miranda for example was a real scumbag, but his appeal on being interrogated without knowing his rights established the Miranda warnings we can all quote from TV. And incidentally shortly after winning his landmark case that upstanding citizen was stabbed to death in a bar fight.

    --
    I'm too lazy to compose a creative sig.