Safeguards For RIAA Hard Drive Inspection 276
NewYorkCountryLawyer writes "In SONY v. Arellanes, an RIAA case in Sherman, Texas, the Court entered a protective order (PDF) that spells out the following procedure for the RIAA's examination of the defendant's hard drive: (1) RIAA imaging specialist makes mirror image of hard drive; (2) mutually acceptable computer forensics expert makes make two verified bit images, and creates an MD5 or equivalent hash code; (3) one mirror image is held in escrow by the expert, the other given to defendant's lawyer for a 'privilege review'; (4) defendant's lawyer provides plaintiffs' lawyer with a 'privilege log' (list of privileged files); (5) after privilege questions are resolved, the escrowed image — with privileged files deleted — will be turned over to RIAA lawyers, to be held for 'lawyers' eyes only.' The order differs from the earlier order (PDF) entered in the case, in that it (a) permits the RIAA's own imaging person to make the initial mirror image and (b) spells out the details of the method for safeguarding privilege and privacy."
Initial image by agreed experts, not RIAA (Score:2, Informative)
Re:Initial image by agreed experts, not RIAA (Score:5, Informative)
Re:Initial image by agreed experts, not RIAA (Score:4, Informative)
Verbatim, from the new court order:
1. Kimberly Arellanes ("Defendant") shall make her computer hard drive available for imaging by Plaintiffs on or before March 21, 2007 [emphasis mine]
Clearly the court order says that Sony gets to do the initial imaging.
Step 2 is, "an expert in computer forensics selected by the parties shall make two (2) verified bit-images". That's the second set of images. The initial image is done by Sony.
Re:Piracy just hurts the little guy. (Score:3, Informative)
Re:Initial image by agreed experts, not RIAA (Score:3, Informative)
oops wrong Re:Why a broken hash? (Score:5, Informative)
I'm wrong - in fact I get the feeling that it's now important that MD5 is NOT used. NIST (an authority when it comes to forensic investigations) do *not* recommend the use of MD5 checksums. The grandparent was perfectly correct. A decent summary (sorry PDF) is here [nist.gov]
Use TrueCrypt! (Score:5, Informative)
Assuming you really do have something to hide, using an encrypted volume embedded within another encrypted volume could be very useful. TrueCrypt [truecrypt.org] supports nested encrypted file systems and since TrueCrypt uses no headers to demarcate its volumes, it is not possible to determine if an additional volume is embedded within a TrueCrypt volume. In effect, it provides plausible deniability of the existence of a 2nd embedded volume if you're forced by court order to decrypt the main volume. (stick some Creative Commons licensed mp3 files in the main volume though, just to throw the RIAA the middle finger a little more.)
Better yet, support non-RIAA artists at sites like Magnitune [magnitune.com]. The quality of music I've found there is proof positive that the RIAA no longer has a legitimate purpose in the music industry.
My tips for installing TrueCrypt [aggiegeeks.com] on Fedora Core 6.
Re:Initial image by agreed experts, not RIAA (Score:3, Informative)
A friend of mine got pulled in by the big guns out here in Australia a little while ago. It was kept very quiet (for which he was grateful) because they stormed into his house to find him sitting at his table drinking a coffee, all his PC's turned off. His TrueCrypted hardisks were useless as he "forgot" the complex key in all the excitement of having his door kicked in by a task force. Probably not legal but can they prove it?
Of course pleading the 5th would just make you look guilty as hell
Re:Initial image by agreed experts, not RIAA (Score:3, Informative)
IANAL either (so take this with a grain of appropriately sized salt)...
You can refuse to give out your key, but since this is a civil proceeding, the 5th amendment does not apply. If you refuse to give out your key, the judge may hold you in contempt, or may just give the RIAA a default judgment.
Do the smart thing:
TrueCrypt has an option to store the "real" information in the apparently "unused" portion of your truecrypt volume (called 'hidden volume'). There is no way to tell if this unused portion is a hidden volume or unused space. Store the stuff that would get you in trouble there.
Re:Some things I wonder about are....In One Case.. (Score:5, Informative)
Well, in one case they are demanding to image and search the hard drives and all MP3 players of the son of a defendant, who lives miles away, and claims to only have a desktop system at home that he uses for his job as a legal assistant (i.e. large amount of confidential files there). They're trying to do this because, having searched his mother's harddrive and found ABSOLUTELY NO EVIDENCE of illegal activity on it, and only assumed that they were given the wrong hard drive, and are now on the hunt for the correct one that they're sure exists.
In the RIAA's twisted logic, he has either taken his desktop (not notebook/laptop computer) to his mother's house miles away to do illegal filesharing on her Internet broadband account, and then taken it home again, or REMOVED HIS HARDDRIVE and transported it over and back to infringe on record company copyrights. This theory, they feel, allows them to now search his hard drive -- or, I would expect, anyone within 4 degrees of separation from the defendant -- and all music players as they wish. While I believe this was finally ruled unreasonable and unlikely to produce admissible evidence, they now are fighting their best to avoid paying his legal bills that he entailed explaining this bit of common sense to them.
So in answer to your question: Yes!
Re:Use TrueCrypt! (Score:3, Informative)
Re:Safeguards I use (Score:3, Informative)
I think not telling him would be excellent grounds for a reckless endangerment charge even if he's not injured. If he's killed you could potentially be charged with manslaughter or even murder. A really aggressive DA might even be able to argue first-degree murder, saying that your decision not to tell him while leading him to the booby-trapped computer constituted premeditation.
So, yeah, there's a law against it.
Re:Um, drop it... (Score:2, Informative)
First, there is a much lower chance of corrupted data when the drive heads are parked, as they would be as you hand the bare drive to someone.
Second, it would take several heard crashes to cause data loss, as there would have to be significant damage to the platters.
Third, professional date recovery companies can recover much of data from non-working drive, up until the point where a large majority of the physical platters are destroyed.
Hard drives are resilient units... my experience:
1. Running notebook dropped 1.5m onto concrete. Result = no data loss
2. 80gb SATA drive carried for two weeks in an external pocket of a messenger bag. Result = MD5 hash same as previous hash
3. Hard drive recovered from structure fire. Result = successful professional data recovery.
4. Running notebook with remote ignition trigger for Thermite. Result = 2204 degreeC fire, platters physically destroyed, no data recovered. (See it at The Broken [revision3.com]
Re:Some things I wonder about are....In One Case.. (Score:5, Informative)
Re:Digital Forensics - a tough issue (Score:3, Informative)
Be aware that some file systems have counts of how often they've been mounted that increment even when you mount read-only, which is all it takes to make a hash change. Hardware write blockers are not strictly necessary but are handy. Make sure the one you use has been through real testing, preferably your own.