
Safeguards For RIAA Hard Drive Inspection

NewYorkCountryLawyer writes "In SONY v. Arellanes, an RIAA case in Sherman, Texas, the Court entered a protective order (PDF) that spells out the following procedure for the RIAA's examination of the defendant's hard drive: (1) RIAA imaging specialist makes mirror image of hard drive; (2) mutually acceptable computer forensics expert makes two verified bit images, and creates an MD5 or equivalent hash code; (3) one mirror image is held in escrow by the expert, the other given to defendant's lawyer for a 'privilege review'; (4) defendant's lawyer provides plaintiffs' lawyer with a 'privilege log' (list of privileged files); (5) after privilege questions are resolved, the escrowed image — with privileged files deleted — will be turned over to RIAA lawyers, to be held for 'lawyers' eyes only.' The order differs from the earlier order (PDF) entered in the case, in that it (a) permits the RIAA's own imaging person to make the initial mirror image and (b) spells out the details of the method for safeguarding privilege and privacy."
  • by nibblybits ( 1091481 ) * on Saturday April 21, 2007 @11:57PM (#18829099)

    it (a) permits the RIAA's own imaging person to make the initial mirror image
    IANAL, but having RTFA, I'd say that statement's a bit misleading. It actually states that an expert agreed upon by both parties will make two copies, make an MD5 hash of the copies, then the defendant has the opportunity to justify that some files are private and nothing to do with the case, and once that's settled:

    Plaintiffs shall have access to the Escrowed Image of the hard drive, minus the files as to which privilege has been asserted
    Seems pretty reasonable to me. Wouldn't make a lot of sense if they gave them access to the drive minus these files, if they had already initially had access to the whole thing.
  • by Kjella ( 173770 ) on Sunday April 22, 2007 @12:27AM (#18829303) Homepage
    I would strongly recommend against that, if you make the tiniest of mistakes such as timestamps which lets them show that you reinstalled your OS or swapped out your disk for a fake system after being subpoenaed, you could find yourself at the wrong end of some nasty criminal charges for destruction of evidence, obstruction of justice and so on. If you think paying a few thousand dollars is bad, you should see what a felony conviction does for your life...
  • by Bob9113 ( 14996 ) on Sunday April 22, 2007 @12:36AM (#18829379) Homepage
    No, it said the earlier order specified that an RIAA's person was to make the image. The new order says agreed upon expert.

    Verbatim, from the new court order:
    1. Kimberly Arellanes ("Defendant") shall make her computer hard drive available for imaging by Plaintiffs on or before March 21, 2007 [emphasis mine]

    Clearly the court order says that Sony gets to do the initial imaging.

    Step 2 is, "an expert in computer forensics selected by the parties shall make two (2) verified bit-images". That's the second set of images. The initial image is done by Sony.
  • by Bob9113 ( 14996 ) on Sunday April 22, 2007 @12:41AM (#18829417) Homepage
    Correction - I'm wrong. Parts 1 and 2 of the document are actually contradictory. Part 1 alone makes it sound like Sony makes an image. Part 2 alone makes it sound like the expert makes two images. Reading both parts together makes it sound like the document is flawed.
  • by daveb ( 4522 ) <davebremer.gmail@com> on Sunday April 22, 2007 @01:03AM (#18829557) Homepage
    After babbling mindlessly I thought I'd do a quick check.

    I'm wrong - in fact I get the feeling that it's now important that MD5 is NOT used. NIST (an authority when it comes to forensic investigations) do *not* recommend the use of MD5 checksums. The grandparent was perfectly correct. A decent summary (sorry PDF) is here [nist.gov]

  • Use TrueCrypt! (Score:5, Informative)

    by mwilliamson ( 672411 ) on Sunday April 22, 2007 @01:06AM (#18829581) Homepage Journal

    Assuming you really do have something to hide, using an encrypted volume embedded within another encrypted volume could be very useful. TrueCrypt [truecrypt.org] supports nested encrypted file systems and since TrueCrypt uses no headers to demarcate its volumes, it is not possible to determine if an additional volume is embedded within a TrueCrypt volume. In effect, it provides plausible deniability of the existence of a 2nd embedded volume if you're forced by court order to decrypt the main volume. (stick some Creative Commons licensed mp3 files in the main volume though, just to throw the RIAA the middle finger a little more.)

    Better yet, support non-RIAA artists at sites like Magnitune [magnitune.com]. The quality of music I've found there is proof positive that the RIAA no longer has a legitimate purpose in the music industry.

    My tips for installing TrueCrypt [aggiegeeks.com] on Fedora Core 6.

  • by Architect_sasyr ( 938685 ) on Sunday April 22, 2007 @01:10AM (#18829605)
    IANAL and this is not legal advice, merely a recount of a story

    A friend of mine got pulled in by the big guns out here in Australia a little while ago. It was kept very quiet (for which he was grateful) because they stormed into his house to find him sitting at his table drinking a coffee, all his PCs turned off. His TrueCrypted hard disks were useless as he "forgot" the complex key in all the excitement of having his door kicked in by a task force. Probably not legal but can they prove it?

    Of course pleading the 5th would just make you look guilty as hell ;)
  • by Wavicle ( 181176 ) on Sunday April 22, 2007 @02:25AM (#18829967)
    Can you be required to divulge the decryption key? IANAL, but I assume that you can be held in contempt of court (or something) by refusing to offer it up, leading to criminal charges, fines, and/or jail time. In any case, I doubt you can just give the RIAA the bird and say "Nah nah, can't touch this" because your stuff is encrypted.

    IANAL either (so take this with a grain of appropriately sized salt)...

    You can refuse to give out your key, but since this is a civil proceeding, the 5th amendment does not apply. If you refuse to give out your key, the judge may hold you in contempt, or may just give the RIAA a default judgment.

    Do the smart thing:

    TrueCrypt has an option to store the "real" information in the apparently "unused" portion of your truecrypt volume (called 'hidden volume'). There is no way to tell if this unused portion is a hidden volume or unused space. Store the stuff that would get you in trouble there.
  • by Nom du Keyboard ( 633989 ) on Sunday April 22, 2007 @03:59AM (#18830329)
    Do they 'interview' neighbors and friends to see if there is a missing hard drive they are just 'holding'?

    Well, in one case they are demanding to image and search the hard drives and all MP3 players of the son of a defendant, who lives miles away, and claims to only have a desktop system at home that he uses for his job as a legal assistant (i.e. large amount of confidential files there). They're trying to do this because, having searched his mother's hard drive and found ABSOLUTELY NO EVIDENCE of illegal activity on it, they only assumed that they were given the wrong hard drive, and are now on the hunt for the correct one that they're sure exists.

    In the RIAA's twisted logic, he has either taken his desktop (not notebook/laptop computer) to his mother's house miles away to do illegal filesharing on her Internet broadband account, and then taken it home again, or REMOVED HIS HARDDRIVE and transported it over and back to infringe on record company copyrights. This theory, they feel, allows them to now search his hard drive -- or, I would expect, anyone within 4 degrees of separation from the defendant -- and all music players as they wish. While I believe this was finally ruled unreasonable and unlikely to produce admissible evidence, they now are fighting their best to avoid paying his legal bills that he entailed explaining this bit of common sense to them.

    So in answer to your question: Yes!

  • Re:Use TrueCrypt! (Score:3, Informative)

    by Johnno74 ( 252399 ) on Sunday April 22, 2007 @04:31AM (#18830425)
    Yes it works 100% with NTFS. It doesn't care in the slightest what filesystem the drive hosting the volume is using, or what the filesystem inside the encrypted volume is.
  • Re:Safeguards I use (Score:3, Informative)

    by swillden ( 191260 ) * <shawn-ds@willden.org> on Sunday April 22, 2007 @09:52AM (#18831381) Journal

    Is there any law that says you have to tell the guy taking the computer away there is a bomb in the computer? Whatever, it makes life interesting.

    I think not telling him would be excellent grounds for a reckless endangerment charge even if he's not injured. If he's killed you could potentially be charged with manslaughter or even murder. A really aggressive DA might even be able to argue first-degree murder, saying that your decision not to tell him while leading him to the booby-trapped computer constituted premeditation.

    So, yeah, there's a law against it.

  • Re:Um, drop it... (Score:2, Informative)

    by freedomlinux ( 1072142 ) on Sunday April 22, 2007 @10:55AM (#18831751) Homepage
    I doubt that the amount of damage caused by such an incident would cause much damage.
    First, there is a much lower chance of corrupted data when the drive heads are parked, as they would be as you hand the bare drive to someone.
    Second, it would take several head crashes to cause data loss, as there would have to be significant damage to the platters.
    Third, professional data recovery companies can recover much of the data from a non-working drive, up until the point where a large majority of the physical platters are destroyed.
    Hard drives are resilient units... my experience:
    1. Running notebook dropped 1.5m onto concrete. Result = no data loss
    2. 80gb SATA drive carried for two weeks in an external pocket of a messenger bag. Result = MD5 hash same as previous hash
    3. Hard drive recovered from structure fire. Result = successful professional data recovery.
    4. Running notebook with remote ignition trigger for Thermite. Result = 2204 °C fire, platters physically destroyed, no data recovered. (See it at The Broken [revision3.com])
  • If anyone wants to look up that case it's UMG v. Lindor [blogspot.com].
  • by Beryllium Sphere(tm) ( 193358 ) on Sunday April 22, 2007 @08:07PM (#18835513) Journal
    Preferably with a live CD that always mounts things read-only. Helix from e-fense.com is a well known one.

    Be aware that some file systems have counts of how often they've been mounted that increment even when you mount read-only, which is all it takes to make a hash change. Hardware write blockers are not strictly necessary but are handy. Make sure the one you use has been through real testing, preferably your own.
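
The image verification that the order and the comments above describe, as an added example that is not part of the original discussion: it hashes an image and a copy in one pass (MD5 alongside SHA-256) and, when they differ, reports which blocks changed. The 64 KiB sample image, the counter offset and all function names are assumptions constructed for illustration.

```python
import hashlib
import io

BLOCK = 4096  # comparison granularity in bytes (assumed; any fixed size works)

def image_digests(stream, block=BLOCK):
    """Read an image once; return whole-image MD5 and SHA-256 plus per-block SHA-256."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    blocks = []
    while True:
        chunk = stream.read(block)
        if not chunk:
            break
        md5.update(chunk)
        sha.update(chunk)
        blocks.append(hashlib.sha256(chunk).digest())
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(), "blocks": blocks}

def verify_copy(original, copy, block=BLOCK):
    """Compare two images; return (verified, byte offsets of differing blocks)."""
    a, b = image_digests(original, block), image_digests(copy, block)
    verified = a["sha256"] == b["sha256"] and a["md5"] == b["md5"]
    diffs = [i * block for i, (x, y) in enumerate(zip(a["blocks"], b["blocks"])) if x != y]
    # A length mismatch shows up as extra blocks on one side.
    shorter, longer = sorted((len(a["blocks"]), len(b["blocks"])))
    diffs.extend(i * block for i in range(shorter, longer))
    return verified, diffs

def make_sample_image(mount_count):
    """Constructed 64 KiB stand-in for a disk image with a 2-byte counter at an
    illustrative offset (1024 + 52); not an image of any real drive."""
    data = bytearray(bytes(range(256)) * 256)
    data[1076:1078] = mount_count.to_bytes(2, "little")
    return bytes(data)

def demo():
    acquired = make_sample_image(mount_count=7)
    good_copy = bytes(acquired)
    mounted_copy = make_sample_image(mount_count=8)  # counter bumped by a mount
    ok = verify_copy(io.BytesIO(acquired), io.BytesIO(good_copy))
    bad = verify_copy(io.BytesIO(acquired), io.BytesIO(mounted_copy))
    return ok, bad

if __name__ == "__main__":
    print(demo())
```

The per-block list is what turns a bare mismatch into something reviewable: a single changed block at the start of the image points to metadata touched by a mount rather than to altered file contents.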
