Safeguards For RIAA Hard Drive Inspection
NewYorkCountryLawyer writes "In SONY v. Arellanes, an RIAA case in Sherman, Texas, the Court entered a protective order (PDF) that spells out the following procedure for the RIAA's examination of the defendant's hard drive: (1) RIAA imaging specialist makes mirror image of hard drive; (2) mutually acceptable computer forensics expert makes two verified bit images, and creates an MD5 or equivalent hash code; (3) one mirror image is held in escrow by the expert, the other given to defendant's lawyer for a 'privilege review'; (4) defendant's lawyer provides plaintiffs' lawyer with a 'privilege log' (list of privileged files); (5) after privilege questions are resolved, the escrowed image — with privileged files deleted — will be turned over to RIAA lawyers, to be held for 'lawyers' eyes only.' The order differs from the earlier order (PDF) entered in the case, in that it (a) permits the RIAA's own imaging person to make the initial mirror image and (b) spells out the details of the method for safeguarding privilege and privacy."
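Step (2) of the order, two verified bit images plus "an MD5 or equivalent hash code", as an added example that is not part of the original story or the court's order: it hashes each copy in fixed-size chunks and checks both against the digests recorded at acquisition. Computing SHA-256 alongside MD5, the file names and the 3 MiB stand-in image are assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so multi-GB images never sit in RAM

def image_digests(path, algorithms=("md5", "sha256")):
    """Hash one image file once, feeding every algorithm from the same read."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_copies(recorded, escrow_path, review_path):
    """Compare both copies against the digests recorded at acquisition."""
    report = {}
    for label, path in (("escrow", escrow_path), ("review", review_path)):
        actual = image_digests(path, tuple(recorded))
        report[label] = {alg: actual[alg] == recorded[alg] for alg in recorded}
    report["all_match"] = all(all(v.values()) for v in report.values())
    return report

def demo():
    """Constructed sample: a 3 MiB stand-in image, two copies, one bit flipped."""
    workdir = tempfile.mkdtemp()
    data = os.urandom(3 * CHUNK)
    paths = {}
    for name in ("source.img", "escrow.img", "review.img"):  # hypothetical names
        paths[name] = os.path.join(workdir, name)
        with open(paths[name], "wb") as fh:
            fh.write(data)
    recorded = image_digests(paths["source.img"])
    clean = verify_copies(recorded, paths["escrow.img"], paths["review.img"])
    # Simulate silent corruption of a single bit in the review copy.
    with open(paths["review.img"], "r+b") as fh:
        fh.seek(CHUNK + 17)
        byte = fh.read(1)
        fh.seek(CHUNK + 17)
        fh.write(bytes([byte[0] ^ 0x01]))
    altered = verify_copies(recorded, paths["escrow.img"], paths["review.img"])
    return clean, altered

if __name__ == "__main__":
    for result in demo():
        print(result)
```

A single flipped bit anywhere in a copy changes both digests, which is what lets either side later show that the escrowed image and the review image are the same data that was acquired.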
Digital Forensics - a tough issue (Score:5, Interesting)
Re:Initial image by agreed experts, not RIAA (Score:3, Interesting)
And I agree, it does actually sound pretty reasonable.
Regardless, anyone who gets a subpoena from the RIAA should be smart enough to swap out hard drives and install a new OS before the case even gets that far anyway. Assuming they have something to hide. Seems pointless really.
Re:I love this line... (Score:4, Interesting)
My vote: it's the troll. It's too stupid to do a parody of anything.
Re:Piracy just hurts the little guy. (Score:2, Interesting)
And notice that it's an off-topic troll, to boot.
Re:Piracy just hurts the little guy. (Score:1, Interesting)
It's very clearly an instance of sustained irony.
Re:Initial image by agreed experts, not RIAA (Score:3, Interesting)
Besides being more private, it's also damned cool and lets you bring your programs, files, and everything with you no matter what computer you're on.
Re:Why a broken hash? (Score:3, Interesting)
Re:Initial image by agreed experts, not RIAA (Score:4, Interesting)
TrueCrypt is pretty neat, but that brings up a question. If you encrypt your entire hard drive, what happens when your computer is taken as evidence? Can you be required to divulge the decryption key? IANAL, but I assume that you can be held in contempt of court (or something) by refusing to offer it up, leading to criminal charges, fines, and/or jail time. In any case, I doubt you can just give the RIAA the bird and say "Nah nah, can't touch this" because your stuff is encrypted.
Does anyone know the details about this? I doubt encryption helps you when it comes to legal matters, unless maybe you can plead the Fifth. After all, by giving up the decryption key you may be incriminating yourself.
Anyone know?
Safeguards I use (Score:5, Interesting)
2. A good self-destruct device (easy to build and arm) for the hard drive (renders it absolutely useless to any forensic expert, since it physically destroys the platters).
3. I use an external drive to store the MP3 and other multimedia files on. Easily hidden (like the old Varmit XL1000 CB Linear amps of decades past).
Anyone wanting to seize my machine will pay dearly for trying. I just don't give a damn anymore since I had the nervous breakdown last year.
That way, if the RIAA does get the machine, it will turn to scrap before they can get it 2 miles away. Paranoid? Sure, but with the corruption of the courts these days, these steps are needed.
Re:Initial image by agreed experts, not RIAA (Score:5, Interesting)
Or if you're real paranoid, just get a laptop body + huge HDD + wireless and bury it in your wall and store your shit on that. Just manually mount the (encrypted) remote volume and suppress NFS logging and there's zero evidence that you ever had any files.
Just remember to encrypt everything anyway. And use ext2fs to avoid a journal leaving any "surprises" behind.
And what about disk-copy utilities that duplicate a disk, timestamps and all, except you leave out certain important things (like ~/music/) from the copy? Actually, best to have some classical or nerdcore music, lest the absence of anything prove suspicious.
I guess what I'm saying is, there are many, many ways to foil the MAFIAA. You just have to implement them beforehand, and calmly cover every angle. Trying to do something *after* getting subpoenaed is a bad idea, because then you're hurrying. And as you say, one tiny mistake is all it takes, and people tend to make mistakes when they hurry.
Re:Some things I wonder about are.... (Score:5, Interesting)
do they search each defendant's home top to bottom to find any hidden hard drives?
I'd been thinking about this and had more or less decided it would be a good idea to buy a wireless hard drive (like this: http://www.whatlaptop.co.uk/YRtBdcdoWel2Yg.html [whatlaptop.co.uk]). I might even really go wild and rip some of the plasterboard off a partition wall and wire it straight in to a ring main. Replace the plasterboard and repaint and you'd virtually have to pull the building apart to find it (unless you used RF direction finding) - and that's if you knew it was there. I can't imagine your average cop/lawyer realising.
But would it be a fire hazard?
I would have them remove... (Score:4, Interesting)
In the end they should receive any MP3 files that are on their list of infringing files, and Online Media Distribution System (P2P file sharing program, for the rest of us) files for the OMDS they've claimed they've identified (e.g. KaZaA) if present, AND NOTHING MORE!
As I understand it (IANAL), you are allowed to remove personal files that have no relationship to the case at hand. The RIAA can object if you try to protect files they say have a direct bearing on their case, however, they should find it an impossible task to justify why they need to see anything other than specified MP3 and/or OMDS files. Don't give them a byte more than they're entitled to.
And most importantly of all, perhaps, wipe all the unused file space. Let them try to prove why they deserve access to areas of the hard drive not included in any files.
All the more reason to use.... (Score:2, Interesting)
i.e. - VMWare, where the installation is hosted within a single file. For tin foil hat level security you may choose to keep the file on a removable device. The first hint that the RIAA is pursuing you, you disconnect/erase the device/file.
Ooops, the cat's out of the bag now !
maybe this has been said (Score:1, Interesting)
Re:Initial image by agreed experts, not RIAA (Score:2, Interesting)
----
From the TrueCrypt website:
Plausible Deniability
In case an adversary forces you to reveal your password, TrueCrypt provides and supports two kinds of plausible deniability:
1. Hidden volumes (for more information, see the section Hidden Volume).
2. It is impossible to identify a TrueCrypt volume. Until decrypted, a TrueCrypt volume appears to consist of nothing more than random data (it does not contain any kind of "signature"). Therefore, it is impossible to prove that a file, a partition or a device is a TrueCrypt volume or that it has been encrypted.
TrueCrypt containers (file-hosted volumes) can have any file extension you like (for example,
When formatting a hard disk partition as a TrueCrypt volume, the partition table (including the partition type) is never modified (no TrueCrypt "signature" or "ID" is written to the partition table).
Whenever TrueCrypt accesses a file-hosted volume (e.g., when dismounting, attempting to mount, changing or attempting to change the password, creating a hidden volume within it, etc.) or a keyfile, it preserves the timestamp of the container/keyfile (i.e., date and time that the container/keyfile was last accessed* or last modified), unless this behaviour is disabled in the preferences.
Re:Initial image by agreed experts, not RIAA (Score:2, Interesting)
Re:Initial image by agreed experts, not RIAA (Score:1, Interesting)
Timestamps are totally unreliable if you have a few hours of time on your hands to create a false trail. I'm amazed the courts consider *any* PC-derived evidence as admissible. It just shows the ignorance of the legal system in general. Until or unless we have TPM imposed upon us, no computer-related evidence is really trustworthy.
Thank goodness.
RIAA is interested in (Score:3, Interesting)
1) kazaa.log
2) spyware.log
3) $sys$sonyrootkit.log
Re:Initial image by agreed experts, not RIAA (Score:5, Interesting)
The inner volume can be hidden, and the creators believe that it is robust enough that it can not be identified if you don't know it is there.
http://www.truecrypt.org/ [truecrypt.org]
Re:Initial image by agreed experts, not RIAA (Score:1, Interesting)
If you really want to hide something, do this:
1. Go to a store and buy a large external hard drive. Pay with cash.
2. Use loop-aes, TrueCrypt, or whatever you use on the drive.
3. Install VMWare, Qemu, VirtualBox, KVM, Xen, or whatever you use.
4. Create a virtual machine for doing your filesharing in. Store it on the external drive.
5. Store all downloaded content on the external drive.
This way, if the RIAA wants your computer's hard drive they won't get anything. They don't have to know the external exists. They won't see the filesharing apps installed. They won't see 60gb TrueCrypt volumes with 10 office documents in it (since the rest is in the hidden part...). Just make sure that the true path of the VM isn't listed in your virtualization software's history. And create a few vms of various operating systems so it looks like you use it for things.