Court Sets Rules For RIAA Hard Drive Inspection
NewYorkCountryLawyer writes "In a Boston RIAA case, SONY BMG Music Entertainment v. Tenenbaum, the Court has issued a detailed protective order establishing strict protocols for the RIAA's requested inspection of the defendant's hard drive, in order to protect the defendant's privacy. The order (PDF) provides that the hard drive will be turned over to a computer forensics expert of the RIAA's choosing, for mirror imaging, but that only the forensics expert — and not the plaintiffs or their attorneys — will be able to examine the mirror image. The forensics expert will then issue a report which will describe (a) any music files found on the drive, (b) any file-sharing information associated with each file, and any other records of file-sharing activity, and (c) any evidence that the hard-drive has been 'wiped' or erased since the initiation of the litigation. The expert will be precluded from examining 'any non-relevant files or data, including ... emails, word-processing documents, PDF documents, spreadsheet documents, image files, video files, or stored web-pages.'"
Re:Question (Score:5, Informative)
Re:Wiping the Hard Drive After Litigation (Score:4, Informative)
Theoretically, couldn't a person just set the BIOS clock to a date and time prior to the legislation, do multiple shreds and formats on the HDD, reinstall the OS with the BIOS clock still 'in the past', and have it seem as though nothing changed since the initiation of the litigation?
You could, assuming that the computer was still in your possession which I doubt at this point.
Re:You're wrong (Score:5, Informative)
I don't think that's the point. The point is that a trusted expert in the industry is the only one with access to the private information. He can then represent the findings on behalf of the RIAA. The defense needs to find its own expert witness to counter any arguments made by the RIAA's expert witness.
At least, that's my understanding of how the proceedings would work. (IANAL)
Re:Wiping the Hard Drive After Litigation (Score:5, Informative)
I have personally nailed people for trying such a thing. One guy had to pay my fees and the fees of the attorney, another I believe spent a month in jail (the destruction was just the straw that broke the camel's back). In civil matters, destroying evidence means that whatever was there was far worse and far more damaging than anything currently residing on the drive. Lawyers can get away with that because they can say whatever they like and you have no way of proving them wrong.
As for your question, a wiped drive is fairly obvious, unless you set your BIOS clock 100's of times and do stuff incrementally, create a range of files with chronological creation/modification/access times, populate the event logs with a smooth span of times, and not leave any smoking guns (Windows XP Pro on a Dell?), you're probably gonna get nailed if the forensics expert is worth his paycheck. By the way, when you copy a file across a file system, from one drive to another, it gets a new creation time, so if all the files were "created" on a single day, that was when they were migrated over.
The forensics expert is allowed to look at file system data and registry data as long as he can justify that it's to detect just the kind of scenario you've stated, and it's within the domain of his orders. Hell, he theoretically can click through every picture, document, and file on the drive if he creates a new forensic case aside from the official one and doesn't tell anybody about it. (that's bad, don't do that).
By the way, if I was ever faced with such a situation, I'd plug my hard drive in as an external, scrub the offending files, blow away the registry, destroy the file system, and take a soldering iron to the circuit board so that they have to do a clean room recovery which will result in a partial image for analysis. I'd present that drive along with a new drive, repaired and what not to the court and say my hard drive crashed and that they can have at it if they like.
Re:New defense tactic... (Score:5, Informative)
If you take an MP3 file and rename it personal.doc, it will still show up in the media bucket and be declared as an audio file in the forensic software I am professionally experienced with.
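Added example (not from any commenter and not any forensic product's code): a minimal content-signature check showing why a renamed MP3 is still classified as audio. The file names and header bytes are constructed samples, and the two-byte frame-sync test is a deliberately simple heuristic.

```python
import os

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # container used by legacy Word .doc

def is_mpeg_frame(header: bytes) -> bool:
    """Weak heuristic: 11 sync bits set and layer bits not reserved (00).
    Real tools also validate bitrate/sample-rate fields and consecutive frames."""
    if len(header) < 2:
        return False
    return header[0] == 0xFF and (header[1] & 0xE0) == 0xE0 and (header[1] & 0x06) != 0

def sniff(header: bytes) -> str:
    """Return a coarse content type from the leading bytes, ignoring the name."""
    if header.startswith(b"ID3") or is_mpeg_frame(header):
        return "audio/mpeg"
    if header.startswith(OLE2_MAGIC):
        return "application/msword"
    if header.startswith(b"%PDF-"):
        return "application/pdf"
    return "unknown"

EXPECTED = {".mp3": "audio/mpeg", ".doc": "application/msword",
            ".pdf": "application/pdf"}

def mismatches(files):
    """files: iterable of (name, header_bytes).
    Return (name, detected_type) where the extension disagrees with the content."""
    flagged = []
    for name, header in files:
        ext = os.path.splitext(name)[1].lower()
        detected = sniff(header)
        if detected != "unknown" and EXPECTED.get(ext) != detected:
            flagged.append((name, detected))
    return flagged

# Constructed sample headers (first bytes of each hypothetical file).
SAMPLES = [
    ("personal.doc", b"ID3\x03\x00\x00\x00\x00\x0f\x76"),   # MP3 with ID3v2 tag
    ("letter.doc", OLE2_MAGIC + b"\x00" * 8),               # genuine OLE2 document
    ("track01.mp3", b"\xff\xfb\x90\x64\x00\x00"),           # untagged MP3 frame
    ("notes.doc", b"\xff\xfb\x90\x64\x00\x00"),             # untagged MP3, renamed
]

if __name__ == "__main__":
    for name, detected in mismatches(SAMPLES):
        print(f"{name}: extension says document, content is {detected}")
```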
if it works for bush (Score:4, Informative)
http://en.wikipedia.org/wiki/Bush_White_House_e-mail_controversy
why can't it work for you?
of course, wiping your disk after start of litigation opens you up to destruction of evidence
so all you have to do is structure your attitude towards the courts, and the nature of how you wipe according to the RNC playbook, and you should be able to give yourself enough plausible deniability to let yourself off the hook. "whoops! how'd that happen?"
pirates should learn from the best crooks, the past administration, when it comes to the destruction of electronic evidence
or i suppose there exists some sort of double standard between the elites and the commoners in a country supposedly standing for western liberal ideals about fair play and equality? naahhhh...
Re:Our laws are not even wrong (Score:1, Informative)
Dude,
Learn something about the law. This is a CIVIL case. This isn't a search from a warrant, this falls under DISCOVERY, which is the process whereby each side in a civil suit can force the other to show what evidence they have about the case.
This is common, and allowing each side to choose the investigator they use for such specific tasks as computer forensics is the norm.
IANAL, but I was a computer forensics tech a long time ago.
Re:Question (Score:2, Informative)
I'm surprised nobody's shot the RIAA CEO in the head yet. Maybe RIAA deliberately avoids known-militia users. (shrug). Really this whole thing's getting out of hand. I'm going to lose years of my life fighting a court case just because I downloaded the Hot 100 from 2008? C'mon. I have hundreds of CDs on my shelves - it's not as if I (and other fans) don't support singers we like. RIAA is blowing things totally out of proportion, and it's about time people rise-up and fight back.
http://en.wikipedia.org/wiki/Whiskey_rebellion#Consequences - "The hated whiskey tax was repealed in 1803, having been largely unenforceable outside of Western Pennsylvania, and even there never having been collected with much success."
Re:You're wrong (Score:1, Informative)
The point is that a trusted expert in the industry is the only one with access to the private information.
No, the point is that the expert only needs to be trusted by the RIAA, they have the sole say who gets chosen. They might as well choose an employee not otherwise associated with the case.
Re:Question (Score:3, Informative)
They can detect that you have truecrypt partitions, they cannot detect how many. The "hidden volume" feature is still safe.
Re:You're wrong (Score:3, Informative)
I am curious how the court responded to Defendant's Opposition to Plaintiffs' Motion to Dismiss Counterclaims
I believe that is scheduled for oral argument on June 5th.
Re:I call bull on the above statement! (Score:1, Informative)
I just copied a file with a creation date of 8/11/2008 from my D: drive to C:. After the copy, the file on C: has a creation date of 5/7/2009, but still has a modified date of 8/11/2008 (which is what displays by default in Explorer).
So the dude's right after all...
Re:I call bull on the above statement! (Score:2, Informative)
"By the way, when you copy a file across a file system, from one drive to another, it gets a new creation time, so if all the files were "created" on a single day, that was when they were migrated over."
Not on a Windows system it doesn't. The only time you get a new date on it is when you download from an external system, or you manually change the date/time stamp.
You obviously don't know much about filesystems. On Windows, Unix and Linux filesystems, there are 3 timestamps, access, creation, and modification. They've existed for as long as I remember them back to the first IBM PC. You normally only see the modification timestamp when you look at files. The other 2 are "hidden," and you'll be screwed if you think that the modification time is the only timestamp on your system.
Timestamps are not 100% proof since they can be manipulated. You don't need to set the BIOS date to change timestamps. The access timestamp is changed every time the file is accessed or even listed and is only useful if you made the disk read only before any access, otherwise, it is pretty worthless.
A single timestamp is worthless. Multiple timestamps across the system to prove correlation is necessary to prove guilt. Unless you're good enough to write a script to manipulate numerous timestamps to make deletions and modifications look like normal access, changing timestamps, either through BIOS or software is pretty useless. Guilt only needs to be proven Beyond a Reasonable Doubt. Reasonable Doubt is actually quite a low bar and very different than a Shadow of a Doubt.
Re:You're wrong (Score:3, Informative)
Does the order preclude the defense from picking their own forensic examiner, and leaving it up to the court (jury?) to decide which one to believe?
No it does not. It relates solely to the methodology of the hard drive mirror image inspection.
Re:I call bull on the above statement! (Score:1, Informative)
Who modded this up? It's just plain wrong. The file creation date does change. What doesn't change, and what Explorer shows by default, is the file modification date. Try right clicking on the column headings and checking "date created". So yes, you can tell if you simply copied everything over to a new location.
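Added example (not from any commenter): a sketch of the correlation the thread describes, where a copy resets the creation time but keeps the older modification time, so a cluster of such files created on one day marks a bulk migration. The records are constructed, reusing the 8/11/2008 and 5/7/2009 dates from the comment above; the field names and the 50% threshold are assumptions, and archive extraction or a restore from backup produces the same pattern.

```python
from collections import Counter
from datetime import datetime

def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def copied_files(records):
    """Records created after they were last modified: the content predates
    this copy of the file, which is what a copy between volumes leaves behind."""
    return [r for r in records if parse(r["created"]) > parse(r["modified"])]

def migration_days(records, min_share=0.5):
    """Map day -> count for days on which at least min_share of ALL files
    were created with an older modification time (likely bulk copy)."""
    per_day = Counter(parse(r["created"]).date().isoformat()
                      for r in copied_files(records))
    total = len(records)
    return {day: n for day, n in per_day.items() if total and n / total >= min_share}

# Constructed file-system metadata, as an examiner might export it.
RECORDS = [
    {"path": "D:/music/a.mp3", "created": "2009-05-07 10:01", "modified": "2008-08-11 19:30"},
    {"path": "D:/music/b.mp3", "created": "2009-05-07 10:01", "modified": "2007-03-02 08:15"},
    {"path": "D:/docs/c.txt",  "created": "2009-05-07 10:02", "modified": "2006-12-24 22:40"},
    {"path": "D:/docs/d.txt",  "created": "2009-05-07 10:03", "modified": "2009-01-15 13:05"},
    {"path": "D:/docs/e.txt",  "created": "2009-05-08 09:00", "modified": "2009-05-08 09:00"},
]

if __name__ == "__main__":
    for day, n in migration_days(RECORDS).items():
        print(f"{n} of {len(RECORDS)} files look copied onto this volume on {day}")
```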