
Court Sets Rules For RIAA Hard Drive Inspection

NewYorkCountryLawyer writes "In a Boston RIAA case, SONY BMG Music Entertainment v. Tenenbaum, the Court has issued a detailed protective order establishing strict protocols for the RIAA's requested inspection of the defendant's hard drive, in order to protect the defendant's privacy. The order (PDF) provides that the hard drive will be turned over to a computer forensics expert of the RIAA's choosing, for mirror imaging, but that only the forensics expert — and not the plaintiffs or their attorneys — will be able to examine the mirror image. The forensics expert will then issue a report which will describe (a) any music files found on the drive, (b) any file-sharing information associated with each file, and any other records of file-sharing activity, and (c) any evidence that the hard-drive has been 'wiped' or erased since the initiation of the litigation. The expert will be precluded from examining 'any non-relevant files or data, including ... emails, word-processing documents, PDF documents, spreadsheet documents, image files, video files, or stored web-pages.'"
  • Question (Score:2, Interesting)

    by Anonymous Coward on Thursday May 07, 2009 @01:54PM (#27863511)

    If the entire hard drive was secured with something like TrueCrypt, could you be compelled to turn over the password?

    Anyway, does stuff like this matter much anymore? I thought more and more convictions were based on ISP logs instead of hard drive searches these days...

  • by DirtyCanuck ( 1529753 ) on Thursday May 07, 2009 @01:55PM (#27863547)

    SONY BMG Music Entertainment v. Tenenbaum

    Ya last time I checked Sony did this with illegal DRM being installed without telling the consumer.

    We should be checking THEIR hard drives for malicious code.

    *Head Spins Off* Who are the laws meant to protect again?

  • by AgTiger ( 458268 ) on Thursday May 07, 2009 @02:01PM (#27863683) Homepage

    > (c) any evidence that the hard-drive has been 'wiped' or erased since the initiation
    > of the litigation.

    So as long as you wipe or erase the hard drive before litigation begins, or before you become subpoenaed (aware of the litigation), you're protected if you destroyed any evidence of your activities?

    Perhaps a VMWare or other virtual operating system is in order then. Download, burn to optical, revert the guest image.

    Perhaps NewYorkCountryLawyer could confirm the viability of this method?

    Something about not being forced to testify against yourself. No sense in leaving your equipment capable of testifying against yourself either.

  • by rodrigoandrade ( 713371 ) on Thursday May 07, 2009 @02:04PM (#27863755)
    Good point. Will the forensic expert just look at file extensions to determine what is copyrighted material, and what is personal/private info?? If so, your trick should work.
  • by Todd Knarr ( 15451 ) on Thursday May 07, 2009 @02:08PM (#27863811) Homepage

    They could, but it's easy to get tripped up. For instance, one of the default settings in Windows XP is to synchronize time to a network time server belonging to Microsoft. If you weren't careful to keep the machine isolated during the install and all patching, you'd end up with a big discrepancy in timestamps as the clock jumped forward to the correct time during the last part of the install process. It'd also show up in the timestamps on patches, they might show as having been installed before they were issued or they'd be all lumped together at the very end when they should've been installed in a steady stream starting at the claimed install date and getting progressively more recent as patches were applied automatically. It might be hard to prove exactly when the drive was wiped, but it'd be easy to show that the fingerprint of the timestamps doesn't match what it'd be if the drive was as old as it claimed to be and had aged at 1 second per second since then.

  • Re:You're wrong (Score:5, Interesting)

    This makes way too much sense.

    Nope. Letting the RIAA pick the "forensics expert" does absolutely nothing to ensure that a fair and impartial expert is chosen. I'd think all that would do is make it very easy for the RIAA to set up a forensics lab of their own that could potentially plant evidence on the mirror copy. Then what do you do? They could always claim that your copy, which is minus the planted evidence, was "tampered with". I see no good out of this, but if NewYorkCountryLawyer disagrees, I would welcome an opportunity to be educated out of my error here.

    No, while I think the order otherwise "makes sense", I happen to agree with you 100% on your point that the RIAA should not be able to unilaterally pick the forensic examiner. I think that is a mistake on the judge's part. As I pointed out in TFA:

    Unlike the protective order [beckermanlegal.com] (pdf) in SONY BMG Music Entertainment v. Arellanes [beckermanlegal.com], this protective order permits the RIAA to unilaterally select whatever expert it chooses, rather than an independent, mutually agreeable, expert.

    I think that is unfortunate. I'm hoping the judge comes to recognize that oversight.

  • simple solution (Score:4, Interesting)

    by FudRucker ( 866063 ) on Thursday May 07, 2009 @02:13PM (#27863891)
    get some thermite, glue it to the top of your harddrive with a fuse connected to the cover on your PC case, if not opened properly the harddrive melts...
  • rename (Score:1, Interesting)

    by Anonymous Coward on Thursday May 07, 2009 @02:17PM (#27863939)

    1. download music, movies
    2a. rename all media files to doc or xls
    OR
    2b. zip files (possibly encrypt)
    3. beat court case b/c forensics find no mp3,mp4,aac,wma,wmv,mov,avi,etc
    4. profit

    seriously?

  • by vux984 ( 928602 ) on Thursday May 07, 2009 @02:30PM (#27864171)

    Theoretically, couldn't a person just set the BIOS clock to a date and time prior to the legislation, do multiple shreds and formats on the HDD, reinstall the OS with the BIOS clock still 'in the past', and have it seem as though nothing changed since the initiation of the litigation?

    Yes, theoretically it can be done.

    So, right out of the gate, there would be evidence that the drive had been formatted and shredded just prior to the litigation. That's not 'criminal', but it's suspicious enough to maybe look into it, and try and determine if it was in fact done before or after. And in practice most people, especially regular people, will make mistakes.

    Ok... so the OS and installation logs etc proudly proclaim they were all installed before such and such a date. But hmmm... what's this strange 4 month gap in the time stamps in the event log, starting 2 days after the OS was reinstalled.... or maybe our genius thought of that, but then why was the machine booted up and down each 'day' yet did nothing else...and it did this for 4 straight months... that looks a LOT more like someone rebooting, advancing the bios date, rebooting, advancing the bios date...etc than actually using it.

    And then on top of that, why does the java auto update log show that the latest Java Update was installed 2 months before it was released... and this folder here... it contains mp3s with file creation dates before they were even recorded.

    So they might come back and say, clearly someone was messing around with the clock and doing strange things with the PC. Couple that with the evidence the PC was wiped and shredded... we, of course, can't PROVE, the defendant tampered with the drive to destroy evidence... there are other possible explanations. But this is evidence of tampering, we think the jury will agree that the drive was tampered with, as opposed to being conveniently afflicted by a bizarre set of circumstances that make it merely look like it was tampered with.

    Like anything digital, yes, your perfect crime is theoretically possible, but it's probably much harder than you think.
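The consistency checks described in the two comments above (Todd Knarr's and vux984's), written out as an added example that is not part of either post: it flags installs dated before release, long gaps in recorded activity, boot-only days, and installs lumped into one window. The timeline, package names and release dates are constructed for illustration, and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

# Constructed sample timeline (not from any real case): (time, kind, detail)
EVENTS = [
    (ts("2008-01-10 09:00"), "boot", ""),
    (ts("2008-01-10 09:20"), "install", "os-setup"),
    (ts("2008-01-10 10:05"), "install", "patch-A"),
    (ts("2008-01-10 10:06"), "install", "patch-B"),
    (ts("2008-01-10 10:07"), "install", "runtime-update-7"),
    (ts("2008-01-10 11:00"), "shutdown", ""),
    (ts("2008-01-11 08:00"), "boot", ""),
    (ts("2008-01-11 08:02"), "shutdown", ""),
    (ts("2008-01-12 08:00"), "boot", ""),
    (ts("2008-01-12 08:01"), "shutdown", ""),
    (ts("2008-05-15 19:00"), "boot", ""),
    (ts("2008-05-15 19:30"), "file_create", "report.doc"),
]

# Constructed vendor release dates for the hypothetical packages above.
RELEASED = {
    "patch-A": ts("2007-12-11 00:00"),
    "patch-B": ts("2008-02-12 00:00"),
    "runtime-update-7": ts("2008-03-04 00:00"),
}

def installed_before_release(events, released):
    """Packages whose recorded install time is earlier than their release."""
    return sorted(d for t, k, d in events
                  if k == "install" and d in released and t < released[d])

def activity_gaps(events, max_gap=timedelta(days=30)):
    """Pairs of consecutive records separated by more than max_gap."""
    times = sorted(t for t, _, _ in events)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]

def boot_only_days(events):
    """Days on which the machine was started and stopped but did nothing else."""
    kinds_by_day = defaultdict(set)
    for t, kind, _ in events:
        kinds_by_day[t.date()].add(kind)
    return sorted(d for d, kinds in kinds_by_day.items()
                  if kinds <= {"boot", "shutdown"})

def largest_install_burst(events, window=timedelta(hours=1)):
    """Most installs inside any one window; a steady patch history stays low."""
    installs = sorted(t for t, k, _ in events if k == "install")
    return max((sum(1 for t in installs[i:] if t - start <= window)
                for i, start in enumerate(installs)), default=0)

def findings(events=EVENTS, released=RELEASED):
    return {
        "installed_before_release": installed_before_release(events, released),
        "activity_gaps": activity_gaps(events),
        "boot_only_days": boot_only_days(events),
        "largest_install_burst": largest_install_burst(events),
    }

if __name__ == "__main__":
    for name, value in findings().items():
        print(name, value)
```

None of these findings fixes the date of a wipe; each only shows that the recorded history does not match a machine that aged continuously, which is the limit both comments describe.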

  • by Mycroft_514 ( 701676 ) on Thursday May 07, 2009 @02:43PM (#27864391) Journal

    "By the way, when you copy a file across a file system, from one drive to another, it gets a new creation time, so if all the files were "created" on a single day, that was when they were migrated over."

    Not on a Windows system it doesn't. The only time you get a new date on it is when you download from an external system, or you manually change the date/time stamp.

    Now me? All my music files (all legal, btw) are already on a USB portable drive anyway, because it takes 15GB off the active drive I need the space on. And my wife's machine? Re-loaded with WIN XP PRO over the top of WIN XP Home about a month ago. Memory chip went bad, and garbled part of the registry - right after I got a full backup of the files.....

    So, how are we going to certify Forensics experts? Obviously the Anonymous Coward above wants to be one, but certainly doesn't qualify, if he makes such a basic mistake. (And to double check, I tried it just before I posted this message. Copied a file to another drive and it retains the 2008 creation date).

  • Illegal MP3s (Score:2, Interesting)

    by Nekomusume ( 956306 ) on Thursday May 07, 2009 @02:44PM (#27864409)

    How would the forensics expert know any given MP3 he finds is illegal? Between online music stores and CD-Ripping, he could very well find 1000 MP3s, and every last one of them be legal.

  • by HandleMyBidness ( 848635 ) on Thursday May 07, 2009 @03:33PM (#27865251)

    "By the way, when you copy a file across a file system, from one drive to another, it gets a new creation time, so if all the files were "created" on a single day, that was when they were migrated over."

    Not on a Windows system it doesn't. The only time you get a new date on it is when you download from an external system, or you manually change the date/time stamp.

    You are looking at date_mod, not date_create there smart guy. I hire forensic experts and the AC seems to have a pretty solid grip.

  • Unless you had a long, long time to plan such a move in advance it is extremely unlikely that you can do this well enough to beat a forensic investigator.

    You have two basic paths open to you: Either a surgical strike against the incriminating files or emulating a normal usage history sans music from scratch. You can't just wipe and reinstall because it's an obviously unnatural usage pattern.

    Unless you're paranoid like me, you're probably not using ext2fs; Those spiffy new journaling filesystems also mean that there's no guarantee that 'shred' overwriting britney.mp3 50 times will result in the drive head physically setting the same locations to garbage 50 times. This practically guarantees that a surgical strike will fail. To make it worse, modern OSes and programs of all flavors leave metadata, logdata and temp files floating around all over the place. Unless you pay overwhelming attention to detail, you're going to miss some .playlist or incriminating log entry somewhere. In addition, as others have pointed out, all filesystems (including my beloved ext2) maintain low-level metadata - ctime, atime, etc - which would require extremely careful manipulation at the lowest levels to remove the proof that you changed and/or deleted key log files.

    It's not impossible in principle, but it would be incredibly difficult to do successfully - the odds of you finding and sterilizing absolutely every file your media player and p2p have ever touched in even the most tangential way are not good. The only standard is perfection and if your ploy is anything less the courts will crucify you for destruction of evidence.

    A small additional line of defence might be gained by spreading a great deal of legal music (e.g. Rhyme Torrents) around everywhere where the illegal stuff was, with the intention of perhaps adding just enough noise to obscure a signal that you missed.

    The alternative is to fabricate a normal use history from whole cloth; This will likely be even more difficult, as the surgical strike leaves the other 99% of the drive and its normal, not-suspicious usage history untouched. Even if you import your documents back from a backup using something like --preserve-ctime, you will have to recreate the metadata and temp stuff left by the apps which use and create them or what you did will be obvious. Trying to recreate the metadata from scratch is straight out; An AI capable of doing that for you would most likely pass the Turing Test. That leaves copying the old metadata over while scrubbing it of incriminating data, in which case you might as well have just gone with option #1 anyway.

    What can they do if you simply happen to have a large and very powerful degaussing loop in your bedroom doorframe that most unfortunately wipes the drive (and everyone's wallet) as they walk out with it?
  • Re:Question (Score:3, Interesting)

    by blueg3 ( 192743 ) on Thursday May 07, 2009 @04:08PM (#27865939)

    The order doesn't require them to identify music and other file types by extension. It is probably well within the limitations to use automated software to detect the file content.

    Of course, if you were so foolish as to use an obviously-invented file extension and make a login/logout script, they would have two good reasons to investigate those files specifically, and additionally may report that you were attempting to conceal the files from a search.
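Content-based identification as blueg3's comment describes it, as an added example that is not part of the original post: each file is classified by its leading bytes and compared with the type its extension claims. The signature table is a small subset of well-known magic numbers, and the file names and byte strings are constructed samples.

```python
import os

SIGNATURES = [  # (magic prefix, content label)
    (b"ID3", "mp3"),                                  # MP3 with an ID3v2 tag
    (b"OggS", "ogg"),
    (b"fLaC", "flac"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls container
]

# Content labels each extension is allowed to carry.
EXPECTED = {".mp3": {"mp3"}, ".ogg": {"ogg"}, ".flac": {"flac"}, ".wav": {"wav"},
            ".zip": {"zip"}, ".pdf": {"pdf"}, ".doc": {"ole2"}, ".xls": {"ole2"}}

def is_mpeg_audio_frame(head):
    """True if the first bytes form a plausible MPEG audio frame header."""
    if len(head) < 3 or head[0] != 0xFF or (head[1] & 0xE0) != 0xE0:
        return False                      # 11-bit frame sync missing
    version = (head[1] >> 3) & 0x3
    layer = (head[1] >> 1) & 0x3
    bitrate_index = head[2] >> 4
    sample_rate_index = (head[2] >> 2) & 0x3
    return (version != 1 and layer != 0   # reserved values
            and bitrate_index != 15 and sample_rate_index != 3)

def sniff(head):
    """Classify a file from its leading bytes, ignoring its name."""
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label
    if head[:4] == b"RIFF" and head[8:12] == b"WAVE":
        return "wav"
    if is_mpeg_audio_frame(head):
        return "mp3"                      # untagged MP3 starts with a frame
    return "unknown"

def audit(files):
    """files: iterable of (name, leading bytes) -> (name, ext, content, mismatch)."""
    rows = []
    for name, head in files:
        ext = os.path.splitext(name)[1].lower()
        content = sniff(head)
        mismatch = content != "unknown" and content not in EXPECTED.get(ext, set())
        rows.append((name, ext, content, mismatch))
    return rows

# Constructed samples: (file name, first bytes of the file)
SAMPLES = [
    ("song.mp3", b"ID3\x03\x00\x00\x00\x00\x0f\x76"),
    ("budget.xls", b"\xff\xfb\x90\x00" + b"\x00" * 12),
    ("letter.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
    ("notes.qzx", b"ID3\x04\x00\x00\x00\x00\x02\x01"),
    ("archive.zip", b"PK\x03\x04\x14\x00\x00\x00"),
]

if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row)
```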

  • by JoeMerchant ( 803320 ) on Thursday May 07, 2009 @04:09PM (#27865969)

    The simplest thing to do is to have a second disk in your computer, one for bad things and the second as a legal spare. Some truck drivers keep multiple log books, so something like that would be easier.

    That way you could show use on the second boot disk. If you get sued simply remove the illegal disk and bury it somewhere, like a neighbors yard. start using your legal hdd as you would minus the piracy piece.

    Don't they sell these as NAS drives? You could even operate it underground in your neighbors' back yard and just pull the wires when feeling paranoid.

  • Re:It's funny... (Score:2, Interesting)

    by misexistentialist ( 1537887 ) on Thursday May 07, 2009 @04:17PM (#27866089)
    Q: If you're doing nothing wrong, why are you hiding that Jew in your attic? A: Jews want to be free!
  • by thejynxed ( 831517 ) on Thursday May 07, 2009 @04:29PM (#27866371)

    Fun - fun - fun with disabling access time stamps (and other filesystem "time" settings) in Windows XP.

    That's what always gets me about these forensic folks. What do they do if the individual they are investigating is technically literate, instead of Joe Job Number 10?

    I know on my system at least, I have access timestamps disabled, and I have all file creation/modification times set to the original contained within the installers or .rar files.

    Outside of .txt log files, Guildwars files, Firefox stuff, and MUSHClient configuration files, essentially everything on this system will probably look awfully strange to a forensics expert. Even the Microsoft patches after installation, only show the original timestamps from Microsoft.

    Torrent clients? If it isn't a "portable" version, I don't use it. All data files, etc, kept on external and NAS drives. All OS system and installer log files are deleted once a week. Registry is cleaned out once a week. "Most Recently Used", etc is permanently disabled via the registry. System is defragged once per week as well. All deleted material is cleaned using DoD standards, and freespace is scrubbed and overwritten.

    Take note: I do not sync my system clock with any outside server either.

    How does a forensic expert deal with a system like mine?

  • Re:You're wrong (Score:3, Interesting)

    I usually take "you can correct me" to mean "if my claim is wrong, please debunk it". I don't think GP was asking you to prove his point so much as he was inviting you to enlighten/overrule him if he was wrong.

    I was just kidding around with him; he's been a Slashdot friend for a long time. But seriously, if you imply that NYCL will correct you if you're wrong, that kind of carries with it an implication that if I don't correct him I thought he was right. And I certainly didn't think he was right on that. I usually don't give advice here, but let me give a word of advice: don't ever bet on there being anything even an RIAA lawyer wouldn't do.

    Semantics aside, I agree with your suspicion.

    Well I'm not saying they would plant evidence; I'm just saying I wouldn't put it past them. I don't know how low they would go. I just know that they make false statements frequently, they act immorally and contrary to law, and the depths of their behavior seems to know no bounds.

    And let me take the opportunity to say, I've always enjoyed reading your submissions to Slashdot and your comments as well.

    Thank you very much. I've always felt at home at Slashdot, since the first day I discovered this nutty place.

  • Re:Question (Score:3, Interesting)

    by sjames ( 1099 ) on Thursday May 07, 2009 @04:35PM (#27866517) Homepage Journal

    Dang! I KNOW that's the right password, I can't imagine why it's not working! (as the crypto software begins silently corrupting the data)

    Unless we as a society are prepared to make poor memory a crime, that's about the end of that road.

    On the biometric front, some fingerprint scanners claim to be able to detect duress. Since an unwilling person would necessarily be under duress, no court order could overcome that however compliant the defendant might be.

  • by earlymon ( 1116185 ) on Thursday May 07, 2009 @04:42PM (#27866633) Homepage Journal

    It might be hard to prove exactly when the drive was wiped, but it'd be easy to show that the fingerprint of the timestamps doesn't match what it'd be if the drive was as old as it claimed to be and had aged at 1 second per second since then.

    emphasis mine

    Easy to show to you and me or easy to show to a jury? I'm naive enough to skip my own forensics experts at that point, take the stand with pre-arranged questions from my lawyer, and then testify as follows:

    Geez, I don't know, I'm not a forensics computer guy. I do not have clue one about the inner working of timestamps and the idea of time having a fingerprint frankly sounds like something out of Star Trek to me. I don't even know why my fate is being decided this way. Evidently, their experts say that my own computer says I am liar. I don't know, but I thought from watching TV that using lie detectors against a person is against the law. Are you telling me now - let me get this straight - that a Windows computer that makes me and everyone I know crazy with all its crazy Windows frustrations of losing my files when I'm typing them and crashing on me and stuff - are you telling me that that is now a lie detector? And that my very own Windows-computer-lie-detector is their point in accusing me guilty?

    Like I admitted, I'm naive, but I'd bet if someone said that while I was on a jury, I could not in any way under the sun find him guilty of anything whatsoever.

  • by TinBromide ( 921574 ) on Thursday May 07, 2009 @05:16PM (#27867231)
    The tags are in the file, so it would change the content. The forensic software doesn't read those tags, so changing them would only change the md5 and sha1 hashes, not the fact that they're MP3 files. IIRC, iTunes stores a lot of stuff in a central database, but it will populate the internal metadata for ripped cd's (changing the hashes).

    I doubt that they'd use the fuzzy hashing, all they'd do would be to produce all MP3 files for the defense to mark as privileged or not. The privilege process is a fun one, the forensics expert would send all music files, file sharing data, and relevant raw data culled from the hard drives to the defense attorneys. They would then feed the files into review software and determine what is privileged or not and return the manifest of files back. The expert would produce another manifest and set of files for approval which they would then provide to the RIAA lawyers. If the defense lawyers try to mark everything as privileged, they could face sanctions or lose privilege for abusing it.

    Keep in mind that having mp3 files is not illegal, downloading mp3 files is not illegal, but sharing them is. The number of MP3 files that were not purchased or ripped from cd's (it would be up to the defendant to account for as many songs as possible) only adds to circumstantial evidence. However, what they are being charged with is uploading files, and that's all in the file sharing and registry. Remember the sharing ratio in bittorrent? That'd be just as important as music being there. Also, the location of the music is just as important as it being there. If it's in a shared folder or a file sharing folder, they can assert that the defendant "made available" and we all know how well that works...

    I guess my big point is that the md5 method is for lazy forensics experts, but they will also probably run a key term search that will identify plain text in mp3 files (mostly in the tags) and there are tons of ways to perform the analysis of the drives in a way that would reveal as much music as possible. For every forensic method there is a way of defeating it, and there's a way of defeating that, and so on.
  • Re:Question (Score:3, Interesting)

    by Thinboy00 ( 1190815 ) <thinboy00@@@gmail...com> on Thursday May 07, 2009 @06:00PM (#27867997) Journal

    And if/when the RIAA can't find anything, they'll just claim he did exactly this and demand a more thorough (read: privacy-violating) search.

  • by Anonymous Coward on Thursday May 07, 2009 @06:26PM (#27868475)

    Is there a linux live cd that will boot and set up a bit torrent client that runs exclusively in a RAM disk? This way, the only time a file would be moved from ram to hard drive is when it is a complete finished product. There would never be any evidence of file sharing on the computer because all programs would be on a separate CD and all the file sharing info would be lost when the computer is shut down... This is a bit of a pain but it guarantees always having a clean hard disk...

  • Re:Question (Score:2, Interesting)

    by jwildstr ( 1354869 ) on Thursday May 07, 2009 @08:55PM (#27870875)
    *YOU* may have determined that the Constitution doesn't force you to reveal your password, but if the Judicial Branch doesn't hold with that interpretation, you can probably be held (indefinitely?) in contempt of court. I don't know what the current rules are, nor if a case has made it to the SCotUS, but unfortunately, an individual's interpretation of the Constitution isn't going to hold water all on its own.
